Update deployment steps to use the new Helm chart

README.md

@@ -23,21 +23,17 @@ A quick start to deploy a sidecar to Kubernetes using Helm!
 #### Quick Start
 
 * Save the code below in a `values.yaml` file.
-    * Fill the parameters `controlPlane.host`, `sidecarId`, `forwardProxy.clientId`, 
-    and `forwardProxy.clientSecret` with the information from the `Cyral Templates` option
+    * Fill the parameters `cyral.controlPlane`, `cyral.sidecarId`, `cyral.credentials.clientId`, 
+    and `cyral.credentials.clientSecret` with the information from the `Cyral Templates` option
     in the `Deployment` tab of your sidecar details.
 
 ```yaml
-controlPlane:
-  host: ""
-
-sidecarId: ""
-
-forwardProxy:
-  clientId: ""
-  clientSecret: ""
-  secretName: sidecar-secret
-  secretKeyName: credentials.json
+cyral:
+  controlPlane: ""
+  sidecarId: ""
+  credentials:
+    clientId: ""
+    clientSecret: ""
 ​
 service:
   enabled: true
@@ -75,10 +71,10 @@ service:
     * `<VERSION>`: the version of your sidecar.
 
 ```bash
-helm repo add cyral https://charts.cyral.com
-helm upgrade -i <SIDECAR_RELEASE_NAME> cyral/cyral-sidecar \
-  --namespace <SIDECAR_NAMESPACE> -f values.yaml \
+helm upgrade -i <SIDECAR_RELEASE_NAME> \
   --create-namespace \
+  --namespace <SIDECAR_NAMESPACE> -f values.yaml \
+  oci://public.ecr.aws/cyral/helm/sidecar \
   --version <VERSION>
 ```
 
@@ -94,21 +90,17 @@ as part of the [repository configuration](https://cyral.com/docs/manage-reposito
 
 
 * Save the code below in a `values.yaml` file.
-    * Fill the parameters `controlPlane.host`, `sidecarId`, `forwardProxy.clientId`, 
-    and `forwardProxy.clientSecret` with the information from the `Cyral Templates` option
+    * Fill the parameters `cyral.controlPlane`, `cyral.sidecarId`, `cyral.credentials.clientId`, 
+    and `cyral.credentials.clientSecret` with the information from the `Cyral Templates` option
     in the `Deployment` tab of your sidecar details.
 
 ```yaml
-controlPlane:
-  host: ""
-
-sidecarId: ""
-
-forwardProxy:
-  clientId: ""
-  clientSecret: ""
-  secretName: sidecar-secret
-  secretKeyName: credentials.json
+cyral:
+  controlPlane: ""
+  sidecarId: ""
+  credentials:
+    clientId: ""
+    clientSecret: ""
 
 # Sets the node and inter-pod affinities so pods won't run
 # in the same node.
@@ -157,9 +149,9 @@ service:
     * `<VERSION>`: the version of your sidecar.
 
 ```bash
-helm repo add cyral https://charts.cyral.com
-helm upgrade -i <RELEASE_NAME> cyral/cyral-sidecar /
-  --namespace <SIDECAR_NAMESPACE> -f values.yaml /
+helm upgrade -i <RELEASE_NAME> \
+  --namespace <SIDECAR_NAMESPACE> -f values.yaml \
+  oci://public.ecr.aws/cyral/helm/sidecar \
   --version <VERSION> --create-namespace
 ```
 
@@ -194,9 +186,9 @@ Use the following procedure to upgrade your sidecar:
     * `<VERSION>`: the version the sidecar should be upgraded to.
 
 ```bash
-helm upgrade -i <SIDECAR_NAMESPACE> cyral-sidecar /
-  --namespace <SIDECAR_NAMESPACE> -f values.yaml /
-  --repo https://charts.cyral.com /
+helm upgrade -i <RELEASE_NAME> \
+  --namespace <SIDECAR_NAMESPACE> -f values.yaml \
+  oci://public.ecr.aws/cyral/helm/sidecar \
   --version <VERSION>
 ```
 

docs/certificates.md

@@ -97,12 +97,13 @@ Suppose you created the secrets `my-tls-secret` and `my-ca-secret`, then
 provide the following to your values file:
 
 ```yaml
-certificateManager:
-  certificates:
-    tls:
-      existingSecret: "my-tls-secret"
-    ca:
-      existingSecret: "my-ca-secret"
+cyral:
+  sidecar:
+    certificates:
+      tls:
+        existingSecret: "my-tls-secret"
+      ca:
+        existingSecret: "my-ca-secret"
 ```
 
