Create a secret for the license, rather than using (only) a flag (for the operator)

[alexellis]

Create a secret for the inlets-pro license, rather than using (only) a flag

Expected Behaviour

The license should be read from a file as not to leak the value in kubectl get deploy inlets-operator

Current Behaviour

The license is shown in the deployment and via helm install when it's passed as a flag.

Possible Solution

Using a secret, like we do for the API access token would make sense.

A change in the arkade app for the inlets-operator would also be required.

This is where the license is being read as an arg:

https://github.com/inlets/inlets-operator/blob/master/main.go#L79

Here is an example of reading a file (name passed via flag):

https://github.com/inlets/inlets-operator/blob/master/main.go#L74

And here is the helm chart to update:

https://github.com/inlets/inlets-operator/blob/master/chart/inlets-operator/templates/deployment.yaml#L36

Add an if statement and attach a volume in the same way as we do for a secret when the file is given instead of a literal value.

[alexellis]

/add label: help wanted

[Waterdrips]

/assign: me

Ill raise an issue on arkade to switch to this too

[alexellis]

Thanks Alistair

[alexellis]

Hi @Waterdrips did you have a chance to start this yet?

[Waterdrips]

Spent the weekend fighting my RPis and net booting.

Ill start working on this this evening if thats ok.

[alexellis]

Sounds good. Hope you won 😁

[alexellis]

@viveksyngh do you want to take a look?

[viveksyngh]

/derek assign me

[viveksyngh]

@alexellis I was thinking if we can create a secret with the licence and then using secret name as input to the the controller. Which will be read by the controller to the read the secret and also set a watch for that, so in case if this get's updated controller will reconcile all objects.

[alexellis]

Part 1a is just changing the helm chart to use a secret name/reference instead of a literal value, but keeping backwards compatibility. Part 1b is changing the arkade app to create the new secret and instruct the helm chart to use it.

See how we do that for arkade and openfaas - https://github.com/alexellis/arkade/blob/master/cmd/apps/openfaas_app.go#L126

Part 2 is more along the lines of what you're saying. We may need one master secret per namespace with the license in it, or one new license secret per client.