docs: add workload authentication method example for conjur

Author: Florian Perucki

charts/ggscout/examples/conjurcloud-workload/README.md

@@ -0,0 +1,66 @@
+# Conjur Cloud with Workload Authentication
+
+This example demonstrates how to configure ggscout to authenticate with Conjur Cloud using Workload authentication.
+
+## Prerequisites
+
+1. Access to a Conjur Cloud instance
+2. A Conjur workload with appropriate permissions
+3. Workload login ID and API key
+
+## Configuration
+
+### 1. Workload Setup
+
+In your Conjur Cloud instance, ensure you have:
+- A workload identity configured
+- Appropriate policies granting the workload access to secrets
+- The workload login ID and API key
+
+### 2. Update Configuration
+
+Edit the `secret.yaml` file to match your environment:
+
+- `CONJUR_WORKLOAD_LOGIN`: Your Conjur workload login ID (e.g., "host/my-app")
+- `CONJUR_WORKLOAD_API_KEY`: Your Conjur workload API key
+- `CONJUR_SUBDOMAIN`: Your Conjur Cloud subdomain
+- `GITGUARDIAN_API_KEY`: Your GitGuardian API token
+
+Edit the `values.yaml` file:
+
+- Update the GitGuardian endpoint URL if needed
+- Adjust the fetch and sync schedules as required
+
+### 3. Deploy with Helm
+
+```bash
+# Add the ggscout Helm repository
+helm repo add ggscout https://gitguardian.github.io/nhi-scout-helm-charts
+helm repo update
+
+# Apply the secret first
+kubectl apply -f secret.yaml
+
+# Install ggscout with Conjur Cloud Workload authentication
+helm install ggscout-conjur ggscout/ggscout -f values.yaml
+```
+
+## Verification
+
+Check that ggscout can authenticate with Conjur Cloud:
+
+```bash
+# Check the logs of the ggscout pods
+kubectl logs -l app.kubernetes.io/name=ggscout
+
+# Check if the CronJobs are running
+kubectl get cronjobs
+```
+
+## Troubleshooting
+
+1. **Authentication Issues**: Verify the workload login ID and API key are correct
+2. **Permission Issues**: Ensure the workload has proper policies to access the required secrets
+3. **Network Connectivity**: Verify ggscout pods can reach your Conjur Cloud instance
+
+For more details on Conjur Cloud workload authentication, refer to the [Conjur Cloud documentation](https://docs.cyberark.com/conjur-cloud/). 

charts/ggscout/examples/conjurcloud-workload/secret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ggscout-secrets
+stringData:
+  # Conjur Workload authentication
+  CONJUR_WORKLOAD_LOGIN: "your-workload-login"
+  CONJUR_WORKLOAD_API_KEY: "your-workload-api-key"
+
+  # Conjur subdomain
+  CONJUR_SUBDOMAIN: "your-conjur-subdomain"
+
+  # GitGuardian API token
+  GITGUARDIAN_API_KEY: "your_gitguardian_token"

charts/ggscout/examples/conjurcloud-workload/values.yaml

@@ -0,0 +1,36 @@
+---
+# yaml-language-server: $schema=../../values.schema.json
+
+inventory:
+  config:
+    sources:
+      conjur_cloud:
+        type: conjurcloud
+        auth_mode: "workload"
+        login: "${CONJUR_WORKLOAD_LOGIN}"
+        api_key: "${CONJUR_WORKLOAD_API_KEY}"
+        fetch_all_versions: true
+        mode: "read/write" # Can be `read`, `write` or `read/write` depending on wether fetch and/or sync are enabled
+        subdomain: "${CONJUR_SUBDOMAIN}"
+
+    gitguardian:
+      endpoint: "https://api.gitguardian.com/v1"
+      api_token: "${GITGUARDIAN_API_KEY}"
+  jobs:
+    # Job to fetch defined sources
+    fetch:
+      # Set to `false` to disable the job
+      enabled: true
+      # Run every 15 minutes
+      schedule: '*/15 * * * *'
+      send: true
+    # Job to be able to sync/write secrets from GitGuardian into you vault
+    sync:
+      # Set to `false` to disable the job
+      enabled: true
+      # Run every minute
+      schedule: '* * * * *'
+
+envFrom:
+- secretRef:
+    name: ggscout-secrets