 The choice between providing a `tls`, a `ca` secret or *both* will depend on the repositories

docs/database-accounts/environment-variables.md

@@ -66,13 +66,12 @@ With the secret created, you need to add an environment variable to the `authent
 field of the `values.yaml` file used to create the sidecar.
 
 ```yaml
-authenticator:
-  extraEnvs:
-  - name: CYRAL_DBSECRETS_<env-var-configured-in-the-control-plane>
-    valueFrom:
-      secretKeyRef:
-        name: $SECRET_NAME
-        key: credentials
+extraEnvs:
+- name: CYRAL_DBSECRETS_<env-var-configured-in-the-control-plane>
+  valueFrom:
+    secretKeyRef:
+      name: $SECRET_NAME
+      key: credentials
 ```
 
 ## Multiple credentials in a single secret
@@ -132,17 +131,16 @@ kubectl apply -f secret.yaml
 To add them all, just add multiple environment variables in the `values.yaml` file.
 
 ```yaml
-authenticator:
-  extraEnvs:
-  - name: CYRAL_DBSECRETS_<repo1 env var>
-    valueFrom:
-      secretKeyRef:
-        name: $SECRET_NAME
-        key: repo1
-  - name: CYRAL_DBSECRETS_<repo2 env var>
-    valueFrom:
-      secretKeyRef:
-        name: $SECRET_NAME
-        key: repo2
+extraEnvs:
+- name: CYRAL_DBSECRETS_<repo1 env var>
+  valueFrom:
+    secretKeyRef:
+      name: $SECRET_NAME
+      key: repo1
+- name: CYRAL_DBSECRETS_<repo2 env var>
+  valueFrom:
+    secretKeyRef:
+      name: $SECRET_NAME
+      key: repo2
   ...
 ```

docs/metrics.md

@@ -7,36 +7,23 @@ on the `Prometheus` configuration for your `Kubernetes` cluster. You can
 set the metrics port by adding the following to your `values.yaml` file:
 
 ```yaml
-metrics:
-  port: 9000 # this is the default value
+containerPorts:
+  metrics: 9000 # this is the default value
 ```
 
-By default, this port will be exposed on the `Service` object created by the `helm` chart.
-To disable its exposure, you can add the following to your `values.yaml` file:
+By default, this port will not be exposed on the `Service` object created by the `helm` chart.
+To enable its exposure, you can add the following to your `values.yaml` file:
 
 ```yaml
-metrics:
-  expose: false
+service:
+  ports:
+    metrics: 9000
+  targetPort:
+    metrics: metrics
 ```
 
 ## Prometheus configuration
 
-### Service Monitor discovery configuration
-
-The sidecar `helm` chart packages a `ServiceMonitor` object which can be used
-in conjunction with a [`prometheus operator`](https://github.com/prometheus-operator/prometheus-operator) to
-monitor all pods in the sidecar's `Deployment`. To enable the service monitor, you
-can add the following to your `values.yaml` file:
-
-```yaml
-metrics:
-  serviceMonitor:
-    enabled: true
-```
-
-**NOTE:** There are many other configuration options for the `ServiceMonitor` object,
-you can look at the default `values.yaml` file to know all the options.
-
 ### Annotation based Prometheus discovery configuration
 
 You can add common `Prometheus` annotations by adding the following

docs/port-configuration.md

@@ -3,13 +3,9 @@
 A single Cyral sidecar cluster usually monitors and protects many
 repositories of different types. To make it easy for data users to
 connect to these repositories using the port numbers they're
-accustomed to, the sidecar cluster exposes multiple ports, which
-are neatly organized in each repo's section of the provided values
-file.
-
-You can restrict or increase the set of exposed ports by either changing
-the exposed ports for each repository or by overriding all ports on the main
-service configuration of the `values.yaml` file.
+accustomed to, the sidecar cluster exposes multiple ports.
+You can restrict or increase the set of exposed ports by changing
+the exposed ports in the `values.yaml` file.
 
