
Create a secret for the license, rather than using (only) a flag (for the operator)

Open alexellis opened this issue 5 years ago • 10 comments

Create a secret for the inlets-pro license, rather than using (only) a flag

Expected Behaviour

The license should be read from a file so as not to leak the value in kubectl get deploy inlets-operator.

Current Behaviour

The license is shown in the deployment and via helm install when it's passed as a flag.

Possible Solution

Using a secret, like we do for the API access token, would make sense.

A change in the arkade app for the inlets-operator would also be required.

This is where the license is being read as an arg:

https://github.com/inlets/inlets-operator/blob/master/main.go#L79

Here is an example of reading a file (name passed via flag):

https://github.com/inlets/inlets-operator/blob/master/main.go#L74

And here is the helm chart to update:

https://github.com/inlets/inlets-operator/blob/master/chart/inlets-operator/templates/deployment.yaml#L36

Add an if statement and attach a volume in the same way as we do for a secret when the file is given instead of a literal value.

alexellis, Mar 10 '20 15:03

/add label: help wanted

alexellis, Apr 29 '20 09:04

/assign: me

I'll raise an issue on arkade to switch to this too.

Waterdrips, Apr 30 '20 10:04

Thanks Alistair

alexellis, May 01 '20 15:05

Hi @Waterdrips did you have a chance to start this yet?

alexellis, May 04 '20 08:05

Spent the weekend fighting my RPis and net booting.

I'll start working on this this evening if that's OK.

Waterdrips, May 04 '20 09:05

Sounds good. Hope you won 😁

alexellis, May 04 '20 09:05

@viveksyngh do you want to take a look?

alexellis, Aug 18 '21 16:08

/derek assign me

viveksyngh, Aug 25 '21 15:08

@alexellis I was thinking we could create a secret with the licence and then use the secret name as input to the controller. The controller would use it to read the secret and also set a watch on it, so that if it gets updated the controller will reconcile all objects.

viveksyngh, Aug 25 '21 15:08

Part 1a is just changing the helm chart to use a secret name/reference instead of a literal value, but keeping backwards compatibility. Part 1b is changing the arkade app to create the new secret and instruct the helm chart to use it.

See how we do that for arkade and openfaas - https://github.com/alexellis/arkade/blob/master/cmd/apps/openfaas_app.go#L126

Part 2 is more along the lines of what you're saying. We may need one master secret per namespace with the license in it, or one new license secret per client.

alexellis, Aug 25 '21 16:08
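
The file-based reading proposed in the issue, with the literal value still accepted for the backwards compatibility mentioned under Part 1a, as an added example (not the inlets-operator's own code). `resolveLicense`, its parameters and the source labels are hypothetical names, and the temp file in `main` is a constructed stand-in for a secret mounted into the pod.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// resolveLicense picks the license from a file (for example a mounted
// Kubernetes secret) or, for backwards compatibility, from a literal value.
// Both parameters stand for hypothetical flag values. The returned source
// lets the caller warn when the literal form is still in use.
func resolveLicense(literal, file string) (value, source string, err error) {
	if file != "" {
		data, readErr := os.ReadFile(file)
		if readErr != nil {
			return "", "", fmt.Errorf("reading license file: %w", readErr)
		}
		// Files created from a terminal usually end in a newline.
		value = strings.TrimSpace(string(data))
		if value == "" {
			return "", "", errors.New("license file is empty")
		}
		return value, "file", nil
	}
	if literal != "" {
		// Still accepted, but the value is visible in the Deployment's args.
		return literal, "flag", nil
	}
	return "", "", errors.New("no license given")
}

func main() {
	// Constructed sample: a temp file standing in for the mounted secret.
	f, err := os.CreateTemp("", "license")
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	f.WriteString("constructed-license-value\n")
	f.Close()

	_, source, err := resolveLicense("", f.Name())
	if err != nil {
		panic(err)
	}
	fmt.Println("license loaded from:", source) // never log the value itself
}
```

When both a file and a literal are supplied, the file wins, so a chart can move to the secret without first removing the old value.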