Spike: There is a tool to simplify the steps required to prepare a Kubernetes cluster to use the Conjur Kubernetes Authenticator

[izgeri]

Based on the outcome of #2030, propose a method for a Kubernetes operator to have a command-line tool that will generate a Conjur configuration ConfigMap in the format proposed in #2030.

We need to understand:

• What values the tool must have as inputs, and where those values are coming from. Whenever possible, we should get the values from the server without requiring input from the user.
• What steps the user must take to run the tool, with the goal of having as few steps as possible.
• Where the Conjur configuration ConfigMap will live (eg what namespace), with some initial ideas about how to simplify sharing it with other namespaces given permissions constraints.
• What the end state of the cluster will be after running the tool, which will be information we need as an input to #2028.

The outcome of this spike is a README that walks through the instructions for using this tool. The README will be used to plan the work required to implement the tool and complete #2027.

The README should be reviewed with the security architect to review the proposed plan and make sure privileged data is properly protected.

Some proposed options for the tool:

• Helm chart
• Standalone CLI
• Extending the Conjur Python CLI
• Bash scripts (ew)

[BradleyBoutcher]

Here is my current proposed solution and description of the problem: https://gist.github.com/BradleyBoutcher/2b8bf545f9bf13addf21eb3ffbe22725

This is a WIP, and I already have some good feedback from @diverdane I'll be adding tomorrow. I've also put together a proof-of-concept for the tool, which I will continue to work on tomorrow.

[diverdane]

To provide some context for where/when this tool would be run, here's a draft of the high-level workflow:

### DONE ONCE:

• Start out with a basic Conjur cluster
• Enable authn-k8s in your Conjur cluster (well documented steps, done only once per cluster so automation not as critical?)
• Retrieve the Conjur SSL cert
• BRADLEY'S AUTOMATION: Prompt user for content to generate a "golden" config, output a YAML thingy.
• Create the "golden" ConfigMap (in either Conjur, DAP follower, or new authn-k8s namespace)
• Generate and load authn-k8s Conjur policy (outside of scope of this sprint?)

### SIDECAR INJECTOR DEPLOYMENT (Done once, done by Kubernetes admin):

• Helm chart install an injector using "golden" ConfigMap (outside of scope of this sprint)

### NAMESPACE PREP (performed by Kubernetes admin)

• ROB's INVESTIGATION: Run helm install ... using a namespace prep Helm chart and the "golden" ConfigMap, this creates the following in the application namespace: = A conjur-connection-configmap (for sidecars, init containers, and Summon) = authn-k8s RoleBinding

### APP DEPLOYMENT

• Generate and load app-specific Conjur policy (host IDs, annotations, and secrets variables) (Which personna does this???)
• Create a "secrets mapping" ConfigMap to tell the authenticator sidecar or secrets provider init container where to get secrets from Conjur and where to put the values retrieved (env vars or files)
• Deploy the app, add annotations as necessary

[diverdane]

Here's a draft of the ConfigMaps and the RoleBinding that will come into play for this Issue and for Issue #2044:

https://app.zenhub.com/workspaces/community-and-integrations-team-5e28ab8f700a191286d5abe0/issues/cyberark/conjur/2044

### Example authn-k8s-configmap.yml ("golden" ConfigMap, one per K8s cluster):

apiVersion: v1
kind: ConfigMap
metadata:
  name: authn-k8s-config-map
data:
  authn-k8s: |
    authenticatorID: my-authenticator-id
    clusterRole: conjur-oss-conjur-authenticator
    namespace: conjur-oss
    serviceAccount: conjur-oss
    # Secret which contains a service account token for authenticating
    # K8s identities with Kubernetes API when DAP master/followers
    # are outside of the K8s cluster. Secret is assumed to be in the
    # data.authn-k8s.namespace field above.
    serviceAccountSecret: conjur-oss conjur-oss-token-87sbm

  conjur: |
    url: "https://conjur-oss.conjur-oss.svc.cluster.local"
    account: myConjurAccount
    sslCertificate: |
      -----BEGIN CERTIFICATE-----
      MIIDhDCCAmygAwIBAgIRAJwBd+VnZ7C9RqNHFEHtqAcwDQYJKoZIhvcNAQELBQAw
              < = = = SNIP = = = >
      4fRDZYLUuodUxPdyfltuKCPP6xaUSac+TG1fnr13kVGy1SuTGkJI+w==
      -----END CERTIFICATE-----

