Last active
February 18, 2021 20:32
Gist: rpothier/f0cfd1964aef2fe8002f3a40e3b37f83
# Flow chart of Summon with the proposed sidecar injector
```plantuml
@startuml
hide footbox
title Using Summon with Authn Kubernetes Sidecar and Sidecar Injector
participant "K8s API Server" as ks
participant "Conjur Server" as cs
participant "K8s Authn Client" as kc
participant "Summon" as sum
database "Shared Pod Memory" as shared
participant "Application" as app
autonumber
group Pod
group Sidecar [As a sidecar container, the K8s Client runs this sequence as a\ncontinuous process, generating a refreshed token every six minutes]
' Step 1: the authn client proves its identity; the server validates (see note) and
' asks the API server to inject a signed certificate into the pod.
kc -> cs: Authentication Request
cs -> cs: Validate *
cs -> ks: Request to Inject Signed \nCertificate Into Pod
cs -> kc: 202: Accepted
loop
kc -> kc: Wait for Signed Certificate
end
' Step 2: the client authenticates with the injected certificate and receives a short-lived token,
' which it writes to the shared in-memory volume for Summon to pick up.
ks -> kc: Inject Signed Certificate Into Pod
kc -> cs: Authenticate with Certificate
cs -> cs: Validate *
cs -> kc: Access Token (Short Lived)
kc -> shared: Access Token Written
group Init [As an init container, the K8s Client will exit here\nrather than running as a continuous process]
autonumber stop
kc -X kc
end
autonumber 11
' Step 3: Summon reads the token, exchanges it for secrets and writes them as files.
sum -> shared: Read Access Token
activate shared
autonumber stop
shared -> sum:
deactivate shared
autonumber 12
sum -> cs: Summon Authenticates Using Access Token and Request Secrets
cs -> cs: Validate Token
cs -> sum: Return Secrets to Summon Provider
group Loop [Summon injects every n seconds]
sum -> shared: Summon Inject Secrets\nby writing files\nin the Shared Volume
end
end
' Step 4: the application never holds the token; it only polls the secret files.
group Loop [Application polls as needed]
app -> shared: App Reads\nthe files from\nthe Shared Volume
autonumber stop
activate shared
shared -> app:
deactivate shared
end
note over cs
* Validate:
1. Authenticator is Enabled
2. Webservice Exists and host has access to it
3. Pod exists
4. Host authentication annotations match request
5. Authn container exists
end note
end
@enduml
```
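The diagram leaves two things implicit that matter in practice: what each of the five "Validate" checks rejects, and how the token and secret files cross the shared volume without a polling reader ever seeing a half-written file or reusing an expired token. The following is an added Python model of that handoff; it is not code from the gist or from the Conjur or Summon projects. The policy records, pod records, host id `host/app`, file name `conjur-access-token`, the eight-minute token lifetime and the secret values are all constructed for this example, and the token is plain JSON rather than a signed Conjur token.

```python
"""Added example, not part of the original gist: a stand-alone model of the
handoff the sequence diagram draws. A stand-in Conjur server applies the five
checks from the "Validate" note and issues a short-lived token, the authn
client writes it atomically into a directory standing in for the shared
memory volume, and a Summon-like reader refuses expired tokens before
requesting secrets. All names, paths, TTLs and records are constructed."""
import json
import os
import secrets
import tempfile
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 8 * 60          # assumed lifetime; the diagram refreshes every six minutes
TOKEN_FILE = "conjur-access-token"  # assumed file name inside the shared volume


@dataclass
class ConjurPolicy:             # constructed stand-in for Conjur policy state
    authenticator_enabled: bool
    webservice_exists: bool
    hosts_with_access: set
    host_annotations: dict      # host id -> annotations the request must present


@dataclass
class AuthnRequest:             # what the K8s authn client sends (constructed fields)
    host_id: str
    namespace: str
    pod: str
    container: str              # name of the authn container inside the pod
    annotations: dict


def validate(policy, cluster_pods, req):
    """The five checks from the note, in order; returns (ok, reason)."""
    if not policy.authenticator_enabled:
        return False, "1: authenticator not enabled"
    if not policy.webservice_exists or req.host_id not in policy.hosts_with_access:
        return False, "2: webservice missing or host lacks access"
    pod = cluster_pods.get((req.namespace, req.pod))   # (namespace, name) -> pod record
    if pod is None:
        return False, "3: pod does not exist"
    required = policy.host_annotations.get(req.host_id, {})
    if any(req.annotations.get(k) != v for k, v in required.items()):
        return False, "4: host annotations do not match request"
    if req.container not in pod["containers"]:
        return False, "5: authn container not found in pod"
    return True, "ok"


def issue_token(host_id, now):
    """Short-lived token; structured JSON here, a signed token in real Conjur."""
    return {"host": host_id, "exp": now + TOKEN_TTL_SECONDS, "nonce": secrets.token_hex(8)}


def write_file_atomically(shared_dir, name, content):
    """Temp file (mode 0600) plus rename: a polling reader never sees a partial file."""
    fd, tmp = tempfile.mkstemp(dir=shared_dir, prefix=".tmp-")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.replace(tmp, os.path.join(shared_dir, name))


def read_token(shared_dir, now):
    """Summon side: refuse a stale token instead of sending it to the server."""
    with open(os.path.join(shared_dir, TOKEN_FILE)) as f:
        token = json.load(f)
    if token["exp"] <= now:
        raise PermissionError("access token expired; wait for the sidecar to refresh it")
    return token


def fetch_secrets(token, secret_store, now):
    """Server side of 'Validate Token': reject expired tokens, return the host's secrets."""
    if token["exp"] <= now:
        raise PermissionError("token expired")
    return dict(secret_store.get(token["host"], {}))


def run_cycle(policy, cluster_pods, req, secret_store, shared_dir, now):
    """One pass through the diagram: authenticate, write token, read it, inject files."""
    ok, reason = validate(policy, cluster_pods, req)
    if not ok:
        return {"ok": False, "reason": reason, "files": []}
    write_file_atomically(shared_dir, TOKEN_FILE, json.dumps(issue_token(req.host_id, now)))
    token = read_token(shared_dir, now)
    for name, value in fetch_secrets(token, secret_store, now).items():
        write_file_atomically(shared_dir, name, value)   # Summon's "inject by writing files"
    return {"ok": True, "reason": reason, "files": sorted(os.listdir(shared_dir))}


def sample_setup():
    """Constructed policy, cluster and secret data for one host."""
    policy = ConjurPolicy(True, True, {"host/app"}, {"host/app": {"app": "summon-demo"}})
    pods = {("default", "app-pod"): {"containers": ["authn-client", "summon", "app"]}}
    req = AuthnRequest("host/app", "default", "app-pod", "authn-client", {"app": "summon-demo"})
    store = {"host/app": {"db-password": "constructed-example-value"}}
    return policy, pods, req, store


def demo():
    """Run one cycle, then show Summon polling after the token has expired."""
    policy, pods, req, store = sample_setup()
    shared_dir = tempfile.mkdtemp(prefix="shared-pod-memory-")   # stands in for the emptyDir
    now = 1_000_000
    result = run_cycle(policy, pods, req, store, shared_dir, now)
    with open(os.path.join(shared_dir, "db-password")) as f:
        result["db_password"] = f.read()
    try:
        read_token(shared_dir, now + TOKEN_TTL_SECONDS)
        result["expired_rejected"] = False
    except PermissionError:
        result["expired_rejected"] = True
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module performs one full cycle and then a second read after the token lifetime has passed, which `read_token` rejects; in a real pod that is the moment the application keeps using the last injected files while the sidecar obtains a fresh token. The atomic temp-file-plus-rename write is the piece most often missed when the application polls the volume on its own schedule.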