feat: allow user impersonation (#182)

* feat: allow user impersonation * fix: allows self patching and better logs * Update package-lock.json * fix: null annotation bug * docs: update readme
razee-io · Feb 4, 2021 · 0753e28 · 0753e28
1 parent 0d4d6ac
commit 0753e28
Show file tree

Hide file tree

Showing 4 changed files with 118 additions and 79 deletions.
diff --git a/README.md b/README.md
@@ -24,6 +24,8 @@ metadata:
   name: <remote_resource_name>
   namespace: <namespace>
 spec:
+  clusterAuth:
+    impersonateUser: razeedeploy
   requests:
     - options:
         url: https://<source_repo_url>/<file_name1>
@@ -54,11 +56,45 @@ spec:
   type: object
   required: [requests]
   properties:
+    clusterAuth:
+      type: object
+      ...
     requests:
       type: array
       ...
 ```
 
+### User Impersonation
+
+**Path:** `.spec.clusterAuth.impersonateUser`
+
+**Description:** Impersonates a user for the given resource. This includes all
+actions the controller must make related to the resource (fetching envs, getting
+resources, applying resources, etc.). The RazeeDeploy resource must be created in
+the razeedeploy namespace in order to use impersonateUser, all other namespaces
+will ignore impersonateUser and default to the razeedeploy user (eg. no user impersonation).
+ImpersonateUser only applies to the single RazeeDeploy resource that it has been
+added to.
+
+**Note:**: If cluster owners want to prevent users, with direct cluster access, from
+using user-impersonation, they should prevent those users from creating RazeeDeploy
+resources in the razeedeploy namespace. In the future we will have an Admission
+Controller that should improve security and eliminate the need for the razeedeploy
+namespace scoping. [razeedeploy-core #189](https://github.com/razee-io/razeedeploy-core/issues/189)
+
+**Schema:**
+
+```yaml
+properties:
+  clusterAuth:
+    type: object
+    properties:
+      impersonateUser:
+        type: string
+```
+
+**Default:** `'razeedeploy'`
+
 ### Request Options
 
 **Path:** `.spec.requests[].options`

diff --git a/kubernetes/RemoteResource/resource.yaml b/kubernetes/RemoteResource/resource.yaml
@@ -122,6 +122,11 @@ items:
               type: object
               required: [requests]
               properties:
+                clusterAuth:
+                  type: object
+                  properties:
+                    impersonateUser:
+                      type: string
                 requests:
                   type: array
                   items:

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -42,8 +42,8 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@razee/kubernetes-util": "^0.1.6",
-    "@razee/razeedeploy-core": "^0.10.3",
+    "@razee/kubernetes-util": "0.2.0",
+    "@razee/razeedeploy-core": "0.11.3",
     "bunyan": "^1.8.14",
     "clone": "^2.1.2",
     "request-promise-native": "^1.0.9"