
Custom CA repo secret is not accessible by regular users.

Open yug0slav opened this issue 2 years ago • 2 comments

Describe the bug: The regular user gets a secret permission error when attempting to deploy from a kubeapps repo configured with a custom CA (even with the skip TLS verify flag). It works fine if I skip TLS verify and don't set up a CA at all.

To Reproduce Steps to reproduce the behavior:

  1. create apprepo with custom CA
  2. login as regular user
  3. attempt to deploy from repo
  4. See error
An error occurred: Unable to create the installed package for the package "test-repo/nginx" using the plugin "helm.packages": rpc error: code = Unauthenticated desc = Missing permissions rpc error: code = Internal desc = Unable to fetch app repo "test-repo" from namespace "kubeapps": unable to read secret "apprepo-test-repo-secrets": secrets "apprepo-test-repo-secrets" is forbidden: User "oidc/testuser" cannot get resource "secrets" in API group "" in the namespace "kubeapps"

Expected behavior Correct RBAC and/or skip TLS verification.

Screenshots If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • Version 2.4.6
  • Kubernetes version v1.21.2
  • Package version kubeapps-10.2.0

Additional context Add any other context about the problem here.

yug0slav avatar Sep 08 '22 15:09 yug0slav

Hello,

We are having the same issue on a Rancher installation

Missing permissions internal: Unable to fetch app repo "datahub-repo" from namespace "kubeapps": unable to read secret "apprepo-datahub-repo-secrets": secrets "apprepo-datahub-repo-secrets" is forbidden: User "xxxxxxx" cannot get resource "secrets" in API group "" in the namespace "kubeapps".

We had to make the following changes in order to make it work (manual changes):

For role: {{ printf "%s-repositories-write" .Release.Name }}

  • add "get" verb for "secrets" (it has only "create" https://github.com/vmware-tanzu/kubeapps/blob/main/chart/kubeapps/templates/apprepository/rbac.yaml#L153)

For ClusterRole: {{ printf "kubeapps:%s:apprepositories-read" .Release.Namespace | quote }}

  • add "secrets" resources with "get" verb (it is only apprepositories resource - https://github.com/vmware-tanzu/kubeapps/blob/main/chart/kubeapps/templates/apprepository/rbac.yaml#L171)

Please help us with this change.

Thank you!
Cristi Vlad

cristi-vlad avatar May 27 '24 15:05 cristi-vlad
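Added example, not code from the Kubeapps chart or from anyone in this thread: the workaround above adds "get" on "secrets" without a name filter, which lets every subject bound to that role read all Secrets in the kubeapps namespace, so this manifest shows the same grant limited to one repository secret with `resourceNames`. The secret, namespace and user names are taken from the error message in the original report; the Role and RoleBinding names are hypothetical.

```yaml
# Broad form described in the comment above (for comparison, not applied here):
#   - apiGroups: [""]
#     resources: ["secrets"]
#     verbs: ["create", "get"]      # "get" now covers every Secret in the namespace
#
# Narrower form: read access to the single secret backing the "test-repo"
# AppRepository, for the one user that needs to deploy from it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: apprepo-test-repo-secret-reader    # hypothetical name
  namespace: kubeapps
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["apprepo-test-repo-secrets"]   # name from the reported error
    verbs: ["get"]                                  # no list/watch: those cannot be limited this way for bulk reads
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: apprepo-test-repo-secret-reader    # hypothetical name
  namespace: kubeapps
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: "oidc/testuser"                   # user from the reported error
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: apprepo-test-repo-secret-reader
```

After applying it, `kubectl auth can-i get secret/apprepo-test-repo-secrets -n kubeapps --as oidc/testuser` should answer yes, while the same query for any other secret name in the namespace should still answer no.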

Hi! Thanks for the input! All the changes in the chart can be proposed via PR in the bitnami/charts repo instead. This way, they will get released sooner.

antgamdia avatar May 27 '24 19:05 antgamdia