Comments (9)
Yes, but the resourcegroup is needed for non-CF.
from cloud-operators.
Some more details on the design we discussed with @vazirim:
- We can maintain back compatibility with the current design by adding a configuration parameter in the `seed-defaults` config (`secrets-namespace`).
- If `secrets-namespace` is not specified we look first in the namespace of the resource being created, and if no `seed-secret` is found there, we fall back to the `default` namespace to look for `seed-secret` there.
- If `secrets-namespace` is specified, and no `seed-secret` is found in the namespace for the resource being created, then we look for a secret with name `seed-secret-<resource-namespace>` in the namespace indicated by `secrets-namespace`.
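The lookup order described in the comment above, as an added example in Go that is not code from the cloud-operators project: an in-memory stand-in for the Kubernetes API and a resolver that applies the three rules in order. The ConfigMap key name `secrets-namespace`, the management namespace `ibmcloud-system`, the tenant namespaces and the secret contents are all constructed for this example; reading `seed-defaults` only from the resource's own namespace, with a missing ConfigMap treated as "not specified", is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Names from the design in the thread. The ConfigMap key that carries the
// management namespace is assumed to be "secrets-namespace".
const (
	seedDefaults = "seed-defaults"
	seedSecret   = "seed-secret"
	secretsNSKey = "secrets-namespace"
	defaultNS    = "default"
)

// ErrNoSeedSecret is returned when no candidate secret exists.
var ErrNoSeedSecret = errors.New("no seed-secret found for resource namespace")

// nsKey identifies a namespaced Kubernetes object.
type nsKey struct {
	Namespace, Name string
}

// Cluster is an in-memory stand-in for the Kubernetes API, constructed for
// this example; the real operator would query the API server instead.
type Cluster struct {
	ConfigMaps map[nsKey]map[string]string
	Secrets    map[nsKey]map[string][]byte
}

// ResolveSeedSecret returns the secret a Service or Binding created in
// resourceNS should use, applying the lookup order from the thread:
//  1. seed-secret in the resource's own namespace;
//  2. if seed-defaults in that namespace does not set secrets-namespace,
//     seed-secret in the default namespace (the old behaviour);
//  3. otherwise seed-secret-<resourceNS> in the namespace named by
//     secrets-namespace.
func (c *Cluster) ResolveSeedSecret(resourceNS string) (nsKey, error) {
	own := nsKey{resourceNS, seedSecret}
	if _, ok := c.Secrets[own]; ok {
		return own, nil
	}

	// seed-defaults is read from the resource namespace only; a missing
	// ConfigMap (nil map) reads as "secrets-namespace not specified".
	cfg := c.ConfigMaps[nsKey{resourceNS, seedDefaults}]
	secretsNS := cfg[secretsNSKey]

	if secretsNS == "" {
		fallback := nsKey{defaultNS, seedSecret}
		if _, ok := c.Secrets[fallback]; ok {
			return fallback, nil
		}
		return nsKey{}, fmt.Errorf("%w: %s", ErrNoSeedSecret, resourceNS)
	}

	// The secret name is derived from the caller's namespace, never from
	// user input, so a resource in tenant-a can only reach seed-secret-tenant-a.
	mgmt := nsKey{secretsNS, seedSecret + "-" + resourceNS}
	if _, ok := c.Secrets[mgmt]; ok {
		return mgmt, nil
	}
	return nsKey{}, fmt.Errorf("%w: %s", ErrNoSeedSecret, resourceNS)
}

// exampleCluster builds constructed sample data covering each branch.
func exampleCluster() *Cluster {
	return &Cluster{
		ConfigMaps: map[nsKey]map[string]string{
			// tenant-a, tenant-b and tenant-c are served from a management namespace.
			{"tenant-a", seedDefaults}: {secretsNSKey: "ibmcloud-system", "resourcegroup": "rg-a"},
			{"tenant-b", seedDefaults}: {secretsNSKey: "ibmcloud-system", "resourcegroup": "rg-b"},
			{"tenant-c", seedDefaults}: {secretsNSKey: "ibmcloud-system"},
			// legacy has no secrets-namespace, so it keeps the old fallback.
			{"legacy", seedDefaults}: {"org": "myorg", "space": "dev"},
		},
		Secrets: map[nsKey]map[string][]byte{
			{"tenant-a", seedSecret}:                      {"api-key": []byte("constructed-key-a")},
			{"ibmcloud-system", seedSecret + "-tenant-b"}: {"api-key": []byte("constructed-key-b")},
			{defaultNS, seedSecret}:                       {"api-key": []byte("constructed-default-key")},
		},
	}
}

func main() {
	c := exampleCluster()
	for _, ns := range []string{"tenant-a", "tenant-b", "tenant-c", "legacy"} {
		key, err := c.ResolveSeedSecret(ns)
		if err != nil {
			fmt.Printf("%-9s -> error: %v\n", ns, err)
			continue
		}
		fmt.Printf("%-9s -> %s/%s\n", ns, key.Namespace, key.Name)
	}
}
```

Running it shows `tenant-a` resolving to its own secret, `tenant-b` to `ibmcloud-system/seed-secret-tenant-b`, `legacy` to `default/seed-secret`, and `tenant-c` failing rather than being handed another tenant's key, which is the isolation property the per-namespace naming buys in the management-namespace mode.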
@pdettori Just curious, are the names `seed-secret` and `seed-defaults` configurable? If we put them into the end user's namespace where the service/bind resource is being created, I would like to use a more explicit name, i.e. `secret-ibm-cloud-operator` and `config-ibm-cloud-operator`, to avoid deletion by the end user.
@cdlliuy Sure, we can rename.
Just to be clear, every namespace will still need a seed-default configmap, because this is what will tell us where to look for the secret. It will also contain the context (org/space/resource group) corresponding to that namespace.
I guess the org/space is optional, right? It is a concept for CF.
@pdettori After some thinking, I think we may reconsider the design. One major concern is security.
From a security perspective, an IBM service cannot store any customer-sensitive information. So Coligo cannot store a customer API key in a system namespace; it could only be in the customer's namespace.
So far I do not have a good idea how to resolve the problem. I suggest we hold on and use seed-secret in the user's namespace, which is open to all namespace users. I will follow up on this issue later after discussing with more people to get feedback.
What do you think? Thank you.
@ZhuangYuZY Yes, I can see how this makes sense from a security perspective. If there is a concern about users accessing the IAM API key from the secret, one possible approach is to give the IAM API key only the minimum permissions required to create IBM Cloud services.
Yes, we are now working on creating a service ID with the minimum permissions needed to create IBM Cloud services and credentials. But it seems the IBM Cloud Operator cannot work well with a service ID, so we created issue #98 to track it. It will be a priority for us.
Thank you.
Fixed in v0.1.7