Merge pull request #41 from GitGuardian/fperucki/NHI-699

docs: add k8s authentication method example for hashicorp

Author: FlorianPerucki

charts/ggscout/examples/conjurcloud-workload/README.md

@@ -0,0 +1,66 @@
+# Conjur Cloud with Workload Authentication
+
+This example demonstrates how to configure ggscout to authenticate with Conjur Cloud using Workload authentication.
+
+## Prerequisites
+
+1. Access to a Conjur Cloud instance
+2. A Conjur workload with appropriate permissions
+3. Workload login ID and API key
+
+## Configuration
+
+### 1. Workload Setup
+
+In your Conjur Cloud instance, ensure you have:
+- A workload identity configured
+- Appropriate policies granting the workload access to secrets
+- The workload login ID and API key
+
+### 2. Update Configuration
+
+Edit the `secret.yaml` file to match your environment:
+
+- `CONJUR_WORKLOAD_LOGIN`: Your Conjur workload login ID (e.g., "host/my-app")
+- `CONJUR_WORKLOAD_API_KEY`: Your Conjur workload API key
+- `CONJUR_SUBDOMAIN`: Your Conjur Cloud subdomain
+- `GITGUARDIAN_API_KEY`: Your GitGuardian API token
+
+Edit the `values.yaml` file:
+
+- Update the GitGuardian endpoint URL if needed
+- Adjust the fetch and sync schedules as required
+
+### 3. Deploy with Helm
+
+```bash
+# Add the ggscout Helm repository
+helm repo add ggscout https://gitguardian.github.io/nhi-scout-helm-charts
+helm repo update
+
+# Apply the secret first
+kubectl apply -f secret.yaml
+
+# Install ggscout with Conjur Cloud Workload authentication
+helm install ggscout-conjur ggscout/ggscout -f values.yaml
+```
+
+## Verification
+
+Check that ggscout can authenticate with Conjur Cloud:
+
+```bash
+# Check the logs of the ggscout pods
+kubectl logs -l app.kubernetes.io/name=ggscout
+
+# Check if the CronJobs are running
+kubectl get cronjobs
+```
+
+## Troubleshooting
+
+1. **Authentication Issues**: Verify the workload login ID and API key are correct
+2. **Permission Issues**: Ensure the workload has proper policies to access the required secrets
+3. **Network Connectivity**: Verify ggscout pods can reach your Conjur Cloud instance
+
+For more details on Conjur Cloud workload authentication, refer to the [Conjur Cloud documentation](https://docs.cyberark.com/conjur-cloud/). 

charts/ggscout/examples/conjurcloud-workload/secret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ggscout-secrets
+stringData:
+  # Conjur Workload authentication
+  CONJUR_WORKLOAD_LOGIN: "your-workload-login"
+  CONJUR_WORKLOAD_API_KEY: "your-workload-api-key"
+
+  # Conjur subdomain
+  CONJUR_SUBDOMAIN: "your-conjur-subdomain"
+
+  # GitGuardian API token
+  GITGUARDIAN_API_KEY: "your_gitguardian_token"

charts/ggscout/examples/conjurcloud-workload/values.yaml

@@ -0,0 +1,36 @@
+---
+# yaml-language-server: $schema=../../values.schema.json
+
+inventory:
+  config:
+    sources:
+      conjur_cloud:
+        type: conjurcloud
+        auth_mode: "workload"
+        login: "${CONJUR_WORKLOAD_LOGIN}"
+        api_key: "${CONJUR_WORKLOAD_API_KEY}"
+        fetch_all_versions: true
+        mode: "read/write" # Can be `read`, `write` or `read/write` depending on wether fetch and/or sync are enabled
+        subdomain: "${CONJUR_SUBDOMAIN}"
+
+    gitguardian:
+      endpoint: "https://api.gitguardian.com/v1"
+      api_token: "${GITGUARDIAN_API_KEY}"
+  jobs:
+    # Job to fetch defined sources
+    fetch:
+      # Set to `false` to disable the job
+      enabled: true
+      # Run every 15 minutes
+      schedule: '*/15 * * * *'
+      send: true
+    # Job to be able to sync/write secrets from GitGuardian into you vault
+    sync:
+      # Set to `false` to disable the job
+      enabled: true
+      # Run every minute
+      schedule: '* * * * *'
+
+envFrom:
+- secretRef:
+    name: ggscout-secrets

