-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Kubernetes conjur deployment scripts exist (#2)
* initial attempt working end to end in GKE * check for registry path * demonstrate service account scope :) * move over helper for env var checking * rename all references of project to context * rename context to namespace * use internal docker registry for conjur appliance, use external IP for master access * remove demo, move deploy scripts to top folder * start fixing readme * add docker login instructs to readme, other minor fixes * make docker vars generic * Fixes from my run-through * move namespace creation into readme, reorder setup steps * readme updates * remove psql memory config, move namespace creation to manual step * add service address back to readme * provide CLI container manifest and instructions for using it * add namespace creation back in * replace link to CLI quickstart with link to usage * Ensure image pull secret is created in correct namespace * Fix ordering of bash options, -o pipefail is needed
- Loading branch information
1 parent
2f1b42b
commit a604ef2
Showing
25 changed files
with
856 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
standby-seed.tar | ||
haproxy.cfg | ||
tmp/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
#!/bin/bash | ||
set -eo pipefail | ||
|
||
. utils.sh | ||
|
||
check_env_var "CONJUR_NAMESPACE_NAME" | ||
check_env_var "DOCKER_REGISTRY_URL" | ||
check_env_var "DOCKER_REGISTRY_PATH" | ||
check_env_var "CONJUR_ACCOUNT" | ||
check_env_var "CONJUR_ADMIN_PASSWORD" | ||
|
||
echo "Before we proceed..." | ||
|
||
# Confirm logged into Kubernetes. | ||
read -p "Are you logged in to a Kubernetes cluster (yes/no)? " choice | ||
case "$choice" in | ||
yes ) ;; | ||
* ) echo "You must login to a Kubernetes cluster before running this demo." && exit 1;; | ||
esac | ||
|
||
read -p "Are you logged into the $DOCKER_REGISTRY_URL Docker registry (yes/no)? " choice | ||
case "$choice" in | ||
yes ) echo "Great! Let's go.";; | ||
* ) echo "You must login to your Docker registry before running this demo." && exit 1;; | ||
esac | ||
|
||
conjur_appliance_image=$DOCKER_REGISTRY_PATH/conjur-appliance:$CONJUR_NAMESPACE_NAME | ||
|
||
# Confirms Conjur image is present. | ||
if [[ "$(docker images -q $conjur_appliance_image 2> /dev/null)" == "" ]]; then | ||
echo "You must have the Conjur v4 Appliance tagged as $conjur_appliance_image in your Docker engine to run this script." | ||
exit 1 | ||
fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
#!/bin/bash | ||
set -euo pipefail | ||
|
||
. utils.sh | ||
|
||
announce "Creating Conjur namespace." | ||
|
||
set_namespace default | ||
|
||
if has_namespace "$CONJUR_NAMESPACE_NAME"; then | ||
echo "Namespace '$CONJUR_NAMESPACE_NAME' exists, not going to create it." | ||
set_namespace $CONJUR_NAMESPACE_NAME | ||
else | ||
echo "Creating '$CONJUR_NAMESPACE_NAME' namespace." | ||
kubectl create namespace "$CONJUR_NAMESPACE_NAME" | ||
set_namespace $CONJUR_NAMESPACE_NAME | ||
fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
#!/bin/bash | ||
set -euo pipefail | ||
|
||
. utils.sh | ||
|
||
announce "Building and pushing haproxy image." | ||
|
||
pushd build/haproxy | ||
./build.sh | ||
popd | ||
|
||
docker_tag_and_push "haproxy" | ||
|
||
echo "Docker images pushed." |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
#!/bin/bash | ||
set -euo pipefail | ||
|
||
. utils.sh | ||
|
||
announce "Creating Conjur cluster." | ||
|
||
