Introduction
Infra is identity and access management for your cloud infrastructure. It puts the power of fine-grained access to infrastructure like Kubernetes in your hands via existing identity providers such as Okta, Google Accounts, Azure Active Directory and more.
Features:
- Single-command access: infra login
- No more out-of-sync user configurations
- Fine-grained role assignment
- Onboard and offboard users via Okta (Azure AD, Google, GitHub coming soon)
- Audit logs for who did what, when (coming soon)
Quickstart
Prerequisites:
Follow the Okta guide to set up Okta for Infra. You'll need:
- Okta domain
- Okta client ID
- Okta client secret
- Okta API token
# example values.yaml
---
config:
  secrets:
    - kind: kubernetes
      namespace: infrahq
  providers:
    - kind: okta
      # Update with values from above
      domain: <Okta domain>
      clientID: <Okta client id>
      clientSecret: <Okta client secret>
      apiToken: <Okta api token>
  groups:
    # Grants the "Everyone" Okta group read-only access
    # to the default namespace of all Kubernetes clusters
    - name: Everyone
      provider: okta
      roles:
        - kind: role
          name: view
          destinations:
            - labels:
                - kubernetes
              namespaces:
                - default
See the Helm Chart reference for a complete list of options configurable through Helm.
Note: Infra uses Secrets to securely load secrets.
It is not recommended to use plain text secrets. Consider using another supported secret type.
Install Infra
helm repo add infrahq https://helm.infrahq.com/
helm repo update
helm install -n infrahq --create-namespace -f values.yaml infra infrahq/infra
Install Infra CLI
Debian, Ubuntu
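# The redirect must run as root, so pipe into "sudo tee" ("sudo echo ... >file" redirects as the calling user).
# [trusted=yes] marks this repository as trusted without apt signature verification.
echo 'deb [trusted=yes] https://apt.fury.io/infrahq/ /' | sudo tee /etc/apt/sources.list.d/infrahq.list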
sudo apt update
sudo apt install infra
Fedora, Red Hat Enterprise Linux
sudo dnf config-manager --add-repo https://yum.fury.io/infrahq/
sudo dnf install infra
macOS
brew install infrahq/tap/infra
Windows
scoop bucket add infrahq https://github.com/infrahq/scoop.git
scoop install infra
Access Your Infrastructure
You will need to get your Infra endpoint. This step will be different depending on your Service type.
Ingress
INFRA_HOST=$(kubectl -n infrahq get ingress -l infrahq.com/component=infra -o jsonpath="{.items[].status.loadBalancer.ingress[*]['ip', 'hostname']}")
LoadBalancer
Note: It may take a few minutes for the LoadBalancer endpoint to be assigned. You can watch the status of the service with:
kubectl -n infrahq get services -l infrahq.com/component=infra -w
INFRA_HOST=$(kubectl -n infrahq get services -l infrahq.com/component=infra -o jsonpath="{.items[].status.loadBalancer.ingress[*]['ip', 'hostname']}")
ClusterIP
CONTAINER_PORT=$(kubectl -n infrahq get services -l infrahq.com/component=infra -o jsonpath="{.items[].spec.ports[0].port}")
kubectl -n infrahq port-forward service/infra 8080:$CONTAINER_PORT &
INFRA_HOST='localhost:8080'
Once you have your Infra host, it is time to log in.
infra login $INFRA_HOST
Follow the instructions on screen to complete the login process.
See the Infra CLI reference for more ways to use infra.
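After logging in, it is worth confirming that the "Everyone" grant from the example values.yaml really is read-only and limited to the default namespace. The script below is an added example, not part of Infra or its documentation. It assumes the `view` role maps to Kubernetes' built-in `view` ClusterRole, that the logged-in user has no other grants, and that the current kubectl context is the one set up by `infra login`. The function names and the `KUBECTL` override variable are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: least-privilege check for the "Everyone -> view -> default" grant.
# Assumptions (not from the Infra docs): "view" is the built-in Kubernetes
# ClusterRole, and the current kubectl context belongs to the logged-in user.

# Allow the kubectl binary to be overridden (hypothetical variable, useful for testing).
KUBECTL="${KUBECTL:-kubectl}"

# expect <yes|no> <verb> <resource> <namespace>
# Compares the answer of `kubectl auth can-i` with the expected one.
expect() {
  local want verb resource ns got
  want="$1"; verb="$2"; resource="$3"; ns="$4"
  # can-i prints "yes"/"no" and exits non-zero on "no", so ignore the exit code.
  got="$($KUBECTL auth can-i "$verb" "$resource" -n "$ns" 2>/dev/null || true)"
  if [ "$got" = "$want" ]; then
    echo "ok    $verb $resource -n $ns => $got"
  else
    echo "FAIL  $verb $resource -n $ns => ${got:-error} (expected $want)"
    return 1
  fi
}

# Runs the full allow/deny matrix and returns non-zero if any line deviates.
verify_view_grant() {
  local rc=0
  # Reads that the view role should allow in the granted namespace.
  expect yes get    pods        default     || rc=1
  expect yes list   deployments default     || rc=1
  # The built-in view role deliberately excludes Secrets.
  expect no  get    secrets     default     || rc=1
  # No writes anywhere.
  expect no  delete pods        default     || rc=1
  expect no  create deployments default     || rc=1
  # No access outside the namespaces listed in the grant.
  expect no  get    pods        kube-system || rc=1
  return "$rc"
}
```

Source the file and run `verify_view_grant`; any FAIL line means the effective permissions differ from what the values.yaml grant is meant to allow.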
Next Steps
Connect Additional Identity Providers
Connect Additional Infrastructure Destinations
Upgrade Infra
helm repo update
helm upgrade -n infrahq -f values.yaml infra infrahq/infra
We take security very seriously. If you have found a security vulnerability, please disclose it privately to us by email via security@infrahq.com.