 ## Changing a single repository exposed ports
 
@@ -18,27 +14,14 @@ defined ports not get exposed in the main service. For example, by default,
 the `mysql` section of the `values.yaml` file contains this definition:
 
 ```yaml
-mysql:
-  enabled: true
-  ...
-  ports:
-    ...
-    # ports that are added to the sidecar service
-    sidecar:
-      - 3306
-      - 3307
-      - 3308
- ...
+containerPorts:
+  mysql: 3306
+  pg: 5432
 ```
 
-This means that the ports `3306`, `3307` and `3308` will be exposed in the
-sidecar service. To increase or decrease the ports exposed for `mysql`, you can
-add or remove ports from the `mysql.sidecar.ports` section of the `values.yaml` file.
-This is analogous for all repositories, that is, you can change the `<repo>.sidecar.ports`
-section to add or remove specific ports from the exposed list.
-
-**NOTE:** If a repository is disabled, that is, the `<repo>.enabled` key is set to `false`,
-none of its ports will be exposed in the service.
+This means that the ports `3306` and `5432` will be exposed in the
+sidecar service. To increase or decrease the ports exposed, you can
+add or remove ports from the `containerPorts` section of the `values.yaml` file.
 
 ## Overriding all exposed ports
 
@@ -51,8 +34,11 @@ and only expose the ports defined in that section.
 service:
   ...
   ports:
-    - 5432
-    - 3306
+    mysql: 3306
+    pg: 5432
+  targetPort:
+    mysql: mysql
+    pg: pg
 ```
 
 The above example makes no port but `3306` and `5432` be exposed on the service.

docs/pre-existing-sa.md

@@ -50,11 +50,10 @@ accounts. Below, we explain how to do this.
 
 3. **Modify the values.yaml file**: The downloaded `values.yaml` files
    need to be modified to use the above-created service account.
-   Note that `rbac.create` must be set to false:
+   Note that `serviceAccount.create` must be set to false:
 
    ```yaml
-    rbac:
-        serviceAccount:
-            name: $SIDECAR_SA
+    serviceAccount:
+        name: $SIDECAR_SA
         create: false
    ```

docs/public-load-balancer.md

@@ -14,9 +14,10 @@ By default, EKS provisions an internal facing load balancer for a `LoadBalancer`
 you need to add the following annotations on the `service.annotations` field of the values file:
 
 ```yaml
-annotations:
-service.beta.kubernetes.io/aws-load-balancer-type: "external"
-service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+service:
+    annotations:
+        service.beta.kubernetes.io/aws-load-balancer-type: "external"
+        service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
 ```
 
 You can view a full list of possible annotations on [this page](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/annotations).
@@ -25,8 +26,9 @@ You can view a full list of possible annotations on [this page](https://kubernet
 By default, OKE provisions a public IP for any `LoadBalancer` service. You can add the following annotation on the `service.annotations` field of the values file if you want OKE to provision an internal load balancer:
 
 ```yaml
-annotations:
-service.beta.kubernetes.io/oci-load-balancer-internal: "true"
+service:
+    annotations:
+        service.beta.kubernetes.io/oci-load-balancer-internal: "true"
 ```
 
 If needed, you can check [OCI](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingloadbalancer.htm) docs for any special needs for your deployment.

docs/resources.md

@@ -1,57 +1,21 @@
 # Setting resources for a Helm sidecar
 
-The sidecar deployment is composed of many containers, and all of these containers can have
-[resource requirements and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) attached to them.
+The sidecar deployment is composed of a single container, which can have
+[resource requirements and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) attached to it.
 
-## Setting default requests and limits to all containers on the sidecar
+## Setting default requests and limits to the sidecar container
 
-To set the default resources for all containers on the sidecar, add the following lines
+To set the default resources for the sidecar container, add the following lines
 to your `values.yaml` file.
 
 ```yaml
 resources:
   limits:
-    cpu: 100m
-    memory: 20Mi
+    cpu: 400m
+    memory: 8096Mi
   requests:
-    cpu: 50m
-    memory: 10Mi
-```
-
-**NOTE:** The above are the recommended settings for the sidecar. Remember that these are for
-**each** container in the sidecar, and not for the whole sidecar.
-
-## Setting resources for a single container
-To set up resources for a single container, go to the `container` section of the values file
-and add these lines to it:
-
-```yaml
-<repo>:
-  resources:
-    limits:
-      cpu: 100m
-      memory: 20Mi
-    requests:
-      cpu: 50m
-      memory: 10Mi
-```
-
-You can set the limits and requests to whatever matches your infrastructure capabilities.
-For example, if you want to have the `mysql` container require 1 cpu and 100MB of memory,
-set this on your `values.yaml`:
-
-```yaml
-mysql:
-  resources:
-    requests:
-      cpu: 1
-      memory: 100Mi
+    cpu: 100m
+    memory: 4096Mi
 ```
 
-**NOTE:** Setting the resources for a single container overrides the default resources
-for that container.
-
-
-
-
-
+**NOTE:** The above are the recommended settings for the sidecar.