set_namespace $CONJUR_NAMESPACE_NAME | ||
|
||
if ! [ "${DOCKER_EMAIL}" = "" ]; then | ||
announce "Creating image pull secret." | ||
|
||
kubectl delete --ignore-not-found secret conjurregcred | ||
|
||
kubectl create secret docker-registry conjurregcred \ | ||
--docker-server=$DOCKER_REGISTRY_URL \ | ||
--docker-username=$DOCKER_USERNAME \ | ||
--docker-password=$DOCKER_PASSWORD \ | ||
--docker-email=$DOCKER_EMAIL | ||
fi | ||
|
||
conjur_appliance_image=$DOCKER_REGISTRY_PATH/conjur-appliance:$CONJUR_NAMESPACE_NAME | ||
|
||
echo "deploying main cluster" | ||
sed -e "s#{{ CONJUR_APPLIANCE_IMAGE }}#$conjur_appliance_image#g" ./manifests/conjur-cluster.yaml | | ||
kubectl create -f - | ||
|
||
echo "deploying followers" | ||
sed -e "s#{{ CONJUR_APPLIANCE_IMAGE }}#$conjur_appliance_image#g" ./manifests/conjur-follower.yaml | | ||
sed -e "s#{{ AUTHENTICATOR_SERVICE_ID }}#$AUTHENTICATOR_SERVICE_ID#g" | | ||
kubectl create -f - | ||
|
||
sleep 10 | ||
|
||
echo "Waiting for Conjur pods to launch..." | ||
wait_for_node $(get_master_pod_name) | ||
|
||
echo "Cluster created." |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
#!/bin/bash | ||
set -euo pipefail | ||
|
||
. utils.sh | ||
|
||
announce "Configuring master pod." | ||
|
||
set_namespace $CONJUR_NAMESPACE_NAME | ||
|
||
master_pod_name=$(get_master_pod_name) | ||
|
||
kubectl label --overwrite pod $master_pod_name role=master | ||
|
||
# Configure Conjur master server using evoke. | ||
kubectl exec $master_pod_name -- evoke configure master \ | ||
-h conjur-master \ | ||
--master-altnames localhost,conjur-master.$CONJUR_NAMESPACE_NAME.svc.cluster.local \ | ||
--follower-altnames conjur-follower,conjur-follower.$CONJUR_NAMESPACE_NAME.svc.cluster.local \ | ||
-p $CONJUR_ADMIN_PASSWORD \ | ||
$CONJUR_ACCOUNT | ||
|
||
echo "Master pod configured." |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
#!/bin/bash | ||
set -euo pipefail | ||
|
||
. utils.sh | ||
|
||
announce "Creating load balancer for master and standbys." | ||
|
||
set_namespace $CONJUR_NAMESPACE_NAME | ||
|
||
docker_image=${DOCKER_REGISTRY_PATH}/haproxy:$CONJUR_NAMESPACE_NAME | ||
|
||
sed -e "s#{{ DOCKER_IMAGE }}#$docker_image#g" ./manifests/haproxy-conjur-master.yaml | | ||
kubectl create -f - | ||
|
||
wait_for_node 'haproxy-conjur-master' | ||
|
||
echo "Configuring load balancer..." | ||
|
||
# Update HAProxy config to reflect Conjur cluster and restart daemon. | ||
haproxy/update_haproxy.sh haproxy-conjur-master | ||
|
||
echo "Load balancer created and configured." |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
#!/bin/bash | ||
set -euo pipefail | ||
|
||
. utils.sh | ||
|
||
announce "Configuring standbys." | ||
|
||
set_namespace $CONJUR_NAMESPACE_NAME | ||
|
||
master_pod_name=$(get_master_pod_name) | ||
|
||
echo "Preparing standby seed files..." | ||
|
||
mkdir -p tmp | ||
kubectl exec $master_pod_name evoke seed standby conjur-standby > ./tmp/standby-seed.tar | ||
|
||
master_pod_ip=$(kubectl describe pod $master_pod_name | awk '/IP:/ { print $2 }') | ||
pod_list=$(kubectl get pods -l role=unset --no-headers | awk '{ print $1 }') | ||
|
||
for pod_name in $pod_list; do | ||
printf "Configuring standby %s...\n" $pod_name | ||
|
||
kubectl label --overwrite pod $pod_name role=standby | ||
|
||
copy_file_to_container "./tmp/standby-seed.tar" "/tmp/standby-seed.tar" "$pod_name" | ||
|
||
kubectl exec $pod_name evoke unpack seed /tmp/standby-seed.tar | ||
