cyberark / conjur-oss-helm-chart

Helm chart for deploying Conjur OSS to Kubernetes
Apache License 2.0

Conjur authenticator support in GCP #12

Closed ismarc closed 5 years ago

ismarc commented 5 years ago

When deployed into Google Cloud Platform via the Google Cloud Marketplace, the Conjur OSS helm chart will expose a mechanism to enable any authenticator(s) and run any additional services required for the authenticators to function properly.

When deploying from Google Cloud Marketplace:

  1. From the Google Cloud Marketplace page https://console.cloud.google.com/marketplace/details/cyberark/conjur-open-source the user selects configure (Fig 1).
  2. The user selects the project they want to launch Conjur into
  3. Under Click to Deploy on GKE (Fig 2), the user
    1. Selects the cluster to launch into
    2. Selects the namespace to launch into
    3. Provides the app instance name to use
    4. Optionally provides the Postgres URL. If one is not supplied, a pod with Postgres is launched for the user.
    5. Optionally provides a list of authenticators to enable

Conjur will then be deployed into the cluster and namespace selected with the app instance name provided. It will use the supplied Postgres URL (or generated one for a launched Postgres instance) with the provided authenticators enabled. All additional services necessary (mTLS support for authn-k8s, etc.) to support the authenticators will be provided.

The assumption is that it is a single OSS instance communicating with an authn-k8s client (via sidecar or init container) deployed to a pod using service accounts. mTLS is assumed to be intra-cluster rather than the larger inter-cluster setup.

A scripted version of the client process is available at https://github.com/conjurdemos/kubernetes-conjur-demo and is expected to work with the above deployed Conjur OSS instance.

When deploying a client:

  1. Create application namespace
  2. Load Conjur policies into the Conjur OSS instance (see https://github.com/conjurdemos/kubernetes-conjur-demo/tree/master/policy for example policy templates)
  3. Initialize the certificate authority (see https://github.com/conjurdemos/kubernetes-conjur-demo/blob/master/3_init_conjur_cert_authority.sh)
  4. Store the Conjur certificate for application use (see https://github.com/conjurdemos/kubernetes-conjur-demo/blob/master/4_store_conjur_cert.sh)
  5. Build and push client containers into Kubernetes registry.
  6. Deploy test application to Kubernetes cluster (see https://github.com/conjurdemos/kubernetes-conjur-demo/blob/master/6_deploy_test_app.sh)
  7. Verify client application can pull secrets

Right now, there is no way to enable different authenticators, and even if they are enabled, additional support is needed for the authenticators to work (such as mTLS for the Kubernetes authenticator). This limits the capabilities and benefit of using Conjur. All authenticators should be usable when deployed via the helm chart.

Specific support is needed for Kubernetes: it needs to support authn-k8s authentication within the same cluster between the Conjur OSS (master) instance and clients (conjur-authn-k8s-client) running as a sidecar or init container using service accounts.

Fig 1: screenshot (2018-12-04, 2:31 PM), Google Cloud Marketplace "configure" page; image not reproduced.

Fig 2: screenshot (2018-12-04, 2:34 PM), "Click to Deploy on GKE" form; image not reproduced.

sgnn7 commented 5 years ago

More info: "Single instance of OSS that can communicate with a k8s authn client deployed to a pod"

Expectation (from the info we have right now) is that this mTLS is intra-cluster rather than the larger inter-cluster setup.

brikelly commented 5 years ago

@ismarc What is the experience for getting a secret to an app deployed in GCP after the steps outlined above? In other words, these steps describe getting Conjur running on GCP, but how does one use it to go end-to-end?

sgnn7 commented 5 years ago

This is now waiting on Google to do the final "release" to marketplace.

From them:

Great news! Thanks for the update. I will keep you posted on the progress.

Regards,
Jeevan
sgnn7 commented 5 years ago

This is released now: https://console.cloud.google.com/marketplace/details/cyberark/conjur-open-source has tag v1.3

brikelly commented 5 years ago

Can we mark all the sub stories complete and push this to Released now? @sgnn7 @ismarc @garkler