
Feature Request: Inject database user credentials into deployments with database clients #141

Closed
jensneuse opened this issue Mar 5, 2018 · 7 comments


@jensneuse jensneuse commented Mar 5, 2018

It would be useful to have some kind of annotation to indicate to the operator that a container needs client credentials with specific rights to a kubedb-managed database.

Once an annotated deployment is submitted to the Kubernetes API, the kubedb operator should intercept the deployment. It should generate credentials (at the database level) and inject them according to the annotations as environment variables into the deployment/container. On container deletion the operator should automatically clean up the created database roles.

For security reasons the initial database deployment could be enhanced with role bindings between the database and Kubernetes service accounts, so that it's only possible to get credentials injected into the database client container when the deployment serviceAccount matches the ones declared with the database kind.


@tamalsaha tamalsaha commented Mar 21, 2018

@tamalsaha tamalsaha commented Apr 19, 2018

@tamalsaha tamalsaha referenced this issue May 31, 2018
@tamalsaha tamalsaha commented Jul 11, 2018

```yaml
apiVersion: authorization.kubedb.com/v1alpha1
kind: PostgresRole
spec:
  provider:
    vault:
      serviceName: <vault-svc>
      secretName: <vault-token-secret>
  database:
    serviceName: <db-svc>
    secretName: <db-root-cred-secret>
  # block scalar: the statements contain both quote styles, so an inline
  # single-quoted YAML string would not parse
  definition: |
    CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
  ttl: 7d
status:
  conditions:
  - lastTransitionTime: 2018-07-11T09:16:17Z
    message: endpoints for service/voyager-operator in "kube-system" have no addresses
    reason: MissingEndpoints
    status: "False"
    type: Available
```

-> Create Role in Vault

```shell
$ vault write database/config/my-postgresql-database \
    plugin_name=postgresql-database-plugin \
    allowed_roles="my-role" \
    connection_url="postgresql://{{username}}:{{password}}@localhost:5432/" \
    username="root" \
    password="root"

$ vault write database/roles/my-role \
    db_name=my-postgresql-database \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
        GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl="1h" \
    max_ttl="24h"
Success! Data written to: database/roles/my-role
```

---------------------------------------------------------------------------

```yaml
apiVersion: authorization.kubedb.com/v1alpha1
kind: PostgresRoleBinding
roleRef:
  name:
subjects:
- kind: User
  name: dave
  apiGroup: rbac.authorization.k8s.io
store:
  secret: <secret>
```

->

```yaml
kind: Secret
apiVersion: v1
data:
  vault-provisioned-credential: <base64-encoded-credential>
```

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pg-db-credential-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["<secret-name-for-db-role>"]
  verbs: ["get"]
```

---------------

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: dave
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pg-db-credential-reader
  apiGroup: rbac.authorization.k8s.io
```
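The sketch above leaves two mechanics implicit: how the `{{name}}`, `{{password}}` and `{{expiration}}` placeholders in `definition` become a concrete `CREATE ROLE` statement, and that the spec's `ttl: 7d` uses a day suffix that Go's `time.ParseDuration` does not accept. The following is an added example (not kubedb or kubevault code, and not how Vault's plugin is implemented) of an operator-side issuing step: parse the ttl, generate an unpredictable role name and password, render the statements with PostgreSQL quote-doubling so a generated value can never terminate its quoted token early, and return what would be written into the binding's Secret. The `v-<role>-<random>` name format and the `Credential` type are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Definition is the statement template from the PostgresRole / Vault role
// sketch, with Vault's {{name}}, {{password}} and {{expiration}} placeholders.
const Definition = `CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; ` +
	`GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";`

// Credential is what the operator would store in the binding's Secret
// (type constructed for this example).
type Credential struct {
	Name       string
	Password   string
	Expiration time.Time
	SQL        string // rendered statements to run against the database
}

// ParseTTL accepts Go durations plus a "d" (days) suffix, because the sketched
// spec says `ttl: 7d` and time.ParseDuration alone rejects "7d".
func ParseTTL(s string) (time.Duration, error) {
	s = strings.TrimSpace(s)
	if strings.HasSuffix(s, "d") {
		days, err := strconv.Atoi(strings.TrimSuffix(s, "d"))
		if err != nil || days < 0 {
			return 0, fmt.Errorf("invalid ttl %q", s)
		}
		return time.Duration(days) * 24 * time.Hour, nil
	}
	return time.ParseDuration(s)
}

// RenderDefinition substitutes the placeholders. The template already wraps
// {{name}} in double quotes and {{password}}/{{expiration}} in single quotes,
// so each value is escaped by doubling the enclosing quote character (the
// PostgreSQL rule for identifiers and literals). The escaping is a defensive
// addition in this example; the values are operator-generated, never user input.
func RenderDefinition(def, name, password string, expiration time.Time) string {
	return strings.NewReplacer(
		"{{name}}", strings.ReplaceAll(name, `"`, `""`),
		"{{password}}", strings.ReplaceAll(password, `'`, `''`),
		"{{expiration}}", expiration.UTC().Format("2006-01-02 15:04:05-0700"),
	).Replace(def)
}

// Issue generates a fresh role name and password from crypto/rand, computes
// the expiry from the ttl and renders the statements. The "v-<role>-<random>"
// name format is constructed for this example.
func Issue(role, def, ttl string, now time.Time) (Credential, error) {
	d, err := ParseTTL(ttl)
	if err != nil {
		return Credential{}, err
	}
	suffix, err := randomHex(6)
	if err != nil {
		return Credential{}, err
	}
	password, err := randomHex(16)
	if err != nil {
		return Credential{}, err
	}
	c := Credential{Name: "v-" + role + "-" + suffix, Password: password, Expiration: now.Add(d)}
	c.SQL = RenderDefinition(def, c.Name, c.Password, c.Expiration)
	return c, nil
}

// randomHex returns n random bytes, hex-encoded (2n characters).
func randomHex(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	c, err := Issue("my-role", Definition, "7d", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(c.SQL)
}
```

The rendered SQL is what the operator would execute with the root credential from `<db-root-cred-secret>`; only `Name` and `Password` need to reach the client container's Secret, and `Expiration` tells the operator when to clean up even if the binding is never deleted.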

@tamalsaha tamalsaha added this to the 0.9.0 milestone Jul 31, 2018
@tamalsaha tamalsaha modified the milestones: 0.9.0, 0.10.0 Aug 15, 2018
@tamalsaha tamalsaha commented Aug 17, 2018

Design decisions:

  • If Role is deleted, RoleBindings are not deleted.
  • If Role is updated, credentials must be reissued.
  • If Role is deleted, credentials must be revoked.
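The three design decisions above, together with the PostgresRole / PostgresRoleBinding / Secret sketch from the Jul 11 comment, describe a lifecycle that is easiest to check as a level-triggered reconcile loop. The following is an added example, not kubevault or kubedb code: an in-memory controller whose `Reconcile` compares desired state (roles, bindings) with observed state (leases) and applies the decisions: a deleted Role revokes its credentials but leaves RoleBindings in place, an updated Role (tracked as a bumped `Generation`) reissues every credential bound to it, and a deleted binding revokes and forgets its credential. Integer lease IDs stand in for Vault lease IDs; the `Role`, `Binding` and `Lease` types are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Role mirrors the sketched PostgresRole spec: statement template plus ttl.
// Generation is bumped on every spec change so stale credentials are detectable.
type Role struct {
	Name, Definition, TTL string
	Generation            int
}

// Binding mirrors PostgresRoleBinding: which Role, and which Secret receives
// the credential.
type Binding struct {
	Name, RoleRef, SecretName string
}

// Lease is the operator's record of one issued credential (an integer ID
// stands in for the Vault lease ID).
type Lease struct {
	ID             int
	RoleGeneration int
	Revoked        bool
}

// Controller holds desired state (roles, bindings) and observed state (leases).
type Controller struct {
	roles    map[string]Role
	bindings map[string]Binding
	leases   map[string]*Lease // keyed by binding name
	nextID   int
}

func NewController() *Controller {
	return &Controller{roles: map[string]Role{}, bindings: map[string]Binding{}, leases: map[string]*Lease{}}
}

// ApplyRole creates or updates a Role; an unchanged spec is a no-op.
func (c *Controller) ApplyRole(r Role) {
	if cur, ok := c.roles[r.Name]; ok {
		if cur.Definition == r.Definition && cur.TTL == r.TTL {
			return
		}
		r.Generation = cur.Generation + 1
	} else {
		r.Generation = 1
	}
	c.roles[r.Name] = r
}

func (c *Controller) DeleteRole(name string)      { delete(c.roles, name) }
func (c *Controller) ApplyBinding(b Binding)      { c.bindings[b.Name] = b }
func (c *Controller) DeleteBinding(name string)   { delete(c.bindings, name) }
func (c *Controller) HasBinding(name string) bool { _, ok := c.bindings[name]; return ok }
func (c *Controller) Lease(binding string) *Lease { return c.leases[binding] }

// Reconcile is level-triggered: it brings leases in line with roles and
// bindings and returns the actions it took (empty when already converged).
func (c *Controller) Reconcile() []string {
	var actions []string
	revoke := func(name string) {
		if l := c.leases[name]; l != nil && !l.Revoked {
			l.Revoked = true
			actions = append(actions, fmt.Sprintf("revoke lease %d for %s", l.ID, name))
		}
	}
	names := make([]string, 0, len(c.bindings))
	for n := range c.bindings {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, name := range names {
		b := c.bindings[name]
		role, roleExists := c.roles[b.RoleRef]
		l := c.leases[name]
		if !roleExists {
			revoke(name) // Role deleted: revoke the credential, keep the binding
			continue
		}
		if l == nil || l.Revoked || l.RoleGeneration != role.Generation {
			revoke(name) // Role updated: the old credential must not outlive the change
			c.nextID++
			c.leases[name] = &Lease{ID: c.nextID, RoleGeneration: role.Generation}
			actions = append(actions, fmt.Sprintf("issue lease %d for %s into secret %s", c.nextID, name, b.SecretName))
		}
	}
	var stale []string // bindings that no longer exist
	for name := range c.leases {
		if !c.HasBinding(name) {
			stale = append(stale, name)
		}
	}
	sort.Strings(stale)
	for _, name := range stale {
		revoke(name)
		delete(c.leases, name)
	}
	return actions
}

func main() {
	c := NewController()
	c.ApplyRole(Role{Name: "reader", Definition: `CREATE ROLE "{{name}}" ...`, TTL: "7d"})
	c.ApplyBinding(Binding{Name: "app", RoleRef: "reader", SecretName: "app-db-cred"})
	fmt.Println(c.Reconcile())
	c.DeleteRole("reader")
	fmt.Println(c.Reconcile(), "binding kept:", c.HasBinding("app"))
}
```

Running `Reconcile` twice in a row produces no actions the second time, which is the property that lets the operator requeue freely; revocation is recorded before a new lease is issued so a spec change never leaves two live credentials for one binding.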
@tamalsaha tamalsaha referenced this issue Aug 30, 2018
@tamalsaha tamalsaha commented Sep 25, 2018

@tamalsaha tamalsaha commented Nov 27, 2018

This has been implemented in kubevault/operator#123

@tamalsaha tamalsaha closed this Nov 27, 2018
@tamalsaha tamalsaha commented Mar 1, 2019
