Closed kgilpin closed 7 years ago
Is this summon-conjur behavior, or should the Docker image that holds summon/summon-conjur handle this?
We don't want to have to customize every Docker image that uses Summon to have to do this, which is why we want the provider to do it automatically.
In a K8s flow, the application container will be using Summon as the entrypoint. Summon can be provided to the application container by a volume link from the authentication sidecar. K8s doesn't provide a way to order the startup of the containers, so we want Summon to be smart enough to wait for the file $CONJUR_AUTHN_TOKEN_FILE to exist.
Yeah but summon has nothing to do w/ conjur env vars. We're talking about summon-conjur
right? I thought we could release an official summon-conjur
Docker image with all this baked in, and people could use that.
"summon has nothing to do w/ conjur env vars."
Summon doesn't, but summon-conjur
does. summon
needs to be the entrypoint for the application container.
If I configure a container with CONJUR_APPLIANCE_URL, CONJUR_ACCOUNT, and CONJUR_AUTHN_TOKEN_FILE, and I make summon
and summon-conjur
available in that container, then I want to be able to use summon
as the entrypoint, and I want summon-conjur
to wait for CONJUR_AUTHN_TOKEN_FILE to exist.
summon
and summon-conjur
don't need to be part of the application image; they can be part of the authentication sidecar image, and provided to the application container via shared volume.
Alright, that makes sense, thank you :)
This was resolved in #13.
When summon-conjur is used in a Pod scenario, the Conjur access token is provided as a file path.
This provider should wait for the file to exist. This will give a sidecar container time to login and obtain the first access token.