hashicorp / vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
https://hashicorp.com

Helm: add support for cluster role aggregates #752

Closed benashz closed 1 month ago

benashz commented 1 month ago

Extends the Helm chart to create ClusterRole aggregates based off the resource-specific viewer and editor roles. See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles for more details.

By default, no aggregate ClusterRoles will be installed. See below for examples of how to enable the new feature.

$ helm install [...] \
  --set 'controller.rbac.clusterRoleAggregation.viewerRoles={*}' \
  --set 'controller.rbac.clusterRoleAggregation.editorRoles={*}'

Selective viewer roles output:

helm template -s templates/clusterrole-aggregated-viewer.yaml \
  --set 'controller.rbac.clusterRoleAggregation.viewerRoles={vaultauth,hcpauth}' .
---
# Source: vault-secrets-operator/templates/clusterrole-aggregated-viewer.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-vault-secrets-operator-aggregate-role-viewer
  labels:
    app.kubernetes.io/component: rbac
    vso.hashicorp.com/role-instance: aggregate-role-viewer
    vso.hashicorp.com/aggregate-to-editor: "true"
    helm.sh/chart: vault-secrets-operator-0.6.0
    app.kubernetes.io/name: vault-secrets-operator
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/version: "0.6.0"
    app.kubernetes.io/managed-by: Helm
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      vso.hashicorp.com/role-instance: vaultauth-viewer-role
  - matchLabels:
      vso.hashicorp.com/role-instance: hcpauth-viewer-role

Aggregate all viewer roles output:

helm template -s templates/clusterrole-aggregated-viewer.yaml --set 'controller.rbac.clusterRoleAggregation.viewerRoles={*}' .
---
# Source: vault-secrets-operator/templates/clusterrole-aggregated-viewer.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-vault-secrets-operator-aggregate-role-viewer
  labels:
    app.kubernetes.io/component: rbac
    vso.hashicorp.com/role-instance: aggregate-role-viewer
    vso.hashicorp.com/aggregate-to-editor: "true"
    helm.sh/chart: vault-secrets-operator-0.6.0
    app.kubernetes.io/name: vault-secrets-operator
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/version: "0.6.0"
    app.kubernetes.io/managed-by: Helm
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      vso.hashicorp.com/aggregate-to-viewer: "true"

All editor roles output:

helm template -s templates/clusterrole-aggregated-editor.yaml --set 'controller.rbac.clusterRoleAggregation.editorRoles={*}' .
---
# Source: vault-secrets-operator/templates/clusterrole-aggregated-editor.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-vault-secrets-operator-aggregate-role-editor
  labels:
    app.kubernetes.io/component: rbac
    vso.hashicorp.com/role-instance: aggregate-role-editor
    helm.sh/chart: vault-secrets-operator-0.6.0
    app.kubernetes.io/name: vault-secrets-operator
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/version: "0.6.0"
    app.kubernetes.io/managed-by: Helm
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      vso.hashicorp.com/aggregate-to-editor: "true"
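To review what an aggregate ClusterRole actually grants once kube-controller-manager merges the matching roles, here is an added example (not code from the chart or the PR) that resolves aggregationRule selectors the way the aggregation controller does, over a constructed set of roles modelled on the labels in the output above. It assumes the chart's per-resource viewer and editor roles carry the aggregate-to-viewer / aggregate-to-editor labels the selectors target, and the constructed unrelated-labelled-role shows that any ClusterRole bearing the label is merged in, which is exactly what an audit of an aggregate's contributors should surface.

```python
# Added example (not part of the chart or the PR): resolve aggregated
# ClusterRoles the way kube-controller-manager's aggregation controller does,
# so the effective rules of the chart's aggregate roles can be reviewed.
# The manifests below are constructed and trimmed to labels/rules/aggregationRule.

def matches(labels, selector):
    """matchLabels selector: every key/value pair must be present on the role."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def resolve_aggregates(roles):
    """roles: name -> {"labels", "rules", "aggregationRule" (optional)}.
    Returns name -> (sorted contributing role names, effective rules) per aggregate.
    An aggregate's own rules are replaced by the union of its sources' rules, a
    self-match is skipped, and the loop runs to a fixpoint so an aggregate that feeds
    another one (the chart's viewer aggregate carries aggregate-to-editor) resolves."""
    rules_of = {n: list(r.get("rules", [])) for n, r in roles.items()}
    sources, changed = {}, True
    while changed:
        changed = False
        for name, role in roles.items():
            selectors = role.get("aggregationRule", {}).get("clusterRoleSelectors", [])
            if not selectors:
                continue
            srcs = sorted(n for n, r in roles.items() if n != name
                          and any(matches(r["labels"], s) for s in selectors))
            merged = []
            for src in srcs:  # union, de-duplicated across sources like the controller
                merged += [r for r in rules_of[src] if r not in merged]
            if (srcs, merged) != (sources.get(name), rules_of[name]):
                sources[name], rules_of[name], changed = srcs, merged, True
    return {n: (sources[n], rules_of[n]) for n in sources}

def rule(resource, *verbs):
    return {"apiGroups": ["secrets.hashicorp.com"], "resources": [resource], "verbs": list(verbs)}

SAMPLE = {  # constructed: two viewer roles, one editor role, both aggregates, one stray role
    "vaultauth-viewer-role": {"labels": {"vso.hashicorp.com/role-instance": "vaultauth-viewer-role",
        "vso.hashicorp.com/aggregate-to-viewer": "true"}, "rules": [rule("vaultauths", "get", "list", "watch")]},
    "hcpauth-viewer-role": {"labels": {"vso.hashicorp.com/role-instance": "hcpauth-viewer-role",
        "vso.hashicorp.com/aggregate-to-viewer": "true"}, "rules": [rule("hcpauths", "get", "list", "watch")]},
    "vaultauth-editor-role": {"labels": {"vso.hashicorp.com/aggregate-to-editor": "true"},
        "rules": [rule("vaultauths", "create", "update", "delete")]},
    "aggregate-role-viewer": {"labels": {"vso.hashicorp.com/aggregate-to-editor": "true"}, "rules": [],
        "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {"vso.hashicorp.com/aggregate-to-viewer": "true"}}]}},
    "aggregate-role-editor": {"labels": {}, "rules": [],
        "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {"vso.hashicorp.com/aggregate-to-editor": "true"}}]}},
    "unrelated-labelled-role": {"labels": {"vso.hashicorp.com/aggregate-to-viewer": "true"},
        "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
}
```

Because the viewer aggregate itself carries aggregate-to-editor, everything it absorbs (including the stray role's secrets access) also lands in the editor aggregate, so the contributor list is the thing to check after any ClusterRole is added to the cluster.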