charts/ggscout/examples/hashicorpvault-k8s/README.md

@@ -0,0 +1,116 @@
+# HashiCorp Vault with Kubernetes Authentication
+
+This example demonstrates how to configure ggscout to authenticate with HashiCorp Vault using Kubernetes authentication when running in a Kubernetes cluster.
+
+## Prerequisites
+
+1. HashiCorp Vault with Kubernetes auth method enabled
+2. Proper Vault policies and roles configured
+3. ggscout deployed in a Kubernetes cluster
+
+## Vault Configuration
+
+### 1. Enable Kubernetes Auth Method
+
+```bash
+# Enable Kubernetes auth method
+vault auth enable kubernetes
+```
+
+See HashiCorp Vault reference [documentation](https://developer.hashicorp.com/vault/docs/auth/kubernetes#configuration)
+
+### 2. Configure Kubernetes Auth Method
+
+```bash
+# Configure the Kubernetes auth method
+vault write auth/kubernetes/config \
+    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
+    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+```
+
+### 3. Create Vault Policy
+
+```bash
+# Create policy for ggscout
+vault policy write ggscout-policy - <<EOF
+# Allow reading secrets from KV2 engine
+path "secret/data/*" {
+  capabilities = ["read", "list"]
+}
+
+path "secret/metadata/*" {
+  capabilities = ["read", "list"]
+}
+
+# Allow reading from KV1 engine (if used)
+path "secret/*" {
+  capabilities = ["read", "list"]
+}
+EOF
+```
+
+### 4. Create Vault Kubernetes Role
+
+```bash
+# Create Kubernetes auth role
+vault write auth/kubernetes/role/ggscout \
+    bound_service_account_names=ggscout \
+    policies=ggscout-policy \
+    ttl=24h
+```
+
+## Deployment
+
+### 1. Update Configuration
+
+Edit the `secret.yaml` file to match your environment:
+
+- `VAULT_K8S_ROLE`: The Vault role created above
+- `GITGUARDIAN_API_KEY`: Your GitGuardian API token
+
+Edit the `values.yaml` file:
+
+- `vault_address`: Your Vault server URL
+- `path`: The Vault path to collect secrets from
+- `gitguardian.endpoint`: Your GitGuardian instance URL
+- `auth.k8s.service_account`: (Optional) Custom service account name
+- `auth.k8s.namespace`: (Optional) Kubernetes namespace for the service account
+
+### 2. Deploy with Helm
+
+```bash
+# Add the ggscout Helm repository
+helm repo add ggscout https://gitguardian.github.io/nhi-scout-helm-charts
+helm repo update
+
+# Apply the secret first
+kubectl apply -f secret.yaml
+
+# Install ggscout with Kubernetes authentication
+helm install ggscout-vault ggscout/ggscout -f values.yaml
+```
+
+## Verification
+
+Check that ggscout can authenticate with Vault:
+
+```bash
+# Check the logs of the ggscout pods
+kubectl logs -l app.kubernetes.io/name=ggscout
+
+# Verify the service account was created
+kubectl get serviceaccount ggscout
+
+# Check if the CronJobs are running
+kubectl get cronjobs
+```
+
+## Troubleshooting
+
+1. **Service Account Issues**: Ensure the service account name matches between `values.yaml` and `secret.yaml`
+2. **Vault Role Binding**: Verify the Vault role is bound to the correct service account and namespace
+3. **Network Connectivity**: Ensure ggscout pods can reach your Vault instance
+4. **Token Permissions**: Verify the Vault policy grants the necessary permissions
+
+For more detailed troubleshooting, enable debug logging by setting `log_level: debug` in the values.yaml file.

charts/ggscout/examples/hashicorpvault-k8s/secret.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ggscout-secrets
+stringData:
+  # Vault Kubernetes authentication role
+  VAULT_K8S_ROLE: "ggscout"
+
+  # GitGuardian API token
+  GITGUARDIAN_API_KEY: "your_gitguardian_token"

charts/ggscout/examples/hashicorpvault-k8s/values.yaml

@@ -0,0 +1,39 @@
+---
+# yaml-language-server: $schema=../../values.schema.json
+
+inventory:
+  config:
+    sources:
+      hashicorpvault:
+        type: hashicorpvault
+        vault_address: "https://your-vault-address-here.com"
+        auth:
+          auth_mode: "k8s"
+          k8s:
+            role: "${VAULT_K8S_ROLE}"
+        fetch_all_versions: true # Fetch all versions of secrets or not
+        path: "secret/dev" # Vault path or unspecified
+        mode: "read/write" # Can be `read`, `write` or `read/write` depending on wether fetch and/or sync are enabled
+    # To upload, set the gitguardian URL and tokens. Ensure the endpoint path ends with /v1
+    # This is optional: omit this to prevent uploading and to only test collection.
+    gitguardian:
+      endpoint: "https://api.gitguardian.com/v1"
+      api_token: "${GITGUARDIAN_API_KEY}"
+  jobs:
+    # Job to fetch defined sources
+    fetch:
+      # Set to `false` to disable the job
+      enabled: true
+      # Run every 15 minutes
+      schedule: '*/15 * * * *'
+      send: true
+    # Job to be able to sync/write secrets from GitGuardian into you vault
+    sync:
+      # Set to `false` to disable the job
+      enabled: true
+      # Run every minute
+      schedule: '* * * * *'
+
+envFrom:
+- secretRef:
+    name: ggscout-secrets