Multitenancy: Allow to watch ExternalSecrets using annotation #549
Conversation
aabouzaid
force-pushed
the
scoped-access-by-annotation
branch
2 times, most recently
from
55070f9
to
9280dd3
Compare
|
This PR is ready for review :-) |
aabouzaid
force-pushed
the
scoped-access-by-annotation
branch
from
9280dd3
to
c1aed62
Compare
|
I've updated the docs with a recommendation to disable the CRD manager to avoid having multiple deployments fighting over the CRD. |
|
@Flydiverny, is there any blocker for this PR? If not, I would be happy to fix the conflicts to make sure it's ready to be merged. |
|
@moolen Do you know if we had any discussions for the CRD to have something like an What I'm thinking maybe it would be better to have an optional field on the CRD resource instead of using an annotation and if possible align it with the crd-spec? @aabouzaid I think there shouldn't be any blockers but the question above I think is something we could discuss first :) |
|
Yes, we have a mechanic for that with the We factor out a |
|
Ah! I was sure I had seen it in there, but didn't locate it in the ExternalSecret CRD! Makes sense its in the SecretStore.
@aabouzaid WDYT? Up for updating it to using |
|
@Flydiverny sounds good, I will work on it asap 👍 |
|
Closing as #701 was merged |
Hello,
This PR is 2 of 2 PRs to address support for multitenancy. The first PR is #548
This PR adds a new option that allows to scope KES access by ExternalSecrets using annotation.
i.e. each ExternalSecret can tell which KES is responsible to manage that ExternalSecret.
This feature doesn't fix any security concerns like #548, but in combination with #548 it allows to have namespace scoped KES and global KES at the same time. So if there are 2 KES, there is no need to set namespaces for both of them as described in the other PR.
The feature implementation is done, and also the unit test. I just need to update the docs.