Merge remote-tracking branch 'origin/main' into misc/operator-namespace-installation

misc: updated version
feat: k8 operator namespace installation
2025-06-29 04:31:59 +00:00 · 2024-12-13 03:49:10 +08:00 · 2024-12-13 03:06:07 +08:00 · 2024-12-05 23:12:37 +08:00
6 changed files with 75 additions and 19 deletions
--- a/docs/integrations/platforms/kubernetes.mdx
+++ b/docs/integrations/platforms/kubernetes.mdx
@ -41,6 +41,30 @@ The operator can be install via [Helm](https://helm.sh) or [kubectl](https://git
    helm install --generate-name infisical-helm-charts/secrets-operator --version=0.1.4 --set controllerManager.manager.image.tag=v0.2.0
    ```

+    **Namespace-scoped Installation**
+
+    The operator can be configured to watch and manage secrets in a specific namespace instead of having cluster-wide access.
+
+    ```bash
+    helm install operator infisical-helm-charts/secrets-operator \
+      --namespace your-namespace \
+      --set scopedNamespace=your-namespace \
+      --set scopedRBAC=true
+    ```
+
+    When scoped to a namespace, the operator will:
+
+    - Only watch InfisicalSecrets in the specified namespace
+    - Only create/update Kubernetes secrets in that namespace
+    - Only access deployments in that namespace
+
+    The default configuration gives cluster-wide access:
+
+    ```yaml
+    scopedNamespace: "" # Empty for cluster-wide access
+    scopedRBAC: false # Cluster-wide permissions
+    ```
+
   </Tab>
 	 <Tab title="Kubectl">
   For production deployments, it is highly recommended to set the version of the Kubernetes operator manually instead of pointing to the latest version.
--- a/helm-charts/secrets-operator/Chart.yaml
+++ b/helm-charts/secrets-operator/Chart.yaml
@ -13,9 +13,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: v0.7.5
+version: v0.7.6
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.7.5"
+appVersion: "v0.7.6"
--- a/helm-charts/secrets-operator/templates/deployment.yaml
+++ b/helm-charts/secrets-operator/templates/deployment.yaml
@ -54,7 +54,11 @@ spec:
          10 }}
        securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext
          | nindent 10 }}
-      - args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }}
+      - args:
+        {{- toYaml .Values.controllerManager.manager.args | nindent 8 }}
+        {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+        - --namespace={{ .Values.scopedNamespace }}
+        {{- end }}
        command:
        - /manager
        env:
--- a/helm-charts/secrets-operator/templates/manager-rbac.yaml
+++ b/helm-charts/secrets-operator/templates/manager-rbac.yaml
@ -1,7 +1,14 @@
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+kind: Role
+{{- else }}
 kind: ClusterRole
+{{- end }}
 metadata:
  name: {{ include "secrets-operator.fullname" . }}-manager-role
+  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+  namespace: {{ .Values.scopedNamespace | quote }}
+  {{- end }}
  labels:
  {{- include "secrets-operator.labels" . | nindent 4 }}
 rules:
@ -72,9 +79,16 @@ rules:
  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+kind: RoleBinding
+{{- else }}
 kind: ClusterRoleBinding
+{{- end }}
 metadata:
  name: {{ include "secrets-operator.fullname" . }}-manager-rolebinding
+  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+  namespace: {{ .Values.scopedNamespace | quote }}
+  {{- end }}
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: k8-operator
@ -82,7 +96,11 @@ metadata:
  {{- include "secrets-operator.labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
+  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+  kind: Role
+  {{- else }}
  kind: ClusterRole
+  {{- end }}
  name: '{{ include "secrets-operator.fullname" . }}-manager-role'
 subjects:
 - kind: ServiceAccount
--- a/helm-charts/secrets-operator/values.yaml
+++ b/helm-charts/secrets-operator/values.yaml
@ -1,15 +1,15 @@
 controllerManager:
  kubeRbacProxy:
    args:
-    - --secure-listen-address=0.0.0.0:8443
-    - --upstream=http://127.0.0.1:8080/
-    - --logtostderr=true
-    - --v=0
+      - --secure-listen-address=0.0.0.0:8443
+      - --upstream=http://127.0.0.1:8080/
+      - --logtostderr=true
+      - --v=0
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
-        - ALL
+          - ALL
    image:
      repository: gcr.io/kubebuilder/kube-rbac-proxy
      tag: v0.15.0
@ -22,17 +22,17 @@ controllerManager:
        memory: 64Mi
  manager:
    args:
-    - --health-probe-bind-address=:8081
-    - --metrics-bind-address=127.0.0.1:8080
-    - --leader-elect
+      - --health-probe-bind-address=:8081
+      - --metrics-bind-address=127.0.0.1:8080
+      - --leader-elect
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
-        - ALL
+          - ALL
    image:
      repository: infisical/kubernetes-operator
-      tag: v0.7.5
+      tag: v0.7.6
    resources:
      limits:
        cpu: 500m
@ -46,10 +46,12 @@ controllerManager:
  nodeSelector: {}
  tolerations: []
 kubernetesClusterDomain: cluster.local
+scopedNamespace: ""
+scopedRBAC: false
 metricsService:
  ports:
-  - name: https
-    port: 8443
-    protocol: TCP
-    targetPort: https
+    - name: https
+      port: 8443
+      protocol: TCP
+      targetPort: https
  type: ClusterIP
--- a/k8-operator/main.go
+++ b/k8-operator/main.go
@ -36,8 +36,10 @@ func main() {
 	var metricsAddr string
 	var enableLeaderElection bool
 	var probeAddr string
+	var namespace string
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.StringVar(&namespace, "namespace", "", "Watch InfisicalSecrets scoped in the provided namespace only")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
@ -49,7 +51,7 @@ func main() {

 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))

-	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+	ctrlOpts := ctrl.Options{
 		Scheme:                 scheme,
 		MetricsBindAddress:     metricsAddr,
 		Port:                   9443,
@ -67,7 +69,13 @@ func main() {
 		// if you are doing or is intended to do any operation such as perform cleanups
 		// after the manager stops then its usage might be unsafe.
 		// LeaderElectionReleaseOnCancel: true,
-	})
+	}
+
+	if namespace != "" {
+		ctrlOpts.Namespace = namespace
+	}
+
+	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrlOpts)
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")
 		os.Exit(1)
Author	SHA1	Message	Date
Sheen Capadngan	639057415f	Merge remote-tracking branch 'origin/main' into misc/operator-namespace-installation	2024-12-13 03:49:10 +08:00
Sheen Capadngan	c38dae2319	misc: updated version	2024-12-13 03:06:07 +08:00
Sheen Capadngan	39f71f9488	feat: k8 operator namespace installation	2024-12-05 23:12:37 +08:00