This repo provides an implementation of a strongDM relay or gateway inside Kubernetes using Helm.
Learn more about deploying strongDM inside Kubernetes on our docs site.

Prerequisites:
- A Kubernetes cluster v1.16+
- Helm 3.0+
- Git
- If you are going to use the Nginx Ingress Controller, you will need to manually patch your services to allow TCP and UDP traffic
- Either a strongDM Gateway/Relay Token, or an Admin Token with the `relay:create` permission, which will be used to generate the gateway/relay token
Note: In order to get a Gateway Token you'll need an external address to register. This external address is immutable after creation.

Install the chart:

```shell
helm repo add strongdm https://helm.strongdm.com/stable/
helm install [RELEASE_NAME] strongdm/sdm-relay -f values.yaml
helm status [RELEASE_NAME]
```

See the configuration table below for the values you can set in `values.yaml`.
See `helm install` for command documentation.
To let the chart generate the relay/gateway token for you, pass an admin token with the `relay:create` permission:

```shell
sdm login
# Create an admin token limited to relay:create, take the token from the last
# column of the CLI output and base64-encode it for global.secret.adminToken
adminToken=$(sdm admin tokens create --type admin-token --duration 9999999 --permissions relay:create "relay-create-$(date +%s)" | awk '{print $NF}' | base64)
helm install my-sdm-relay strongdm/sdm-relay --set global.secret.adminToken=$adminToken
```

For a gateway, provide SDM_GATEWAY_LISTEN_PORT_ADDR and any other desired values on the `helm install` command line or in a `values.yaml` file.
Upgrade (or install if not present) the release:

```shell
helm upgrade [RELEASE_NAME] strongdm/sdm-relay --install
```

See `helm upgrade` for command documentation.

Uninstall the release:

```shell
helm uninstall [RELEASE_NAME]
```

The command removes all the Kubernetes components associated with the release and deletes the release.
See `helm uninstall` for command documentation.
If you are running multiple strongDM Gateways, it is recommended to have multiple points of ingress rather than using the same ingress point with different ports. Our recommendation is a one-to-one ratio of LoadBalancer to Gateway.
Also note that tokens can't be reused between Gateways. A replica count of 1 is set by default so that a new Gateway is deployed per release without causing any token conflicts.
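The following script is an added example and is not part of the chart or of strongDM's own tooling. It ties together the install steps above and the one-LoadBalancer-per-Gateway guidance: it base64-encodes one admin token without the trailing newline that `echo` or `awk` would otherwise include in the secret, writes a separate `values.yaml` per gateway (each release then generates its own gateway token from the admin token, so no token is shared between gateways), and runs `helm upgrade --install` once per release. The values keys follow the configuration table (`global.secret.adminToken`, `configmap.SDM_GATEWAY_LISTEN_ADDR_PORT`, `configmap.SDM_GATEWAY_BIND_ADDR_PORT`); the `host:port` address format, the `0.0.0.0` bind address, the release names and the `DRY_RUN` switch are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the chart's own code: deploy one strongDM gateway release
# per external address, each behind its own LoadBalancer Service.
set -eu

# base64-encode a token for global.secret.* without a trailing newline.
# `printf '%s'` (unlike echo/awk) emits no newline, and tr removes the line
# wrapping GNU base64 adds for long inputs, so the decoded value is the token
# exactly as issued.
encode_token() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Write a values.yaml for one gateway release.
#   $1 release name (also used as SDM_RELAY_NAME for the generated token)
#   $2 external address as host:port (assumed format; immutable once registered)
#   $3 base64-encoded admin token with relay:create permission
#   $4 output path
# Bind address 0.0.0.0:<port> and the LoadBalancer service type are assumptions.
write_gateway_values() {
  cat > "$4" <<EOF
global:
  gateway:
    enabled: true
    service:
      type: LoadBalancer
      port: ${2##*:}
  secret:
    adminToken: "$3"
configmap:
  SDM_RELAY_NAME: "$1"
  SDM_GATEWAY_LISTEN_ADDR_PORT: "$2"
  SDM_GATEWAY_BIND_ADDR_PORT: "0.0.0.0:${2##*:}"
EOF
}

# Print the helm command for one release and run it unless DRY_RUN is set.
install_gateway() {
  release=$1
  values=$2
  cmd="helm upgrade --install $release strongdm/sdm-relay -f $values"
  echo "$cmd"
  if [ -z "${DRY_RUN:-}" ]; then
    $cmd
  fi
}

# Deploy one release per address given on the command line, reusing a single
# admin token from SDM_ADMIN_TOKEN (the CLI output shown in the README).
# Usage: SDM_ADMIN_TOKEN=... DRY_RUN=1 ./deploy.sh gw-1.example.com:5000 gw-2.example.com:5000
deploy_gateways() {
  admin_b64=$(encode_token "$SDM_ADMIN_TOKEN")
  i=1
  for addr in "$@"; do
    release="sdm-gateway-$i"
    values="values-gw-$i.yaml"
    write_gateway_values "$release" "$addr" "$admin_b64" "$values"
    install_gateway "$release" "$values"
    i=$((i + 1))
  done
}

if [ -n "${1:-}" ]; then
  deploy_gateways "$@"
fi
```

Run it with `DRY_RUN=1` first to inspect the generated `values-gw-N.yaml` files and the helm commands before anything is installed. Each external address must already be reachable on the LoadBalancer you intend to front that release with, since the gateway registers it at token creation and it cannot be changed afterwards.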
The following table lists the configurable parameters of the strongDM relay/gateway chart and their default values.
Parameter | Description | Default | Required |
---|---|---|---|
.global.gateway.enabled | Enables the strongDM relay to accept incoming traffic when using a Gateway Token. | false | ☐ |
.global.gateway.service.type | The kind of Service you'd like to run for the gateway, e.g. NodePort or LoadBalancer. | NodePort | ☑ |
.global.gateway.service.nodePort | When the Service type is NodePort, this port needs to match what was set in the Admin UI. | 30001 | ☐ |
.global.gateway.service.loadBalancerIP | When the Service type is LoadBalancer and you'd like to assign the IP address of an existing LB. | None | ☐ |
.global.gateway.service.port | The port you'd like the Service to listen on. If using NodePort this can be different than the port set in the Admin UI. | 30001 | ☑ |
.global.secret.token | The base64-encoded value of the relay or gateway token generated in the Admin UI or CLI. Can be omitted if adminToken is provided. | None | ☑ |
.global.secret.adminToken | The base64-encoded value of an admin token with the relay:create permission. Used to generate a new relay or gateway token when one is not already set. | None | ☐ |
.global.deployment.repository | The image you'd like to use for the strongDM gateway/relay. | public.ecr.aws/strongdm/relay | ☑ |
.global.deployment.tag | The tag of the image you'd like to use for the strongDM gateway/relay. | latest | ☑ |
.global.deployment.imagePullPolicy | The policy for pulling a new image from the repository. | Always | ☑ |
.global.extraEnvironmentVars | Inject extra environment variables in the format key:value, if populated. | None | ☐ |
.configmap.SDM_ORCHESTRATOR_PROBES | Port for the liveness probe of the strongDM gateway/relay, if you'd like one. | 9090 | ☐ |
.configmap.SDM_DOCKERIZED | Setting this automatically sends logs to STDOUT, overriding the settings in the Admin UI. | true | ☐ |
.configmap.SDM_RELAY_LOG_FORMAT | Format for the logs when stored locally. | json | ☐ |
.configmap.SDM_RELAY_LOG_STORAGE | If storing SDM activities locally, you can change where they are stored. | stdout | ☐ |
.configmap.SDM_RELAY_LOG_ENCRYPTION | Change the encryption of the logs. | plaintext | ☐ |
.configmap.SDM_RELAY_NAME | Name to use if a new relay token is being generated. Must not match any existing token name. Omit to use an automatically generated name. | plaintext | ☐ |
.configmap.SDM_RELAY_TAGS | Tags to use if a new relay token is being generated. (See `sdm admin relays create -h` for a description.) | plaintext | ☐ |
.configmap.SDM_RELAY_MAINTENANCE_WINDOW | Maintenance window to use if a new relay token is being generated. (See `sdm admin relays create -h` for a description.) | plaintext | ☐ |
.configmap.SDM_GATEWAY_LISTEN_ADDR_PORT | If a gateway token is to be generated, this is the address where the gateway will listen. Required in that case. | plaintext | ☐ |
.configmap.SDM_GATEWAY_BIND_ADDR_PORT | If a gateway token is to be generated, this is the address the gateway will bind to. | plaintext | ☐ |