infra

command module
v0.5.3 (Latest)

Warning: This package is not in the latest version of its module.
Published: Feb 1, 2022 License: Apache-2.0 Imports: 2 Imported by: 0

README

We take security very seriously. If you believe you have found a security issue please report it to our security team by contacting us at security@infrahq.com.

Introduction

Infra is identity and access management for your cloud infrastructure. It puts the power of fine-grained access to infrastructure like Kubernetes in your hands via existing identity providers such as Okta, Google Accounts, Azure Active Directory and more.

Features:

  • Single-command access: infra login
  • No more out-of-sync user configurations
  • Fine-grained role assignment
  • Onboard and offboard users via Okta (Active Directory, Google, GitHub coming soon)
  • Audit logs for who did what, when (coming soon)

Quickstart

Prerequisites:

Step 1: Install Infra CLI

macOS

brew install infrahq/tap/infra

Windows

scoop bucket add infrahq https://github.com/infrahq/scoop.git
scoop install infra

Linux

# Ubuntu & Debian
# [trusted=yes] makes APT accept this repository without verifying its signature.
# The file is written with sudo tee because a shell redirect after "sudo echo" runs as the calling user.
echo 'deb [trusted=yes] https://apt.fury.io/infrahq/ /' | sudo tee /etc/apt/sources.list.d/infrahq.list
sudo apt update
sudo apt install infra

# Fedora & Red Hat Enterprise Linux
sudo dnf config-manager --add-repo https://yum.fury.io/infrahq/
sudo dnf install infra

Step 2: Configure Infra YAML

Note: Infra uses Secrets to securely load secrets. It is not recommended to use plain text secrets. Consider using another supported secret type.

Please follow Okta Configuration to obtain clientID and clientSecret for connecting Okta to Infra.

# example infra.yaml

# adding an Identity Provider 
# currently only Okta is supported
providers: 
  - name: Okta
    url: example.okta.com
    clientID: example_jsldf08j23d081j2d12sd 
    clientSecret:  example_plain_secret #see note above

grants:
# 1. Set up an initial user from IdP to become Infra administrator
  - user: you@example.com
    role: admin
    resource: infra
# Or set up an initial group of users from IdP to become Infra administrator
  - group: Admin  # case sensitive 
    role: admin 
    resource: infra 

# 2. Grant group(s) or user(s) from IdP to have access to the determined resource

# Example for granting access to an individual user the cluster admin role on a Kubernetes cluster named 'example-cluster'. This name is specified when installing Infra Engine. 

  - user: you@example.com 
    role: cluster-admin  #cluster_roles required
    resource: kubernetes.example-cluster # kubernetes cluster name 

# Example for granting access to an individual user the cluster role 'edit' on a namespace. In this case, Infra will automatically scope the cluster-role to a namespace. 

  - user: you@example.com
    role: edit  #cluster_roles required
    resource: kubernetes.example-cluster.web #specifying the 'web' namespace inside kubernetes cluster named 'example-cluster' 

# Example for granting access to a group called 'Everyone' from Okta to the Kubernetes cluster named 'example-cluster'. 
  - group: Everyone
    role: view  #cluster_roles required
    resource: kubernetes.example-cluster
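
The grants above can be reviewed before the file is imported. The following Go program is an added example, not code from the Infra project: it parses the three resource forms shown in the YAML and lists grants worth a second look. The Grant and Scope types, ParseResource, Review and the review rules themselves are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Grant mirrors one entry under "grants:" in the example infra.yaml.
type Grant struct{ User, Group, Role, Resource string }

// Scope is a resource string split into its parts.
type Scope struct{ Kind, Cluster, Namespace string }

// ParseResource accepts the forms used on this page: "infra",
// "kubernetes.<cluster>" and "kubernetes.<cluster>.<namespace>".
func ParseResource(r string) (Scope, error) {
	if r == "infra" {
		return Scope{Kind: "infra"}, nil
	}
	p := strings.Split(r, ".")
	bad := strings.Contains(r, "..") || strings.HasSuffix(r, ".")
	if p[0] != "kubernetes" || len(p) < 2 || len(p) > 3 || bad {
		return Scope{}, fmt.Errorf("unrecognized resource %q", r)
	}
	return Scope{"kubernetes", p[1], strings.Join(p[2:], "")}, nil
}

// Review lists points to check before import. The rules are this
// example's own policy (an assumption), not behaviour of Infra.
func Review(g Grant) []string {
	s, err := ParseResource(g.Resource)
	if err != nil {
		return []string{err.Error()}
	}
	var out []string
	if s.Namespace == "" && (g.Role == "admin" || g.Role == "cluster-admin") {
		out = append(out, "administrative role not limited to a namespace")
	}
	if g.Group != "" && g.Role != "view" {
		out = append(out, "role above view held by a whole IdP group")
	}
	return out
}

func main() {
	// Constructed sample: one grant from the example infra.yaml above.
	fmt.Println(Review(Grant{Group: "Admin", Role: "admin", Resource: "infra"}))
}
```

Of the five grants in the example file, only the namespace-scoped edit grant and the Everyone view grant come back with no findings under these rules.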

Step 3: Install Infra

helm repo add infrahq https://helm.infrahq.com/

helm install -n infrahq --create-namespace infra infrahq/infra --set-file config.import=infra.yaml

You'll need the Infra Root API Token to log into Infra. Retrieve this token from the infra secret by running the following commands:

ROOT_API_TOKEN=$(kubectl -n infrahq get secrets infra -o jsonpath='{.data.root-api-token}' | base64 --decode)
echo "$ROOT_API_TOKEN"

Please store this in a safe place.

Next, you'll need to find the URL of Infra Server to log into Infra.

Default (LoadBalancer)

Note: It may take a few minutes for the LoadBalancer endpoint to be assigned. You can watch the status of the service with:

INFRA_SERVER=$(kubectl -n infrahq get services -l infrahq.com/component=infra -o jsonpath="{.items[].status.loadBalancer.ingress[*]['ip', 'hostname']}")
echo "$INFRA_SERVER"

Ingress

INFRA_SERVER=$(kubectl -n infrahq get ingress -l infrahq.com/component=infra -o jsonpath="{.items[].status.loadBalancer.ingress[*]['ip', 'hostname']}")

ClusterIP

CONTAINER_PORT=$(kubectl -n infrahq get services -l infrahq.com/component=infra -o jsonpath="{.items[].spec.ports[0].port}")
# port-forward takes the target as TYPE/NAME
kubectl -n infrahq port-forward services/infra 8080:$CONTAINER_PORT &
INFRA_SERVER='localhost:8080'

From the terminal, log in to Infra (URL is the Infra Server address found above):

infra login URL

Next Steps

Connect Additional Kubernetes Clusters

Using Infra CLI:

Generate the helm install command with:

infra destination add kubernetes example-name

Run the output Helm command on the Kubernetes cluster to be added.

Example:

helm install infrahq/engine --set infra.name=kubernetes.example-name --set infra.apiToken=2pVqDSdkTF.oSCEe6czoBWdgc6wRz0ywK8y --set infra.host=localhost --set infra.skipTLSVerify=true

Upgrade Infra

helm repo update

helm upgrade -n infrahq --create-namespace infra infrahq/infra --set-file config.import=infra.yaml

Security

We take security very seriously. If you have found a security vulnerability please disclose it privately to us by email via security@infrahq.com.

Documentation

There is no documentation for this package.

Directories

Path Synopsis
api
cmd
docgen command
logging
Package logging provides a shared logger and log utilities to be used in all internal packages.
test module
testutil
