There is an initial cluster prep helm chart

izgeri commented 3 years ago

Overview

This user story requires the definition of a cluster prep helm chart, including:

values.yaml file
templates/golden_configmap.yaml templated manifest
templates/service_account.yaml templated manifest
templates/clusterrole.yaml templated manifest
README.md explaining basic usage and a table of configurable values
templates/NOTES.txt simply announcing completion, maybe listing objects that have been deployed

Desired Implementation

Out of Scope:

values.schema.json (covered in Issue #233)
Unit test based on unittest framework (covered in Issue #234)
Helm test validation (covered in Issue #228)

Kubernetes Objects to be Created for Helm install/upgrade

When helm install ... is invoked on this Helm chart, there should be two Kubernetes objects created in the authenticator Namespace:

Golden (Reference) ConfigMap
Authenticator ServiceAccount
Authenticator ClusterRole

Sample Golden ConfigMap Manifest

When helm install ... is invoked using this Helm chart, Helm should render a manifest for a Golden ConfigMap that looks similar to the following:

apiVersion: v1
kind: ConfigMap
metadata:
  name: authn-k8s-config-map
  labels:
    app.kubernetes.io/name: golden-configmap
    app.kubernetes.io/component: conjur-config
    app.kubernetes.io/instance: <Authenticator Namespace>
    app.kubernetes.io/part-of: authn-k8s-cluster-config
    app.kubernetes.io/managed-by: helm
    helm.sh/chart: <Chart name>-<Chart version>
data:
  # authn-k8s Configuration
  authnK8sAuthenticatorID: my-authenticator-id
  authnK8sClusterRole: conjur-authenticator-clusterrole
  authnK8sNamespace: conjur-ns
  authnK8sServiceAccount: conjur-sa

  # Conjur Configuration
  conjurAccount: myConjurAccount
  conjurApplianceUrl: https://conjur.conjur-ns.svc.cluster.local
  conjurSslCertificate: <Unencoded Conjur SSL certificate>
  conjurSslCertificateBase64: <base64 encoded Conjur SSL certificate>

Sample ClusterRole Manifest

When helm install ... is invoked using this Helm chart, Helm should render a manifest for a ClusterRole that looks similar to the following:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: authn-k8s-clusterrole
    app.kubernetes.io/component: authn-k8s-permissions
    app.kubernetes.io/instance: <Authenticator Namespace>
    app.kubernetes.io/part-of: authn-k8s-cluster-config
    app.kubernetes.io/managed-by: helm
    helm.sh/chart: <Chart name>-<Chart version>
  name: authn-k8s
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - serviceaccounts
  verbs:
  - get
  - list
- apiGroups:
  - extensions
  resources:
  - deployments
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
  - get

Sample ServiceAccount Manifest

When helm install ... is invoked using this Helm chart, Helm should render a manifest for a ServiceAccount that looks similar to the following:

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: authn-k8s-serviceaccount
    app.kubernetes.io/component: authn-k8s-identity
    app.kubernetes.io/instance: <Authenticator Namespace>
    app.kubernetes.io/part-of: authn-k8s-cluster-config
    app.kubernetes.io/managed-by: helm
    helm.sh/chart: <Chart name>-<Chart version>
  name: authn-k8s

Helm chart Files to be created

This Helm chart requires the creation of the following files in the chart subdirectory:

values.yaml file
templates/golden_configmap.yaml templated manifest
templates/authn_serviceaccount.yaml templated manifest
templates/authn_clusterrole.yaml templated manifest
README.md explaining basic usage, upgrade examples, and a table of configurable values
templates/NOTES.txt simply announcing completion, maybe listing objects that have been deployed

`values.yaml` requirements

The values.yaml file created for this Helm chart must contain the fields that are listed in the "Kubernetes Cluster Prep Helm Chart Value" column of the "User Input: Information Gathered for Kubernetes Cluster Preparation" section of this document: https://cyberark365.sharepoint.com/:w:/s/Conjur/EbhBd0DKYt1MstzSj-4sWOkBssiD23FAHA4JgW-2V2YwrA?e=04gdla.

Additional "control knobs"

The values.yaml file should also include a couple of other "control knobs":

authnK8s.rbac.enable This is needed to enable/disable creation of the authn-k8s ClusterRole. This is future-proofing: There may be cases in the future whereby someone might want to share ClusterRoles across multiple authn-k8s authenticators.
authnK8s.serviceAccount.enable This is for future-proofing. For some deployments, e.g. with the Conjur OSS Helm chart, there already exists a ServiceAccount that can be used/re-used.

Default values

The values.yaml file should provide the following default values:
conjur.account defaults to "default"
authnK8s.rbac.enable defaults to true
authnK8s.serviceAccount.enable defaults to true

Template manifests requirements

The template manifests must enforce that required values have been explicitly defined. Required values are those fields in the values.yaml file that are indicated as "Mandatory" in the "Kubernetes Cluster Prep Helm Chart Value" column of the "User Input: Information Gathered for Kubernetes Cluster Preparation" section of this document: https://cyberark365.sharepoint.com/:w:/s/Conjur/EbhBd0DKYt1MstzSj-4sWOkBssiD23FAHA4JgW-2V2YwrA?e=04gdla.

`README.md` requirements

The README.md must include:

Overview of the intended use of the chart.
Step-by-step instructions on how to use the Helm chart, including:
- Prequisite information that needs to be gathered from a Conjur admin (not including Conjur SSL cert).
- Instructions on how to retrieve the Conjur SSL certificate based on the Conjur URL
- Table of configurable values
- Examples on how Helm upgrade can be used to modify values used by a chart

`NOTES.txt` requirements

NOTES.txt should announce completion, maybe listing objects that have been deployed

Environments on Which to Test

For this implementation, it should be sufficient to test this Helm chart on:

Conjur OSS
Either Kubernetes cluster (can be KinD or GKE) or OpenShift, pick one

DoD:

Required files have been created
Helm chart tested on setups described in "Environments on Which to Test" above
Helm install creates Golden ConfigMap, ServiceAccount, ClusterRole using default enable/disable flags
Disabling of ServiceAccount creation works for helm install
Disabling of ClusterRole creation works for helm install
Helm upgrade works as expected
Requirements listed above are all met

izgeri commented 3 years ago

@diverdane will this include programmatically retrieving the Conjur SSL certificate, as we researched in cyberark/conjur#2038?

diverdane commented 3 years ago

@izgeri - Re. Conjur SSL certificate retrieval, I've added a requirement that the README.md must include step-by-step instructions on how a user can retrieve the Conjur SSL certificate using the Golang code and steps that @doodlesbykumbi developed and documented.

FYI: For future consideration, there may be a way to make this a little more seamless for the Kubernetes admin by integrating the Golang code that does Conjur SSL cert retrieval with the Helm chart by using Helm chart "Post Renderer": https://helm.sh/docs/topics/advanced/#post-rendering The post renderer could be a bash script or it could be wrapped in the Helm Go SDK: https://helm.sh/docs/topics/advanced/#go-sdk

cyberark / conjur-authn-k8s-client