Kubernetes conjur deployment scripts exist #2
README.md
Conjur image from your registry: | ||
|
||
``` | ||
kubectl create secret docker-registry conjurregcred \ |
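Review bot: this secret is created before the `CONJUR_NAMESPACE_NAME` namespace exists (the scripts create it later), so it cannot land in the namespace the deployment will read it from; either move this step after namespace creation and pass `-n "$CONJUR_NAMESPACE_NAME"` explicitly, or tell the user up front to create both the namespace and the pull secret before running any script.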
If you create the secret here it will be in the wrong namespace. CONJUR_NAMESPACE_NAME namespace hasn't been created yet.
Fixed this by instructing the user to create the namespace and secret before running the scripts.
README.md
id: conjur/authn-k8s/{{ SERVICE_ID }} | ||
``` | ||
|
||
The `SERVICE_ID` should describe the Kubernetes node in which your Conjur cluster |
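Review bot: "Kubernetes node" should read "Kubernetes cluster"; the `SERVICE_ID` in `conjur/authn-k8s/{{ SERVICE_ID }}` names the cluster the authenticator serves, and "node" suggests a single-node deployment, which is not what a production setup should look like.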
I think we want to say "Kubernetes cluster" instead of "Kubernetes node" here. This makes it seem like Conjur should only be deployed on one node, when multiple nodes should be used for a production setup.
I see we use the same language in the OpenShift README as well.
I think we should change it there too.
Fixed in both READMEs.
build/conjur_server/conjur.json
@@ -0,0 +1,5 @@ | |||
{ | |||
"postgresql": { | |||
"allocated_memory_kb": 100000 |
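Review bot: `"allocated_memory_kb": 100000` caps the bundled PostgreSQL at roughly 100 MB in a file baked into the server image, which is a test-sized value for a cluster taking live traffic; if it is kept, make it an explicit, documented setting rather than a hard-coded default, otherwise drop the file and let the image's default apply.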
I know we do this for testing, but I wonder about the performance effects of this in a live traffic setup.
Removed this for now. I'm guessing it's an artifact copied over from demos that ran in a user's local environment and thus had constrained resources.
1_create_conjur_namespace.sh
# Must run as root to unpack Conjur seed files on standbys for high availability. | ||
# TODO: replace this overprivileging with a service account + role + role binding | ||
|
||
# TODO: perhaps clusterroles should be defined independent of these scripts. for one this could delete an important clusterrole for user, unwittingly |
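Review bot: both TODOs describe real risks (the script runs as root, and it can delete a clusterrole the user may own) but they only live as comments inside the script; state the cluster-admin requirement in the README before the run steps, and guard the clusterrole deletion with an existence check or a label so a user's own role of the same name is not removed.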
Yes I think we should explain this more up front, because you need to have the cluster-admin role to load the authenticator-role manifest.
Moved this out to the README.
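An added preflight for the two points raised on `1_create_conjur_namespace.sh` (example code, not from the conjur deployment scripts or this PR): it checks that the caller holds the cluster-scoped permissions the scripts need before anything runs, and it refuses to delete a clusterrole that these scripts did not create. The `managed-by` label and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the conjur deployment scripts: a preflight to
# run before 1_create_conjur_namespace.sh. It confirms the caller holds the
# cluster-scoped permissions the scripts need, and it only deletes a clusterrole
# that carries a label these scripts put there, so a user's own clusterrole of
# the same name is left alone. The label and the function names are assumptions.
set -u

# Label (key=value) these scripts are assumed to attach to what they create.
SCRIPT_LABEL="${SCRIPT_LABEL:-managed-by=conjur-k8s-scripts}"

# Return 0 only if every verb/resource pair is allowed for the current user;
# `kubectl auth can-i` prints "yes" or "no" for the active kubeconfig context.
preflight_rbac() {
  missing=0
  for pair in create:namespaces create:clusterroles \
              delete:clusterroles create:clusterrolebindings; do
    verb="${pair%%:*}"; res="${pair#*:}"
    if [ "$(kubectl auth can-i "$verb" "$res" 2>/dev/null)" != "yes" ]; then
      echo "missing permission: $verb $res" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Delete a clusterrole only when it is labelled as ours. Returns 0 when the role
# is absent or was deleted, 2 when a role of that name exists but is not ours.
safe_delete_clusterrole() {
  name="$1"
  key="${SCRIPT_LABEL%%=*}"; want="${SCRIPT_LABEL#*=}"
  if ! kubectl get clusterrole "$name" >/dev/null 2>&1; then
    return 0
  fi
  have="$(kubectl get clusterrole "$name" -o "jsonpath={.metadata.labels.$key}")"
  if [ "$have" != "$want" ]; then
    echo "refusing to delete clusterrole $name: not created by these scripts" >&2
    return 2
  fi
  kubectl delete clusterrole "$name"
}

# Usage: sh preflight.sh <clusterrole-name>
if [ $# -gt 0 ]; then
  preflight_rbac && safe_delete_clusterrole "$1"
fi
```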
8_print_config.sh
conjur-master.$CONJUR_NAMESPACE_NAME.svc.cluster.local | ||
|
||
Outside the cluster: | ||
https://$conjur_master_ip:443 |
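Review bot: the external address is printed as `https://$conjur_master_ip:443` on a line of its own; consider also printing the ready-to-run `conjur init -h "$conjur_master_ip" ...` command so the IP is copied rather than retyped when the user connects from outside the cluster.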
I got to this step, but am unable to connect with the Conjur CLI; it just hangs.
```
./8_print_config.sh
++++++++++++++++++++++++++++++++++++++
Conjur cluster is ready.
Addresses for the Conjur Master service:
Inside the cluster:
conjur-master.conjur-dustinc.svc.cluster.local
Outside the cluster:
https://35.193.179.143
Conjur login credentials:
admin / xxxxx
```
```
conjur init -h 35.193.149.143 -f ~/.conjurrc.k8s
```
... no go
Addressed this by providing a manifest and instructions for running a CLI container within k8s, which allows you to just use conjur-master as your hostname.