From f98d274dd9b8ce9b53ab423543babed649fd7496 Mon Sep 17 00:00:00 2001 From: dan-transmit Date: Tue, 11 Jul 2023 20:16:45 +0300 Subject: [PATCH 1/3] Add option from datakey to be provided from existing secret --- CHANGELOG.md | 5 +++++ conjur-oss/Chart.yaml | 2 +- conjur-oss/README.md | 2 ++ conjur-oss/templates/deployment.yaml | 2 +- conjur-oss/templates/secrets.yaml | 2 ++ conjur-oss/values.schema.json | 9 ++++----- conjur-oss/values.yaml | 2 +- 7 files changed, 16 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc39b19..e97de30 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## Unreleased +## [2.1.0] - 2023-07-11 + +### Added +- Support for using existing secrets for data key + ## [2.0.6] - 2023-03-09 ### Changed diff --git a/conjur-oss/Chart.yaml b/conjur-oss/Chart.yaml index 7e5d574..345a5f4 100644 --- a/conjur-oss/Chart.yaml +++ b/conjur-oss/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: conjur-oss home: https://www.conjur.org -version: 2.0.6 +version: 2.1.0 description: A Helm chart for CyberArk Conjur icon: https://www.cyberark.com/wp-content/uploads/2015/12/cybr-aim.jpg keywords: diff --git a/conjur-oss/README.md b/conjur-oss/README.md index c3e506a..3ca0a22 100644 --- a/conjur-oss/README.md +++ b/conjur-oss/README.md @@ -81,6 +81,8 @@ $ helm install \ https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v$VERSION/conjur-oss-$VERSION.tgz ``` +_Note: You can import conjur data key as a secret existing on your kubernetes cluster using `--set dataKeySecretRef=YOUR_SECRET_NAME` where the secret is contained within the key `key`. Note that it will overwrite usage of dataKey._ + _Note: The configured data key will be used to encrypt sensitive information in Conjur's database. This must be archived in a safe place._ 
diff --git a/conjur-oss/templates/deployment.yaml b/conjur-oss/templates/deployment.yaml index a69f05d..a33b998 100644 --- a/conjur-oss/templates/deployment.yaml +++ b/conjur-oss/templates/deployment.yaml @@ -149,7 +149,7 @@ spec: - name: CONJUR_DATA_KEY valueFrom: secretKeyRef: - name: {{ .Release.Name }}-conjur-data-key + name: {{ .Values.dataKeySecretRef | default (printf "%s-conjur-data-key" .Release.Name) }} key: key - name: DATABASE_URL valueFrom: diff --git a/conjur-oss/templates/secrets.yaml b/conjur-oss/templates/secrets.yaml index b1bd520..d7dd641 100644 --- a/conjur-oss/templates/secrets.yaml +++ b/conjur-oss/templates/secrets.yaml @@ -17,6 +17,7 @@ type: Opaque data: key: "{{ .Values.authenticators | b64enc }}" --- +{{- if not .Values.dataKeySecretRef }} apiVersion: v1 kind: Secret metadata: @@ -37,6 +38,7 @@ metadata: type: Opaque data: key: {{ .Values.dataKey | b64enc }} +{{- end }} --- {{- include "conjur-oss.database-password" . }} apiVersion: v1 diff --git a/conjur-oss/values.schema.json b/conjur-oss/values.schema.json index 1748264..91e1dbd 100644 --- a/conjur-oss/values.schema.json +++ b/conjur-oss/values.schema.json @@ -1,8 +1,5 @@ { "$schema": "http://json-schema.org/draft-07/schema", - "required": [ - "dataKey" - ], "properties": { "account": { "type": "object", @@ -58,9 +55,11 @@ } } }, + "dataKeySecretRef": { + "type": "string" + }, "dataKey": { - "type": "string", - "minLength": 1 + "type": "string" }, "deployment": { "properties": { diff --git a/conjur-oss/values.yaml b/conjur-oss/values.yaml index 27fdd85..148171e 100644 --- a/conjur-oss/values.yaml +++ b/conjur-oss/values.yaml @@ -7,7 +7,7 @@ # rather than setting these in a custom values YAML file. This avoids the # risk of leaving around residual values files containing this sensitive # information. - +dataKeySecretRef: account: # Name of Conjur account to be created. Maps to CONJUR_ACCOUNT env variable # for the Conjur container. 
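Review bot: The fallback `printf "%s-conjur-data-key" .Release.Name` on the changed `name:` line re-states the Secret name that secrets.yaml assigns to the chart-managed data-key Secret, so the two files can drift apart silently; a named template used by both, for example `{{ include "conjur-oss.data-key-secret-name" . }}`, would keep them in step. The template also cannot check that a user-supplied Secret exists in the release namespace or carries the data key under `key`; a wrong name or key entry typically leaves the pod in CreateContainerConfigError with no hint from the chart. A template comment on that line such as `{{- /* dataKeySecretRef must name a Secret in the release namespace whose "key" entry holds the data key */}}` would make the contract visible where it is consumed. The enclosing env list starts and ends outside the hunk.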
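Review bot: Wrapping the data-key Secret in `{{- if not .Values.dataKeySecretRef }}` means that switching an existing release over to `dataKeySecretRef` drops the chart-managed `-conjur-data-key` Secret from the rendered manifests, and Helm deletes resources that disappear from a release on upgrade, so the copy of the key the chart had stored would be removed in that same upgrade; if the referenced Secret does not carry the identical key, the database contents can no longer be decrypted. Adding `helm.sh/resource-policy: keep` to that Secret's annotations (its metadata block lies between the two secrets.yaml hunks) would stop the prune, and a template comment above the `if`, e.g. `{{- /* Not rendered when dataKeySecretRef is set; the referenced Secret must hold the same data key or existing DB ciphertext becomes unreadable */}}`, would warn maintainers. The second hunk's `{{- end }}` is only the matching close.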
From 8e8f0198ca5ea9808fb5eba0e575078e69e9c564 Mon Sep 17 00:00:00 2001 From: dan-transmit Date: Wed, 12 Jul 2023 14:29:08 +0300 Subject: [PATCH 2/3] fix values.schema.json and documentation --- conjur-oss/README.md | 2 +- conjur-oss/values.schema.json | 28 ++++++++++++++++------------ conjur-oss/values.yaml | 3 ++- 3 files changed, 19 insertions(+), 14 deletions(-) diff --git a/conjur-oss/README.md b/conjur-oss/README.md index 3ca0a22..614c811 100644 --- a/conjur-oss/README.md +++ b/conjur-oss/README.md @@ -81,7 +81,7 @@ $ helm install \ https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v$VERSION/conjur-oss-$VERSION.tgz ``` -_Note: You can import conjur data key as a secret existing on your kubernetes cluster using `--set dataKeySecretRef=YOUR_SECRET_NAME` where the secret is contained within the key `key`. Note that it will overwrite usage of dataKey._ +_Note: You can import conjur data key as a secret existing on your kubernetes cluster using `--set dataKeySecretRef=YOUR_SECRET_NAME` where the secret is contained within the key `key`. Note that you can't have dataKey and dataKeySecretRef together._ _Note: The configured data key will be used to encrypt sensitive information in Conjur's database. This must be archived in a safe place._ diff --git a/conjur-oss/values.schema.json b/conjur-oss/values.schema.json index 91e1dbd..f28323a 100644 --- a/conjur-oss/values.schema.json +++ b/conjur-oss/values.schema.json @@ -1,5 +1,13 @@ { "$schema": "http://json-schema.org/draft-07/schema", + "oneOf": [ + { + "required": ["dataKey"] + }, + { + "required": ["dataKeySecretRef"] + } + ], "properties": { "account": { "type": "object", @@ -30,9 +38,7 @@ "ssl": { "dependencies": { "cert": { - "required": [ - "key" - ] + "required": ["key"] } }, "properties": { 
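Review bot: The `oneOf` over `required` in the first values.schema.json hunk enforces the either/or rule, but a violation reaches the user only as Helm's generic "must validate one and only one schema (oneOf)" message, which does not say whether `dataKey` is missing or both values were supplied; a template guard with an explicit message, e.g. `{{- if and .Values.dataKey .Values.dataKeySecretRef }}{{ fail "set either dataKey or dataKeySecretRef, not both" }}{{- end }}`, would make the failure self-explanatory, and a `"description"` on each of the two properties would at least document the rule where the schema is read. The `-30,9` hunk here and the `-91,8` and `-191,11` hunks in the next chunk only reflow existing `required` arrays and indentation; keeping such reformatting out of a functional change makes the schema change easier to review.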
@@ -56,10 +62,12 @@ } }, "dataKeySecretRef": { - "type": "string" + "type": "string", + "minLength": 1 }, "dataKey": { - "type": "string" + "type": "string", + "minLength": 1 }, "deployment": { "properties": { @@ -91,8 +99,8 @@ "tag": { "type": "string" }, - "pullPolicy": { - "type": "string" + "pullPolicy": { + "type": "string" } } } @@ -191,11 +199,7 @@ "ssl": { "dependencies": { "cert": { - "required": [ - "key", - "caCert", - "caKey" - ] + "required": ["key", "caCert", "caKey"] } }, "properties": { diff --git a/conjur-oss/values.yaml b/conjur-oss/values.yaml index 148171e..adb2ccf 100644 --- a/conjur-oss/values.yaml +++ b/conjur-oss/values.yaml @@ -7,7 +7,8 @@ # rather than setting these in a custom values YAML file. This avoids the # risk of leaving around residual values files containing this sensitive # information. -dataKeySecretRef: +dataKeySecretRef: "conjur-data-key" + account: # Name of Conjur account to be created. Maps to CONJUR_ACCOUNT env variable # for the Conjur container. From 2c70306b047ff0a3a4b08eec0dd665c062a63389 Mon Sep 17 00:00:00 2001 From: dan-transmit Date: Wed, 12 Jul 2023 16:49:25 +0300 Subject: [PATCH 3/3] hide dataKeySecretRef key from values files and add inline comment --- conjur-oss/values.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/conjur-oss/values.yaml b/conjur-oss/values.yaml index adb2ccf..04bd923 100644 --- a/conjur-oss/values.yaml +++ b/conjur-oss/values.yaml @@ -7,7 +7,9 @@ # rather than setting these in a custom values YAML file. This avoids the # risk of leaving around residual values files containing this sensitive # information. -dataKeySecretRef: "conjur-data-key" + +# Alternatively use `dataKeySecretRef` to specify the name of the secret +# dataKeySecretRef: "conjur-data-key" account: # Name of Conjur account to be created. Maps to CONJUR_ACCOUNT env variable
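Review bot: The new values.yaml comment line (`# Alternatively use ... to specify the name of the secret`) leaves out the two constraints the chart enforces elsewhere: deployment.yaml reads the data key from that Secret's `key` entry, and values.schema.json rejects `dataKey` and `dataKeySecretRef` set together. Since values.yaml is where most operators discover the option, I would replace that line with `# Alternatively, set dataKeySecretRef to the name of an existing Secret in the release` and `# namespace whose "key" entry holds the data key. Set either dataKey or dataKeySecretRef, not both.`, keeping the commented-out example line below it. It would also be worth saying that the chart neither creates nor manages that Secret, which is what the `if not` guard in secrets.yaml implies.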