`conjurCertFile` param not properly referenced in concourse web when using Conjur as Credential Manager
mjenk664 opened this issue · 0 comments
Use Case/Scenario
- Conjur is enabled to use as the credentials manager for concourse: https://concourse-ci.org/conjur-credential-manager.html
- Conjur is deployed with a self-signed certificate
- If you have a Conjur instance that is deployed with a self-signed certificate, you must provide a file path to the Conjur CA certificate on the concourse web container as the environment variable `CONCOURSE_CONJUR_CERT_FILE`, as shown in the documentation: https://concourse-ci.org/conjur-credential-manager.html#conjur-cert-file
Problem:
After setting `conjurCertFile: ./conjur.pem` in my values.yaml, I created a sample pipeline in Concourse and ran it, but immediately received the following error:

```
failed to interpolate task config: undefined vars: team-secret-variable
```

When I checked the concourse-web Pod logs, I found the following error being returned:

```
no such file or directory: ./conjur.pem
```
Steps to reproduce:
Set the following parameters in your values.yaml:

```yaml
concourse:
  web:
    ## Disable ku
    kubernetes:
      enabled: false
    conjur:
      ## Enable the use of Conjur as a credential manager
      enabled: true
      # URL of the Conjur instance.
      applianceUrl: https://conjur.example.com
      # Path used to locate pipeline-level secret
      pipelineSecretTemplate: concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
      # Path used to locate team-level secret
      teamSecretTemplate: concourse/{{.Team}}/{{.Secret}}
      # Path used to locate a vault or safe-level secret
      secretTemplate: concourse/{{.Secret}}

secrets:
  # Org account.
  conjurAccount: conjur
  # Host username. E.g host/concourse
  conjurAuthnLogin: host/concourse
  # Api key related to the host.
  conjurAuthnApiKey: 123456789ABCDEFGHIJ
  # Token file used if conjur instance is running in k8s or iam. E.g. /path/to/token_file
  conjurAuthnTokenFile:
  # Cert file used if conjur instance is using a self signed cert. E.g. /path/to/conjur.pem
  conjurCertFile: ./conjur.pem
```
Proposed Solution
After reviewing the templates/web-deployment.yaml manifest, it was discovered that the value of `conjurCertFile` used for the `CONCOURSE_CONJUR_CERT_FILE` environment variable was not being mounted properly to the concourse web pod.

To fix this, the concourse web-deployment manifest spec must be updated to mount the Conjur CA cert as a volume.
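As an added illustration of the fix proposed above (this is not the Helm chart's own template, nor code from the issue author), the following hand-written manifests show the wiring the web Deployment needs: a Kubernetes Secret carrying the Conjur CA PEM, a volume that mounts it into the container, and `CONCOURSE_CONJUR_CERT_FILE` pointing at the mounted path rather than at a path on the operator's workstation. The Secret name `conjur-ca-cert`, the mount path `/conjur-certs`, the Secret `concourse-web-secrets` holding the API key, and the remaining `CONCOURSE_CONJUR_*` variable names (taken from the Concourse Conjur credential manager docs, not from this page) are assumptions for the example; the certificate body is a constructed placeholder.

```yaml
# Added example, not the chart's template. Names and paths are assumed.
apiVersion: v1
kind: Secret
metadata:
  name: conjur-ca-cert
type: Opaque
stringData:
  # Constructed placeholder: replace with the real Conjur CA certificate PEM.
  conjur.pem: |
    -----BEGIN CERTIFICATE-----
    MIIB...placeholder...
    -----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: concourse-web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: concourse-web
  template:
    metadata:
      labels:
        app: concourse-web
    spec:
      containers:
        - name: concourse-web
          image: concourse/concourse
          args: ["web"]
          env:
            - name: CONCOURSE_CONJUR_APPLIANCE_URL
              value: https://conjur.example.com
            - name: CONCOURSE_CONJUR_ACCOUNT
              value: conjur
            - name: CONCOURSE_CONJUR_AUTHN_LOGIN
              value: host/concourse
            - name: CONCOURSE_CONJUR_AUTHN_API_KEY
              valueFrom:
                secretKeyRef:
                  name: concourse-web-secrets   # assumed Secret name
                  key: conjur-authn-api-key     # assumed key name
            # This must be the path INSIDE the container, i.e. where the
            # volume below lands. A relative path like ./conjur.pem refers to
            # nothing in the pod, which is exactly the "no such file" error.
            - name: CONCOURSE_CONJUR_CERT_FILE
              value: /conjur-certs/conjur.pem
          volumeMounts:
            - name: conjur-ca
              mountPath: /conjur-certs
              readOnly: true
      volumes:
        - name: conjur-ca
          secret:
            secretName: conjur-ca-cert
            items:
              - key: conjur.pem
                path: conjur.pem
```

After applying this, the quickest check is `kubectl exec deploy/concourse-web -- ls -l /conjur-certs/conjur.pem` to confirm the file is present at the path the env var names; if the web pod still logs `no such file or directory`, the env value and the mount path have drifted apart. Mounting the CA read-only from a Secret (rather than baking it into the image or passing it as a relative path) also keeps the trust anchor out of the image and lets it be rotated independently of the chart release.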