diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc39b19..e97de30 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## Unreleased
+## [2.1.0] - 2023-07-11
+
+### Added
+- Support for using existing secrets for data key
+
 ## [2.0.6] - 2023-03-09
 ### Changed
diff --git a/conjur-oss/Chart.yaml b/conjur-oss/Chart.yaml
index 7e5d574..345a5f4 100644
--- a/conjur-oss/Chart.yaml
+++ b/conjur-oss/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: conjur-oss
 home: https://www.conjur.org
-version: 2.0.6
+version: 2.1.0
 description: A Helm chart for CyberArk Conjur
 icon: https://www.cyberark.com/wp-content/uploads/2015/12/cybr-aim.jpg
 keywords:
diff --git a/conjur-oss/README.md b/conjur-oss/README.md
index c3e506a..614c811 100644
--- a/conjur-oss/README.md
+++ b/conjur-oss/README.md
@@ -81,6 +81,8 @@ $ helm install \
 https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v$VERSION/conjur-oss-$VERSION.tgz
 ```
+_Note: You can import conjur data key as a secret existing on your kubernetes cluster using `--set dataKeySecretRef=YOUR_SECRET_NAME` where the secret is contained within the key `key`. Note that you can't have dataKey and dataKeySecretRef together._
+
 _Note: The configured data key will be used to encrypt sensitive information in Conjur's database. This must be archived in a safe place._
diff --git a/conjur-oss/templates/deployment.yaml b/conjur-oss/templates/deployment.yaml
index a69f05d..a33b998 100644
--- a/conjur-oss/templates/deployment.yaml
+++ b/conjur-oss/templates/deployment.yaml
@@ -149,7 +149,7 @@ spec:
 - name: CONJUR_DATA_KEY
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-conjur-data-key
+ name: {{ .Values.dataKeySecretRef | default (printf "%s-conjur-data-key" .Release.Name) }}
 key: key
 - name: DATABASE_URL
 valueFrom:
diff --git a/conjur-oss/templates/secrets.yaml b/conjur-oss/templates/secrets.yaml
index b1bd520..d7dd641 100644
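Review bot: The new `name:` expression under `secretKeyRef` hardcodes the entry name `key` on the next context line and nothing checks, at render time, that the Secret named by `dataKeySecretRef` exists or carries that entry, so a typo in the value is only discovered when the pod sits in CreateContainerConfigError after `helm install` has already reported success. A template-time existence check is not practical (`lookup` is empty under `--dry-run`/`helm template`), so the contract should at least be stated next to the line: `{{- /* dataKeySecretRef must name an existing Secret in the release namespace holding the data key under entry "key"; not validated at render time */ -}}`. If the generated name is referenced anywhere else in the chart, the `default (printf ...)` expression is also worth lifting into a named helper so both sites cannot drift. The enclosing `env:` list of the Conjur container starts and ends outside this hunk.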
--- a/conjur-oss/templates/secrets.yaml
+++ b/conjur-oss/templates/secrets.yaml
@@ -17,6 +17,7 @@ type: Opaque
 data:
 key: "{{ .Values.authenticators | b64enc }}"
 ---
+{{- if not .Values.dataKeySecretRef }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -37,6 +38,7 @@ metadata:
 type: Opaque
 data:
 key: {{ .Values.dataKey | b64enc }}
+{{- end }}
 ---
 {{- include "conjur-oss.database-password" . }}
 apiVersion: v1
diff --git a/conjur-oss/values.schema.json b/conjur-oss/values.schema.json
index 1748264..f28323a 100644
--- a/conjur-oss/values.schema.json
+++ b/conjur-oss/values.schema.json
@@ -1,7 +1,12 @@
 {
 "$schema": "http://json-schema.org/draft-07/schema",
- "required": [
- "dataKey"
+ "oneOf": [
+ {
+ "required": ["dataKey"]
+ },
+ {
+ "required": ["dataKeySecretRef"]
+ }
 ],
 "properties": {
 "account": {
@@ -33,9 +38,7 @@
 "ssl": {
 "dependencies": {
 "cert": {
- "required": [
- "key"
- ]
+ "required": ["key"]
 }
 },
 "properties": {
@@ -58,6 +61,10 @@
 }
 }
 },
+ "dataKeySecretRef": {
+ "type": "string",
+ "minLength": 1
+ },
 "dataKey": {
 "type": "string",
 "minLength": 1
@@ -92,8 +99,8 @@
 "tag": {
 "type": "string"
 },
- "pullPolicy": {
- "type": "string"
+ "pullPolicy": {
+ "type": "string"
 }
 }
 }
@@ -192,11 +199,7 @@
 "ssl": {
 "dependencies": {
 "cert": {
- "required": [
- "key",
- "caCert",
- "caKey"
- ]
+ "required": ["key", "caCert", "caKey"]
 }
 },
 "properties": {
diff --git a/conjur-oss/values.yaml b/conjur-oss/values.yaml
index 27fdd85..04bd923 100644
--- a/conjur-oss/values.yaml
+++ b/conjur-oss/values.yaml
@@ -8,6 +8,9 @@
 # risk of leaving around residual values files containing this sensitive
 # information.
+# Alternatively use `dataKeySecretRef` to specify the name of the secret
+# dataKeySecretRef: "conjur-data-key"
+
 account:
 # Name of Conjur account to be created. Maps to CONJUR_ACCOUNT env variable
 # for the Conjur container.
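Review bot: The `{{- if not .Values.dataKeySecretRef }}` opened in the first hunk and closed by `{{- end }}` in the second leaves the `---` before the guard and the `---` after the guard back to back when the branch is skipped, so the rendered stream contains an empty document; Helm tolerates that, but moving the leading separator inside the guard keeps the manifest clean, and the Secret's `metadata` block between the two hunks is outside what is shown here. More importantly for operators, a Secret supplied via `dataKeySecretRef` is no longer a release-owned resource, so `helm uninstall` will not remove it and the chart can no longer rotate or re-encode it; a short comment on the `if` line, `{{- /* data-key Secret is only rendered when the chart owns it; with dataKeySecretRef the referenced Secret is managed outside the release */ -}}`, would make that ownership boundary explicit to the next maintainer.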
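Review bot: The `oneOf` added at the top of the schema does enforce exactly one of `dataKey`/`dataKeySecretRef`, matching the README, but a values file that sets both, or neither, now fails with the validator's generic "must match exactly one schema in oneOf" text rather than naming the conflicting keys. Since schema errors cannot be customised, the clearer message belongs in a template guard alongside the schema, e.g. `{{- if and .Values.dataKey .Values.dataKeySecretRef }}{{ fail "set either dataKey or dataKeySecretRef, not both" }}{{- end }}`. The later hunks in this file (the `required` array reflows at -33, -92 and -192) are whitespace-only churn unrelated to the feature and would be easier to review as a separate formatting commit.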
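Review bot: The new values.yaml comment says `dataKeySecretRef` names "the secret" but does not say which entry inside it is read or that it is mutually exclusive with `dataKey`, both of which the README and the deployment template's `key: key` line establish. I would replace the first comment line with `# Alternatively, reference an existing Secret in the release namespace that holds the data key under the entry "key"; set either dataKey or dataKeySecretRef, never both.` so the contract is visible where the value is actually set. The sample name `"conjur-data-key"` is fine as an example, though it is worth noting it differs from the chart-generated `<release>-conjur-data-key` so readers do not assume the two are the same object.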