@rpothier
Last active February 23, 2021 01:38
# Invoking Summon from a Pod Volume Mount
@startuml
hide footbox
title Invoking Summon from a Pod Volume Mount
participant "K8s API Server" as ks
participant "Conjur Server" as cs
participant "K8s Authn Client" as kc
database "Shared Pod Memory" as shared
participant "Summon Init" as init
participant "Summon\n[Inside Shared Volume]" as sum
participant "Application" as app
autonumber
init -> shared: Init container retrieves the\nSummon binary and stores\nit in the shared volume
kc -> cs: Authentication Request
cs -> cs: Validate *
cs -> ks: Request to Inject Signed \nCertificate Into Pod
cs -> kc: 202: Accepted
loop
kc -> kc: Wait for Signed Certificate
end
ks -> kc: Inject Signed Certificate Into Pod
kc -> cs: Authenticate with Certificate
cs -> cs: Validate *
cs -> kc: Access Token (Short Lived)
kc -> shared: Access Token Written
app -> sum: App startup invokes the\nSummon binary from\nthe shared volume
sum -> shared: Read Access Token
activate shared
shared -> sum: Access Token
deactivate shared
sum -> cs: Summon Authenticates Using Access Token and Request Secrets
cs -> cs: Validate Token
cs -> sum: Return Secrets to Summon Provider
sum -> app: Summon injects secrets\ninto the app
sum -> app: Summon runs the app\nas a subprocess
note over cs
* Validate:
1. Authenticator is Enabled
2. Webservice Exists and host has access to it
3. Pod exists
4. Host authentication annotations match request
5. Authn container exists
end note
@enduml
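The diagram above shows the runtime flow but not the pod wiring that makes it possible. The manifest below is an added example (not part of this gist and not CyberArk's own reference manifest) of one way to realise it: an init container drops the Summon binary into an `emptyDir`, the authenticator sidecar writes the short-lived access token into a memory-backed `emptyDir` (the "Shared Pod Memory" in the diagram), and the application container invokes Summon from the shared volume. Image names, the Conjur URLs, account, host identity and the `secrets.yml` path are placeholders; the environment variable names follow the CyberArk authn-k8s client and summon-conjur provider as I know them and should be treated as assumptions to verify against the versions you deploy.

```yaml
# Added example, not from the gist: Pod wiring for "Invoking Summon from a Pod Volume Mount".
apiVersion: v1
kind: Pod
metadata:
  name: summon-from-volume-example      # placeholder
  namespace: app-ns                      # placeholder
spec:
  volumes:
    # Step 1 of the diagram: the init container places the Summon binary here.
    - name: summon-bin
      emptyDir: {}
    # "Shared Pod Memory": tmpfs-backed, so the access token never reaches the node's disk.
    - name: conjur-access-token
      emptyDir:
        medium: Memory
  initContainers:
    # "Summon Init": copies summon and the conjur provider into the shared volume.
    - name: summon-init
      image: example.registry/summon-init:PLACEHOLDER   # placeholder image that ships the summon binary
      command: ["sh", "-c"]
      args:
        - cp /summon/summon /summon/summon-conjur /opt/summon/ && chmod 0555 /opt/summon/*
      volumeMounts:
        - name: summon-bin
          mountPath: /opt/summon
  containers:
    # "K8s Authn Client": authenticates to Conjur and writes the token to shared memory.
    - name: authenticator
      image: cyberark/conjur-authn-k8s-client:PLACEHOLDER   # assumed image name; pin a real tag
      env:
        - name: CONTAINER_MODE
          value: sidecar
        - name: CONJUR_APPLIANCE_URL
          value: https://conjur.example.internal             # placeholder
        - name: CONJUR_AUTHN_URL
          value: https://conjur.example.internal/authn-k8s/my-cluster   # placeholder authenticator id
        - name: CONJUR_ACCOUNT
          value: example-account                             # placeholder
        - name: CONJUR_AUTHN_LOGIN
          value: host/conjur/authn-k8s/my-cluster/apps/app-ns/*/*   # placeholder host identity
        - name: CONJUR_AUTHN_TOKEN_FILE
          value: /run/conjur/access-token
        - name: CONJUR_SSL_CERTIFICATE
          valueFrom:
            configMapKeyRef:
              name: conjur-cert                              # placeholder
              key: ssl-certificate
        - name: MY_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: MY_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
      volumeMounts:
        - name: conjur-access-token
          mountPath: /run/conjur
    # "Application": invokes Summon from the shared volume; Summon reads the token,
    # fetches the secrets, injects them and runs the app as a subprocess.
    - name: app
      image: example.registry/app:PLACEHOLDER                # placeholder
      command: ["/opt/summon/summon"]
      args: ["-p", "/opt/summon/summon-conjur", "-f", "/etc/app/secrets.yml", "--", "/app/start"]
      env:
        - name: CONJUR_APPLIANCE_URL
          value: https://conjur.example.internal             # placeholder
        - name: CONJUR_ACCOUNT
          value: example-account                             # placeholder
        - name: CONJUR_AUTHN_TOKEN_FILE
          value: /run/conjur/access-token
        - name: CONJUR_SSL_CERTIFICATE
          valueFrom:
            configMapKeyRef:
              name: conjur-cert                              # placeholder
              key: ssl-certificate
      volumeMounts:
        # The app only needs to execute Summon and read the token, so both mounts are read-only.
        - name: summon-bin
          mountPath: /opt/summon
          readOnly: true
        - name: conjur-access-token
          mountPath: /run/conjur
          readOnly: true
```

Two choices here carry the security weight of the design: the token volume is `medium: Memory`, so the short-lived token from step 9 of the diagram lives only in the pod's tmpfs, and the application container mounts both shared volumes `readOnly`, so a compromised application process cannot replace the Summon binary the init container installed or tamper with the token the authenticator writes. The Conjur-side checks listed in the diagram's note (authenticator enabled, webservice and host permissions, pod existence, annotation match, authn container present) are enforced by the server, not by anything in this manifest.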