inlets / inlets-operator

Get public TCP LoadBalancers for local Kubernetes clusters
https://docs.inlets.dev/reference/inlets-operator
MIT License

Create a secret for the license, rather than using (only) a flag (for the operator) #67

Open alexellis opened 4 years ago

alexellis commented 4 years ago

Create a secret for the inlets-pro license, rather than using (only) a flag

Expected Behaviour

The license should be read from a file so as not to leak the value in kubectl get deploy inlets-operator

Current Behaviour

The license is shown in the deployment and via helm install when it's passed as a flag.

Possible Solution

Using a secret, like we do for the API access token, would make sense.

A change in the arkade app for the inlets-operator would also be required.

This is where the license is being read as an arg:

https://github.com/inlets/inlets-operator/blob/master/main.go#L79

Here is an example of reading a file (name passed via flag):

https://github.com/inlets/inlets-operator/blob/master/main.go#L74

And here is the helm chart to update:

https://github.com/inlets/inlets-operator/blob/master/chart/inlets-operator/templates/deployment.yaml#L36

Add an if statement and attach a volume in the same way as we do for a secret when the file is given instead of a literal value.

alexellis commented 4 years ago

/add label: help wanted

Waterdrips commented 4 years ago

/assign: me

I'll raise an issue on arkade to switch to this too

alexellis commented 4 years ago

Thanks Alistair

alexellis commented 4 years ago

Hi @Waterdrips did you have a chance to start this yet?

Waterdrips commented 4 years ago

Spent the weekend fighting my RPis and net booting.

I'll start working on this this evening if that's OK.

alexellis commented 4 years ago

Sounds good. Hope you won 😁

alexellis commented 3 years ago

@viveksyngh do you want to take a look?

viveksyngh commented 3 years ago

/derek assign me

viveksyngh commented 3 years ago

@alexellis I was thinking we could create a secret with the licence and then use the secret name as input to the controller, which the controller will use to read the secret and also set a watch on it, so that if it gets updated the controller will reconcile all objects.

alexellis commented 3 years ago

Part 1a is just changing the helm chart to use a secret name/reference instead of a literal value, but keeping backwards compatibility. Part 1b is changing the arkade app to create the new secret and instruct the helm chart to use it.

See how we do that for arkade and openfaas - https://github.com/alexellis/arkade/blob/master/cmd/apps/openfaas_app.go#L126

Part 2 is more along the lines of what you're saying. We may need one master secret per namespace with the license in it, or one new license secret per client.
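
An added example, not code from inlets-operator or from anyone in this thread: a Go sketch of the flag handling the issue and "Part 1a" describe, where the license comes from a mounted secret file when a path is given and the literal value keeps working for backwards compatibility. The function name, its parameters and the choice to reject both inputs together are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveLicense prefers a mounted secret file and falls back to the literal
// value for backwards compatibility. Hypothetical helper, not the project's API.
func resolveLicense(literal, file string) (string, error) {
	literal = strings.TrimSpace(literal)
	if file == "" {
		if literal == "" {
			return "", errors.New("no license given: set a file path or a literal value")
		}
		return literal, nil
	}
	if literal != "" {
		// Assumption: refuse both, so a stale literal cannot linger in the pod spec.
		return "", errors.New("give either a license file or a literal value, not both")
	}
	data, err := os.ReadFile(file)
	if err != nil {
		// Report the path only; file contents never reach the error or the logs.
		return "", fmt.Errorf("reading license file %q: %w", file, err)
	}
	// Secrets created from files often carry a trailing newline.
	license := strings.TrimSpace(string(data))
	if license == "" {
		return "", fmt.Errorf("license file %q is empty", file)
	}
	return license, nil
}

func main() {
	// Constructed sample: a temp file stands in for the mounted secret key.
	path := filepath.Join(os.TempDir(), "example-license")
	if err := os.WriteFile(path, []byte("SAMPLE-LICENSE-VALUE\n"), 0o600); err != nil {
		panic(err)
	}
	defer os.Remove(path)
	license, err := resolveLicense("", path)
	fmt.Println(len(license), err) // print the length, not the value
}
```

With this shape only the file path appears in the container arguments, so the deployment spec shows where the license is mounted rather than the license itself.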