diff --git a/CHANGELOG.md b/CHANGELOG.md index 8d507ad..a529221 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,27 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). -## [Unreleased] +## [v2.0.0] - 2020-06-17 + +### Added +- Adds password authentication for the backend Postgres database connection. +- Adds TLS support between the Conjur pod and the Postgres pod. +- Adds default auto-generation of the Postgres connection password and + TLS certificate. +- Adds default auto-rotation of the following for `helm upgrade`: + - Conjur TLS CA signing certificate and signed certificate for Conjur + - Postgres database TLS certificate and key +- Adds mechanism for user to set their own TLS CA and signed certificates + for Conjur. + +### Changed +- Pins default Conjur version to current stable release 1.5. +- Sets default pullPolicy for Nginx and Postgres to `Always`. + +### Fixed +- Fixes an issue with the use of persistent volume store so that the + Postgres database contents are preserved across pod resets + and helm upgrades. ## [v1.3.8] - 2019-12-20 @@ -64,7 +84,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ### Added - First version of chart available. -[Unreleased]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v1.3.8...HEAD +[Unreleased]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v2.0.0...HEAD +[2.0.0]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v1.3.8...v2.0.0 [1.3.8]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v1.3.7...v1.3.8 [1.3.7]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v1.3.6...v1.3.7 [1.3.6]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v1.3.5...v1.3.6 diff --git a/conjur-oss/Chart.yaml b/conjur-oss/Chart.yaml index 64a4f26..6e4fdfa 100644 --- a/conjur-oss/Chart.yaml +++ b/conjur-oss/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: conjur-oss home: https://www.conjur.org -version: 1.3.8 +version: 2.0.0 description: A Helm chart for CyberArk Conjur icon: https://www.cyberark.com/wp-content/uploads/2015/12/cybr-aim.jpg keywords: diff --git a/conjur-oss/README.md b/conjur-oss/README.md index 932976d..e2f3b2f 100644 --- a/conjur-oss/README.md +++ b/conjur-oss/README.md @@ -1,4 +1,4 @@ -# conjur-oss +# Conjur OSS Helm Chart [CyberArk Conjur Open Source](https://www.conjur.org) is a powerful secrets management solution, tailored specifically to the unique infrastructure requirements of @@ -12,88 +12,252 @@ Conjur Open Source is part of the CyberArk Privileged Access Security Solution w --- -## Prerequisites - +## Table of Contents + +- [Prerequisites and Guidelines](#prerequisites-and-guidelines) +- [Installing the Chart](#installing-the-chart) + * [Simple Install](#simple-install) + * [Custom Installation](#custom-installation) + + [Example: Installation Using Command Line Arguments](#example-installation-using-command-line-arguments) + + [Example: Installation Using Custom YAML File](#example-installation-using-custom-yaml-file) + * [Installing Conjur with an External Postgres Database](#installing-conjur-with-an-external-postgres-database) + * [Auto-Generated Configuration](#auto-generated-configuration) +- [Upgrading, Modifying, or Migrating a Conjur OSS Helm Deployment](#upgrading-modifying-or-migrating-a-conjur-oss-helm-deployment) +- [Configuration](#configuration) + * [PostgreSQL Database Password Restrictions](#postgresql-database-password-restrictions) +- [Deleting the Conjur Deployment](#deleting-the-conjur-deployment) + * [Uninstalling the Chart via Helm Delete](#uninstalling-the-chart-via-helm-delete) + * [Cleaning Up Kubernetes Secrets Not Managed by Helm](#cleaning-up-kubernetes-secrets-not-managed-by-helm) +- [Contributing](#contributing) + +## Prerequisites and Guidelines + +- Installation to an isolated Kubernetes cluster or namespace is highly + recommended in order to facilitate limiting of direct access to Conjur + Kubernetes resources to security administrators. Here, the term isolated + refers to: + * No workloads besides Conjur and its backend database running in the + Kubernetes cluster/namespace. + * Kubernetes and Helm access to the cluster/namespace is limited to + security administrators via Role-Based Access Control (RBAC). - Kubernetes 1.7+ +- Helm v3+. The chart may work with older versions of + Helm but that deployment isn't specifically supported. +- Installation on OpenShift is not currently supported. +- It is recommended that auto-upgrades of Kubernetes version not be + used in the Kubernetes platform in which Conjur is deployed. Kubernetes + version upgrades should be done in concert with Conjur version upgrades + to ensure compatibility between Conjur and Kubernetes. ## Installing the Chart -The Chart can be installed from a GitHub release Chart tarball or from source. +The Chart can be installed from a GitHub release Chart tarball or by cloning +this GitHub repository. All releases: https://github.com/cyberark/conjur-oss-helm-chart/releases -### Simple install - -Install latest Conjur with integrated Postgres. +### Simple Install -_Note: These commands require Helm v3+ as-written. Remove the deployment name if using Helm v2._ +To install Conjur with an integrated Postgres database: ```sh-session -$ helm install conjur-oss \ - --set dataKey="$(docker run --rm cyberark/conjur data-key generate)" \ - https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v/conjur-oss-.tgz +$ CONJUR_NAMESPACE= +$ kubectl create namespace "$CONJUR_NAMESPACE" +$ DATA_KEY="$(docker run --rm cyberark/conjur data-key generate)" +$ HELM_RELEASE= +$ helm install \ + -n "$CONJUR_NAMESPACE" \ + --set dataKey="$DATA_KEY" \ + "$HELM_RELEASE" \ + https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v/conjur-oss-.tgz ``` -This will deploy the latest version of `cyberark/conjur`. -The Conjur `ClusterIP` service is not exposed outside the cluster. +_Note: The configured data key will be used to encrypt sensitive information +in Conjur's database. This must be archived in a safe place._ + +_Note: These commands require Helm v3+ as-written. If using Helm v2, use +arguments `--name conjur-oss` in place of `conjur-oss`._ + +_Note: It is highly recommended that custom, signed SSL certificates be used +rather than using auto-generated certificates for external Conjur access and +for integrated Postgres database access (see +[Custom Installation](#custom-installation) below). + Conjur is running HTTPS on port 443 (9443 within the cluster) with a self-signed certificate. A PostgreSQL deployment is created to store Conjur state. -Note that you can also install from source by cloning this repository and running +Note that you can also install from source by cloning this repository and running: ```sh-session -helm install conjur-oss \ - --set dataKey="$(docker run --rm cyberark/conjur data-key generate)" \ - ./conjur-oss +$ CONJUR_NAMESPACE= +$ kubectl create namespace "$CONJUR_NAMESPACE" +$ DATA_KEY="$(docker run --rm cyberark/conjur data-key generate)" +$ HELM_RELEASE= +$ helm install \ + -n "$CONJUR_NAMESPACE" \ + --set dataKey="$DATA_KEY" \ + "$HELM_RELEASE" \ + ./conjur-oss ``` ### Custom Installation -All important chart values can be customized and the following shows how to install -a specific version of Conjur, enable additional Kubernetes-API authentications, -generate self-signed SSL certificates, expose Conjur outside of the cluster, -and configure it to connect to a remote database: +All important chart values can be customized. The table in the +[Configuration](#configuration) section below describes customizable +chart values. + +Values can be customized either by: +- By including `helm