
[SalesForce case] 698331 Need Product feedback on proposed UX for OpenShift #22

Closed
garkler-zz opened this issue May 29, 2019 · 1 comment

garkler-zz commented May 29, 2019

Salesforce case https://cyberark.my.salesforce.com/5002J00001F0WID

From the customer

We’d like help from Cyberark addressing the “cons” in the last email around logging and permissions:

It turns out an init container can create secrets that are referenced by the second container, before they are created.

Assuming there’s some way to retrieve all secrets from Conjur for a given app, we could run a 2nd init container after the 1st Conjur init container which gets the Conjur key. This 2nd init container could get all the secrets from Conjur and create Openshift secrets for each of them. The app team wouldn’t have to change their code or container – they’d just add the 2 init containers to their deployment config.

Cons:

  1. There is no way to see the logs from an init container in the Logs tab. Might be difficult to debug it.
  2. We’d have to give the ‘default’ service identity permissions to list, view, create, and maybe delete secrets. This is because there is no way to run an init container as a different service account from the main container.

App team’s deployment config (in actuality, there’d be another init container for Conjur):

(attachment: image001.png)

When the real app container runs, it has the secret:

(attachment: image002.png)

I gave up trying to create the secrets inside the init container using the oc command line. I had to use the REST API directly and used the Java client.
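An added illustration of the two-init-container pattern described above (not the customer's manifest nor CyberArk's): the pod runs under a dedicated service account bound to a namespace-scoped Role limited to the secret verbs the writer init container needs, instead of widening the ‘default’ service account (con #2). All image names, namespace and secret names are placeholders.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata: { name: app-secrets-writer, namespace: app-ns }
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: { name: secret-writer, namespace: app-ns }
rules:
  # Only what the writer init container needs; no list/delete, namespace-scoped.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: { name: secret-writer-binding, namespace: app-ns }
subjects:
  - { kind: ServiceAccount, name: app-secrets-writer, namespace: app-ns }
roleRef: { kind: Role, name: secret-writer, apiGroup: rbac.authorization.k8s.io }
---
apiVersion: apps/v1
kind: Deployment
metadata: { name: myapp, namespace: app-ns }
spec:
  selector: { matchLabels: { app: myapp } }
  template:
    metadata: { labels: { app: myapp } }
    spec:
      # The service account is pod-wide (init and app containers alike),
      # so a dedicated one is used rather than 'default'.
      serviceAccountName: app-secrets-writer
      volumes:
        - name: conjur-token
          emptyDir: { medium: Memory }   # tmpfs shared between the init containers
      initContainers:
        - name: conjur-authn             # placeholder image: obtains the Conjur token
          image: PLACEHOLDER/conjur-authenticator:latest
          volumeMounts: [{ name: conjur-token, mountPath: /run/conjur }]
        - name: secrets-to-openshift     # placeholder image: fetches Conjur secrets and
          image: PLACEHOLDER/secret-writer:latest   # creates Secret objects via the API
          volumeMounts: [{ name: conjur-token, mountPath: /run/conjur, readOnly: true }]
      containers:
        - name: app
          image: PLACEHOLDER/myapp:latest
          env:
            - name: DB_PASSWORD
              valueFrom: { secretKeyRef: { name: myapp-db, key: password } }
```

The app container's secretKeyRef resolves only after both init containers have finished, which is why the Secret created by the second init container is available to it.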


jvanderhoof commented May 29, 2019

My TL;DR: "Conjur secrets can be resolved directly into OCP/K8s secrets." I'd like to see us put a Feature Spec together for this effort.
