Deploy a sidecar on a Kubernetes cluster using Helm
cyral-quickstart/quickstart-sidecar-helm
Sidecar - Helm

A quick start to deploy a sidecar to Kubernetes using Helm!


Architecture

Kubernetes Architecture


Deployment

Requirements

Examples

Quick Start

  • Save the code below in a values.yaml file.
    • Fill the parameters cyral.controlPlane, cyral.sidecarId, cyral.credentials.clientId, and cyral.credentials.clientSecret with the information from the Cyral Templates option in the Deployment tab of your sidecar details.
    • Set image.tag with the sidecar version you want to deploy.
cyral:
  controlPlane: ""
  sidecarId: ""
  credentials:
    clientId: ""
    clientSecret: ""

image:
  # Sidecar version
  tag: ""

service:
  enabled: true
  type: LoadBalancer
  annotations:
    ####################### AWS Load Balancer #######################
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    # For a public-facing load balancer, change the value to
    # "internet-facing":
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    #################################################################

    ###################### GCP Load Balancer ########################
    ## In order to use a GCP load balancer instead, comment the
    ## AWS Load Balancer properties above and uncomment the line
    ## below. For a public-facing load balancer, change the value
    ## to "External":
    #cloud.google.com/load-balancer-type: "Internal"
    #################################################################

    ###################### Azure Load Balancer ######################
    ## In order to use an Azure load balancer instead, comment the
    ## AWS Load Balancer properties above and uncomment the line
    ## below. For a public-facing load balancer, change the value
    ## to "false":
    #service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    #################################################################
  • Open a command line terminal in the folder where you saved the file.
  • Run the following command to deploy your sidecar, replacing the following variables:
    • <SIDECAR_NAMESPACE>: your choice of namespace to be created. We recommend cyral- + <SIDECAR_ID> to help you locate your namespace on a busy cluster.
    • <SIDECAR_RELEASE_NAME>: the name of your release. We also recommend cyral- + <SIDECAR_ID>, or some other suffix, to help you locate the release.
    • <CHART_VERSION>: the Helm chart version.
helm upgrade -i <SIDECAR_RELEASE_NAME> \
  --create-namespace \
  --namespace <SIDECAR_NAMESPACE> -f values.yaml \
  oci://public.ecr.aws/cyral/helm/sidecar \
  --version <CHART_VERSION>

The quick start example above will create the simplest configuration possible on your Kubernetes cluster and deploy a single sidecar instance behind the load balancer.

Make sure to allow for proper network connectivity from your cluster nodes to the databases that will be protected by your sidecar. The nodes must be able to connect to the databases using the ports that you defined as part of the repository configuration.

Production Starting Point

  • Save the code below in a values.yaml file.
    • Fill the parameters cyral.controlPlane, cyral.sidecarId, cyral.credentials.clientId, and cyral.credentials.clientSecret with the information from the Cyral Templates option in the Deployment tab of your sidecar details.
    • Set image.tag with the sidecar version you want to deploy.
cyral:
  controlPlane: ""
  sidecarId: ""
  credentials:
    clientId: ""
    clientSecret: ""

image:
  # Sidecar version
  tag: ""

# Sets the node and inter-pod affinities so pods won't run
# in the same node.
podAntiAffinityPreset: hard

# Number of pods
replicaCount: 2

service:
  # Ports that will be exposed by the sidecar to accept
  # incoming connections.
  ports: [443, 3306, 5432, 27017, 27018, 27019]

  enabled: true
  type: LoadBalancer
  annotations:
    ####################### AWS Load Balancer #######################
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    # For a public-facing load balancer, change the value to
    # "internet-facing":
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    #################################################################

    ###################### GCP Load Balancer ########################
    ## In order to use a GCP load balancer instead, comment the
    ## AWS Load Balancer properties above and uncomment the line
    ## below. For a public-facing load balancer, change the value
    ## to "External":
    #cloud.google.com/load-balancer-type: "Internal"
    #################################################################

    ###################### Azure Load Balancer ######################
    ## In order to use an Azure load balancer instead, comment the
    ## AWS Load Balancer properties above and uncomment the line
    ## below. For a public-facing load balancer, change the value
    ## to "false":
    #service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    #################################################################
  • Open a command line terminal in the folder where you saved the file.
  • Run the following command to deploy your sidecar, replacing the following variables:
    • <RELEASE_NAME>: your choice of name for the deployment. If it's a single sidecar in a namespace, we typically use cyral-sidecar or cyral-sidecar-<SIDECAR_ID>.
    • <SIDECAR_NAMESPACE>: your choice of namespace to be created. We recommend cyral- + <SIDECAR_ID> to help you locate your namespace on a busy cluster.
    • <CHART_VERSION>: the Helm chart version.
helm upgrade -i <RELEASE_NAME> \
  --namespace <SIDECAR_NAMESPACE> -f values.yaml \
  oci://public.ecr.aws/cyral/helm/sidecar \
  --version <CHART_VERSION> --create-namespace

The example above will create a production-grade configuration and assumes you understand the basic concepts of a Cyral sidecar.

For a production configuration, we recommend that you define anti-affinity rules to prevent two sidecar pods from running on the same node. We also recommend that the nodes run in different availability zones and that you properly assess the dimensions and number of pods required for your production workload.

Make sure to allow for proper network connectivity from your cluster nodes to the databases that will be protected by your sidecar. The nodes must be able to connect to the databases using the ports that you defined as part of the repository configuration.

See the next section for more details about the values file parameters.

Parameters

See the full list of parameters in the chart documentation.


Upgrade

Use the following procedure to upgrade your sidecar:

  • Open a command line terminal in the folder where you have your values.yaml file.
  • Run the following command to upgrade your sidecar, replacing the following variables:
    • <RELEASE_NAME>: the name of the existing release.
    • <SIDECAR_NAMESPACE>: the sidecar namespace.
    • <CHART_VERSION>: the Helm chart version.
helm upgrade -i <RELEASE_NAME> \
  --namespace <SIDECAR_NAMESPACE> -f values.yaml \
  oci://public.ecr.aws/cyral/helm/sidecar \
  --version <CHART_VERSION>

Learn more in the sidecar upgrade procedures page.


Advanced

Instructions for advanced configurations are available in the chart's docs.
