Closed kamit78 closed 3 years ago
Hi Amit,
Secret Agent supports deployment of secrets in multiple namespaces, and as such it needs privileges to watch and create secrets in all namespaces. This is similar to operators such as cert-manager. Cluster permissions are required for proper operation.
Hi, so there is no way to make it work without cluster permissions?
What if we create the cluster resources manually and then install secret agent? Would it work, or is there anything you want to suggest?
No, that would not work. The operator requires the ability to read and create secrets in namespaces. This is fundamental to how it operates. This is very similar to https://cert-manager.io/docs/
Just curious why the agent requires cluster permission to read and write secrets to only one namespace.
I mean, if by some means we configure it to only read and write secrets to a pre-configured namespace only, not to all namespaces.
Actually we have deployed the ForgeRock stack (7.1.0) without the secret agent operator but are getting an SSL handshake issue when AM tries to connect to DS over SSL on LDAP port 1636.
We are struggling to fix it and then thought to use this operation if possible without cluster permissions.
Hi,
Due to security compliance issues, we cannot provide cluster-level permission to the secret agent operator.
Is there any workaround with which we can use secret agent operation without cluster permissions? Any suggestions?
We want to use secret agent to deploy the ForgeRock stack.