run sealed-secrets controller for multiple namespaces #157
Comments
aliartiza75
changed the title
iow: You want to run sealed-secrets on a list of explicit namespaces? This can't be done using the existing code, but of course you could modify it to do so. You would need to watch each of the chosen namespaces separately (in separate goroutines), and then feed events into the existing workqueue.
The controller will run in any namespace you start it in. You can modify the controller.yaml file to specify any metadata.namespace you care to use. You will also need to change the namespace in the RBAC rules. An alternative is just to modify this line in the jsonnet, and then regenerate the YAML files (see the Makefile). Just to be clear, the controller will still watch for SealedSecrets in all namespaces, regardless of which namespace it runs from. |
Can't we do this using helm charts instead of modifying the code files? |
Yes. And you can also use kustomize (built-in feature in kubectl: |
|
closing this issue since it seems to me the questions have been answered. The main readme now mentions how to run sealed secrets in another namespace. We're also considering low-privilege self-service deployment for multi-tenant environments, will be tracked in #233. |
|
Same here! My customer has a large multi-tenant Redhat Openshift Cluster, and I won't get ClusterAdmin rights, just for a dozen namespaces. The sealedsecrets controller won't stop complaining about not having cluster-wide view of sealedsecrets. |
|
The controller has a flag: Set this to false (e.g. via the env var (If you cannot install extra RBAC rules we ship I thought we documented this but I see the readme doesn't mention it yet and the helm chart (which used to be community maintained until recently when it was merged here) too doesn't seem to support it. See #324 |
|
@ThomasVitt we'll track the issue about missing documentation in #501, let's move the conversation there |
|
@mkmik I want to bring up the discussion again :-) I would like to modify the code so that you can provide a list of namespaces which one controller can watch and unseal secrets into. This would be my first time contributing to a github project, can you tell me how we should proceed? Should I just provide the pull-request and discuss it with you guys? Thanks, Thomas |
|
Mybe we'd move the conversation to Issue #233 !? |
|
Yes or open another issue with the smaller scope (iirc #233 also covers the problem if installing CR definitions) |
Hello everyone,
Q1Is there a way to run this controller for multiple namespaces with these conditions:ClusterRole(because in this way it can access all the namespaces).Q2How can I run this controller for acustom namespace(by dynamically specifying its name usingenv var) because after looking at thecontroller.yamlfile, I found out that there is noenvvar is being passed to it except namespace specification inmetatdatafield?Need help in this regards
Thank you.
The text was updated successfully, but these errors were encountered: