Gist rpothier/2d279e315d86e21529fe1278676501d4, last active February 23, 2021 01:38
# Invoking Summon from a Pod Volume Mount

```plantuml
@startuml
hide footbox
title Invoking Summon from a Pod Volume Mount
participant "K8s API Server" as ks
participant "Conjur Server" as cs
participant "K8s Authn Client" as kc
database "Shared Pod Memory" as shared
participant "Summon Init" as init
participant "Summon\n[Inside Shared Volume]" as sum
participant "Application" as app
autonumber
init -> shared: Init container retrieves the\nSummon binary and stores\nit in the shared volume
kc -> cs: Authentication Request
cs -> cs: Validate *
cs -> ks: Request to Inject Signed\nCertificate Into Pod
cs -> kc: 202: Accepted
loop
kc -> kc: Wait for Signed Certificate
end
ks -> kc: Inject Signed Certificate Into Pod
kc -> cs: Authenticate with Certificate
cs -> cs: Validate *
cs -> kc: Access Token (Short Lived)
kc -> shared: Access Token Written
app -> sum: App startup invokes the\nSummon binary from\nthe shared volume
sum -> shared: Read Access Token
activate shared
shared --> sum: Access Token
deactivate shared
sum -> cs: Summon Authenticates Using Access Token and Requests Secrets
cs -> cs: Validate Token
cs -> sum: Return Secrets to Summon Provider
sum -> app: Summon injects secrets\ninto the app
sum -> app: Summon runs the app\nas a subprocess
note over cs
* Validate:
1. Authenticator is Enabled
2. Webservice Exists and host has access to it
3. Pod exists
4. Host authentication annotations match request
5. Authn container exists
end note
@enduml
```
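The sequence above maps onto a single Pod spec roughly as follows. This is an added example, not part of the gist and not code from the CyberArk projects it depicts: the image names and tags, the mount paths (`/shared`, `/run/conjur`), the Conjur URL, account and host id, the `secrets.yml` path and the environment variable names are assumptions chosen to make the wiring concrete. Check the conjur-authn-k8s-client and summon-conjur documentation for the names the versions you run actually read.

```yaml
# Added example (not from the gist): one Pod wiring up the sequence above.
# Every image, path, URL and variable name below is an assumption made for
# illustration; verify each against the authenticator and provider docs.
apiVersion: v1
kind: Pod
metadata:
  name: app-with-summon
  namespace: app-ns
spec:
  serviceAccountName: app-sa
  volumes:
    # "Shared Pod Memory": a tmpfs-backed emptyDir. It holds the Summon
    # binary (step 1) and the short-lived access token (step 12) so that
    # neither is ever written to the node's disk.
    - name: conjur-shared
      emptyDir:
        medium: Memory
        sizeLimit: 32Mi
  initContainers:
    # Step 1 ("Summon Init"): copy summon and its Conjur provider into the
    # shared volume as read-only executables. The application image itself
    # never has to bundle summon.
    - name: summon-init
      image: registry.example.invalid/summon-init:1.0      # assumption
      command: ["sh", "-c"]
      args:
        - |
          cp /usr/local/bin/summon /shared/summon &&
          cp /usr/local/lib/summon/summon-conjur /shared/summon-conjur &&
          chmod 0555 /shared/summon /shared/summon-conjur
      volumeMounts:
        - name: conjur-shared
          mountPath: /shared
  containers:
    # Steps 2-12 ("K8s Authn Client"): sidecar that sends the login request,
    # waits for the certificate Conjur injects through the K8s API,
    # authenticates with it and writes the short-lived token into the shared
    # volume. Its container name must be the one the Conjur host annotations
    # expect (validation steps 4 and 5 in the diagram).
    - name: authenticator
      image: cyberark/conjur-authn-k8s-client:latest        # assumption: pin a tag in practice
      env:
        - name: CONTAINER_MODE
          value: sidecar
        - name: CONJUR_AUTHN_URL
          value: https://conjur.example.invalid/authn-k8s/dev-cluster   # assumption
        - name: CONJUR_ACCOUNT
          value: myorg                                                 # assumption
        - name: CONJUR_AUTHN_LOGIN
          value: host/conjur/authn-k8s/dev-cluster/apps/app-ns/service_account/app-sa  # assumption
        - name: CONJUR_AUTHN_TOKEN_FILE
          value: /run/conjur/access-token
        - name: MY_POD_NAME
          valueFrom: { fieldRef: { fieldPath: metadata.name } }
        - name: MY_POD_NAMESPACE
          valueFrom: { fieldRef: { fieldPath: metadata.namespace } }
      volumeMounts:
        - name: conjur-shared
          mountPath: /run/conjur
    # Steps 13-20 ("Application"): the entrypoint is the summon binary from
    # the shared volume. The summon-conjur provider reads the token named by
    # CONJUR_AUTHN_TOKEN_FILE, fetches the secrets listed in secrets.yml and
    # runs the real application as a subprocess with them in its environment.
    - name: app
      image: registry.example.invalid/app:1.0               # assumption
      command:
        - /run/conjur/summon
        - -p
        - /run/conjur/summon-conjur
        - -f
        - /etc/summon/secrets.yml                           # assumption: baked into the app image
        - /app/start
      env:
        - name: CONJUR_APPLIANCE_URL
          value: https://conjur.example.invalid             # assumption
        - name: CONJUR_ACCOUNT
          value: myorg
        - name: CONJUR_AUTHN_TOKEN_FILE
          value: /run/conjur/access-token
      volumeMounts:
        - name: conjur-shared
          mountPath: /run/conjur
          readOnly: true                                    # app reads the token, never writes it
```

Three points worth checking when you adapt this. The application container mounts the shared volume read-only, so a compromised app can read the current short-lived token but cannot replace the summon binary or the provider that every later restart will execute; only the init container and the authenticator have write access. Both the authenticator and the provider also need trust in Conjur's TLS certificate (the real clients take it through variables such as `CONJUR_SSL_CERTIFICATE` or `CONJUR_CERT_FILE`), which is omitted above. Finally, if your container runtime mounts memory-backed emptyDirs with `noexec`, the copied binary will not run; in that case keep the token in the memory-backed volume and give the binary a separate disk-backed emptyDir.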