Skip to content

Latest commit

 

History

History
174 lines (136 loc) · 8.7 KB

README.md

File metadata and controls

174 lines (136 loc) · 8.7 KB

Cyral Crawler Helm Chart

Deploy the Cyral Repo Crawler as a Kubernetes CronJob via Helm

Build a value file and run the following command

helm upgrade -i <release_name> oci://public.ecr.aws/cyral/helm/crawler --version <version_tag> -f <your_value_file.yaml>

Deployment Values Examples

Credentials provided directly in value file

controlPlane: tenant.app.cyral.com
credentials:
    clientId: <api_client_id>
    clientSecret: <api_client_secret>
cronjob:
    repoName: <data repo name>
    repoCredentials:
        username: <data repo username>
        password: <data repo password>

Externally managed secrets

If you manage your secrets manually or with an operator you can use the existingSecret option. This is useful for secrets operators like the AWS or Vault secrets operator.

controlPlane: tenant.app.cyral.com
credentials:
    existingSecret: <secret name>
cronjob:
    repoName: <data repo name>
    repoCredentials:
        existingSecret: <secret name>

For the control plane credentials we expect a clientId and clientSecret key

kubectl create secret generic cpcreds --from-literal=clientId=$CLIENT_ID --from-literal=clientSecret=$CLIENT_SECRET

For the repo credentials we expect a username and password key

kubectl create secret generic datarepocreds --from-literal=username=$USERNAME --from-literal=password=$PASSWORD

Vault Annotations

If you arent using the Vault Secrets Operator and would like to use the annotation based approach, you can set it up in the following way.

This example provides both the database credentials and the control plane credentials

controlPlane: "stable.dev.cyral.com"
cronjob:
  repoName: myrepo
  podAnnotations:
      vault.hashicorp.com/agent-inject: "true"
      vault.hashicorp.com/agent-pre-populate-only : "true"
      vault.hashicorp.com/role: myrole
      vault.hashicorp.com/tls-skip-verify: "true"
      vault.hashicorp.com/secret-volume-path-config.yaml: "/etc/cyral"
      # Because we're using a merge function, the go template for vault needs to be escaped
      vault.hashicorp.com/agent-inject-template-config.yaml: |
        {{ "{{" }}- with secret "vault/db/myrepo" }}
        "repo-user": "{{ "{{" }} .Data.data.username }}"
        "repo-password": "{{ "{{" }} .Data.data.password }}"
        {{ "{{" }}- end }}
        {{ "{{" }}- with secret "vault/cp/creds" }}
        "cyral-client-id": "{{ "{{" }} .Data.data.clientId }}"
        "cyral-client-secret": "{{ "{{" }} .Data.data.clientSecret }}"
        {{ "{{" }}- end }}

Install and Run On-Demand

clone/download this repository and generate a values file.

helm install $name .
kubectl create job --from=cronjob/$name $jobname

Advanced Options (Oracle/Snowflake)

For scanning oracle or snowflake additional configuration needs to be added

For Oracle the service name needs to be provided (typically it should be set to ORCL)

cronjob:
  env:
    - name: REPO_CRAWLER_REPO_ADVANCED
      value: "{\"oracle\":{\"service-name\":\"ORCL\"}}"

For Snowflake we need to specify some additional information: Account, Role and Warehouse

cronjob:
  env:
      - name: REPO_CRAWLER_REPO_ADVANCED
        value: "{\"snowflake\":{\"account\":\"$account\",\"role\":\"$role\",\"warehouse\":\"$warehouse\"}}"

Parameters

Required parameters

Parameters related to connection to the Cyral control plane

Name Description Value
controlPlane host name of the control plane. typically tenant.app.cyral.com ""
credentials.existingSecret Utilize a pre-existing secret for control plane credentials ""
credentials.clientId The Cyral Client ID to be used for connecting to the control plane ""
credentials.clientSecret The Cyral Client Secret to be used for connecting to the control plane ""
credentials.annotations Annotations for the secret {}
credentials.labels Labels for the secret {}

Cronjob configuration parameters

Name Description Value
cronjob.repoName Data repo name to be scanned ""
cronjob.repoHost host address to use to connect to the database. If not provided it will be pulled from the control plane ""
cronjob.annotations {}
cronjob.podAnnotations Used to apply annotations to the job pod itself. Useful for Vault {}
cronjob.labels {}
cronjob.env Additonal environment variables (used for advanced configuration) {}
cronjob.schedule Schedule for when to run the crawler 0 0 * * 6
cronjob.restartPolicy Never
cronjob.resources Job Resource definition

Cronjob service account

Name Description Value
cronjob.serviceAccount.create true
cronjob.serviceAccount.annotations {}
cronjob.serviceAccount.labels {}
cronjob.serviceAccount.name ""

Cronjob repo credentials

Name Description Value
cronjob.repoCredentials.annotations {}
cronjob.repoCredentials.labels {}
cronjob.repoCredentials.existingSecret ""
cronjob.repoCredentials.username ""
cronjob.repoCredentials.password ""

Optional Configuration

Name Description Value
imageRegistry Image registry to pull the crawler image from public.ecr.aws/cyral
tag Version/Tag of image to pull v0.12.5
imagePullPolicy Pull policy configuration IfNotPresent
imagePullSecrets Image pull secret configuration ""
kubeVersion Force target Kubernetes version (using Helm capabilities if not set) ""
nameOverride String to partially override common.names.fullname template with a string (will prepend the release name) ""
fullnameOverride String to fully override common.names.fullname template with a string ""
commonAnnotations Common annotations to add to all resources. {}
commonLabels Common labels to add to all resources. {}
clusterDomain Kubernetes cluster domain cluster.local