kubectl exec $pod_name -- evoke configure standby -i $master_pod_ip | ||
done | ||
|
||
rm -rf tmp | ||
|
||
echo "Standbys configured." | ||
echo "Starting synchronous replication..." | ||
|
||
mastercmd evoke replication sync | ||
|
||
echo "Standbys configured." |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
#!/bin/bash | ||
set -euo pipefail | ||
|
||
. utils.sh | ||
|
||
announce "Configuring followers." | ||
|
||
set_namespace $CONJUR_NAMESPACE_NAME | ||
|
||
master_pod_name=$(get_master_pod_name) | ||
|
||
echo "Preparing follower seed files..." | ||
|
||
mkdir -p tmp | ||
kubectl exec $master_pod_name evoke seed follower conjur-follower > ./tmp/follower-seed.tar | ||
|
||
master_pod_ip=$(kubectl describe pod $master_pod_name | awk '/IP:/ { print $2 }') | ||
pod_list=$(kubectl get pods -l role=follower --no-headers | awk '{ print $1 }') | ||
|
||
for pod_name in $pod_list; do | ||
printf "Configuring follower %s...\n" $pod_name | ||
|
||
copy_file_to_container "./tmp/follower-seed.tar" "/tmp/follower-seed.tar" "$pod_name" | ||
|
||
kubectl exec $pod_name evoke unpack seed /tmp/follower-seed.tar | ||
kubectl exec $pod_name -- evoke configure follower | ||
done | ||
|
||
rm -rf tmp | ||
|
||
echo "Followers configured." |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
#!/bin/bash | ||
set -euo pipefail | ||
|
||
. utils.sh | ||
|
||
set_namespace $CONJUR_NAMESPACE_NAME | ||
|
||
announce " | ||
Conjur cluster is ready. | ||
Conjur UI address: | ||
https://$(get_master_service_ip):443 | ||
Conjur admin credentials: | ||
admin / $(rotate_api_key) | ||
" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,147 @@ | ||
# kubernetes-conjur-deploy | ||
Scripts for deploying Conjur to Kubernetes | ||
|
||
This repository contains scripts for deploying a Conjur v4 cluster to a | ||
Kubernetes environment. | ||
|
||
# Setup | ||
|
||
The Conjur deployment scripts pick up configuration details from local | ||
environment variables. The setup instructions below walk you through the | ||
necessary steps for configuring your Kubernetes environment and show you which | ||
variables need to be set before deploying. | ||
|
||
### Docker | ||
|
||
[Install Docker](https://www.docker.com/get-docker) on your local machine if you | ||
do not already have it. | ||
|
||
You must have push access to a Docker registry in order to run these deploy | ||
scripts. Provide the URL and full path of your registry: | ||
|
||
``` | ||
export DOCKER_REGISTRY_URL=<registry-domain> | ||
export DOCKER_REGISTRY_PATH=<registry-domain>/<additional-pathing> | ||
``` | ||
|
||
If you are using a private registry, you will also need to provide login | ||
credentials that are used by the deployment scripts to create a [secret for | ||
pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-in-the-cluster-that-holds-your-authorization-token): | ||
|
||
``` | ||
export DOCKER_USERNAME=<your-username> | ||
export DOCKER_PASSWORD=<your-password> | ||
export DOCKER_EMAIL=<your-email> | ||
``` | ||
|
||
Please make sure that you are logged in to the registry before deploying. | ||
|
||
### Kubernetes | ||
|
||
Before deploying Conjur, you must first use `kubectl` to connect to your | ||
Kubernetes environment with a user that has the `cluster-admin` role. The user | ||
must be able to create namespaces and cluster roles. | ||
|
||
#### Conjur Namespace | ||
|
||
Provide the name of a namespace in which to deploy Conjur: | ||
|
||
``` | ||
export CONJUR_NAMESPACE_NAME=<my-namespace> | ||
