Closed izgeri closed 3 years ago
Here is my current proposed solution and description of the problem: https://gist.github.com/BradleyBoutcher/2b8bf545f9bf13addf21eb3ffbe22725
This is a WIP, and I already have some good feedback from @diverdane that I'll be adding tomorrow. I've also put together a proof-of-concept for the tool, which I will continue to work on tomorrow.
To provide some context for where/when this tool would be run, here's a draft of the high-level workflow:
### DONE ONCE:
### SIDECAR INJECTOR DEPLOYMENT (done once, by Kubernetes admin)
### NAMESPACE PREP (performed by Kubernetes admin)
    helm install ...
Using a namespace prep Helm chart and the "golden" ConfigMap, this creates the following in the application namespace:
- A conjur-connection-configmap (for sidecars, init containers, and Summon)
- An authn-k8s RoleBinding
### APP DEPLOYMENT
Here's a draft of the ConfigMaps and the RoleBinding that will come into play for this Issue and for Issue #2044:
### Example authn-k8s-configmap.yml ("golden" ConfigMap, one per K8s cluster):
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: authn-k8s-config-map
data:
  authn-k8s: |
    authenticatorID: my-authenticator-id
    clusterRole: conjur-oss-conjur-authenticator
    namespace: conjur-oss
    serviceAccount: conjur-oss
    # Secret which contains a service account token for authenticating
    # K8s identities with Kubernetes API when DAP master/followers
    # are outside of the K8s cluster. Secret is assumed to be in the
    # data.authn-k8s.namespace field above.
    serviceAccountSecret: conjur-oss-token-87sbm
  conjur: |
    url: "https://conjur-oss.conjur-oss.svc.cluster.local"
    account: myConjurAccount
    sslCertificate: |
      -----BEGIN CERTIFICATE-----
      MIIDhDCCAmygAwIBAgIRAJwBd+VnZ7C9RqNHFEHtqAcwDQYJKoZIhvcNAQELBQAw
      < = = = SNIP = = = >
      4fRDZYLUuodUxPdyfltuKCPP6xaUSac+TG1fnr13kVGy1SuTGkJI+w==
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIC/TCCAeWgAwIBAgIRAPL/vb/wn5lCUDdpJ9xcJx4wDQYJKoZIhvcNAQELBQAw
      < = = = SNIP = = = >
      62v7weQABGU5rPL8AUj16ewVwG1TO2sguCEZw4E/jeYOa7pMAp70OjjXEntNPXjw
      sw==
      -----END CERTIFICATE-----
  # For Kubernetes access from outside of the cluster
  kubernetes: |
    apiURL: "https://123456789ABCDEF123456789ABCDEF12.sk1.us-east-1.eks.amazonaws.com"
    apiCertificate: |
      -----BEGIN CERTIFICATE-----
      MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
      < = = = SNIP = = = >
      RedactedRedactedRedactedRedactedRedactedRedactedRedactedY2k=
      -----END CERTIFICATE-----
    platform: kubernetes
```
### Sample conjur-connection-configmap.yml (created in each app namespace as part of "Namespace Prep"):
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: conjur-connect-configmap
data:
  authn-k8s: |
    authenticatorID: my-authenticator-id
    clusterRole: conjur-oss-conjur-authenticator
    namespace: conjur-oss
    serviceAccount: conjur-oss
  conjur: |
    account: myConjurAccount
    sslCertificate: |
      -----BEGIN CERTIFICATE-----
      MIIDhDCCAmygAwIBAgIRAJwBd+VnZ7C9RqNHFEHtqAcwDQYJKoZIhvcNAQELBQAw
      < = = = SNIP = = = >
      4fRDZYLUuodUxPdyfltuKCPP6xaUSac+TG1fnr13kVGy1SuTGkJI+w==
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIC/TCCAeWgAwIBAgIRAPL/vb/wn5lCUDdpJ9xcJx4wDQYJKoZIhvcNAQELBQAw
      < = = = SNIP = = = >
      62v7weQABGU5rPL8AUj16ewVwG1TO2sguCEZw4E/jeYOa7pMAp70OjjXEntNPXjw
      sw==
      -----END CERTIFICATE-----
    url: "https://conjur-oss.conjur-oss.svc.cluster.local"
  kubernetes: |
    platform: kubernetes
```
### Example authn-k8s-role-binding.yml (created in each app namespace as part of "Namespace Prep").
I left fields templatized for this one:
```yaml
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: conjur-authenticator-role-binding
  namespace: {{ TEST_APP_NAMESPACE_NAME }}
subjects:
- kind: ServiceAccount
  name: {{ AUTHN_K8S_SERVICE_ACCOUNT }}
  namespace: {{ AUTHN_K8S_NAMESPACE }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ CONJUR_AUTHN_K8S_CLUSTER_ROLE }}
```
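As an added example (not code from the issue or from the project), here is the Namespace Prep derivation step sketched above in Python: starting from the cluster-wide "golden" ConfigMap it produces the per-namespace conjur-connect-configmap, leaving out the keys an application namespace should not receive, and fills the templated RoleBinding fields from data.authn-k8s. Which keys count as admin-only, the placeholder certificates and the sample input are assumptions of this example.

```python
import json
# Keys kept only in the admin's golden ConfigMap (assumption, not from the issue): the
# token Secret name and the external API endpoint are not needed by app workloads.
ADMIN_ONLY = {"authn-k8s": {"serviceAccountSecret"}, "kubernetes": {"apiURL", "apiCertificate"}}

def parse_section(text):  # parse the flat `key: value` / `key: |` text of one ConfigMap data value
    out, block = {}, None
    for line in text.splitlines():
        if block and line.startswith("  "):  # continuation line of a `|` block scalar
            out[block] += line[2:] + "\n"
            continue
        block = None
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        out[key] = "" if val == "|" else val
        block = key if val == "|" else None
    return out

def emit_section(fields):  # inverse of parse_section: multi-line values become `|` block scalars
    lines = []
    for k, v in fields.items():
        lines += [f"{k}: |"] + ["  " + ln for ln in v.rstrip("\n").split("\n")] if "\n" in v else [f"{k}: {v}"]
    return "\n".join(lines) + "\n"

def derive_connect_configmap(golden):  # every data section minus its ADMIN_ONLY keys
    data = {s: emit_section({k: v for k, v in parse_section(t).items() if k not in ADMIN_ONLY.get(s, ())})
            for s, t in golden["data"].items()}
    return {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "conjur-connect-configmap"}, "data": data}

def derive_role_binding(golden, app_namespace):  # fill the templated RoleBinding from data.authn-k8s
    a = parse_section(golden["data"]["authn-k8s"])
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": "conjur-authenticator-role-binding", "namespace": app_namespace},
            "subjects": [{"kind": "ServiceAccount", "name": a["serviceAccount"], "namespace": a["namespace"]}],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": a["clusterRole"]}}

# Constructed golden ConfigMap mirroring the issue's example; certificate bodies are placeholders.
GOLDEN = {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "authn-k8s-config-map"}, "data": {
    "authn-k8s": "authenticatorID: my-authenticator-id\nclusterRole: conjur-oss-conjur-authenticator\n"
                 "namespace: conjur-oss\nserviceAccount: conjur-oss\nserviceAccountSecret: conjur-oss-token-87sbm\n",
    "conjur": "url: \"https://conjur-oss.conjur-oss.svc.cluster.local\"\naccount: myConjurAccount\n"
              "sslCertificate: |\n  -----BEGIN CERTIFICATE-----\n  PLACEHOLDER\n  -----END CERTIFICATE-----\n",
    "kubernetes": "apiURL: \"https://PLACEHOLDER.eks.amazonaws.com\"\napiCertificate: |\n"
                  "  -----BEGIN CERTIFICATE-----\n  PLACEHOLDER\n  -----END CERTIFICATE-----\nplatform: kubernetes\n"}}

if __name__ == "__main__":  # JSON manifests are accepted by `kubectl apply -f`
    print(json.dumps(derive_connect_configmap(GOLDEN), indent=2))
    print(json.dumps(derive_role_binding(GOLDEN, "my-app-namespace"), indent=2))
```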
We should create an issue as follows: There exists a chart for all values needed for a K8s / OCP configmap
This chart should have the following information:
CONJUR_ACCOUNT
Certain variables can be confusing when we use different naming conventions, for example, "Conjur SSL Certificate" vs "Conjur CA Certificate". We should be sure to standardize these variables early, so we can include that information in the readme for this tool, and be consistent throughout our documentation for it as well.
@BradleyBoutcher you might find this page useful, as I've been trying to keep adding to it as a "source of truth" for client configs. Please add anything that you note is missing, and feel free to reference this as you figure out the name / description / etc.
https://github.com/cyberark/dap-wiki/blob/master/reference/client-configuration.md
We'll also be referencing this page as we build out the OpenAPI SDK
Based on the outcome of #2030, propose a method for a Kubernetes operator to have a command-line tool that will generate a Conjur configuration ConfigMap in the format proposed in #2030.
We need to understand:
The outcome of this spike is a README that walks through the instructions for using this tool. The README will be used to plan the work required to implement the tool and complete #2027.
The README should be reviewed with the security architect to review the proposed plan and make sure privileged data is properly protected.
Some proposed options for the tool: