Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Connection Secret: Use from other namespaces #501

Closed
thriqon opened this issue Dec 1, 2022 · 4 comments · Fixed by #700
Closed

Connection Secret: Use from other namespaces #501

thriqon opened this issue Dec 1, 2022 · 4 comments · Fixed by #700
Labels
enhancement New feature or request

Comments

@thriqon
Copy link

thriqon commented Dec 1, 2022

Is your feature request related to a problem? Please describe.
Managing an external, but centrally managed RabbitMQ cluster with applications in different namespaces (which should not be exposed to the admin credentials) is currently impossible.

Describe the solution you'd like
The connectionSecret reference should allow setting the namespace of the connection secret. Additionally, restrictions on the namespaces allowed to do so should be possible (with the same annotation as the cluster object?).

Describe alternatives you've considered
Copying the connection secret to all application namespaces is possible, but highly undesirable (due to management issues and admin password exposure).

Additional context
#294 introduced the connection secret from #135.
@MirahImage
Copy link
Member

Can you help us to better understand the problem you're trying to solve? Where is the RabbitMQ cluster located (in Kubernetes, elsewhere)? Are you trying to create users for a single RabbitMQ across multiple namespaces?

@thriqon
Copy link
Author

thriqon commented Dec 5, 2022

The cluster is external to Kubernetes. And yes, we are trying to use one cluster across multiple namespaces.

Crucially, the cluster is not managed by the Cluster Operator, which does have the option to use clusters cross-namespace.

@MirahImage MirahImage added the enhancement New feature or request label Dec 9, 2022
@MirahImage
Copy link
Member

We would rather not allow cross-namespace ability, as it breaks the namespace isolation that many of our users rely upon.

If you are concerned about replicating secrets across namespaces, secretgen controller can help with that.

If you are concerned about security, without additional controls such as admission webhooks (e.g. OPA validation), having the ability to create topology-operator users is equivalent to having admin user permissions on RabbitMQ, as it is possible to create a user with admin permissions via the topology operator.

@thriqon
Copy link
Author

thriqon commented Dec 12, 2022

I won't argue with you, as it is your project, but I am surprised about the isolation guarantees. The default way using the in-cluster StatefulSet does allow cross-namespace sharing, with support to specify and limit acceptable consumers.

Thanks anyway for your answer and an awesome project!

@thriqon thriqon closed this as completed Dec 12, 2022
@mindw mindw mentioned this issue Nov 13, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
2 participants
@thriqon @MirahImage