Skip to content

Latest commit

 

History

History
99 lines (68 loc) · 9.02 KB

README.md

File metadata and controls

99 lines (68 loc) · 9.02 KB

strongDM

License Docs Twitter

strongDM Relay

This repo provides an implementation of a strongDM relay or gateway inside Kubernetes using Helm.

Learn more about deploying strongDM inside Kubernetes on our docs site.

Prerequisites

Note: In order to get a Gateway Token you'll need an external address to register. This external address is immutable after creation.

Installing the Chart

helm repo add strongdm https://helm.strongdm.com/stable/
helm install [RELEASE_NAME] strongdm/sdm-relay -f values.yaml
helm status [RELEASE_NAME]

See configuration below.

See helm install for command documentation.

Example of using an Admin Token to install a Relay

sdm login
adminToken=$(sdm admin tokens create --type admin-token --duration 9999999 --permissions relay:create "relay-create-$(date +%s)" | awk '{print $NF}' | base64)
helm install my-sdm-relay strongdm/sdm-relay --set global.secret.adminToken=$adminToken

For a gateway, provide SDM_GATEWAY_LISTEN_PORT_ADDR and any other desired values on the helm install command line or in a values.yaml file.

Upgrading the Chart

helm upgrade [RELEASE_NAME] strongdm/sdm-relay --install

See helm upgrade for command documentation.

Uninstalling the Chart

helm uninstall [RELEASE_NAME]

The command removes all the Kubernetes components associated with the release and deletes the release.

See helm uninstall for command documentation.

Running Multiple Gateways

If you are running multiple strongDM Gateways it is recommended having multiple points of ingress rather than using the same ingress point with different points. Our recommendation is using a one to one ratio with Loadbalancer to Gateway.

Also note that tokens can't be reused between Gateways and a replicaset of 1 is set by default to ensure a new Gateway will be deployed, but won't cause any token conflicts.

Configuration

The following table lists the configurable parameters of the strongDM relay/gateway chart and their default values.

Parameter Description Default Required
.global.gateway.enabled This is to enable the strongDM relay to accept incoming traffic when using a Gateway Token. false
.global.gateway.service.type The kind of service you'd like to run for the gateway. E.G. NodePort or Loadbalancer NodePort
.global.gateway.service.nodePort When service is set to NodePort this port needs to match what was set in the Admin UI. 30001
.global.gateway.service.loadBalancerIP When service is set to LoadBalancer and you'd like to assign the IP Address of an existing LB. None
.global.gateway.service.port The port you'd like to have the service listening on. If using NodePort this can be different then the port set in the Admin UI. 30001
.global.secret.token The base64 encoded value of the relay or gateway token generated in the Admin UI or CLI. Can be omitted if adminToken is provided. None
.global.secret.adminToken The base64 encoded value of the an admin token with relay:create permission. Used when to generate a new relay or gateway token when there is not one already set. None
.global.deployment.repository The image you'd like to use for the strongDM gateway/relay. public.ecr.aws/strongdm/relay
.global.deployment.tag The tag for the image you'd like to use for the strongDM gateway/relay. latest
.global.deployment.imagePullPolicy The policy for pulling a new image from the repo. Always
.global.extraEnvironmentVars Inject extra environment vars in the format key:value, if populated None
.configmap.SDM_ORCHESTRATOR_PROBES If you'd like to have a liveliness probe for the strongDM gateway/relay. 9090
.configmap.SDM_DOCKERIZED Setting this will automatically send logs to STDOUT overriding settings in AdminUI. true
.configmap.SDM_RELAY_LOG_FORMAT Format for the logs when stored locally. json
.configmap.SDM_RELAY_LOG_STORAGE If storing SDM Activites slowly you can change where they are stored. stdout
.configmap.SDM_RELAY_LOG_ENCRYPTION Change the encryption of the logs. plaintext
.configmap.SDM_RELAY_NAME Name to use if a new relay token is being generated. Must not match any existing token name. Omit to use automatically generated name. plaintext
.configmap.SDM_RELAY_TAGS Tags to use if a new relay token is being generated. (See sdm admin relays create -h for description) plaintext
.configmap.SDM_RELAY_MAINTENANCE_WINDOW Maintenance window to use if a new relay token is being generated. (See sdm admin relays create -h for description) plaintext
.configmap.SDM_GATEWAY_LISTEN_ADDR_PORT If a gateway token is to be generated, this is the address where it will listen, and it is required. plaintext
.configmap.SDM_GATEWAY_BIND_ADDR_PORT If a gateway token is to be generated, this is the address where it will bind. plaintext