├── .github ├── CODEOWNERS └── workflows │ ├── ci.yml │ └── package.yml ├── .gitignore ├── .gitleaks.toml ├── CHANGELOG.md ├── CONTRIBUTING.md ├── Jenkinsfile ├── LICENSE ├── README.md ├── SECURITY.md ├── ci ├── Dockerfile ├── jenkins_build.sh ├── platform_login.sh ├── secrets.yml └── validate_schema.sh ├── conjur-oss ├── .helmignore ├── Chart.yaml ├── README.md ├── UPGRADING.md ├── charts │ └── .gitdirectory ├── files │ ├── conjur.conf │ ├── dhparams.pem │ ├── mime.types │ ├── nginx.conf │ └── postgres-ssl.conf ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── auth-role.yaml │ ├── deployment.yaml │ ├── load-balancer.yaml │ ├── nginx-configmap.yaml │ ├── persistent-volume-claim.yaml │ ├── postgres-ocp-ssl-configmap.yaml │ ├── postgres-ocp.yaml │ ├── postgres.yaml │ ├── secrets.yaml │ ├── service.yaml │ ├── ssl-cert.yaml │ └── tests │ │ ├── test-simple-install-configmap.yaml │ │ └── test-simple-install.yaml ├── values.schema.json └── values.yaml ├── e2e ├── custom-stuff.yml ├── delete-conjur.sh ├── install-conjur-no-pv.sh └── install-conjur.sh ├── examples ├── common │ ├── 1_create_kind_cluster.sh │ ├── 2_helm_install_or_upgrade_conjur.sh │ ├── 3_retrieve_admin_password.sh │ ├── 4_ensure_authn_k8s_enabled.sh │ ├── 5_deploy_demo_apps.sh │ ├── README.md │ ├── customize.env │ ├── start │ └── utils.sh ├── kubernetes-in-docker │ ├── 0_export_env_vars.sh │ └── start └── openshift │ ├── 0_export_env_vars.sh │ └── start ├── helm-upgrade.sh ├── run.sh ├── test-minimal.sh ├── test.sh └── utils.sh /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @cyberark/community-and-integrations-team @conjurinc/community-and-integrations-team @conjurdemos/community-and-integrations-team 2 | 3 | # Changes to .trivyignore require Security Architect approval 4 | .trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects 5 | 6 | # Changes to .codeclimate.yml require Quality Architect 
approval 7 | .codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architects 8 | 9 | # Changes to SECURITY.md require Security Architect approval 10 | SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects 11 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: CI 2 | 3 | on: 4 | # Run this on pushes to main. NOTE(review): no top-level `permissions:` block is declared, so GITHUB_TOKEN receives the repository's default scopes; the jobs below only check out, lint and run tests, so `permissions: contents: read` should be sufficient. Third-party actions are referenced by mutable tags (actions/checkout@v2, azure/setup-helm@v1, helm/kind-action@v1.4.0) rather than commit SHAs, so whatever those tags resolve to at run time is what executes — pin to SHAs for supply-chain integrity. 5 | push: 6 | branches: 7 | - main 8 | 9 | # Or when PR operations are done 10 | pull_request: 11 | types: 12 | - opened 13 | - reopened 14 | - synchronize 15 | 16 | jobs: 17 | linter: 18 | name: Run Helm Linter 19 | runs-on: ubuntu-latest 20 | steps: 21 | - name: Check out code 22 | uses: actions/checkout@v2 23 | 24 | - name: Install Helm 25 | uses: azure/setup-helm@v1 26 | with: 27 | version: v3.3.0 28 | 29 | - name: Run linter 30 | run: helm lint --set dataKey=BLOB ./conjur-oss 31 | 32 | install-test-helm-v3: 33 | name: Install/test Conjur with Helm V3 on KinD Cluster 34 | needs: [ linter ] 35 | runs-on: ubuntu-latest 36 | strategy: 37 | matrix: 38 | kube-tag: 39 | - v1.26.0 40 | - v1.21.2 41 | steps: 42 | - name: Check out code 43 | uses: actions/checkout@v2 44 | 45 | - name: Install Helm 46 | uses: azure/setup-helm@v3 47 | with: 48 | version: v3.2.1 49 | 50 | - name: Create k8s KinD Cluster 51 | uses: helm/kind-action@v1.4.0 52 | with: 53 | node_image: "kindest/node:${{ matrix.kube-tag }}" 54 | cluster_name: kube-${{ matrix.kube-tag }} 55 | 56 | - name: Run integration tests 57 | run: ./test-minimal.sh 58 | 59 | install-test-helm-v2: 60 | name: Install/test Conjur with Helm V2 on KinD Cluster (v1.21.2) 61 | needs: 62 | - linter 63 | - install-test-helm-v3 64 | runs-on: ubuntu-latest 65 | steps: 66 | - name: Check out code 67 | uses: actions/checkout@v2 68 | 69 | - name: Install Helm 70 | uses: azure/setup-helm@v1 71 | 
with: 72 | version: v2.17.0 73 | 74 | - name: Create k8s KinD Cluster 75 | uses: helm/kind-action@v1.4.0 76 | with: 77 | node_image: "kindest/node:v1.21.2" 78 | cluster_name: kube-v1.21.2-helm2 79 | 80 | - name: Initialize Helm 81 | run: | 82 | # Service account with cluster-admin role for Helm v2 (Tiller). Tolerable only because this KinD cluster is created and discarded inside this job; never bind Tiller to cluster-admin on a shared cluster. Helm v2/Tiller is end-of-life, so this job exercises a legacy install path only. 83 | echo " 84 | apiVersion: v1 85 | kind: ServiceAccount 86 | metadata: 87 | name: tiller 88 | namespace: kube-system 89 | --- 90 | apiVersion: rbac.authorization.k8s.io/v1 91 | kind: ClusterRoleBinding 92 | metadata: 93 | name: tiller 94 | roleRef: 95 | apiGroup: rbac.authorization.k8s.io 96 | kind: ClusterRole 97 | name: cluster-admin 98 | subjects: 99 | - kind: ServiceAccount 100 | name: tiller 101 | namespace: kube-system 102 | " | kubectl create -f - 103 | 104 | # Initialize 105 | helm init --stable-repo-url https://charts.helm.sh/stable --service-account tiller --wait 106 | 107 | - name: Run integration tests 108 | run: ./test-minimal.sh 109 | -------------------------------------------------------------------------------- /.github/workflows/package.yml: -------------------------------------------------------------------------------- 1 | name: Package Tarballs 2 | on: 3 | # Run this workflow on main-branch pushes and tag pushes that match v* (e.g. 
`v1.2.3`). NOTE(review): the `branch:` key under `push:` below is not a recognised `on.push` filter key — GitHub Actions expects `branches:` (plural). Depending on how strictly the workflow file is validated, this either fails to load or silently drops the main-branch trigger so that only tag pushes run; rename it to `branches:`. 4 | push: 5 | branch: 6 | - 'main' 7 | tags: 8 | - 'v*' 9 | 10 | jobs: 11 | package: 12 | name: Package Tarballs 13 | runs-on: ubuntu-latest 14 | 15 | steps: 16 | - name: Check out code 17 | uses: actions/checkout@v2 18 | 19 | - name: Install Helm 20 | uses: azure/setup-helm@v1 21 | with: 22 | version: v2.16.6 23 | 24 | - name: Package tarballs 25 | run: mkdir -p package; helm package --save=false --destination ./package ./conjur-oss 26 | 27 | - name: Add package to artifacts 28 | uses: actions/upload-artifact@v1 29 | with: 30 | path: ./package 31 | name: package 32 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | conjur-oss-*.tgz 2 | 3 | conjur-oss/charts/*.tgz 4 | output/ 5 | values-private.yaml 6 | 7 | # Vim swapfiles 8 | *.sw[po] 9 | 10 | # Example temp files 11 | examples/kubernetes-in-docker/temp* 12 | -------------------------------------------------------------------------------- /.gitleaks.toml: -------------------------------------------------------------------------------- 1 | title = "Conjur OSS Helm chart gitleaks config" 2 | 3 | # This is the config file for gitleaks. It configures what gitleaks searches for and what it whitelists. 4 | # If the GITLEAKS_CONFIG environment variable 5 | # is set, gitleaks will load configurations from that path. If option --config-path is set, gitleaks will load 6 | # configurations from that path. Gitleaks does not whitelist anything by default. 
7 | # - https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf 8 | # - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json 9 | [[rules]] 10 | description = "AWS Client ID" 11 | regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}''' 12 | tags = ["key", "AWS"] 13 | 14 | [[rules]] 15 | description = "AWS Secret Key" 16 | regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]''' 17 | tags = ["key", "AWS"] 18 | 19 | [[rules]] 20 | description = "AWS MWS key" 21 | regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}''' 22 | tags = ["key", "AWS", "MWS"] 23 | 24 | [[rules]] 25 | description = "PKCS8" 26 | regex = '''-----BEGIN PRIVATE KEY-----''' 27 | tags = ["key", "PKCS8"] 28 | 29 | [[rules]] 30 | description = "RSA" 31 | regex = '''-----BEGIN RSA PRIVATE KEY-----''' 32 | tags = ["key", "RSA"] 33 | 34 | [[rules]] 35 | description = "SSH" 36 | regex = '''-----BEGIN OPENSSH PRIVATE KEY-----''' 37 | tags = ["key", "SSH"] 38 | 39 | [[rules]] 40 | description = "PGP" 41 | regex = '''-----BEGIN PGP PRIVATE KEY BLOCK-----''' 42 | tags = ["key", "PGP"] 43 | 44 | [[rules]] 45 | description = "Facebook Secret Key" 46 | regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]''' 47 | tags = ["key", "Facebook"] 48 | 49 | [[rules]] 50 | description = "Facebook Client ID" 51 | regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]''' 52 | tags = ["key", "Facebook"] 53 | 54 | [[rules]] 55 | description = "Facebook access token" 56 | regex = '''EAACEdEose0cBA[0-9A-Za-z]+''' 57 | tags = ["key", "Facebook"] 58 | 59 | [[rules]] 60 | description = "Twitter Secret Key" 61 | regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]''' 62 | tags = ["key", "Twitter"] 63 | 64 | [[rules]] 65 | description = "Twitter Client ID" 66 | regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]''' 67 | tags = ["client", "Twitter"] 68 | 69 | [[rules]] 70 | 
description = "Github" 71 | regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]''' 72 | tags = ["key", "Github"] 73 | 74 | [[rules]] 75 | description = "LinkedIn Client ID" 76 | regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]''' 77 | tags = ["client", "Twitter"] 78 | 79 | [[rules]] 80 | description = "LinkedIn Secret Key" 81 | regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]''' 82 | tags = ["secret", "Twitter"] 83 | 84 | [[rules]] 85 | description = "Slack" 86 | regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?''' 87 | tags = ["key", "Slack"] 88 | 89 | [[rules]] 90 | description = "EC" 91 | regex = '''-----BEGIN EC PRIVATE KEY-----''' 92 | tags = ["key", "EC"] 93 | 94 | [[rules]] 95 | description = "Generic API key" 96 | regex = '''(?i)(api_key|apikey)(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]''' 97 | tags = ["key", "API", "generic"] 98 | 99 | [[rules]] 100 | description = "Generic Secret" 101 | regex = '''(?i)secret(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]''' 102 | tags = ["key", "Secret", "generic"] 103 | 104 | [[rules]] 105 | description = "Google API key" 106 | regex = '''AIza[0-9A-Za-z\\-_]{35}''' 107 | tags = ["key", "Google"] 108 | 109 | [[rules]] 110 | description = "Google Cloud Platform API key" 111 | regex = '''(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\"][AIza[0-9a-z\\-_]{35}]['\"]''' 112 | tags = ["key", "Google", "GCP"] 113 | 114 | [[rules]] 115 | description = "Google OAuth" 116 | regex = '''(?i)(google|gcp|auth)(.{0,20})?['"][0-9]+-[0-9a-z_]{32}\.apps\.googleusercontent\.com['"]''' 117 | tags = ["key", "Google", "OAuth"] 118 | 119 | [[rules]] 120 | description = "Google OAuth access token" 121 | regex = '''ya29\.[0-9A-Za-z\-_]+''' 122 | tags = ["key", "Google", "OAuth"] 123 | 124 | [[rules]] 125 | description = "Heroku API key" 126 | regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]''' 127 | tags = ["key", "Heroku"] 128 | 129 | [[rules]] 130 | description = "MailChimp API key" 131 | regex 
= '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]''' 132 | tags = ["key", "Mailchimp"] 133 | 134 | [[rules]] 135 | description = "Mailgun API key" 136 | regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]''' 137 | tags = ["key", "Mailgun"] 138 | 139 | [[rules]] 140 | description = "Password in URL" 141 | regex = '''[a-zA-Z]{3,10}:\/\/[^\/\s:@]{3,20}:[^\/\s:@]{3,20}@.{1,100}\/?.?''' 142 | tags = ["key", "URL", "generic"] 143 | 144 | [[rules]] 145 | description = "PayPal Braintree access token" 146 | regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}''' 147 | tags = ["key", "Paypal"] 148 | 149 | [[rules]] 150 | description = "Picatic API key" 151 | regex = '''sk_live_[0-9a-z]{32}''' 152 | tags = ["key", "Picatic"] 153 | 154 | [[rules]] 155 | description = "Slack Webhook" 156 | regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}''' 157 | tags = ["key", "slack"] 158 | 159 | [[rules]] 160 | description = "Stripe API key" 161 | regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}''' 162 | tags = ["key", "Stripe"] 163 | 164 | [[rules]] 165 | description = "Square access token" 166 | regex = '''sq0atp-[0-9A-Za-z\-_]{22}''' 167 | tags = ["key", "square"] 168 | 169 | [[rules]] 170 | description = "Square OAuth secret" 171 | regex = '''sq0csp-[0-9A-Za-z\\-_]{43}''' 172 | tags = ["key", "square"] 173 | 174 | [[rules]] 175 | description = "Twilio API key" 176 | regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]''' 177 | tags = ["key", "twilio"] 178 | 179 | [whitelist] 180 | files = [ 181 | # "(.*?)(jpg|gif|doc|pdf|bin)$", 182 | ".gitleaks.toml" 183 | ] 184 | regexes = [ 185 | "postgres://postgres:PASSWORD", # sample postgres connection string 186 | "postgres://postgres:mypassword", # sample postgres connection string 187 | "postgres://postgres:dgsgAdGPGr4UJXi2", # sample postgres connection string 188 | "postgresql://conjur:conjur@localhost" # local pg connection string used in tests 
189 | ] 190 | # NOTE(review): the regexes above allowlist exact connection-string literals, which is safe only while they are sample values; if any of them (e.g. the one containing `dgsgAdGPGr4UJXi2`) was ever a live password, rotate it rather than suppress the finding. `[whitelist]` is the legacy gitleaks table name (newer releases use `[allowlist]`) — confirm it matches the gitleaks version CI runs. 191 | # Additional Examples 192 | 193 | # [[rules]] 194 | # description = "Generic Key" 195 | # regex = '''(?i)key(.{0,6})?(:|=|=>|:=)''' 196 | # entropies = [ 197 | # "4.1-4.3", 198 | # "5.5-6.3", 199 | # ] 200 | # entropyROI = "line" 201 | # filetypes = [".go", ".py", ".c"] 202 | # tags = ["key"] 203 | # severity = "8" 204 | # 205 | # 206 | # [[rules]] 207 | # description = "Generic Key" 208 | # regex = '''(?i)key(.{0,6})?(:|=|=>|:=)''' 209 | # entropies = ["4.1-4.3"] 210 | # filetypes = [".gee"] 211 | # entropyROI = "line" 212 | # tags = ["key"] 213 | # severity = "medium" 214 | 215 | # [[rules]] 216 | # description = "Any pem file" 217 | # filetypes = [".key"] 218 | # tags = ["pem"] 219 | # severity = "high" 220 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | All notable changes to this project will be documented in this file. 3 | 4 | The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) 5 | and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). 6 | 7 | ## Unreleased 8 | 9 | ## [2.0.7] - 2023-08-30 10 | 11 | ### Changed 12 | - The default Postgres server version is incremented to 15.4 from 10.16. 13 | [cyberark/conjur-oss-helm-chart#185](https://github.com/cyberark/conjur-oss-helm-chart/pull/185) 14 | 15 | ## [2.0.6] - 2023-03-09 16 | 17 | ### Changed 18 | - Updated notices to use Conjur CLI v8.0. 19 | [cyberark/conjur-oss-helm-chart#179](https://github.com/cyberark/conjur-oss-helm-chart/pull/179) 20 | 21 | ## [2.0.5] - 2022-08-17 22 | 23 | ### Added 24 | - Support for authn-jwt flow. [cyberark/conjur-oss-helm-chart#169](https://github.com/cyberark/conjur-oss-helm-chart/pull/169) 25 | 26 | ## [2.0.4] - 2021-04-12 27 | 28 | ### Added 29 | - Support for deploying Conjur OSS to OpenShift 4.6. 
With the automated tests added in 30 | [conjurdemos/kubernetes-conjur-demo#110](https://github.com/conjurdemos/kubernetes-conjur-demo/issues/110), 31 | this helm chart now has [Trusted](https://github.com/cyberark/community/blob/master/Conjur/conventions/certification-levels.md#trusted) 32 | support for OpenShift. 33 | [cyberark/conjur-oss-helm-chart#140](https://github.com/cyberark/conjur-oss-helm-chart/issues/140) 34 | 35 | ### Changed 36 | - The default Postgres server version is incremented to 10.16 from 10.15. [Postgres 10.16](https://www.postgresql.org/docs/10/release-10-16.html) 37 | - The default Conjur version is incremented to 1.11.5. 38 | [cyberark/conjur-oss-helm-chart#149](https://github.com/cyberark/conjur-oss-helm-chart/issues/149) 39 | 40 | ## [2.0.3] - 2020-12-30 41 | 42 | ### Added 43 | - The Conjur OSS helm chart has Community support for deploying Conjur OSS to 44 | OpenShift 4.x. 45 | [cyberark/conjur-oss-helm-chart#60](https://github.com/cyberark/conjur-oss-helm-chart/issues/60) 46 | 47 | ### Changed 48 | - The default Postgres server version is incremented to 10.15 from 10.14. 49 | [cyberark/conjur-oss-helm-chart#120](https://github.com/cyberark/conjur-oss-helm-chart/issues/120) 50 | 51 | ### Fixed 52 | - Conjur pod no longer fails on restarts when the Conjur cluster is helm 53 | installed with the automatic Conjur account creation feature enabled (e.g. 54 | with `--set account.create=true`). The Conjur startup command is revised to 55 | check if the account exists before starting the server with the flag used to 56 | create it. 57 | [cyberark/conjur-oss-helm-chart#119](https://github.com/cyberark/conjur-oss-helm-chart/issues/119) 58 | - Kubernetes-in-Docker example scripts no longer fail with undefined 59 | DOCKER_REGISTRY_PATH environment variable error. 
60 | [cyberark/conjur-oss-helm-chart#138](https://github.com/cyberark/conjur-oss-helm-chart/issues/138) 61 | 62 | ## [2.0.2] - 2020-12-02 63 | 64 | ### Changed 65 | - Default Conjur version is upgraded from 1.5 to 1.11. Default Postgres 66 | version is upgraded from 10.12 to 10.14. 67 | [cyberark/conjur-oss-helm-chart#112](https://github.com/cyberark/conjur-oss-helm-chart/issues/112), 68 | [cyberark/conjur-oss-helm-chart#108](https://github.com/cyberark/conjur-oss-helm-chart/issues/108) 69 | - Image `tag` values must now include surrounding quotes when they are 70 | set in a values.yaml file. Arbitrary tag strings are allowed now 71 | (e.g. "latest" is allowable). 72 | [cyberark/conjur-oss-helm-chart#106](https://github.com/cyberark/conjur-oss-helm-chart/issues/106) 73 | 74 | ## [2.0.1] - 2020-10-30 75 | 76 | ### Added 77 | - `CONJUR_LOG_LEVEL` for the Conjur container can now be configured by setting the 78 | `logLevel` value, or updated using `helm upgrade` [cyberark/conjur-oss-helm-chart#77](https://github.com/cyberark/conjur-oss-helm-chart/issues/77) 79 | 80 | ### Changed 81 | - `account` now accepts two values, `account.create`, a boolean, and `account.name`, a string. 82 | These values allow you to configure the creation of a Conjur account on container startup, and 83 | the name of the account. [cyberark/conjur-oss-helm-chart#78](https://github.com/cyberark/conjur-oss-helm-chart/issues/78) 84 | 85 | ### Deprecated 86 | - The `rbac.create` chart value is now deprecated. This value will be replaced in the next major 87 | release with two separate settings: `rbac.createClusterRole` (defaulting to true) and 88 | `rbac.createClusterRoleBinding` (defaulting to false). Though `ClusterRole` creation will continue 89 | to be supported, we recommend users migrate to using `RoleBindings` at application deploy time 90 | rather than relying on overprivileged `ClusterRoleBindings`. 
91 | 92 | ## [2.0.0] - 2020-06-18 93 | 94 | ### Added 95 | - Adds password authentication for the backend Postgres database connection. 96 | - Adds TLS support between the Conjur pod and the Postgres pod. 97 | - Adds default auto-generation of the Postgres connection password and 98 | TLS certificate. 99 | - Adds default auto-rotation of the following for `helm upgrade`: 100 | - Conjur TLS CA signing certificate and signed certificate for Conjur 101 | - Postgres database TLS certificate and key 102 | - Adds mechanism for user to set their own TLS CA and signed certificates 103 | for Conjur. 104 | 105 | ### Changed 106 | - Pins default Conjur version to current stable release 1.5. 107 | - Sets default pullPolicy for Nginx and Postgres to `Always`. 108 | 109 | ### Fixed 110 | - Fixes an issue with the use of persistent volume store so that the 111 | Postgres database contents are preserved across pod resets 112 | and helm upgrades. 113 | [Commit](https://github.com/cyberark/conjur-oss-helm-chart/commit/9ee5b2b191f118714193861fc75abd5226c94425), 114 | [Security Bulletin](https://github.com/cyberark/conjur-oss-helm-chart/security/advisories/GHSA-mg2m-623j-wpxw) 115 | 116 | ## [1.3.8] - 2019-12-20 117 | 118 | ### Added 119 | - Added basic instructions on how to package the chart 120 | - Added gitleaks config to repo 121 | 122 | ### Changed 123 | - Updated deployments to be able to run on Kubernetes 1.16+ 124 | - Updated e2e scripts to support newest helm (v.1.3.8) 125 | 126 | ### Removed 127 | - Removed GitLab pipeline (it wasn't working anyways) 128 | 129 | ## [1.3.7] - 2019-01-31 130 | ### Changed 131 | - Server ciphers have been upgraded to TLS1.2 levels. 
132 | 133 | ## [1.3.6] - 2019-01-22 134 | ### Changed 135 | - Changed the default Postgres resource from Pod to Deployment to fix GKE marketplace app 136 | 137 | ## [1.3.5] - 2019-01-22 138 | ### Added 139 | - Made Postgres able to store data on a persistent volume [Issue #15](https://github.com/cyberark/conjur-oss-helm-chart/issues/15). 140 | 141 | ### Changed 142 | - Detached the Helm chart version from docker image version. 143 | 144 | ## [1.3.4] - 2019-01-08 145 | ### Added 146 | - New [`authenticators` parameter](./conjur-oss#configuration), optionally applied to Conjur through `CONJUR_AUTHENTICATOR` variable. 147 | - Added SSL termination to Conjur [Issue #11](https://github.com/cyberark/conjur-oss-helm-chart/issues/11). 148 | - Added self-signed certificate generation to the deployment. 149 | - Added values to control usage of an existing service account or creation 150 | - Added values to control creation of RBAC resources 151 | 152 | ### Changed 153 | - Made ingress enabled by default. 154 | - Changed exposed ports to be strictly https. 155 | - Changed default service type to `NodePort` from `ClusterIP`. 156 | - Updated version number to be in line with OSS Docker image version. 157 | 158 | ## [0.2.1] - 2018-08-01 159 | ### Added 160 | - `app.kubernetes.io` labels are now applied by default to all resources. 161 | 162 | ## [0.2.0] - 2018-08-01 163 | ### Added 164 | - New `deployment.annotations` parameter, optional annotations applied to Conjur deployment. 165 | [PR #6](https://github.com/cyberark/conjur-oss-helm-chart/pull/6) 166 | - New `conjurLabels` and `postgresLabels` parameters, 167 | optional extra labels to apply to respective resources. 168 | [PR #5](https://github.com/cyberark/conjur-oss-helm-chart/pull/5) 169 | 170 | ## 0.1.0 - 2018-07-25 171 | ### Added 172 | - First version of chart available. 
173 | 174 | [Unreleased]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v2.0.7...HEAD 175 | [2.0.7]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v2.0.6...v2.0.7 176 | [2.0.6]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v2.0.5...v2.0.6 177 | [2.0.5]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v2.0.4...v2.0.5 178 | [2.0.4]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v2.0.3...v2.0.4 179 | [2.0.3]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v2.0.2...v2.0.3 180 | [2.0.2]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v2.0.1...v2.0.2 181 | [2.0.1]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v2.0.0...v2.0.1 182 | [2.0.0]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v1.3.8...v2.0.0 183 | [1.3.8]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v1.3.7...v1.3.8 184 | [1.3.7]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v1.3.6...v1.3.7 185 | [1.3.6]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v1.3.5...v1.3.6 186 | [1.3.5]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v1.3.4...v1.3.5 187 | [1.3.4]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v0.2.1...v1.3.4 188 | [0.2.1]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v0.2.0...v0.2.1 189 | [0.2.0]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v0.1.0...v0.2.0 190 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community). 
4 | 5 | ## Table of Contents 6 | 7 | - [Releasing](#releasing) 8 | - [Contributing](#contributing) 9 | 10 | The majority of the instructions on how to build, develop, and run the code in 11 | this repo are located in the main [README.md](README.md), but this file adds 12 | any additional information for contributing code to this project. 13 | 14 | ## Releasing 15 | 16 | ### Upgrading Conjur version 17 | 18 | To upgrade the default Conjur version used by this chart, you will need to 19 | update the following files: 20 | - Update the [README](./conjur-oss/README.md) to change the default value for 21 | `image.tag` in the [Configuration table](./conjur-oss/README.md#configuration) 22 | - Update the `tag` value for the `cyberark/conjur` image in 23 | [conjur-oss/values.yaml](./conjur-oss/values.yaml) 24 | 25 | ### Creating a new release 26 | 27 | To release a new version of this chart: 28 | - Make the appropriate changes 29 | - Update the version number in [`conjur-oss/Chart.yaml`](conjur-oss/Chart.yaml) 30 | - Update the CHANGELOG.md file according to the 31 | [Conjur community guidelines](https://github.com/cyberark/community/blob/master/Conjur/CONTRIBUTING.md#tagging) 32 | - Tag the git history with `v##.##.##` version 33 | - Create the release on GitHub for that tag 34 | - Get the helm chart package from the [package action](https://github.com/cyberark/conjur-oss-helm-chart/actions/workflows/package.yml) - the 35 | `conjur-oss-VERSION.tgz` tarball is in the `package.zip` 36 | - Upload the tarball to the GitHub release 37 | - Add the chart to our [Helm charts repo](https://github.com/cyberark/helm-charts) 38 | 39 | ## Contributing 40 | 41 | 1. [Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo) 42 | 2. [Clone your fork](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/cloning-a-repository) 43 | 3. Make local changes to your fork by editing files 44 | 4. 
[Commit your changes](https://help.github.com/en/github/managing-files-in-a-repository/adding-a-file-to-a-repository-using-the-command-line) 45 | 5. [Push your local changes to the remote server](https://help.github.com/en/github/using-git/pushing-commits-to-a-remote-repository) 46 | 6. [Create new Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork) 47 | -------------------------------------------------------------------------------- /Jenkinsfile: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env groovy 2 | 3 | import groovy.transform.Field 4 | 5 | @Field 6 | def TAG = "" 7 | 8 | pipeline { 9 | agent { label 'executor-v2' } 10 | 11 | options { 12 | timestamps() 13 | buildDiscarder(logRotator(numToKeepStr: '30')) 14 | } 15 | 16 | triggers { 17 | cron(getDailyCronString()) 18 | } 19 | 20 | stages { 21 | stage('Changelog') { 22 | steps { 23 | parseChangelog() 24 | } 25 | } 26 | 27 | stage('GKE Build and Test') { 28 | environment { 29 | HELM_VERSION = "3.1.3" 30 | } 31 | steps { 32 | sh 'cd ci && summon ./jenkins_build.sh' 33 | } 34 | } 35 | } 36 | 37 | post { 38 | always { 39 | cleanupAndNotify(currentBuild.currentResult) 40 | } 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 
15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 
48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. 
Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright (c) 2020 CyberArk Software Ltd. All rights reserved. 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # conjur-oss-helm-chart 2 | 3 | [Helm](https://github.com/helm/helm) chart for [Conjur Open Source](https://www.conjur.org). 4 | 5 | [![GitHub release](https://img.shields.io/github/release/cyberark/conjur-oss-helm-chart.svg)](https://github.com/cyberark/conjur-oss-helm-chart/releases/latest) 6 | [![pipeline status](https://gitlab.com/cyberark/conjur-oss-helm-chart/badges/master/pipeline.svg)](https://gitlab.com/cyberark/conjur-oss-helm-chart/pipelines) 7 | 8 | [![Github commits (since latest release)](https://img.shields.io/github/commits-since/cyberark/conjur-oss-helm-chart/latest.svg)](https://github.com/cyberark/conjur-oss-helm-chart/commits/master) 9 | 10 | --- 11 | 12 | ## Using conjur-oss-helm-chart with Conjur Open Source 13 | 14 | See [./conjur-oss](conjur-oss) for Chart files and instructions. 
15 | 16 | We **strongly** recommend choosing the version of this project to use from the latest [Conjur OSS 17 | suite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html). 18 | Conjur maintainers perform additional testing on the suite release versions to ensure 19 | compatibility. When possible, upgrade your Conjur version to match the 20 | [latest suite release](https://docs.conjur.org/Latest/en/Content/ReleaseNotes/ConjurOSS-suite-RN.htm); 21 | when using integrations, choose the latest suite release that matches your Conjur version. For any 22 | questions, please contact us on [Discourse](https://discuss.cyberarkcommons.org/c/conjur/5). 23 | 24 | 25 | ## Requirements 26 | 27 | This chart requires Helm v3+. The chart may work with older versions of Helm 28 | but that deployment isn't specifically supported. 29 | 30 | ## Contributing 31 | 32 | We store instructions for development and guidelines for how to build and test this 33 | project in the [CONTRIBUTING.md](CONTRIBUTING.md) - please refer to that document 34 | if you would like to contribute. 35 | 36 | ## Testing 37 | 38 | This repository includes basic smoke testing on GKE. The Conjur OSS Helm Chart is also exercised more thoroughly by the [cyberark/conjur-authn-k8s-client](https://github.com/cyberark/conjur-authn-k8s-client) project, which clones the OSS Helm Chart repo and uses it while testing across several versions of Kubernetes and OpenShift. 39 | 40 | ## License 41 | 42 | This repository is licensed under Apache License 2.0 - see [`LICENSE`](LICENSE) for more details. 43 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policies and Procedures 2 | 3 | This document outlines security procedures and general policies for the CyberArk Conjur 4 | suite of tools and products. 
5 | 6 | * [Reporting a Bug](#reporting-a-bug) 7 | * [Disclosure Policy](#disclosure-policy) 8 | * [Comments on this Policy](#comments-on-this-policy) 9 | 10 | ## Reporting a Bug 11 | 12 | The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously. 13 | Thank you for improving the security of the Conjur suite. We appreciate your efforts and 14 | responsible disclosure and will make every effort to acknowledge your 15 | contributions. 16 | 17 | Report security bugs by emailing the lead maintainers at security@conjur.org. 18 | 19 | The maintainers will acknowledge your email within 2 business days. Subsequently, we will 20 | send a more detailed response within 2 business days of our acknowledgement indicating 21 | the next steps in handling your report. After the initial reply to your report, the security 22 | team will endeavor to keep you informed of the progress towards a fix and full 23 | announcement, and may ask for additional information or guidance. 24 | 25 | Report security bugs in third-party modules to the person or team maintaining 26 | the module. 27 | 28 | ## Disclosure Policy 29 | 30 | When the security team receives a security bug report, they will assign it to a 31 | primary handler. This person will coordinate the fix and release process, 32 | involving the following steps: 33 | 34 | * Confirm the problem and determine the affected versions. 35 | * Audit code to find any potential similar problems. 36 | * Prepare fixes for all releases still under maintenance. These fixes will be 37 | released as fast as possible. 38 | 39 | ## Comments on this Policy 40 | 41 | If you have suggestions on how this process could be improved please submit a 42 | pull request. 
43 | -------------------------------------------------------------------------------- /ci/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM google/cloud-sdk 2 | 3 | ARG HELM_VERSION=3.1.3 4 | ARG KUBECTL_VERSION=1.16.9 5 | 6 | RUN mkdir -p /src 7 | WORKDIR /src 8 | 9 | # Install Docker client (the repository signing key is imported with apt-key; the docker-ce package version is not pinned) 10 | RUN apt-get update && \ 11 | apt-get install -y apt-transport-https \ 12 | ca-certificates \ 13 | curl \ 14 | gnupg2 \ 15 | software-properties-common \ 16 | wget && \ 17 | distro="$(. /etc/os-release; echo $ID)" && \ 18 | release="$(lsb_release -cs)" && \ 19 | curl -fsSL "https://download.docker.com/linux/$distro/gpg" > /tmp/docker_repo_key && \ 20 | apt-key add /tmp/docker_repo_key && \ 21 | add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/$distro $release stable" && \ 22 | apt-get update && \ 23 | apt-get install -y docker-ce && \ 24 | apt-get clean && \ 25 | rm -rf /var/lib/apt/lists/* 26 | 27 | # Install Helm client (version pinned via HELM_VERSION; the downloaded archive is not checksum-verified) 28 | RUN wget https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz && \ 29 | tar xvf helm-v${HELM_VERSION}-linux-amd64.tar.gz && \ 30 | mv linux-amd64/helm /usr/local/bin/ && \ 31 | rm helm-v${HELM_VERSION}-linux-amd64.tar.gz && \ 32 | rm -rf linux-amd64 33 | 34 | # Install Kubernetes client (version pinned via KUBECTL_VERSION; the downloaded binary is not checksum-verified) 35 | RUN wget -O /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl && \ 36 | chmod +x /usr/local/bin/kubectl 37 | -------------------------------------------------------------------------------- /ci/jenkins_build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -euo pipefail 3 | 4 | source ../utils.sh 5 | 6 | # This script does the following in sequence: 7 | # - Runs a Helm install of a Conjur OSS server 8 | # - Runs a Helm test that deploys a test container that runs a 9 | # Bash Automated Test System (a.k.a. 
"Bats") test script that 10 | # confirms that the Conjur server's status page is active. 11 | # 12 | # Optional Environment Variables: 13 | # CONJUR_NAMESPACE: Namespace to use for Conjur deployment. The 14 | # namespace is created if it doesn't exist. 15 | # HELM_INSTALL_TIMEOUT: Helm install timeout in seconds. 16 | # Defaults to `180`. 17 | # HELM_TEST_LOGGING: Set to true to enable Helm test log collection. 18 | # Defaults to 'true' (the fallback used by the export below). 19 | # HELM_VERSION: Helm client version to use for the test. 20 | # Defaults to '3.1.3'. 21 | # KUBECTL_VERSION: Kubectl client version to use for the test. 22 | # Defaults to '1.16.9'. 23 | # SKIP_GCLOUD_LOGIN: If set to 'true', then skip Gcloud authentication. 24 | # This is useful for local testing whereby you've 25 | # already authenticated with GCP and/or have 'kubectl' 26 | # access to a cluster. Defaults to 'false'. 27 | # AUTHN_STRATEGY: Authentication strategy. Can be 'authn-jwt' or 28 | # 'authn-k8s'. Defaults to 'authn-k8s'. 29 | 30 | test_id="$(random_string)" 31 | 32 | export CONJUR_NAMESPACE="${CONJUR_NAMESPACE:-conjur-oss-test-$test_id}" 33 | export HELM_INSTALL_TIMEOUT="${HELM_INSTALL_TIMEOUT:-180}" 34 | export HELM_TEST_LOGGING="${HELM_TEST_LOGGING:-true}" 35 | export HELM_VERSION="${HELM_VERSION:-3.1.3}" 36 | export KUBECTL_VERSION="${KUBECTL_VERSION:-1.16.9}" 37 | export RELEASE_NAME="$CONJUR_NAMESPACE" 38 | export SKIP_GCLOUD_LOGIN="${SKIP_GCLOUD_LOGIN:-false}" 39 | export AUTHN_STRATEGY="${AUTHN_STRATEGY:-authn-k8s}" 40 | 41 | announce "Building gcloud/kubectl/helm client image..." 42 | # Build the gcloud/kubectl/helm client container image 43 | tools_image_name="conjur-oss-helm-kubectl" 44 | docker build -t "${tools_image_name}" \ 45 | --quiet \ 46 | --build-arg HELM_VERSION="$HELM_VERSION" \ 47 | --build-arg KUBECTL_VERSION="$KUBECTL_VERSION" \ 48 | -f Dockerfile \ 49 | . 
50 | 51 | tmp_dir="$(pwd)/.tmp" 52 | tmp_bin_dir="${tmp_dir}/bin" 53 | mkdir -p "${tmp_bin_dir}" \ 54 | "${tmp_dir}/.kube" \ 55 | "${tmp_dir}/.config" 56 | export PATH="${tmp_bin_dir}:${PATH}" 57 | 58 | # Create a local alias for running 'gcloud' in client container 59 | cat > "${tmp_bin_dir}/gcloud" < "${tmp_bin_dir}/helm" < "${tmp_bin_dir}/kubectl" </dev/null)" != "" ]]; do 23 | echo -n '.' 24 | sleep 2 25 | 26 | attempt=$(( attempt + 1 )) 27 | if [ $attempt -gt 10 ]; then 28 | echo 29 | echo "ERROR: Could not log into Gcloud!" 30 | exit 1 31 | fi 32 | 33 | log_in 34 | done 35 | 36 | echo "Logged into remote resources." 37 | -------------------------------------------------------------------------------- /ci/secrets.yml: -------------------------------------------------------------------------------- 1 | GCLOUD_CLUSTER_NAME: !var ci/gke/rapid/cluster-name 2 | GCLOUD_PROJECT_NAME: !var ci/gke/project-name 3 | GCLOUD_SERVICE_KEY: !var:file ci/gke/service-key 4 | GCLOUD_ZONE: !var ci/gke/zone 5 | 6 | DOCKER_REGISTRY_URL: us.gcr.io 7 | DOCKER_REGISTRY_PATH: us.gcr.io/refreshing-mark-284016 8 | -------------------------------------------------------------------------------- /ci/validate_schema.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Run from top level dir 4 | cd "$(dirname $0)/.." 5 | 6 | if jq -e . >/dev/null < ./conjur-oss/values.schema.json; then 7 | echo "Helm chart values schema is valid JSON." && exit 0 8 | else 9 | echo "Helm chart values schema is not valid JSON." && exit 1 10 | fi 11 | -------------------------------------------------------------------------------- /conjur-oss/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /conjur-oss/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: conjur-oss 3 | home: https://www.conjur.org 4 | version: 2.0.7 5 | description: A Helm chart for CyberArk Conjur 6 | icon: https://www.cyberark.com/wp-content/uploads/2015/12/cybr-aim.jpg 7 | keywords: 8 | - security 9 | - 'secrets management' 10 | sources: 11 | - https://github.com/cyberark/conjur-oss-helm-chart 12 | - https://github.com/cyberark/conjur 13 | maintainers: 14 | - name: Conjur Maintainers 15 | email: conj_maintainers@cyberark.com 16 | -------------------------------------------------------------------------------- /conjur-oss/README.md: -------------------------------------------------------------------------------- 1 | # Conjur Open Source Helm Chart 2 | 3 | [CyberArk Conjur Open Source](https://www.conjur.org) is a powerful secrets management solution, 4 | tailored specifically to the unique infrastructure requirements of 5 | native cloud, containers, and DevOps environments. 6 | Conjur Open Source is part of the CyberArk Privileged Access Security Solution which is widely used by enterprises across the globe. 
7 | 8 | [![GitHub release](https://img.shields.io/github/release/cyberark/conjur-oss-helm-chart.svg)](https://github.com/cyberark/conjur-oss-helm-chart/releases/latest) 9 | [![pipeline status](https://gitlab.com/cyberark/conjur-oss-helm-chart/badges/master/pipeline.svg)](https://gitlab.com/cyberark/conjur-oss-helm-chart/pipelines) 10 | 11 | [![Github commits (since latest release)](https://img.shields.io/github/commits-since/cyberark/conjur-oss-helm-chart/latest.svg)](https://github.com/cyberark/conjur-oss-helm-chart/commits/master) 12 | 13 | --- 14 | 15 | ## Table of Contents 16 | 17 | - [Prerequisites and Guidelines](#prerequisites-and-guidelines) 18 | - [Installing the Chart](#installing-the-chart) 19 | * [Simple Install](#simple-install) 20 | * [Installation on OCP](#installation-on-ocp) 21 | * [Custom Installation](#custom-installation) 22 | + [Example: Installation Using Command Line Arguments](#example-installation-using-command-line-arguments) 23 | + [Example: Installation Using Custom YAML File](#example-installation-using-custom-yaml-file) 24 | * [Configuring Conjur Accounts](#configuring-conjur-accounts) 25 | * [Installing Conjur with an External Postgres Database](#installing-conjur-with-an-external-postgres-database) 26 | * [Auto-Generated Configuration](#auto-generated-configuration) 27 | - [Upgrading, Modifying, or Migrating a Conjur Open Source Helm Deployment](#upgrading-modifying-or-migrating-a-conjur-open-source-helm-deployment) 28 | * [Modifying environment variables for an existing Conjur Open Source Helm Deployment](#modifying-environment-variables-for-an-existing-conjur-open-source-helm-deployment) 29 | + [Example: Changing Log Level](#example-changing-log-level) 30 | - [Configuration](#configuration) 31 | * [Deploying Without Persistent Volume Support (e.g. for MiniKube, KataCoda)](#deploying-without-persistent-volume-support-eg-for-minikube-katacoda) 32 | * [Deploying Without LoadBalancer Support (e.g. 
for KinD, MiniKube, KataCoda)](#deploying-without-loadbalancer-support-eg-for-kind-minikube-katacoda) 33 | * [Debugging](#debugging) 34 | * [PostgreSQL Database Password Restrictions](#postgresql-database-password-restrictions) 35 | - [What's Next? Deploy an Example Application That Uses Conjur Secrets](#whats-next-deploy-an-example-application-that-uses-conjur-secrets) 36 | - [Deleting the Conjur Deployment](#deleting-the-conjur-deployment) 37 | * [Uninstalling the Chart via Helm Delete](#uninstalling-the-chart-via-helm-delete) 38 | * [Cleaning Up Kubernetes Secrets Not Managed by Helm](#cleaning-up-kubernetes-secrets-not-managed-by-helm) 39 | - [Contributing](#contributing) 40 | 41 | ## Prerequisites and Guidelines 42 | 43 | - Installation to an isolated Kubernetes cluster or namespace is highly 44 | recommended in order to facilitate limiting of direct access to Conjur 45 | Kubernetes resources to security administrators. Here, the term isolated 46 | refers to: 47 | * No workloads besides Conjur and its backend database running in the 48 | Kubernetes cluster/namespace. 49 | * Kubernetes and Helm access to the cluster/namespace is limited to 50 | security administrators via Role-Based Access Control (RBAC). 51 | - Kubernetes 1.7+ 52 | - OCP 4.6 53 | - Helm v3+. The chart may work with older versions of 54 | Helm but that deployment isn't specifically supported. 55 | - It is recommended that auto-upgrades of Kubernetes version not be 56 | used in the Kubernetes platform in which Conjur is deployed. Kubernetes 57 | version upgrades should be done in concert with Conjur version upgrades 58 | to ensure compatibility between Conjur and Kubernetes. 59 | 60 | ## Installing the Chart 61 | 62 | The Chart can be installed from a GitHub release Chart tarball or by cloning 63 | this GitHub repository. 
64 | 65 | All releases: https://github.com/cyberark/conjur-oss-helm-chart/releases 66 | 67 | ### Simple Install 68 | 69 | To install Conjur with an integrated Postgres database: 70 | 71 | ```sh-session 72 | $ CONJUR_NAMESPACE= 73 | $ kubectl create namespace "$CONJUR_NAMESPACE" 74 | $ DATA_KEY="$(docker run --rm cyberark/conjur data-key generate)" 75 | $ HELM_RELEASE= 76 | $ VERSION= 77 | $ helm install \ 78 | -n "$CONJUR_NAMESPACE" \ 79 | --set dataKey="$DATA_KEY" \ 80 | "$HELM_RELEASE" \ 81 | https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v$VERSION/conjur-oss-$VERSION.tgz 82 | ``` 83 | 84 | _Note: The configured data key is used to encrypt sensitive information 85 | in Conjur's database. It must be archived in a safe place._ 86 | 87 | _Note: These commands require Helm v3+ as-written. If using Helm v2, use 88 | arguments `--name conjur-oss` in place of `conjur-oss`._ 89 | 90 | _Note: It is highly recommended that custom, signed SSL certificates be used 91 | rather than auto-generated certificates for external Conjur access and 92 | for integrated Postgres database access (see 93 | [Custom Installation](#custom-installation) below)._ 94 | 95 | After installation, Conjur serves HTTPS on port 443 (9443 within the cluster) with a self-signed 96 | certificate. A PostgreSQL deployment is created to store Conjur state. 
97 | 98 | Note that you can also install from source by cloning this repository and running: 99 | 100 | ```sh-session 101 | $ CONJUR_NAMESPACE= 102 | $ kubectl create namespace "$CONJUR_NAMESPACE" 103 | $ DATA_KEY="$(docker run --rm cyberark/conjur data-key generate)" 104 | $ HELM_RELEASE= 105 | $ helm install \ 106 | -n "$CONJUR_NAMESPACE" \ 107 | --set dataKey="$DATA_KEY" \ 108 | "$HELM_RELEASE" \ 109 | ./conjur-oss 110 | ``` 111 | 112 | ### Installation on OCP 113 | 114 | To install Conjur on OCP, use the `openshift.enabled=true` value, and 115 | use images for Conjur, NGINX, and Postgres that are appropriate for an 116 | OpenShift platform. The following Helm install example includes the default 117 | values for Conjur, NGINX, Postgres images for deploying on OpenShift: 118 | 119 | ```sh-session 120 | $ CONJUR_NAMESPACE= 121 | $ oc create namespace "$CONJUR_NAMESPACE" 122 | $ DATA_KEY="$(docker run --rm cyberark/conjur data-key generate)" 123 | $ HELM_RELEASE= 124 | $ helm install \ 125 | -n "$CONJUR_NAMESPACE" \ 126 | --set image.repository=registry.connect.redhat.com/cyberark/conjur \ 127 | --set image.tag=latest \ 128 | --set nginx.image.repository=registry.connect.redhat.com/cyberark/conjur-nginx \ 129 | --set nginx.image.tag=latest \ 130 | --set postgres.image.repository=registry.redhat.io/rhel8/postgresql-15 \ 131 | --set postgres.image.tag=latest \ 132 | --set openshift.enabled=true \ 133 | --set dataKey="$DATA_KEY" \ 134 | "$HELM_RELEASE" \ 135 | https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v/conjur-oss-.tgz 136 | ``` 137 | 138 | 139 | ### Custom Installation 140 | 141 | All important chart values can be customized. The table in the 142 | [Configuration](#configuration) section below describes customizable 143 | chart values. 
144 | 145 | Values can be customized either by: 146 | - Including `helm install` command line arguments of the form 147 | `--set =` for any non-default configuration values (see the 148 | [Example: Installation Using Command Line Arguments](#example-installation-using-command-line-arguments) 149 | section below). 150 | - Creating a custom version of the `values.yaml` file (see the 151 | [Example: Installation Using Custom YAML File](#example-installation-using-custom-yaml-file) 152 | section below). 153 | 154 | _Note: When using non-default values for Helm install or upgrade, 155 | the user is advised:_ 156 | - _Setting configurable parameters to non-default values may result in a 157 | combination of settings that may not have been tested._ 158 | - _Using component images other than the defaults may introduce security 159 | vulnerabilities._ 160 | 161 | _Note: It is recommended that any custom chart values that are sensitive in 162 | nature be set on the Helm command line rather than in a custom values 163 | file (to avoid the risk of the custom values file not getting deleted after 164 | use). 
An example of how to do this for `database.url` is shown below. Values passed on the command line may still be recorded in shell history or be visible in process listings, so clear them once the install is complete._ 165 | 166 | #### Example: Installation Using Command Line Arguments 167 | The following shows how to install a Conjur deployment with: 168 | - A specific version of Conjur 169 | - A custom domain name to use for accessing Conjur from outside of the cluster 170 | 171 | ```sh-session 172 | $ CONJUR_NAMESPACE=my-conjur-namespace 173 | $ kubectl create namespace "$CONJUR_NAMESPACE" 174 | $ DATA_KEY="$(docker run --rm cyberark/conjur data-key generate)" 175 | $ HELM_ARGS="--set dataKey=$DATA_KEY \ 176 | --set image.tag=1.11.0 \ 177 | --set image.pullPolicy=IfNotPresent \ 178 | --set ssl.hostname=custom.domainname.com" 179 | $ helm install \ 180 | -n "$CONJUR_NAMESPACE" \ 181 | $HELM_ARGS \ 182 | conjur-oss \ 183 | https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v/conjur-oss-.tgz 184 | ``` 185 | 186 | #### Example: Installation Using Custom YAML File 187 | The following shows how to install a Conjur deployment with: 188 | - A specific version of Conjur 189 | - Additional Kubernetes-API authenticators enabled 190 | - A custom domain name to use for accessing Conjur from outside of the cluster 191 | 192 | First, create a custom values file: 193 | 194 | ```sh-session 195 | $ DATA_KEY="$(docker run --rm cyberark/conjur data-key generate)" 196 | $ cat >custom-values.yaml </conjur-oss-.tgz 219 | ``` 220 | 221 | *NOTE:* If using the Kubernetes authenticator for Conjur, the `account.name` value 222 | (see [Configuration](#configuration)) must match the initial Conjur account 223 | created. 224 | 225 | ### Configuring Conjur Accounts 226 | 227 | By setting `account.create` to `true`, you can direct your Conjur 228 | container to create an account during startup. 
To retrieve the credentials 229 | for this account, perform the following commands: 230 | 231 | ```sh-session 232 | CONJUR_ACCOUNT= 233 | CONJUR_NAMESPACE= 234 | HELM_RELEASE= 235 | POD_NAME=$(kubectl get pods --namespace "$CONJUR_NAMESPACE" \ 236 | -l "app=conjur-oss,release=$HELM_RELEASE" \ 237 | -o jsonpath="{.items[0].metadata.name}") 238 | kubectl exec --namespace "$CONJUR_NAMESPACE" \ 239 | "$POD_NAME" \ 240 | --container=conjur-oss \ 241 | -- conjurctl role retrieve-key "$CONJUR_ACCOUNT":user:admin | tail -1 242 | ``` 243 | 244 | > Note: If you have `logLevel` set to `debug`, the `tail -1` command will truncate the output. 245 | To see all output, remove this additional command from the end. 246 | 247 | If you set `account.create` to `false`, or did not provide a value, an admin account will 248 | need to be created. To create an account, use the following commands: 249 | 250 | ```sh-session 251 | CONJUR_ACCOUNT= 252 | POD_NAME=$(kubectl get pods --namespace "$CONJUR_NAMESPACE" \ 253 | -l "app=conjur-oss,release=$HELM_RELEASE" \ 254 | -o jsonpath="{.items[0].metadata.name}") 255 | kubectl exec --namespace $CONJUR_NAMESPACE \ 256 | $POD_NAME \ 257 | --container=conjur-oss \ 258 | -- conjurctl account create $CONJUR_ACCOUNT | tail -1 259 | ``` 260 | The credentials for this account will be provided after the account has been created. 261 | Store these in a safe location. 262 | 263 | ### Installing Conjur with an External Postgres Database 264 | 265 | You can configure Conjur to use an external (non-integrated) Postgres database 266 | by running `helm install` with the following command line argument (or 267 | setting the equivalent field in a custom values.yaml file): 268 | 269 | ``` 270 | --set database.url= 271 | ``` 272 | 273 | The format of a Postgres database connection string is documented 274 | [here](https://www.postgresql.org/docs/15/libpq-connect.html#LIBPQ-CONNSTRING). 
275 | 276 | If this chart value is not explicitly set, then an integrated Postgres 277 | database will be deployed along with Conjur. 278 | 279 | ### Auto-Generated Configuration 280 | 281 | By default, a `helm install` of the Conjur Open Source helm chart will include 282 | automatic generation of the following configuration: 283 | 284 | - Postgres database password (for integrated Postgres database only). 285 | 286 | _Note: The database password configuration is not used when an external 287 | Postgres database is configured._ 288 | 289 | The database password for an integrated Postgres database is automatically 290 | generated if it is not set explicitly. Alternatively, the database password 291 | can be set explicitly by including the following `helm install` command 292 | line argument (or by setting the equivalent field in a custom values.yaml 293 | file): 294 | 295 | ``` 296 | --set database.password= 297 | ``` 298 | 299 | - Postgres database SSL certificate and key (for integrated Postgres 300 | database only). 301 | 302 | Alternatively, these values can be set explicitly with the following 303 | `helm install` arguments (or by setting the equivalent field in a custom 304 | values.yaml file): 305 | 306 | ``` 307 | --set database.ssl.cert= 308 | --set database.ssl.key= 309 | ``` 310 | 311 | - Conjur SSL CA signing certificate and SSL self-signed certificate. 312 | 313 | Alternatively, these values can be set explicitly with the following 314 | `helm install` arguments: 315 | 316 | ``` 317 | --set ssl.caCert= 318 | --set ssl.caKey= 319 | --set ssl.cert= 320 | --set ssl.key= 321 | ``` 322 | 323 | ## Upgrading, Modifying, or Migrating a Conjur Open Source Helm Deployment 324 | 325 | This Helm chart supports modifications or upgrades of a Conjur deployment via the 326 | [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/#helm) command. 327 | This includes tasks such as rotating SSL certificates. 
328 | 329 | For details on how to upgrade or modify an existing Conjur Open Source Helm deployment, 330 | or migrate Conjur configuration from one Conjur Open Source Helm deployment to a new, 331 | separate Conjur Open Source Helm deployment, please see the 332 | [UPGRADING.md](UPGRADING.md) markdown file. 333 | 334 | ### Modifying environment variables for an existing Conjur Open Source Helm Deployment 335 | 336 | After deploying Conjur Open Source using the helm chart, you may need to add or modify an 337 | environment variable within the Conjur container. This task can be performed without needing 338 | to tear down your existing deployment by using the `helm upgrade` command. 339 | 340 | #### Example: Changing Log Level 341 | 342 | For example, to change the log-level of the Conjur container in your 343 | deployment, run the following (set `LOG_LEVEL` to the desired level, e.g. `info` or `debug`): 344 | 345 | ```sh-session 346 | $ CONJUR_NAMESPACE="" 347 | $ HELM_RELEASE="conjur-oss" 348 | $ LOG_LEVEL="" 349 | $ helm upgrade \ 350 | -n "$CONJUR_NAMESPACE" \ 351 | --reuse-values \ 352 | --set logLevel="$LOG_LEVEL" \ 353 | "$HELM_RELEASE" \ 354 | ./conjur-oss 355 | ``` 356 | 357 | ## Configuration 358 | 359 | The following table lists the configurable parameters of the Conjur Open Source chart and their default values. 360 | 361 | |Parameter|Description|Default| 362 | |---------|-----------|-------| 363 | |`account.name`|Name of the Conjur account to be used by the Kubernetes authenticator|`"default"`| 364 | |`account.create`|If true, a Conjur account is created automatically after installation|`false`| 365 | |`authenticators`|List of authenticators that Conjur will allow-list and load. Enable only the authenticators you actually use.|`"authn"`| 366 | |`conjurLabels`|Extra Kubernetes labels to apply to Conjur resources|`{}`| 367 | |`database.url`|PostgreSQL connection string. The format is documented [here](https://www.postgresql.org/docs/15/libpq-connect.html#LIBPQ-CONNSTRING). 
If left blank, an integrated PostgreSQL deployment is created.|`""`| 368 | |`database.password`|PostgreSQL database password string. Unused if an external Postgres database is configured. See [PostgreSQL Database Password Restrictions](#postgresql-database-password-restrictions) below.|`""`| 369 | |`database.ssl.cert`|PostgreSQL TLS x509 certificate, base64 encoded.|`""`| 370 | |`database.ssl.key`|PostgreSQL TLS private key, base64 encoded.|`""`| 371 | |`dataKey`|Conjur data key, 32 byte base-64 encoded string for data encryption. If left blank, a key is generated and stored in the `...-conjur-data-key` Kubernetes secret (see [Cleaning Up Kubernetes Secrets Not Managed by Helm](#cleaning-up-kubernetes-secrets-not-managed-by-helm)). Back this key up and protect it: encrypted database contents cannot be decrypted without it, and it cannot be changed via `helm upgrade`.|`""`| 372 | |`deployment.annotations`|Annotations for Conjur deployment|`{}`| 373 | |`image.repository`|Conjur Docker image repository|`"cyberark/conjur"`| 374 | |`image.tag`|Conjur Docker image tag|`"1.11.5"`| 375 | |`image.pullPolicy`|Pull policy for Conjur Docker image|`"Always"`| 376 | |`logLevel`|Conjur log level. Set to 'debug' to enable detailed debug logs in the Conjur container (revert to 'info' when troubleshooting is complete) |`"info"`| 377 | |`nginx.image.repository`|NGINX Docker image repository|`"nginx"`| 378 | |`nginx.image.tag`|NGINX Docker image tag|`"1.15"`| 379 | |`nginx.image.pullPolicy`|Pull policy for NGINX Docker image|`"IfNotPresent"`| 380 | |`openshift.enabled`|Indicates that Conjur is to be installed on an OpenShift platform|`false`| 381 | |`postgres.image.pullPolicy`|Pull policy for postgres Docker image|`"IfNotPresent"`| 382 | |`postgres.image.repository`|postgres Docker image repository|`"postgres"`| 383 | |`postgres.image.tag`|postgres Docker image tag|`"10.16"`| 384 | |`postgres.persistentVolume.create`|Create a persistent volume to back the PostgreSQL data|`true`| 385 | |`postgres.persistentVolume.size`|Size of persistent volume to be created for PostgreSQL|`"8Gi"`| 386 | |`postgres.persistentVolume.storageClass`|Storage class to be used for PostgreSQL persistent volume claim|`nil`| 387 | |`rbac.create`|Controls whether or not RBAC resources are created. 
This setting is deprecated and will be replaced in the next major release with two separate settings: `rbac.createClusterRole` (defaulting to true) and `rbac.createClusterRoleBinding` (defaulting to false), and the creation of RoleBindings will be recommended over relying on this ClusterRoleBinding.|`true`| 388 | |`replicaCount`|Number of desired Conjur pods|`1`| 389 | |`service.external.annotations`|Annotations for the external LoadBalancer|`[service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp]`| 390 | |`service.external.enabled`|Expose service to the Internet|`true`| 391 | |`service.external.port`|Conjur external service port|`443`| 392 | |`service.internal.annotations`|Annotations for Conjur service|`{}`| 393 | |`service.internal.port`|Conjur internal service port|`443`| 394 | |`service.internal.type`|Conjur internal service type (ClusterIP and NodePort supported)|`"NodePort"`| 395 | |`serviceAccount.create`|Controls whether or not a service account is created|`true`| 396 | |`serviceAccount.name`|Name of the ServiceAccount to be used by access-controlled resources created by the chart|`nil`| 397 | |`ssl.altNames`|Subject Alt Names for generated Conjur certificate and ingress|`[]`| 398 | |`ssl.expiration`|Expiration limit for generated certificates|`365`| 399 | |`ssl.hostname`|Hostname and Common Name for generated certificate and ingress|`"conjur.myorg.com"`| 400 | |`postgresLabels`|Extra Kubernetes labels to apply to Conjur PostgreSQL resources|`{}`| 401 | 402 | ### Deploying Without Persistent Volume Support (e.g. for MiniKube, KataCoda) 403 | Some Kubernetes platforms (e.g. MiniKube and KataCoda) do not have 404 | out-of-the-box support for StorageClasses or PersistentVolumes. 
If you 405 | are Helm installing a Conjur cluster on such a platform, then it is possible 406 | to install the cluster without persistent storage of Conjur secrets 407 | configuration and data by using the following chart setting: 408 | 409 | ``` 410 | --set postgres.persistentVolume.create=false 411 | ``` 412 | 413 | Using this flag means that your Conjur policies and secrets will not be 414 | stored persistently across pod resets, so this is intended to be used 415 | for experimentation, exploration, or automated testing, and is **not intended 416 | to be used in production environments**. 417 | 418 | ### Deploying Without LoadBalancer Support (e.g. for KinD, MiniKube, KataCoda) 419 | Some Kubernetes platforms (e.g. Kubernetes-in-Docker [KinD], MiniKube 420 | and KataCoda) do not have out-of-the-box support for LoadBalancers. 421 | 422 | For such platforms, one workaround for this is to install a software 423 | load balancer add-on, such as MetalLB, and assign a pool of routed IPs 424 | for the software load balancer to use as external IPs. Configuring such 425 | a software load balancer is considered out-of-scope here. Please refer to 426 | the [MetalLB documentation](https://metallb.universe.tf) for details. 427 | 428 | An alternative to using a software load balancer would be to install the 429 | Conjur cluster without LoadBalancer support by using the following 430 | chart setting: 431 | 432 | ``` 433 | --set service.external.enabled=false 434 | ``` 435 | 436 | Using this flag will result in a Conjur deployment that uses services of 437 | type `NodePort` rather then `LoadBalancer`. 438 | 439 | ### Debugging 440 | To display additional debugging information for the Conjur container, 441 | you can set the `logLevel` value to `debug`. 442 | 443 | To change this value without needing to re-deploy or modify your 444 | configuration, perform the following steps: 445 | 446 | 1. 
Run `helm upgrade` to change the current debug value 447 | 448 | ```sh-session 449 | $ CONJUR_NAMESPACE="" 450 | $ HELM_RELEASE="conjur-oss" 451 | $ LOG_LEVEL="debug" 452 | $ helm upgrade \ 453 | -n "$CONJUR_NAMESPACE" \ 454 | --reuse-values \ 455 | --set logLevel="$LOG_LEVEL" \ 456 | "$HELM_RELEASE" \ 457 | ./conjur-oss 458 | ``` 459 | 460 | 2. _(If `POD_NAME` is not already set)_ Retrieve the name of the Conjur pod 461 | ```sh-session 462 | $ POD_NAME=$(kubectl get pods \ 463 | --namespace "$CONJUR_NAMESPACE" \ 464 | -l "app=conjur-oss,release=$HELM_RELEASE" \ 465 | -o jsonpath="{.items[0].metadata.name}") 466 | 467 | ``` 468 | 469 | 3. Access logs for the `conjur-oss` container in that pod 470 | ```sh-session 471 | $ kubectl logs --namespace "$CONJUR_NAMESPACE" "$POD_NAME" -c conjur-oss 472 | ``` 473 | - _(Optional)_ Use `-f` to follow logs 474 | ```sh-session 475 | $ kubectl logs -f --namespace "$CONJUR_NAMESPACE" "$POD_NAME" -c conjur-oss 476 | ``` 477 | 4. When you have finished troubleshooting, repeat step 1 with `LOG_LEVEL="info"`; debug output is verbose and should not be left enabled in production. 478 | ### PostgreSQL Database Password Restrictions 479 | The following restrictions apply to the PostgreSQL database password: 480 | 481 | - Password must only contain the following: 482 | - Digits (0-9) 483 | - Letters (A-Z,a-z) 484 | - The special characters: 485 | ["-", ".", "_", or "~"] 486 | - Password length must be less than or equal to 64 characters. 487 | 488 | ## What's Next? Deploy an Example Application That Uses Conjur Secrets 489 | 490 | If you are new to Conjur, you may be interested in learning more about how 491 | Conjur security policy can be configured and an application can 492 | be deployed that uses Conjur Open Source to safely manage secrets data. 
493 | 494 | This repository contains a set of scripts that can: 495 | 496 | - Create a [Kubernetes-in-Docker](https://github.com/kubernetes-sigs/kind) 497 | (KinD) cluster on your local machine 498 | - Helm install a Conjur Open Source cluster on that KinD cluster 499 | - Enable the 500 | [Conjur Kubernetes Authenticator](https://docs.conjur.org/Latest/en/Content/Operations/Services/k8s_auth.htm) 501 | (authn-k8s) (as a security admin) 502 | - Load Conjur security policies for some example applications 503 | (as a security admin) 504 | - Deploy instances of a simple "Pet Store" application each using 505 | one of the following Conjur authentication broker/clients: 506 | - [Secretless Broker](https://github.com/cyberark/secretless-broker) sidecar container 507 | - [Conjur Kubernetes Authenticator Client](https://github.com/cyberark/conjur-authn-k8s-client) 508 | sidecar container 509 | - [Conjur Kubernetes Authenticator Client](https://github.com/cyberark/conjur-authn-k8s-client) 510 | init container 511 | (as an application developer/deployer) 512 | 513 | Please refer to the [README.md](../examples/kubernetes-in-docker/README.md) 514 | file in the `../examples/kubernetes-in-docker` directory for more details 515 | on how to run these demo scripts. 516 | 517 | These scripts will also generate some application-specific Conjur policy 518 | YAML files and Kubernetes application manifests as concrete examples of 519 | how applications can be deployed that use Conjur Kubernetes authentication 520 | to safely retrieve secrets. 521 | 522 | ## Deleting the Conjur Deployment 523 | 524 | Uninstalling or deleting a Conjur deployment involves two steps: 525 | - Running `helm delete` to delete Kubernetes resources that are 526 | managed directly by Helm as part of the Conjur Helm release. 527 | - Using `kubectl delete` to delete Kubernetes secrets that are associated 528 | with the Conjur release, but are not managed directly by Helm. 
529 | 530 | ### Uninstalling the Chart via Helm Delete 531 | To uninstall/delete resources that are associated with a Conjur deployment 532 | that are directly managed by Helm, use `helm delete`: 533 | 534 | ```sh-session 535 | $ CONJUR_NAMESPACE="" 536 | $ HELM_RELEASE="conjur-oss" 537 | $ helm delete -n "$CONJUR_NAMESPACE" "$HELM_RELEASE" 538 | ``` 539 | 540 | ### Cleaning Up Kubernetes Secrets Not Managed by Helm 541 | 542 | Following a `helm delete` of a Conjur deployment, there may be some 543 | residual Kubernetes secrets that have not been deleted. This will happen 544 | whenever secrets are created for "auto-generated" Conjur configuration. 545 | Such secrets are decorated with a "pre-install" Helm hook annotation, 546 | essentially making these secrets "self-managed" from a Helm perspective. 547 | The benefit to having these secrets become "self-managed" is that it prevents 548 | loss of that configuration as a result of `helm upgrade` operations. The 549 | downside is that those secrets are no longer cleaned up as part of 550 | `helm delete`. 551 | 552 | The Kubernetes secrets that may need to be manually deleted following 553 | `helm delete` are: 554 | 555 | |Secret Name|Description|When is Manual Deletion Required?| 556 | |-----------|-----------|---------------------------------| 557 | |`-conjur-database-password`|Database Password|When created (i.e. database URL not explicitly set)| 558 | |`-conjur-database-ssl`|Database SSL Certificate|When auto-generated (i.e. not explicitly set)| 559 | |`-conjur-database-url`|Database URL|When auto-generated (i.e. not explicitly set)| 560 | |`-conjur-data-key`|Data encryption key|Always| 561 | |`-conjur-ssl-ca-cert`|Conjur SSL CA Certificate|When auto-generated (i.e. not explicitly set)| 562 | |`-conjur-ssl-cert`|Conjur SSL Access Certificate|When auto-generated (i.e. 
not explicitly set)| 563 | 564 | To delete the residual "self-managed" Kubernetes secrets associated with 565 | the Conjur deployment, first review what the label selector matches, then run the delete: 566 | 567 | ```sh-session 568 | $ CONJUR_NAMESPACE="" 569 | $ HELM_RELEASE="conjur-oss" 570 | $ kubectl get secrets -n "$CONJUR_NAMESPACE" --selector="release=$HELM_RELEASE" 570 | $ kubectl delete secrets -n "$CONJUR_NAMESPACE" --selector="release=$HELM_RELEASE" 571 | ``` 572 | > **Warning:** This deletes the `...-conjur-data-key` secret (and the database password and certificate secrets) irreversibly. If the Postgres persistent volume is retained, or you intend to reuse the database data in a new deployment, back up the data key first (see the migration steps in [UPGRADING.md](UPGRADING.md)); without it the encrypted database contents cannot be decrypted. 572 | 573 | ## Contributing 574 | 575 | This chart is maintained at 576 | [github.com/cyberark/conjur-oss-helm-chart](https://github.com/cyberark/conjur-oss-helm-chart). 577 | -------------------------------------------------------------------------------- /conjur-oss/UPGRADING.md: -------------------------------------------------------------------------------- 1 | # Upgrading, Modifying, or Migrating a Conjur Open Source Helm Deployment 2 | 3 | This guide describes how to upgrade, modify, or migrate data from a 4 | [CyberArk Conjur Open Source](https://www.conjur.org) (Conjur Open Source) 5 | installation that has been deployed using the 6 | [Conjur Open Source Helm Chart](https://github.com/cyberark/conjur-oss-helm-chart/conjur-oss). 7 | 8 | There are two main scenarios covered in this document: 9 | - Upgrading/Modifying an existing Conjur Open Source Helm release 10 | - Migrating configuration from an existing Conjur Open Source Helm release 11 | to a new Conjur Open Source Helm Release 12 | 13 | For more details about installing Conjur Open Source or contributing to Conjur Open Source 14 | Helm chart development, please refer to the 15 | [Conjur Open Source Helm Chart repository](https://github.com/cyberark/conjur-oss-helm-chart/conjur-oss). 16 | 17 | To see what Conjur Open Source Helm chart configurations can be upgraded/updated, 18 | please refer to the [Configuration](README.md#configuration) section of 19 | the Conjur Open Source Helm chart [README.md](README.md) file. 
20 | 21 | --- 22 | 23 | ## Table of Contents 24 | 25 | - [Prerequisites and Guidelines](#prerequisites-and-guidelines) 26 | - [Upgrading/Modifying a Conjur Open Source Helm Release](#upgradingmodifying-a-conjur-open-source-helm-release) 27 | * [Running Helm Upgrade](#running-helm-upgrade) 28 | + [Example: Upgrading Conjur Version](#example-upgrading-conjur-version) 29 | + [Example: Upgrading NGINX Version](#example-upgrading-nginx-version) 30 | * [Rotating the SSL Certificate for an Integrated Postgres Database](#rotating-the-ssl-certificate-for-an-integrated-postgres-database) 31 | * [Rotating the Conjur SSL CA and Access Certificates](#rotating-the-conjur-ssl-ca-and-access-certificates) 32 | * [Updating the Database URL for an External Postgres Database](#updating-the-database-url-for-an-external-postgres-database) 33 | - [Migrating Conjur Open Source Configuration to a New Conjur Open Source Helm Release](#migrating-conjur-oss-configuration-to-a-new-conjur-open-source-helm-release) 34 | * [Overview](#overview) 35 | * [Assumptions and Limitations](#assumptions-and-limitations) 36 | * [Migrating Conjur Open Source Configuration With Integrated Postgres Database](#migrating-conjur-open-source-configuration-with-integrated-postgres-database) 37 | + [Step 1: Save Helm State and Kubernetes Secrets Data](#step-1-save-helm-state-and-kubernetes-secrets-data) 38 | + [Step 2: Save Postgres Database State](#step-2-save-postgres-database-state) 39 | + [Step 3: Uninstall Original Conjur Open Source Helm Release](#step-3-uninstall-original-conjur-open-source-helm-release) 40 | + [Step 4: Helm Install a New Conjur Open Source Deployment](#step-4-helm-install-a-new-conjur-open-source-deployment) 41 | + [Step 5: Restore the Postgres Database](#step-5-restore-the-postgres-database) 42 | + [Step 6: Redeploy helm chart with updated 'replicaCount'](#step-6-redeploy-helm-chart-with-updated-replicaCount) 43 | * [Migrating Conjur Open Source Configuration With External Postgres 
Database](#migrating-conjur-open-source-configuration-with-external-postgres-database) 44 | + [Step 1: Save Helm State and Kubernetes Secrets Data](#step-1-save-helm-state-and-kubernetes-secrets-data) 45 | + [Step 2: Uninstall Original Conjur Open Source Helm Release](#step-2-uninstall-original-conjur-open-source-helm-release) 46 | + [Step 3: Helm Install a New Conjur Open Source Deployment](#step-3-helm-install-a-new-conjur-open-source-deployment) 47 | 48 | ## Prerequisites and Guidelines 49 | 50 | Please refer to the 51 | [Prerequisites and Guidelines](README.md#prerequisites-and-guidelines) 52 | section of Conjur Open Source helm chart [README.md](README.md) file for overall 53 | prerequisites and guidelines for using the Conjur Open Source helm chart. 54 | 55 | ## Upgrading/Modifying a Conjur Open Source Helm Release 56 | 57 | This Helm chart supports modifications or upgrades of a Conjur deployment via 58 | `helm upgrade`. There are three upgrade scenarios to consider, depending on 59 | whether there are any major (breaking) version changes for the release 60 | components: 61 | 62 | - Conjur 63 | - NGINX 64 | - Postgres 65 | 66 | and depending on whether the Helm chart used for upgrade is different than 67 | that used for Helm install: 68 | 69 | |Component Version Changes|Chart Version Used for Upgrade|Currently Supported?|Notes| 70 | |-------------------------|------------------------------|:------------------:|:---:| 71 | |Minor (i.e. non-breaking)|Same version as Helm install|**YES**|| 72 | |Minor (i.e. non-breaking)|Different version than Helm install|**YES**|| 73 | |Major (breaking)|Same or different than Helm install|**NO**|**Note 1, Note 2**| 74 | 75 | _**Note 1**: To determine if a version change/bump is considered a breaking change, refer 76 | to this repository's `CHANGELOG.md` file for the respective current vs. 
new 77 | helm chart version._ 78 | 79 | _**Note 2**: Details on how upgrades involving breaking changes to Conjur, NGINX, 80 | or PostgreSQL will be supported in future releases are TBD._ 81 | 82 | ### Running Helm Upgrade 83 | 84 | To perform a Helm upgrade, run the following (replacing `` 85 | with your Conjur deployment namespace): 86 | 87 | ```sh-session 88 | $ CONJUR_NAMESPACE="" 89 | $ HELM_RELEASE="conjur-oss" 90 | $ helm upgrade \ 91 | -n "$CONJUR_NAMESPACE" \ 92 | --reuse-values \ 93 | < INSERT YOUR --set CUSTOMIZATION SETTINGS HERE > \ 94 | "$HELM_RELEASE" \ 95 | https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v/conjur-oss-.tgz 96 | ``` 97 | 98 | Or if you've cloned the https://github.com/cyberark/conjur-oss-helm-chart 99 | repository (replacing `` with your Conjur deployment namespace): 100 | 101 | ```sh-session 102 | $ CONJUR_NAMESPACE="" 103 | $ HELM_RELEASE="conjur-oss" 104 | $ helm upgrade \ 105 | -n "$CONJUR_NAMESPACE" \ 106 | --reuse-values \ 107 | < INSERT YOUR --set CUSTOMIZATION SETTINGS HERE > \ 108 | "$HELM_RELEASE" \ 109 | ./conjur-oss 110 | ``` 111 | 112 | Some notes: 113 | 114 | - The `--reuse-values` is required to preserve any non-default values 115 | that were used during your previous `helm install`. 116 | - Custom values that can be set via `--set` are described in the 117 | [Custom Installation](README.md#custom-installation) section of the 118 | [README.md](README.md) file. 119 | - The master data key used in the `helm install` is preserved for `helm 120 | upgrade` operations. It is not possible to modify the master data key 121 | via `helm upgrade`. 122 | - The database password used by an integrated Postgres database is preserved 123 | for `helm upgrade`. It is not possible to modify the database password 124 | via `helm upgrade`. 125 | - By default, the Postgres database SSL self-signed certificate and key are 126 | preserved for `helm upgrade`. 
To rotate the database SSL certificate and 127 | key, see the 128 | [Rotating the SSL Certificate for an Integrated Postgres Database](#rotating-the-ssl-certificate-for-an-integrated-postgres-database) 129 | section below. 130 | - By default, the Conjur CA certificate and self-signed certificate (for 131 | external access) are preserved for `helm upgrade`. To rotate the Conjur 132 | CA and self-signed certificates, see the 133 | [Rotating the Conjur SSL CA and Access Certificates](#rotating-the-conjur-ssl-ca-and-access-certificates) 134 | section below. 135 | 136 | #### Example: Upgrading Conjur Version 137 | 138 | For example, to upgrade the version of Conjur that is used in the Conjur 139 | deployment, run the following. Before bumping `image.tag`, check the `CHANGELOG.md` for breaking changes between the current and target versions (see Note 1 above), since major upgrades are not supported by `helm upgrade`: 140 | 141 | ```sh-session 142 | $ CONJUR_NAMESPACE="" 143 | $ HELM_RELEASE="conjur-oss" 144 | $ helm upgrade \ 145 | -n "$CONJUR_NAMESPACE" \ 146 | --reuse-values \ 147 | --set image.tag="" \ 148 | "$HELM_RELEASE" \ 149 | ./conjur-oss 150 | ``` 151 | 152 | #### Example: Upgrading NGINX Version 153 | 154 | For example, to change the version of NGINX that is used in the Conjur 155 | deployment, run the following: 156 | 157 | ```sh-session 158 | $ CONJUR_NAMESPACE="" 159 | $ HELM_RELEASE="conjur-oss" 160 | $ helm upgrade \ 161 | -n "$CONJUR_NAMESPACE" \ 162 | --reuse-values \ 163 | --set nginx.image.tag="" \ 164 | "$HELM_RELEASE" \ 165 | ./conjur-oss 166 | ``` 167 | 168 | ### Rotating the SSL Certificate for an Integrated Postgres Database 169 | 170 | If a Helm deployment of Conjur Open Source included the deployment of an integrated 171 | Postgres database (i.e. the `database.url` chart value was not explicitly 172 | set for `helm install`), then `helm upgrade` operations will by default 173 | preserve the self-signed SSL certificate and key used to access the 174 | integrated database. 175 | 176 | Alternatively, the integrated database SSL certificate and key can be 177 | manually updated (or "rotated") as follows (the new private key is a secret: prefer supplying it through a values file with restricted permissions rather than `--set` on the command line, which records it in shell history): 178 | 179 | 
Generate a self-signed certificate and key. 180 | 181 | 2. Delete the Kubernetes secret for the database SSL certificate. (Note: 182 | this is optional if the current database SSL certificate was set 183 | explicitly, but mandatory if the SSL certificate and key were 184 | auto-generated by the Conjur Open Source Helm chart): 185 | 186 | ```sh-session 187 | $ CONJUR_NAMESPACE="" 188 | $ HELM_RELEASE="conjur-oss" 189 | $ CERT_SECRET=$(kubectl get secrets \ 190 | -n "$CONJUR_NAMESPACE" \ 191 | -l "app=conjur-oss,release=$HELM_RELEASE" \ 192 | -o name \ 193 | | grep conjur-database-ssl) 194 | $ kubectl delete -n "$CONJUR_NAMESPACE" "$CERT_SECRET" 195 | ``` 196 | 197 | 3. Run `helm upgrade`, setting the certificate values from Step 1: 198 | 199 | ```sh-session 200 | $ helm upgrade \ 201 | -n "$CONJUR_NAMESPACE" \ 202 | --reuse-values \ 203 | --set database.ssl.cert="" \ 204 | --set database.ssl.key="" \ 205 | "$HELM_RELEASE" \ 206 | ./conjur-oss 207 | ``` 208 | 209 | ### Rotating the Conjur SSL CA and Access Certificates 210 | 211 | By default, a `helm upgrade` operation will preserve the SSL CA certificate 212 | and key used for signing and the SSL certificate and key used for 213 | external Conjur access. 214 | 215 | Alternatively, the Conjur SSL CA and SSL access certificates can be manually 216 | updated (or "rotated") as follows: 217 | 218 | 1. Generate an SSL CA self-signing certificate and key and a self-signed 219 | certificate and key for external Conjur access. 220 | 221 | 2. Delete the Kubernetes secrets for the Conjur CA signing certificate and 222 | the Conjur self-signed certificate. 
(Note: This step is optional if the 223 | current Conjur CA and self-signed certificates were set explicitly, but 224 | mandatory if these certificates were auto-generated by the Conjur 225 | OSS Helm chart): 226 | 227 | ```sh-session 228 | $ CONJUR_NAMESPACE="" 229 | $ HELM_RELEASE="conjur-oss" 230 | $ CA_SECRET=$(kubectl get secrets \ 231 | -n "$CONJUR_NAMESPACE" \ 232 | -l "app=conjur-oss,release=$HELM_RELEASE" \ 233 | -o name \ 234 | | grep conjur-ssl-ca-cert) 235 | $ kubectl delete -n "$CONJUR_NAMESPACE" "$CA_SECRET" 236 | $ CERT_SECRET=$(kubectl get secrets \ 237 | -n "$CONJUR_NAMESPACE" \ 238 | -l "app=conjur-oss,release=$HELM_RELEASE" \ 239 | -o name \ 240 | | grep conjur-ssl-cert) 241 | $ kubectl delete -n "$CONJUR_NAMESPACE" "$CERT_SECRET" 242 | ``` 243 | 244 | 3. Run `helm upgrade`, setting the certificate values from Step 1: 245 | 246 | ```sh-session 247 | $ helm upgrade \ 248 | -n "$CONJUR_NAMESPACE" \ 249 | --reuse-values \ 250 | --set ssl.caCert="" \ 251 | --set ssl.caKey="" \ 252 | --set ssl.cert="" \ 253 | --set ssl.key="" \ 254 | "$HELM_RELEASE" \ 255 | ./conjur-oss 256 | ``` 257 | 258 | ### Updating the Database URL for an External Postgres Database 259 | 260 | If you are using an external Postgres database for your Conjur deployment 261 | (i.e. you had explicitly set the `database.url` chart value in your 262 | prior `helm install`), then by default any `helm upgrade` operation that 263 | uses the `--reuse-values` flag will preserve that `database.url` value. 264 | 265 | On the other hand, if you need to update the `database.url` connection 266 | string for some reason (e.g. 
the domain name or password for 267 | the external Postgres database has been changed), then you **must 268 | update the database URL by doing a `helm upgrade` that uses the command 269 | line argument `--set "database.url="`** (or the equivalent field in a values file, which is preferable when the URL embeds a password, since `--set` records it in shell history): 270 | 271 | ```sh-session 272 | $ CONJUR_NAMESPACE="" 273 | $ HELM_RELEASE="conjur-oss" 274 | $ helm upgrade \ 275 | -n "$CONJUR_NAMESPACE" \ 276 | --reuse-values \ 277 | --set "database.url=" \ 278 | "$HELM_RELEASE" \ 279 | ./conjur-oss 280 | ``` 281 | 282 | ## Migrating Conjur Open Source Configuration to a New Conjur Open Source Helm Release 283 | 284 | ### Overview 285 | 286 | In some cases, it may be desirable to migrate Conjur configuration from 287 | one Conjur Open Source Helm release to a new, separate Helm release. For example, 288 | you may want to migrate your Conjur Open Source deployment to a different 289 | Kubernetes provider, or you may want to move your Conjur Open Source deployment 290 | to a more secure Kubernetes environment. 291 | 292 | This section provides the steps for extracting Conjur configuration from 293 | an existing Conjur Open Source Helm deployment, and restoring that Conjur configuration 294 | on a new, separate Conjur Open Source Helm deployment. 295 | 296 | The backup operation from the original Conjur Open Source deployment involves 297 | extracting Conjur Open Source state from three sources: 298 | 299 | - Kubernetes secrets 300 | - Helm state 301 | - Postgres database state 302 | 302 | _The extracted state includes the Conjur data key, the database password and a full dump of the (encrypted) Conjur database. Together these are sufficient to decrypt every secret Conjur holds, so keep the dump file and the shell variables that hold these values on a trusted workstation with restricted access, and delete them once the migration has been verified._ 303 | 304 | The restore operation to the new Conjur Open Source deployment involves: 305 | 306 | - Running `helm install` (with the saved values) to restore Helm state and Kubernetes secrets 307 | - Postgres restore of Conjur's database state 308 | 309 | ### Assumptions and Limitations 310 | 311 | - Currently, _the version of Conjur for the new Conjur Open Source deployment 312 | **MUST** be the same as the version of Conjur on the original Conjur 313 | OSS deployment_. 
(Support for migration to different versions of Conjur 313 | may be available in the future, but this will require schema translation 314 | logic that is TBD). 315 | - For deployments using an integrated Postgres database, _the **major** 316 | version of Postgres in the new Conjur Open Source deployment must be the 317 | same as the **major** version of Postgres in the original deployment_. 318 | - For simplicity, the instructions described here will include the 319 | recreation of only a critical **subset** of Helm state from the old Conjur 320 | deployment to new deployment. It is possible to modify the steps to 321 | include transfer of more Helm state, but that is left out-of-scope for 322 | simplicity in these instructions. 323 | 324 | The Helm values that are included in the migration described here: 325 | - `account.name` 326 | - `authenticators` 327 | - `database.password` 328 | - `database.url` 329 | - `dataKey` 330 | 331 | The Helm values that are left out for simplicity and brevity are all 332 | other Helm chart values listed in the 333 | [Configuration](README.md#configuration) section of the 334 | [README.md](README.md) file. 335 | 336 | - _**All instructions that follow assume that you are in the base of 337 | https://github.com/cyberark/conjur-oss-helm-chart repo**_ 338 | 339 | ### Migrating Conjur Open Source Configuration With Integrated Postgres Database 340 | 341 | When a Conjur Open Source Helm deployment includes an integrated (internal) Postgres 342 | database, the procedure for migrating Conjur Open Source state to a new Conjur Open Source 343 | Helm deployment is as follows: 344 | 345 | #### Step 1: Save Helm State and Kubernetes Secrets Data 346 | 347 | _This assumes that only Conjur is in the specified namespace. 348 | If not, manually set the `helm_chart_name` variable_ 349 | 350 | (Replace `` with your Conjur deployment namespace.) 
351 | 352 | ```sh-session 353 | $ namespace="" 354 | 355 | $ helm_chart_name=$(helm list -n "$namespace" -q) 356 | $ account=$(helm show values "$helm_chart_name" | \ 357 | awk '/^account\.name:/{print $2}' | \ 358 | sed -e 's/^"//' -e 's/"$//') 359 | $ authenticators=$(kubectl get secret \ 360 | -n "$namespace" \ 361 | "${helm_chart_name}-conjur-authenticators" \ 362 | -o jsonpath="{.data.key }" | \ 363 | base64 --decode) 364 | $ data_key=$(kubectl get secret \ 365 | -n "$namespace" \ 366 | "${helm_chart_name}-conjur-data-key" \ 367 | -o jsonpath="{.data.key }" | \ 368 | base64 --decode) 369 | ``` 370 | 370 | Before continuing, confirm that `echo "$account"` prints the account name your deployment actually uses. `helm show values` reads a *chart* (here, whatever chart is found under the release's name), not the installed *release*, so it may print the chart default rather than the value you installed with; if it is empty or wrong, look the value up with `helm get values -n "$namespace" "$helm_chart_name" -a` and set `account` by hand. Also confirm that `data_key` is non-empty: the restored deployment cannot decrypt the database without the original key. 370 | 371 | Next, check your Conjur Open Source chart version (the `CHART` column of `helm list -n "$namespace"` shows the version that is actually installed): 372 | 373 | ```sh-session 374 | $ helm show chart "$helm_chart_name"| awk '/^version:/{print $2}' 375 | ``` 376 | 377 | If your Conjur Open Source chart version is 2.0.0 or newer, then you will also need 378 | to store the database password: 379 | ```sh-session 380 | $ db_password=$(kubectl get secret \ 381 | -n "$namespace" \ 382 | "${helm_chart_name}-conjur-database-password" \ 383 | -o jsonpath="{.data.key }" | \ 384 | base64 --decode) 385 | ``` 386 | 387 | #### Step 2: Save Postgres Database State 388 | 389 | ```sh-session 390 | # Get name of the Postgres pod in the current deployment 391 | $ postgres_old_pod=$(kubectl get pods \ 392 | -n "$namespace" \ 393 | -l "app=conjur-oss-postgres" \ 394 | -o jsonpath="{.items[0].metadata.name}") 395 | 396 | # Run the `pg_dump` utility to create a database archive file 397 | $ kubectl exec -it \ 398 | -n "$namespace" \ 399 | "$postgres_old_pod" \ 400 | -- pg_dump -U postgres -c -C --column-inserts \ 401 | --inserts -f /dbdump.tar -F tar 402 | 403 | # Copy the database archive file from the Postgres pod to your local machine, 403 | # restrict access to the local copy (it is a full dump of the Conjur database), 403 | # and remove the copy left inside the pod 404 | $ kubectl cp -n "$namespace" "$postgres_old_pod:/dbdump.tar" dbdump.tar 404 | $ chmod 600 dbdump.tar 404 | $ kubectl exec -n "$namespace" "$postgres_old_pod" -- rm -f /dbdump.tar 405 | ``` 406 | 
release 410 | and delete any residual, "self-managed" Kubernetes secrets. 411 | 412 | **WARNING: This will remove your old certificates!** 413 | 414 | ```sh-session 415 | $ helm uninstall -n "$namespace" $helm_chart_name 416 | $ kubectl delete secrets -n "$namespace" -l release="$helm_chart_name" 417 | ``` 418 | 419 | #### Step 4: Helm Install a New Conjur Open Source Deployment 420 | 421 | **WARNING: This will possibly change your external service IP!** 422 | 423 | _This new deployment is unusable in this state as a regular deployment since 424 | the `replicaCount` is temporarily set to 0 (which is intentional). The 425 | `helm upgrade` in [Step 6](#step-6-redeploy-helm-chart-with-updated-replicacount) 426 | below will enable it._ 427 | 428 | ```sh-session 429 | $ namespace="" 430 | $ helm_chart_name=conjur-oss 431 | $ helm install \ 432 | -n "$namespace" \ 433 | --set account.name="$account" \ 434 | --set authenticators="$authenticators" \ 435 | --set database.password="$db_password" \ 436 | --set dataKey="$data_key" \ 437 | --set replicaCount=0 \ 438 | $helm_chart_name \ 439 | ./conjur-oss 440 | ``` 441 | 442 | #### Step 5: Restore the Postgres Database 443 | 444 | _We use the `template1` part of the connection string to delete and recreate the database. 445 | This assumes that database names have not changed between upgrades. 
Replace `postgres` in the 446 | `sed` command if your connection string used a different database name._ 447 | 448 | ```sh-session 449 | # Get the name of the Postgres pod in the new deployment 450 | $ postgres_new_pod=$(kubectl get pods \ 451 | -n "$namespace" \ 452 | -l "app=conjur-oss-postgres" \ 453 | -o jsonpath="{.items[0].metadata.name}") 454 | 455 | # Copy the database archive file from your local machine to the Postgres 456 | # pod in the new deployment 457 | $ kubectl cp -n "$namespace" ./dbdump.tar $postgres_new_pod:/dbdump.tar 458 | 459 | # Run the `pg_restore` utility to restore the database archive file to 460 | # the Postgres pod. 461 | $ pg_restore_connection_string=$(kubectl get secret \ 462 | -n "$namespace" \ 463 | ${helm_chart_name}-conjur-database-url \ 464 | -o jsonpath="{.data.key}" | \ 465 | base64 --decode | \ 466 | sed 's/postgres?/template1?/') 467 | $ kubectl exec -it -n "$namespace" \ 468 | $postgres_new_pod \ 469 | -- pg_restore -C -c -d "$pg_restore_connection_string" /dbdump.tar 470 | 471 | # Remove the database archive file from the Postgres pod 472 | $ kubectl exec -it -n "$namespace" \ 473 | $postgres_new_pod \ 474 | -- rm -rf /dbdump.tar 475 | ``` 476 | 477 | #### Step 6: Redeploy Helm Chart With Updated `replicaCount` 478 | 479 | ```sh-session 480 | $ helm upgrade -n "$namespace" \ 481 | --reuse-values \ 482 | --set replicaCount="1" \ 483 | $helm_chart_name \ 484 | ./conjur-oss 485 | ``` 486 | 487 | ### Migrating Conjur Open Source Configuration With External Postgres Database 488 | 489 | When a Conjur Open Source Helm deployment includes an external Postgres database, 490 | the procedure for migrating Conjur Open Source state to a new Conjur Open Source Helm 491 | deployment is as follows: 492 | 493 | #### Step 1: Save Helm State and Kubernetes Secrets Data 494 | 495 | _This assumes that only Conjur is in the specified namespace. 
496 | If not, manually set the `helm_chart_name` variable_ 497 | 498 | ```sh-session 499 | $ namespace="" 500 | 501 | $ helm_chart_name=$(helm list -n "$namespace" -q) 502 | $ account=$(helm show values "$helm_chart_name" | \ 503 | awk '/^account\.name:/{print $2}' | \ 504 | sed -e 's/^"//' -e 's/"$//') 505 | $ authenticators=$(kubectl get secret \ 506 | -n "$namespace" \ 507 | "${helm_chart_name}-conjur-authenticators" \ 508 | -o jsonpath="{.data.key }" | \ 509 | base64 --decode) 510 | $ data_key=$(kubectl get secret \ 511 | -n "$namespace" \ 512 | "${helm_chart_name}-conjur-data-key" \ 513 | -o jsonpath="{.data.key }" | \ 514 | base64 --decode) 515 | $ db_url=$(kubectl get secret \ 516 | -n "$namespace" \ 517 | "${helm_chart_name}-conjur-database-url" \ 518 | -o jsonpath="{.data.key }" | \ 519 | base64 --decode) 520 | ``` 521 | 522 | #### Step 2: Uninstall Original Conjur Open Source Helm Release 523 | 524 | Run `helm uninstall ...` to delete the original Conjur Open Source Helm release 525 | and delete any residual, "self-managed" Kubernetes secrets. 
526 | 527 | **WARNING: This will remove your old certificates!** 528 | 529 | ```sh-session 530 | $ helm uninstall -n "$namespace" $helm_chart_name 531 | $ kubectl delete secrets -n "$namespace" -l release="$helm_chart_name" 532 | ``` 533 | 534 | #### Step 3: Helm Install a New Conjur Open Source Deployment 535 | 536 | **WARNING: This will possibly change your external service IP!** 537 | 538 | ```sh-session 539 | $ namespace="" 540 | $ helm_chart_name=conjur-oss 541 | $ helm install \ 542 | -n "$namespace" \ 543 | --set account.name="$account" \ 544 | --set authenticators="$authenticators" \ 545 | --set database.url="$db_url" \ 546 | --set dataKey="$data_key" \ 547 | $helm_chart_name \ 548 | ./conjur-oss 549 | ``` 550 | -------------------------------------------------------------------------------- /conjur-oss/charts/.gitdirectory: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/conjur-oss-helm-chart/b1d3c385389ab0b142808db2103490cd6ce89f25/conjur-oss/charts/.gitdirectory -------------------------------------------------------------------------------- /conjur-oss/files/conjur.conf: -------------------------------------------------------------------------------- 1 | server { 2 | ssl_certificate /opt/conjur/etc/ssl/cert/tls.crt; 3 | ssl_certificate_key /opt/conjur/etc/ssl/cert/tls.key; 4 | 5 | ssl_client_certificate /opt/conjur/etc/ssl/ca/tls.crt; 6 | 7 | ssl_verify_client optional_no_ca; 8 | 9 | listen 9443 ssl; 10 | listen [::]:9443 ssl; 11 | 12 | proxy_set_header Conjur-Forwarded-Host $http_host; 13 | proxy_set_header X-Forwarded-Proto $scheme; 14 | proxy_set_header X-Real_IP $remote_Addr; 15 | proxy_set_header X-Forwarded_For $proxy_add_x_forwarded_for; 16 | proxy_set_header X-SSL-Client-Certificate $ssl_client_escaped_cert; 17 | 18 | # Container health status 19 | location /status { 20 | access_log off; 21 | return 200 'OK'; 22 | } 23 | 24 | location / { 25 | proxy_pass 
http://127.0.0.1:8080; 26 | } 27 | } 28 | 29 | server { 30 | # redirect outside unencrypted access to https 31 | listen 9000; 32 | listen [::]:9000; 33 | return 301 https://$host$request_uri; 34 | } 35 | -------------------------------------------------------------------------------- /conjur-oss/files/dhparams.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN DH PARAMETERS----- 2 | MIIBCAKCAQEAhg2rRNwhgO8Nxc363bnKNKxb7xP8BXdQBnEHNxtqfpPRQViiP8K9 3 | fMHHvN5/QAeB0hCOEg6dhbYurOcT9ZfFy9BSC9QFTixfDmMHe9MT1VIYqvsXVyjO 4 | l/ivdCW0/eMZ5sc1Fcleym+TQzzrgnI0Kad17tmq4tvBKky+0YY4Q/M9BupZ7omc 5 | fyqhY+LyEqIjWuCd3eE7YQIonOrXJ+8xuOjl5uilFu4Zz+i4KeELmAG1WaOjvg+Z 6 | dJcve9soB3uaJW45jS/7cRl94VPJsfCJC/Z6E2R6CSPDgvytxL8aAM5FCyMQljN3 7 | vS9xNgsWz5gZqU3gbxW2dRgedjEvW5VHMwIBAg== 8 | -----END DH PARAMETERS----- 9 | -------------------------------------------------------------------------------- /conjur-oss/files/mime.types: -------------------------------------------------------------------------------- 1 | types { 2 | text/html html htm shtml; 3 | text/css css; 4 | text/xml xml; 5 | image/gif gif; 6 | image/jpeg jpeg jpg; 7 | application/javascript js; 8 | application/atom+xml atom; 9 | application/rss+xml rss; 10 | 11 | text/mathml mml; 12 | text/plain txt; 13 | text/vnd.sun.j2me.app-descriptor jad; 14 | text/vnd.wap.wml wml; 15 | text/x-component htc; 16 | 17 | image/png png; 18 | image/svg+xml svg svgz; 19 | image/tiff tif tiff; 20 | image/vnd.wap.wbmp wbmp; 21 | image/webp webp; 22 | image/x-icon ico; 23 | image/x-jng jng; 24 | image/x-ms-bmp bmp; 25 | 26 | font/woff woff; 27 | font/woff2 woff2; 28 | 29 | application/java-archive jar war ear; 30 | application/json json; 31 | application/mac-binhex40 hqx; 32 | application/msword doc; 33 | application/pdf pdf; 34 | application/postscript ps eps ai; 35 | application/rtf rtf; 36 | application/vnd.apple.mpegurl m3u8; 37 | application/vnd.google-earth.kml+xml kml; 38 | 
application/vnd.google-earth.kmz kmz; 39 | application/vnd.ms-excel xls; 40 | application/vnd.ms-fontobject eot; 41 | application/vnd.ms-powerpoint ppt; 42 | application/vnd.oasis.opendocument.graphics odg; 43 | application/vnd.oasis.opendocument.presentation odp; 44 | application/vnd.oasis.opendocument.spreadsheet ods; 45 | application/vnd.oasis.opendocument.text odt; 46 | application/vnd.openxmlformats-officedocument.presentationml.presentation 47 | pptx; 48 | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet 49 | xlsx; 50 | application/vnd.openxmlformats-officedocument.wordprocessingml.document 51 | docx; 52 | application/vnd.wap.wmlc wmlc; 53 | application/x-7z-compressed 7z; 54 | application/x-cocoa cco; 55 | application/x-java-archive-diff jardiff; 56 | application/x-java-jnlp-file jnlp; 57 | application/x-makeself run; 58 | application/x-perl pl pm; 59 | application/x-pilot prc pdb; 60 | application/x-rar-compressed rar; 61 | application/x-redhat-package-manager rpm; 62 | application/x-sea sea; 63 | application/x-shockwave-flash swf; 64 | application/x-stuffit sit; 65 | application/x-tcl tcl tk; 66 | application/x-x509-ca-cert der pem crt; 67 | application/x-xpinstall xpi; 68 | application/xhtml+xml xhtml; 69 | application/xspf+xml xspf; 70 | application/zip zip; 71 | 72 | application/octet-stream bin exe dll; 73 | application/octet-stream deb; 74 | application/octet-stream dmg; 75 | application/octet-stream iso img; 76 | application/octet-stream msi msp msm; 77 | 78 | audio/midi mid midi kar; 79 | audio/mpeg mp3; 80 | audio/ogg ogg; 81 | audio/x-m4a m4a; 82 | audio/x-realaudio ra; 83 | 84 | video/3gpp 3gpp 3gp; 85 | video/mp2t ts; 86 | video/mp4 mp4; 87 | video/mpeg mpeg mpg; 88 | video/quicktime mov; 89 | video/webm webm; 90 | video/x-flv flv; 91 | video/x-m4v m4v; 92 | video/x-mng mng; 93 | video/x-ms-asf asx asf; 94 | video/x-ms-wmv wmv; 95 | video/x-msvideo avi; 96 | } 97 | 
-------------------------------------------------------------------------------- /conjur-oss/files/nginx.conf: -------------------------------------------------------------------------------- 1 | worker_processes auto; 2 | pid /var/run/nginx.pid; 3 | 4 | events { 5 | worker_connections 768; 6 | } 7 | 8 | http { 9 | server_tokens off; 10 | include mime.types; 11 | default_type application/octet-stream; 12 | 13 | sendfile on; 14 | keepalive_timeout 65; 15 | client_max_body_size 10M; 16 | proxy_read_timeout 600s; 17 | 18 | # Prevent DoS attacks 19 | reset_timedout_connection on; 20 | 21 | # Speed up SSL connections 22 | ssl_session_timeout 10m; 23 | ssl_session_cache shared:SSL:10m; 24 | 25 | # Custom security-minded SSL settings 26 | ssl_dhparam /etc/nginx/dhparams.pem; 27 | ssl_protocols TLSv1.3 TLSv1.2; 28 | ssl_prefer_server_ciphers on; 29 | ssl_ciphers 'ALL:!RSA:!SHA:!aNULL:!eNULL:!EXPORT:!MEDIUM:!LOW:!CAMELLIA:!3DES:!DES:!MD5:!PSK:!RC4:!DSS:!SRP:!DSS:!SEED:!SSLv3:!SSLv2:!IDEA:!aGOST'; 30 | 31 | log_format syslog '$http_host ' 32 | '$remote_addr ' 33 | '"$request" $status $body_bytes_sent ' 34 | '"$http_referer" "$http_user_agent" ' 35 | '$request_time ' 36 | '$upstream_response_time'; 37 | 38 | access_log /var/log/nginx/access.log syslog; 39 | 40 | # Don't ever retry failed requests. In spite of the name, this 41 | # prevents retries even if there's only a single upstream. 
42 | proxy_next_upstream off; 43 | 44 | include /etc/nginx/sites-enabled/*; 45 | } 46 | -------------------------------------------------------------------------------- /conjur-oss/files/postgres-ssl.conf: -------------------------------------------------------------------------------- 1 | ssl = on 2 | ssl_cert_file = '/opt/app-root/src/certificates/tls.crt' 3 | ssl_key_file = '/opt/app-root/src/certificates/tls.key' 4 | #ssl_ca_file = '/opt/app-root/src/certificates/ca.crt' 5 | #ssl_crl_file = '/opt/app-root/src/certificates/list.crl' 6 | -------------------------------------------------------------------------------- /conjur-oss/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 1. Get the application URLs. These should match the configured SSL values: 2 | - https://{{ $.Values.ssl.hostname }} 3 | {{- range .Values.ssl.altNames }} 4 | - https://{{ . }} 5 | {{- end }} 6 | {{- if .Values.service.external.enabled }} 7 | 8 | It may take 1-10 minutes for the LoadBalancer IP to be available. You can watch 9 | the status of the progress by running: 10 | 11 | kubectl get svc \ 12 | --namespace {{ .Release.Namespace }} \ 13 | -w {{ template "conjur-oss.fullname" . }}-ingress 14 | 15 | and waiting until you have a value in "EXTERNAL-IP" column. 16 | 17 | If you are running MiniKube, you can run: 18 | 19 | minikube service {{ template "conjur-oss.fullname" . }}-ingress --url 20 | 21 | to see the external IP and port. If using MiniKube, also make sure to use "https" 22 | scheme instead of the "http" that MiniKube will print out. 23 | 24 | Once the external ingress is available, you can get the service endpoint by running: 25 | 26 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} \ 27 | {{ template "conjur-oss.fullname" . 
}}-ingress \ 28 | -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 29 | echo -e " Service is exposed at ${SERVICE_IP}:{{ .Values.service.external.port }}\n" \ 30 | "Ensure that domain "{{ .Values.ssl.hostname }}" has an A record to ${SERVICE_IP}\n" \ 31 | "and only use the DNS endpoint https://{{ .Values.ssl.hostname }}:{{ .Values.service.external.port }} to connect.\n" 32 | 33 | Note: You must have a DNS name matching the SSL hostname (or otherwise one of the SSL 34 | alternate names) rather than the raw IP when connecting to the service with the Conjur 35 | CLI tool, or SSL verification will fail on login. If you are just locally testing 36 | things, you can work around the DNS mapping by adding the following entry to your 37 | /etc/hosts file: "$SERVICE_IP {{ $.Values.ssl.hostname }}" 38 | {{- end }} 39 | 40 | {{ if .Values.account.create }} 41 | 2. Configure Conjur Account 42 | 43 | To retrieve the credentials for the account created in Conjur at startup, {{ .Values.account.name | quote }} 44 | , use the following commands: 45 | 46 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} \ 47 | -l "app={{ template "conjur-oss.name" . }},release={{ .Release.Name }}" \ 48 | -o jsonpath="{.items[0].metadata.name}") 49 | kubectl exec --namespace {{ .Release.Namespace }} \ 50 | $POD_NAME \ 51 | --container={{ .Chart.Name }} \ 52 | -- conjurctl role retrieve-key {{ .Values.account.name }}:user:admin | tail -1 53 | 54 | Back up this key in a safe location. 55 | {{- else }} 56 | 2. Configure Conjur Account 57 | 58 | To create an initial account and login, follow the instructions here: 59 | https://www.conjur.org/get-started/install-conjur.html#install-and-configure 60 | 61 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} \ 62 | -l "app={{ template "conjur-oss.name" . 
}},release={{ .Release.Name }}" \ 63 | -o jsonpath="{.items[0].metadata.name}") 64 | kubectl exec --namespace {{ .Release.Namespace }} \ 65 | $POD_NAME \ 66 | --container={{ .Chart.Name }} \ 67 | -- conjurctl account create {{ .Values.account.name | quote }} | tail -1 68 | 69 | Note that the conjurctl account create command gives you the 70 | public key and admin API key for the account administrator you created. 71 | Back them up in a safe location. 72 | {{- end }} 73 | 74 | 3. Connect to Conjur 75 | 76 | Start a container with Conjur CLI and authenticate with the new user: 77 | 78 | docker run --rm -it --entrypoint bash cyberark/conjur-cli:8 79 | # Or if using MiniKube, use the following command from the host: 80 | # docker run --rm -it --network host --entrypoint bash cyberark/conjur-cli:8 81 | 82 | # Here ENDPOINT is the DNS name https endpoint for your Conjur service. 83 | # NOTE: Ensure that the target endpoint matches at least one of the expected server 84 | # SSL certificate names otherwise SSL verification will fail and you will not 85 | # be able to log in. 86 | # NOTE: Also ensure that the URL does not contain a slash (`/`) at the end of the URL 87 | conjur init -u -a {{ .Values.account.name | quote }} --self-signed 88 | 89 | # API key here is the key that creation of the account provided you in step #2 90 | conjur login -i admin -p 91 | 92 | # Check that you are identified as the admin user 93 | conjur whoami 94 | 95 | 4. Next Steps 96 | - Go through the Conjur Tutorials: https://www.conjur.org/tutorials/ 97 | - View Conjur's API Documentation: https://www.conjur.org/api.html 98 | -------------------------------------------------------------------------------- /conjur-oss/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 
4 | */}} 5 | {{- define "conjur-oss.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "conjur-oss.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "conjur-oss.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Generate CA and end user certificate for NGINX 36 | */}} 37 | {{- define "conjur-oss.ssl-cert-gen" -}} 38 | {{- $altNames := .Values.ssl.altNames -}} 39 | {{- $altNames := append $altNames .Values.ssl.hostname -}} 40 | {{- $altNames := append $altNames (include "conjur-oss.fullname" .) -}} 41 | {{- $altNames := append $altNames ( printf "%s.%s" (include "conjur-oss.fullname" .) .Release.Namespace ) -}} 42 | {{- $altNames := append $altNames ( printf "%s.%s.svc" (include "conjur-oss.fullname" .) .Release.Namespace ) -}} 43 | {{- $altNames := append $altNames ( printf "%s.%s.svc.cluster.local" (include "conjur-oss.fullname" .) 
.Release.Namespace ) -}} 44 | {{- $expiration := .Values.ssl.expiration | int -}} 45 | {{- $ca := genCA "conjur-oss-ca" (.Values.ssl.expiration | int) -}} 46 | {{- $cert := genSignedCert .Values.ssl.hostname nil $altNames $expiration $ca -}} 47 | {{- $_ := set . "caCrt" ($ca.Cert | b64enc) }} 48 | {{- $_ := set . "caKey" ($ca.Key | b64enc) }} 49 | {{- $_ := set . "certCrt" (printf "%s\n%s" $cert.Cert $ca.Cert | b64enc) }} 50 | {{- $_ := set . "certKey" ($cert.Key | b64enc) }} 51 | {{- end -}} 52 | 53 | {{/* 54 | Use the database password chart value if provided, or generate a 55 | 64-character, random, alphanumeric password for the backend database 56 | */}} 57 | {{- define "conjur-oss.database-password" -}} 58 | {{- if .Values.database.password }} 59 | {{- $_ := set . "dbPassword" (.Values.database.password | trunc 64) }} 60 | {{- else }} 61 | {{- $_ := set . "dbPassword" (randAlphaNum 64) }} 62 | {{- end }} 63 | {{- end -}} 64 | 65 | {{/* 66 | Generate self-signed certificate for the backend database 67 | */}} 68 | {{- define "conjur-oss.database-cert-gen" -}} 69 | {{- $expiration := .Values.database.ssl.expiration | int -}} 70 | {{- $cert := genSelfSignedCert "pg" nil nil $expiration -}} 71 | {{- $_ := set . "dbCrt" ($cert.Cert | b64enc) }} 72 | {{- $_ := set . 
"dbKey" ($cert.Key | b64enc) }} 73 | {{- end -}} 74 | 75 | {{/* 76 | Return the most recent RBAC API available 77 | */}} 78 | {{- define "conjur-oss.rbac-api" -}} 79 | {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} 80 | {{- printf "rbac.authorization.k8s.io/v1" -}} 81 | {{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }} 82 | {{- printf "rbac.authorization.k8s.io/v1beta1" -}} 83 | {{- else }} 84 | {{- printf "rbac.authorization.k8s.io/v1alpha1" -}} 85 | {{- end }} 86 | {{- end }} 87 | 88 | {{/* 89 | Returns the service account name for this deployment 90 | */}} 91 | {{- define "conjur-oss.service-account" -}} 92 | {{- if .Values.serviceAccount.create -}} 93 | {{ default (include "conjur-oss.fullname" .) .Values.serviceAccount.name }} 94 | {{- else -}} 95 | {{ default "default" .Values.serviceAccount.name }} 96 | {{- end -}} 97 | {{- end -}} 98 | -------------------------------------------------------------------------------- /conjur-oss/templates/auth-role.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | {{- if .Values.serviceAccount.create }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ template "conjur-oss.service-account" . }} 7 | labels: 8 | app: {{ template "conjur-oss.name" . }} 9 | chart: {{ template "conjur-oss.chart" . }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | app.kubernetes.io/name: {{ .Release.Name }} 13 | {{- with .Values.conjurLabels }} 14 | {{ toYaml . | indent 4 }} 15 | {{- end }} 16 | {{- end }} 17 | --- 18 | {{- if .Values.rbac.create }} 19 | apiVersion: {{ include "conjur-oss.rbac-api" . }} 20 | kind: ClusterRole 21 | metadata: 22 | name: {{ .Release.Name }}-conjur-authenticator 23 | labels: 24 | app: {{ template "conjur-oss.name" . }} 25 | chart: {{ template "conjur-oss.chart" . 
}} 26 | release: {{ .Release.Name }} 27 | heritage: {{ .Release.Service }} 28 | app.kubernetes.io/name: {{ .Release.Name }} 29 | {{- with .Values.conjurLabels }} 30 | {{ toYaml . | indent 4 }} 31 | {{- end }} 32 | rules: 33 | - apiGroups: [""] # "" indicates the core API group 34 | resources: ["pods", "serviceaccounts"] 35 | verbs: ["get", "list"] 36 | - apiGroups: ["extensions"] 37 | resources: [ "deployments", "replicasets"] 38 | verbs: ["get", "list"] 39 | - apiGroups: ["apps"] 40 | resources: [ "deployments", "statefulsets", "replicasets"] 41 | verbs: ["get", "list"] 42 | - apiGroups: [""] 43 | resources: ["pods/exec"] 44 | verbs: ["create", "get"] 45 | --- 46 | kind: ClusterRoleBinding 47 | apiVersion: {{ include "conjur-oss.rbac-api" . }} 48 | metadata: 49 | name: {{ .Release.Name }}-conjur-authenticator 50 | labels: 51 | app: {{ template "conjur-oss.name" . }} 52 | chart: {{ template "conjur-oss.chart" . }} 53 | release: {{ .Release.Name }} 54 | heritage: {{ .Release.Service }} 55 | app.kubernetes.io/name: {{ .Release.Name }} 56 | {{- with .Values.conjurLabels }} 57 | {{ toYaml . | indent 4 }} 58 | {{- end }} 59 | subjects: 60 | - kind: ServiceAccount 61 | name: {{ template "conjur-oss.service-account" . }} 62 | namespace: {{ .Release.Namespace }} 63 | roleRef: 64 | kind: ClusterRole 65 | name: {{ .Release.Name }}-conjur-authenticator 66 | apiGroup: rbac.authorization.k8s.io 67 | {{- end }} 68 | -------------------------------------------------------------------------------- /conjur-oss/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ template "conjur-oss.fullname" . }} 5 | labels: &AppConjurLabels 6 | app: {{ template "conjur-oss.name" . }} 7 | chart: {{ template "conjur-oss.chart" . 
}} 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | app.kubernetes.io/name: {{ .Release.Name }} 11 | app.kubernetes.io/component: service 12 | {{- with .Values.conjurLabels }} 13 | {{ toYaml . | indent 4 }} 14 | {{- end }} 15 | {{- with .Values.deployment.annotations }} 16 | annotations: 17 | {{ toYaml . | indent 4 }} 18 | {{- end }} 19 | spec: 20 | replicas: {{ .Values.replicaCount }} 21 | selector: 22 | matchLabels: *AppConjurLabels 23 | template: 24 | metadata: 25 | labels: *AppConjurLabels 26 | annotations: 27 | # Automatically roll deployment if dependent secrets have been changed 28 | checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} 29 | checksum/ssl-cert: {{ include (print $.Template.BasePath "/ssl-cert.yaml") . | sha256sum }} 30 | checksum/nginx-configmap: {{ include (print $.Template.BasePath "/nginx-configmap.yaml") . | sha256sum }} 31 | spec: 32 | serviceAccountName: {{ template "conjur-oss.service-account" . }} 33 | volumes: 34 | - name: {{ .Release.Name }}-conjur-ssl-cert-volume 35 | secret: 36 | secretName: {{ .Release.Name }}-conjur-ssl-cert 37 | # Permission == 0400. JSON spec doesn't support octal notation. 38 | defaultMode: 256 39 | - name: {{ .Release.Name }}-conjur-ssl-ca-cert-volume 40 | secret: 41 | secretName: {{ .Release.Name }}-conjur-ssl-ca-cert 42 | # Permission == 0400. JSON spec doesn't support octal notation. 
43 | defaultMode: 256 44 | {{- if not .Values.openshift.enabled }} 45 | - name: {{ .Release.Name }}-conjur-configmap-volume 46 | configMap: 47 | name: {{ .Release.Name }}-conjur-nginx-configmap 48 | items: 49 | - key: nginx_conf 50 | path: nginx.conf 51 | - key: mime_types 52 | path: mime.types 53 | - key: dhparams 54 | path: dhparams.pem 55 | - key: conjur_site 56 | path: sites-enabled/conjur.conf 57 | {{- end }} 58 | containers: 59 | - name: {{ .Release.Name }}-nginx 60 | image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}" 61 | imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} 62 | ports: 63 | - containerPort: 9443 64 | name: https 65 | - containerPort: 9000 66 | name: http 67 | livenessProbe: 68 | httpGet: 69 | path: /status 70 | scheme: HTTPS 71 | port: https 72 | initialDelaySeconds: 1 73 | periodSeconds: 5 74 | timeoutSeconds: 3 75 | # 1 seconds * 180 = 3 minutes 76 | failureThreshold: 180 77 | readinessProbe: 78 | httpGet: 79 | path: /status 80 | scheme: HTTPS 81 | port: https 82 | initialDelaySeconds: 1 83 | periodSeconds: 5 84 | timeoutSeconds: 3 85 | # 1 seconds * 180 = 3 minutes 86 | failureThreshold: 180 87 | volumeMounts: 88 | - name: {{ .Release.Name }}-conjur-ssl-cert-volume 89 | mountPath: /opt/conjur/etc/ssl/cert 90 | readOnly: true 91 | - name: {{ .Release.Name }}-conjur-ssl-ca-cert-volume 92 | mountPath: /opt/conjur/etc/ssl/ca 93 | readOnly: true 94 | {{- if not .Values.openshift.enabled }} 95 | - name: {{ .Release.Name }}-conjur-configmap-volume 96 | mountPath: /etc/nginx 97 | readOnly: true 98 | {{- end }} 99 | 100 | - name: {{ .Chart.Name }} 101 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 102 | imagePullPolicy: {{ .Values.image.pullPolicy }} 103 | {{- if .Values.account.create }} 104 | # If the configured account has already been created, then start the 105 | # server without account creation. Otherwise, start the server with 106 | # account creation. 
107 | command: ["bash"] 108 | args: 109 | - -c 110 | - | 111 | if conjurctl role retrieve-key {{ .Values.account.name }}:user:admin >/dev/null 2>&1; then 112 | conjurctl server; 113 | else 114 | conjurctl server --account={{ .Values.account.name }} | grep -v 'API key for admin:'; 115 | fi 116 | {{ else }} 117 | args: ["server"] 118 | {{- end }} 119 | ports: 120 | - name: http 121 | containerPort: 8080 122 | protocol: TCP 123 | livenessProbe: 124 | httpGet: 125 | path: / 126 | port: http 127 | initialDelaySeconds: 1 128 | periodSeconds: 5 129 | timeoutSeconds: 2 130 | # 1 seconds * 180 = 3 minutes 131 | failureThreshold: 180 132 | readinessProbe: 133 | httpGet: 134 | path: / 135 | port: http 136 | initialDelaySeconds: 1 137 | periodSeconds: 30 138 | timeoutSeconds: 30 139 | # 1 seconds * 180 = 3 minutes 140 | failureThreshold: 180 141 | env: 142 | - name: PORT 143 | value: "8080" 144 | - name: CONJUR_AUTHENTICATORS 145 | valueFrom: 146 | secretKeyRef: 147 | name: {{ .Release.Name }}-conjur-authenticators 148 | key: key 149 | - name: CONJUR_DATA_KEY 150 | valueFrom: 151 | secretKeyRef: 152 | name: {{ .Release.Name }}-conjur-data-key 153 | key: key 154 | - name: DATABASE_URL 155 | valueFrom: 156 | secretKeyRef: 157 | name: {{ .Release.Name }}-conjur-database-url 158 | key: key 159 | - name: CONJUR_ACCOUNT 160 | value: {{ .Values.account.name }} 161 | - name: CONJUR_LOG_LEVEL 162 | value: {{ .Values.logLevel }} 163 | resources: 164 | {{ toYaml .Values.resources | indent 12 }} 165 | {{- with .Values.nodeSelector }} 166 | nodeSelector: 167 | {{ toYaml . | indent 8 }} 168 | {{- end }} 169 | {{- with .Values.affinity }} 170 | affinity: 171 | {{ toYaml . | indent 8 }} 172 | {{- end }} 173 | {{- with .Values.tolerations }} 174 | tolerations: 175 | {{ toYaml . 
| indent 8 }} 176 | {{- end }} 177 | -------------------------------------------------------------------------------- /conjur-oss/templates/load-balancer.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.service.external.enabled -}} 2 | {{- $fullName := include "conjur-oss.fullname" . -}} 3 | --- 4 | apiVersion: v1 5 | kind: Service 6 | metadata: 7 | name: {{ $fullName }}-ingress 8 | labels: &AppConjurLabels 9 | app: {{ template "conjur-oss.name" . }} 10 | chart: {{ template "conjur-oss.chart" . }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | app.kubernetes.io/name: {{ .Release.Name }} 14 | app.kubernetes.io/component: service 15 | {{- with .Values.conjurLabels }} 16 | {{ toYaml . | indent 4 }} 17 | {{- end }} 18 | annotations: 19 | {{- with .Values.service.external.annotations }} 20 | {{ toYaml . | indent 4 }} 21 | {{ end -}} 22 | spec: 23 | type: LoadBalancer 24 | selector: *AppConjurLabels 25 | ports: 26 | - name: https 27 | protocol: TCP 28 | targetPort: https 29 | port: {{ .Values.service.external.port }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /conjur-oss/templates/nginx-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.openshift.enabled }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ .Release.Name }}-conjur-nginx-configmap 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | chart: {{ template "conjur-oss.chart" . }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | data: 12 | nginx_conf: {{ tpl (.Files.Get "files/nginx.conf") . | quote }} 13 | mime_types: {{ tpl (.Files.Get "files/mime.types") . | quote }} 14 | conjur_site: {{ tpl (.Files.Get "files/conjur.conf") . | quote }} 15 | dhparams: {{ tpl (.Files.Get "files/dhparams.pem") . 
| quote }} 16 | {{- end -}} -------------------------------------------------------------------------------- /conjur-oss/templates/persistent-volume-claim.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.postgres.persistentVolume.create }} 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: {{ .Release.Name }}-conjur-oss-pvc 6 | labels: 7 | app: {{ template "conjur-oss.name" . }} 8 | chart: {{ template "conjur-oss.chart" . }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | app.kubernetes.io/name: {{ .Release.Name }} 12 | app.kubernetes.io/component: pvc 13 | {{- with .Values.conjurLabels }} 14 | {{ toYaml . | indent 4 }} 15 | {{- end }} 16 | spec: 17 | accessModes: 18 | - ReadWriteOnce 19 | resources: 20 | requests: 21 | storage: {{ .Values.postgres.persistentVolume.size }} 22 | {{ if .Values.postgres.persistentVolume.storageClass }} 23 | storageClassName: {{ .Values.postgres.persistentVolume.storageClass }} 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /conjur-oss/templates/postgres-ocp-ssl-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.openshift.enabled }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ .Release.Name }}-conjur-postgres-configmap 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | chart: {{ template "conjur-oss.chart" . }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | data: 12 | postgres_ssl: {{ tpl (.Files.Get "files/postgres-ssl.conf") . 
| quote }} 13 | {{- end -}} -------------------------------------------------------------------------------- /conjur-oss/templates/postgres-ocp.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (.Values.openshift.enabled) (eq .Values.database.url "")}} 2 | --- 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | annotations: 7 | template.openshift.io/expose-uri: postgres://{.spec.clusterIP}:{.spec.ports[?(.name=="postgresql")].port} 8 | name: {{ .Release.Name }}-postgres 9 | labels: &AppPostgresServiceLabels 10 | app: {{ template "conjur-oss.name" . }}-postgres 11 | chart: {{ template "conjur-oss.chart" . }} 12 | release: {{ .Release.Name }} 13 | heritage: {{ .Release.Service }} 14 | {{- with .Values.postgresLabels }} 15 | {{ toYaml . | indent 4 }} 16 | {{- end }} 17 | spec: 18 | ports: 19 | - name: postgresql 20 | port: 5432 21 | protocol: TCP 22 | targetPort: 5432 23 | selector: *AppPostgresServiceLabels 24 | --- 25 | apiVersion: apps/v1 26 | kind: StatefulSet 27 | metadata: 28 | name: {{ .Release.Name }}-postgres 29 | labels: &AppPostgresLabels 30 | app: {{ template "conjur-oss.name" . }}-postgres 31 | chart: {{ template "conjur-oss.chart" . }} 32 | release: {{ .Release.Name }} 33 | heritage: {{ .Release.Service }} 34 | {{- with .Values.postgresLabels }} 35 | {{ toYaml . 
| indent 4 }} 36 | {{- end }} 37 | spec: 38 | serviceName: {{ .Release.Name }}-postgres 39 | replicas: 1 40 | selector: 41 | matchLabels: *AppPostgresLabels 42 | template: 43 | metadata: 44 | labels: *AppPostgresLabels 45 | spec: 46 | containers: 47 | - image: "{{ .Values.postgres.image.repository }}:{{ .Values.postgres.image.tag }}" 48 | imagePullPolicy: IfNotPresent 49 | name: postgresql 50 | env: 51 | - name: POSTGRESQL_ADMIN_PASSWORD 52 | valueFrom: 53 | secretKeyRef: 54 | name: {{ .Release.Name }}-conjur-database-password 55 | key: key 56 | livenessProbe: 57 | exec: 58 | command: 59 | - /usr/libexec/check-container 60 | - --live 61 | initialDelaySeconds: 120 62 | timeoutSeconds: 10 63 | ports: 64 | - containerPort: 5432 65 | protocol: TCP 66 | readinessProbe: 67 | exec: 68 | command: 69 | - /usr/libexec/check-container 70 | initialDelaySeconds: 5 71 | timeoutSeconds: 1 72 | securityContext: 73 | capabilities: {} 74 | privileged: false 75 | terminationMessagePath: /dev/termination-log 76 | volumeMounts: 77 | {{ if .Values.postgres.persistentVolume.create }} 78 | - name: postgresql-data 79 | mountPath: /var/lib/pgsql/data 80 | {{- end }} 81 | - name: ssl-certs 82 | mountPath: "/opt/app-root/src/certificates" 83 | readOnly: true 84 | - name: {{ .Release.Name }}-conjur-postgres-configmap-volume 85 | mountPath: /opt/app-root/src/postgresql-cfg 86 | readOnly: true 87 | volumes: 88 | {{ if .Values.postgres.persistentVolume.create }} 89 | - name: postgresql-data 90 | persistentVolumeClaim: 91 | claimName: {{ .Release.Name }}-conjur-oss-pvc 92 | {{- end }} 93 | - name: ssl-certs 94 | secret: 95 | secretName: {{ .Release.Name }}-conjur-database-ssl 96 | # Set file permissions to 0600 (which corresponds to 384 decimal) 97 | defaultMode: 384 98 | - name: {{ .Release.Name }}-conjur-postgres-configmap-volume 99 | configMap: 100 | name: {{ .Release.Name }}-conjur-postgres-configmap 101 | items: 102 | - key: postgres_ssl 103 | path: postgres-ssl.conf 104 | {{- end }} 105 | 
-------------------------------------------------------------------------------- /conjur-oss/templates/postgres.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not .Values.openshift.enabled) (eq .Values.database.url "")}} 2 | --- 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ .Release.Name }}-postgres 7 | labels: &AppPostgresServiceLabels 8 | app: {{ template "conjur-oss.name" . }}-postgres 9 | chart: {{ template "conjur-oss.chart" . }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | app.kubernetes.io/name: {{ .Release.Name }} 13 | app.kubernetes.io/component: postgres 14 | {{- with .Values.postgresLabels }} 15 | {{ toYaml . | indent 4 }} 16 | {{- end }} 17 | spec: 18 | ports: 19 | - port: 5432 20 | selector: *AppPostgresServiceLabels 21 | --- 22 | apiVersion: apps/v1 23 | kind: StatefulSet 24 | metadata: 25 | name: {{ .Release.Name }}-postgres 26 | labels: &AppPostgresLabels 27 | app: {{ template "conjur-oss.name" . }}-postgres 28 | chart: {{ template "conjur-oss.chart" . }} 29 | release: {{ .Release.Name }} 30 | heritage: {{ .Release.Service }} 31 | app.kubernetes.io/name: {{ .Release.Name }} 32 | app.kubernetes.io/component: postgres 33 | {{- with .Values.postgresLabels }} 34 | {{ toYaml . | indent 4 }} 35 | {{- end }} 36 | spec: 37 | serviceName: {{ .Release.Name }}-postgres 38 | replicas: 1 39 | selector: 40 | matchLabels: *AppPostgresLabels 41 | template: 42 | metadata: 43 | labels: *AppPostgresLabels 44 | annotations: 45 | checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . 
| sha256sum }} 46 | spec: 47 | securityContext: 48 | fsGroup: 999 49 | containers: 50 | - image: "{{ .Values.postgres.image.repository }}:{{ .Values.postgres.image.tag }}" 51 | imagePullPolicy: {{ .Values.postgres.image.pullPolicy }} 52 | name: postgres 53 | args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/tls.crt", "-c", "ssl_key_file=/etc/certs/tls.key"] 54 | env: 55 | - name: POSTGRES_HOST_AUTH_METHOD 56 | value: password 57 | - name: POSTGRES_PASSWORD 58 | valueFrom: 59 | secretKeyRef: 60 | name: {{ .Release.Name }}-conjur-database-password 61 | key: key 62 | - name: PGDATA 63 | value: /var/lib/postgresql/data/pgdata 64 | volumeMounts: 65 | {{ if .Values.postgres.persistentVolume.create }} 66 | - name: postgres-data 67 | mountPath: "/var/lib/postgresql/data" 68 | {{- end }} 69 | - name: ssl-certs 70 | mountPath: "/etc/certs" 71 | readOnly: true 72 | volumes: 73 | {{ if .Values.postgres.persistentVolume.create }} 74 | - name: postgres-data 75 | persistentVolumeClaim: 76 | claimName: {{ .Release.Name }}-conjur-oss-pvc 77 | {{- end }} 78 | - name: ssl-certs 79 | secret: 80 | secretName: {{ .Release.Name }}-conjur-database-ssl 81 | # Set file permissions to 0600 (which corresponds to 384 decimal) 82 | defaultMode: 384 83 | {{ end }} 84 | -------------------------------------------------------------------------------- /conjur-oss/templates/secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ .Release.Name }}-conjur-authenticators 6 | labels: 7 | app: {{ template "conjur-oss.name" . }} 8 | chart: {{ template "conjur-oss.chart" . }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | app.kubernetes.io/name: {{ .Release.Name }} 12 | app.kubernetes.io/component: service 13 | {{- with .Values.conjurLabels }} 14 | {{ toYaml . 
| indent 4 }} 15 | {{- end }} 16 | type: Opaque 17 | data: 18 | key: "{{ .Values.authenticators | b64enc }}" 19 | --- 20 | apiVersion: v1 21 | kind: Secret 22 | metadata: 23 | name: {{ .Release.Name }}-conjur-data-key 24 | labels: 25 | app: {{ template "conjur-oss.name" . }} 26 | chart: {{ template "conjur-oss.chart" . }} 27 | release: {{ .Release.Name }} 28 | heritage: {{ .Release.Service }} 29 | app.kubernetes.io/name: {{ .Release.Name }} 30 | app.kubernetes.io/component: service 31 | {{- with .Values.conjurLabels }} 32 | {{ toYaml . | indent 4 }} 33 | {{- end }} 34 | annotations: 35 | helm.sh/hook: pre-install 36 | helm.sh/hook-delete-policy: before-hook-creation 37 | type: Opaque 38 | data: 39 | key: {{ .Values.dataKey | b64enc }} 40 | --- 41 | {{- include "conjur-oss.database-password" . }} 42 | apiVersion: v1 43 | kind: Secret 44 | metadata: 45 | name: {{ .Release.Name }}-conjur-database-url 46 | labels: 47 | app: {{ template "conjur-oss.name" . }} 48 | chart: {{ template "conjur-oss.chart" . }} 49 | release: {{ .Release.Name }} 50 | heritage: {{ .Release.Service }} 51 | app.kubernetes.io/name: {{ .Release.Name }} 52 | app.kubernetes.io/component: service 53 | {{- with .Values.conjurLabels }} 54 | {{ toYaml . | indent 4 }} 55 | {{- end }} 56 | {{- if not .Values.database.url }} 57 | annotations: 58 | helm.sh/hook: pre-install 59 | helm.sh/hook-delete-policy: before-hook-creation 60 | {{- end }} 61 | type: Opaque 62 | data: 63 | {{ if .Values.database.url }} 64 | key: {{ .Values.database.url | b64enc }} 65 | {{ else }} 66 | key: {{ printf "postgres://postgres:%s@%v-postgres/postgres?sslmode=require" .dbPassword .Release.Name | b64enc }} 67 | {{ end }} 68 | 69 | {{ if eq .Values.database.url "" }} 70 | --- 71 | apiVersion: v1 72 | kind: Secret 73 | metadata: 74 | name: {{ .Release.Name }}-conjur-database-password 75 | labels: 76 | app: {{ template "conjur-oss.name" . }} 77 | chart: {{ template "conjur-oss.chart" . 
}} 78 | release: {{ .Release.Name }} 79 | heritage: {{ .Release.Service }} 80 | app.kubernetes.io/name: {{ .Release.Name }} 81 | app.kubernetes.io/component: service 82 | {{- with .Values.conjurLabels }} 83 | {{ toYaml . | indent 4 }} 84 | {{- end }} 85 | annotations: 86 | helm.sh/hook: pre-install 87 | helm.sh/hook-delete-policy: before-hook-creation 88 | type: Opaque 89 | data: 90 | key: {{ .dbPassword | b64enc }} 91 | --- 92 | {{- include "conjur-oss.database-cert-gen" . }} 93 | apiVersion: v1 94 | kind: Secret 95 | metadata: 96 | name: {{ .Release.Name }}-conjur-database-ssl 97 | labels: 98 | app: {{ template "conjur-oss.name" . }} 99 | chart: {{ template "conjur-oss.chart" . }} 100 | release: {{ .Release.Name }} 101 | heritage: {{ .Release.Service }} 102 | app.kubernetes.io/name: {{ .Release.Name }} 103 | app.kubernetes.io/component: service 104 | {{- with .Values.conjurLabels }} 105 | {{ toYaml . | indent 4 }} 106 | {{- end }} 107 | {{- if not .Values.database.ssl.cert }} 108 | annotations: 109 | helm.sh/hook: pre-install 110 | helm.sh/hook-delete-policy: before-hook-creation 111 | {{- end }} 112 | type: kubernetes.io/tls 113 | data: 114 | {{- if .Values.database.ssl.cert }} 115 | tls.crt: {{ .Values.database.ssl.cert }} 116 | tls.key: {{ .Values.database.ssl.key }} 117 | {{- else }} 118 | tls.crt: {{ .dbCrt }} 119 | tls.key: {{ .dbKey }} 120 | {{- end }} 121 | {{ end }} 122 | -------------------------------------------------------------------------------- /conjur-oss/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ template "conjur-oss.fullname" . }} 5 | labels: &AppConjurLabels 6 | app: {{ template "conjur-oss.name" . }} 7 | chart: {{ template "conjur-oss.chart" . 
}} 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | app.kubernetes.io/name: {{ .Release.Name }} 11 | app.kubernetes.io/component: service 12 | {{- with .Values.conjurLabels }} 13 | {{ toYaml . | indent 4 }} 14 | {{- end }} 15 | {{- with .Values.service.internal.annotations }} 16 | annotations: 17 | {{ toYaml . | indent 4 }} 18 | {{- end }} 19 | spec: 20 | type: {{ .Values.service.internal.type }} 21 | ports: 22 | - port: {{ .Values.service.internal.port }} 23 | targetPort: https 24 | protocol: TCP 25 | name: https 26 | selector: *AppConjurLabels 27 | -------------------------------------------------------------------------------- /conjur-oss/templates/ssl-cert.yaml: -------------------------------------------------------------------------------- 1 | {{- $ssl := . }} 2 | {{- include "conjur-oss.ssl-cert-gen" $ssl }} 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: {{ .Release.Name }}-conjur-ssl-ca-cert 7 | labels: 8 | app: {{ template "conjur-oss.name" . }} 9 | chart: {{ template "conjur-oss.chart" . }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | app.kubernetes.io/name: {{ .Release.Name }} 13 | app.kubernetes.io/component: ssl-cert 14 | {{- with .Values.conjurLabels }} 15 | {{ toYaml . | indent 4 }} 16 | {{- end }} 17 | {{- if not .Values.ssl.caCert }} 18 | annotations: 19 | helm.sh/hook: pre-install 20 | helm.sh/hook-delete-policy: before-hook-creation 21 | {{- end }} 22 | type: kubernetes.io/tls 23 | data: 24 | {{- if .Values.ssl.caCert }} 25 | tls.crt: {{ .Values.ssl.caCert }} 26 | tls.key: {{ .Values.ssl.caKey }} 27 | {{- else }} 28 | tls.crt: {{ .caCrt }} 29 | tls.key: {{ .caKey }} 30 | {{- end }} 31 | --- 32 | apiVersion: v1 33 | kind: Secret 34 | metadata: 35 | name: {{ .Release.Name }}-conjur-ssl-cert 36 | labels: 37 | app: {{ template "conjur-oss.name" . }} 38 | chart: {{ template "conjur-oss.chart" . 
}} 39 | release: {{ .Release.Name }} 40 | heritage: {{ .Release.Service }} 41 | app.kubernetes.io/name: {{ .Release.Name }} 42 | app.kubernetes.io/component: ssl-cert 43 | {{- with .Values.conjurLabels }} 44 | {{ toYaml . | indent 4 }} 45 | {{- end }} 46 | {{- if not .Values.ssl.caCert }} 47 | annotations: 48 | helm.sh/hook: pre-install 49 | helm.sh/hook-delete-policy: before-hook-creation 50 | {{- end }} 51 | type: kubernetes.io/tls 52 | data: 53 | {{- if .Values.ssl.caCert }} 54 | tls.crt: {{ .Values.ssl.cert }} 55 | tls.key: {{ .Values.ssl.key }} 56 | {{- else }} 57 | tls.crt: {{ .certCrt }} 58 | tls.key: {{ .certKey }} 59 | {{- end }} 60 | -------------------------------------------------------------------------------- /conjur-oss/templates/tests/test-simple-install-configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ template "conjur-oss.fullname" . }}-tests 5 | data: 6 | run.sh: |- 7 | @test "Testing that Conjur status page is up" { 8 | curl -f --cacert /cacert/tls.crt https://{{ template "conjur-oss.fullname" . }}/ | grep 'Status' 9 | } 10 | -------------------------------------------------------------------------------- /conjur-oss/templates/tests/test-simple-install.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ .Release.Name }}-test-{{ randAlphaNum 5 | lower }}" 5 | labels: 6 | app: {{ template "conjur-oss.name" . }} 7 | chart: {{ template "conjur-oss.chart" . 
}} 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | annotations: 11 | "helm.sh/hook": test-success 12 | {{ if .Values.test.deleteOnSuccess }} 13 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 14 | {{ else }} 15 | "helm.sh/hook-delete-policy": before-hook-creation 16 | {{ end }} 17 | spec: 18 | initContainers: 19 | - name: {{ .Release.Name }}-bats-init 20 | image: bats/bats:v1.1 21 | command: 22 | - "bash" 23 | - "-exc" 24 | - | 25 | # copy bats to tools dir 26 | cp -R /opt/bats/libexec/bats-core/ /tools/bats/ 27 | volumeMounts: 28 | - mountPath: /tools 29 | name: tools 30 | containers: 31 | - name: {{ .Release.Name }}-test 32 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 33 | workingDir: "/tools/bats" 34 | command: ["/tools/bats/bats", "-t", "/tests/run.sh"] 35 | env: 36 | - name: PATH 37 | value: "/tools/bats:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" 38 | volumeMounts: 39 | - mountPath: /tests 40 | name: tests 41 | readOnly: true 42 | - mountPath: /tools 43 | name: tools 44 | - mountPath: /cacert 45 | name: {{ .Release.Name }}-test-ssl-ca-cert-volume 46 | readOnly: true 47 | volumes: 48 | - name: tests 49 | configMap: 50 | name: {{ template "conjur-oss.fullname" . }}-tests 51 | - name: {{ .Release.Name }}-test-ssl-ca-cert-volume 52 | secret: 53 | secretName: {{ .Release.Name }}-conjur-ssl-ca-cert 54 | # Permission == 0400. JSON spec doesn’t support octal notation. 
55 | defaultMode: 256 56 | - name: tools 57 | emptyDir: {} 58 | restartPolicy: Never 59 | -------------------------------------------------------------------------------- /conjur-oss/values.schema.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-07/schema", 3 | "required": [ 4 | "dataKey" 5 | ], 6 | "properties": { 7 | "account": { 8 | "type": "object", 9 | "properties": { 10 | "create": { 11 | "type": "boolean" 12 | }, 13 | "name": { 14 | "type": "string", 15 | "minLength": 1 16 | } 17 | } 18 | }, 19 | "affinity": { 20 | "type": "object" 21 | }, 22 | "authenticators": { 23 | "type": "string" 24 | }, 25 | "conjurLabels": { 26 | "type": "object" 27 | }, 28 | "database": { 29 | "properties": { 30 | "password": { 31 | "type": "string" 32 | }, 33 | "ssl": { 34 | "dependencies": { 35 | "cert": { 36 | "required": [ 37 | "key" 38 | ] 39 | } 40 | }, 41 | "properties": { 42 | "cert": { 43 | "type": "string", 44 | "minLength": 1 45 | }, 46 | "key": { 47 | "type": "string", 48 | "minLength": 1 49 | }, 50 | "expiration": { 51 | "type": "integer", 52 | "minimum": 1 53 | } 54 | } 55 | }, 56 | "url": { 57 | "type": "string" 58 | } 59 | } 60 | }, 61 | "dataKey": { 62 | "type": "string", 63 | "minLength": 1 64 | }, 65 | "deployment": { 66 | "properties": { 67 | "annotations": { 68 | "type": "object" 69 | } 70 | } 71 | }, 72 | "image": { 73 | "properties": { 74 | "repository": { 75 | "type": "string" 76 | }, 77 | "tag": { 78 | "type": "string" 79 | }, 80 | "pullPolicy": { 81 | "type": "string" 82 | } 83 | } 84 | }, 85 | "nginx": { 86 | "properties": { 87 | "image": { 88 | "properties": { 89 | "repository": { 90 | "type": "string" 91 | }, 92 | "tag": { 93 | "type": "string" 94 | }, 95 | "pullPolicy": { 96 | "type": "string" 97 | } 98 | } 99 | } 100 | } 101 | }, 102 | "nodeSelector": { 103 | "type": "object" 104 | }, 105 | "postgres": { 106 | "properties": { 107 | "image": { 108 | "properties": { 
109 | "repository": { 110 | "type": "string" 111 | }, 112 | "tag": { 113 | "type": "string" 114 | }, 115 | "pullPolicy": { 116 | "type": "string" 117 | } 118 | } 119 | }, 120 | "persistentVolume": { 121 | "properties": { 122 | "create": { 123 | "type": "boolean" 124 | }, 125 | "size": { 126 | "type": "string" 127 | }, 128 | "storageClass": { 129 | "type": "string" 130 | } 131 | } 132 | } 133 | } 134 | }, 135 | "postgresLabels": { 136 | "type": "object" 137 | }, 138 | "rbac": { 139 | "properties": { 140 | "create": { 141 | "type": "boolean" 142 | } 143 | } 144 | }, 145 | "replicaCount": { 146 | "type": "integer", 147 | "minimum": 1 148 | }, 149 | "resources": { 150 | "type": "object" 151 | }, 152 | "service": { 153 | "properties": { 154 | "external": { 155 | "properties": { 156 | "annotations": { 157 | "type": "object" 158 | }, 159 | "enabled": { 160 | "type": "boolean" 161 | }, 162 | "port": { 163 | "type": "integer" 164 | } 165 | } 166 | }, 167 | "internal": { 168 | "properties": { 169 | "annotations": { 170 | "type": "object" 171 | }, 172 | "port": { 173 | "type": "integer" 174 | }, 175 | "type": { 176 | "type": "string" 177 | } 178 | } 179 | } 180 | } 181 | }, 182 | "serviceAccount": { 183 | "properties": { 184 | "create": { 185 | "type": "boolean" 186 | }, 187 | "name": { 188 | "type": "string" 189 | } 190 | } 191 | }, 192 | "ssl": { 193 | "dependencies": { 194 | "cert": { 195 | "required": [ 196 | "key", 197 | "caCert", 198 | "caKey" 199 | ] 200 | } 201 | }, 202 | "properties": { 203 | "caCert": { 204 | "type": "string", 205 | "minLength": 1 206 | }, 207 | "caKey": { 208 | "type": "string", 209 | "minLength": 1 210 | }, 211 | "cert": { 212 | "type": "string", 213 | "minLength": 1 214 | }, 215 | "key": { 216 | "type": "string", 217 | "minLength": 1 218 | }, 219 | "expiration": { 220 | "type": "integer", 221 | "minimum": 1 222 | }, 223 | "hostname": { 224 | "type": "string" 225 | }, 226 | "altNames": { 227 | "type": "array", 228 | "items": { 229 | "type": 
"string" 230 | } 231 | } 232 | }, 233 | "test": { 234 | "properties": { 235 | "deleteOnSuccess": { 236 | "type": "boolean" 237 | } 238 | } 239 | } 240 | }, 241 | "tolerations": { 242 | "type": "array", 243 | "items": { 244 | "type": "string" 245 | } 246 | }, 247 | "openshift": { 248 | "properties": { 249 | "enabled": { 250 | "type": "boolean" 251 | } 252 | } 253 | } 254 | } 255 | } 256 | -------------------------------------------------------------------------------- /conjur-oss/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for conjur-oss. 2 | 3 | 4 | # NOTE: It is recommended that any chart values that contain sensitive 5 | # information (e.g. database.password, database.url, and SSL certificates 6 | # and keys) be set on the command line with a `--set key=value` argument 7 | # rather than setting these in a custom values YAML file. This avoids the 8 | # risk of leaving around residual values files containing this sensitive 9 | # information. 10 | 11 | account: 12 | # Name of Conjur account to be created. Maps to CONJUR_ACCOUNT env variable 13 | # for the Conjur container. 14 | name: "default" 15 | # Set to 'true' to allow the Conjur server to automatically create an account 16 | # with the configured account.name. 17 | create: false 18 | 19 | # Affinity rules to apply to the Conjur pod to indicate to Kubernetes scheduler 20 | # which nodes would be most appropriate for Conjur pod placement. See: 21 | # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node 22 | affinity: {} 23 | 24 | # Conjur whitelisted authenticators, presented as a comma-separated list. 25 | # Maps to CONJUR_AUTHENTICATORS env variable for the Conjur container. 26 | authenticators: "authn" 27 | 28 | # Additional labels to apply to all conjur resources 29 | conjurLabels: {} 30 | 31 | # Conjur log level. Set to 'debug' to enable detailed debug logs 32 | # in the Conjur container. 
33 | logLevel: "info" 34 | 35 | database: 36 | # PostgreSQL connection password. If left blank, a pseudo-random, 37 | # 64-character alphanumeric password will be auto-generated. 38 | # Note that this value will be ignored for Helm upgrade operations. 39 | password: "" 40 | 41 | ssl: 42 | # Backend database SSL certificate and private key. These should be 43 | # base64-encoded strings. If these values are not set, a self-signed 44 | # certificate will be auto-generated. 45 | # cert: 46 | # key: 47 | # Expiration for an auto-generated cert. 48 | expiration: 365 # days 49 | 50 | # PostgreSQL connection string. If left blank, a PostgreSQL deployment 51 | # is created. This value will be ignored for Helm upgrade operations 52 | # (i.e. value used for install is reused). 53 | url: "" 54 | 55 | # Conjur data key, 32 byte base-64 encoded string for data encryption. 56 | # Generate one with `docker run --rm cyberark/conjur data-key generate`. 57 | # This is a required setting. 58 | # dataKey: 59 | 60 | # Annotations to apply to the Conjur deployment. 61 | deployment: 62 | annotations: {} 63 | 64 | image: 65 | # NOTE: For OpenShift deployments, the default values to use for the 66 | # Conjur image are as follows: 67 | # 68 | # repository: registry.connect.redhat.com/cyberark/conjur 69 | # tag: latest 70 | repository: cyberark/conjur # https://hub.docker.com/r/cyberark/conjur/ 71 | tag: 'latest' 72 | pullPolicy: Always 73 | 74 | nginx: 75 | image: 76 | # NOTE: For OpenShift deployments, the default values to use for the 77 | # NGINX image are as follows: 78 | # 79 | # repository: registry.connect.redhat.com/cyberark/conjur-nginx 80 | # tag: latest 81 | repository: nginx # https://hub.docker.com/_/nginx/ 82 | tag: '1.15' 83 | pullPolicy: Always 84 | 85 | # nodeSelector (node selection constraints) to apply to the Conjur pod. 
Refer to: 86 | # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector 87 | nodeSelector: {} 88 | 89 | postgres: 90 | image: 91 | # NOTE: For OpenShift deployments, the default values to use for the 92 | # postgres image are as follows: 93 | # 94 | # repository: registry.redhat.io/rhscl/postgresql-10-rhel7 95 | # tag: latest 96 | repository: postgres # https://hub.docker.com/_/postgres/ 97 | tag: '15.4' 98 | pullPolicy: Always 99 | 100 | persistentVolume: 101 | create: true 102 | size: 8Gi 103 | # Set storageClass to use a non-default storage class for your platform 104 | # storageClass: 105 | 106 | # Additional labels to apply to all postgres-related resources 107 | postgresLabels: {} 108 | 109 | # Indicates whether the Conjur ClusterRole and ClusterRoleBinding should be 110 | # created. Set this to true, unless a Conjur deployment in a separate 111 | # namespace has already created these cluster-wide resources, in which 112 | # case they must not be created again. 113 | # 114 | # NOTE: This setting is deprecated and will be replaced in the next major 115 | # release with two separate settings: 116 | # - rbac.createClusterRole (defaulting to true) 117 | # - rbac.createClusterRoleBinding (defaulting to false) 118 | # and the recommendation will be for chart users to create RoleBindings 119 | # for each individual namespace that supports applications that require 120 | # Conjur Kubernetes authentication. 121 | rbac: 122 | create: true 123 | 124 | # Number of Conjur pods to run 125 | replicaCount: 1 126 | 127 | # Conjur container resource limits and requests. It is recommended that 128 | # these Conjur-specific limits/requests remain unset, and instead let the 129 | # Conjur container resources be constrained by namespace-wide limit ranges 130 | # and resource quotas. The namespace-wide resource limitations are 131 | # typically set by a cluster administrator to values that make sense for 132 | # the host Kubernetes platform. 
133 | # 134 | # If you do want to specify resources, uncomment the following lines, adjust 135 | # them as necessary, and remove the curly braces after 'resources:'. 136 | # limits: 137 | # cpu: 100m 138 | # memory: 128Mi 139 | # requests: 140 | # cpu: 100m 141 | # memory: 128Mi 142 | resources: {} 143 | 144 | service: 145 | external: 146 | annotations: 147 | service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp 148 | enabled: true 149 | port: 443 150 | 151 | internal: 152 | annotations: {} 153 | port: 443 154 | type: NodePort 155 | 156 | ssl: 157 | # Conjur CA certificate and key, and signed certificate and key. These 158 | # should be base64-encoded. If left blank, CA certificate and signed 159 | # certificate will be auto-generated. 160 | # caCert: 161 | # caKey: 162 | # cert: 163 | # key: 164 | 165 | expiration: 365 # days 166 | hostname: "conjur.myorg.com" 167 | altNames: [] 168 | 169 | test: 170 | deleteOnSuccess: true # If true, test pods are deleted upon successful 171 | # test completion. Otherwise, test pods are not 172 | # automatically deleted upon test completion, 173 | # regardless of test success or failure. 174 | 175 | serviceAccount: 176 | # Indicates whether Conjur service account should be created or not. 177 | # Typically set to `true`, unless the service account has already been 178 | # created outside of this Helm chart workflow. 179 | create: true 180 | # Suffix to apply to the Conjur service account name. 181 | # name: 182 | 183 | # Tolerations to apply to the Conjur pod to indicate to the Kubernetes 184 | # scheduler which nodes should be avoided for Conjur pod placement. 
See: 185 | # https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration 186 | tolerations: [] 187 | 188 | # Set enabled true for OCP support 189 | openshift: 190 | enabled: false 191 | -------------------------------------------------------------------------------- /e2e/custom-stuff.yml: -------------------------------------------------------------------------------- 1 | authenticators: "authn-k8s/minikube,authn" 2 | dataKey: "GENERATED_DATAKEY" # docker run --rm -it cyberark/conjur data-key generate 3 | database.url: "postgres://postgres:PASSWORD@POSTGRES_ENDPOINT/postgres" 4 | 5 | image: 6 | tag: "1.0.1-stable" 7 | pullPolicy: IfNotPresent 8 | 9 | service: 10 | type: NodePort 11 | 12 | ingress: 13 | enabled: true 14 | annotations: 15 | external-dns.alpha.kubernetes.io/hostname: conjur-oss.itd.mydomain.com. 16 | kubernetes.io/ingress.allow-http: "true" 17 | hosts: 18 | - conjur-oss.itd.mydomain.com 19 | tls: 20 | letsencrypt: 21 | enabled: true 22 | dns01: 23 | provider: cloud-dns-staging 24 | issuerRef: 25 | name: "letsencrypt-staging" 26 | kind: ClusterIssuer 27 | -------------------------------------------------------------------------------- /e2e/delete-conjur.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eo pipefail 4 | 5 | source ../is-helm-v2.sh 6 | 7 | if [ "$(which jq)" == "" ]; then 8 | echo "ERROR: Could not find jq utility!" 9 | exit 1 10 | fi 11 | 12 | helm_list_args="--output=json" 13 | if [ ! -z "$CONJUR_NAMESPACE" ]; then 14 | helm_list_args="$helm_list_args -n $CONJUR_NAMESPACE" 15 | fi 16 | conjur_releases=$(helm list $helm_list_args | jq -r '.[] | select(.chart | match("conjur-oss-.*")) | .name') 17 | 18 | if [ "${conjur_releases}" == "" ]; then 19 | echo "ERROR: Could not find any deployed Conjur releases!" 20 | exit 1 21 | fi 22 | 23 | for conjur_release in ${conjur_releases}; do 24 | echo "Deleting Conjur release '${conjur_release}'..." 
25 | if is_helm_v2; then 26 | helm_del_args="$helm_del_args --purge" 27 | fi 28 | if [ ! -z "$CONJUR_NAMESPACE" ]; then 29 | helm_del_args="$helm_del_args -n $CONJUR_NAMESPACE" 30 | fi 31 | if [ -z "$helm_del_args" ]; then 32 | helm delete "${conjur_release}" 33 | else 34 | helm delete $helm_del_args "${conjur_release}" 35 | fi 36 | 37 | if [ -z "$CONJUR_NAMESPACE" ]; then 38 | kubectl delete secrets --selector="release=${conjur_release}" 39 | else 40 | kubectl delete secrets \ 41 | -n "$CONJUR_NAMESPACE" \ 42 | --selector="release=${conjur_release}" 43 | fi 44 | done 45 | 46 | echo "Done!" 47 | -------------------------------------------------------------------------------- /e2e/install-conjur-no-pv.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | 3 | data_key="$(docker run --rm cyberark/conjur data-key generate)" 4 | helm_args="--set dataKey=$data_key \ 5 | --set postgres.persistentVolume.create=false" 6 | 7 | if [ ! -z "$CONJUR_NAMESPACE" ]; then 8 | if ! kubectl get namespace "$CONJUR_NAMESPACE" 2>/dev/null; then 9 | kubectl create namespace "$CONJUR_NAMESPACE" 10 | fi 11 | helm_args="$helm_args -n $CONJUR_NAMESPACE" 12 | fi 13 | 14 | helm install $helm_args conjur-e2e ../conjur-oss 15 | -------------------------------------------------------------------------------- /e2e/install-conjur.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | 3 | data_key="$(docker run --rm cyberark/conjur data-key generate)" 4 | helm_args="--set dataKey=$data_key" 5 | 6 | if [ ! -z "$CONJUR_NAMESPACE" ]; then 7 | if ! 
kubectl get namespace "$CONJUR_NAMESPACE" 2>/dev/null; then 8 | kubectl create namespace "$CONJUR_NAMESPACE" 9 | fi 10 | helm_args="$helm_args -n $CONJUR_NAMESPACE" 11 | fi 12 | 13 | helm install $helm_args conjur-e2e ../conjur-oss 14 | -------------------------------------------------------------------------------- /examples/common/1_create_kind_cluster.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -euo pipefail 4 | 5 | . utils.sh 6 | 7 | check_env_var "KIND_CLUSTER_NAME" 8 | min_kind_version="0.7.0" 9 | 10 | # Confirm that 'kind' binary is installed. 11 | if ! command -v kind &> /dev/null; then 12 | echo "kind binary not found. See https://kind.sigs.k8s.io/docs/user/quick-start/" 13 | echo "for installation instructions." 14 | exit 1 15 | fi 16 | 17 | # Check version of 'kind' binary. 18 | kind_version="$(kind version -q)" 19 | if ! meets_min_version $kind_version $min_kind_version; then 20 | echo "kind version $kind_version is invalid. Version must be $min_kind_version or newer" 21 | exit 1 22 | fi 23 | 24 | registry_container_is_running() { 25 | docker inspect -f '{{.State.Running}}' $DOCKER_LOCAL_REGISTRY_NAME 2>/dev/null 26 | } 27 | 28 | # Check if KinD cluster has already been created 29 | if [ "$(kind get clusters | grep "^$KIND_CLUSTER_NAME$")" = "$KIND_CLUSTER_NAME" ]; then 30 | echo "KinD cluster '$KIND_CLUSTER_NAME' already exists. Skipping cluster creation." 31 | if [[ $USE_DOCKER_LOCAL_REGISTRY == "true" ]]; then 32 | if ! registry_container_is_running; then 33 | echo "KinD cluster '$KIND_CLUSTER_NAME' does not have an internal Docker registry running" 34 | echo "and 'USE_DOCKER_LOCAL_REGISTRY' is set to 'true'. To use an" 35 | echo "internal Docker registry, please delete the KinD cluster:" 36 | echo " kind delete cluster --name $KIND_CLUSTER_NAME" 37 | echo "and restart the demo scripts to create a new KinD cluster." 
38 | exit 1 39 | fi 40 | fi 41 | elif [[ $USE_DOCKER_LOCAL_REGISTRY == "true" ]]; then 42 | announce "Creating KinD Cluster with local registry" 43 | 44 | reg_name="$DOCKER_LOCAL_REGISTRY_NAME" 45 | reg_port="$DOCKER_LOCAL_REGISTRY_PORT" 46 | 47 | # create registry container unless it already exists 48 | if ! registry_container_is_running; then 49 | echo "Creating a registry container" 50 | # Create a Docker network named 'kind' if not already created 51 | docker network inspect kind >/dev/null 2>&1 || \ 52 | docker network create kind 53 | docker run \ 54 | -d --restart=always -p "${reg_port}:${reg_port}" --name "${reg_name}" --net=kind \ 55 | registry:2 56 | fi 57 | reg_ip="$(docker inspect -f '{{.NetworkSettings.Networks.kind.IPAddress}}' "${reg_name}")" 58 | echo "Registry IP: ${reg_ip}" 59 | 60 | # create a cluster with the local registry enabled in containerd 61 | cat < /dev/null; then 9 | echo "helm binary not found. See https://helm.sh/docs/intro/install/" 10 | echo "for installation instructions." 11 | exit 1 12 | fi 13 | 14 | # Check version of 'helm' binary. 15 | helm_version="$(helm version --template {{.Version}} | sed 's/^v//')" 16 | if ! meets_min_version $helm_version $min_helm_version; then 17 | echo "helm version $helm_version is invalid. Version must be $min_helm_version or newer" 18 | exit 1 19 | fi 20 | 21 | # Create the namespace for the Conjur cluster if necessary 22 | if has_namespace "$CONJUR_NAMESPACE"; then 23 | echo "Namespace '$CONJUR_NAMESPACE' exists, not going to create it." 24 | else 25 | kubectl create ns "$CONJUR_NAMESPACE" 26 | fi 27 | 28 | # Check if the Conjur cluster release has already been installed. If so, run 29 | # Helm upgrade. Otherwise, do a Helm install of the Conjur cluster. 30 | if [ "$(helm list -q -n $CONJUR_NAMESPACE | grep "^$HELM_RELEASE$")" = "$HELM_RELEASE" ]; then 31 | echo "Helm upgrading existing Conjur cluster. Waiting for upgrade to complete." 
32 | args=("upgrade" "--reuse-values" ) 33 | else 34 | # Helm install a Conjur cluster and create a Conjur account 35 | echo "Helm installing a Conjur cluster. Waiting for install to complete." 36 | data_key="$(docker run --rm cyberark/conjur data-key generate)" 37 | args=("install" "--set" "dataKey=$data_key" ) 38 | fi 39 | 40 | args+=("-n" "$CONJUR_NAMESPACE" \ 41 | "--set" "account.name=$CONJUR_ACCOUNT" \ 42 | "--set" "account.create=true" \ 43 | "--set" "authenticators=authn\,$AUTHN_STRATEGY/$AUTHENTICATOR_ID" \ 44 | "--set" "logLevel=$CONJUR_LOG_LEVEL" \ 45 | "--set" "service.external.enabled=$CONJUR_LOADBALANCER_SVCS" \ 46 | "--wait" \ 47 | "--timeout" "300s" ) 48 | 49 | if [[ "$PLATFORM" == "openshift" ]]; then 50 | args+=("--set" "image.repository=$IMAGE_REPOSITORY" \ 51 | "--set" "image.tag=$IMAGE_TAG" \ 52 | "--set" "fullnameOverride=conjur-oss" \ 53 | "--set" "nginx.image.repository=$NGINX_REPOSITORY" \ 54 | "--set" "nginx.image.tag=$NGINX_TAG" \ 55 | "--set" "postgres.image.repository=$POSTGRES_REPOSITORY" \ 56 | "--set" "postgres.image.tag=$POSTGRES_TAG" \ 57 | "--set" "postgres.persistentVolume.create=$POSTGRES_PV_CREATE" \ 58 | "--set" "rbac.create=true" \ 59 | "--set" "openshift.enabled=$OPENSHIFT_ENABLED" ) 60 | fi 61 | 62 | args+=("$HELM_RELEASE" \ 63 | "../../conjur-oss") 64 | 65 | echo "helm" "${args[@]}" 66 | 67 | helm "${args[@]}" 68 | -------------------------------------------------------------------------------- /examples/common/3_retrieve_admin_password.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -euo pipefail 4 | 5 | . 
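utils.sh

# Print the Conjur admin API key for $CONJUR_ACCOUNT, as returned by
# `conjurctl role retrieve-key` inside the conjur-oss container of the
# master pod.
#
# NOTE(security): the key is written to stdout. Do not run this in a CI job
# whose logs are retained, and avoid capturing the output in shell history.
#
# The pipeline runs directly rather than inside `echo "$(...)"`: with
# `set -euo pipefail` a failing `kubectl exec` now aborts the script instead
# of being masked by a successful `echo` of an empty string.
master_pod="$(get_master_pod_name)"
kubectl exec \
  -n "$CONJUR_NAMESPACE" \
  "$master_pod" \
  --container=conjur-oss \
  -- conjurctl role retrieve-key "$CONJUR_ACCOUNT":user:admin | tail -1

# --------------------------------------------------------------------------
# /examples/common/4_ensure_authn_k8s_enabled.sh:
# --------------------------------------------------------------------------
#!/bin/bash

set -euo pipefail

. utils.sh

# Ensure that "$AUTHN_STRATEGY/$AUTHENTICATOR_ID" is one of the authenticators
# enabled in Conjur. The enabled set is stored as a comma-separated list in
# the `key` field of the <release>-conjur-authenticators Secret, e.g.
# "authn,authn-k8s/my-authenticator-id".
authenticators="$(kubectl get secret \
  -n "$CONJUR_NAMESPACE" \
  "$HELM_RELEASE-conjur-authenticators" \
  --template='{{.data.key}}' | base64 -d)"

wanted="$AUTHN_STRATEGY/$AUTHENTICATOR_ID"

# Exact, comma-delimited membership test on the enabled list. Wrapping both
# sides in commas prevents a partial match on a longer ID, and -F treats the
# value as a literal string rather than a regex.
# (The previous check searched the ID for the whole list, i.e. the grep
# operands were reversed, so a missing authenticator was reported as
# "already enabled" and never turned on.)
if grep -qF -- ",$wanted," <<< ",$authenticators,"; then
  echo "Authenticator ID $AUTHENTICATOR_ID is already enabled for $AUTHN_STRATEGY"
else
  echo "Enabling authenticator ID $AUTHENTICATOR_ID for $AUTHN_STRATEGY"
  # NOTE: this sets the list to exactly "authn,<strategy>/<id>"; any other
  # authenticator that was enabled before is dropped.
  helm upgrade \
    -n "$CONJUR_NAMESPACE" \
    --reuse-values \
    --set authenticators="authn\,$wanted" \
    --set logLevel="$CONJUR_LOG_LEVEL" \
    --wait \
    --timeout 300s \
    "$HELM_RELEASE" \
    ../../conjur-oss

  # Wait for the Conjur pods to become ready
  wait_for_conjur_ready
fi

# --------------------------------------------------------------------------
# /examples/common/5_deploy_demo_apps.sh:
# --------------------------------------------------------------------------
#!/bin/bash

set -euo pipefail

. utils.sh

conjur_demo_repo="https://github.com/conjurdemos/kubernetes-conjur-demo"
conjur_demo_scripts_path="temp/kubernetes-conjur-demo"
# Optional git ref (tag, branch or commit) of the demo repo to check out.
# NOTE(security): the cloned repo's `start` script is executed below, so pin
# a reviewed ref here rather than running whatever the remote default branch
# currently holds. Leaving it unset keeps the original (unpinned) behavior.
conjur_demo_ref="${KUBERNETES_CONJUR_DEMO_REF:-}"

# Clone the conjurdemos/kubernetes-conjur-demo repo
rm -rf "$conjur_demo_scripts_path"
announce "Cloning Kubernetes Conjur Demo scripts to $conjur_demo_scripts_path"
mkdir -p temp
git clone "$conjur_demo_repo" "$conjur_demo_scripts_path"
if [[ -n "$conjur_demo_ref" ]]; then
  announce "Checking out Kubernetes Conjur Demo ref '$conjur_demo_ref'"
  git -C "$conjur_demo_scripts_path" checkout --quiet "$conjur_demo_ref"
fi

# Because the kubernetes-conjur-demo scripts use a different naming convention
# for the Conjur namespace env variable, some translation is required.
export CONJUR_NAMESPACE_NAME="$CONJUR_NAMESPACE"

announce "Running the Kubernetes Conjur Demo scripts"
cd "$conjur_demo_scripts_path"
./start

announce "Cleaning up test/validation deployments and pods"
# The 'test-app-with-host-outside-apps-branch-summon-init' deployment
# is used to test that authentication works with the Conjur host defined
# anywhere in the policy branch. It can be deleted now.
kubectl delete deployment -n "$TEST_APP_NAMESPACE_NAME" \
  test-app-with-host-outside-apps-branch-summon-init
# test-curl is removed only in the non-LoadBalancer case (presumably it is
# only created then by the demo scripts -- verify against kubernetes-conjur-demo).
if [[ "$TEST_APP_LOADBALANCER_SVCS" == "false" ]]; then
  kubectl delete pod -n "$TEST_APP_NAMESPACE_NAME" test-curl
fi

announce "Deployment of Conjur and demo applications is complete!"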
34 | -------------------------------------------------------------------------------- /examples/common/README.md: -------------------------------------------------------------------------------- 1 | # All-in-One Demo: Deploy Kubernetes, Conjur Open Source, and Applications that Retrieve Secrets Securely 2 | 3 | ## Table of Contents 4 | * [What This Demonstration Does](#what-this-demonstration-does) 5 | * [Prerequisites](#prerequisites) 6 | * [Let's Run the Demo!](#lets-run-the-demo-) 7 | * [Behind the Scenes: So What Did this Demo Just Do?](#behind-the-scenes-so-what-did-this-demo-just-do-) 8 | + [Background: The Conjur Kubernetes Authenticator and Conjur Application Identity](#background-the-conjur-kubernetes-authenticator-and-conjur-application-identity) 9 | + [Demo Script Workflow](#demo-script-workflow) 10 | + [Exploring The Local KinD Cluster](#exploring-the-local-kind-cluster) 11 | + [Exploring the `conjur-oss` Namespace](#exploring-the-conjur-oss-namespace) 12 | + [Viewing Rendered Conjur-OSS Security Policy](#viewing-rendered-conjur-oss-security-policy) 13 | + [Exploring the Demo Application `app-test` Namespace](#exploring-the-demo-application-app-test-namespace) 14 | * [Customizable Demo Settings](#customizable-demo-settings) 15 | + [How to Modify Customizable Demo Settings](#how-to-modify-customizable-demo-settings) 16 | + [Example: Configuring a Docker Registry](#example-configuring-a-docker-registry) 17 | * [Enabling Conjur Debug Logging](#enabling-conjur-debug-logging) 18 | * [Cleaning Up](#cleaning-up) 19 | + [Deleting the Kubernetes Conjur Demo Applications](#deleting-the-kubernetes-conjur-demo-applications) 20 | + [Uninstalling Conjur Open Source via Helm Delete](#uninstalling-conjur-open-source-via-helm-delete) 21 | + [Deleting the KinD Cluster](#deleting-the-kind-cluster) 22 | 23 | ## What This Demonstration Does 24 | 25 | The scripts in this directory can be used to run an "All-in-One" 26 | demonstration of how Conjur Open Source can be deployed 
along with a simple 27 | [Pet Store](https://github.com/conjurdemos/pet-store-demo/) application 28 | that securely retrieves application-specific secrets from Conjur Open Source. 29 | 30 | It is not necessary for you to have access to a Kubernetes cluster 31 | before running the scripts. The scripts conveniently create a local, 32 | containerized Kubernetes cluster for the demo using 33 | [Kubernetes-in-Docker](https://github.com/kubernetes-sigs/kind) (KinD). 34 | 35 | The scripts demonstrate the various choices of Conjur authentication 36 | broker/clients that you have available for empowering an application for 37 | securely accessing secrets via Conjur: 38 | - [Secretless Broker](https://github.com/cyberark/secretless-broker) sidecar container 39 | - [Conjur Kubernetes Authenticator Client](https://github.com/cyberark/conjur-authn-k8s-client) 40 | sidecar container 41 | - [Conjur Kubernetes Authenticator Client](https://github.com/cyberark/conjur-authn-k8s-client) 42 | init container 43 | 44 | The scripts also demonstrate how Conjur authentication uses 45 | [Conjur application identity](https://docs.conjur.org/Latest/en/Content/Integrations/Kubernetes_AppIdentity.htm?TocPath=Integrations%7COpenShift%252C%20Kubernetes%252C%20and%20GKE%7C_____2) 46 | to uniquely identify and authenticate the application before it is permitted 47 | to access application-specific secrets from Conjur. 48 | 49 | ## Prerequisites 50 | 51 | - Linux or MacOS host that is running [Docker](https://docs.docker.com/get-docker/) 52 | - [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/) 53 | client version 1.13 or newer. 54 | 55 |
56 | Click to expand installation examples. 57 | _NOTE: The `curl` examples here (and the `kind` and `helm` ones below) download a binary and move it straight into your `PATH`. Verify each download against the checksum or signature published with its release before installing it._ 58 | ##### Install `kubectl` on Linux 59 | 60 | ```sh-session 61 | # Download the binary, make it executable, and move it to your PATH 62 | curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.19.0/bin/linux/amd64/kubectl 63 | chmod +x ./kubectl 64 | sudo mv ./kubectl /usr/local/bin 65 | ``` 66 | 67 | ##### Install `kubectl` on MacOS 68 | 69 | ```sh-session 70 | brew install kubernetes-cli 71 | ``` 72 | 73 | 
74 | 75 | - [Kubernetes-in-Docker (`kind`)](https://kind.sigs.k8s.io/docs/user/quick-start#installation) 76 | binary version 0.7.0 or newer. 77 | 78 |
79 | Click to expand installation examples. 80 | 81 | ##### Install `kind` on Linux 82 | 83 | ```sh-session 84 | # Download the binary, make it executable, and move it to your PATH 85 | curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.9.0/kind-linux-amd64 86 | chmod +x ./kind 87 | sudo mv ./kind /usr/local/bin 88 | ``` 89 | 90 | ##### Install `kind` on MacOS 91 | 92 | ```sh-session 93 | brew install kind 94 | ``` 95 |
96 | 97 | - [`helm`](https://helm.sh/docs/intro/install/) client version 3 or newer. 98 | 99 |
100 | Click to expand installation examples. 101 | 102 | ##### Installing `helm` on Linux: 103 | 104 | ```sh-session 105 | # Download the release tar file, unpack it, and copy the client to your PATH 106 | mkdir -p ~/temp/helm-v3.3.1 107 | cd ~/temp/helm-v3.3.1 108 | helm_tar_file=helm-v3.3.1-linux-amd64.tar.gz 109 | curl https://get.helm.sh/"$helm_tar_file" --output "$helm_tar_file" 110 | tar -zxvf "$helm_tar_file" 111 | sudo mv linux-amd64/helm /usr/local/bin 112 | ``` 113 | 114 | ##### Installing `helm` on MacOS: 115 | 116 | ```sh-session 117 | brew install helm 118 | ``` 119 |
120 | 121 | ## Let's Run the Demo! 122 | 123 | 1. Clone the 124 | [Conjur Open Source Helm Chart](https://github.com/cyberark/conjur-oss-helm-chart) 125 | GitHub repository, if you haven't done so already. 126 | 127 |
128 | Click to expand cloning commands. 129 | 130 | ```sh-session 131 | mkdir -p ~/cyberark 132 | cd ~/cyberark 133 | git clone https://github.com/cyberark/conjur-oss-helm-chart 134 | cd conjur-oss-helm-chart 135 | ``` 136 |
137 | 138 | 1. Run the demo scripts! 139 | 140 | ```sh-session 141 | cd examples/kubernetes-in-docker 142 | ./start 143 | ``` 144 | 145 | That's all there is to it! 146 | 147 | The scripts will create a KinD cluster, install Conjur Open Source, load 148 | Conjur security policy, and deploy several instances of the `Pet Store` 149 | applications that use Conjur Kubernetes authentication. 150 | 151 | If everything is successful, you should see the following message: 152 | 153 | ```sh-session 154 | ++++++++++++++++++++++++++++++++++++++++++++++++++++ 155 | 156 | Deployment of Conjur and demo applications is complete! 157 | 158 | ++++++++++++++++++++++++++++++++++++++++++++++++++++ 159 | ``` 160 | 161 | ## Behind the Scenes: So What Did this Demo Just Do? 162 | 163 | If you followed the steps in the previous section, you should now have: 164 | 165 | - A local [Kubernetes-in-Docker (KinD)](https://github.com/kubernetes-sigs/kind) 166 | cluster that is running: 167 | - A [Conjur Open Source](https://docs.conjur.org/) server, with a peristent 168 | Postgresql backend database, that has the 169 | [Conjur Kubernetes Authenticator](https://docs.conjur.org/Latest/en/Content/Operations/Services/k8s_auth.htm) 170 | enabled 171 | - Several instances of the 172 | [Pet Store](https://github.com/conjurdemos/pet-store-demo/) application 173 | that are using the following Conjur broker/clients to authenticate with 174 | Conjur and to access application-specific secrets from Conjur: 175 | - [Secretless Broker](https://github.com/cyberark/secretless-broker) sidecar 176 | container to manage the application's database connection 177 | - [Conjur Kubernetes Authenticator Client](https://github.com/cyberark/conjur-authn-k8s-client) 178 | sidecar container to provide the Conjur access token, and 179 | [Summon](https://github.com/cyberark/summon) to inject the application's 180 | database credentials into the application environment 181 | - [Conjur Kubernetes Authenticator 
Client](https://github.com/cyberark/conjur-authn-k8s-client) 182 | init container to provide the Conjur access token, and 183 | [Summon](https://github.com/cyberark/summon) to inject the application's 184 | database credentials into the application environment 185 | 186 | Before we explore this setup further, it would help to discuss the 187 | [Conjur Kubernetes Authenticator](https://docs.conjur.org/Latest/en/Content/Operations/Services/k8s_auth.htm) 188 | (`authn-k8s`) and 189 | [Conjur application identity](https://docs.conjur.org/Latest/en/Content/Integrations/Kubernetes_AppIdentity.htm?TocPath=Integrations%7COpenShift%252C%20Kubernetes%252C%20and%20GKE%7C_____2). 190 | 191 | ### Background: The Conjur Kubernetes Authenticator and Conjur Application Identity 192 | 193 | The Conjur authentication broker/clients listed above are essentially 194 | authentication proxies for the application. These broker/clients communicate 195 | with the 196 | [Conjur Kubernetes Authenticator](https://docs.conjur.org/Latest/en/Content/Operations/Services/k8s_auth.htm) 197 | (a.k.a. `authn-k8s`) plugin running on the Conjur server to authenticate a 198 | Kubernetes application. 199 | 200 | The `authn-k8s` plugin makes use of several forms of 201 | [Conjur application identity](https://docs.conjur.org/Latest/en/Content/Integrations/Kubernetes_AppIdentity.htm?TocPath=Integrations%7COpenShift%252C%20Kubernetes%252C%20and%20GKE%7C_____2) 202 | to positively identify the application. 
In the case of Kubernetes Conjur demo 203 | scripts, the application identity that is used are the following 204 | attributes of each application instance: 205 | - Kubernetes Namespace name 206 | - Kubernetes ServiceAccount name 207 | - Kubernetes Deployment name 208 | - Kubernetes Authenticator (sidecar or init) container name 209 | 210 | If all of the above resource names match what has been specified in Conjur 211 | policy (which is typically loaded into Conjur by a security administrator), 212 | then the application is permitted to access secrets as dictated by that policy. 213 | 214 | ### Demo Script Workflow 215 | 216 | Let's now take a high-level look at the workflow that the demo scripts 217 | followed in creating your demo environment. The workflow can be categorized 218 | into four phases: 219 | 220 | - Platform Admin Tasks: 221 | - Create a local, containerized, Kubernetes cluster using 222 | [KinD](https://github.com/kubernetes-sigs/kind) Kubernetes cluster 223 | - Helm install Conjur Open Source 224 | - Security Admin Tasks: 225 | - Enable the 226 | [Conjur Kubernetes Authenticator](https://docs.conjur.org/Latest/en/Content/Operations/Services/k8s_auth.htm) 227 | (`authn-k8s`) 228 | - Load Conjur authentication and application-specific security policies 229 | - Application Deployment: 230 | - Deploy instances of a simple "Pet Store" application using 231 | each of the following Conjur authentication broker/clients: 232 | - [Secretless Broker](https://github.com/cyberark/secretless-broker) sidecar container 233 | - [Conjur Kubernetes Authenticator Client](https://github.com/cyberark/conjur-authn-k8s-client) 234 | sidecar container 235 | - [Conjur Kubernetes Authenticator Client](https://github.com/cyberark/conjur-authn-k8s-client) 236 | init container 237 | - Application Verification: 238 | - Poll each application's Kubernetes service, wait for a response. 239 | (A response indicates Kubernetes authentication was successful.) 
240 | - Add a "pet" entry for each application 241 | - Read back "pet" entries for each application 242 | 243 | ### Exploring The Local KinD Cluster 244 | 245 | The demo scripts use 246 | [Kubernetes-in-Docker (KinD)](https://github.com/kubernetes-sigs/kind) 247 | for creating a local, containerized, Kubernetes cluster on your local host 248 | machine. With KinD, Kubernetes nodes are created as local Docker containers. 249 | KinD supports multiple-node clusters, and can be run on Linux, 250 | macOS, or Windows hosts (_NOTE: These demo scripts are not supported on 251 | Windows environments._) 252 | 253 | To view existing KinD clusters that are running on your host, run: 254 | 255 | ```sh-session 256 | $ kind get clusters 257 | kind 258 | $ 259 | ``` 260 | 261 | To view Kubernetes namespaces that have been created on the `kind` cluster: 262 | 263 | ```sh-session 264 | $ kubectl get ns 265 | NAME STATUS AGE 266 | app-test Active 24m 267 | conjur-oss Active 24m 268 | default Active 24m 269 | kube-node-lease Active 24m 270 | kube-public Active 24m 271 | kube-system Active 24m 272 | local-path-storage Active 24m 273 | $ 274 | ``` 275 | 276 | ### Exploring the `conjur-oss` Namespace 277 | 278 | This demonstration makes use of the 279 | [Conjur Open Source Helm Chart](https://github.com/cyberark/conjur-oss-helm-chart/tree/master/conjur-oss) 280 | to install a Conjur cluster on the local KinD cluster. 
281 | 282 | #### Conjur Open Source Pods 283 | 284 | To view the Conjur Open Source cluster pods that are created by the Helm chart, run: 285 | 286 | ```sh-session 287 | $ kubectl get pods -n conjur-oss -l release=conjur-oss 288 | NAME READY STATUS RESTARTS AGE 289 | conjur-oss-5cb86bf558-vrr4r 2/2 Running 0 26m 290 | conjur-oss-postgres-0 1/1 Running 0 26m 291 | $ 292 | ``` 293 | 294 | The Helm install of Conjur Open Source creates a Conjur Open Source master pod and 295 | a Postgresql pod to serve as a backend database to persistently store 296 | Conjur Open Source policies and secrets. 297 | 298 | The Conjur Open Source master pod contains two containers: 299 | 300 | ```sh-session 301 | $ kubectl get pod -n conjur-oss -l app=conjur-oss -o jsonpath='{.items[*].spec.containers[*].name}' 302 | conjur-oss-nginx conjur-oss 303 | $ 304 | ``` 305 | 306 | The `conjur-oss` container provides the Conjur Open Source server functionality, 307 | and the `conjur-oss-nginx` container terminates TLS for secure access to 308 | the Conjur Open Source service. 309 | 310 | #### Kubernetes Authentication ClusterRole 311 | 312 | The Conjur Open Source Helm Chart includes the deployment of a 313 | [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) 314 | resource. A Kubernetes `ClusterRole` contains rules that 315 | enumerate a set of permissions to access various Kubernetes resources. 316 | 317 | In this case, the Conjur Open Source authentication `ClusterRole` is used to enumerate 318 | permissions that may be granted to the Conjur Kubernetes Authenticator 319 | *on a per-namespace basis* to allow the authenticator to authenticate 320 | applications based upon 321 | [Conjur application identity](https://docs.conjur.org/Latest/en/Content/Integrations/Kubernetes_AppIdentity.htm?TocPath=Integrations%7COpenShift%252C%20Kubernetes%252C%20and%20GKE%7C_____2). 
322 | 323 | Note that the permissions that are included in this `ClusterRole` 324 | do not take effect until the `ClusterRole` is bound to the Conjur Open Source 325 | service account via a namespace-scoped `RoleBinding`, as described in the 326 | [Demo Application RoleBinding](#demo-application-rolebinding) section below. 327 | 328 | To view the Conjur Open Source authentication ClusterRole, run: 329 | 330 | ```sh-session 331 | kubectl get clusterrole -n conjur-oss -l release=conjur-oss -o yaml 332 | ``` 333 | 334 |
335 | Click to view sample output. 336 | 337 | ``` 338 | kubectl get clusterrole -n conjur-oss -l release=conjur-oss -o yaml 339 | apiVersion: v1 340 | items: 341 | - apiVersion: rbac.authorization.k8s.io/v1 342 | kind: ClusterRole 343 | metadata: 344 | creationTimestamp: "2020-11-02T14:01:14Z" 345 | labels: 346 | app: conjur-oss 347 | app.kubernetes.io/name: conjur-oss 348 | chart: conjur-oss-2.0.1 349 | heritage: Helm 350 | release: conjur-oss 351 | managedFields: 352 | - apiVersion: rbac.authorization.k8s.io/v1beta1 353 | fieldsType: FieldsV1 354 | fieldsV1: 355 | f:metadata: 356 | f:labels: 357 | .: {} 358 | f:app: {} 359 | f:app.kubernetes.io/name: {} 360 | f:chart: {} 361 | f:heritage: {} 362 | f:release: {} 363 | f:rules: {} 364 | manager: Go-http-client 365 | operation: Update 366 | time: "2020-11-02T14:01:14Z" 367 | name: conjur-oss-conjur-authenticator 368 | resourceVersion: "103227" 369 | selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/conjur-oss-conjur-authenticator 370 | uid: a319546d-784d-47fc-b5c1-5652e60c91d1 371 | rules: 372 | - apiGroups: 373 | - "" 374 | resources: 375 | - pods 376 | - serviceaccounts 377 | verbs: 378 | - get 379 | - list 380 | - apiGroups: 381 | - extensions 382 | resources: 383 | - deployments 384 | - replicasets 385 | verbs: 386 | - get 387 | - list 388 | - apiGroups: 389 | - apps 390 | resources: 391 | - deployments 392 | - statefulsets 393 | - replicasets 394 | verbs: 395 | - get 396 | - list 397 | - apiGroups: 398 | - "" 399 | resources: 400 | - pods/exec 401 | verbs: 402 | - create 403 | - get 404 | kind: List 405 | metadata: 406 | resourceVersion: "" 407 | selfLink: "" 408 | ``` 409 |
410 | 411 | #### Viewing Enabled Conjur Authenticator Plugins 412 | 413 | Conjur Open Source supports several industry-standard 414 | [authentication types](https://docs.conjur.org/Latest/en/Content/Operations/Services/authentication-types.htm#SupportedAuthenticators). 415 | Conjur can be configured to use on or a combination of authenticator types. 416 | 417 | In addition to the default Conjur authenticator, these demo scripts enable 418 | the Conjur 419 | [Kubernetes Authenticator (`authn-k8s`)](https://docs.conjur.org/Latest/en/Content/Operations/Services/k8s_auth.htm?tocpath=Integrations%7C_____9#KubernetesAuthenticator) that authenticates 420 | applications based upon 421 | [Conjur Application Identity](https://docs.conjur.org/Latest/en/Content/Integrations/Kubernetes_AppIdentity.htm?TocPath=Integrations%7COpenShift%252C%20Kubernetes%252C%20and%20GKE%7C_____2). 422 | 423 | To view the authenticators that are enabled for Conjur Open Source, run: 424 | 425 | ```sh-session 426 | $ authn_secret=$(kubectl get secret -n conjur-oss | grep authenticators | awk '{print $1}') 427 | $ kubectl get secret -n conjur-oss "$authn_secret" --template={{.data.key}} | base64 -d && echo 428 | authn,authn-k8s/my-authenticator-id 429 | $ 430 | ``` 431 | 432 | In this case, there are two authenticators enabled: 433 | - `authn`: The default Conjur authenticator 434 | - `authn-k8s/my-authenticator-id`: The Kubernetes authenticator is enabled 435 | for an authenticator ID of `my-authenticator-id`. 436 | 437 | #### Conjur CLI Pod 438 | 439 | For convenience, the demo scripts create a `conjur-cli` deployment in the 440 | `conjur-oss` namespace. 
This makes it easy to run 441 | [Conjur CLI](https://docs.conjur.org/latest/en/Content/Tools/CLI_Help.htm) 442 | commands to configure the Conjur cluster: 443 | 444 | ```sh-session 445 | $ kubectl get pods -n conjur-oss -l app=conjur-cli 446 | NAME READY STATUS RESTARTS AGE 447 | conjur-cli-6d895db49d-qs4pb 1/1 Running 0 59s 448 | $ 449 | ``` 450 | 451 | To run 452 | [Conjur CLI](https://docs.conjur.org/latest/en/Content/Tools/CLI_Help.htm) 453 | commands, first initialize the Conjur CLI pod's connection with 454 | Conjur as follows: 455 | 456 | ``` 457 | # Retrieve the Conjur admin API key (the "admin password" used by `conjur login` below) 458 | CONJUR_POD="$(kubectl get pods -n conjur-oss -l app=conjur-oss \ 459 | -o jsonpath='{.items[0].metadata.name}')" 460 | CONJUR_ACCOUNT="$(kubectl exec -n conjur-oss $CONJUR_POD -c conjur-oss \ 461 | -- printenv \ 462 | | grep CONJUR_ACCOUNT \ 463 | | sed 's/.*=//')" 464 | ADMIN_PASSWORD="$(kubectl exec -n conjur-oss $CONJUR_POD -c conjur-oss \ 465 | -- conjurctl role retrieve-key $CONJUR_ACCOUNT:user:admin | tail -1)" 466 | 467 | # Initialize the Conjur CLI pod's connection to Conjur. `--self-signed` (with its prompts answered by `yes yes`) makes the CLI trust the demo server's self-signed certificate; do not use this pattern against a production Conjur. 468 | export CLI_POD="$(kubectl get pods -n conjur-oss -l app=conjur-cli \ 469 | -o jsonpath='{.items[0].metadata.name}')" 470 | CONJUR_URL="https://conjur-oss.conjur-oss.svc.cluster.local" 471 | kubectl exec -n conjur-oss $CLI_POD \ 472 | -- bash -c "yes yes | conjur init -a $CONJUR_ACCOUNT -u $CONJUR_URL --self-signed" # NOTE(security): passing `-p $ADMIN_PASSWORD` on the command line exposes the admin API key in your shell history and in the CLI pod's process list; treat it as a secret. 473 | kubectl exec -n conjur-oss $CLI_POD -- conjur login \ 474 | -i admin -p $ADMIN_PASSWORD 475 | ``` 476 | 477 | And then create a `conjur` alias if your shell supports aliases: 478 | 479 | ``` 480 | # Create a 'conjur' command alias 481 | alias conjur="kubectl exec -n conjur-oss $CLI_POD -- conjur" 482 | ``` 483 | 484 | Or export a `CONJUR_CMD` environment variable if your shell does not 485 | support aliases: 486 | 487 | ``` 488 | # Create a CONJUR_CMD variable holding the 'conjur' command 489 | export CONJUR_CMD="kubectl exec -n conjur-oss $CLI_POD -- conjur" 490 | ``` 491 | 492 | After that initial 
setup, Conjur commands can be executed using the `conjur` 493 | command alias, if you've created one: 494 | 495 | ```sh-session 496 | $ conjur list -k variable | grep alice 497 | "myConjurAccount:user:alice", 498 | $ 499 | ``` 500 | 501 | Or by using the `CONJUR_CMD` environment variable: 502 | 503 | ```sh-session 504 | $ $CONJUR_CMD list -k variable | grep alice 505 | "myConjurAccount:user:alice", 506 | $ 507 | ``` 508 | 509 | ### Viewing Rendered Conjur-OSS Security Policy 510 | 511 | The demo scripts render several YAML manifest files that define 512 | application-specific Conjur security policy. These YAML manifest files 513 | are loaded into the Conjur Open Source server to configure which applications 514 | are permitted to access secrets from Conjur. 515 | 516 | **After the demo scripts have been run**, it is possible to view the 517 | rendered Conjur security manifest files. These files can be viewed 518 | in the `temp/kubernetes-conjur-demo/policy/generated` subdirectory: 519 | 520 | - app-test.app-identity.yml 521 | - app-test.cluster-authn-svc.yml 522 | - app-test.project-authn.yml 523 | 524 | *_NOTE: These rendered Conjur policy manifests can be found only after 525 | running the demo scripts._* 526 | 527 | For example, let's look at the entry in `app-test.project-authn.yml` 528 | that defines the Conjur application identity for the `test-app-secretless` 529 | application that is deployed by the demo scripts: 530 | 531 | ``` 532 | - !host 533 | id: test-app-secretless 534 | annotations: 535 | authn-k8s/namespace: app-test 536 | authn-k8s/service-account: test-app-secretless 537 | authn-k8s/deployment: test-app-secretless 538 | authn-k8s/authentication-container-name: secretless 539 | kubernetes: "true" 540 | ``` 541 | 542 | In this host definition, the annotations specify that in order for the 543 | Secretless Broker to successfully authenticate the `test-app-secretless` 544 | deployment, all of the following need to be true: 545 | 546 | - Application 
is running in the `app-test` namespace 547 | - Application is using the `test-app-secretless` ServiceAccount 548 | - Application's deployment name is `test-app-secretless` 549 | - Application pod contains a container named `secretless` 550 | 551 | ### Exploring the Demo Application `app-test` Namespace 552 | 553 | #### Demo Application Pods 554 | 555 | You can view the demo application pods that are created by the demo script 556 | by running: 557 | 558 | ``` 559 | kubectl get pods -n app-test 560 | ``` 561 | 562 |
563 | Click to expand sample output. 564 | 565 | ``` 566 | $ kubectl get pods -n app-test 567 | NAME READY STATUS RESTARTS AGE 568 | secretless-pg-0 1/1 Running 0 14h 569 | summon-init-pg-0 1/1 Running 0 14h 570 | summon-sidecar-pg-0 1/1 Running 0 14h 571 | test-app-secretless-989486bc7-dfm9z 2/2 Running 1 14h 572 | test-app-summon-init-7f9c8f4598-6djn5 1/1 Running 0 14h 573 | test-app-summon-sidecar-5dc96cd94c-pdflp 2/2 Running 0 14h 574 | test-app-with-host-outside-apps-branch-summon-init-74987c45jrp6 1/1 Running 0 14h 575 | test-curl 576 | $ 577 | ``` 578 |
579 | 580 | The pods displayed will include: 581 | - Test application pods 582 | - Test application database pods 583 | - A `test-curl` pod used to access applications from within the KinD cluster 584 | 585 | #### Demo Application RoleBinding 586 | 587 | The demo scripts create a namespace-scoped Kubernetes 588 | [RoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) 589 | named `test-app-conjur-authenticator-role-binding-conjur-oss` in the 590 | `app-test` namespace. This RoleBinding is used to grant access permissions 591 | that were defined in the `conjur-oss-conjur-authenticator` ClusterRole 592 | (see the 593 | [Kubernetes Authentication ClusterRole](#kubernetes-authentication-clusterrole) 594 | section above). 595 | 596 | RoleBindings are namespace-scoped; that is, the access permissions that are 597 | granted apply only to resources that are in the namespace in which the 598 | RoleBinding exists (in this case, the `app-test` namespace). _NOTE: The bound ClusterRole includes `create` on `pods/exec` (see its sample output above), so the `conjur-oss` ServiceAccount can exec into any pod in each namespace where such a RoleBinding exists. Create this RoleBinding only in namespaces that host applications authenticating through `authn-k8s`._ 599 | 600 | To view the demo application RoleBinding, use: 601 | 602 | ``` 603 | kubectl get rolebinding -n app-test -o yaml 604 | ``` 605 | 606 | 
607 | Click to expand sample output. 608 | 609 | ```sh-session 610 | $ kubectl get rolebinding -n app-test -o yaml 611 | apiVersion: v1 612 | items: 613 | - apiVersion: rbac.authorization.k8s.io/v1 614 | kind: RoleBinding 615 | metadata: 616 | creationTimestamp: "2020-11-02T19:34:58Z" 617 | managedFields: 618 | - apiVersion: rbac.authorization.k8s.io/v1 619 | fieldsType: FieldsV1 620 | fieldsV1: 621 | f:roleRef: 622 | f:apiGroup: {} 623 | f:kind: {} 624 | f:name: {} 625 | f:subjects: {} 626 | manager: kubectl 627 | operation: Update 628 | time: "2020-11-02T19:34:58Z" 629 | name: test-app-conjur-authenticator-role-binding-conjur-oss 630 | namespace: app-test 631 | resourceVersion: "1479" 632 | selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/app-test/rolebindings/test-app-conjur-authenticator-role-binding-conjur-oss 633 | uid: 7b056eb2-876c-4486-b784-3a847506bf62 634 | roleRef: 635 | apiGroup: rbac.authorization.k8s.io 636 | kind: ClusterRole 637 | name: conjur-oss-conjur-authenticator 638 | subjects: 639 | - kind: ServiceAccount 640 | name: conjur-oss 641 | namespace: conjur-oss 642 | kind: List 643 | metadata: 644 | resourceVersion: "" 645 | selfLink: "" 646 | ``` 647 |
648 | 649 | ## Customizable Demo Settings 650 | 651 | The demo scripts provide customizable environment variable settings 652 | to allow the scripts to be run in different situations. The customizable 653 | settings can be viewed in the `customize.env` file (where they will appear 654 | commented out). The default values of these customizable settings will 655 | work as-is in most cases, but there may be special situations that require 656 | modifications to these settings. 657 | 658 | ### How to Modify Customizable Demo Settings 659 | 660 | There are two ways to modify the customizable demo settings: 661 | 662 | 1. Modify settings directly in the `customize.env` file and run the 663 | `start` script without arguments as shown earlier, i.e.: 664 | 665 | ``` 666 | ./start 667 | ``` 668 | 669 | 2. Create a copy of `customize.env` file and make modifications to the new 670 | file. Then when starting the demo with the `start` script, use the 671 | `-c` argument to have it use your customized settings file, e.g.: 672 | 673 | ``` 674 | ./start -c my_customize.env 675 | ``` 676 | 677 | ### Example: Configuring a Docker Registry 678 | 679 | By default, the Kubernetes Conjur Demo scripts will create a local, insecure 680 | Docker registry to which the scripts can build and push demo images. When 681 | pods are created in the KinD cluster, then Kubernetes will pull images 682 | from that local, insecure registry. 683 | 684 | If you would prefer to use a public Docker registry (e.g. 
DockerHub), 685 | you can uncomment and modify the following lines in `customize.env`: 686 | 687 | ``` 688 | #export USE_DOCKER_LOCAL_REGISTRY=true 689 | #export DOCKER_REGISTRY_URL="docker.io" 690 | #export DOCKER_REGISTRY_PATH="" 691 | #export DOCKER_USERNAME="" 692 | #export DOCKER_PASSWORD="" 693 | #export DOCKER_EMAIL="" 694 | ``` 695 | 696 | For example, if you are using a personal DockerHub account, the environment 697 | settings might look something like this: 698 | 699 | ``` 700 | export USE_DOCKER_LOCAL_REGISTRY=false 701 | export DOCKER_REGISTRY_URL="docker.io" 702 | export DOCKER_REGISTRY_PATH="firstnamelastname" 703 | export DOCKER_USERNAME="firstnamelastname" 704 | export DOCKER_PASSWORD="GreatGooglyMoogly" 705 | export DOCKER_EMAIL="firstname.lastname@example.com" 706 | ``` 707 | _NOTE: `DOCKER_PASSWORD` is a credential. Where your registry supports it, use a scoped access token rather than your account password, and keep any customized settings file that contains it out of version control. The local registry created by default is, as noted above, insecure and intended only for this demo._ 708 | ## Enabling Conjur Debug Logging 709 | 710 | If for some reason the scripts fail to deploy applications, or fail to 711 | successfully retrieve Conjur secrets, it may help to enable debug logs 712 | in the Conjur server, and then use `kubectl logs ...` to display 713 | Conjur logs in order to troubleshoot the problem. 
714 | 715 | To enable Conjur debug logging, use Helm upgrade as follows: 716 | 717 | ```sh-session 718 | CONJUR_NAMESPACE=conjur-oss 719 | HELM_RELEASE=conjur-oss 720 | helm upgrade \ 721 | -n "$CONJUR_NAMESPACE" \ 722 | --reuse-values \ 723 | --set logLevel=debug \ 724 | "$HELM_RELEASE" \ 725 | ./conjur-oss 726 | ``` 727 | 728 | The Conjur server's logs can then be displayed as follows (debug logging is considerably more verbose, so switch the log level back once you are done troubleshooting): 729 | 730 | ```sh-session 731 | conjur_container="conjur-oss" 732 | pod_name=$(kubectl get pods \ 733 | -n "$CONJUR_NAMESPACE" \ 734 | -l "app=conjur-oss,release=$HELM_RELEASE" \ 735 | -o jsonpath="{.items[0].metadata.name}") 736 | kubectl logs -n "$CONJUR_NAMESPACE" "$pod_name" "$conjur_container" 737 | ``` 738 | 739 | ## Cleaning Up 740 | 741 | When you are done with the Kubernetes Conjur Demo, you can clean up 742 | the demo setup as described in the following sections. 743 | 744 | **_NOTE: If you are cleaning up all resources associated with the demo, 745 | you can skip down to 746 | [Deleting the KinD Cluster](#deleting-the-kind-cluster)._** 747 | 748 | ### Deleting the Kubernetes Conjur Demo Applications 749 | 750 | The Kubernetes Conjur Demo application deployments and their related 751 | Kubernetes resources can be cleaned up by deleting the `app-test` namespace: 752 | 753 | ```sh-session 754 | kubectl delete ns app-test 755 | ``` 756 | 757 | ### Uninstalling Conjur Open Source via Helm Delete 758 | 759 | To remove the Conjur Open Source deployment from your KinD cluster, run the following: 760 | 761 | ```sh-session 762 | CONJUR_NAMESPACE=conjur-oss 763 | HELM_RELEASE=conjur-oss 764 | helm delete -n "$CONJUR_NAMESPACE" "$HELM_RELEASE" 765 | ``` 766 | 767 | ### Deleting the KinD Cluster 768 | 769 | **_NOTE: If you are deleting the KinD cluster, there is no need to perform 770 | the cleanup steps from the previous two sections._** 771 | 772 | To delete the KinD cluster from your local host, run the following: 773 | 774 | ```sh-session 775 | kind delete cluster 776 | ``` 777 | 
-------------------------------------------------------------------------------- /examples/common/customize.env: -------------------------------------------------------------------------------- 1 | # Demo Customization 2 | 3 | # Uncomment and modify the settings below, and source the resulting file 4 | # to customize the demo scripts that are in this directory. 5 | # 6 | # NOTE: The DOCKER settings below are required, unless USE_DOCKER_LOCAL_REGISTRY 7 | # is set to "true" 8 | 9 | # You can choose to have the scripts create a local, insecure Docker registry 10 | # for pushing/pulling pod images by exporting the following: 11 | # export USE_DOCKER_LOCAL_REGISTRY=true 12 | # Or you can use a public Docker registry (e.g. DockerHub) by exporting 13 | # your Docker credentials (keep any copy of this file that holds real credentials out of version control), which might look something like this: 14 | # export USE_DOCKER_LOCAL_REGISTRY="false" 15 | # export DOCKER_REGISTRY_URL="docker.io" 16 | # export DOCKER_REGISTRY_PATH="firstnamelastname" 17 | # export DOCKER_USERNAME="firstnamelastname" 18 | # export DOCKER_PASSWORD="GreatGooglyMoogly" 19 | # export DOCKER_EMAIL="firstname.lastname@example.com" 20 | #export USE_DOCKER_LOCAL_REGISTRY="true" 21 | #export DOCKER_REGISTRY_URL="docker.io" 22 | #export DOCKER_REGISTRY_PATH="" 23 | #export DOCKER_USERNAME="" 24 | #export DOCKER_PASSWORD="" 25 | #export DOCKER_EMAIL="" 26 | 27 | # Uncomment and modify any of the environment variable settings that follow 28 | # in order to customize this demo. 
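# KinD options
#export CREATE_KIND_CLUSTER=""
#export KIND_CLUSTER_NAME=""

# Helm install options
#export HELM_INSTALL_CONJUR=""
#export HELM_RELEASE=""
#export CONJUR_NAMESPACE=""
#export CONJUR_ACCOUNT=""
#export CONJUR_LOG_LEVEL="debug"

# Basic demo config
#export TEST_APP_DATABASE=""
#export TEST_APP_NAMESPACE_NAME=""

# Configuration for Conjur authentication
#export ANNOTATION_BASED_AUTHN=""
#export AUTHN_STRATEGY=""
#export AUTHENTICATOR_ID=""
--------------------------------------------------------------------------------
/examples/common/start:
--------------------------------------------------------------------------------
#!/bin/bash

# Entry point for the Conjur Kubernetes demo. Sources a customization file
# (-c) and a platform defaults file (-p), then runs the numbered step
# scripts in this directory in order.

set -euo pipefail

# Minimum KinD version the demo expects. Not exported here; presumably
# consumed by a sibling script — verify before relying on it.
minimum_kind_version=0.7.0

. utils.sh

# Print the usage text and exit. Always exits with status 0.
print_usage() {
  echo "Start Conjur Kubernetes demo on Kubernetes-in-Docker (KinD)."
  echo "This includes:"
  echo " - Create a KinD cluster on your local machine."
  echo " - Helm install Conjur OSS on the KinD cluster."
  echo " - Load application-specific Conjur security policies."
  # The inner quotes must be escaped; unescaped they end the string and
  # split the line into two words.
  echo " - Deploy instances of a \"Pet Store\" application using the"
  echo " following Conjur authentication broker/clients:"
  echo " - Secretless Broker"
  echo " - Conjur Kubernetes Authen Client sidecar container"
  echo " - Conjur Kubernetes Authen Client init container"
  echo
  echo "Syntax:"
  echo "$0 [arguments]"
  echo
  echo "Options:"
  echo "-h Show help"
  echo "-c Customization file to use containing"
  echo " environment settings. (Typically a"
  echo " modified copy of 'customize.env'.)"
  echo "-p Platform defaults file to source after the"
  echo " customization file. (Set by the per-platform"
  echo " 'start' wrappers; rarely needed directly.)"
  exit 0
}

# Default values for 'start'
customize_file="customize.env"
env_file="../kubernetes-in-docker/0_export_env_vars.sh"

while getopts 'c:hp:' flag; do
  case "${flag}" in
    c) customize_file="${OPTARG}" ;;
    h) print_usage ;;
    p) env_file="${OPTARG}" ;;
    *) print_usage ;;
  esac
done

# Source customized environment settings. Sourcing executes the file as
# shell code, so -c should only point at a file you control.
announce "Sourcing customized environment in $customize_file"
. "$customize_file"

announce "Setting demo environment variable defaults"

. "$env_file"

# Quote the flag values: an empty value would otherwise collapse the test
# to '[ = "true" ]', which prints a "unary operator expected" error instead
# of simply evaluating to false.
if [ "$CREATE_KIND_CLUSTER" = "true" ]; then
  announce "Creating a Kubernetes-in-Docker cluster if necessary"
  ./1_create_kind_cluster.sh
fi

if [ "$HELM_INSTALL_CONJUR" = "true" ]; then
  announce "Helm installing/upgrading Conjur OSS cluster"
  ./2_helm_install_or_upgrade_conjur.sh

  # Wait for Conjur pods to become ready (just in case there are old
  # Conjur pods getting terminated as part of Helm upgrade)
  announce "Waiting for Conjur to become ready"
  wait_for_conjur_ready
fi

# Exported so the remaining step scripts inherit it.
announce "Retrieving the Conjur admin password"
export CONJUR_ADMIN_PASSWORD="$(./3_retrieve_admin_password.sh)"

announce "Enabling the Conjur Kubernetes authenticator if necessary"
./4_ensure_authn_k8s_enabled.sh

announce "Deploying Conjur demo applications"
./5_deploy_demo_apps.sh
--------------------------------------------------------------------------------
/examples/common/utils.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Exit with status 1 unless the variable named by $1 is set. Note that a
# variable that is set to the empty string still passes this check.
check_env_var() {
  if [[ -z "${!1+x}" ]]; then
    echo "$1 must be exported before running these scripts."
    exit 1
  fi
}

# Print the arguments as a banner between two rules.
announce() {
  echo "++++++++++++++++++++++++++++++++++++++++++++++++++++"
  echo ""
  echo "$@"
  echo ""
  echo "++++++++++++++++++++++++++++++++++++++++++++++++++++"
}

# Label selector for the Conjur server pod of release $HELM_RELEASE.
conjur_master_labels() {
  echo "app=conjur-oss,release=$HELM_RELEASE"
}

# Label selector for the Postgres pod of release $HELM_RELEASE.
conjur_postgres_labels() {
  echo "app=conjur-oss-postgres,release=$HELM_RELEASE"
}

# Print the name of the first pod matching conjur_master_labels in
# $CONJUR_NAMESPACE. Uses a local so the caller's variables are untouched.
get_master_pod_name() {
  local pod_name
  pod_name=$(kubectl get pods \
    -n "$CONJUR_NAMESPACE" \
    -l "$(conjur_master_labels)" \
    -o jsonpath="{.items[0].metadata.name}")
  echo "$pod_name"
}

# Succeed iff namespace $1 exists; kubectl's status is the result.
has_namespace() {
  kubectl get namespace "$1" &>/dev/null
}

# Poll a command until it succeeds.
#   $1  timeout in seconds, or -1 to wait forever
#   $@  (after the shift) the command, which is passed to 'eval' and so is
#       executed as shell code — callers must pass only trusted commands
# Returns 0 on success, otherwise the command's last exit status.
wait_for_it() {
  local timeout=$1
  local spacer=2
  shift

  if ! [ "$timeout" = '-1' ]; then
    local times_to_run=$((timeout / spacer))

    echo "Waiting for '$*' up to $timeout s"
    for i in $(seq "$times_to_run"); do
      eval "$@" > /dev/null && echo 'Success!' && return 0
      echo -n .
      sleep "$spacer"
    done

    # Last run evaluated. If this fails we return an error exit code to caller
    eval "$@"
  else
    echo "Waiting for '$*' forever"

    while ! eval "$@" > /dev/null; do
      echo -n .
      sleep "$spacer"
    done
    echo 'Success!'
  fi
}

# Block until the Conjur and Postgres pods report Ready (300 s each).
wait_for_conjur_ready() {
  echo "Waiting for Conjur pod to be ready"
  kubectl wait --for=condition=ready pod \
    -n "$CONJUR_NAMESPACE" \
    -l "$(conjur_master_labels)" \
    --timeout 300s
  echo "Waiting for Postgres pod to be ready"
  kubectl wait --for=condition=ready pod \
    -n "$CONJUR_NAMESPACE" \
    -l "$(conjur_postgres_labels)" \
    --timeout 300s
}

# Print whichever of the two version strings sorts lower under 'sort -V'.
oldest_version() {
  local v1=$1
  local v2=$2

  printf '%s\n' "$v1" "$v2" | sort -V | head -n1
}

# Succeed iff $1 (actual version) is at least $2 (minimum version).
meets_min_version() {
  local actual_version=$1
  local min_version=$2
  local oldest

  oldest="$(oldest_version "$actual_version" "$min_version")"
  [ "$oldest" = "$min_version" ]
}
--------------------------------------------------------------------------------
/examples/kubernetes-in-docker/0_export_env_vars.sh:
--------------------------------------------------------------------------------
# KinD install options
export CREATE_KIND_CLUSTER="${CREATE_KIND_CLUSTER:-true}"
export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-kind}"

# Helm install options
export HELM_INSTALL_CONJUR="${HELM_INSTALL_CONJUR:-true}"
export HELM_RELEASE="${HELM_RELEASE:-conjur-oss}"
# The Conjur namespace name might be set with CONJUR_NAMESPACE_NAME in other
# projects so look for both. Use CONJUR_NAMESPACE_NAME if both are set.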
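export CONJUR_NAMESPACE="${CONJUR_NAMESPACE:-conjur-oss}"
export CONJUR_NAMESPACE="${CONJUR_NAMESPACE_NAME:-$CONJUR_NAMESPACE}"
export CONJUR_ACCOUNT="${CONJUR_ACCOUNT:-myConjurAccount}"
export CONJUR_LOG_LEVEL="${CONJUR_LOG_LEVEL:-info}"

# Basic demo config
export TEST_APP_DATABASE="${TEST_APP_DATABASE:-postgres}"
export TEST_APP_NAMESPACE_NAME="${TEST_APP_NAMESPACE_NAME:-app-test}"

# Configuration for Conjur authentication
export ANNOTATION_BASED_AUTHN="${ANNOTATION_BASED_AUTHN:-true}"
export AUTHN_STRATEGY="${AUTHN_STRATEGY:-authn-k8s}"
export AUTHENTICATOR_ID="${AUTHENTICATOR_ID:-my-authenticator-id}"

# Conjur OSS Helm chart specific setting for demo scripts
export CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}"

# KinD specific setting for demo scripts
export CONJUR_LOADBALANCER_SVCS="${CONJUR_LOADBALANCER_SVCS:-false}"
export TEST_APP_LOADBALANCER_SVCS="${TEST_APP_LOADBALANCER_SVCS:-false}"

# You can choose to have the scripts create a local, insecure Docker registry
# for pushing/pulling pod images by exporting the following:
#   export USE_DOCKER_LOCAL_REGISTRY=true
# Or you can use a public Docker registry (e.g. DockerHub) by exporting
# your Docker credentials.
#
# These can be configured/customized in customize.env
export USE_DOCKER_LOCAL_REGISTRY="${USE_DOCKER_LOCAL_REGISTRY:-true}"
export DOCKER_LOCAL_REGISTRY_NAME="${DOCKER_LOCAL_REGISTRY_NAME:-kind-registry}"
export DOCKER_LOCAL_REGISTRY_PORT="${DOCKER_LOCAL_REGISTRY_PORT:-5000}"
export DOCKER_REGISTRY_URL="${DOCKER_REGISTRY_URL:-localhost:${DOCKER_LOCAL_REGISTRY_PORT}}"
export DOCKER_REGISTRY_PATH="${DOCKER_REGISTRY_PATH:-${DOCKER_REGISTRY_URL}}"
# Compare the variable's value, not the bare name: a literal string can
# never equal "false", which would silently skip the credential checks.
# check_env_var is provided by utils.sh, which the 'start' script sources
# before this file.
if [[ "$USE_DOCKER_LOCAL_REGISTRY" == "false" ]]; then
  check_env_var "DOCKER_USERNAME"
  check_env_var "DOCKER_PASSWORD"
  check_env_var "DOCKER_EMAIL"
fi
--------------------------------------------------------------------------------
/examples/kubernetes-in-docker/start:
--------------------------------------------------------------------------------
#!/bin/bash

set -euo pipefail

export PLATFORM="kubernetes"
# Resolve the common directory relative to this script so the wrapper also
# works when it is invoked from another working directory.
cd "$(dirname "$0")/../common"
./start -p ../kubernetes-in-docker/0_export_env_vars.sh "$@"
--------------------------------------------------------------------------------
/examples/openshift/0_export_env_vars.sh:
--------------------------------------------------------------------------------
# KinD install options
export CREATE_KIND_CLUSTER="${CREATE_KIND_CLUSTER:-false}"
export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-kind}"

# Helm install options
export HELM_INSTALL_CONJUR="${HELM_INSTALL_CONJUR:-true}"
export HELM_RELEASE="${HELM_RELEASE:-conjur-oss}"
# The Conjur namespace name might be set with CONJUR_NAMESPACE_NAME in other
# projects so look for both. Use CONJUR_NAMESPACE_NAME if both are set.
export CONJUR_NAMESPACE="${CONJUR_NAMESPACE:-conjur-oss}"
export CONJUR_NAMESPACE="${CONJUR_NAMESPACE_NAME:-$CONJUR_NAMESPACE}"
export CONJUR_ACCOUNT="${CONJUR_ACCOUNT:-myConjurAccount}"
export CONJUR_LOG_LEVEL="${CONJUR_LOG_LEVEL:-info}"

# Basic demo config
export TEST_APP_DATABASE="${TEST_APP_DATABASE:-postgres}"
export TEST_APP_NAMESPACE_NAME="${TEST_APP_NAMESPACE_NAME:-app-test}"

# Configuration for Conjur authentication
export ANNOTATION_BASED_AUTHN="${ANNOTATION_BASED_AUTHN:-true}"
export AUTHN_STRATEGY="${AUTHN_STRATEGY:-authn-k8s}"
export AUTHENTICATOR_ID="${AUTHENTICATOR_ID:-my-authenticator-id}"

# Conjur OSS Helm chart specific setting for demo scripts
export CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}"

# KinD specific setting for demo scripts
export CONJUR_LOADBALANCER_SVCS="${CONJUR_LOADBALANCER_SVCS:-false}"
export TEST_APP_LOADBALANCER_SVCS="${TEST_APP_LOADBALANCER_SVCS:-false}"

# Openshift specific setting for demo scripts
# NOTE(review): the image defaults below use the mutable "latest" tag; for a
# reproducible demo, override the *_TAG variables with a specific version.
export IMAGE_REPOSITORY="${IMAGE_REPOSITORY:-registry.connect.redhat.com/cyberark/conjur}"
export IMAGE_TAG="${IMAGE_TAG:-latest}"
export NGINX_REPOSITORY="${NGINX_REPOSITORY:-registry.connect.redhat.com/cyberark/conjur-nginx}"
export NGINX_TAG="${NGINX_TAG:-latest}"
export POSTGRES_REPOSITORY="${POSTGRES_REPOSITORY:-registry.redhat.io/rhel8/postgresql-15}"
export POSTGRES_TAG="${POSTGRES_TAG:-latest}"
export POSTGRES_PV_CREATE="${POSTGRES_PV_CREATE:-false}"
export OPENSHIFT_ENABLED="${OPENSHIFT_ENABLED:-true}"

# You can choose to have the scripts create a local, insecure Docker registry
# for pushing/pulling pod images by exporting the following:
#   export USE_DOCKER_LOCAL_REGISTRY=true
# Or you can use a public Docker registry (e.g. DockerHub) by exporting
# your Docker credentials.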
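#
# These can be configured/customized in customize.env
export USE_DOCKER_LOCAL_REGISTRY="${USE_DOCKER_LOCAL_REGISTRY:-true}"
export DOCKER_LOCAL_REGISTRY_NAME="${DOCKER_LOCAL_REGISTRY_NAME:-kind-registry}"
export DOCKER_LOCAL_REGISTRY_PORT="${DOCKER_LOCAL_REGISTRY_PORT:-5000}"
export DOCKER_REGISTRY_URL="${DOCKER_REGISTRY_URL:-localhost:${DOCKER_LOCAL_REGISTRY_PORT}}"
export DOCKER_REGISTRY_PATH="${DOCKER_REGISTRY_PATH:-${DOCKER_REGISTRY_URL}}"
# Compare the variable's value, not the bare name: a literal string can
# never equal "false", which would silently skip the credential checks.
# check_env_var is provided by utils.sh, which the 'start' script sources
# before this file.
if [[ "$USE_DOCKER_LOCAL_REGISTRY" == "false" ]]; then
  check_env_var "DOCKER_USERNAME"
  check_env_var "DOCKER_PASSWORD"
  check_env_var "DOCKER_EMAIL"
fi
--------------------------------------------------------------------------------
/examples/openshift/start:
--------------------------------------------------------------------------------
#!/bin/bash

set -euo pipefail

export PLATFORM="openshift"
# Resolve the common directory relative to this script so the wrapper also
# works when it is invoked from another working directory.
cd "$(dirname "$0")/../common"
./start -p ../openshift/0_export_env_vars.sh "$@"
--------------------------------------------------------------------------------
/helm-upgrade.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -eo pipefail

# USAGE:
#   ./helm-upgrade.sh [set-chart-values-arguments]
#
# Note that for helm upgrades, any settings for the following chart values
# will be ignored:
#   dataKey
#   database.password
#   database.url
# since these values (and their respective Kubernetes secrets) will remain
# unchanged across Helm upgrades.
#
# Optional environment:
#   CONJUR_NAMESPACE: namespace of the existing release. Used both to find
#                     the release and for the upgrade itself.

# For Helm upgrade operations, the --reuse-values command line flag must
# be used in order to preserve any non-default values that were used
# during helm install.
#
# NOTE(review): the original header also said pods are forced to be
# recreated, but no such flag is passed below — confirm whether that is
# still intended.
ns_args=()
if [ -n "$CONJUR_NAMESPACE" ]; then
  ns_args=(-n "$CONJUR_NAMESPACE")
fi

# Find the helm release (it will contain 'conjur-oss-' in its chart name).
# The namespace has to be passed here as well: without it 'helm list' only
# reports releases in the default namespace, the lookup comes back empty and
# the upgrade below is invoked without a release name.
helm_release=$(helm list "${ns_args[@]}" --output=json \
  | jq -r '.[] | select(.chart | match("conjur-oss-.*")) | .name')

if [ -z "$helm_release" ]; then
  echo "No Helm release with a 'conjur-oss-' chart was found${CONJUR_NAMESPACE:+ in namespace $CONJUR_NAMESPACE}" >&2
  exit 1
fi
# jq prints one name per line; refuse to guess when several releases match.
if [ "$(printf '%s\n' "$helm_release" | grep -c .)" -ne 1 ]; then
  echo "More than one conjur-oss Helm release was found; set CONJUR_NAMESPACE to pick one:" >&2
  echo "$helm_release" >&2
  exit 1
fi

# Pass the caller's arguments through intact instead of re-splitting them.
helm upgrade "$@" --reuse-values "${ns_args[@]}" "$helm_release" ./conjur-oss
--------------------------------------------------------------------------------
/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -eo pipefail

source ./utils.sh

HELM_RELEASE=${HELM_RELEASE:-conjur-oss}

# If HELM_ARGS is already set in the environment it is used verbatim and the
# script's own arguments are ignored; otherwise the arguments are combined
# with a freshly generated data key and the release name.
if [ -z "$HELM_ARGS" ]; then
  # Generate database data-key
  # NOTE(review): 'cyberark/conjur' is pulled without a tag, i.e. whatever
  # 'latest' currently is; pin a version if reproducibility matters.
  data_key="$(docker run --rm cyberark/conjur data-key generate)"
  if [ -z "$data_key" ]; then
    echo "Failed to generate a Conjur data key" >&2
    exit 1
  fi
  # NOTE(review): the data key travels on the helm command line, so it is
  # visible in process listings and shell history; a values file would keep
  # it out of argv.
  HELM_ARGS="$@ --set dataKey=$data_key"

  # is_helm_v2 comes from ./utils.sh
  if is_helm_v2; then
    echo "Helm version is 2"
    HELM_ARGS="$HELM_ARGS --name $HELM_RELEASE"
  else
    echo "Helm version is 3 or newer"
    HELM_ARGS="$HELM_ARGS $HELM_RELEASE"
  fi
fi

if [ ! -z "$CONJUR_NAMESPACE" ]; then
  # Create the namespace on first use.
  if ! kubectl get namespace "$CONJUR_NAMESPACE" 2>/dev/null; then
    kubectl create namespace "$CONJUR_NAMESPACE"
  fi
  HELM_ARGS="$HELM_ARGS --namespace $CONJUR_NAMESPACE"
fi

# HELM_ARGS is intentionally unquoted so it expands to separate arguments.
helm install $HELM_ARGS ./conjur-oss
--------------------------------------------------------------------------------
/test-minimal.sh:
--------------------------------------------------------------------------------
#!/bin/bash -e

source ./utils.sh

# This script runs the minimal helm test, which does not rely on external load
# balancers or persistent volumes. This is suitable for environments where
# these resources aren't available.
#
# This test also enables Helm test logging by default.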
10 | 11 | # Validate our schema before running tests 12 | ./ci/validate_schema.sh 13 | 14 | export HELM_INSTALL_ARGS="--set service.external.enabled=false \ 15 | --set postgres.persistentVolume.create=false" 16 | 17 | export HELM_INSTALL_TIMEOUT="180" 18 | if ! is_helm_v2; then 19 | # Helm v3 requires units for timeout values 20 | HELM_INSTALL_TIMEOUT+="s" 21 | fi 22 | 23 | export HELM_TEST_LOGGING=${HELM_TEST_LOGGING:-true} 24 | 25 | ./test.sh 26 | 27 | -------------------------------------------------------------------------------- /test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eo pipefail 4 | 5 | source ./utils.sh 6 | 7 | # Validate our schema before running tests 8 | ./ci/validate_schema.sh 9 | 10 | # Run Helm test 11 | # 12 | # This script does the following in sequence: 13 | # - Runs a Helm install of a Conjur server 14 | # - Runs a Helm test that deploys a test container that runs a 15 | # Bash Automated Test System (a.k.a. "Bats") test script that 16 | # confirms that the Conjur server's status page is active. 17 | # 18 | # Syntax: 19 | # ./test.sh 20 | # 21 | # Optional Environment Variables: 22 | # CONJUR_NAMESPACE: Namespace to use for Conjur deployment. The 23 | # namespace is created if it doesn't exist. 24 | # HELM_INSTALL_ARGS: Additional arguments to pass to the `helm install` 25 | # command beyond the standard arguments used below: 26 | # --wait 27 | # --timeout $HELM_INSTALL_TIMEOUT 28 | # --set "dataKey=$dataKey" 29 | # Defaults to empty string. 30 | # HELM_INSTALL_TIMEOUT: Helm install timeout. Defaults to `900` for 31 | # Helm V2 and `900s` for newer versions of Helm. 32 | # HELM_TEST_LOGGING: Set to true to enable Helm test log collection. 33 | # Defaults to false. 34 | # RELEASE_NAME: Name of Helm release to use for testing 35 | # Defaults to "helm-chart-test--