[DEPRECATED] Sealed Secrets Operator (Helm) installs Sealed Secrets in OpenShift and Kubernetes.
Home Page: http://sealed-secrets-operator-helm.rtfd.io/
License: Apache License 2.0
Hi,
Can you please go into detail about the role concept of the Operator?
Seeing the file at https://github.com/disposab1e/sealed-secrets-operator-helm/blob/master/guides/ocp4/manual/role.yaml it seems like that the operator requires quite a lot of access to work. Or could the resources and verbs be broken down into more detail to reduce the permissions of the operator and the operator still work fine?
Thanks
Steps to reproduce
Step 1:
Spinup a fresh 4.6 openshift cluster
Step 2:
Login to the cluster as kubeadmin
Step 3:
Apply the sealed-secrets-operator subscription through oc command
oc create -f - <<EOF
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
labels:
operators.coreos.com/sealed-secrets-operator-helm.cicd: ""
managedFields:
-
apiVersion: operators.coreos.com/v1alpha1
manager: olm
operation: Update
-
apiVersion: operators.coreos.com/v1alpha1
manager: catalog
operation: Update
name: sealed-secrets-operator-helm
namespace: cicd
spec:
channel: alpha
installPlanApproval: Automatic
name: sealed-secrets-operator-helm
source: community-operators
sourceNamespace: openshift-marketplace
startingCSV: sealed-secrets-operator-helm.v0.0.2
EOF
Step 4:
Check the operator status from the openshift console
The operator cannot create ingress:
{"level":"error","ts":1631867415.8278918,"logger":"helm.controller","msg":"Release failed","namespace":"sealed-secrets","name":"sealed-secret-controller","apiVersion":"bitnami.com/v1alpha1","kind":"SealedSecretController","release":"sealed-secret-controller","error":"failed to install release: rendered manifests contain a resource that already exists. Unable to continue with install: could not get information about the resource: ingresses.networking.k8s.io \"sealed-secret-controller-sealed-secrets\" is forbidden: User \"system:serviceaccount:sealed-secrets:sealed-secrets-operator-helm\" cannot get resource \"ingresses\" in API group \"networking.k8s.io\" in the namespace \"sealed-secrets\"","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\tpkg/mod/github.com/go-logr/[email protected]/zapr.go:128\ngithub.com/operator-framework/operator-sdk/pkg/helm/controller.HelmOperatorReconciler.Reconcile\n\tsrc/github.com/operator-framework/operator-sdk/pkg/helm/controller/reconcile.go:197\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tpkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:256\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tpkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\tpkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211\nk8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\tpkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\tpkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153\nk8s.io/apimachinery/pkg/util/wait.Until\n\tpkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88"}
{"level":"error","ts":1631867415.8357806,"logger":"controller-runtime.controller","msg":"Reconciler error","controller":"sealedsecretcontroller-controller","request":"sealed-secrets/sealed-secret-controller","error":"failed to install release: rendered manifests contain a resource that already exists. Unable to continue with install: could not get information about the resource: ingresses.networking.k8s.io \"sealed-secret-controller-sealed-secrets\" is forbidden: User \"system:serviceaccount:sealed-secrets:sealed-secrets-operator-helm\" cannot get resource \"ingresses\" in API group \"networking.k8s.io\" in the namespace \"sealed-secrets\"","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\tpkg/mod/github.com/go-logr/[email protected]/zapr.go:128\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tpkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:258\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tpkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\tpkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211\nk8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\tpkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\tpkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153\nk8s.io/apimachinery/pkg/util/wait.Until\n\tpkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88"}
When the operator from OperatorHub is installed in multiple namespaces and CR instances are created in their respective namespaces. The instances fail with the following error
failed to install release: rendered manifests contain a resource that already exists. Unable to continue with install: existing resource conflict: namespace: , name: sealedsecrets.bitnami.com, existing_kind: apiextensions.k8s.io/v1beta1, Kind=CustomResourceDefinition, new_kind: apiextensions.k8s.io/v1beta1, Kind=CustomResourceDefinition
Steps to reproduce:
foo. Install the operator in namespace foo and create the CR in foobar. Install the operator in namespace bar and create the CR in barOperator Version: 0.0.2
Environment: OpenShift 4.6
On OpenShift the sealed secrets resource is not aggregated to the admin cluster role. This prevents service accounts (eg Argo CD) from managing sealed secret resources even though they have admin privileges in that namespace This could be achieved by adding the label
"rbac.authorization.k8s.io/aggregate-to-admin": "true",
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.