Merge pull request #2 from snapp-incubator/feat/namespace-scoped-secrets

changed secrets ClusterRole to Role
snapp-incubator · Aug 28, 2023 · 0647962 · 0647962
2 parents d8dbf47 + 333c3ef
commit 0647962
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 13 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -5,18 +5,6 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
   - apiGroups:
       - cerberus.snappcloud.io
     resources:
@@ -109,3 +97,23 @@ rules:
       - get
       - patch
       - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: manager-role
+  namespace: "'cerberus-system'"
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
diff --git a/controllers/accesstoken_controller.go b/controllers/accesstoken_controller.go
@@ -58,6 +58,7 @@ func (r *AccessTokenReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 
 // SetupWithManager sets up the controller with the Manager.
 func (r *AccessTokenReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	// TODO: reconcile on secret change
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&cerberusv1alpha1.AccessToken{}).
 		Complete(r)

diff --git a/pkg/auth/authenticator.go b/pkg/auth/authenticator.go
@@ -48,7 +48,7 @@ const (
 //+kubebuilder:rbac:groups=cerberus.snappcloud.io,resources=webservices/status,verbs=get;
 //+kubebuilder:rbac:groups=cerberus.snappcloud.io,resources=webserviceaccountbindings,verbs=get;list;watch;
 //+kubebuilder:rbac:groups=cerberus.snappcloud.io,resources=webserviceaccountbindings/status,verbs=get;
-//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",namespace='cerberus-system',resources=secrets,verbs=get;list;watch;create;update;patch;delete
 
 // TODO add Secrets to be watched
 func (a *Authenticator) UpdateCache(c client.Client, ctx context.Context, readOnly bool) error {
@@ -79,6 +79,7 @@ func (a *Authenticator) UpdateCache(c client.Client, ctx context.Context, readOn
 	// TODO find cleaner way to select
 	err = c.List(ctx, secrets,
 		client.MatchingLabels{"cerberus.snappcloud.io/secret": "true"},
+		client.InNamespace("cerberus-system"),
 	)
 	if err != nil {
 		return err