Closed dervoeti closed 2 months ago
I have now created separate RBAC rules for the Job instead of using the ones from secret-operator.

Reasoning (besides better security): the Job should run before secret-op starts and the SecretClass is created, because otherwise a race condition might occur where secret-op is already started but the Job did not finish yet, hence the Secret is not yet copied over to the new namespace and secret-op might create a new CA (if a Pod requests a cert). Since the Job needs a ServiceAccount to view/edit Secrets and that ServiceAccount needs to be created before the installation of secret-op as well, the ServiceAccount and other RBAC resources have been created and also annotated with the Hook annotations for Helm. I set the hook-delete-policy to hook-succeeded so all the resources from this one-time job will automatically be deleted if it succeeds. The hook-weight annotations make sure the RBAC resources are created before the Job.

Just retested it a couple of times, works as expected.
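The pattern described in the comment above, written out as an added example (these are not templates from the secret-operator chart): a Helm pre-install hook Job that copies one Secret into the release namespace only if it is not there yet, together with a dedicated ServiceAccount and least-privilege Roles, all ordered by hook-weight and cleaned up by hook-delete-policy. The `.Values.migration.*` keys, the container image, and the resource names are assumed placeholders.

```yaml
# Added example, not a template from the secret-operator chart. The
# .Values.migration.* keys, the image and the resource names are assumed.
{{- $src := .Values.migration.sourceNamespace }}
{{- $name := .Values.migration.secretName }}
{{- $dst := .Release.Namespace }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-migration
  namespace: {{ $dst }}
  annotations:
    helm.sh/hook: pre-install
    helm.sh/hook-weight: "-10"          # lowest weight: created first
    helm.sh/hook-delete-policy: hook-succeeded
---
# Read access to exactly one Secret in the source namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-migration-read
  namespace: {{ $src }}
  annotations: {helm.sh/hook: pre-install, helm.sh/hook-weight: "-5", helm.sh/hook-delete-policy: hook-succeeded}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: [{{ $name | quote }}]
    verbs: ["get"]
---
# Create access in the destination namespace. resourceNames cannot restrict
# "create" (the name is unknown at authorization time), so this stays a
# namespaced Role; "get" is needed for the existence check.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-migration-write
  namespace: {{ $dst }}
  annotations: {helm.sh/hook: pre-install, helm.sh/hook-weight: "-5", helm.sh/hook-delete-policy: hook-succeeded}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create"]
---
{{- range $ns, $role := dict $src "secret-migration-read" $dst "secret-migration-write" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $role }}
  namespace: {{ $ns }}
  annotations: {helm.sh/hook: pre-install, helm.sh/hook-weight: "-3", helm.sh/hook-delete-policy: hook-succeeded}
subjects:
  - {kind: ServiceAccount, name: secret-migration, namespace: {{ $dst }}}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: {{ $role }}}
---
{{- end }}
apiVersion: batch/v1
kind: Job
metadata:
  name: secret-migration
  namespace: {{ $dst }}
  annotations:
    helm.sh/hook: pre-install
    helm.sh/hook-weight: "0"            # runs after all RBAC above exists
    # before-hook-creation: a Job left behind by a failed run is replaced on retry
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
spec:
  backoffLimit: 3
  template:
    spec:
      serviceAccountName: secret-migration
      restartPolicy: Never
      containers:
        - name: copy
          image: example.invalid/kubectl-with-jq:latest   # assumed: provides kubectl and jq
          env:
            - {name: SRC_NS, value: {{ $src | quote }}}
            - {name: DST_NS, value: {{ $dst | quote }}}
            - {name: NAME, value: {{ $name | quote }}}
          command: ["/bin/sh", "-ec"]
          args:
            - |
              # --ignore-not-found prints nothing when absent but still fails on
              # RBAC or API errors, so a broken setup aborts instead of silently
              # continuing (the assignment propagates the non-zero status under -e).
              existing=$(kubectl -n "$DST_NS" get secret "$NAME" --ignore-not-found -o name)
              if [ -n "$existing" ]; then
                echo "secret $NAME already exists in $DST_NS, nothing to do"
                exit 0
              fi
              # Strip namespace-bound metadata so the object can be created elsewhere.
              kubectl -n "$SRC_NS" get secret "$NAME" -o json \
                | jq 'del(.metadata.namespace, .metadata.uid, .metadata.resourceVersion,
                          .metadata.creationTimestamp, .metadata.ownerReferences,
                          .metadata.managedFields)' \
                | kubectl -n "$DST_NS" create -f -
```

Two Roles bound to one ServiceAccount are used instead of a ClusterRole so the hook can read only the named Secret in the source namespace and create only in the release namespace. Because the copy is idempotent, the same hook could also be annotated `pre-upgrade` for clusters that already have the operator installed; and since `hook-succeeded` keeps failed hook resources around, `before-hook-creation` ensures a retried install does not collide with the leftover Job.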
Description
Fixes https://github.com/stackabletech/secret-operator/issues/453 by creating a one-time job that copies the secret over to the new namespace if it does not exist there yet.
Definition of Done Checklist