We take security very seriously. If you believe you have found a security issue, please report it to our security team by contacting us at security@infrahq.com.
Introduction
Infra is identity and access management for your cloud infrastructure. It puts the power of fine-grained access to infrastructure like Kubernetes in your hands via existing identity providers such as Okta, Google Accounts, Azure Active Directory and more.
Features:
- Single-command access: infra login
- No more out-of-sync user configurations
- Fine-grained role assignment
- Onboard and offboard users via Okta (Azure AD, Google, GitHub coming soon)
- Audit logs for who did what, when (coming soon)
Quickstart
Prerequisites:
Follow the Okta guide to set up Okta for Infra. You'll need:
- Okta domain
- Okta client ID
- Okta client secret
- Okta API token
# example values.yaml
---
config:
  providers:
    - kind: okta
      # Update with values from above
      # Values can be securely loaded from different secret managers (e.g. Kubernetes secrets)
      # or in plaintext (not recommended for production). See https://github.com/infrahq/infra/blob/main/docs/secrets.md
      domain: <Okta domain>
      clientID: <Okta client id>
      clientSecret: <Okta client secret>
      apiToken: <Okta api token>
  groups:
    # Grants the "Everyone" Okta group read-only access
    # to the default namespace of your Kubernetes cluster
    - name: Everyone
      provider: okta
      roles:
        - kind: cluster-role
          name: view
          destinations:
            - name: <cluster name> # cluster name in your cloud provider
              kind: kubernetes
              namespaces:
                - default
See the Helm Chart reference for a complete list of options configurable through Helm.
Note: Infra uses Secrets to securely load secrets.
Using plaintext secrets is not recommended. Consider using another supported secret type.
Install Infra
helm repo add infrahq https://helm.infrahq.com/
helm repo update
helm upgrade --install -n infrahq --create-namespace -f values.yaml infra infrahq/infra
Install Infra CLI
macOS
brew install infrahq/tap/infra
Windows
scoop bucket add infrahq https://github.com/infrahq/scoop.git
scoop install infra
Linux
# Ubuntu & Debian
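# sudo does not apply to a shell redirect, so the file is written with tee instead.
# [trusted=yes] makes apt skip signature verification for this repository.
echo 'deb [trusted=yes] https://apt.fury.io/infrahq/ /' | sudo tee /etc/apt/sources.list.d/infrahq.list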
sudo apt update
sudo apt install infra
# Fedora & Red Hat Enterprise Linux
sudo dnf config-manager --add-repo https://yum.fury.io/infrahq/
sudo dnf install infra
Access Your Infrastructure
You will need to get your Infra endpoint. This step will be different depending on your Service type.
Ingress
INFRA_HOST=$(kubectl -n infrahq get ingress -l infrahq.com/component=infra -o jsonpath="{.items[].status.loadBalancer.ingress[*]['ip', 'hostname']}")
LoadBalancer
Note: It may take a few minutes for the LoadBalancer endpoint to be assigned. You can watch the status of the service with:
kubectl -n infrahq get services -l infrahq.com/component=infra -w
INFRA_HOST=$(kubectl -n infrahq get services -l infrahq.com/component=infra -o jsonpath="{.items[].status.loadBalancer.ingress[*]['ip', 'hostname']}")
ClusterIP
CONTAINER_PORT=$(kubectl -n infrahq get services -l infrahq.com/component=infra -o jsonpath="{.items[].spec.ports[0].port}")
kubectl -n infrahq port-forward services/infra 8080:$CONTAINER_PORT &
INFRA_HOST='localhost:8080'
Once you have your Infra host, it is time to log in.
infra login
Follow the instructions on screen to complete the login process.
See the Infra CLI reference for more ways to use infra.
Next Steps
Connect Additional Identity Providers
Connect Additional Infrastructure Destinations
Upgrade Infra
helm repo update
helm upgrade --install -n infrahq -f values.yaml infra infrahq/infra
We take security very seriously. If you have found a security vulnerability, please disclose it privately to us by email via security@infrahq.com.