StrongDM Client Containers in Kubernetes With Helm
Last modified on March 1, 2023
Overview
This guide provides instructions to add the StrongDM native client container to your Kubernetes cluster. We will focus on using Helm charts to accomplish this goal. For more, read about the benefits of using Helm.
Prerequisites
To successfully follow the steps in this guide, you must meet the following general requirements:
- Ensure that you are an Administrator in StrongDM.
- Have a running Kubernetes cluster with publicly accessible nodes and stable IPs.
- Install the kubectl command-line tool to interact with your Kubernetes clusters.
- Obtain a valid StrongDM service token.
- Run a Kubernetes cluster v1.16+.
- Install Helm 3.0+ and Git locally.
- If you are using Nginx Ingress Controller, manually patch your services to allow TCP and UDP traffic.
Create a Service Token
Use the steps below to create a service token in the Admin UI. Service tokens allow programmatic access to StrongDM resources. For more, see Service Accounts.
- Go to the Admin UI and select Users from the main navigation.
- Click Add Service.
- Enter a name for the service account. User information, such as name or email address, is not necessary since service accounts facilitate machine-to-machine communication.
- Click Create service account.
- A modal appears with the service token. Copy the token and set it aside, being careful to capture every character. You need it again in the next step.
- On macOS, encode the resulting token in base64 using echo -n [token-string] | base64. PowerShell and Windows commands may differ.
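The encoding step is where a copied token most often gets corrupted: a trailing newline ends up inside the encoded value, or GNU coreutils base64 wraps its output at 76 characters and splits it across lines. The following is an added example, not part of the StrongDM documentation; the function names encode_token and check_encoded are hypothetical. It reads the token from stdin so it stays out of shell history and process arguments, and it verifies the value before you paste it into values.yaml.

```bash
#!/usr/bin/env bash
# Added example (not StrongDM code). Function names are hypothetical.
# Usage:  encode_token < token.txt        (or on macOS: pbpaste | encode_token)
#         check_encoded "<value destined for .global.secret.token>"

# Read a token from stdin, drop line endings, emit single-line base64.
encode_token() {
  local token
  # tr removes CRs from Windows clipboards; $(...) strips trailing newlines.
  token=$(tr -d '\r')
  if [ -z "$token" ]; then
    echo "empty token" >&2
    return 1
  fi
  # Whitespace inside the token means the copy was incomplete or wrapped.
  if [ "$(printf '%s' "$token" | tr -d ' \t\n')" != "$token" ]; then
    echo "token contains whitespace; re-copy it" >&2
    return 1
  fi
  # Join the output in case this base64 wraps long lines.
  printf '%s' "$token" | base64 | tr -d '\n'
}

# Validate an already-encoded value before it goes into values.yaml.
check_encoded() {
  local enc=$1 last
  [ -n "$enc" ] || { echo "empty value" >&2; return 1; }
  case "$enc" in
    *[!A-Za-z0-9+/=]*) echo "not single-line base64" >&2; return 1 ;;
  esac
  printf '%s' "$enc" | base64 --decode >/dev/null 2>&1 ||
    { echo "value does not decode" >&2; return 1; }
  # Inspect the last decoded byte: 0a or 0d means "echo" was used without -n.
  last=$(printf '%s' "$enc" | base64 --decode | tail -c 1 | od -An -tx1 | tr -d ' \n')
  case "$last" in
    0a|0d) echo "decoded token ends in a line break" >&2; return 1 ;;
  esac
  return 0
}
```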
Install the sdm-client Helm Chart
To leverage the flexibility of Helm, we created charts to deploy your StrongDM client container across your Kubernetes clusters. For more, see our StrongDM charts repository. You can use the following steps to install the client container with Helm.
Follow the steps to create a service token. You need this token in step 4.
Add the StrongDM chart repository.
helm repo add strongdm https://helm.strongdm.com/stable/
The output confirms the chart was added:
"strongdm" has been added to your repositories
To obtain the chart deployment files, clone the StrongDM charts repository. You need to complete this for the next step.
Go to the cloned local copy of the StrongDM charts repository created in the previous step. It contains a local copy of the sdm-client values.yaml file that can be used as a template.
Open this local values.yaml file to view and configure chart parameters listed in the following table. Make sure to add the Base64-encoded value of the service token you generated.
| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| .global.service.type | Optional | ClusterIP | Determines the kind of service to run, for example ClusterIP or LoadBalancer |
| .global.secret.token | Required | None | Includes the Base64-encoded value of the service token generated in the Admin UI |
| .global.deployment.replicas | Optional | 1 | Shows the number of container replicas to run for the deployment |
| .global.deployment.repository | Required | quay.io/sdmrepo/client | Identifies the location to pull the image for the StrongDM client; this can be any repository or a local image (for example, sdm-custom-image:latest) |
| .global.deployment.tag | Required | latest | Assigns tags for the image used for the StrongDM client |
| .global.deployment.imagePullPolicy | Required | Always | Shows the policy for pulling a new image from the repo |
| .global.deployment.ports | Optional | None | Indicates the port the service listens on; ports coincide with the port you expose from StrongDM |
| .configmap.SDM_DOCKERIZED | Optional | true | Sends logs automatically to STDOUT when set to true, overriding settings in the Admin UI |
Install the chart archive. Replace <RELEASE_NAME> with a unique and meaningful value to help track package deployments and releases. The value after the -f flag includes the path or URL to your YAML file. To learn more, see the helm install reference documentation.
helm install <RELEASE_NAME> strongdm/sdm-client -f myvalues.yaml
NAME: sdm-client-070722
LAST DEPLOYED: Thu Jul 7 16:50:24 2022
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing sdm-client using helm. If you run into any errors please reach out to support@strongdm.com.
Your release is named sdm-client-070722.
To learn more about the release, try:
  helm status sdm-client-070722
  helm get all sdm-client-070722
You can run helm status <RELEASE_NAME> to confirm the status of the deployment.
Confirm the StrongDM client is running in your cluster:
kubectl get all
NAME                                                  READY   STATUS    RESTARTS   AGE
pod/sdm-client-070722-deployment-b954bdfb8-bjtzk      1/1     Running   0          4m42s
pod/sdm-gateway-070722-deployment-847fcf75f9-c7854    1/1     Running   0          6h35m

NAME                             TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)               AGE
service/kubernetes               ClusterIP   10.100.0.1       <none>        443/TCP               45h
service/sdm-client-070722-svc    ClusterIP   10.100.241.189   <none>        15432/TCP,15433/TCP   4m42s
service/sdm-gateway-070722-svc   NodePort    10.100.24.181    <none>        30001:30001/TCP       6h35m

NAME                                            READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/sdm-client-070722-deployment    1/1     1            1           4m43s
deployment.apps/sdm-gateway-070722-deployment   1/1     1            1           6h35m

NAME                                                       DESIRED   CURRENT   READY   AGE
replicaset.apps/sdm-client-070722-deployment-b954bdfb8     1         1         1       4m43s
replicaset.apps/sdm-gateway-070722-deployment-847fcf75f9   1         1         1       6h35m
Upgrade the sdm-client Helm chart
To upgrade the sdm-client Helm chart, run the following command. For more, see the helm upgrade command documentation.
helm upgrade <RELEASE_NAME> strongdm/sdm-client --install
Uninstall the sdm-client Helm chart
You can uninstall the Helm chart by running the following command. This command removes all Kubernetes components associated with the release and deletes the release. For more, see the helm uninstall reference documentation.
helm uninstall <RELEASE_NAME>
If any errors occur, please contact support@strongdm.com for help.