install` command line arguments of the form + `--set =` for any non-default configuration values (see the + [Example: Installation Using Command Line Arguments](#example-installation-using-command-line-arguments) + section below. +- Creating a custom version of the `values.yaml` file (see the + [Example: Installation Using Custom YAML File](#example-installation-using-custom-yaml-file) + section below). + +_Note: When using non-default values for Helm install or upgrade, +the user is advised:_ +- _Setting configurable parameters to non-default values may result in a + combination of settings that may not have been tested._ +- _Using component images other than the defaults may introduce security + vulnerabilities._ + +_Note: It is recommended that any custom chart values that are sensitive in +nature should be set on the Helm command line rather than in a custom values +file (to avoid the risk of the custom values file not getting deleted after +use). An example of how to do this for `database.url` is shown below._ + +#### Example: Installation Using Command Line Arguments +The following shows how to install a Conjur deployment with: +- A specific version of Conjur +- A custom domain name to use for accessing Conjur from outside of the cluster -**custom-values.yaml** +```sh-session +$ CONJUR_NAMESPACE=my-conjur-namespace +$ kubectl create --namespace "$CONJUR_NAMESPACE" +$ DATA_KEY="$(docker run --rm cyberark/conjur data-key generate)" +$ HELM_ARGS="--set dataKey=$DATA_KEY \ + --set image.tag=1.5.1 \ + --set image.pullPolicy=IfNotPresent \ + --set ssl.hostname=custom.domainname.com +$ helm install \ + -n "$CONJUR_NAMESPACE" \ + $HELM_ARGS \ + conjur-oss \ + https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v/conjur-oss-.tgz +``` + +#### Example: Installation Using Custom YAML File +The following shows how to install a Conjur deployment with: +- A specific version of Conjur +- Additional Kubernetes-API authenticators enabled +- A custom domain name to use for accessing Conjur from outside of the cluster -```yaml +First, create a custom values file: + +```sh-session +$ DATA_KEY="$(docker run --rm cyberark/conjur data-key generate)" +$ cat >custom-values.yaml </conjur-oss-.tgz +$ CONJUR_NAMESPACE=my-conjur-namespace +$ kubectl create --namespace "$CONJUR_NAMESPACE" +$ helm install \ + -n "$CONJUR_NAMESPACE" \ + -f custom-values.yaml \ + conjur-oss \ + https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v/conjur-oss-.tgz ``` *NOTE:* If using the Kubernetes authenticator for Conjur, the `account` value -(see [Configuration](#Configuration)) must match the initial Conjur account +(see [Configuration](#configuration)) must match the initial Conjur account created. For example, given the following command: ```sh-session -$ kubectl exec $POD_NAME --container=conjur-oss conjurctl account create default +$ kubectl exec -n "$CONJUR_NAMESPACE" "$POD_NAME" --container=conjur-oss conjurctl account create default ``` The chart value for `account` would be expected to equal `default`. -## Uninstalling the Chart +### Installing Conjur with an External Postgres Database -To uninstall/delete the `my-release` deployment: +You can configure Conjur to use an external (non-integrated) Postgres database +by running `helm install` with the following command line argument (or +setting the equivalent field in a custom values.yaml file): ``` -$ helm delete my-release + --set database.url= ``` -The command removes all the Kubernetes components -associated with the chart and deletes the release. +If this chart value is not explicitly set, then an integrated Postgres +database will be deployed along with Conjur. + +### Auto-Generated Configuration + +By default, a `helm install` of the Conjur OSS helm chart will include +automatic generation of the following configuration: + +- Postgres database password (for integrated Postgres database only). + + _Note: The database password configuration is not used when an external + Postgres database is configured._ + + The database password for an integrated Postgres database is automatically + generated if it is not set explicitly. Alternatively, the database password + can be set explicitly by including the following `helm install` command + line argument (or by setting the equivalent field in a custom values.yaml + file): + + ``` + --set database.password= + ``` + +- Postgres database SSL certificate and key (for integrated Postgres + database only). + + Alternatively, these values can be set explicitly with the following + `helm install` arguments (or by setting the equivalent field in a custom + values.yaml file): + + ``` + --set database.ssl.cert= + --set database.ssl.key= + ``` + +- Conjur SSL CA signing certificate and SSL self-signed certificate. + + Alternatively, these values can be set explicitly with the following + `helm install` arguments: + + ``` + --set ssl.caCert= + --set ssl.caKey= + --set ssl.cert= + --set ssl.key= + ``` + +## Upgrading, Modifying, or Migrating a Conjur OSS Helm Deployment + +This Helm chart supports modifications or upgrades of a Conjur deployment via +`helm upgrade`. This includes tasks such as rotating SSL certificates. + +For details on how to upgrade or modify an existing Conjur OSS Helm deployment, +or migrate Conjur configuration from on Conjur OSS Helm deployment to a new, +separate Conjur OSS Helm deployment, please see the +[UPGRADING.md](UPGRADING.md) markdown file. ## Configuration @@ -104,18 +268,21 @@ The following table lists the configurable parameters of the Conjur OSS chart an |`account`|Name of the Conjur account to be used by the Kubernetes authenticator|`"default"`| |`authenticators`|List of authenticators that Conjur will whitelist and load.|`"authn"`| |`conjurLabels`|Extra Kubernetes labels to apply to Conjur resources|`{}`| -|`databaseUrl`|PostgreSQL connection string. If left blank, a PostgreSQL deployment is created.|`""`| +|`database.url`|PostgreSQL connection string. If left blank, an integrated PostgreSQL deployment is created.|`""`| +|`database.password`|PostgreSQL database password string. Unused if an external Postgres database is configured. See [PostgreSQL Database Password Restrictions](#postgresql-database-password-restrictions) below.|`""`| +|`database.ssl.Cert`|PostgreSQL TLS x509 certificate, base64 encoded.|`""`| +|`database.ssl.key`|PostgreSQL TLS private key, base64 encoded.|`""`| |`dataKey`|Conjur data key, 32 byte base-64 encoded string for data encryption.