charts/ggscout/examples/hashicorpvault-k8s/README.md

@@ -55,8 +55,7 @@ EOF
 ```bash
 # Create Kubernetes auth role
 vault write auth/kubernetes/role/ggscout \
-    bound_service_account_names=ggscout-vault \
-    bound_service_account_namespaces=default \
+    bound_service_account_names=ggscout \
     policies=ggscout-policy \
     ttl=24h
 ```
@@ -67,8 +66,6 @@ vault write auth/kubernetes/role/ggscout \
 
 Edit the `secret.yaml` file to match your environment:
 
-- `KUBERNETES_SERVICE_ACCOUNT`: Must match the service account name in values.yaml
-- `KUBERNETES_NAMESPACE`: The namespace where ggscout will be deployed
 - `VAULT_K8S_ROLE`: The Vault role created above
 - `GITGUARDIAN_API_KEY`: Your GitGuardian API token
 
@@ -77,6 +74,8 @@ Edit the `values.yaml` file:
 - `vault_address`: Your Vault server URL
 - `path`: The Vault path to collect secrets from
 - `gitguardian.endpoint`: Your GitGuardian instance URL
+- `auth.k8s.service_account`: (Optional) Custom service account name
+- `auth.k8s.namespace`: (Optional) Kubernetes namespace for the service account
 
 ### 2. Deploy with Helm
 
@@ -101,7 +100,7 @@ Check that ggscout can authenticate with Vault:
 kubectl logs -l app.kubernetes.io/name=ggscout
 
 # Verify the service account was created
-kubectl get serviceaccount ggscout-vault
+kubectl get serviceaccount ggscout
 
 # Check if the CronJobs are running
 kubectl get cronjobs
@@ -114,4 +113,4 @@ kubectl get cronjobs
 3. **Network Connectivity**: Ensure ggscout pods can reach your Vault instance
 4. **Token Permissions**: Verify the Vault policy grants the necessary permissions
 
-For more detailed troubleshooting, enable debug logging by setting `log_level: debug` in the values.yaml file. 
+For more detailed troubleshooting, enable debug logging by setting `log_level: debug` in the values.yaml file.

charts/ggscout/examples/hashicorpvault-k8s/secret.yaml

@@ -4,12 +4,6 @@ kind: Secret
 metadata:
   name: ggscout-secrets
 stringData:
-  # Kubernetes service account name for Vault authentication
-  KUBERNETES_SERVICE_ACCOUNT: "ggscout-vault"
-
-  # Kubernetes namespace where ggscout is deployed
-  KUBERNETES_NAMESPACE: "default"
-
   # Vault Kubernetes authentication role
   VAULT_K8S_ROLE: "ggscout"
 

charts/ggscout/examples/hashicorpvault-k8s/values.yaml

@@ -10,8 +10,6 @@ inventory:
         auth:
           auth_mode: "k8s"
           k8s:
-            service_account: "${KUBERNETES_SERVICE_ACCOUNT}"
-            namespace: "${KUBERNETES_NAMESPACE}"
             role: "${VAULT_K8S_ROLE}"
         fetch_all_versions: true # Fetch all versions of secrets or not
         path: "secret/dev" # Vault path or unspecified
@@ -36,15 +34,6 @@ inventory:
       # Run every minute
       schedule: '* * * * *'
 
-# Service account configuration for Kubernetes authentication
-serviceAccount:
-  # Create a service account for Vault authentication
-  create: true
-  # Annotations can be used for IAM role bindings if needed
-  annotations: {}
-  # Use a specific name for the service account
-  name: "ggscout-vault"
-
 envFrom:
 - secretRef:
     name: ggscout-secrets