This repo provides an implementation of a strongDM relay or gateway inside Kubernetes using Helm.
Learn more about deploying strongDM inside Kubernetes on our docs site.
- A Kubernetes Cluster v1.16+
- Helm 3.0+
- Git
- If you are going to use the Nginx Ingress Controller, you will need to manually patch your services to allow TCP and UDP traffic.
Note: In order to get a Gateway Token you'll need an external address to register. This external address is immutable after creation.
```shell
helm repo add strongdm https://helm.strongdm.com/stable/
helm install [RELEASE_NAME] strongdm/sdm-relay -f values.yaml
helm status [RELEASE_NAME]
```
See configuration below.
See helm install for command documentation.
```shell
helm upgrade [RELEASE_NAME] strongdm/sdm-relay --install
```
See helm upgrade for command documentation.
```shell
helm uninstall [RELEASE_NAME]
```
The command removes all the Kubernetes components associated with the release and deletes the release.
See helm uninstall for command documentation.
If you are running multiple strongDM Gateways, we recommend having multiple points of ingress rather than sharing a single ingress point on different ports. Our recommendation is a one-to-one ratio of LoadBalancer to Gateway.
Also note that tokens can't be reused between Gateways. A replica count of 1 is set by default so that a new Gateway is deployed without causing token conflicts.
The following table lists the configurable parameters of the strongDM relay/gateway chart and their default values.
Parameter | Description | Default | Required |
---|---|---|---|
.global.gateway.enabled | Enables the strongDM relay to accept incoming traffic when using a Gateway Token. | false | ☐ |
.global.gateway.service.type | The kind of service to run for the gateway, e.g. NodePort or LoadBalancer. | NodePort | ☑ |
.global.gateway.service.nodePort | When the service type is NodePort, this port must match the port set in the Admin UI. | 30001 | ☐ |
.global.gateway.service.loadBalancerIP | When the service type is LoadBalancer, use this to assign the IP address of an existing load balancer. | None | ☐ |
.global.gateway.service.port | The port the service listens on. When using NodePort this can be different from the port set in the Admin UI. | 30001 | ☑ |
.global.secret.token | The base64-encoded value of the relay or gateway token generated in the Admin UI. | None | ☑ |
.global.deployment.repository | The image to use for the strongDM gateway/relay. | quay.io/sdmrepo/relay | ☑ |
.global.deployment.tag | The tag of the image to use for the strongDM gateway/relay. | latest | ☑ |
.global.deployment.imagePullPolicy | The policy for pulling a new image from the repository. | Always | ☑ |
.global.extraEnvironmentVars | Extra environment variables to inject, in key: value format, if populated. | None | ☐ |
.configmap.SDM_ORCHESTRATOR_PROBES | If you'd like a liveness probe for the strongDM gateway/relay. | 9090 | ☐ |
.configmap.SDM_DOCKERIZED | Setting this automatically sends logs to STDOUT, overriding the settings in the Admin UI. | true | ☐ |
.configmap.SDM_RELAY_LOG_FORMAT | Format for the logs when stored locally. | json | ☐ |
.configmap.SDM_RELAY_LOG_STORAGE | If storing SDM activities locally, you can change where they are stored. | stdout | ☐ |
.configmap.SDM_RELAY_LOG_ENCRYPTION | Changes the encryption of the logs. | plaintext | ☐ |
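A complete values.yaml for a single gateway exposed through its own LoadBalancer service, tying together the install steps and the parameters above. This is an added example, not a file shipped with the chart; the load balancer IP and the token are placeholders, and the ports assume the gateway was registered in the Admin UI on port 30001.

```yaml
# values.yaml for one strongDM gateway behind one LoadBalancer service.
# Added example: the IP and token below are placeholders, not real values.
global:
  gateway:
    enabled: true                  # accept incoming traffic (Gateway Token)
    service:
      type: LoadBalancer           # one LoadBalancer per gateway
      loadBalancerIP: 203.0.113.10 # placeholder: IP of an existing LB
      port: 30001                  # port the Service listens on
      nodePort: 30001              # only used when type is NodePort
  secret:
    # Placeholder. Must be the base64-encoded token from the Admin UI,
    # e.g. produced with: base64 -w0 < gateway-token.txt
    token: "<BASE64_ENCODED_GATEWAY_TOKEN>"
  deployment:
    repository: quay.io/sdmrepo/relay
    tag: latest
    imagePullPolicy: Always
configmap:
  # Quoted so they are rendered as strings in the ConfigMap.
  SDM_ORCHESTRATOR_PROBES: "9090"   # liveness probe port
  SDM_DOCKERIZED: "true"            # logs to STDOUT, overriding the Admin UI
  SDM_RELAY_LOG_FORMAT: json
  SDM_RELAY_LOG_STORAGE: stdout
  SDM_RELAY_LOG_ENCRYPTION: plaintext
```

Because the token is a credential, keep a values file that contains it out of version control, or leave `token` out of the file and supply it at install time with `--set-file global.secret.token=token.b64`.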