      -----BEGIN CERTIFICATE-----
      MIIC/TCCAeWgAwIBAgIRAPL/vb/wn5lCUDdpJ9xcJx4wDQYJKoZIhvcNAQELBQAw
              < = = = SNIP = = = >
      62v7weQABGU5rPL8AUj16ewVwG1TO2sguCEZw4E/jeYOa7pMAp70OjjXEntNPXjw
      sw==
      -----END CERTIFICATE-----

  # For Kubernetes access from outside of the cluster
  kubernetes: |
    apiURL: "https://123456789ABCDEF123456789ABCDEF12.sk1.us-east-1.eks.amazonaws.com"
    apiCertificate: |
      -----BEGIN CERTIFICATE-----
      MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
              < = = = SNIP = = = >
      RedactedRedactedRedactedRedactedRedactedRedactedRedactedY2k=
      -----END CERTIFICATE-----
    platform: kubernetes

### Sample conjur-connection-configmap.yml (created in each app namespace as part of "Namespace Prep"):

apiVersion: v1
kind: ConfigMap
metadata:
  name: conjur-connect-configmap
data:
  authn-k8s: |
    authenticatorID: my-authenticator-id
    clusterRole: conjur-oss-conjur-authenticator
    namespace: conjur-oss
    serviceAccount: conjur-oss

  conjur: |
    account: myConjurAccount
    sslCertificate: |
      -----BEGIN CERTIFICATE-----
      MIIDhDCCAmygAwIBAgIRAJwBd+VnZ7C9RqNHFEHtqAcwDQYJKoZIhvcNAQELBQAw
              < = = = SNIP = = = >
      4fRDZYLUuodUxPdyfltuKCPP6xaUSac+TG1fnr13kVGy1SuTGkJI+w==
      -----END CERTIFICATE-----

      -----BEGIN CERTIFICATE-----
      MIIC/TCCAeWgAwIBAgIRAPL/vb/wn5lCUDdpJ9xcJx4wDQYJKoZIhvcNAQELBQAw
              < = = = SNIP = = = >
      62v7weQABGU5rPL8AUj16ewVwG1TO2sguCEZw4E/jeYOa7pMAp70OjjXEntNPXjw
      sw==
      -----END CERTIFICATE-----
    url: "https://conjur-oss.conjur-oss.svc.cluster.local"

  kubernetes: |
    platform: kubernetes

### Example authn-k8s-role-binding.yml (created in each app namespace as part of "Namespace Prep").

I left fields templatized for this one:

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: conjur-authenticator-role-binding
  namespace: {{ TEST_APP_NAMESPACE_NAME }}
subjects:
  - kind: ServiceAccount
    name: {{ AUTHN_K8S_SERVICE_ACCOUNT }}
    namespace: {{ AUTHN_K8S_NAMESPACE }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ CONJUR_AUTHN_K8S_CLUSTER_ROLE }}

[BradleyBoutcher]

We should create an issue as follows: There exists a chart for all values needed for a K8s / OCP configmap

This chart should have the following information:

• Environment variable (if one exists). We should include the standard environment variable Conjur or the cluster might recognize, which can be found in pre-existing documentation elsewhere. Example: CONJUR_ACCOUNT
• Normalized name. This is the name we will refer to the value with throughout our documentation. Example: Conjur Account
• Description. A brief description of the value expected for this key. Example: Conjur account name

Certain variables can be confusing when we use different naming conventions, for example, "Conjur SSL Certificate" vs "Conjur CA Certificate". We should be sure to standardize these variables early, so we can include that information in the readme for this tool, and be consistent throughout our documentation for it as well.

[izgeri]

@BradleyBoutcher you might find this page useful, as I've been trying to keep adding to it as a "source of truth" for client configs. please add anything that you note is missing, and feel free to reference this as you figure out the name / description / etc.

https://github.com/cyberark/dap-wiki/blob/master/reference/client-configuration.md

We'll also be referencing this page as we build out the OpenAPI SDK