@rpothier
Last active February 18, 2021 20:32
# Flow chart of Summon with the proposed sidecar injector
@startuml
hide footbox
title Using Summon with Authn Kubernetes Sidecar and Sidecar Injector
participant "K8s API Server" as ks
participant "Conjur Server" as cs
participant "K8s Authn Client" as kc
participant "Summon" as sum
database "Shared Pod Memory" as shared
participant "Application" as app
autonumber
group Pod
group Sidecar [As a sidecar container, the K8s Client runs this sequence as a\ncontinuous process, generating a refreshed token every six minutes]
kc -> cs: Authentication Request
cs -> cs: Validate *
cs -> ks: Request to Inject Signed \nCertificate Into Pod
cs -> kc: 202: Accepted
loop
kc -> kc: Wait for Signed Certificate
end
ks -> kc: Inject Signed Certificate Into Pod
kc -> cs: Authenticate with Certificate
cs -> cs: Validate *
cs -> kc: Access Token (Short Lived)
kc -> shared: Access Token Written
group Init [As an init container, the K8s Client will exit here\nrather than running as a continuous process]
autonumber stop
kc -X kc
end
autonumber 11
sum -> shared: Read Access Token
activate shared
autonumber stop
shared -> sum:
deactivate shared
autonumber 12
sum -> cs: Summon Authenticates Using Access Token and Request Secrets
cs -> cs: Validate Token
cs -> sum: Return Secrets to Summon Provider
group Loop [Summon injects every n seconds]
sum -> shared: Summon Inject Secrets\nby writing files\nin the Shared Volume
end
end
group Loop [Application polls as needed]
app -> shared: App Reads\nthe files from\nthe Shared Volume
autonumber stop
activate shared
shared -> app:
deactivate shared
end
note over cs
* Validate:
1. Authenticator is Enabled
2. Webservice Exists and host has access to it
3. Pod exists
4. Host authentication annotations match request
5. Authn container exists
end note
end
@enduml
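The "Validate *" step in the diagram is a gate: the Conjur server refuses to issue a certificate or token unless all five checks in the note pass. The following is an added example, not code from the gist or from Conjur itself, that models those five checks in the order the note lists them; the cluster snapshot, the request fields and the two annotation keys (`authn-k8s/namespace`, `authn-k8s/authentication-container-name`) are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class ClusterState:
    """Assumed snapshot of what the server can see (constructed, not real)."""
    enabled_authenticators: set   # e.g. {"authn-k8s/prod"}
    webservice_access: dict       # authenticator -> set of host ids allowed to use it
    pods: dict                    # (namespace, pod name) -> set of container names


@dataclass
class AuthnRequest:
    """Assumed shape of an authentication request from the K8s Authn Client."""
    authenticator: str
    host: str
    namespace: str
    pod: str
    host_annotations: dict        # annotations stored on the Conjur host record


def validate(req: AuthnRequest, state: ClusterState):
    """Run the five numbered checks from the diagram's note, in order.
    Returns (True, 'ok') or (False, '<check>: reason') at the first failure."""
    # 1. Authenticator is enabled
    if req.authenticator not in state.enabled_authenticators:
        return False, "1: authenticator not enabled"
    # 2. Webservice exists and host has access to it
    allowed_hosts = state.webservice_access.get(req.authenticator)
    if allowed_hosts is None:
        return False, "2: webservice does not exist"
    if req.host not in allowed_hosts:
        return False, "2: host has no access to webservice"
    # 3. Pod exists
    containers = state.pods.get((req.namespace, req.pod))
    if containers is None:
        return False, "3: pod not found"
    # 4. Host authentication annotations match the request (assumed key names)
    if req.host_annotations.get("authn-k8s/namespace") != req.namespace:
        return False, "4: namespace annotation does not match request"
    # 5. Authn container named on the host actually exists in the pod
    authn_container = req.host_annotations.get("authn-k8s/authentication-container-name")
    if authn_container not in containers:
        return False, "5: authentication container not present in pod"
    return True, "ok"


def sample_state() -> ClusterState:
    """Constructed cluster snapshot used to exercise validate() (not real data)."""
    return ClusterState(
        enabled_authenticators={"authn-k8s/prod"},
        webservice_access={"authn-k8s/prod": {"host/prod/app"}},
        pods={("prod", "app-7c9d"): {"app", "authenticator"}},
    )
```

Because the checks short-circuit, the reason string identifies which gate rejected the request, which is what a defender wants to see in the server's audit trail.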