Merge pull request #31 from stakater/enhancement/26

Enhancement/26

Author: kahootali

README.md

@@ -25,7 +25,7 @@ For now the ProxyInjector only supports [Keycloak Gatekeeper](https://github.com
 The following quickstart let's you set up ProxyInjector:
 
 1. Add configuration to the ProxyInjector
-    The following arguments can either be added to the proxy injector `config.yaml` in the ConfigMap for centralized configuration,
+    The following arguments can either be added to the proxy injector `config.yaml` in the ConfigMap/Secret for centralized configuration,
      or as annotations on the individual target deployments with a `authproxy.stakater.com/` prefix. In case of both,
      the deployment annotation values will override the central configuration. 
 
@@ -40,6 +40,8 @@ The following quickstart let's you set up ProxyInjector:
 
 The rest of the available options can be found at the [Keycloak Gatekeeper documentation](https://www.keycloak.org/docs/latest/securing_apps/index.html#configuration-options)
 
+Note 1: See the section `Using Secrets` below if you do not want to use ConfigMap (because `client-id` and `client-secret` in plain text) and want to use Secrets to hide them.
+
 2. Deploy the controller by running the following command:
 
     For Kubernetes Cluster using kubectl
@@ -58,6 +60,41 @@ The rest of the available options can be found at the [Keycloak Gatekeeper docum
     The `authproxy.stakater.com/listen` annotation or the `listen` property in the ProxyInjector ConfigMap should
     specify where the proxy sidecar will listen for incoming requests, e.g. "0.0.0.0:80" i.e. local port 80
 
+
+### Using Secrets
+
+To use secrets:
+    
+  1. Open [values.yaml](https://github.com/stakater/ProxyInjector/blob/master/deployments/kubernetes/chart/proxyinjector/values.yaml) file by navigating to `deployments/kubernetes/chart/proxyinjector/`
+  
+  2. Set `mount` equals to `"secret"` and pass the data in the data section at the bottom.
+  
+  3. Run `helm template . > proxyinjector.yaml`
+  
+  4. Deploy using the `Deploying` section below.
+
+### Using ConfigMap
+
+To pass user credentials/ API keys in secrets:
+     
+  1. Open [values.yaml](https://github.com/stakater/ProxyInjector/blob/master/deployments/kubernetes/chart/proxyinjector/values.yaml) file by navigating to `deployments/kubernetes/chart/proxyinjector/`
+  
+  2. Set `mount` equals to `"configmap"` and pass the data in the data section at the bottom.
+  
+  3. Run `helm template . > proxyinjector.yaml`
+  
+  4. Deploy using the `Deploying` section below.
+
+### Deploying
+
+You can deploy the controller in the namespace you want to monitor by running the following kubectl command:
+
+```bash
+kubectl apply -f proxyinjector.yaml -n <namespace>
+```
+
+*Note*: Before applying `proxyinjector.yaml`, You need to modify the namespace in the `RoleBinding` subjects section to the namespace you want to apply RBAC to.
+
 ## Help
 
 ### Documentation

deployments/kubernetes/chart/proxyinjector/templates/configmap.yaml

@@ -1,3 +1,4 @@
+{{- if eq .Values.proxyinjector.mount "configmap" }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -11,5 +12,5 @@ metadata:
     heritage: {{ .Release.Service | quote }}
   name: {{ template "proxyinjector-name" . }}
 data:
-  config.yml:
-{{ toYaml .Values.proxyinjector.proxyconfig | indent 4 }}
+{{ toYaml .Values.proxyinjector.data | indent 2 }}
+{{- end }}

deployments/kubernetes/chart/proxyinjector/templates/deployment.yaml

@@ -39,7 +39,12 @@ spec:
             name: config-volume
       serviceAccountName: {{ template "proxyinjector-name" . }}
       volumes:
+      {{- if eq .Values.proxyinjector.mount "secret" }}
+      - secret:
+          secretName: {{ template "proxyinjector-name" . }}
+      {{ else }}
       - configMap:
           name: {{ template "proxyinjector-name" . }}
+      {{- end }}
         name: config-volume
 

deployments/kubernetes/chart/proxyinjector/templates/secrets.yaml

@@ -0,0 +1,19 @@
+{{- if eq .Values.proxyinjector.mount "secret" }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  labels:
+    app: {{ template "proxyinjector-name" . }}
+    version: {{ .Chart.Version }}
+    group: {{ .Values.proxyinjector.labels.group }}
+    provider: {{ .Values.proxyinjector.labels.provider }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  name: {{ template "proxyinjector-name" . }}
+data:
+{{- range $key, $value := .Values.proxyinjector.data }}
+  {{ $key }}: {{ $value | b64enc }}
+{{- end }}
+{{- end }}

deployments/kubernetes/chart/proxyinjector/values.yaml

@@ -2,6 +2,7 @@ kubernetes:
   host: https://kubernetes.default
 
 proxyinjector:
+  mount: "configmap"
   tolerations: {}
   labels:
     provider: stakater
@@ -13,18 +14,20 @@ proxyinjector:
     pullPolicy: IfNotPresent
   watchGlobally: true
   configFilePath: /etc/ProxyInjector
-  proxyconfig: |-
-    gatekeeper-image : "keycloak/keycloak-gatekeeper:6.0.1"
-    enable-default-deny: true
-    secure-cookie: false
-    verbose: true
-    enable-logging: true
-    cors-origins:
-    - '*'
-    cors-methods:
-    - GET
-    - POST
-    resources:
-    - uri: '/*'
-    scopes:
-    - 'good-service'
+  data:
+    config.yml: |-
+      proxyconfig:
+        gatekeeper-image: "keycloak/keycloak-gatekeeper:6.0.1"
+        enable-default-deny: true
+        secure-cookie: false
+        verbose: true
+        enable-logging: true
+        cors-origins:
+        - '*'
+        cors-methods:
+        - GET
+        - POST
+        resources:
+        - uri: '/*'
+        scopes:
+        - 'good-service'