diff --git a/README.md b/README.md
index eacd941..1b3f42c 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,32 @@
 # dvls-kubernetes-operator
-// TODO(user): Add simple overview of use/purpose
+:warning: **This operator is a work in progress, expect breaking changes between releases** :warning:
+
+Operator to sync Devolutions Server `Credential Entry - Username / Password` entries as Kubernetes Secrets
 ## Description
-// TODO(user): An in-depth paragraph about your project and overview of use
+This operator uses the defined custom resource DvlsSecret which manages its own Kubernetes Secret and will keep itself up to date at a defined interval (every minute by default).
+The Docker image can be found [here](https://hub.docker.com/r/devolutions/dvls-kubernetes-operator).
+
+### Operator configuration
+The following Environment Variables can be used to configure the operator :
+- `DEVO_OPERATOR_DVLS_BASEURI` (required) - DVLS instance base URI
+- `DEVO_OPERATOR_DVLS_APPID` (required) - DVLS Application ID
+- `DEVO_OPERATOR_DVLS_APPSECRET` (required) - DVLS Application Secret
+- `DEVO_OPERATOR_REQUEUE_DURATION` (optional) - Entry/Secret resync interval (default 60s). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+
+A sample of the custom resource can be found [here](https://github.com/Devolutions/dvls-kubernetes-operator/blob/master/config/samples/dvls_v1alpha1_dvlssecret.yaml).
+The entry ID can be fetched by going in the entry properties, `Advanced -> Session ID`.
+
+### Devolutions Server configuration
+We recommend creating an [Application ID](https://helpserver.devolutions.net/webinterface_applications.html?q=application) specifically to be used with the Operator that has [minimal access to a vault](https://helpserver.devolutions.net/vaults_applications.html?q=application) that only contains the secrets to be synchronized.
+
+Only `Credential Entry - Username / Password` entries are supported at the moment. The following entry data is available per secret :
+- entry name
+- username
+- password
+
+### Kubernetes configuration
+Since this operator uses Kubernetes Secrets, it is recommended that you follow [best practices](https://kubernetes.io/docs/concepts/security/secrets-good-practices/) surrounding secrets, especially [encryption at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
 ## Getting Started
 You’ll need a Kubernetes cluster to run against. You can use [KIND](https://sigs.k8s.io/kind) to get a local cluster for testing, or run against a remote cluster.
@@ -42,7 +66,6 @@ make undeploy
 ```
 ## Contributing
-// TODO(user): Add detailed information on how you would like others to contribute to this project
 ### How it works
 This project aims to follow the Kubernetes [Operator pattern](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/)
diff --git a/api/v1alpha1/dvlssecret_types.go b/api/v1alpha1/dvlssecret_types.go
index f37c3a4..51cf401 100644
--- a/api/v1alpha1/dvlssecret_types.go
+++ b/api/v1alpha1/dvlssecret_types.go
@@ -29,8 +29,6 @@ type DvlsSecretSpec struct {
 // Important: Run "make" to regenerate code after modifying this file
 EntryID string `json:"entryId"` // entry id on dvls
- // SecretName string `json:"secretName"` // secret name on kubernetes
- // Namespace string `json:"namespace"` // secret namespace on kubernetes
 }
 // DvlsSecretStatus defines the observed state of DvlsSecret
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 14f4c8e..666203d 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -58,13 +58,8 @@ spec:
 # - linux
 securityContext:
 runAsNonRoot: true
- # TODO(user): For common cases that do not require escalating privileges
- # it is recommended to ensure that all your Pods/Containers are restrictive.
- # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
- # Please uncomment the following code if your project does NOT have to work on old Kubernetes
- # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
- # seccompProfile:
- # type: RuntimeDefault
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - command:
 - /manager
@@ -89,14 +84,11 @@ spec:
 port: 8081
 initialDelaySeconds: 5
 periodSeconds: 10
- # TODO(user): Configure the resources accordingly based on the project requirements.
- # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 resources:
 limits:
- cpu: 500m
 memory: 128Mi
 requests:
- cpu: 10m
+ cpu: 100m
 memory: 64Mi
 env:
 - name: DEVO_OPERATOR_DVLS_APPID
diff --git a/config/samples/dvls_v1alpha1_dvlssecret.yaml b/config/samples/dvls_v1alpha1_dvlssecret.yaml
index dc66e1c..5badd44 100644
--- a/config/samples/dvls_v1alpha1_dvlssecret.yaml
+++ b/config/samples/dvls_v1alpha1_dvlssecret.yaml
@@ -9,5 +9,4 @@ metadata:
 app.kubernetes.io/created-by: dvls-kubernetes-operator
 name: dvlssecret-sample
 spec:
- # TODO(user): Add fields here
- entryId: (entry id)
+ entryId: 00000000-0000-0000-0000-000000000000
diff --git a/controllers/dvlssecret_controller.go b/controllers/dvlssecret_controller.go
index 9f6dcc0..d4c7ac2 100644
--- a/controllers/dvlssecret_controller.go
+++ b/controllers/dvlssecret_controller.go
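Review bot: The added `seccompProfile: type: RuntimeDefault` sits on the pod-level securityContext next to `runAsNonRoot: true`, but the restricted Pod Security Standard that the removed comment linked to also requires, on each container, `allowPrivilegeEscalation: false` and `capabilities: drop: ["ALL"]`; the `- command: /manager` container entry is cut off at the end of the hunk, so confirm those fields are present there, otherwise a namespace enforcing `restricted` still rejects the manager pod. The removed comment was also the only place recording that this field needs Kubernetes >= 1.19 (OpenShift >= 4.11), and nothing else on the page states that minimum; consider keeping a one-line `# requires Kubernetes >= 1.19 / OpenShift >= 4.11` above `seccompProfile:` or noting it in the README's Kubernetes configuration section.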
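Review bot: The `cpu: 500m` limit is dropped and the request raised to `100m` in the same hunk that deletes the TODO asking for resources to be sized, so nothing in the manifest records that running without a CPU limit is intentional; a short comment above `resources:` would preserve that, e.g. `# no cpu limit by design (request only); memory stays capped at 128Mi` — the rationale is inferred, so adjust the wording to the real reason. Separately, the `env:` block that begins at the hunk's last line with `DEVO_OPERATOR_DVLS_APPID` is also where `DEVO_OPERATOR_DVLS_APPSECRET` from the README must be set; that part is outside the hunk, so confirm the secret is supplied via `valueFrom.secretKeyRef` rather than a literal `value:` so the DVLS application secret does not end up stored in the Deployment manifest.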
@@ -66,13 +66,6 @@ type DvlsSecretReconciler struct {
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
-// TODO(user): Modify the Reconcile function to compare the state specified by
-// the DvlsSecret object against the actual cluster state, and then
-// perform operations to make the cluster state reflect the state specified by
-// the user.
-//
-// For more details, check Reconcile and its Result here:
-// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.13.0/pkg/reconcile
 func (r *DvlsSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 log := log.FromContext(ctx)