There is an initial cluster prep helm chart #232

Closed

izgeri opened this issue Mar 15, 2021 · 2 comments · Fixed by #254

Comments

@izgeri
Contributor

izgeri commented Mar 15, 2021

Overview

This user story requires the definition of a cluster prep helm chart, including:

  • values.yaml file
  • templates/golden_configmap.yaml templated manifest
  • templates/service_account.yaml templated manifest
  • templates/clusterrole.yaml templated manifest
  • README.md explaining basic usage and a table of configurable values
  • templates/NOTES.txt simply announcing completion, maybe listing objects that have been deployed

Desired Implementation

Out of Scope:

Kubernetes Objects to be Created for Helm install/upgrade

When helm install ... is invoked on this Helm chart, there should be two Kubernetes objects created in the authenticator Namespace:

  • Golden (Reference) ConfigMap
  • Authenticator ServiceAccount
  • Authenticator ClusterRole

Sample Golden ConfigMap Manifest

When helm install ... is invoked using this Helm chart, Helm should render a manifest for a Golden ConfigMap that looks similar to the following:

apiVersion: v1
kind: ConfigMap
metadata:
  name: authn-k8s-config-map
  labels:
    app.kubernetes.io/name: golden-configmap
    app.kubernetes.io/component: conjur-config
    app.kubernetes.io/instance: <Authenticator Namespace>
    app.kubernetes.io/part-of: authn-k8s-cluster-config
    app.kubernetes.io/managed-by: helm
    helm.sh/chart: <Chart name>-<Chart version>
data:
  # authn-k8s Configuration
  authnK8sAuthenticatorID: my-authenticator-id
  authnK8sClusterRole: conjur-authenticator-clusterrole
  authnK8sNamespace: conjur-ns
  authnK8sServiceAccount: conjur-sa

  # Conjur Configuration
  conjurAccount: myConjurAccount
  conjurApplianceUrl: https://conjur.conjur-ns.svc.cluster.local
  conjurSslCertificate: <Unencoded Conjur SSL certificate>
  conjurSslCertificateBase64: <base64 encoded Conjur SSL certificate>

Sample ClusterRole Manifest

When helm install ... is invoked using this Helm chart, Helm should render a manifest for a ClusterRole that looks similar to the following:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: authn-k8s-clusterrole
    app.kubernetes.io/component: authn-k8s-permissions
    app.kubernetes.io/instance: <Authenticator Namespace>
    app.kubernetes.io/part-of: authn-k8s-cluster-config
    app.kubernetes.io/managed-by: helm
    helm.sh/chart: <Chart name>-<Chart version>
  name: authn-k8s
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - serviceaccounts
  verbs:
  - get
  - list
- apiGroups:
  - extensions
  resources:
  - deployments
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
  - get

Sample ServiceAccount Manifest

When helm install ... is invoked using this Helm chart, Helm should render a manifest for a ServiceAccount that looks similar to the following:

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: authn-k8s-serviceaccount
    app.kubernetes.io/component: authn-k8s-identity
    app.kubernetes.io/instance: <Authenticator Namespace>
    app.kubernetes.io/part-of: authn-k8s-cluster-config
    app.kubernetes.io/managed-by: helm
    helm.sh/chart: <Chart name>-<Chart version>
  name: authn-k8s

Helm chart Files to be created

This Helm chart requires the creation of the following files in the chart subdirectory:

  • values.yaml file
  • templates/golden_configmap.yaml templated manifest
  • templates/authn_serviceaccount.yaml templated manifest
  • templates/authn_clusterrole.yaml templated manifest
  • README.md explaining basic usage, upgrade examples, and a table of configurable values
  • templates/NOTES.txt simply announcing completion, maybe listing objects that have been deployed

values.yaml requirements

The values.yaml file created for this Helm chart must contain the fields that are listed in
the "Kubernetes Cluster Prep Helm Chart Value" column of the
"User Input: Information Gathered for Kubernetes Cluster Preparation" section of this
document: https://cyberark365.sharepoint.com/:w:/s/Conjur/EbhBd0DKYt1MstzSj-4sWOkBssiD23FAHA4JgW-2V2YwrA?e=04gdla.

Additional "control knobs"

The values.yaml file should also include a couple of other "control knobs":

  • authnK8s.rbac.enable
    This is needed to enable/disable creation of the authn-k8s ClusterRole.
    This is future-proofing: There may be cases in the future whereby someone might want
    to share ClusterRoles across multiple authn-k8s authenticators.
  • authnK8s.serviceAccount.enable
    This is for future-proofing. For some deployments, e.g. with the Conjur OSS Helm chart,
    there already exists a ServiceAccount that can be used/re-used.

Default values

The values.yaml file should provide the following default values:

  • conjur.account defaults to "default"
  • authnK8s.rbac.enable defaults to true
  • authnK8s.serviceAccount.enable defaults to true

Template manifests requirements

The template manifests must enforce that required values have been explicitly defined.
Required values are those fields in the values.yaml file that are indicated as
"Mandatory" in the "Kubernetes Cluster Prep Helm Chart Value" column of the
"User Input: Information Gathered for Kubernetes Cluster Preparation" section of this
document: https://cyberark365.sharepoint.com/:w:/s/Conjur/EbhBd0DKYt1MstzSj-4sWOkBssiD23FAHA4JgW-2V2YwrA?e=04gdla.

README.md requirements

The README.md must include:

  • Overview of the intended use of the chart.
  • Step-by-step instructions on how to use the Helm chart, including:
    • Prerequisite information that needs to be gathered from a Conjur admin (not including Conjur SSL cert).
    • Instructions on how to retrieve the Conjur SSL certificate based on the Conjur URL
    • Table of configurable values
    • Examples on how Helm upgrade can be used to modify values used by a chart

NOTES.txt requirements

NOTES.txt should announce completion, maybe listing objects that have been deployed

Environments on Which to Test

For this implementation, it should be sufficient to test this Helm chart on:

  • Conjur OSS
  • Either Kubernetes cluster (can be KinD or GKE) or OpenShift, pick one

DoD:

  • Required files have been created
  • Helm chart tested on setups described in "Environments on Which to Test" above
  • Helm install creates Golden ConfigMap, ServiceAccount, ClusterRole using default enable/disable flags
  • Disabling of ServiceAccount creation works for helm install
  • Disabling of ClusterRole creation works for helm install
  • Helm upgrade works as expected
  • Requirements listed above are all met
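
As an added example that is not the chart requested in this issue nor any code from the cyberark project, the following sketches how the templates above could enforce the mandatory values with Helm's `required` function and honour the two enable knobs. The issue only fixes the keys `conjur.account`, `authnK8s.rbac.enable` and `authnK8s.serviceAccount.enable`; the other value names used here (`conjur.applianceUrl`, `conjur.sslCertificate`, `authnK8s.authenticatorID`, `authnK8s.rbac.name`, `authnK8s.serviceAccount.name`) are assumed for illustration. Files are separated by comment headers so they fit one block.

```yaml
# --- values.yaml (assumed key names; mandatory fields are left empty on purpose) ---
conjur:
  account: "default"          # default per the issue
  applianceUrl: ""            # Mandatory: e.g. https://conjur.conjur-ns.svc.cluster.local
  sslCertificate: ""          # Mandatory: PEM text; pass with --set-file conjur.sslCertificate=conjur.pem
authnK8s:
  authenticatorID: ""         # Mandatory: authn-k8s service ID configured in Conjur
  rbac:
    enable: true              # default per the issue; set false to reuse a shared ClusterRole
    name: conjur-authenticator-clusterrole
  serviceAccount:
    enable: true              # default per the issue; set false to reuse an existing ServiceAccount
    name: conjur-sa

# --- templates/_helpers.tpl ---
# Common labels; the "instance" is the release namespace, as in the sample manifests.
{{- define "clusterprep.labels" -}}
app.kubernetes.io/instance: {{ .Release.Namespace }}
app.kubernetes.io/part-of: authn-k8s-cluster-config
app.kubernetes.io/managed-by: helm
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
{{- end }}

# --- templates/golden_configmap.yaml ---
# `required` aborts rendering (helm template/install/upgrade) when a value is nil or "",
# so a half-configured Golden ConfigMap can never be created.
{{- $url := required "conjur.applianceUrl is required" .Values.conjur.applianceUrl }}
{{- $cert := required "conjur.sslCertificate (PEM) is required" .Values.conjur.sslCertificate }}
{{- $authnId := required "authnK8s.authenticatorID is required" .Values.authnK8s.authenticatorID }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: authn-k8s-config-map
  labels:
    app.kubernetes.io/name: golden-configmap
    app.kubernetes.io/component: conjur-config
{{ include "clusterprep.labels" . | indent 4 }}
data:
  authnK8sAuthenticatorID: {{ $authnId | quote }}
  authnK8sClusterRole: {{ .Values.authnK8s.rbac.name | quote }}
  authnK8sNamespace: {{ .Release.Namespace | quote }}
  authnK8sServiceAccount: {{ .Values.authnK8s.serviceAccount.name | quote }}
  conjurAccount: {{ .Values.conjur.account | quote }}
  conjurApplianceUrl: {{ $url | quote }}
  conjurSslCertificate: |-
{{ $cert | indent 4 }}
  # The base64 form is derived at render time, so the two fields cannot drift apart.
  conjurSslCertificateBase64: {{ $cert | b64enc | quote }}

# --- templates/authn_clusterrole.yaml ---
{{- if .Values.authnK8s.rbac.enable }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Values.authnK8s.rbac.name }}
  labels:
    app.kubernetes.io/name: authn-k8s-clusterrole
    app.kubernetes.io/component: authn-k8s-permissions
{{ include "clusterprep.labels" . | indent 4 }}
rules:
  - apiGroups: [""]
    resources: ["pods", "serviceaccounts"]
    verbs: ["get", "list"]
  # "extensions" only matters for clusters older than Kubernetes 1.16, where
  # Deployments/ReplicaSets still lived there; the rule is inert on newer clusters.
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments", "statefulsets", "replicasets"]
    verbs: ["get", "list"]
  # pods/exec create is the sensitive grant: it is cluster-wide command execution.
  # Bind this role only to the authenticator's ServiceAccount, never to workloads.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "get"]
{{- end }}

# --- templates/authn_serviceaccount.yaml ---
{{- if .Values.authnK8s.serviceAccount.enable }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.authnK8s.serviceAccount.name }}
  labels:
    app.kubernetes.io/name: authn-k8s-serviceaccount
    app.kubernetes.io/component: authn-k8s-identity
{{ include "clusterprep.labels" . | indent 4 }}
{{- end }}
```

To check the behaviour the DoD asks for without touching a cluster, render with `helm template prep ./cluster-prep --set authnK8s.authenticatorID=my-authenticator-id --set conjur.applianceUrl=https://conjur.conjur-ns.svc.cluster.local --set-file conjur.sslCertificate=conjur.pem`: leaving any of the three mandatory values out fails at render time with the `required` message instead of producing a ConfigMap with an empty field, and adding `--set authnK8s.rbac.enable=false` or `--set authnK8s.serviceAccount.enable=false` drops the corresponding document from the output, which is exactly what `helm upgrade` with the same flags would later reconcile.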

@izgeri
Contributor Author

izgeri commented Mar 15, 2021

@diverdane will this include programmatically retrieving the Conjur SSL certificate, as we researched in cyberark/conjur#2038?

@diverdane
Contributor

@izgeri - Re. Conjur SSL certificate retrieval, I've added a requirement that the README.md must include step-by-step instructions on how a user can retrieve the Conjur SSL certificate using the Golang code and steps that @doodlesbykumbi developed and documented.

FYI: For future consideration, there may be a way to make this a little more seamless for the Kubernetes admin by integrating the Golang code that does Conjur SSL cert retrieval with the Helm chart by using Helm chart "Post Renderer":
https://helm.sh/docs/topics/advanced/#post-rendering
The post renderer could be a bash script or it could be wrapped in the Helm Go SDK:
https://helm.sh/docs/topics/advanced/#go-sdk
