infra

command module
v0.5.10
Warning

This package is not in the latest version of its module.

Published: Mar 5, 2022 License: Apache-2.0 Imports: 2 Imported by: 0

README

We take security very seriously. If you believe you have found a security issue, please report it to our security team by contacting us at security@infrahq.com.

Introduction

Infra is identity and access management for your cloud infrastructure. It puts the power of fine-grained access to infrastructure like Kubernetes in your hands via existing identity providers such as Okta, Google Accounts, Azure Active Directory and more.

Features:

  • Single-command access: infra login
  • No more out-of-sync user configurations
  • Fine-grained role assignment
  • Onboard and offboard users via Okta (Active Directory, Google, GitHub coming soon)
  • Audit logs for who did what, when (coming soon)

Quickstart

Prerequisites:

Step 1: Install Infra CLI

macOS
brew install infrahq/tap/infra
Windows
scoop bucket add infrahq https://github.com/infrahq/scoop.git
scoop install infra
Linux
# Ubuntu & Debian
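# sudo does not apply to a shell redirect, so the file is written with tee.
# [trusted=yes] makes apt skip signature verification for this repository.
echo 'deb [trusted=yes] https://apt.fury.io/infrahq/ /' | sudo tee /etc/apt/sources.list.d/infrahq.list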
sudo apt update
sudo apt install infra
# Fedora & Red Hat Enterprise Linux
sudo dnf config-manager --add-repo https://yum.fury.io/infrahq/
sudo dnf install infra

Step 2: Configure Infra YAML

Note: Infra uses Secrets to securely load secrets. It is not recommended to use plain text secrets. Consider using another supported secret type.

Please follow Okta Configuration to obtain clientID and clientSecret for connecting Okta to Infra.

# example infra.yaml

# Add an Identity Provider
# Only Okta is supported currently
providers:
  - name: Okta
    url: example.okta.com
    clientID: example_jsldf08j23d081j2d12sd
    clientSecret: env:example_secret # see note above about secrets

grants:
# 1. Grant user(s) or group(s) as Infra administrator
# Set up a user as Infra administrator
  - user: you@example.com
    role: admin
    resource: infra

# 2. Grant user(s) or group(s) access to resources
# Example of granting an individual user the `cluster-admin` role. The name of a resource is specified when installing the Infra Engine at that location.
  - user: you@example.com
    role: cluster-admin                  # cluster_roles required
    resource: kubernetes.example-cluster # limit access to the `example-cluster` Kubernetes cluster

# Example of granting an individual user access by assigning them the `edit` role in the `web` namespace.
# In this case, Infra will automatically scope the access to a namespace.
  - user: you@example.com
    role: edit                               # cluster_roles required
    resource: kubernetes.example-cluster.web # limit access to only the `web` namespace in the `example-cluster` Kubernetes cluster

# Example of granting a group the `view` role.
  - group: Everyone
    role: view                           # cluster_roles required
    resource: kubernetes.example-cluster # limit access to the `example-cluster` Kubernetes cluster
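
A pre-flight review of infra.yaml before the import in Step 3, as an added example that is not part of the Infra project: it lists each grant with its scope and flags a clientSecret that is not an env: reference (the only secret form shown on this page) and cluster-admin granted on a whole cluster. The sample file and the function names `sample_infra_yaml` and `audit_infra_yaml` are constructed for illustration.

```sh
# Added example (not Infra project code): review infra.yaml before importing it.
# Constructed sample in the Step 2 layout; all values are made up.
sample_infra_yaml() {
cat <<'EOF'
providers:
  - name: Okta
    clientSecret: literal-secret-value   # constructed: pasted in plain text
grants:
  - user: you@example.com
    role: admin
    resource: infra
  - user: you@example.com
    role: edit
    resource: kubernetes.example-cluster.web # namespace-scoped
  - group: Everyone
    role: cluster-admin
    resource: kubernetes.example-cluster
EOF
}

# Reads infra.yaml on stdin. Prints one GRANT line per grant, and a REVIEW line
# for a non-env: clientSecret and for cluster-admin granted on a whole cluster.
audit_infra_yaml() {
  awk '
    function val(s) { sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t]*#.*$/, "", s); return s }
    function emit(   n, parts, scope) {
      if (who == "") return
      n = split(res, parts, ".")
      scope = (res == "infra") ? "infra" : (n >= 3 ? "namespace" : "cluster")
      printf "GRANT %s role=%s scope=%s resource=%s\n", who, role, scope, res
      if (role == "cluster-admin" && scope == "cluster")
        printf "REVIEW %s is cluster-admin on all of %s\n", who, res
      who = ""
    }
    /^[ \t]*#/ { next }
    /^[ \t]*clientSecret:/ && val($0) !~ /^env:/ { print "REVIEW clientSecret is not an env: reference" }
    /^[ \t]*-[ \t]*(user|group):/ {
      emit(); line = $0; sub(/^[ \t]*-[ \t]*/, "", line)
      kind = line; sub(/:.*/, "", kind); who = kind "=" val(line); role = res = ""
    }
    /^[ \t]*role:/     { role = val($0) }
    /^[ \t]*resource:/ { res = val($0) }
    END { emit() }
  '
}

sample_infra_yaml | audit_infra_yaml
```

To check a real file, run `audit_infra_yaml < infra.yaml`; extend the `env:` pattern if you use another supported secret type.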

Step 3: Install Infra

helm repo add infrahq https://helm.infrahq.com/
helm repo update
helm upgrade --install -n infrahq --create-namespace infra infrahq/infra --set-file server.config.import=infra.yaml

Infra can be configured using Helm values. To see the available configuration values, run:

helm show values infrahq/infra

Step 4: Login to Infra

Next, you'll need to find the URL of the Infra server to log in to Infra.

Port Forwarding

Kubernetes port forwarding can be used to access the API server.

kubectl -n infrahq port-forward deployments/infra-server 8080:80 8443:443

The Infra API server can now be accessed on localhost:8080 or localhost:8443.

LoadBalancer

Change the Infra server service type to LoadBalancer.

kubectl -n infrahq patch service infra-server -p '{"spec": {"type": "LoadBalancer"}}'

Note: It may take a few minutes for the LoadBalancer endpoint to be assigned. You can watch the status of the service with:

kubectl -n infrahq get service infra-server -w

Once the endpoint is ready, get the Infra API server URL.

kubectl -n infrahq get service infra-server -o jsonpath="{.status.loadBalancer.ingress[*]['ip', 'hostname']}"

Ingress

Follow the Ingress documentation to configure your Infra server with a Kubernetes ingress. Once configured, get the Infra API server URL.

kubectl -n infrahq get ingress infra-server -o jsonpath="{.status.loadBalancer.ingress[*]['ip', 'hostname']}"

API Server Access Key

If not provided by the user during Helm install, the admin access key will be randomly generated. Retrieve it using kubectl.

WARNING: This admin access key grants full access to Infra. Do not share it.

kubectl -n infrahq get secret infra-admin-access-key -o jsonpath='{.data.access-key}' | base64 -d

Once you have access to the Infra API server and the access key, log in to Infra from the terminal.

infra login <INFRA_API_SERVER>

Step 5: Access the Cluster

In order to get access to the cluster, the engine service must be accessible externally. The easiest way to achieve this is to use a LoadBalancer service.

kubectl -n infrahq patch service infra-engine -p '{"spec": {"type": "LoadBalancer"}}'

Switch to the cluster with Infra CLI.

infra use kubernetes.example-cluster

Next Steps

Connect Additional Kubernetes Clusters

Using Infra CLI:

Generate the Helm install command with:

infra destinations add kubernetes example-cluster

Run the output Helm command on the Kubernetes cluster to be added.

Example:

helm upgrade --install infra-engine infrahq/engine --set config.accessKey=2pVqDSdkTF.oSCEe6czoBWdgc6wRz0ywK8y --set config.name=kubernetes.example-cluster --set config.server=https://infra.acme.com

Upgrade Infra

helm repo update
helm upgrade -n infrahq --create-namespace infra infrahq/infra --set-file server.config.import=infra.yaml

Security

We take security very seriously. If you have found a security vulnerability, please disclose it privately to us by email via security@infrahq.com.

Documentation

There is no documentation for this package.

Directories

Path Synopsis
api
cmd
logging
Package logging provides a shared logger and log utilities to be used in all internal packages.
test module
testutil
