Version 2.24 changes in the Helm chart for Cyral sidecars

Earlier versions of Cyral's Helm chart for the sidecar did not follow best practices for formatting. In version 2.24, we've addressed this with a wide-ranging refactor of the chart, including renaming our parameters to follow common practice. Below, we explain the new chart structure and parameter names. 

Changes

To describe the changes, we first list the individual field renaming changes and then explain the reorganization of the wire configuration and integration configuration.

Field changes

Below we list the isolated field changes.

General Configuration

Control Plane Configuration

Service configuration

Integration configuration

Example

FROM

forwardProxy:

 controlPlane:

   host: hhiu.cyral.com

   httpPort: 8000

TO

controlPlane:

 host: hhiu.cyral.com

 ports:

   http: 8000

Wire changes

Enabled Repositories

The serviceSidecar.repositoriesSupported variable has been removed, and in place there are specific fields for configuring each repository, including if it’s enabled or not. All repositories are supported by default and to disable a repository you must set <repositoryName>.enabled=false either on the values or on the helm CLI.

Examples

Disabling mysql

mysql:

 enabled: false

Disabling rest and postgres

postgres:

 enabled: false

rest:

 enabled: false

Image Updates

Similarly to the enabled repositories, each repository has its own image configuration on its section on <repositoryName>.image. The format is the same for all repositories and services as follows:

image:

 registry:

 repository:

 tag:

 pullPolicy:

The registry path is put together this way:

{image.registry}/{image.repository}:{image.tag}

The registry can be overwritten in two ways:

• Values.global.cyral.imageRegistry overrides cyral’s image on the registry, so any image that has, by default, a cyral docker registry now has Values.global.imageRegistry as its registry.

• Values.global.imageRegistry overrides all (except for datadog’s) image registries, which include filebeat’s image also.

The pull policy for the images can also be set globally via the Values.image.pullPolicy value.

Examples:

Mysql image settings

mysql:

 image:

   registry: gcr.io/cyralinc

   repository: cyral-mysql-wire

   tag: v1.13.0

Registry overrides

global:

 cyral:

   imageRegistry: gcr.io/cyralinc

This would make all wire/cyral services images have gcr.io/cyralinc as their registries.

Port configuration

The port configuration can be set in two different ways. Each repository has its own <repositoryName>.ports.sidecar section, on which you can have a list of ports that will be named after <repositoryName>.name. There is also service.ports, which acts as the serviceSidecar.sidecarPorts, overriding all repositories ports and only exposing those ports on the sidecar service.

Example

Setting mysql ports via service configuration

FROM

serviceSidecar:

 sidecarPorts: [5432]

TO

mysql:

 ports:

   sidecar: [5432]

This way, only the mysql ports are overwritten, and any other ports that are defined by default on the chart are still exposed on the service component. Disabling a wire also removes its ports from the service.

Overwriting all wire-specific ports

service:

 ports: [5432]

This way, only the 5432 port will be exposed on the sidecar, overriding any other wire-defined port.

Data Port configuration

Each repository now has its <repositoryName>.ports.http, <repositoryName>.ports.grpc and <repositoryName>.ports.metrics fields (when applicable), which set its ports on the configuration.

Integration configuration

Log integration configuration

The log integration configuration has been changed to not be set via environment variables, but via specific fields in the filebeat container configuration.

Elasticsearch

FROM

filebeat:

 enabled: true

 extraEnvs:

   - name: ELASTICSEARCH_HOSTS

     value: address

   - name: ELASTICSEARCH_USERNAME

     value: username

   - name: ELASTICSEARCH_PASSWORD

     value: password

TO

filebeat:

   elasticsearch:

     hosts: hosts

     # username and password are required

     username: username

     password: password

Logstash

The Logstash extension was also reorganized.

FROM

filebeat:

 enabled: true

 outputType: logstash

 outputUseTLS: false

 outputUseMutualAuthentication: false

 outputUsePrivateCertificateChain: false

 extraEnvs:

  - name: LOGSTASH_HOSTS

    value: hosts

TO

filebeat:

 logstash:

   hosts: hosts

 output:

   type: logstash

   useTLS: false

   useMutualAuthentication: false

   usePrivateCertificateChain: false

Kafka

FROM

filebeat:

 outputType: kafka

 version: version

 extraEnvs:

  - name: KAFKA_HOSTS

    value: hosts

  - name: KAFKA_TOPIC

    value: topic

TO

filebeat:

 output:

   type: kafka

 kafka:

   hosts: hosts

   topic: topic

Vault Integration

The vault integration previously required adding extra volumes and extra volume mounts to mount the secret with the proper configurations. Now it has a field for specifying the secret that needs to be mounted.

FROM

vaultIntegration:

 extraEnvs:

   - name: VAULT_CACERT

     value: /etc/certs/ca.pem

 extraVolumeMounts:

   - name: $VAULT_TLS_SECRET_NAME

     mountPath: /etc/certs

     readOnly: true

extraVolumes:

 - name: $VAULT_TLS_SECRET_NAME

   secret:

     secretName: $VAULT_TLS_SECRET_NAME

TO

vaultIntegration:

 tlsSecretName: $VAULT_TLS_SECRET_NAME

 tlsSecretKey: ca.pem

Features added

• Every container can now have extraEnvVars and extraVolumes attached to them via the specific wire/service configuration section on the values file.

• ImagePullSecrets can now be added and will be appended to the secret that is created via Cyral's credentials (via global.imagePullSecrets ).

• Vault integration now has a vaultIntegration.appRoleSecret that mounts a secret on /approle for approle based authentication to a vault server.