``` | ||
|
||
#### The `conjur-authenticator` Cluster Role | ||
|
||
Conjur's Kubernetes authenticator requires the following privileges: | ||
|
||
- [`"get"`, `"list"`] on `"pods"` for confirming a pod's namespace membership | ||
- [`"create"`, `"get"`] on "pods/exec" for injecting a certificate into a pod | ||
|
||
The deploy scripts include a manifest that defines the `conjur-authenticator` | ||
cluster role, which grants these privileges. Create the role now (note that | ||
your user will need to have the `cluster-admin` role to do so): | ||
|
||
``` | ||
kubectl create -f ./manifests/conjur-authenticator-role.yaml | ||
``` | ||
|
||
### Conjur | ||
|
||
#### Appliance Image | ||
|
||
You need to obtain a Docker image of the Conjur v4 appliance and push it to your | ||
Docker registry with the tag: | ||
|
||
``` | ||
$DOCKER_REGISTRY_PATH/conjur-appliance:$CONJUR_NAMESPACE_NAME | ||
``` | ||
|
||
#### Appliance Configuration | ||
|
||
When setting up a new Conjur installation, you must provide an account name and | ||
a password for the admin account: | ||
|
||
``` | ||
export CONJUR_ACCOUNT=<my_account_name> | ||
export CONJUR_ADMIN_PASSWORD=<my_admin_password> | ||
``` | ||
|
||
Conjur uses [declarative policy](https://developer.conjur.net/policy) to control | ||
access to secrets. After deploying Conjur, you need to load a policy that | ||
defines a `webservice` to represent the Kubernetes authenticator: | ||
|
||
``` | ||
- !policy | ||
id: conjur/authn-k8s/{{ SERVICE_ID }} | ||
``` | ||
|
||
The `SERVICE_ID` should describe the Kubernetes cluster in which your Conjur | ||
deployment resides. For example, it might be something like `kubernetes/prod`. | ||
For Conjur configuration purposes, you need to provide this value to the Conjur | ||
deploy scripts like so: | ||
|
||
``` | ||
export AUTHENTICATOR_SERVICE_ID=<service_id> | ||
``` | ||
|
||
This `service_id` can be anything you like, but it's important to make sure | ||
that it matches the value that you intend to use in Conjur Policy. | ||
|
||
# Usage | ||
|
||
### Deploying Conjur | ||
|
||
Run `./start` to deploy Conjur. This executes the numbered scripts in sequence | ||
to create and configure a Conjur cluster comprised of one Master, two Standbys, | ||
and two read-only Followers. The final step will print out the necessary info | ||
for interacting with Conjur through the CLI or UI. | ||
|
||
### Conjur CLI | ||
|
||
The deploy scripts include a manifest for creating a Conjur CLI container within | ||
the Kubernetes environment that can then be used to interact with Conjur. Deploy | ||
the CLI pod and SSH into it: | ||
|
||
``` | ||
kubectl create -f ./manifests/conjur-cli.yaml | ||
kubectl exec -it [cli-pod-name] bash | ||
``` | ||
|
||
Once inside the CLI container, use the admin credentials to connect to Conjur: | ||
|
||
``` | ||
conjur init -h conjur-master | ||
``` | ||
|
||
Follow our [CLI usage instructions](https://developer.conjur.net/cli#quickstart) | ||
to get started with the Conjur CLI. | ||
|
||
### Conjur UI | ||
|
||
Visit the Conjur UI URL in your browser and login with the admin credentials to | ||
access the Conjur UI. | ||
|
||
# Test App Demo | ||
|
||
The [kubernetes-conjur-demo repo](https://github.com/conjurdemos/kubernetes-conjur-demo) | ||
sets up test applications that retrieve secrets from Conjur and serves as a | ||
useful reference when setting up your own applications to integrate with Conjur. |
Oops, something went wrong.