Conjur-OSS Helm Deployment Fails

Hi All,

I’m trying to deploy Conjur-OSS following the instructions here:

The deployment fails, but replacing the datakey token with a static token resolved the issue:

user@ubuntu:~$ helm inspect chart cyberark/conjur-oss

apiVersion: v1
description: A Helm chart for CyberArk Conjur
home: https://www.conjur.org
icon: https://xebialabs-clients-iglusjax.stackpathdns.com/assets/files/logos/CyberArkConjurLogoWhiteBlue.png
keywords:
- security
- secrets management
maintainers:
- email: conj_maintainers@cyberark.com
  name: Conjur Maintainers
name: conjur-oss
sources:
- GitHub - cyberark/conjur-oss-helm-chart: Helm chart for deploying Conjur OSS to Kubernetes
- GitHub - cyberark/conjur: CyberArk Conjur automatically secures secrets used by privileged users and machine identities
version: 1.3.8

user@ubuntu:~$ helm install conjur-oss \
  --set dataKey="$(docker run --rm cyberark/conjur data-key generate)" cyberark/conjur-oss

docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.
Error: execution error at (conjur-oss/templates/secrets.yaml:36:11): 'dataKey' has no value, it must be provided!

user@ubuntu:~$ helm install conjur-oss --set dataKey="8gMR9T8H/G46xZpNHCjqwOBaxao9CE=" cyberark/conjur-oss

NAME: conjur-oss
LAST DEPLOYED: Thu Mar 19 06:28:37 2020
NAMESPACE: default
STATUS: deployed
REVISION: 1
NOTES:
1. Get the application URLs. These should match the configured SSL values:
- https://conjur.myorg.com

Any comments/guidance on what I am missing?
Thanks,
Alex

Hi @Alex, the important part of your error message is here:

This happens when you install Docker without adding your user to the Docker group (see here for more details), which is relatively uncommon (it also only affects Linux). The setup you are currently using is more secure, so your approach can be used fine, but you have to split that command into two parts, where you invoke the key generator with sudo first:

$ sudo docker run --rm cyberark/conjur data-key generate
<generated key>

$ helm install conjur-oss --set dataKey="<generated key>" cyberark/conjur-oss

@Alex: I have opened the issue to track this here: https://github.com/cyberark/conjur-oss-helm-chart/issues/42

Hi Sgnn7,

I managed to resolve it by running docker with sudo:

helm install conjur-oss --set dataKey="$(sudo docker run --rm cyberark/conjur data-key generate)" cyberark/conjur-oss

Thanks,
Alex

Great to hear! :)

PS: Inlined sudo may not work everywhere which is why I skipped it in the suggestion but I’m glad it works!

Is this a recommended method? Or should I use a different method?
It also would be helpful to have some next steps after a successful deployment.

Is this a recommended method? Or should I use a different method?

We will need to test this out to make sure that this is the case (this is why there is an open issue for it). I think in some circumstances, the sudo operation may fail or request a password in a subshell without letting the user know, so the two-line method approach is definitely less likely to result in failures.

It also would be helpful to have some next steps after a successful deployment.

If the helm chart succeeds, it should in theory print this template to the CLI, which should be adequate. If it’s not, it might be a good idea to open an issue for it in the relevant repo.
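
An added example, not part of the thread and not CyberArk's code: a POSIX shell wrapper for the two-step approach discussed above, which stops before helm runs when the key generator fails or prints nothing. `KEYGEN_CMD`, `HELM_CMD`, `generate_data_key`, `install_conjur` and the script file name are names introduced here; the docker and helm commands are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: generate the Conjur data key as its own step and stop before
# helm runs if that step failed. Commands are the ones quoted in the thread;
# set KEYGEN_CMD to the "sudo docker run ..." form if your user is not in the
# docker group.
: "${KEYGEN_CMD:=docker run --rm cyberark/conjur data-key generate}"
: "${HELM_CMD:=helm}"

generate_data_key() (
  # Inside --set dataKey="$(...)" a failed generator only yields an empty
  # string and helm still runs. A plain assignment keeps the exit status.
  if ! key="$($KEYGEN_CMD)"; then
    echo "data-key generation failed; helm was not called" >&2
    exit 1
  fi
  if [ -z "$key" ]; then
    echo "generator exited 0 but printed no key" >&2
    exit 1
  fi
  printf '%s\n' "$key"
)

install_conjur() (
  release="$1"
  key="$(generate_data_key)" || exit 1
  $HELM_CMD install "$release" --set dataKey="$key" cyberark/conjur-oss
)

# Run as: sh install-conjur.sh --install [release-name]
# (install-conjur.sh is a hypothetical file name for this script)
if [ "${1:-}" = "--install" ]; then
  install_conjur "${2:-conjur-oss}"
fi
```

With the defaults, a "permission denied" from the Docker socket now ends the script with a non-zero status instead of reaching the chart's `'dataKey' has no value` error.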