Earlier versions of Cyral's Helm chart for the sidecar did not follow best practices for formatting. In version 2.24, we've addressed this with a wide-ranging refactor of the chart, including renaming our parameters to follow common practice. Below, we explain the new chart structure and parameter names.
Changes
To describe the changes, we first list the individual field renaming changes and then explain the reorganization of the wire configuration and integration configuration.
Field changes
Below we list the isolated field changes.
General Configuration
Control Plane Configuration
Service configuration
Integration configuration
Example
FROM
forwardProxy:
  controlPlane:
    host: hhiu.cyral.com
    httpPort: 8000
TO
controlPlane:
  host: hhiu.cyral.com
  ports:
    http: 8000
Wire changes
Enabled Repositories
The serviceSidecar.repositoriesSupported variable has been removed; in its place, each repository has its own set of fields, including whether it is enabled or not. All repositories are supported by default, and to disable a repository you must set <repositoryName>.enabled=false either in the values file or on the helm CLI.
Examples
Disabling mysql
mysql:
  enabled: false
Disabling rest and postgres
postgres:
  enabled: false
rest:
  enabled: false
Image Updates
As with enabling repositories, each repository has its own image configuration in its own section, under <repositoryName>.image. The format is the same for all repositories and services:
image:
  registry:
  repository:
  tag:
  pullPolicy:
The full image path is assembled as follows:
{image.registry}/{image.repository}:{image.tag}
The registry can be overridden in two ways:
Values.global.cyral.imageRegistry overrides the registry of Cyral's own images, so any image that by default comes from a Cyral Docker registry now uses that value as its registry.
Values.global.imageRegistry overrides all image registries (except Datadog's), including filebeat's image.
The pull policy for all images can also be set globally via the Values.image.pullPolicy value.
Examples:
Mysql image settings
mysql:
  image:
    registry: gcr.io/cyralinc
    repository: cyral-mysql-wire
    tag: v1.13.0
Registry overrides
global:
  cyral:
    imageRegistry: gcr.io/cyralinc
This makes every wire and Cyral service image use gcr.io/cyralinc as its registry.
Port configuration
Ports can be configured in two different ways. Each repository has its own <repositoryName>.ports.sidecar section, which holds a list of ports that will be named after <repositoryName>.name. There is also service.ports, which behaves like the former serviceSidecar.sidecarPorts: it overrides all repositories' ports, and only those ports are exposed on the sidecar service.
Example
Setting mysql ports via service configuration
FROM
serviceSidecar:
  sidecarPorts: [5432]
TO
mysql:
  ports:
    sidecar: [5432]
This way, only the mysql ports are overridden, and any other ports defined by default in the chart are still exposed on the service component. Disabling a wire also removes its ports from the service.
Overwriting all wire-specific ports
service:
  ports: [5432]
This way, only port 5432 will be exposed on the sidecar, overriding every wire-defined port.
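The two port rules above (service.ports wins outright; otherwise each enabled wire contributes its ports.sidecar list, named after its name) can be checked before installing. The function below is an added example, not part of the Cyral chart; it assumes a wire section is any top-level mapping with a ports.sidecar list and, since the page does not say how the chart names entries that come from service.ports, reports those with no name.

```python
# Added example, not part of the Cyral chart: which ports the sidecar Service
# exposes under the 2.24 layout, following the rules stated in the text.
# Assumed: a wire section is any top-level mapping with a ports.sidecar list;
# the name given to entries that come from service.ports is not documented
# here, so they are reported with name None.
def exposed_service_ports(values: dict) -> dict:
    """Return {port: name} for the ports the sidecar Service will expose."""
    service_ports = (values.get("service") or {}).get("ports")
    if service_ports:
        # service.ports (formerly serviceSidecar.sidecarPorts) overrides every
        # wire-defined port: only these are exposed.
        return {int(p): None for p in service_ports}
    exposed = {}
    for section, cfg in values.items():
        if not isinstance(cfg, dict) or not isinstance(cfg.get("ports"), dict):
            continue
        if cfg.get("enabled", True) is False:  # disabling a wire removes its ports
            continue
        name = cfg.get("name", section)        # ports are named after <repo>.name
        for port in cfg["ports"].get("sidecar", []):
            exposed[int(port)] = name
    return exposed

SAMPLE_VALUES = {  # constructed sample values in the 2.24 layout
    "controlPlane": {"host": "hhiu.cyral.com", "ports": {"http": 8000}},
    "mysql": {"name": "mysql", "enabled": True, "ports": {"sidecar": [3306]}},
    "postgres": {"name": "pg", "enabled": False, "ports": {"sidecar": [5432]}},
    "rest": {"ports": {"sidecar": [8080, 8443]}},
    "service": {},
}
```

Run it against the real values file (loaded with PyYAML) to confirm that a disabled wire really drops off the Service and that a service.ports override does not silently hide ports you still need.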
Data Port configuration
Each repository now has its <repositoryName>.ports.http, <repositoryName>.ports.grpc and <repositoryName>.ports.metrics fields (when applicable), which set its ports on the configuration.
Integration configuration
Log integration configuration
The log integration is no longer configured via environment variables, but via specific fields in the filebeat container configuration.
Elasticsearch
FROM
filebeat:
  enabled: true
  extraEnvs:
    - name: ELASTICSEARCH_HOSTS
      value: address
    - name: ELASTICSEARCH_USERNAME
      value: username
    - name: ELASTICSEARCH_PASSWORD
      value: password
TO
filebeat:
  elasticsearch:
    hosts: hosts
    # username and password are required
    username: username
    password: password
Logstash
The Logstash extension was also reorganized.
FROM
filebeat:
  enabled: true
  outputType: logstash
  outputUseTLS: false
  outputUseMutualAuthentication: false
  outputUsePrivateCertificateChain: false
  extraEnvs:
    - name: LOGSTASH_HOSTS
      value: hosts
TO
filebeat:
  logstash:
    hosts: hosts
  output:
    type: logstash
    useTLS: false
    useMutualAuthentication: false
    usePrivateCertificateChain: false
Kafka
FROM
filebeat:
  outputType: kafka
  version: version
  extraEnvs:
    - name: KAFKA_HOSTS
      value: hosts
    - name: KAFKA_TOPIC
      value: topic
TO
filebeat:
  output:
    type: kafka
  kafka:
    hosts: hosts
    topic: topic
Vault Integration
The Vault integration previously required adding extra volumes and extra volume mounts to mount the secret with the proper configuration. It now has fields for specifying the secret that needs to be mounted.
FROM
vaultIntegration:
  extraEnvs:
    - name: VAULT_CACERT
      value: /etc/certs/ca.pem
  extraVolumeMounts:
    - name: $VAULT_TLS_SECRET_NAME
      mountPath: /etc/certs
      readOnly: true
  extraVolumes:
    - name: $VAULT_TLS_SECRET_NAME
      secret:
        secretName: $VAULT_TLS_SECRET_NAME
TO
vaultIntegration:
  tlsSecretName: $VAULT_TLS_SECRET_NAME
  tlsSecretKey: ca.pem
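The FROM/TO renames shown above (forwardProxy.controlPlane.httpPort, serviceSidecar.sidecarPorts, and the filebeat Elasticsearch, Logstash and Kafka settings) can be applied mechanically to an old values file. The script below is an added example, not part of the Cyral chart; it assumes the values file has already been loaded into a dict (for instance with PyYAML), touches only the keys this page documents, keeps any undocumented filebeat extraEnvs entries where they were, and leaves the Vault extraVolumes case for manual migration.

```python
import copy

# Old filebeat env var -> (new filebeat section, key), per the FROM/TO examples above.
FILEBEAT_ENV = {
    "ELASTICSEARCH_HOSTS": ("elasticsearch", "hosts"),
    "ELASTICSEARCH_USERNAME": ("elasticsearch", "username"),
    "ELASTICSEARCH_PASSWORD": ("elasticsearch", "password"),
    "LOGSTASH_HOSTS": ("logstash", "hosts"),
    "KAFKA_HOSTS": ("kafka", "hosts"),
    "KAFKA_TOPIC": ("kafka", "topic"),
}
FILEBEAT_OUTPUT = {  # old flat filebeat output flags -> keys under filebeat.output
    "outputType": "type",
    "outputUseTLS": "useTLS",
    "outputUseMutualAuthentication": "useMutualAuthentication",
    "outputUsePrivateCertificateChain": "usePrivateCertificateChain",
}

def migrate_values(old: dict) -> dict:
    new = copy.deepcopy(old)  # the caller's dict is left unmodified
    # forwardProxy.controlPlane.httpPort -> top-level controlPlane.ports.http
    forward_proxy = new.get("forwardProxy", {})
    control_plane = forward_proxy.pop("controlPlane", None)
    if not forward_proxy:
        new.pop("forwardProxy", None)
    if control_plane is not None:
        http_port = control_plane.pop("httpPort", None)
        if http_port is not None:
            control_plane.setdefault("ports", {})["http"] = http_port
        new["controlPlane"] = control_plane
    # serviceSidecar.sidecarPorts -> service.ports (still overrides every wire's ports)
    sidecar_ports = new.pop("serviceSidecar", {}).get("sidecarPorts")
    if sidecar_ports is not None:
        new.setdefault("service", {})["ports"] = list(sidecar_ports)
    # filebeat: documented env vars -> nested sections; output* flags -> filebeat.output.*
    filebeat = new.get("filebeat")
    if filebeat:
        leftover = []
        for env in filebeat.pop("extraEnvs", []):
            target = FILEBEAT_ENV.get(env.get("name"))
            if target is None:
                leftover.append(env)  # not documented here: keep it as it was
            else:
                filebeat.setdefault(target[0], {})[target[1]] = env.get("value")
        if leftover:
            filebeat["extraEnvs"] = leftover
        for old_key, new_key in FILEBEAT_OUTPUT.items():
            if old_key in filebeat:
                filebeat.setdefault("output", {})[new_key] = filebeat.pop(old_key)
    return new
```

Diff the migrated dict against the hand-written values before upgrading; secrets such as the Elasticsearch password move from an env var to a plain values field, so keep the resulting file out of version control or feed it through your secrets tooling as before.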
Features added
Every container can now have extraEnvVars and extraVolumes attached to it via the specific wire/service configuration section in the values file.
Image pull secrets can now be added (via global.imagePullSecrets); they are appended to the secret that is created from Cyral's credentials.
The Vault integration now has a vaultIntegration.appRoleSecret field that mounts a secret at /approle for AppRole-based authentication to a Vault server.