
feat: add infisical k8s auth with Client JWT as Reviewer JWT Token support (#5168)

* add infisical k8s auth with Client JWT as Reviewer JWT Token

Signed-off-by: Christophe Jauffret <reg-github@geo6.net>

* update value schema

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: Christophe Jauffret <reg-github@geo6.net>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Christophe Jauffret 7 months ago
parent
commit
fe685ed617

+ 1 - 0
deploy/charts/external-secrets/README.md

@@ -189,6 +189,7 @@ The command removes all the Kubernetes components associated with the chart and
 | serviceMonitor.renderMode | string | `"skipIfMissing"` | How should we react to missing CRD "`monitoring.coreos.com/v1/ServiceMonitor`" Possible values: - `skipIfMissing`: Only render ServiceMonitor resources if CRD is present, skip if missing. - `failIfMissing`: Fail Helm install if CRD is not present. - `alwaysRender` : Always render ServiceMonitor resources, do not check for CRD. @schema enum: - skipIfMissing - failIfMissing - alwaysRender @schema |
 | serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
 | strategy | object | `{}` | Set deployment strategy |
+| systemAuthDelegator | bool | `false` | If true the system:auth-delegator ClusterRole will be added to RBAC |
 | tolerations | list | `[]` |  |
 | topologySpreadConstraints | list | `[]` |  |
 | webhook.affinity | object | `{}` |  |

+ 17 - 0
deploy/charts/external-secrets/templates/rbac.yaml

@@ -404,3 +404,20 @@ rules:
     - "watch"
 {{- end }}
 {{- end }}
+{{- if .Values.systemAuthDelegator }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-auth-delegator
+  labels:
+    {{- include "external-secrets.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "external-secrets.serviceAccountName" . }}
+    namespace: {{ template "external-secrets.namespace" . }}
+{{- end }}
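Review bot: The new ClusterRoleBinding is emitted after the two closing `{{- end }}` lines of the preceding rules, so it is gated only on `.Values.systemAuthDelegator` and not on whatever condition those earlier RBAC resources live under; the enclosing block starts outside the hunk, so this is inferred, but if the chart has an `rbac.create`-style switch the new block should be nested under it as well, otherwise users who manage RBAC externally get an unexpected cluster-wide binding. Binding `system:auth-delegator` lets the controller's ServiceAccount submit TokenReview and SubjectAccessReview requests for the whole cluster, which is worth stating in the template since the value comment does not say what the binding is for; a one-line template comment such as `{{/* Grants TokenReview/SubjectAccessReview; only needed for Infisical k8s auth with a client JWT as reviewer token */}}` above the `---` would do. Minor style point: line 56 uses `include "external-secrets.serviceAccountName"` while line 57 uses `template "external-secrets.namespace"`; the chart's other lines in this hunk use `include`, so `namespace: {{ include "external-secrets.namespace" . }}` keeps the two subject fields consistent.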

+ 36 - 0
deploy/charts/external-secrets/tests/rbac_test.yaml

@@ -30,3 +30,39 @@ tests:
           kind: ClusterRole
           path: metadata.name
           value: RELEASE-NAME-external-secrets-edit
+  - it: should not create auth delegator ClusterRoleBinding by default
+    documentSelector:
+      path: kind
+      value: ClusterRoleBinding
+    asserts:
+      - notEqual:
+          path: metadata.name
+          value: RELEASE-NAME-external-secrets-auth-delegator
+
+  - it: should create auth delegator ClusterRoleBinding when systemAuthDelegator is true
+    set:
+      systemAuthDelegator: true
+    documentSelector:
+      path: metadata.name
+      value: RELEASE-NAME-external-secrets-auth-delegator
+    asserts:
+      - isKind:
+          of: ClusterRoleBinding
+      - equal:
+          path: roleRef.apiGroup
+          value: rbac.authorization.k8s.io
+      - equal:
+          path: roleRef.kind
+          value: ClusterRole
+      - equal:
+          path: roleRef.name
+          value: system:auth-delegator
+      - equal:
+          path: subjects[0].kind
+          value: ServiceAccount
+      - equal:
+          path: subjects[0].name
+          value: RELEASE-NAME-external-secrets
+      - equal:
+          path: subjects[0].namespace
+          value: NAMESPACE
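Review bot: The default-case test does not directly assert that the delegator binding is absent: it selects a `ClusterRoleBinding` document by kind and checks that its `metadata.name` is something else, which presumably passes only because the chart already renders another ClusterRoleBinding by default. If that other binding were renamed or made conditional, the selector would pick up the delegator binding (or nothing) and the test would fail for an unrelated reason rather than report the real regression. A negative `containsDocument` assertion (with `not: true`) keyed on `kind`, `apiVersion` and the `RELEASE-NAME-external-secrets-auth-delegator` name, evaluated over all rendered documents without a `documentSelector`, would state the intent directly. In the enabled-case test, a `lengthEqual` check that `subjects` has exactly one entry would also pin the binding to the single controller ServiceAccount.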

+ 3 - 0
deploy/charts/external-secrets/values.schema.json

@@ -692,6 +692,9 @@
         "strategy": {
             "type": "object"
         },
+        "systemAuthDelegator": {
+            "type": "boolean"
+        },
         "tolerations": {
             "type": "array"
         },

+ 3 - 0
deploy/charts/external-secrets/values.yaml

@@ -82,6 +82,9 @@ scopedRBAC: false
 # -- If true the OpenShift finalizer permissions will be added to RBAC
 openshiftFinalizers: true
 
+# -- If true the system:auth-delegator ClusterRole will be added to RBAC
+systemAuthDelegator: false
+
 # -- if true, the operator will process cluster external secret. Else, it will ignore them.
 processClusterExternalSecret: true
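Review bot: The new value's comment says the ClusterRole "will be added to RBAC" but not what it grants or when it is needed, which matters because this is a cluster-scoped permission that is off by default. Since the README row on the `# --` comment is generated from this line, a fuller comment would reach both places, e.g. `# -- If true, bind the built-in system:auth-delegator ClusterRole to the controller ServiceAccount.` followed by `# This allows cluster-wide TokenReview/SubjectAccessReview requests; only needed for Infisical Kubernetes auth using a client JWT as the reviewer token.`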