|`""`| |`deployment.annotations`|Annotations for Conjur deployment|`{}`| |`image.repository`|Conjur Docker image repository|`"cyberark/conjur"`| -|`image.tag`|Conjur Docker image tag|`"latest"`| +|`image.tag`|Conjur Docker image tag|`"1.5"`| |`image.pullPolicy`|Pull policy for Conjur Docker image|`"Always"`| |`nginx.image.repository`|NGINX Docker image repository|`"nginx"`| |`nginx.image.tag`|NGINX Docker image tag|`"1.15"`| |`nginx.image.pullPolicy`|Pull policy for NGINX Docker image|`"IfNotPresent"`| |`postgres.image.pullPolicy`|Pull policy for postgres Docker image|`"IfNotPresent"`| |`postgres.image.repository`|postgres Docker image repository|`"postgres"`| -|`postgres.image.tag`|postgres Docker image tag|`"10.1"`| +|`postgres.image.tag`|postgres Docker image tag|`"10.12"`| |`postgres.persistentVolume.create`|Create a peristent volume to back the PostgreSQL data|`true`| |`postgres.persistentVolume.size`|Size of persistent volume to be created for PostgreSQL|`"8Gi"`| |`postgres.persistentVolume.storageClass`|Storage class to be used for PostgreSQL persistent volume claim|`nil`| @@ -134,6 +301,67 @@ The following table lists the configurable parameters of the Conjur OSS chart an |`ssl.hostname`|Hostname and Common Name for generated certificate and ingress|`"conjur.myorg.com"`| |`postgresLabels`|Extra Kubernetes labels to apply to Conjur PostgreSQL resources|`{}`| +### PostgreSQL Database Password Restrictions +The following restrictions apply to the PostgreSQL database password: + +- Password must only contain the following: + - Digits (0-9) + - Letters (A-Z,a-z) + - The special characters: + ["-", ".", "_", or "~"] +- Password length must be less than or equal to 64 characters. + +## Deleting the Conjur Deployment + +Uninstalling or deleting a Conjur deployment involves two steps: +- Running `helm delete` to delete Kubernetes resources that are + managed directly by Helm as part of the Conjur Helm release. +- Using `kubectl delete` to delete Kubernetes secrets that are associated + with the Conjur release, but are not managed directly by Helm. + +### Uninstalling the Chart via Helm Delete +To uninstall/delete resources that are associated with a Conjur deployment +that are directly managed by Helm, use `helm delete`: + +```sh-session + $ CONJUR_NAMESPACE="" + $ HELM_RELEASE="conjur-oss" + $ helm delete -n "$CONJUR_NAMESPACE" "$HELM_RELEASE" +``` + +### Cleaning Up Kubernetes Secrets Not Managed by Helm + +Following a `helm delete` of a Conjur deployment, there may be some +residual Kubernetes secrets that have not been deleted. This will happen +whenever secrets are created for "auto-generated" Conjur configuration. +Such secrets are decorated with a "pre-install" Helm hook annotation, +essentially making these secrets "self-managed" from a Helm perspective. +The benefit to having these secrets become "self-managed" is that it prevents +loss of that configuration as a result of `helm upgrade` operations. The +downside is that those secrets are no longer cleaned up as part of +`helm delete`. + +The Kubernetes secrets that may need to be manually deleted following +`helm delete` are: + +|Secret Name|Description|When is Manual Deletion Required?| +|-----------|-----------|---------------------------------| +|`-conjur-database-password`|Database Password|When created (i.e. database URL not explicitly set)| +|`-conjur-database-ssl`|Database SSL Certificate|When auto-generated (i.e. not explicitly set)| +|`-conjur-database-url`|Database URL|When auto-generated (i.e. not explicitly set)| +|`-conjur-data-key`|Data encryption key|Always| +|`-conjur-ssl-ca-cert`|Conjur SSL CA Certificate|When auto-generated (i.e. not explicitly set)| +|`-conjur-ssl-cert`|Conjur SSL Access Certificate|When auto-generated (i.e. not explicitly set)| + +To delete the residual "self-managed" Kubernetes secrets associated with +the Conjur deployment, run the following: + +```sh-session +$ CONJUR_NAMESPACE="" +$ HELM_RELEASE="conjur-oss" +$ kubectl delete secrets -n "$CONJUR_NAMESPACE" --selector="release=$HELM_RELEASE" +``` + ## Contributing This chart is maintained at diff --git a/conjur-oss/UPGRADING.md b/conjur-oss/UPGRADING.md new file mode 100644 index 0000000..7179bd2 --- /dev/null +++ b/conjur-oss/UPGRADING.md @@ -0,0 +1,560 @@ +# Upgrading, Modifying, or Migrating a Conjur OSS Helm Deployment + +This guide describes how to upgrade, modify, or migrate data from a +[CyberArk Conjur Open Source](https://www.conjur.org) (Conjur OSS) +installation that has been deployed using the +[Conjur OSS Helm Chart](https://github.com/cyberark/conjur-oss-helm-chart/conjur-oss). + +There are two main scenarios covered in this document: +- Upgrading/Modifying an existing Conjur OSS Helm release +- Migrating configuration from an existing Conjur OSS Helm release + to a new Conjur OSS Helm Release + +For more details about installing Conjur OSS or contributing to Conjur OSS +Helm chart development, please refer to the +[Conjur OSS Helm Chart repository](https://github.com/cyberark/conjur-oss-helm-chart/conjur-oss). + +To see what Conjur OSS Helm chart configurations can be upgraded/updated, +please refer to the [Configuration](README.md#configuration) section of +the Conjur OSS Helm chart [README.md](README.md) file. + +--- + +## Table of Contents + +- [Prerequisites and Guidelines](#prerequisites-and-guidelines) +- [Upgrading/Modifying a Conjur OSS Helm Release](#upgradingmodifying-a-conjur-oss-helm-release) + * [Running Helm Upgrade](#running-helm-upgrade) + + [Example: Upgrading Conjur Version](#example-upgrading-conjur-version) + + [Example: Upgrading NGINX Version](#example-upgrading-nginx-version) + * [Rotating the SSL Certificate for an Integrated Postgres Database](#rotating-the-ssl-certificate-for-an-integrated-postgres-database) + * [Rotating the Conjur SSL CA and Access Certificates](#rotating-the-conjur-ssl-ca-and-access-certificates) + * [Updating the Database URL for an External Postgres Database](#updating-the-database-url-for-an-external-postgres-database) +- [Migrating Conjur OSS Configuration to a New Conjur OSS Helm Release](#migrating-conjur-oss-configuration-to-a-new-conjur-oss-helm-release) + * [Overview](#overview) + * [Assumptions and Limitations](#assumptions-and-limitations) + * [Migrating Conjur OSS Configuration With Integrated Postgres Database](#migrating-conjur-oss-configuration-with-integrated-postgres-database) + + [Step 1: Save Helm State and Kubernetes Secrets Data](#step-1-save-helm-state-and-kubernetes-secrets-data) + + [Step 2: Save Postgres Database State](#step-2-save-postgres-database-state) + + [Step 3: Uninstall Original Conjur OSS Helm Release](#step-3-uninstall-original-conjur-oss-helm-release) + + [Step 4: Helm Install a New Conjur OSS Deployment](#step-4-helm-install-a-new-conjur-oss-deployment) + + [Step 5: Restore the Postgres Database](#step-5-restore-the-postgres-database) + + [Step 6: Redeploy helm chart with updated 'replicaCount'](#step-6-redeploy-helm-chart-with-updated-replicaCount) + * [Migrating Conjur OSS Configuration With External Postgres Database](#migrating-conjur-oss-configuration-with-external-postgres-database) + + [Step 1: Save Helm State and Kubernetes Secrets Data](#step-1-save-helm-state-and-kubernetes-secrets-data) + + [Step 2: Uninstall Original Conjur OSS Helm Release](#step-2-uninstall-original-conjur-oss-helm-release) + + [Step 3: Helm Install a New Conjur OSS Deployment](#step-3-helm-install-a-new-conjur-oss-deployment) + +## Prerequisites and Guidelines + +Please refer to the +[Prerequisites and Guidelines](README.md#prerequisites-and-guidelines) +section of Conjur OSS helm chart [README.md](README.md) file for overall +prerequisites and guidelines for using the Conjur OSS helm chart. + +## Upgrading/Modifying a Conjur OSS Helm Release + +This Helm chart supports modifications or upgrades of a Conjur deployment via +`helm upgrade`. There are three upgrade scenarios to consider, depending on +whether there are any major (breaking) version changes for the release +components: + +- Conjur +- NGINX +- Postgres + +and depending on whether the Helm chart used for upgrade is different than +that used for Helm install: + +|Component Version Changes|Chart Version Used for Upgrade|Currently Supported?