cyberark / secrets-provider-for-k8s

Cyberark secrets provider for k8s
Apache License 2.0

Add optional hostAliases to values.yaml #289

Open liavyona opened 3 years ago

liavyona commented 3 years ago

Is your feature request related to a problem? Please describe.

When using the Conjur OSS helm chart in EKS, for example, helm generates the certificate for the Conjur server if not provided by the user. The certificate will be related to some DNS names such as {{ Release.name }}, {{ Release.name }}.{{ Release.Namespace }}, {{ Release.name }}.{{ Release.Namespace }}.svc and {{ .Values.ssl.hostname }}.

The problem is when enabling the external service for Conjur ({{ Values.service.external.enabled }}): the ELB for Conjur will have a random URL generated by AWS (https://a6b74d226668a4f69baed82f1acee1a3-1525512072.eu-central-1.elb.amazonaws.com). When passing the ELB URL and the conjur.pem, the SecretProvider will fail due to a discrepancy between the hostname of the URL and the DNS names from the certificate. [screenshot]

As the Conjur OSS helm chart enables me to control a custom hostname (DNS name for the certificate), I would like to add a new entry to /etc/hosts with the custom name and the actual IP address of the ELB URL, so I can use the SecretProvider with the Conjur URL set to the custom name I control.

Describe the solution you would like

Under Job.spec.template.spec, add the following optional hostAliases (configured via values.yaml):

    spec:
    {{ if .Values.environment.conjur.domain }}
      hostAliases:
        - ip: {{ .Values.environment.conjur.ip }}
          hostnames:
          - {{ .Values.environment.conjur.domain }}
    {{ end }}
      serviceAccountName: {{ .Values.rbac.serviceAccount.name }}

The result:

    spec:
      hostAliases:
        - ip: "35.158.250.20"
          hostnames:
          - "custom.domainname.com"
      serviceAccountName: {{ .Values.rbac.serviceAccount.name }}

Additional context

While the actual URL of Conjur is https://a6b74d226668a4f69baed82f1acee1a3-1525512072.eu-central-1.elb.amazonaws.com, I have the custom.domainname.com as a DNS name, so I passed the configuration above and the following values:

  conjur:
    # DAP/Conjur account name as defined during initial DAP/Conjur configuration.
    account: cyberark
    # URL of service defined for DAP Follower/Conjur.
    applianceUrl: https://custom.domainname.com
    # URL for the Kubernetes authenticator with which the Secrets Provider will authenticate.
    authnUrl: https://custom.domainname.com/authn-k8s/prod
    # Host that authenticates Secrets Provider to DAP/Conjur.
    authnLogin: host/conjur/authn-k8s/prod/apps/secret-provider-host

And got the following result: [screenshots]
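To make the mismatch in this report reproducible offline, here is an added Python check (not part of the Secrets Provider or of the Conjur chart) that models the DNS SANs the chart's generated certificate carries, tests the applianceUrl/authnUrl from the values above against them, and builds the proposed hostAliases entry; the release name and namespace are constructed, and the matcher also handles a single leading wildcard SAN, which the report does not mention.

```python
from ipaddress import ip_address
from urllib.parse import urlparse


def chart_san_names(release, namespace, ssl_hostname=None):
    """DNS names the Conjur OSS chart puts in its generated server cert
    (Release.Name, Release.Name.Namespace, ...svc, plus ssl.hostname if set)."""
    names = [release, f"{release}.{namespace}", f"{release}.{namespace}.svc"]
    if ssl_hostname:
        names.append(ssl_hostname)
    return names


def san_matches(pattern, host):
    """Case-insensitive DNS-ID match; a leading '*.' wildcard covers one label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def url_matches_cert(url, san_names):
    """True if the URL's hostname is covered by one of the cert's DNS SANs."""
    host = urlparse(url).hostname or ""
    return any(san_matches(p, host) for p in san_names)


def check(values, san_names):
    """Report which of the values.yaml URLs the cert would actually validate for."""
    return {key: url_matches_cert(values[key], san_names)
            for key in ("applianceUrl", "authnUrl")}


def host_alias_for(domain, ip):
    """hostAliases entry for Job.spec.template.spec. Kubernetes needs a literal IP
    here, not the ELB DNS name; ELB addresses are not static, so keep it in sync."""
    ip_address(ip)  # raises ValueError for a hostname such as the ELB URL
    return {"hostAliases": [{"ip": ip, "hostnames": [domain]}]}


if __name__ == "__main__":
    sans = chart_san_names("conjur-oss", "conjur", "custom.domainname.com")  # constructed release/namespace
    elb = "https://a6b74d226668a4f69baed82f1acee1a3-1525512072.eu-central-1.elb.amazonaws.com"
    print(url_matches_cert(elb, sans))  # the mismatch from the report
    print(check({"applianceUrl": "https://custom.domainname.com",
                 "authnUrl": "https://custom.domainname.com/authn-k8s/prod"}, sans))
    print(host_alias_for("custom.domainname.com", "35.158.250.20"))
```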

Tovli commented 3 years ago

@liavyona thanks. Can you advise why not use a DNS CNAME to have a static DNS name? This will allow you to easily create the needed cert, no? I think we shouldn't expect users to work with random URLs...

liavyona commented 3 years ago

As I said @Tovli, we use the Conjur OSS helm chart on EKS with a load balancer in order to externalize the Conjur server. The URL will be random. So I added this change because in the Conjur OSS helm chart I can pass a domain name that will be included in the generated CA certificate, and I can use this domain with the actual IP address of the service to run the SP without any errors.