From 5856356a2c05beeff7b30fc6313be7c6167bcc0f Mon Sep 17 00:00:00 2001 From: Wilson de Carvalho <796900+wcmjunior@users.noreply.github.com> Date: Tue, 13 Aug 2024 14:40:17 -0700 Subject: [PATCH] Docs improvements (#10) * Docs improvements * Add sidecar version --- README.md | 264 ++++++++++++++----------- docs/certificates.md | 111 +++++++++++ docs/metrics.md | 84 ++++++++ docs/node-scheduling.md | 63 ++++++ docs/port-configuration.md | 64 ++++++ docs/pre-existing-sa.md | 59 ++++++ docs/public-load-balancer.md | 39 ++++ docs/resources.md | 22 +++ docs/s3-browser.md | 24 +++ docs/values-file.md | 3 + templates/common/_images.tpl | 15 -- values.yaml | 371 ++++++++++++++++------------------- 12 files changed, 789 insertions(+), 330 deletions(-) create mode 100644 docs/certificates.md create mode 100644 docs/metrics.md create mode 100644 docs/node-scheduling.md create mode 100644 docs/port-configuration.md create mode 100644 docs/pre-existing-sa.md create mode 100644 docs/public-load-balancer.md create mode 100644 docs/resources.md create mode 100644 docs/s3-browser.md create mode 100644 docs/values-file.md diff --git a/README.md b/README.md index 562c362..dd5e48c 100644 --- a/README.md +++ b/README.md 
@@ -1,37 +1,26 @@ -# Cyral Sidecar +# Cyral sidecar Helm chart -## TL;DR +Use this Helm chart to deploy a sidecar to your Kubernetes environment. -```console -helm install cyral-sidecar oci://public.ecr.aws/cyral/helm/sidecar -``` - -## Introduction - -Helm chart to deploy Cyral Sidecar. +Refer to the [quickstart guide](https://github.com/cyral-quickstart/quickstart-sidecar-helm#readme) +for more information on how to use this chart or upgrade your sidecar. ## Prerequisites - Kubernetes 1.23+ - Helm 3.8.0+ -## Installing the Chart +## Usage -To install the chart with the release name `cyral-sidecar`: +### Installing the Chart ```console -helm install cyral-sidecar oci://REGISTRY_NAME/REPOSITORY_NAME/%%CHART_NAME%% +helm install cyral-sidecar oci://public.ecr.aws/cyral/helm/sidecar ``` -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Cyral, you need to use `REGISTRY_NAME=cyralinc.docker.io` and `REPOSITORY_NAME=cyralcharts`. - -The command deploys Cyral Sidecar on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Uninstalling the Chart +### Uninstalling the Chart To uninstall/delete the `cyral-sidecar` deployment: 
@@ -41,113 +30,162 @@ helm delete cyral-sidecar The command removes all the Kubernetes components associated with the chart and deletes the release. -## Advanced Configuration +## Advanced Instructions for advanced deployment configurations are available for the following topics: -* [Memory limits](docs/memlim.md) +* [Enable the S3 File Browser](./docs/s3-browser.md) +* [Expose to the Internet](./docs/public-load-balancer.md) +* [Memory limits](./docs/memlim.md) +* [Node scheduling](./docs/node-scheduling.md) +* [Restrict repositories' ports](./docs/port-configuration.md) +* [Set up database accounts through environment variables](./docs/database-accounts/environment-variables.md) +* [Set up database accounts through AWS Secrets Manager](./docs/database-accounts/aws-secrets-manager.md) +* [Set up resources](./docs/resources.md) +* [Sidecar certificates](./docs/certificates.md) +* [Sidecar instance metrics](./docs/metrics.md) +* [Use a pre-existing service account](./docs/pre-existing-sa.md) +* [Values file reference](./docs/values-file.md) ## Parameters -### Global parameters +### Required Cyral configuration + +| Name | Description | Value | +| -------------------------------- | ------------------------------------------------------------------------------------------------------ | ----- | +| `cyral.sidecarId` | Sidecar identifier | `""` | +| `cyral.controlPlane` | Address of the control plane - .cyral.com | `""` | +| `cyral.credentials.clientId` | The client ID assigned to the sidecar. Optional - required only if existingSecret is not provided. | `""` | +| `cyral.credentials.clientSecret` | The client secret assigned to the sidecar. Optional - required only if existingSecret is not provided. 
| `""` |
+| `image.tag` | Cyral Sidecar image tag (this is the sidecar version) | `""` |
+
+### Certificates configuration
+
+| Name | Description | Value |
+| ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ----- |
+| `cyral.sidecar.certificates.ca.existingSecret` | Name of an existing Kubernetes secret containing a private key and a certificate for the internal CA. | `""` |
+| `cyral.sidecar.certificates.tls.existingSecret` | Name of an existing Kubernetes secret containing a private key and a certificate to terminate TLS connections. | `""` |
-| Name | Description | Value |
-| ------------------------- | ----------------------------------------------- | ----- |
-| `global.imageRegistry` | Global Docker image registry | `""` |
-| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
+### Cyral deployment properties configuration
-### Common parameters
+
+| Name | Description | Value |
+| ------------------------------------------- | ----------------------------------------------------------------------------------- | ----------------- |
+| `cyral.deploymentProperties.cloud` | Cloud provider where the Cyral Sidecar is hosted. | `""` |
+| `cyral.deploymentProperties.deploymentType` | Deployment type choosen to deploy the Cyral Sidecar. Defaults to `helm-kubernetes`. | `helm-kubernetes` |
+| `cyral.deploymentProperties.endpoint` | Fully qualified domain name that will be used to access the Cyral Sidecar.
| `""` |
+
+### Snowflake configuration
+
+| Name | Description | Value |
+| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
+| `cyral.sidecar.snowflake.idpCertificate` | The certificate used to verify SAML assertions from the IdP being used with Snowflake. Enter this value as a one-line string with literal new line characters (\n) specifying the line breaks. | `""` |
+| `cyral.sidecar.snowflake.sidecarIdpCertificate` | The public certificate used to verify signatures for SAML Assertions generated by the sidecar. Required if using SSO with Snowflake. | `""` |
+| `cyral.sidecar.snowflake.sidecarIdpPrivateKey` | The private key used to sign SAML Assertions generated by the sidecar. Required if using SSO with Snowflake. | `""` |
+| `cyral.sidecar.snowflake.SSOLoginURL` | The IdP SSO URL for the IdP being used with Snowflake. | `""` |
+
+### Other Cyral configuration
+
+| Name | Description | Value |
+| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
+| `cyral.credentials.existingSecret` | Name of an existing Kubernetes secret containing client ID and client secret. The secret must contain the `clientId` and `clientSecret` keys.
| `""` | +| `cyral.sidecar.dnsName` | Fully qualified domain name that will be used to access the Cyral Sidecar | `""` | + +### Common configuration | Name | Description | Value | | ------------------- | ----------------------------------------------------------------------------------------------------------------- | --------------- | -| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | -| `nameOverride` | String to partially override common.names.fullname template with a string (will prepend the release name) | `""` | -| `fullnameOverride` | String to fully override common.names.fullname template with a string | `""` | | `commonAnnotations` | Common annotations to add to all Cyral Sidecar resources (sub-charts are not considered). Evaluated as a template | `{}` | | `commonLabels` | Common labels to add to all Cyral Sidecar resources (sub-charts are not considered). Evaluated as a template | `{}` | | `clusterDomain` | Kubernetes cluster domain | `cluster.local` | +| `fullnameOverride` | String to fully override common.names.fullname template with a string | `""` | +| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | +| `nameOverride` | String to partially override common.names.fullname template with a string (will prepend the release name) | `""` | -### Cyral Sidecar deployment parameters - -| Name | Description | Value | -| --------------------------- | ------------------------------------------------------------------------------------------------------------- | ---------------------- | -| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `hard` | -| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` | `""` |
-| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` |
-| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
-| `affinity` | Affinity for pod assignment | `{}` |
-| `image.registry` | Cyral Sidecar image registry | `public.ecr.aws/cyral` |
-| `image.repository` | Cyral Sidecar image repository | `cyral-sidecar` |
-| `image.tag` | Cyral Sidecar image tag (required, usually this is the sidecar version) | `""` |
-| `image.digest` | Cyral Sidecar image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `image.pullPolicy` | Cyral Sidecar image pull policy | `IfNotPresent` |
-| `image.pullSecrets` | Cyral Sidecar image pull secrets | `[]` |
-| `image.debug` | Enable image debug mode | `false` |
-| `replicaCount` | Number of Cyral Sidecar replicas to deploy | `1` |
-| `extraEnvVars` | Extra environment variables to be set on Cyral Sidecar containers | `[]` |
-| `extraEnvVarsCM` | ConfigMap with extra environment variables | `""` |
-| `extraEnvVarsSecret` | Secret with extra environment variables | `""` |
-
-### Cyral Sidecar deployment parameters
-
-| Name | Description | Value |
-| --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
-| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` |
-| `tolerations` | Tolerations for pod assignment. Evaluated as a template. | `[]` |
-| `extraVolumes` | Array of extra volumes to be added to the Cyral Sidecar deployment (evaluated as template).
Requires setting `extraVolumeMounts` | `[]` |
-| `serviceAccount.create` | Enable creation of ServiceAccount for Cyral Sidecar pod | `true` |
-| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
-| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. | `{}` |
-| `serviceAccount.automountServiceAccountToken` | Auto-mount the service account token in the pod | `true` |
-| `rbac.create` | Create Role and RoleBinding | `true` |
-| `rbac.rules` | Custom RBAC rules to set | `[]` |
-| `podSecurityContext.enabled` | Enabled Cyral Sidecar pods' Security Context | `true` |
-| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
-| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
-| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
-| `podSecurityContext.fsGroup` | Set Cyral Sidecar pod's Security Context fsGroup | `1001` |
-| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `65534` |
-| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
-| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
-| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
-| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
-| `containerPorts` | Map of all ports inside Cyral Sidecar container | `{}` |
-| `extraContainerPorts` | Array of additional container ports for the Cyral Sidecar
container | `[]` |
-| `service.type` | Service type | `LoadBalancer` |
-| `service.ports` | Map of Cyral Sidecar service ports | `{}` |
-| `service.nodePorts` | Specify the nodePort(s) value(s) for the LoadBalancer and NodePort service types. | `{}` |
-| `service.targetPort` | Target port reference value for the Loadbalancer service types can be specified explicitly. | `{}` |
-| `service.clusterIP` | Cyral Sidecar service Cluster IP | `""` |
-| `service.loadBalancerIP` | LoadBalancer service IP address | `""` |
-| `service.loadBalancerSourceRanges` | Cyral Sidecar service Load Balancer sources | `[]` |
-| `service.loadBalancerClass` | service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
-| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
-| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-| `service.annotations` | Service annotations | `{}` |
-| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
-
-### Cyral configuration parameters
-
-| Name | Description | Value |
-| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
-| `cyral.sidecarId` | Sidecar identifier | `""` |
-| `cyral.controlPlane` | Address of the control plane - .cyral.com | `""` |
-| `cyral.credentials.existingSecret` | Name of an existing Kubernetes secret containing client ID and client secret. The secret must contain the `clientId` and `clientSecret` keys. | `""` |
-| `cyral.credentials.clientId` | The client ID assigned to the sidecar. Optional - required only if existingSecret is not provided. | `""` |
-| `cyral.credentials.clientSecret` | The client secret assigned to the sidecar.
Optional - required only if existingSecret is not provided. | `""` |
-| `cyral.sidecar.dnsName` | Fully qualified domain name that will be used to access the Cyral Sidecar | `""` |
-| `cyral.sidecar.certificates.tls.existingSecret` | Name of an existing Kubernetes secret containing a private key and a certificate to terminate TLS connections. | `""` |
-| `cyral.sidecar.certificates.ca.existingSecret` | Name of an existing Kubernetes secret containing a private key and a certificate for the internal CA. | `""` |
-| `cyral.sidecar.snowflake.SSOLoginURL` | The IdP SSO URL for the IdP being used with Snowflake. | `""` |
-| `cyral.sidecar.snowflake.idpCertificate` | The certificate used to verify SAML assertions from the IdP being used with Snowflake. Enter this value as a one-line string with literal new line characters (\n) specifying the line breaks. | `""` |
-| `cyral.sidecar.snowflake.sidecarIdpCertificate` | The public certificate used to verify signatures for SAML Assertions generated by the sidecar. Required if using SSO with Snowflake. | `""` |
-| `cyral.sidecar.snowflake.sidecarIdpPrivateKey` | The private key used to sign SAML Assertions generated by the sidecar. Required if using SSO with Snowflake. | `""` |
-| `cyral.deploymentProperties.cloud` | Cloud provider where the Cyral Sidecar is hosted. | `""` |
-| `cyral.deploymentProperties.endpoint` | Fully qualified domain name that will be used to access the Cyral Sidecar. | `""` |
-| `cyral.deploymentProperties.deploymentType` | Deployment type choosen to deploy the Cyral Sidecar. Defaults to `helm-kubernetes`.
| `helm-kubernetes` |
+### Deployment configuration
+
+| Name | Description | Value |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------ |
+| `affinity` | Affinity for pod assignment | `{}` |
+| `extraEnvVars` | Extra environment variables to be set on Cyral Sidecar containers | `[]` |
+| `extraEnvVarsCM` | ConfigMap with extra environment variables | `""` |
+| `extraEnvVarsSecret` | Secret with extra environment variables | `""` |
+| `extraVolumes` | Array of extra volumes to be added to the Cyral Sidecar deployment (evaluated as template). Requires setting `extraVolumeMounts` | `[]` |
+| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` |
+| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
+| `nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` |
+| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `hard` |
+| `replicaCount` | Number of Cyral Sidecar replicas to deploy | `1` |
+| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `tolerations` | Tolerations for pod assignment. Evaluated as a template.
| `[]` |
+
+### Image configuration
+
+| Name | Description | Value |
+| ------------------- | ------------------------------------------------------------------------------------------------------------- | ---------------------- |
+| `image.debug` | Enable image debug mode | `false` |
+| `image.digest` | Cyral Sidecar image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `image.pullPolicy` | Cyral Sidecar image pull policy | `IfNotPresent` |
+| `image.pullSecrets` | Cyral Sidecar image pull secrets | `[]` |
+| `image.registry` | Cyral Sidecar image registry | `public.ecr.aws/cyral` |
+| `image.repository` | Cyral Sidecar image repository | `cyral-sidecar` |
+
+### Ports configuration
+
+| Name | Description | Value |
+| --------------------- | ------------------------------------------------------------------- | ----- |
+| `containerPorts` | Map of all ports inside Cyral Sidecar container | `{}` |
+| `extraContainerPorts` | Array of additional container ports for the Cyral Sidecar container | `[]` |
+
+### RBAC configuration
+
+| Name | Description | Value |
+| ------------- | --------------------------- | ------ |
+| `rbac.create` | Create Role and RoleBinding | `true` |
+| `rbac.rules` | Custom RBAC rules to set | `[]` |
+
+### Security context configuration
+
+| Name | Description | Value |
+| --------------------------------------------------- | --------------------------------------------------------- | ---------------- |
+| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `containerSecurityContext.seLinuxOptions` | Set
SELinux options in container | `nil` |
+| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `65534` |
+| `podSecurityContext.enabled` | Enabled Cyral Sidecar pods' Security Context | `true` |
+| `podSecurityContext.fsGroup` | Set Cyral Sidecar pod's Security Context fsGroup | `1001` |
+| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+
+### Service account configuration
+
+| Name | Description | Value |
+| --------------------------------------------- | --------------------------------------------------------- | ------ |
+| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. | `{}` |
+| `serviceAccount.automountServiceAccountToken` | Auto-mount the service account token in the pod | `true` |
+| `serviceAccount.create` | Enable creation of ServiceAccount for Cyral Sidecar pod | `true` |
+| `serviceAccount.name` | The name of the ServiceAccount to use.
| `""` |
+
+### Service configuration
+
+| Name | Description | Value |
+| ---------------------------------- | ------------------------------------------------------------------------------------------- | -------------- |
+| `service.annotations` | Service annotations | `{}` |
+| `service.clusterIP` | Cyral Sidecar service Cluster IP | `""` |
+| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
+| `service.loadBalancerClass` | service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
+| `service.loadBalancerIP` | LoadBalancer service IP address | `""` |
+| `service.loadBalancerSourceRanges` | Cyral Sidecar service Load Balancer sources | `[]` |
+| `service.nodePorts` | Specify the nodePort(s) value(s) for the LoadBalancer and NodePort service types. | `{}` |
+| `service.ports` | Map of Cyral Sidecar service ports | `{}` |
+| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
+| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `service.targetPort` | Target port reference value for the Loadbalancer service types can be specified explicitly. | `{}` |
+| `service.type` | Service type | `LoadBalancer` |
diff --git a/docs/certificates.md b/docs/certificates.md
new file mode 100644
index 0000000..d3cbe48
--- /dev/null
+++ b/docs/certificates.md
@@ -0,0 +1,111 @@ +# Configuring certificates for Helm sidecars + +You can use Cyral's default [sidecar-created +certificate](https://cyral.com/docs/sidecars/certificates/overview#sidecar-created-certificate) or use a +[custom certificate](https://cyral.com/docs/sidecars/certificates/overview#custom-certificate) to secure +the communications performed by the sidecar. + +In this page we provide two ways of deploying a custom certificate to +your `helm` sidecar: + +- using `cert-manager` to provision the certificate automatically on your cluster; or +- provisioning a certificate signed by the Certificate Authority of your choice. + +The first approach creates a stack for certificate management based on +a set of certificate signing and validation methods. The second approach +creates a `kubernetes` secret containing the information from the +provisioned certificate. + +## `cert-manager` provisioned certificate + +This set of instructions makes use of [`cert-manager`](https://cert-manager.io/docs/), an extension to `kubernetes` +that uses CRDs to easily manage certificates from different sources. + +### Prerequisites + +1. Have a [Kubernetes cluster](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#creating-a-deployment) deployed. +2. [Install Helm 3](https://helm.sh/docs/intro/install/). +3. Have [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) permissions to install CRDs. + +### Installing cert-manager + +`cert-manager` installation is well documented in [their documentation](https://cert-manager.io/docs/installation/). We recommend +installing it using `helm`. + +To install the latest version of `cert-manager`, run the following command: +```bash +helm upgrade -i cert-manager cert-manager -n cert-manager --repo https://charts.jetstack.io --create-namespace --set installCRDs=true +``` + +### Creating an issuer + +An `Issuer` is a `cert-manager` resource that configures how your certificate will be validated. 
The issuer's configuration will vary +with your cloud provider and validation method. Refer to the [project documentation](https://cert-manager.io/docs/configuration/) to create an issuer. + + +### Creating the certificate + +After creating an issuer, you need to create a `Certificate` resource so that `cert-manager` starts the validation process for your domain using the +configuration created in the `Issuer` from the last step. The certificate should look something like this: + +```yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: acme-crt + namespace: +spec: + secretName: + dnsNames: + - my-sidecar.my-domain.com + issuerRef: + name: + # We can reference ClusterIssuers by changing the kind here. + # The default value is Issuer (i.e. a locally namespaced Issuer) + kind: Issuer + group: cert-manager.io +``` + +This will trigger a chain that will eventually create a `tls` secret with the name `` on the `` namespace. + +**The secret name must be provided to the sidecar Helm chart. See [how to do +it here](#provide-custom-certificate-to-the-sidecar).** + +**WARNING:** By default, the sidecar contains permissions to `get` and `watch` `v1/Secret` resources in the namespace +it's created in. If you are using a custom `ServiceAccount`, make sure it has these permissions attached to it. + +## Provide custom certificate to the sidecar + +To provide a custom certificate to the sidecar, first create a secret then provide the +secret name in the values file of the Helm chart. + +The `helm` sidecar makes use of [tls secrets](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) to load +custom certificates. 
+ +You can create the secret from a PEM encoded certificate file and a key file using the following command: +```bash +kubectl create secret tls my-tls-secret \ + --cert=path/to/cert/file \ + --key=path/to/key/file \ + --namespace +``` + +To make the sidecar use your custom certificate, provide the name of the secret +to the sidecar Helm chart. + +Suppose you created the secrets `my-tls-secret` and `my-ca-secret`, then +provide the following to your values file: + +```yaml +cyral: + sidecar: + certificates: + tls: + existingSecret: "my-tls-secret" + ca: + existingSecret: "my-ca-secret" +``` + +The choice between providing a `tls`, a `ca` secret or *both* will depend on the repositories +used by your sidecar. See the certificate type used by each repository in the +[sidecar certificates](https://cyral.com/docs/sidecars/deployment/certificates#sidecar-certificate-types) page. \ No newline at end of file diff --git a/docs/metrics.md b/docs/metrics.md new file mode 100644 index 0000000..b69554e --- /dev/null +++ b/docs/metrics.md 
@@ -0,0 +1,84 @@ +# Reading metrics from Helm sidecars + +**NOTE:** You can look at all the metrics definitions and what they mean on our [metrics reference page](https://cyral.com/docs/sidecars/monitoring/metrics) + +Metric collection on the `helm` sidecar can be configured in numerous ways, depending +on the `Prometheus` configuration for your `Kubernetes` cluster. You can +set the metrics port by adding the following to your `values.yaml` file: + +```yaml +containerPorts: + metrics: 9000 # this is the default value +``` + +By default, this port will not be exposed on the `Service` object created by the `helm` chart. +To enable its exposure, you can add the following to your `values.yaml` file: + +```yaml +service: + ports: + metrics: 9000 + targetPort: + metrics: metrics +``` + +## Prometheus configuration + +### Service Monitor discovery configuration + +The sidecar `helm` chart packages a `ServiceMonitor` object which can be used +in conjunction with a [`prometheus operator`](https://github.com/prometheus-operator/prometheus-operator) to +monitor all pods in the sidecar's `Deployment`. To enable the service monitor, you +can add the following to your `values.yaml` file: + +```yaml +metrics: + serviceMonitor: + enabled: true +``` + +**NOTE:** There are many other configuration options for the `ServiceMonitor` object, +you can look at the default `values.yaml` file to know all the options. 
+ +### Annotation based Prometheus discovery configuration + +You can add common `Prometheus` annotations by adding the following +to your `values.yaml` file: + +```yaml +podAnnotations: + "prometheus.io/scrape": "true" + "prometheus.io/port": "9000" +``` + +**NOTE:** You can look at configuring `Prometheus` service discovery for `Kubernetes` +on [Prometheus' documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kubernetes_sd_config) + +## Datadog configuration + +Datadog metric scraping on Kubernetes can be done in several different ways, and +refer to [their documentation](https://docs.datadoghq.com/containers/kubernetes/prometheus/?tab=kubernetesadv2) for +a more in depth explanation on Datadog metrics collection on Kubernetes. + +Metrics are exposed through the `metrics-aggregator` container, on the `metrics.port` port, and are on `OpenMetrics` format, +so a sample annotation you can create by changing your `values.yaml` file is the following: + +```yaml +podAnnotations: + ad.datadoghq.com/metrics-aggregator.checks: | + { + "openmetrics": { + "init_config": {}, + "instances": [ + { + "openmetrics_endpoint": "http://%%host%%:9000/metrics ", + "namespace": "cyral", + "metrics": ["cyral*", "up"] + } + ] + } + } +``` + +This example would expose any metrics starting with `cyral` and the `up` metric +to Datadog, on the `cyral` namespace. diff --git a/docs/node-scheduling.md b/docs/node-scheduling.md new file mode 100644 index 0000000..ece5d33 --- /dev/null +++ b/docs/node-scheduling.md 
@@ -0,0 +1,63 @@ +# Scheduling nodes for a Helm sidecar + +There are many ways to specify to which nodes your sidecar should and should +not be scheduled to. + +## Node Selectors + +In the `cyral-sidecar` chart, use the variable `nodeSelector` to force +your sidecar pods to run on a specific set of Kubernetes cluster +nodes. The syntax uses a label-value pair to specify the nodes: + +```yaml +nodeSelector: + SOME_LABEL: SOME_VALUE +``` + +Learn more about [node selectors](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector). + +## Node Affinity + +To set the node affinity for the pods, use the variable `affinity`. This will let you use +a very expressive language to define affinities and anti affinities for each pod on the deployment. + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/e2e-az-name + operator: In + values: + - e2e-az1 + - e2e-az2 + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + - key: another-node-label-key + operator: In + values: + - another-node-label-value +``` + +**TIP**: You can configure presets for pod anti-affinity and pod affinity using the +`podAntiAffinityPreset` and `podAffinityPreset` keys in the [values file](./values-file.md#deployment-configuration). + +Learn more about [affinity and anti affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). + +## Pod tolerations + +You can set tolerations for your pod, so that it doesn't get scheduled to a tainted +node. To set the tolerations use the variable `tolerations`. + +```yaml +tolerations: +- key: "key1" + operator: "Equal" + value: "value1" + effect: "NoSchedule" +``` + +Learn more about [taints and tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). 
diff --git a/docs/port-configuration.md b/docs/port-configuration.md new file mode 100644 index 0000000..01fccb8 --- /dev/null +++ b/docs/port-configuration.md 
@@ -0,0 +1,64 @@ +# Restricting ports where users connect to repositories + +A single Cyral sidecar cluster usually monitors and protects many +repositories of different types. To make it easy for data users to +connect to these repositories using the port numbers they're +accustomed to, the sidecar cluster exposes multiple ports. +You can restrict or increase the set of exposed ports by changing +the exposed ports in the `values.yaml` file. + +## Declaring container ports + +On the `values.yaml` file, you can find different parameters related +to ports exposure. The `containerPorts` object specifies which ports +the container will listen on. It has a map of `: `, +where `` is an arbitrary name for the port and `` +is an integer to the TCP port. These are the same port numbers used to bind +data repositories on the Control Plane. + +```yaml +containerPorts: + mysql: 3306 + pg: 5432 + mongodb0: 27017 + mongodb1: 27018 + mongodb2: 27019 +``` + +The above example declares some port names (`mysql`, `pg`, `mongodb0`, `mongodb1`, +and `mongodb2`) and their corresponding port numbers. We can refer to these port +names later on to expose them through a Kubernetes service. + +## Exposing container ports + +To expose container ports to external traffic or to other pods within the cluster, you need to set +service ports. The `service` object defines `ports` and `targetPorts`. The `ports` property specifies +the ports the Service will expose, while `targetPort` maps the Service ports to the container's +`containerPorts` declared previously. + +In `service.ports`, you define a map of `: ` where the Kubernetes service +will listen on. Then, you can use `service.targetPorts` to map service ports to container ports +in the format `: `. For instance, assuming you defined a +container port as `mysql: 3306` and a service port as `mysql: 3306`, you can set `mysql: mysql` +in `targetPorts` to create a link between them. + +Following is an example of how to set service ports. 
+ +```yaml +service: + ... + ports: + mysql: 3306 + pg: 5432 + mongodb0: 27017 + mongodb1: 27018 + mongodb2: 27019 + targetPort: + mysql: mysql + pg: pg + mongodb0: mongodb0 + mongodb1: mongodb1 + mongodb2: mongodb2 +``` + +The above example expose ports `3306`, `5432`, `27017`, `27018`, and `27019` on the service. diff --git a/docs/pre-existing-sa.md b/docs/pre-existing-sa.md new file mode 100644 index 0000000..02d276d --- /dev/null +++ b/docs/pre-existing-sa.md 
@@ -0,0 +1,59 @@ +# Using a pre-existing service account for a Helm sidecar + +When the sidecar is deployed, it creates a role to access some of the +Kubernetes APIs. You may wish to retain control over roles and role +binding, and you may wish to do this outside of your Helm charts. You +can accomplish this by deploying the sidecar using external service +accounts. Below, we explain how to do this. + +1. **Create the service account**: You can deploy the Cyral sidecar using + a Kubernetes service account that you create and manage. Here, + we'll create a service account. In this command, + - `SIDECAR_NAMESPACE` is the Kubernetes namespace where the Cyral + sidecar cluster will run + - `SIDECAR_SA` is the Kubernetes service account that will deploy and + run the Cyral sidecar cluster + + ``` + kubectl create sa -n $SIDECAR_NAMESPACE $SIDECAR_SA + ``` + +2. **Create the roles and role bindings**: The Cyral sidecar + requires 3 separate roles: + - a role for the *sidecar exporter* (service that sends sidecar health + metrics to the Cyral management console), + - a role for the sidecar’s *log shipper* that sends + log data to services such as ELK, and + - a role for *accessing the Kubernetes secret* with credentials + needed to access the Cyral control plane. 
+ + Follow the examples below, replacing the names in angle brackets + with names suitable for your environment: + + ``` + kubectl create role --verb=get --resource=services -n $SIDECAR_NAMESPACE + + kubectl create role --verb=get,watch,list --resource=pods -n $SIDECAR_NAMESPACE + + kubectl create role --verb=get,watch,patch --resource=secrets -n $SIDECAR_NAMESPACE + ``` + + Bind the roles to the service account: + + ``` + kubectl create rolebinding --role= --serviceaccount=$SIDECAR_NAMESPACE:$SIDECAR_SA --namespace $SIDECAR_NAMESPACE + + kubectl create rolebinding --role= --serviceaccount=$SIDECAR_NAMESPACE:$SIDECAR_SA --namespace $SIDECAR_NAMESPACE + + kubectl create rolebinding --role= --serviceaccount=$SIDECAR_NAMESPACE:$SIDECAR_SA --namespace $SIDECAR_NAMESPACE + ``` + +3. **Modify the values.yaml file**: The downloaded `values.yaml` files + need to be modified to use the above-created service account. + Note that `serviceAccount.create` must be set to false: + + ```yaml + serviceAccount: + name: $SIDECAR_SA + create: false + ``` diff --git a/docs/public-load-balancer.md b/docs/public-load-balancer.md new file mode 100644 index 0000000..0eede4e --- /dev/null +++ b/docs/public-load-balancer.md 
@@ -0,0 +1,39 @@ +# Exposing a Helm sidecar to the Internet + +To expose the sidecar to the Internet, so it's reachable outside the cluster, we use a `LoadBalancer` type service. +This tells your cluster to provision a load balancer. This request has a different behavior depending on the cloud +provider of your cluster. + +## GKE (GCP) + +By default, GKE provisions a public IP for any `LoadBalancer` service. If needed, you can check [GKE docs](https://cloud.google.com/kubernetes-engine/docs/how-to/service-parameters) for any special needs for your deployment. + +## EKS (AWS) + +By default, EKS provisions an internal facing load balancer for a `LoadBalancer` service. To make the load balancer provision a public IP address, +you need to add the following annotations on the `service.annotations` field of the values file: + +```yaml +service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-type: "external" + service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" +``` + +You can view a full list of possible annotations on [this page](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/annotations). + +## OKE (OCI) +By default, OKE provisions a public IP for any `LoadBalancer` service. You can add the following annotation on the `service.annotations` field of the values file if you want OKE to provision an internal load balancer: + +```yaml +service: + annotations: + service.beta.kubernetes.io/oci-load-balancer-internal: "true" +``` + +If needed, you can check [OCI](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingloadbalancer.htm) docs for any special needs for your deployment. + +## AKS (Azure) +By default, AKS provisions a public IP for any `LoadBalancer` service. If needed, you can check +[AKS docs](https://docs.microsoft.com/en-us/azure/aks/load-balancer-standard#use-the-public-standard-load-balancer) +for any special needs for your deployment. 
diff --git a/docs/resources.md b/docs/resources.md new file mode 100644 index 0000000..1cbfcd9 --- /dev/null +++ b/docs/resources.md @@ -0,0 +1,22 @@ +# Setting resources for a Helm sidecar + +The sidecar deployment is composed of a single container, which can have +[resource requirements and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) attached to it. + +## Setting default requests and limits to the sidecar container + +To set the default resources for the sidecar container, add the following lines +to your `values.yaml` file. + +```yaml +resources: + limits: + cpu: 2 + memory: 8096Mi + requests: + cpu: 1 + memory: 4096Mi +``` + +**NOTE:** The above are the recommended settings for the sidecar. We advise that +you adjust the limits based on your workload and the available resources. diff --git a/docs/s3-browser.md b/docs/s3-browser.md new file mode 100644 index 0000000..5d7391a --- /dev/null +++ b/docs/s3-browser.md @@ -0,0 +1,24 @@ +#### Enable the S3 File Browser + +To configure the sidecar to work on the S3 File Browser, set the following extra parameters under the service key of your values file: + +``` +cyral: + sidecar: + dnsName: "" # ex: "sidecar.custom-domain.com" +service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:::certificate/" + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp" + service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443 +``` + +The CNAME provided in `cyral.sidecar.dnsName` must be created +after the deployment pointing to the sidecar load balancer. +See [Add a CNAME or A record for the sidecar](https://cyral.com/docs/sidecars/manage/alias). + +All the Helm parameters used above are documented in the +[values file configuration reference](./values-file.md). +For more details about the S3 File Browser configuration, check the +[Enable the S3 File Browser](https://cyral.com/docs/how-to/enable-s3-browser) +documentation. 
diff --git a/docs/values-file.md b/docs/values-file.md new file mode 100644 index 0000000..8a37441 --- /dev/null +++ b/docs/values-file.md @@ -0,0 +1,3 @@ +# Values file configuration reference + +Refer to the [parameters section](https://github.com/cyralinc/helm-sidecar?tab=readme-ov-file#parameters) in the Helm chart repository for the options available to configure your Helm sidecar in the `values.yaml` file. diff --git a/templates/common/_images.tpl b/templates/common/_images.tpl index 84240a4..d50e07e 100644 --- a/templates/common/_images.tpl +++ b/templates/common/_images.tpl @@ -12,11 +12,6 @@ Return the proper image name {{- $repositoryName := .imageRoot.repository -}} {{- $separator := ":" -}} {{- $termination := .imageRoot.tag | toString -}} -{{- if .global }} - {{- if .global.imageRegistry }} - {{- $registryName = .global.imageRegistry -}} - {{- end -}} -{{- end -}} {{- if .imageRoot.digest }} {{- $separator = "@" -}} {{- $termination = .imageRoot.digest | toString -}} @@ -35,16 +30,6 @@ Return the proper Docker Image Registry Secret Names (deprecated: use common.ima {{- define "common.images.pullSecrets" -}} {{- $pullSecrets := list }} - {{- if .global }} - {{- range .global.imagePullSecrets -}} - {{- if kindIs "map" . -}} - {{- $pullSecrets = append $pullSecrets .name -}} - {{- else -}} - {{- $pullSecrets = append $pullSecrets . -}} - {{- end }} - {{- end -}} - {{- end -}} - {{- range .images -}} {{- range .pullSecrets -}} {{- if kindIs "map" . -}} diff --git a/values.yaml b/values.yaml index a518a13..146d367 100644 --- a/values.yaml +++ b/values.yaml 
@@ -1,126 +1,175 @@ # Copyright Cyral, Inc. # SPDX-License-Identifier: APACHE-2.0 -## @section Global parameters -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry and imagePullSecrets -## +## @section Required Cyral configuration +## @param cyral.sidecarId Sidecar identifier +## @param cyral.controlPlane Address of the control plane - .cyral.com +## @param cyral.credentials.clientId The client ID assigned to the sidecar. Optional - required only if existingSecret is not provided. +## @param cyral.credentials.clientSecret The client secret assigned to the sidecar. Optional - required only if existingSecret is not provided. +## @param image.tag Cyral Sidecar image tag (this is the sidecar version) -## @param global.imageRegistry Global Docker image registry -## @param global.imagePullSecrets [array] Global Docker registry secret names as an array -## -global: - imageRegistry: "" - ## E.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName - ## - imagePullSecrets: [] -## @section Common parameters -## +## @section Certificates configuration +## @param cyral.sidecar.certificates.ca.existingSecret Name of an existing Kubernetes secret containing a private key and a certificate for the internal CA. +## @param cyral.sidecar.certificates.tls.existingSecret Name of an existing Kubernetes secret containing a private key and a certificate to terminate TLS connections. + +## @section Cyral deployment properties configuration +## @param cyral.deploymentProperties.cloud Cloud provider where the Cyral Sidecar is hosted. +## @param cyral.deploymentProperties.deploymentType Deployment type choosen to deploy the Cyral Sidecar. Defaults to `helm-kubernetes`. +## @param cyral.deploymentProperties.endpoint Fully qualified domain name that will be used to access the Cyral Sidecar. 
+ +## @section Snowflake configuration +## @param cyral.sidecar.snowflake.idpCertificate The certificate used to verify SAML assertions from the IdP being used with Snowflake. Enter this value as a one-line string with literal new line characters (\n) specifying the line breaks. +## @param cyral.sidecar.snowflake.sidecarIdpCertificate The public certificate used to verify signatures for SAML Assertions generated by the sidecar. Required if using SSO with Snowflake. +## @param cyral.sidecar.snowflake.sidecarIdpPrivateKey The private key used to sign SAML Assertions generated by the sidecar. Required if using SSO with Snowflake. +## @param cyral.sidecar.snowflake.SSOLoginURL The IdP SSO URL for the IdP being used with Snowflake. + +## @section Other Cyral configuration +## @param cyral.credentials.existingSecret Name of an existing Kubernetes secret containing client ID and client secret. The secret must contain the `clientId` and `clientSecret` keys. +## @param cyral.sidecar.dnsName Fully qualified domain name that will be used to access the Cyral Sidecar +## @section Common configuration +## @param commonAnnotations Common annotations to add to all Cyral Sidecar resources (sub-charts are not considered). Evaluated as a template +## @param commonLabels Common labels to add to all Cyral Sidecar resources (sub-charts are not considered). 
Evaluated as a template +## @param clusterDomain Kubernetes cluster domain +## @param fullnameOverride String to fully override common.names.fullname template with a string ## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) -## -kubeVersion: "" ## @param nameOverride String to partially override common.names.fullname template with a string (will prepend the release name) -## -nameOverride: "" -## @param fullnameOverride String to fully override common.names.fullname template with a string -## -fullnameOverride: "" -## @param commonAnnotations Common annotations to add to all Cyral Sidecar resources (sub-charts are not considered). Evaluated as a template -## + +## @section Deployment configuration +## @param affinity Affinity for pod assignment +## @param extraEnvVars Extra environment variables to be set on Cyral Sidecar containers +## @param extraEnvVarsCM ConfigMap with extra environment variables +## @param extraEnvVarsSecret Secret with extra environment variables +## @param extraVolumes Array of extra volumes to be added to the Cyral Sidecar deployment (evaluated as template). Requires setting `extraVolumeMounts` +## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. +## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. +## @param nodeSelector Node labels for pod assignment. Evaluated as a template. +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` +## @param replicaCount Number of Cyral Sidecar replicas to deploy +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## @param tolerations Tolerations for pod assignment. Evaluated as a template. + +## @section Image configuration +## @param image.debug Enable image debug mode +## @param image.digest Cyral Sidecar image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy Cyral Sidecar image pull policy +## @param image.pullSecrets Cyral Sidecar image pull secrets +## @param image.registry [default: public.ecr.aws/cyral] Cyral Sidecar image registry +## @param image.repository [default: cyral-sidecar] Cyral Sidecar image repository + +## @section Ports configuration +## @param containerPorts [object] Map of all ports inside Cyral Sidecar container +## @param extraContainerPorts Array of additional container ports for the Cyral Sidecar container + +## @section RBAC configuration +## @param rbac.create Create Role and RoleBinding +## @param rbac.rules Custom RBAC rules to set + +## @section Security context configuration +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.runAsUser Set containers' Security 
Context runAsUser +## @param podSecurityContext.enabled Enabled Cyral Sidecar pods' Security Context +## @param podSecurityContext.fsGroup Set Cyral Sidecar pod's Security Context fsGroup +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.sysctls [array] Set kernel settings using the sysctl interface + +## @section Service account configuration +## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. +## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod +## @param serviceAccount.create Enable creation of ServiceAccount for Cyral Sidecar pod +## @param serviceAccount.name The name of the ServiceAccount to use. + +## @section Service configuration +## @param service.annotations Service annotations +## @param service.clusterIP Cyral Sidecar service Cluster IP +## @param service.externalTrafficPolicy Enable client source IP preservation +## @param service.loadBalancerClass service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) +## @param service.loadBalancerIP LoadBalancer service IP address +## @param service.loadBalancerSourceRanges Cyral Sidecar service Load Balancer sources +## @param service.nodePorts [object] Specify the nodePort(s) value(s) for the LoadBalancer and NodePort service types. +## @param service.ports [object] Map of Cyral Sidecar service ports +## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" +## @param service.sessionAffinityConfig Additional settings for the sessionAffinity +## @param service.targetPort [object] Target port reference value for the Loadbalancer service types can be specified explicitly. 
+## @param service.type Service type + +cyral: + sidecarId: "" + controlPlane: "" + + credentials: + clientId: "" + clientSecret: "" + existingSecret: "" + + sidecar: + dnsName: "" + + certificates: + ca: + existingSecret: "" + tls: + existingSecret: "" + + snowflake: + SSOLoginURL: "" + idpCertificate: "" + sidecarIdpCertificate: "" + sidecarIdpPrivateKey: "" + + deploymentProperties: + cloud: "" + endpoint: "" + deploymentType: helm-kubernetes + commonAnnotations: {} -## @param commonLabels Common labels to add to all Cyral Sidecar resources (sub-charts are not considered). Evaluated as a template -## commonLabels: {} -## @param clusterDomain Kubernetes cluster domain -## clusterDomain: cluster.local -## @section Cyral Sidecar deployment parameters +fullnameOverride: "" +kubeVersion: "" +nameOverride: "" -## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAntiAffinityPreset: hard -## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAffinityPreset: "" -## Node affinity preset ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity -## nodeAffinityPreset: - ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. ## E.g. ## key: "kubernetes.io/e2e-az-name" - ## key: "" - ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. ## E.g. 
## values: ## - e2e-az1 ## - e2e-az2 - ## + type: "" values: [] -## @param affinity Affinity for pod assignment + +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +podAffinityPreset: "" +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +podAntiAffinityPreset: hard + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set ## affinity: {} -## Cyral Sidecar image -## ref: https://hub.docker.com/r/cyral/sidecar/tags/ -## @param image.registry [default: public.ecr.aws/cyral] Cyral Sidecar image registry -## @param image.repository [default: cyral-sidecar] Cyral Sidecar image repository -## @param image.tag Cyral Sidecar image tag (required, usually this is the sidecar version) -## @param image.digest Cyral Sidecar image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag -## @param image.pullPolicy Cyral Sidecar image pull policy -## @param image.pullSecrets Cyral Sidecar image pull secrets -## @param image.debug Enable image debug mode -## -image: - registry: public.ecr.aws/cyral - repository: cyral-sidecar - tag: "" - digest: "" - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. 
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Enable debug mode - ## - debug: false -## @param replicaCount Number of Cyral Sidecar replicas to deploy -## -## @param extraEnvVars Extra environment variables to be set on Cyral Sidecar containers + ## E.g: ## extraEnvVars: ## - name: FOO ## value: BAR ## extraEnvVars: [] -## @param extraEnvVarsCM ConfigMap with extra environment variables -## extraEnvVarsCM: "" -## @param extraEnvVarsSecret Secret with extra environment variables -## extraEnvVarsSecret: "" -## @section Cyral Sidecar deployment parameters + replicaCount: 1 -## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: ## requests: 
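Review bot: The `global:` block (`global.imageRegistry`, `global.imagePullSecrets`) is deleted at the top of this hunk, and the template code that read it is deleted in `templates/common/_images.tpl` in the same commit, yet nothing in this hunk marks the keys deprecated or tells operators what replaces them. A values file that still sets `global.imagePullSecrets` for a private mirror will (absent a values.schema.json rejecting unknown keys) install cleanly and silently lose its pull secrets, and one relying on `global.imageRegistry` will fall back to the `public.ecr.aws/cyral` default further down; consider a `global:` stub with `## DEPRECATED: use image.registry and image.pullSecrets instead` for one release, or an explicit upgrade note. Separately, `cyral.credentials.clientId`/`clientSecret` are listed under `@section Required Cyral configuration` while `cyral.credentials.existingSecret` is filed under `Other`, which steers readers toward putting the secret inline in `values.yaml`; rewording the required entry as `## @param cyral.credentials.clientSecret ... Prefer cyral.credentials.existingSecret so the secret is not stored in the values file.` would reverse that. Also `choosen` in the `deploymentType` line should read `chosen`.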
@@ -131,41 +180,50 @@ replicaCount: 1 ## memory: 1024Mi ## resources: {} -## @param nodeSelector Node labels for pod assignment. Evaluated as a template. ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} -## @param tolerations Tolerations for pod assignment. Evaluated as a template. ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ ## tolerations: [] -## @param extraVolumes Array of extra volumes to be added to the Cyral Sidecar deployment (evaluated as template). Requires setting `extraVolumeMounts` ## extraVolumes: [] + ## Pods Service Account ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## serviceAccount: - ## @param serviceAccount.create Enable creation of ServiceAccount for Cyral Sidecar pod - ## create: true - ## @param serviceAccount.name The name of the ServiceAccount to use. ## If not set and create is true, a name is generated using the `common.names.fullname` template name: "" - ## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. ## Only used if `create` is `true`. - ## annotations: {} - ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod - ## automountServiceAccountToken: true + +## ref: https://hub.docker.com/r/cyral/sidecar/tags/ +image: + registry: public.ecr.aws/cyral + repository: cyral-sidecar + tag: "" + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + pullSecrets: [] + ## Enable debug mode + debug: false + ## Role Based Access ## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ -## @param rbac.create Create Role and RoleBinding -## rbac: create: true - ## @param rbac.rules Custom RBAC rules to set ## e.g: ## rules: ## - apiGroups: @@ -177,14 +235,9 @@ rbac: ## - list ## rules: [] + ## Cyral Sidecar pods' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod -## @param podSecurityContext.enabled Enabled Cyral Sidecar pods' Security Context -## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy -## @param podSecurityContext.sysctls [array] Set kernel settings using the sysctl interface -## @param podSecurityContext.supplementalGroups Set filesystem extra groups -## @param podSecurityContext.fsGroup Set Cyral Sidecar pod's Security Context fsGroup -## podSecurityContext: enabled: true fsGroupChangePolicy: Always 
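Review bot: `automountServiceAccountToken: true` loses its only nearby explanation when the `@param` line is moved to the file header, and that header text merely restates the key name, so an operator hardening the pod has no guidance on whether `false` is safe. Presumably the token is what the sidecar uses for the Kubernetes API access that `rbac.create: true` below and the roles described in `docs/pre-existing-sa.md` grant (please confirm); if so, a comment such as `## Needed for the in-cluster API calls covered by rbac.rules; set to false only if the sidecar is given API credentials another way` would make the trade-off explicit.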
@@ -193,17 +246,9 @@ podSecurityContext: value: "0" supplementalGroups: [] fsGroup: 1001 + ## Cyral Sidecar containers' Security Context. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -## @param containerSecurityContext.enabled Enabled containers' Security Context -## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container -## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser -## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot -## @param containerSecurityContext.privileged Set container's Security Context privileged -## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem -## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation -## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile -## containerSecurityContext: enabled: true seLinuxOptions: null @@ -214,9 +259,8 @@ containerSecurityContext: allowPrivilegeEscalation: false seccompProfile: type: "RuntimeDefault" + ## Configures the ports Cyral Sidecar listens on -## @param containerPorts [object] Map of all ports inside Cyral Sidecar container -## containerPorts: metrics: 9000 denodo0: 9996 
@@ -233,20 +277,18 @@ containerPorts: redshift: 5439 s3: 453 snowflake: 443 -## @param extraContainerPorts Array of additional container ports for the Cyral Sidecar container ## e.g: ## extraContainerPorts: ## - 4317 ## extraContainerPorts: [] -## Cyral Sidecar Service properties -## + service: - ## @param service.type Service type - ## type: LoadBalancer - ## @param service.ports [object] Map of Cyral Sidecar service ports - ## + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + nodePorts: + sidecar: [] + ports: metrics: 9000 denodo0: 9996 @@ -263,16 +305,9 @@ service: redshift: 5439 s3: 453 snowflake: 443 - ## - ## @param service.nodePorts [object] Specify the nodePort(s) value(s) for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePorts: - sidecar: [] - ## @param service.targetPort [object] Target port reference value for the Loadbalancer service types can be specified explicitly. + ## Listeners for the Loadbalancer can be custom mapped to the any Cyral Sidecar service. ## Example: Mapping the mysql listener to targetPort mysql [mysql: mysql] - ## targetPort: denodo0: denodo0 denodo1: denodo1 
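Review bot: The new comment above `targetPort` reads `## Listeners for the Loadbalancer can be custom mapped to the any Cyral Sidecar service.`, which is ungrammatical and does not say what is being mapped to what. Suggest `## Each LoadBalancer listener (service.ports) can be mapped to any containerPorts entry by name, e.g. mysql: mysql`, which also ties the key back to the `containerPorts` map it references.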
@@ -288,95 +323,27 @@ service:
 redshift: redshift
 s3: s3
 snowflake: snowflake
- ## @param service.clusterIP Cyral Sidecar service Cluster IP
 ## e.g.:
 ## clusterIP: None
- ##
 clusterIP: ""
- ## @param service.loadBalancerIP LoadBalancer service IP address
 ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
- ##
 loadBalancerIP: ""
- ## @param service.loadBalancerSourceRanges Cyral Sidecar service Load Balancer sources
 ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
 ## e.g:
 ## loadBalancerSourceRanges:
 ## - 10.10.10.0/24
- ##
 loadBalancerSourceRanges: []
- ## @param service.loadBalancerClass service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)
 ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
- ##
 loadBalancerClass: ""
- ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
 ## If "ClientIP", consecutive client requests will be directed to the same Pod
 ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
- ##
 sessionAffinity: None
- ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
 ## sessionAffinityConfig:
 ## clientIP:
 ## timeoutSeconds: 300
- ##
 sessionAffinityConfig: {}
- ## @param service.annotations Service annotations
 ## This can be used to set the LoadBalancer service type to internal only.
 ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
- ##
 annotations: {}
- ## @param service.externalTrafficPolicy Enable client source IP preservation
 ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
- ##
 externalTrafficPolicy: Cluster
-## @section Cyral configuration parameters
-
-## Cyral parameters
-##
-cyral:
- ## @param cyral.sidecarId Sidecar identifier
- sidecarId: ""
- ## @param cyral.controlPlane Address of the control plane - .cyral.com
- controlPlane: ""
- ## Cyral credentials
- ##
- credentials:
- ## @param cyral.credentials.existingSecret Name of an existing Kubernetes secret containing client ID and client secret. The secret must contain the `clientId` and `clientSecret` keys.
- existingSecret: ""
- ## @param cyral.credentials.clientId The client ID assigned to the sidecar. Optional - required only if existingSecret is not provided.
- clientId: ""
- ## @param cyral.credentials.clientSecret The client secret assigned to the sidecar. Optional - required only if existingSecret is not provided.
- clientSecret: ""
- ## Cyral Sidecar parameters
- ##
- sidecar:
- ## @param cyral.sidecar.dnsName Fully qualified domain name that will be used to access the Cyral Sidecar
- dnsName: ""
- ## Cyral Sidecar certificates parameters
- ##
- certificates:
- ## @param cyral.sidecar.certificates.tls.existingSecret Name of an existing Kubernetes secret containing a private key and a certificate to terminate TLS connections.
- tls:
- existingSecret: ""
- ## @param cyral.sidecar.certificates.ca.existingSecret Name of an existing Kubernetes secret containing a private key and a certificate for the internal CA.
- ca:
- existingSecret: ""
- ## Snowflake parameters
- ##
- snowflake:
- ## @param cyral.sidecar.snowflake.SSOLoginURL The IdP SSO URL for the IdP being used with Snowflake.
- SSOLoginURL: ""
- ## @param cyral.sidecar.snowflake.idpCertificate The certificate used to verify SAML assertions from the IdP being used with Snowflake. Enter this value as a one-line string with literal new line characters (\n) specifying the line breaks.
- idpCertificate: ""
- ## @param cyral.sidecar.snowflake.sidecarIdpCertificate The public certificate used to verify signatures for SAML Assertions generated by the sidecar. Required if using SSO with Snowflake.
- sidecarIdpCertificate: ""
- ## @param cyral.sidecar.snowflake.sidecarIdpPrivateKey The private key used to sign SAML Assertions generated by the sidecar. Required if using SSO with Snowflake.
- sidecarIdpPrivateKey: ""
- ## Deployment properties
- ##
- deploymentProperties:
- ## @param cyral.deploymentProperties.cloud Cloud provider where the Cyral Sidecar is hosted.
- cloud: ""
- ## @param cyral.deploymentProperties.endpoint Fully qualified domain name that will be used to access the Cyral Sidecar.
- endpoint: ""
- ## @param cyral.deploymentProperties.deploymentType Deployment type choosen to deploy the Cyral Sidecar. Defaults to `helm-kubernetes`.
- deploymentType: helm-kubernetes
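Review bot: Removing the entire `cyral:` block at the end of this hunk drops the only in-chart declaration of `cyral.credentials.existingSecret`, `cyral.sidecar.certificates.tls.existingSecret` and `cyral.sidecar.certificates.ca.existingSecret`, so values.yaml no longer tells a reader that the client secret and the TLS/CA private keys are meant to come from pre-existing Kubernetes Secrets rather than be pasted inline as `clientSecret` or `sidecarIdpPrivateKey`. If the templates still dereference `.Values.cyral.…` directly (not visible in this diff), a values file that omits the `cyral` key altogether will presumably fail with a nil-pointer template error instead of a message naming the missing setting, whereas the old empty-string defaults made that path degrade gracefully. Keeping the keys with their empty defaults, or guarding them with Helm's `required` in the templates, would preserve that behaviour; at minimum a pointer comment in place of the removed block, such as `## Sidecar identity, credentials and certificates are supplied through your values file; prefer the existingSecret references over inline secret values.`, keeps the guidance discoverable from values.yaml itself.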