|Notes| +|-------------------------|------------------------------|:------------------:|:---:| +|Minor (i.e. non-breaking)|Same version as Helm install|**YES**|| +|Minor (i.e. non-breaking)|Different version than Helm install|**YES**|| +|Major (breaking)|Same or different than Helm install|**NO**|**Note 1, Note 2**| + +_**Note 1**: To determine if a version change/bump is considered a breaking change, refer +to this repository's `CHANGELOG.md` file for the respective current vs. new +helm chart version._ + +_**Note 2**: Details on how upgrades involving breaking changes to Conjur, NGINX, + or PostgreSQL) will be supported in future releases are TBD._ + +### Running Helm Upgrade + +To perform a Helm upgrade, run the following (replacing `` +with your Conjur deployment namespace): + +```sh-session +$ CONJUR_NAMESPACE="" +$ HELM_RELEASE="conjur-oss" +$ helm upgrade \ + -n "$CONJUR_NAMESPACE" \ + --reuse-values \ + --recreate-pods \ + < INSERT YOUR --set CUSTOMIZATION SETTINGS HERE > \ + "$HELM_RELEASE" \ + https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v/conjur-oss-.tgz +``` + +Or if you've cloned the https://github.com/cyberark/conjur-oss-helm-chart +repository (replacing `` with your Conjur deployment namespace): + +```sh-session +$ CONJUR_NAMESPACE="" +$ HELM_RELEASE="conjur-oss" +$ helm upgrade \ + -n "$CONJUR_NAMESPACE" \ + --reuse-values \ + --recreate-pods \ + < INSERT YOUR --set CUSTOMIZATION SETTINGS HERE > \ + "$HELM_RELEASE" \ + ./conjur-oss +``` + +Some notes: + +- The `--reuse-values` is required to preserve any non-default values + that were used during your previous `helm install`. +- `--recreate-pods` is required to ensure that pods are using the latest + configuration from Kubernetes `secrets` and `configMaps` following + `helm upgrade`. +- Custom values that can be set via `--set` are described in the + [Custom Installation](README.md#custom-installation) section of the + [README.md](README.md) file. +- The master data key used in the `helm install` is preserved for `helm + upgrade` operations. It is not possible to modify the master data key + via `helm upgrade`. +- The database password used by an integrated Postgres database is preserved + for `helm upgrade`. It is not possible to modify the database password + via `helm upgrade`. +- By default, the Postgres database SSL self-signed certificate and key are + preserved for `helm upgrade`. To rotate the database SSL certificate and + key, see the + [Rotating the SSL Certificate for an Integrated Postgres Database](#rotating-the-ssl-certificate-for-an-integrated-postgres-database) + section below. +- By default, the Conjur CA certificate and self-signed certificate (for + external access) are preserved for `helm upgrade`. To rotate the Conjur + CA and self-signed certificates, see the + [Rotating the Conjur SSL CA and Self-Signed Certificates](#rotating-the-conjur-ssl-ca-and-self-signed-certificates) + section below. + +#### Example: Upgrading Conjur Version + +For example, to upgrade the version of Conjur that is used in the Conjur +deployment, run the following: + +```sh-session +$ CONJUR_NAMESPACE="" +$ HELM_RELEASE="conjur-oss" +$ helm upgrade \ + -n "$CONJUR_NAMESPACE" \ + --reuse-values \ + --recreate-pods \ + --set image.tag="" \ + "$HELM_RELEASE" \ + ./conjur-oss +``` + +#### Example: Upgrading NGINX Version + +For example, to change the version of NGINX that is used in the Conjur +deployment, run the following: + +```sh-session +$ CONJUR_NAMESPACE="" +$ HELM_RELEASE="conjur-oss" +$ helm upgrade \ + -n "$CONJUR_NAMESPACE" \ + --reuse-values \ + --recreate-pods \ + --set nginx.image.tag="" \ + "$HELM_RELEASE" \ + ./conjur-oss +``` + +### Rotating the SSL Certificate for an Integrated Postgres Database + +If a Helm deployment of Conjur OSS included the deployment of an integrated +Postgres database (i.e. the `database.url` chart value was not explicitly +set for `helm install`), then `helm upgrade` operations will by default +preserve the self-signed SSL certificate and key used to access the +integrated database. + +Alternatively, the integrated database SSL certificate and key can be +manually updated (or "rotated") as follows: + +1. Generate a self-signed certificate and key. + +2. Delete the Kubernetes secret for the database SSL certificate. (Note: + this is optional if the current database SSL certificate was set + explicitly, but mandatory if the SSL certificate and key were + auto-generated by the Conjur OSS Helm chart): + +```sh-session +$ CONJUR_NAMESPACE="" +$ HELM_RELEASE="conjur-oss" +$ CERT_SECRET=$(kubectl get secrets \ + -n "$CONJUR_NAMESPACE" \ + -l "app=conjur-oss,release=$HELM_RELEASE" \ + -o name \ + | grep conjur-database-ssl) +$ kubectl delete -n "$CONJUR_NAMESPACE" "$CERT_SECRET" +``` + +3. Run `helm upgrade`, setting the certificate values from Step 1: + +```sh-session +$ helm upgrade \ + -n "$CONJUR_NAMESPACE" \ + --reuse-values \ + --recreate-pods \ + --set database.ssl.cert="" \ + --set database.ssl.key="" \ + "$HELM_RELEASE" \ + ./conjur-oss +``` + +### Rotating the Conjur SSL CA and Access Certificates + +By default, a `helm upgrade` operation will preserve the SSL CA certificate +and key used for signing and the SSL certificate and key used for +external Conjur access. + +Alternatively, the Conjur SSL CA and SSL access certificates can be manually +updated (or "rotated") as follows: + +1. Generate an SSL CA self-signing certificate and key and a self-signed + certificate and key for external Conjur access. + +2. Delete the Kubernetes secrets for the Conjur CA signing certificate and + the Conjur self-signed certificate. (Note: This step is optional if the + current Conjur CA and self-signed certificates were set explicitly, but + mandatory if these certificates were auto-generated by the Conjur + OSS Helm chart): + +```sh-session +$ CONJUR_NAMESPACE="" +$ HELM_RELEASE="conjur-oss" +$ CA_SECRET=$(kubectl get secrets \ + -n "$CONJUR_NAMESPACE" \ + -l "app=conjur-oss,release=$HELM_RELEASE" \ + -o name \ + | grep conjur-ssl-ca-cert) +$ kubectl delete -n "$CONJUR_NAMESPACE" "$CA_SECRET" +$ CERT_SECRET=$(kubectl get secrets \ + -n "$CONJUR_NAMESPACE" \ + -l "app=conjur-oss,release=$HELM_RELEASE" \ + -o name \ + | grep conjur-ssl-cert) +$ kubectl delete -n "$CONJUR_NAMESPACE" "$CERT_SECRET" +``` + +3. Run `helm upgrade`, setting the certificate values from Step 1: + +```sh-session +$ helm upgrade \ + -n "$CONJUR_NAMESPACE" \ + --reuse-values \ + --recreate-pods \ + --set ssl.caCert="" \ + --set ssl.caKey="" \ + --set ssl.cert="" \ + --set ssl.key="" \ + "$HELM_RELEASE" \ + ./conjur-oss +``` + +### Updating the Database URL for an External Postgres Database + +If you are using an external Postgres database for your Conjur deployment +(i.e. you had explicitly set the `database.url` chart value in your +prior `helm install`), then by default any `helm upgrade` operation that +uses the `--reuse-values` flag will preserve that `database.url` value. + +On the other hand, if you need to update the `database.url` connection +string for some reason (e.g. the domain name or password for +the external Postgres database has been changed), then you **must +update the database URL by doing a `helm upgrade` that uses the command +line argument `--set "database.url="`**: + +```sh-session +$ CONJUR_NAMESPACE="" +$ HELM_RELEASE="conjur-oss" +$ helm upgrade \ + -n "$CONJUR_NAMESPACE" \ + --reuse-values \ + --recreate-pods \ + --set "database.url=" \ + "$HELM_RELEASE" \ + ./conjur-oss +``` + +## Migrating Conjur OSS Configuration to a New Conjur OSS Helm Release + +### Overview + +In some cases, it may be desirable to migrate Conjur configuration from +one Conjur OSS Helm release to a new, separate Helm release. For example, +you may want to migrate your Conjur OSS deployment to a different +Kubernetes provider, or you may want to move your Conjur OSS deployment +to a more secure Kubernetes environment. + +This section provides the steps for extracting Conjur configuration from +an existing Conjur OSS Helm deployment, and restoring that Conjur configuration +on a new, separate Conjur OSS Helm deployment. + +The backup operation from the original Conjur OSS deployment involves +extracting Conjur OSS state from three sources: + +- Kubernetes secrets +- Helm state +- Postgres database state + +The restore operation to the new Conjur OSS deployment involves: + +- Running `helm init` to restore Helm state and Kubernetes secrets +- Postgres restore of Conjur's database state + +### Assumptions and Limitations + +- Currently, _the version of Conjur for the new Conjur OSS deployment + **MUST** be the same as the version of Conjur on the original Conjur + OSS deployment_. (Support for migration to different versions of Conjur + may be available in the future, but this will require schema translation + logic that is TBD). +- For deployments using an integrated Postgres database, _the **major** + version of Postgres in the new Conjur OSS deployment must be the + same as the **major** version of Postgres in the original deployment_. +- For simplicity, the instructions described here will include the + recreation of only a critical **subset** of Helm state from the old Conjur + deployment to new deployment. It is possible to modify the steps to + include transfer of more Helm state, but that is left out-of-scope for + simplicity in these instructions. + + The Helm values that are included in the migration described here: + - `account` + - `authenticators` + - `database.password` + - `database.url` + - `dataKey` + + The Helm values that are left out for simplicity and brevity are all + other Helm chart values listed in the + [Configuration](README.md#configuration) section of the + [README.md](README.md) file. + +- _**All instructions that follow assume that you are in the base of + https://github.com/cyberark/conjur-oss-helm-chart repo**_ + +### Migrating Conjur OSS Configuration With Integrated Postgres Database + +When a Conjur OSS Helm deployment includes an integrated (internal) Postgres +database, the procedure for migrating Conjur OSS state to a new Conjur OSS +Helm deployment is as follows: + +#### Step 1: Save Helm State and Kubernetes Secrets Data + +_This assumes that only Conjur is in the specified namespace. + If not, manually set the `helm_chart_name` variable_ + +(Replace `` with your Conjur deployment namespace.) + +```sh-session +$ namespace="" + +$ helm_chart_name=$(helm list -n "$namespace" -q) +$ account=$(helm show values "$helm_chart_name" | \ + awk '/^account:/{print $2}' | \ + sed -e 's/^"//' -e 's/"$//') +$ authenticators=$(kubectl get secret \ + -n "$namespace" \ + "${helm_chart_name}-conjur-authenticators" \ + -o jsonpath="{.data.key }" | \ + base64 --decode) +$ data_key=$(kubectl get secret \ + -n "$namespace" \ + "${helm_chart_name}-conjur-data-key" \ + -o jsonpath="{.data.key }" | \ + base64 --decode) +``` + +Next, check your Conjur OSS chart version: + +```sh-session +$ helm show chart "$helm_chart_name"| awk '/^version:/{print $2}' +``` + +If your Conjur OSS chart version is 2.0.0 or newer, then you will also need +to store the database password: +```sh-session +$ db_password=$(kubectl get secret \ + -n "$namespace" \ + "${helm_chart_name}-conjur-database-password" \ + -o jsonpath="{.data.key }" | \ + base64 --decode) +``` + +#### Step 2: Save Postgres Database State + +```sh-session +# Get name of the Postgres pod in the current deployment +$ postgres_old_pod=$(kubectl get pods \ + -n "$namespace" \ + -l "app=conjur-oss-postgres" \ + -o jsonpath="{.items[0].metadata.name}") + +# Run the `pg_dump` utility to create a database archive file +$ kubectl exec -it \ + -n "$namespace" \ + $postgres_old_pod \ + -- pg_dump -U postgres -c -C --column-inserts \ + --inserts -f /dbdump.tar -F tar + +# Copy the database archive file from the Postgres pod to your local machine +$ kubectl cp -n "$namespace" $postgres_old_pod:dbdump.tar dbdump.tar +``` + +#### Step 3: Uninstall Original Conjur OSS Helm Release + +Run `helm uninstall ...` to delete the original Conjur OSS Helm release +and delete any residual, "self-managed" Kubernetes secrets. + +**WARNING: This will remove your old certificates!** + +```sh-session +$ helm uninstall -n "$namespace" $helm_chart_name +$ kubectl delete secrets -n "$namespace" -l release="$helm_chart_name" +``` + +#### Step 4: Helm Install a New Conjur OSS Deployment + +**WARNING: This will possibly change your external service IP!** + +_This new deployment is unusable in this state as a regular deployment since + the `replicaCount` is temporarily set to 0 (which is intentional). The + `helm upgrade` in [Step 6](#step-6-redeploy-helm-chart-with-updated-replicacount) + below will enable it._ + +```sh-session +$ namespace="" +$ helm_chart_name=conjur-oss +$ helm install \ + -n "$namespace" \ + --set account="$account" \ + --set authenticators="$authenticators" \ + --set database.password="$db_password" \ + --set dataKey="$data_key" \ + --set replicaCount=0 \ + $helm_chart_name \ + ./conjur-oss +``` + +#### Step 5: Restore the Postgres Database + +_We use the `template1` part of the connection string to delete and recreate the database. +This assumes that database names have not changed between upgrades. Replace `postgres` in the +`sed` command if your connection string used a different database name._ + +```sh-session +# Get the name of the Postgres pod in the new deployment +$ postgres_new_pod=$(kubectl get pods \ + -n "$namespace" \ + -l "app=conjur-oss-postgres" \ + -o jsonpath="{.items[0].metadata.name}") + +# Copy the database archive file from your local machine to the Postgres +# pod in the new deployment +$ kubectl cp -n "$namespace" ./dbdump.tar $postgres_new_pod:/dbdump.tar + +# Run the `pg_restore` utility to restore the database archive file to +# the Postgres pod. +$ pg_restore_connection_string=$(kubectl get secret \ + -n "$namespace" \ + ${helm_chart_name}-conjur-database-url \ + -o jsonpath="{.data.key}" | \ + base64 --decode | \ + sed 's/postgres?/template1?/') +$ kubectl exec -it -n "$namespace" \ + $postgres_new_pod \ + -- pg_restore -C -c -d "$pg_restore_connection_string" /dbdump.tar + +# Remove the database archive file from the Postgres pod +$ kubectl exec -it -n "$namespace" \ + $postgres_new_pod \ + -- rm -rf /dbdump.tar +``` + +#### Step 6: Redeploy Helm Chart With Updated `replicaCount` + +```sh-session +$ helm upgrade -n "$namespace" \ + --reuse-values \ + --recreate-pods \ + --set replicaCount="1" \ + $helm_chart_name \ + ./conjur-oss +``` + +### Migrating Conjur OSS Configuration With External Postgres Database + +When a Conjur OSS Helm deployment includes an external Postgres database, +the procedure for migrating Conjur OSS state to a new Conjur OSS Helm +deployment is as follows: + +#### Step 1: Save Helm State and Kubernetes Secrets Data + +_This assumes that only Conjur is in the specified namespace. + If not, manually set the `helm_chart_name` variable_ + +```sh-session +$ namespace="" + +$ helm_chart_name=$(helm list -n "$namespace" -q) +$ account=$(helm show values "$helm_chart_name" | \ + awk '/^account:/{print $2}' | \ + sed -e 's/^"//' -e 's/"$//') +$ authenticators=$(kubectl get secret \ + -n "$namespace" \ + "${helm_chart_name}-conjur-authenticators" \ + -o jsonpath="{.data.key }" | \ + base64 --decode) +$ data_key=$(kubectl get secret \ + -n "$namespace" \ + "${helm_chart_name}-conjur-data-key" \ + -o jsonpath="{.data.key }" | \ + base64 --decode) +$ db_url=$(kubectl get secret \ + -n "$namespace" \ + "${helm_chart_name}-conjur-database-url" \ + -o jsonpath="{.data.key }" | \ + base64 --decode) +``` + +#### Step 2: Uninstall Original Conjur OSS Helm Release + +Run `helm uninstall ...` to delete the original Conjur OSS Helm release +and delete any residual, "self-managed" Kubernetes secrets. + +**WARNING: This will remove your old certificates!** + +```sh-session +$ helm uninstall -n "$namespace" $helm_chart_name +$ kubectl delete secrets -n "$namespace" -l release="$helm_chart_name" +``` + +#### Step 3: Helm Install a New Conjur OSS Deployment + +**WARNING: This will possibly change your external service IP!** + +```sh-session +$ namespace="" +$ helm_chart_name=conjur-oss +$ helm install \ + -n "$namespace" \ + --set account="$account" \ + --set authenticators="$authenticators" \ + --set database.url="$db_url" \ + --set dataKey="$data_key" \ + $helm_chart_name \ + ./conjur-oss +``` diff --git a/conjur-oss/templates/NOTES.txt b/conjur-oss/templates/NOTES.txt index fcaff02..eb2e57e 100644 --- a/conjur-oss/templates/NOTES.txt +++ b/conjur-oss/templates/NOTES.txt @@ -8,7 +8,9 @@ It may take 1-10 minutes for the LoadBalancer IP to be available. You can watch the status of the progress by running: - kubectl get svc -w {{ template "conjur-oss.fullname" . }}-ingress + kubectl get svc \ + --namespace {{ .Release.Namespace }} \ + -w {{ template "conjur-oss.fullname" . }}-ingress and waiting until you have a value in "EXTERNAL-IP" column. @@ -42,7 +44,10 @@ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} \ -l "app={{ template "conjur-oss.name" . }},release={{ .Release.Name }}" \ -o jsonpath="{.items[0].metadata.name}") - kubectl exec $POD_NAME --container={{ .Chart.Name }} conjurctl account create {{ .Values.account | quote }} + kubectl exec --namespace {{ .Release.Namespace }} \ + $POD_NAME \ + --container={{ .Chart.Name }} \ + -- conjurctl account create {{ .Values.account | quote }} Note that the conjurctl account create command gives you the public key and admin API key for the account administrator you created. diff --git a/conjur-oss/templates/_helpers.tpl b/conjur-oss/templates/_helpers.tpl index 95037d9..9948de2 100644 --- a/conjur-oss/templates/_helpers.tpl +++ b/conjur-oss/templates/_helpers.tpl @@ -50,6 +50,28 @@ Generate CA and end user certificate for NGINX {{- $_ := set . "certKey" ($cert.Key | b64enc) }} {{- end -}} +{{/* +Use the database password chart value if provided, or generate a +64-character, random, alphanumeric password for the backend database +*/}} +{{- define "conjur-oss.database-password" -}} +{{- if .Values.database.password }} +{{- $_ := set . "dbPassword" (.Values.database.password | trunc 64) }} +{{- else }} +{{- $_ := set . "dbPassword" (randAlphaNum 64) }} +{{- end }} +{{- end -}} + +{{/* +Generate self-signed certificate for the backend database +*/}} +{{- define "conjur-oss.database-cert-gen" -}} +{{- $expiration := .Values.database.ssl.expiration | int -}} +{{- $cert := genSelfSignedCert "pg" nil nil $expiration -}} +{{- $_ := set . "dbCrt" ($cert.Cert | b64enc) }} +{{- $_ := set . "dbKey" ($cert.Key | b64enc) }} +{{- end -}} + {{/* Return the most recent RBAC API available */}} diff --git a/conjur-oss/templates/postgres.yaml b/conjur-oss/templates/postgres.yaml index 55daca8..62c63b2 100644 --- a/conjur-oss/templates/postgres.yaml +++ b/conjur-oss/templates/postgres.yaml @@ -1,4 +1,4 @@ -{{ if eq .Values.databaseUrl "" }} +{{ if eq .Values.database.url "" }} --- apiVersion: v1 kind: Service @@ -20,7 +20,7 @@ spec: selector: *AppPostgresServiceLabels --- apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: name: {{ .Release.Name }}-postgres labels: &AppPostgresLabels @@ -34,6 +34,7 @@ metadata: {{ toYaml . | indent 4 }} {{- end }} spec: + serviceName: {{ .Release.Name }}-postgres replicas: 1 selector: matchLabels: *AppPostgresLabels @@ -47,14 +48,34 @@ spec: - image: "{{ .Values.postgres.image.repository }}:{{ .Values.postgres.image.tag }}" imagePullPolicy: {{ .Values.postgres.image.pullPolicy }} name: postgres -{{ if .Values.postgres.persistentVolume.create }} + args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/tls.crt", "-c", "ssl_key_file=/etc/certs/tls.key"] + env: + - name: POSTGRES_HOST_AUTH_METHOD + value: password + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-conjur-database-password + key: key + - name: PGDATA + value: /var/lib/postgresql/data/pgdata volumeMounts: - - mountPath: "/var/lib/postgresql" - name: postgres-data +{{ if .Values.postgres.persistentVolume.create }} + - name: postgres-data + mountPath: "/var/lib/postgresql/data" +{{- end }} + - name: ssl-certs + mountPath: "/etc/certs" + readOnly: true volumes: +{{ if .Values.postgres.persistentVolume.create }} - name: postgres-data persistentVolumeClaim: claimName: {{ .Release.Name }}-conjur-oss-pvc {{- end }} ---- + - name: ssl-certs + secret: + secretName: {{ .Release.Name }}-conjur-database-ssl + # Set file permissions to 0600 (which corresponds to 384 decimal) + defaultMode: 384 {{ end }} diff --git a/conjur-oss/templates/secrets.yaml b/conjur-oss/templates/secrets.yaml index 42a45aa..e9fb35a 100644 --- a/conjur-oss/templates/secrets.yaml +++ b/conjur-oss/templates/secrets.yaml @@ -31,10 +31,14 @@ metadata: {{- with .Values.conjurLabels }} {{ toYaml . | indent 4 }} {{- end }} + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation type: Opaque data: - key: "{{ required "'dataKey' has no value, it must be provided!" .Values.dataKey | b64enc }}" + key: {{ required "'Values.dataKey' is required for helm install. For helm upgrade, use '--reuse-values' command line flag" .Values.dataKey | b64enc }} --- +{{- include "conjur-oss.database-password" . }} apiVersion: v1 kind: Secret metadata: @@ -49,10 +53,69 @@ metadata: {{- with .Values.conjurLabels }} {{ toYaml . | indent 4 }} {{- end }} +{{- if not .Values.database.url }} + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation +{{- end }} type: Opaque data: - {{ if .Values.databaseUrl }} - key: {{ .Values.databaseUrl | b64enc }} + {{ if .Values.database.url }} + key: {{ .Values.database.url | b64enc }} {{ else }} - key: {{ printf "postgres://postgres@%v-postgres/postgres" .Release.Name | b64enc }} + key: {{ printf "postgres://postgres:%s@%v-postgres/postgres?sslmode=require" .dbPassword .Release.Name | b64enc }} {{ end }} + +{{ if eq .Values.database.url "" }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-conjur-database-password + labels: + app: {{ template "conjur-oss.name" . }} + chart: {{ template "conjur-oss.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/component: service +{{- with .Values.conjurLabels }} +{{ toYaml . | indent 4 }} +{{- end }} + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation +type: Opaque +data: + key: {{ .dbPassword | b64enc }} +--- +{{- include "conjur-oss.database-cert-gen" . }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-conjur-database-ssl + labels: + app: {{ template "conjur-oss.name" . }} + chart: {{ template "conjur-oss.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/component: service +{{- with .Values.conjurLabels }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- if not .Values.database.ssl.cert }} + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation +{{- end }} +type: kubernetes.io/tls +data: +{{- if .Values.database.ssl.cert }} + tls.crt: {{ .Values.database.ssl.cert }} + tls.key: {{ required "'Values.database.ssl.key' has no value, it must be provided!" .Values.database.ssl.key }} +{{- else }} + tls.crt: {{ .dbCrt }} + tls.key: {{ .dbKey }} +{{- end }} +{{ end }} diff --git a/conjur-oss/templates/ssl-cert.yaml b/conjur-oss/templates/ssl-cert.yaml index b87d7df..f6ba1f6 100644 --- a/conjur-oss/templates/ssl-cert.yaml +++ b/conjur-oss/templates/ssl-cert.yaml @@ -14,10 +14,20 @@ metadata: {{- with .Values.conjurLabels }} {{ toYaml . | indent 4 }} {{- end }} +{{- if not .Values.ssl.caCert }} + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation +{{- end }} type: kubernetes.io/tls data: +{{- if .Values.ssl.caCert }} + tls.crt: {{ .Values.ssl.caCert }} + tls.key: {{ required "'Values.ssl.caKey' must be provided!" .Values.ssl.caKey }} +{{- else }} tls.crt: {{ .caCrt }} tls.key: {{ .caKey }} +{{- end }} --- apiVersion: v1 kind: Secret @@ -33,7 +43,17 @@ metadata: {{- with .Values.conjurLabels }} {{ toYaml . | indent 4 }} {{- end }} +{{- if not .Values.ssl.caCert }} + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation +{{- end }} type: kubernetes.io/tls data: +{{- if .Values.ssl.caCert }} + tls.crt: {{ required "'Values.ssl.cert' must be provided!" .Values.ssl.cert }} + tls.key: {{ required "'Values.ssl.key' must be provided!" .Values.ssl.key }} +{{- else }} tls.crt: {{ .certCrt }} tls.key: {{ .certKey }} +{{- end }} diff --git a/conjur-oss/values.yaml b/conjur-oss/values.yaml index 9faedae..ff33c58 100644 --- a/conjur-oss/values.yaml +++ b/conjur-oss/values.yaml @@ -1,62 +1,105 @@ # Default values for conjur-oss. -# Name of Conjur account to be created + +# NOTE: It is recommended that any chart values that contain sensitive +# information (e.g. database.password, database.url, and SSL certificates +# and keys) be set on the command line with a `--set key=value` argument +# rather than setting these in a custom values YAML file. This avoids the +# risk of leaving around residual values files containing this sensitive +# information. + + +# Name of Conjur account to be created. Maps to CONJUR_ACCOUNT env variable +# for the Conjur container. account: "default" +# Affinity rules to apply to the Conjur pod to indicate to Kubernetes scheduler +# which nodes would be most appropriate for Conjur pod placement. See: +# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node affinity: {} -# Conjur whitelisted authenticators. Maps as CONJUR_AUTHENTICATORS env variable. +# Conjur whitelisted authenticators, presented as a comma-separated list. +# Maps to CONJUR_AUTHENTICATORS env variable for the Conjur container. authenticators: "authn" # Additional labels to apply to all conjur resources conjurLabels: {} -# PostgreSQL connection string. If left blank, a PostgreSQL deployment is created. -databaseUrl: "" +database: + # PostgreSQL connection password. If left blank, a pseudo-random, + # 64-character alphanumeric password will be auto-generated. + # Note that this value will be ignored for Helm upgrade operations. + password: "" + + ssl: + # Backend database SSL certificate and private key. These should be + # base64-encoded strings. If these values are not set, a self-signed + # certificate will be auto-generated. + cert: "" + key: "" + # Expiration for an auto-generated cert. + expiration: 365 # days + + # PostgreSQL connection string. If left blank, a PostgreSQL deployment + # is created. This value will be ignored for Helm upgrade operations + # (i.e. value used for install is reused). + url: "" # Conjur data key, 32 byte base-64 encoded string for data encryption. # Generate one with `docker run --rm cyberark/conjur data-key generate`. dataKey: "" +# Annotations to apply to the Conjur deployment. deployment: annotations: {} image: pullPolicy: Always repository: cyberark/conjur # https://hub.docker.com/r/cyberark/conjur/ - tag: latest - -nodeSelector: {} + tag: 1.5 nginx: image: - pullPolicy: IfNotPresent + pullPolicy: Always repository: nginx # https://hub.docker.com/_/nginx/ tag: '1.15' +# nodeSelector (node selection constraints) to apply to the Conjur pod. Refer to: +# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector +nodeSelector: {} + postgres: image: - pullPolicy: IfNotPresent + pullPolicy: Always repository: postgres # https://hub.docker.com/_/postgres/ - tag: '10.1' + tag: '10.12' persistentVolume: create: true size: 8Gi storageClass: -# Additional labels to apply to all conjur resources +# Additional labels to apply to all postgres-related resources postgresLabels: {} +# Indicates whether the Conjur ClusterRole and ClusterRoleBinding should be +# created. This should be set to true, unless there is already a Conjur +# deployment in a separate namespace that has already created these +# cluster-wide resources. rbac: create: true # Number of Conjur pods to run replicaCount: 1 -# We usually recommend not to specify default resources and to leave this as a conscious -# choice for the user. This also increases chances charts run on environments with little -# resources, such as Minikube. If you do want to specify resources, uncomment the following -# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# Conjur container resource limits and requests. It is recommended that +# these Conjur-specific limits/requests remain unset, and instead let the +# Conjur container resources be constrained by namespace-wide limit ranges +# and resource quotas. The namespace-wide resource limitations are +# typically set by a cluster administrator to values that make sense for +# the host Kubernetes platform. +# +# If you do want to specify resources, uncomment the following lines, adjust +# them as necessary, and remove the curly braces after 'resources:'. # limits: # cpu: 100m # memory: 128Mi @@ -82,6 +125,14 @@ serviceAccount: name: ssl: + # Conjur CA certificate and key, and signed certificate and key. These + # should be base64-encoded. If left blank, CA certificate and signed + # certificate will be auto-generated. + caCert: "" + caKey: "" + cert: "" + key: "" + expiration: 365 # days hostname: "conjur.myorg.com" altNames: [] @@ -92,4 +143,15 @@ test: # automatically deleted upon test completion, # regardless of test success or failure. +serviceAccount: + # Indicates whether Conjur service account should be created or not. + # Typically set to `true`, unless the service account has already been + # created outside of this Helm chart workflow. + create: true + # Suffix to apply to the Conjur service account name. + name: + +# Tolerations to apply to the Conjur pod to indicate to the Kubernetes +# scheduler which nodes should be avoided for Conjur pod placement. See: +# https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration tolerations: [] diff --git a/e2e/custom-stuff.yml b/e2e/custom-stuff.yml index 8b1a4b5..04a9630 100644 --- a/e2e/custom-stuff.yml +++ b/e2e/custom-stuff.yml @@ -1,6 +1,6 @@ authenticators: "authn-k8s/minikube,authn" dataKey: "GENERATED_DATAKEY" # docker run --rm -it cyberark/conjur data-key generate -databaseUrl: "postgres://postgres:PASSWORD@POSTGRES_ENDPOINT/postgres" +database.url: "postgres://postgres:PASSWORD@POSTGRES_ENDPOINT/postgres" image: tag: "1.0.1-stable" diff --git a/e2e/delete-conjur.sh b/e2e/delete-conjur.sh index 1d3ed20..327c717 100755 --- a/e2e/delete-conjur.sh +++ b/e2e/delete-conjur.sh @@ -1,15 +1,19 @@ -#!/usr/bin/env bash -e +#!/usr/bin/env bash -set -o pipefail +set -eo pipefail -source ../is_helm_v2.sh +source ../is-helm-v2.sh if [ "$(which jq)" == "" ]; then echo "ERROR: Could not find jq utility!" exit 1 fi -conjur_releases=$(helm list -c --output=json | jq -r '.Releases[] | select(.Chart | match("conjur-oss-.*")) | .Name') +helm_list_args="--output=json" +if [ ! -z "$CONJUR_NAMESPACE" ]; then + helm_list_args="$helm_list_args -n $CONJUR_NAMESPACE" +fi +conjur_releases=$(helm list $helm_list_args | jq -r '.[] | select(.chart | match("conjur-oss-.*")) | .name') if [ "${conjur_releases}" == "" ]; then echo "ERROR: Could not find any deployed Conjur releases!" @@ -19,9 +23,23 @@ fi for conjur_release in ${conjur_releases}; do echo "Deleting Conjur release '${conjur_release}'..." if is_helm_v2; then - helm delete --purge "${conjur_release}" - else + helm_del_args="$helm_del_args --purge" + fi + if [ ! -z "$CONJUR_NAMESPACE" ]; then + helm_del_args="$helm_del_args -n $CONJUR_NAMESPACE" + fi + if [ -z "$helm_del_args" ]; then helm delete "${conjur_release}" + else + helm delete $helm_del_args "${conjur_release}" + fi + + if [ -z "$CONJUR_NAMESPACE" ]; then + kubectl delete secrets --selector="release=${conjur_release}" + else + kubectl delete secrets \ + -n "$CONJUR_NAMESPACE" \ + --selector="release=${conjur_release}" fi done diff --git a/e2e/install-conjur-no-pv.sh b/e2e/install-conjur-no-pv.sh index 1e2c448..bc18b76 100755 --- a/e2e/install-conjur-no-pv.sh +++ b/e2e/install-conjur-no-pv.sh @@ -1,6 +1,14 @@ #!/bin/bash -e -helm install conjur-e2e \ - --set dataKey="$(docker run --rm cyberark/conjur data-key generate)" \ - --set postgres.persistentVolume.create="false" \ - ../conjur-oss +data_key="$(docker run --rm cyberark/conjur data-key generate)" +helm_args="--set dataKey=$data_key \ + --set postgres.persistentVolume.create=false" + +if [ ! -z "$CONJUR_NAMESPACE" ]; then + if ! kubectl get namespace "$CONJUR_NAMESPACE" 2>/dev/null; then + kubectl create namespace "$CONJUR_NAMESPACE" + fi + helm_args="$helm_args -n $CONJUR_NAMESPACE" +fi + +helm install $helm_args conjur-e2e ../conjur-oss diff --git a/e2e/install-conjur.sh b/e2e/install-conjur.sh index e71e267..673e4bf 100755 --- a/e2e/install-conjur.sh +++ b/e2e/install-conjur.sh @@ -1,5 +1,13 @@ #!/bin/bash -e -helm install conjur-e2e \ - --set dataKey="$(docker run --rm cyberark/conjur data-key generate)" \ - ../conjur-oss +data_key="$(docker run --rm cyberark/conjur data-key generate)" +helm_args="--set dataKey=$data_key" + +if [ ! -z "$CONJUR_NAMESPACE" ]; then + if ! kubectl get namespace "$CONJUR_NAMESPACE" 2>/dev/null; then + kubectl create namespace "$CONJUR_NAMESPACE" + fi + helm_args="$helm_args -n $CONJUR_NAMESPACE" +fi + +helm install $helm_args conjur-e2e ../conjur-oss diff --git a/e2e/install-helm.sh b/e2e/install-helm.sh deleted file mode 100755 index 3e5bac4..0000000 --- a/e2e/install-helm.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -e - -kubectl create -f rbac-config.yaml - -helm init --service-account tiller diff --git a/e2e/rbac-config.yaml b/e2e/rbac-config.yaml deleted file mode 100644 index 1fcf47d..0000000 --- a/e2e/rbac-config.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: tiller - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tiller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: tiller - namespace: kube-system diff --git a/helm-upgrade.sh b/helm-upgrade.sh new file mode 100755 index 0000000..233b5b8 --- /dev/null +++ b/helm-upgrade.sh @@ -0,0 +1,31 @@ +#!/bin/bash + +set -eo pipefail + +# USAGE: +# ./helm_upgrade.sh [set-chart-values-arguments] +# +# Note that for helm upgrades, any settings for the following chart values +# will be ignored: +# dataKey +# database.password +# database.url +# since these values (and their Kubernetes respective secrets) will remain +# unchanged across Helm upgrades. + +# For Helm upgrade operations, the --reuse-values command line flag must +# be used in order to preserve any non-default values that were used +# during helm install. +# +# Also, force the recreation of pods, since Helm isn't aware that pods need +# to be started e.g. for when configmaps or secrets are changed. +HELM_ARGS="$@ --reuse-values --recreate-pods" + +if [ ! -z "$CONJUR_NAMESPACE" ]; then + HELM_ARGS="$HELM_ARGS -n $CONJUR_NAMESPACE" +fi + +# Find the helm release (it will contain 'conjur-oss-' in its chart name) +helm_release=$(helm list --output=json | jq -r '.[] | select(.chart | match("conjur-oss-.*")) | .name') + +helm upgrade $HELM_ARGS $helm_release ./conjur-oss diff --git a/is_helm_v2.sh b/is-helm-v2.sh similarity index 100% rename from is_helm_v2.sh rename to is-helm-v2.sh diff --git a/run.sh b/run.sh index a777fc1..41c2ff1 100755 --- a/run.sh +++ b/run.sh @@ -1,18 +1,30 @@ -#!/bin/bash -e +#!/bin/bash -source ./is_helm_v2.sh +set -eo pipefail -HELM_ARGS="$@" +source ./is-helm-v2.sh + +HELM_RELEASE=${HELM_RELEASE:-conjur-oss} if [ -z "$HELM_ARGS" ]; then + # Generate database data-key data_key="$(docker run --rm cyberark/conjur data-key generate)" - HELM_ARGS="--set dataKey=$data_key" + HELM_ARGS="$@ --set dataKey=$data_key" + + if is_helm_v2; then + echo "Helm version is 2" + HELM_ARGS="$HELM_ARGS --name $HELM_RELEASE" + else + echo "Helm version is 3 or newer" + HELM_ARGS="$HELM_ARGS $HELM_RELEASE" + fi fi -if is_helm_v2; then - HELM_ARGS="$HELM_ARGS --name conjur-oss" -else - HELM_ARGS="$HELM_ARGS conjur-oss" +if [ ! -z "$CONJUR_NAMESPACE" ]; then + if ! kubectl get namespace "$CONJUR_NAMESPACE" 2>/dev/null; then + kubectl create namespace "$CONJUR_NAMESPACE" + fi + HELM_ARGS="$HELM_ARGS -n $CONJUR_NAMESPACE" fi helm install $HELM_ARGS ./conjur-oss diff --git a/test-minimal.sh b/test-minimal.sh index 4b346e7..6970eff 100755 --- a/test-minimal.sh +++ b/test-minimal.sh @@ -1,6 +1,6 @@ #!/bin/bash -e -source ./is_helm_v2.sh +source ./is-helm-v2.sh # This script runs the minimal helm test, without relies on external load # balancers or persistent volumes. This is suitable for environment where diff --git a/test.sh b/test.sh index 3a89c8c..67d422e 100755 --- a/test.sh +++ b/test.sh @@ -1,6 +1,8 @@ -#!/bin/bash -e +#!/bin/bash -source ./is_helm_v2.sh +set -eo pipefail + +source ./is-helm-v2.sh # Run Helm test # @@ -24,6 +26,8 @@ source ./is_helm_v2.sh # Defaults to false. # HELM_INSTALL_TIMEOUT: Helm install timeout. Defaults to `900` for # Helm V2 and `900s` for newer versions of Helm. +# CONJUR_NAMESPACE: Namespace to use for Conjur deployment. The +# namespace is created if it doesn't exist. # Command line arguments for this script are passed to `helm test`. HELM_TEST_ARGS="$@" @@ -47,19 +51,36 @@ fi # of the helm test. if is_helm_v2; then HELM_TEST_ARGS="${HELM_TEST_ARGS} --cleanup" + HELM_DEL_ARGS="${HELM_DEL_ARGS} --purge" +fi + +if [ ! -z "$CONJUR_NAMESPACE" ]; then + if ! kubectl get namespace "$CONJUR_NAMESPACE" 2>/dev/null; then + kubectl create namespace "$CONJUR_NAMESPACE" + fi + HELM_INSTALL_ARGS="${HELM_INSTALL_ARGS} -n $CONJUR_NAMESPACE" + HELM_TEST_ARGS="${HELM_TEST_ARGS} -n $CONJUR_NAMESPACE" + HELM_DEL_ARGS="${HELM_DEL_ARGS} -n $CONJUR_NAMESPACE" fi RELEASE_NAME="helm-chart-test-$(date -u +%Y%m%d-%H%M%S)" +DATABASE_USER="postgres" +DATABASE_PASSWORD="postgres-password" function delete_release() { echo "==========================================" echo "Deleting Conjur Helm release $RELEASE_NAME" echo "==========================================" - if is_helm_v2; then - helm del --purge "$RELEASE_NAME" + if [ ! -z "HELM_DEL_ARGS" ]; then + helm del "$HELM_DEL_ARGS " "$RELEASE_NAME" else helm del "$RELEASE_NAME" fi + if [ -z "$CONJUR_NAMESPACE" ]; then + kubectl delete secrets --selector=release=$RELEASE_NAME + else + kubectl delete secrets -n "$CONJUR_NAMESPACE" --selector=release=$RELEASE_NAME + fi } echo "=======================================================" @@ -89,5 +110,9 @@ helm test $HELM_TEST_ARGS "$RELEASE_NAME" if [[ (! is_helm_v2) && ("$HELM_TEST_LOGGING" == true) ]]; then # Test pod log has been displayed, so it's safe to delete the test pod. - kubectl delete pod -l release="$RELEASE_NAME" + if [ -z "$CONJUR_NAMESPACE" ]; then + kubectl delete pod -l release="$RELEASE_NAME" + else + kubectl delete pod -n "$CONJUR_NAMESPACE" -l release="$RELEASE_NAME" + fi fi