Earlier versions of Cyral's Helm chart for the sidecar did not follow best practices for formatting. In version 2.24, we've addressed this with a wide-ranging refactor of the chart, including renaming our parameters to follow common practice. Below, we explain the new chart structure and parameter names.
To describe the changes, we first list the individual field renaming changes and then explain the reorganization of the wire configuration and integration configuration.
Below we list the isolated field changes.
Control Plane Configuration
The serviceSidecar.repositoriesSupported variable has been removed. In its place, each repository has its own set of configuration fields, including whether it is enabled. All repositories are supported by default; to disable one, set <repositoryName>.enabled=false either in the values file or on the helm CLI.
Disabling rest and postgres
Similarly, each repository has its own image configuration in its section under <repositoryName>.image. The format is the same for all repositories and services, as follows:
The registry path is put together this way:
The registry can be overwritten in two ways:
Values.global.cyral.imageRegistry overrides Cyral's own image registry: any image whose default registry is Cyral's Docker registry now uses Values.global.cyral.imageRegistry as its registry.
Values.global.imageRegistry overrides all image registries (except Datadog's), which includes Filebeat's image as well.
The pull policy for the images can also be set globally via the Values.image.pullPolicy value.
Mysql image settings
This would make all wire/Cyral service images use gcr.io/cyralinc as their registry.
The port configuration can be set in two different ways. Each repository has its own <repositoryName>.ports.sidecar section, which holds a list of ports that will be named after <repositoryName>.name. There is also service.ports, which takes the role of the old serviceSidecar.sidecarPorts: it overrides all repository ports and exposes only the listed ports on the sidecar service.
Setting mysql ports via service configuration
This way, only the mysql ports are overridden, and any other ports defined by default in the chart are still exposed on the service component. Disabling a wire also removes its ports from the service.
Overwriting all wire-specific ports
This way, only port 5432 will be exposed on the sidecar, overriding any other wire-defined port.
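The registry override rules and the port exposure rules described above can be checked before installing. The following is an added example, not code from Cyral's chart: it models those rules on a constructed values dict. The image sub-keys and the default registry strings are assumptions, since the page does not show them.

```python
# Added example (not Cyral's chart code). Models two rules documented above:
#  1. global.imageRegistry overrides every image registry except Datadog's;
#     global.cyral.imageRegistry overrides only images that default to Cyral's registry.
#  2. service.ports overrides all repository ports; otherwise the sidecar service
#     exposes the union of <repositoryName>.ports.sidecar for each enabled repository.
# Default registry strings below are constructed placeholders, not chart values.

DEFAULT_CYRAL_REGISTRY = "cyral-default-registry"  # placeholder for Cyral's default registry


def effective_registry(image_name, default_registry, values):
    """Resolve which registry an image ends up with, per the documented precedence."""
    g = values.get("global", {})
    if image_name == "datadog":
        return default_registry  # Datadog's image is exempt from global.imageRegistry
    if g.get("imageRegistry"):
        return g["imageRegistry"]  # overrides all remaining images, Filebeat included
    cyral_override = g.get("cyral", {}).get("imageRegistry")
    if cyral_override and default_registry == DEFAULT_CYRAL_REGISTRY:
        return cyral_override  # only images whose default is Cyral's registry
    return default_registry


def effective_sidecar_ports(values, repositories):
    """Ports the sidecar service will expose for the given repository names."""
    override = values.get("service", {}).get("ports")
    if override:
        return sorted(set(override))  # service.ports replaces every repository port
    ports = set()
    for repo in repositories:
        cfg = values.get(repo, {})
        if cfg.get("enabled", True):  # repositories are enabled unless disabled explicitly
            ports.update(cfg.get("ports", {}).get("sidecar", []))
    return sorted(ports)


# Constructed sample values: postgres disabled, mysql using per-repository ports.
SAMPLE_VALUES = {
    "global": {"cyral": {"imageRegistry": "gcr.io/cyralinc"}},
    "postgres": {"enabled": False, "ports": {"sidecar": [5432]}},
    "mysql": {"ports": {"sidecar": [3306, 3307]}},
}

if __name__ == "__main__":
    print(effective_registry("sidecar", DEFAULT_CYRAL_REGISTRY, SAMPLE_VALUES))
    print(effective_sidecar_ports(SAMPLE_VALUES, ["postgres", "mysql"]))
```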
Data Port configuration
Each repository now has <repositoryName>.ports.http, <repositoryName>.ports.grpc and <repositoryName>.ports.metrics fields (where applicable), which set those ports in the sidecar configuration.
Log integration configuration
The log integration configuration has been changed so that it is no longer set via environment variables, but via specific fields in the filebeat container configuration.
- name: ELASTICSEARCH_HOSTS
- name: ELASTICSEARCH_USERNAME
- name: ELASTICSEARCH_PASSWORD
# username and password are required
The Logstash extension was also reorganized.
- name: LOGSTASH_HOSTS
- name: KAFKA_HOSTS
- name: KAFKA_TOPIC
The Vault integration previously required adding extra volumes and extra volume mounts to mount the secret holding the proper configuration. It now has a field for specifying the secret that needs to be mounted.
- name: VAULT_CACERT
- name: $VAULT_TLS_SECRET_NAME
- name: $VAULT_TLS_SECRET_NAME
Every container can now have extraEnvVars and extraVolumes attached to it via the specific wire/service configuration section in the values file.
imagePullSecrets can now be added via global.imagePullSecrets; they are appended to the secret that is created from Cyral's credentials.
The Vault integration now has a vaultIntegration.appRoleSecret field that mounts a secret at /approle for AppRole-based authentication to a Vault server.