-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Enhancement] The user operator to create secrets in other namespaces which contains both user and cluster CA certs #2513
Comments
This would definitely would help us a lot. |
+1, would be very helpful |
Thanks for sharing all of the information - @allanmoso: would you be interested in maybe sharing / open-sourcing your solution? We're atm building a very similar solution and are also thinking about doing that; really appreciate your comments / feedback! |
You can allow Strimzi to manage users in other namespaces by specifying |
+1 If the strimzi operator takes care of keeping the secrets created in the right namespace it would be really helpful, |
We have written a Quarkus Operator to distribute secrets based on a label called Sorry but currently the source is not open source. |
@dweber019 : Thanks for sharing the information! IMHO there is no reason why we shouldn't / couldn't share this as an open-source project at ours. Depending on the level of maturity I'd either place it within our top-level organization /baloise - or otherwise the /baloise-incubator. But iirc this is in productive use @ ours which is why I'd place it directly top-level. |
Nice will check how I can open source it ;) |
Here the link to our Quarkus app https://github.com/baloise/kube-secret-watcher as a first draft release. |
A more general tool to copy secrets and cm can help: |
+1 |
I think, it is available from |
@veerendra2 This was one of the use-cases I thought about when designing the configuration provider. It might not be perfect since you need to do the RBAC setup etc., so it is maybe not as easy as using the local secret. But you should definitely give it a try. |
If anyone inserted we built an operator which can copy stuff by providing coordinates in a CRD yaml. |
Did you find a better way to organize applications in a different namespace which can access the Cluster ? |
Triaged on 17.3.2022: This can be addressed by some of our existing utilities:
|
I have a use case where each kafka connect cluster represents a user and is deployed in different namespaces. I can see that there is an example on using secrets in different namespace with KafkaConnector, but is there any way we can reference that secret in KafkaConnect .spec.tls.trustedCertificates? RBAC would not work here I think because kafka connect cannot be deployed. |
Is your feature request related to a problem? Please describe.
We are using TLS authentication for our Kafka clients. Because strimzi's user operator is only able to create user secrets (and CA secrets) in one namespace we are not able to mount those secrets on our Kafka client pods that reside in other namespaces without having to duplicate the secret to the other namespace by other means.
This issue is also the same for the cluster's CA cert which the client needs for its truststore.
Describe the solution you'd like
It would be great if the user-operator is able to watch all namespaces and create the secret in the namespace where the KafkaUser was reconciled from. Because the kafka client also needs the cluster CA cert to connect to the cluster, it would also be nice if the user secret also contains that. This would make it so that everything that a Kafka client application needs to connect to the Kafka cluster is available as a secret in the namespace where it would be deployed, if a KafkaUser object is created in that namespace.
Describe alternatives you've considered
Additional context
The current behavior of the user operator is inconvenient for us based on how we want to manage our k8s cluster. We are pushing for self-service for our developers when it comes to deploying to the kubernetes cluster. However, developers are not able to interact with secrets directly, for security reasons. This prevents them from moving strimzi secrets between namespaces for their applications to use.
We are doing "GitOps" as a way to manage our cluster using Weaveworks' Flux
We are also using Stakater's Reloader tool that would allow us to restart pods when secrets or configmaps are changed, e.g., during CA auto-renewals.
The text was updated successfully, but these errors were encountered: