There is a helm chart for deploying a sample app with a Conjur sidecar

[izgeri]

Is your feature request related to a problem? Please describe.

This issue proposes creating a Helm chart plus a Helm Subchart to deploy a sample application for testing Conjur Kubernetes authentication using Summon and an authn-k8s sidecar container.

In order to allow for this methodology to be extensible to adding future sample application deployments using other authenticators, the proposal is to implement this Helm chart with the following structure in mind:

• A "main" Helm chart. This chart sets global values used by all sample applications in subcharts, and supports a selectable list of sample applications / authenticators that must be deployed. In other words, one application or multiple applications can be selected for deployment using the underlying application subcharts.
• (THIS ISSUE) An 'app-summon-sidecar' subchart for deploying a sample app with Summon and an authn-k8s sidecar.
• (FUTURE ISSUE) An 'app-secretless-sidecar' subchart for deploying a sample app that uses Secretless Broker
• (FUTURE ISSUE) An 'app-secrets-provider-sidecar' subchart for deploying a sample app that uses Secrets Provider as a sidecar container
• (FUTURE ISSUE) An 'app-secrets-provider-standalone' subchart - for deploying a sample app that uses Secrets Provider as a standalone container

Allowing the authenticators to be selectable as a list will facilitate using this Helm chart to be used in multiple scenarios, e.g.:

• CI where we want to test all types of authenticators
• Incremental/iterative development and test for a given type of authenticator
• Quick-start guide where just one authenticator type will do

The types of sidecar/init containers to select from should include:
- Secrets Provider init container
- Secrets Provider standalone "app" Pod
- Secretless Broker
- Authn-k8s sidecar

The sidecar/init/app containers in each case should get their Conjur connection information by volume mounting to a
Conjur Connect ConfigMap that has been deployed using the cluster prep Helm chart (Issue #227) and the Application Namespace prep Helm chart (Issue #236).

The intent is to provide a Helm chart that can be easily used in conjunction with the cluster prep Helm chart and the application Namespace prep Helm chart.

Implementation details

Use of Lists in Chart Values

In values.yaml file

In the values.yaml file for this Helm chart, the selection of authenticators to deploy/test will look like this:

# Authenticator types to deploy and test. Multiple authenticator types
# can be selected. All enabled authenticator types (along with their
# associated sample application container) will be deployed to the
# same application Namespace. The default is to enable only an authn-k8s
# sidecar container. Uncomment authenticator types as desired.
authenticators:
    - authn-k8s
    #- secretless-broker
    #- secrets-provider-init
    #- secrets-provider-standalone

Selecting authenticators on the helm command line

The selection of authenticators to deploy and test can be done on the helm install ... and helm upgrade ...
command lines using the command line option --set authenticators="{<comma separated list of authenticators>}".

For example, to enable deployment and testing for both authn-k8s and secretless-broker sidecar authenticators, the command line would look something like this:

helm install --set authenticators="{authn-k8s,secretless-broker}" my-app-release .

Conditionally including all or parts of a manifest template based on authenticators selection

In the manifest templates that are defined in the templates directory, all or parts of a manifest template can be included in what's being rendered by Helm using the Helm built-in has syntax. For example, to conditionally include a manifest template when authn-k8s authenticator is enabled, the syntax would be:

{{ if has "authn-k8s" .Values.authenticators }}
    < authn-k8s manifest stuff would go here >
{{ end }}

Converting/Porting Scripts and Templates from conjurdemos/kubernetes-conjur-demo

This work basically involves converting the following script and
templates from conjurdemos/kubernetes-conjur-demo to a Helm chart:
- 7_app_deploy.sh
- kubernetes/*
- openshift/*
but with the application/authenticator combinations being deployed one-at-a-time by the Helm chart.

Out of Scope

• Creating subchart for app + Secretless Broker
• Creating subchart for app + Secrets Provider sidecar container
• Creating subchart for app + Secrets Provider standalone
• Creating a README.md file for the main Helm chart or the subchart
• Creating a values.schema.json for the main Helm chart or the subchart.
• Development of a Helm test for this chart is not included in this issue.
• Development of a helm-unittest for this chart is not included in this issue.

Prototype for this design

Example values.yaml for main chart:

# Default values for Application Deploy Helm chart
# This is a YAML-formatted file.

global:
  conjur:
    conjurConnConfigMap: "conjur-conn-configmap"

  appServiceType: "NodePort"

# Authenticator types to deploy and test. Multiple authenticator types
# can be selected. All enabled authenticator types (along with their
# associated sample application container) will be deployed to the
# same application Namespace. The default is to enable only an authn-k8s
# sidecar container. Uncomment authenticator types as desired.
authenticators:
  - authn-k8s
  #- secretless-broker
  #- secrets-provider-init
  #- secrets-provider-standalone

Example values.yaml for app-summon-sidecar subchart:

# Default values for the Application Namespace Prep Helm chart
# This is a YAML-formatted file.

app:
  image:
    repository: "cyberark/test-app-summon-sidecar"
    tag: "latest"
    pullPolicy: "always"
 
authnClient:
  image:
    repository: "cyberark/authn-k8s-client"
    tag: "latest"
    pullPolicy: "always"

conjur:
  authnConfigMap:
    create: true
    name: "conjur-authn-configmap"
  authnLogin:

Example Conjur authn Configmap template:

{{- if has "authn-k8s" .Values.authenticators -}}
apiVersion: v1
kind: ConfigMap
metadata:
    name: {{ .Values.conjur.authnConfigMap.name }}
    labels:
      release: {{ .Release.Name }}
      heritage: {{ .Release.Service }}
      app.kubernetes.io/name: authn-configmap
      app.kubernetes.io/component: "app-conjur-authn-config"
      app.kubernetes.io/instance: {{ .Release.Namespace }}
      app.kubernetes.io/part-of: "authn-k8s-app-config"
      helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
data:
    # authn-k8s Configuration 
    conjurAuthnLogin: {{ required "A valid conjurAuthnLogin is required!" .Values.conjur.authnLogin }}
{{- end }}

Example Test App Deployment manifest template

{{- if has "authn-k8s" .Values.authenticators -}}
apiVersion: v1
kind: Service
metadata:
  name: test-app-summon-sidecar
  labels:
    app: test-app-summon-sidecar
spec:
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 8080
  selector:
    app: test-app-summon-sidecar
  type: {{ .Values.global.appServiceType }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-app-summon-sidecar
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-app-summon-sidecar
  name: test-app-summon-sidecar
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-app-summon-sidecar
  template:
    metadata:
      labels:
        app: test-app-summon-sidecar
    spec:
      serviceAccountName: test-app-summon-sidecar
      containers:
      - image: {{ .Values.app.image.repository }}:{{ .Values.app.image.tag }}
        imagePullPolicy: {{ .Values.app.image.pullPolicy }}
        name: test-app
        ports:
        - name: http
          containerPort: 8080
        readinessProbe:
          httpGet:
            path: /pets
            port: http
          initialDelaySeconds: 15
          timeoutSeconds: 5
        env:
          - name: CONJUR_AUTHN_TOKEN_FILE
            value: /run/conjur/access-token
        envFrom:
          - configMapRef:
            name: {{ .Values.global.conjur.conjurConnConfigMap }}
        volumeMounts:
          - mountPath: /run/conjur
            name: conjur-access-token
            readOnly: true
      - image: {{ .Values.authnClient.image.repository }}:{{ .Values.authnClient..image.tag }}
        imagePullPolicy: {{ .Values.authnClient.image.pullPolicy }}
        name: authenticator
        env:
          - name: CONTAINER_MODE
            value: sidecar
          - name: MY_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: MY_POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: MY_POD_IP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
          - name: CONJUR_AUTHN_LOGIN
            valueFrom:
              configMapKeyRef:
                name: {{ .Values.conjur.authnConfigMap }}
                key: conjurAuthnLogin
        envFrom:
          - configMapRef:
            name: {{ .Values.global.conjur.connConfigMap }}
        volumeMounts:
          - mountPath: /run/conjur
            name: conjur-access-token
      imagePullSecrets:
        - name: dockerpullsecret
      volumes:
        - name: conjur-access-token
          emptyDir:
            medium: Memory
{{- end }}

Starting point for Helm source

Follow-Up User Stories

• Issue The sample application Helm chart has a README.md file #264
• Issue The sample application Helm chart has a values.schema.json file #265
• Issue The sample application Helm chart has unit tests #266
• Issue Scripts to build Pet Store application containers are ported from kubernetes-conjur-demo #267
• Issue Scripts or a Helm test is implemented to verify apps are correctly authenticating #268
• Issue The app deploy Helm chart supports deployment of app + Secretless Broker sidecar #271
• Issue The app deploy Helm chart supports deployment of app + Secrets Provider init container #272
• Issue The app deploy Helm chart supports deployment of app + Secrets Provider standalone container #273

DoD

• Helm values.yaml created for main chart with:
  • Supports a list that can be used to select one or more sidecar/init containers to use with a samle application
• Helm values.yaml created for app subchart
• Helm manifest templates created for application/Summon + authn-k8s sidecar
• Helm chart successfully deploys (application/Summon + authn-k8s sidecar container).
  This Helm deployment assumes that the following is already available (not part of this issue):
  • Conjur instance with application policy already loaded
  • Kubernetes cluster prep Helm chart has already been Helm installed
  • Application Namespace prep Helm chart has already been Helm installed
• Helm chart includes a templates/NOTES.txt that announces app/authenticator has been deployed
• Helm chart deployment successfully authenticates with a Conjur instance and retrieves secrets.
  This can be tested as follows:
  - Run the Conjur OSS Helm chart Kubernetes-in-Docker example script. This creates Conjur OSS, 4 app instances, and loads Conjur policy for authen-k8s and app secrets.
  - Delete the example application deployments in the app Namespace
  - Run Helm install using the kubernetes-cluster-prep Helm chart to create a Golden ConfigMap
  - Run Helm install using the application-namespace-prep Helm chart to create a Conjur COnnect ConfigMap
  - Run Helm install to create an application in the same app Namespace. This should use the same deployment name, serviceAccount, etc. that a deployment had used in the Conjur OSS Helm chart KinD example script, so that the identity of the application Pod matches the existing security policy in Conjur.
  - Get authenticator / application Pod to authenticate and access secrets from Conjur