Simple Cyberark Conjur-OSS with OCP4

Surote Wongpaiboon
4 min readJul 6, 2023

Pre-req

  • OCP4 with a LoadBalancer service. I use the MetalLB Operator with L2 advertisement (I think NodePort could be used instead, but the Helm values would need to be modified)
  • Helm

Setting Up CyberArk Conjur with Helm install

$ helm version --short
v3.10.1+g9f88ccb
$ helm repo add cyberark https://cyberark.github.io/helm-charts
$ helm repo update
$ helm search repo conjur
NAME CHART VERSION APP VERSION DESCRIPTION
cyberark/conjur-config-cluster-prep 0.2.1 A Helm chart for preparing a Kubernetes cluster...
cyberark/conjur-config-namespace-prep 0.1.3 A Helm chart which prepares a Namespace for usi...
cyberark/conjur-oss 2.0.6 A Helm chart for CyberArk Conjur

Create new project on OCP name conjur

$ oc new-project conjur
Now using project "conjur" on server "https://xx.xx.xx.local:6443".

You can add applications to this project with the 'new-app' command. For example, try:
oc new-app rails-postgresql-example
to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:
kubectl create deployment hello-node --image=k8s.gcr.io/e2e-test-images/agnhost:2.33 -- /agnhost serve-hostname

Download the Conjur chart locally with helm pull cyberark/conjur-oss

Note that the server certificate is written to /root/conjur-default.pem, and the default domain, conjur.myorg.com, is used as the Common Name.

Below is the Helm installation command with the default Helm values:

$ DATA_KEY=$(podman run --rm cyberark/conjur data-key generate)
$ helm upgrade conjur cyberark/conjur-oss --install --set dataKey="${DATA_KEY}" --set authenticators="authn\\,authn-k8s/demo" --version 2.0.6 --namespace conjur

Give the service accounts permission to run the PostgreSQL StatefulSet on OCP (the anyuid SCC lets these pods run as any UID):

$ oc adm policy add-scc-to-user anyuid -z default -n conjur
$ oc adm policy add-scc-to-user anyuid -z conjur-conjur-oss -n conjur

Create the Conjur account named default (first list the pods and services to find the Conjur pod name and the LoadBalancer external IP):

$ oc get pod -n conjur
NAME READY STATUS RESTARTS AGE
conjur-conjur-oss-fbbcf6d97-fnbgw 2/2 Running 0 67m
conjur-postgres-0 1/1 Running 0 165m


$ oc get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
conjur-conjur-oss NodePort 172.30.102.237 <none> 443:31973/TCP 3h32m
conjur-conjur-oss-ingress LoadBalancer 172.30.233.214 192.168.2.91 443:32593/TCP 3h32m
conjur-postgres ClusterIP 172.30.200.233 <none> 5432/TCP 3h32m
$ oc exec -it conjur-conjur-oss-fbbcf6d97-fnbgw -c conjur-oss -- conjurctl account create default
Created new account 'default'
Token-Signing Public Key: -----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
API key for admin: 2jmeafs24bewqk1j1t8ay2kve7kb68tgf41anfxj4nj1bjf6gpms5

Run the Conjur CLI container (cyberark/conjur-cli:5) and connect it to the Conjur server.

Because I installed with the default Helm values, the certificate was generated for conjur.myorg.com, so we need to add that name to /etc/hosts manually.

podman run --rm -it cyberark/conjur-cli:5

root@af09773ee376:/# echo "192.168.2.91 conjur.myorg.com" >> /etc/hosts

Connect to the Conjur server and log in as admin; the password is the admin API key printed above.

root@af09773ee376:/# conjur init --url=https://conjur.myorg.com --account=default

SHA1 Fingerprint=6D:5B:98:17:28:F3:FD:01:9D:92:4D:C3:18:AA:FA:5A:DA:33:05:25

Please verify this certificate on the appliance using command:
openssl x509 -fingerprint -noout -in ~conjur/etc/ssl/conjur.pem

Trust this certificate (yes/no): yes
Wrote certificate to /root/conjur-default.pem
Wrote configuration to /root/.conjurrc
root@af09773ee376:/# conjur authn login -u admin
Please enter admin's password (it will not be echoed):
Logged in

Create a simple Conjur policy in a file named policy.yaml:

root@af09773ee376:/# vi policy.yaml
- !policy
  id: BotApp
  body:
  - !user Dave
  - !host myDemoApp
  - !variable secretVar
  - !variable dbkey
  - !permit
    role: !user Dave
    privileges: [read, update, execute]
    resource: !variable secretVar
  - !permit
    role: !host myDemoApp
    privileges: [read, execute]
    resource: !variable secretVar
  - !permit
    role: !host myDemoApp
    privileges: [read, execute]
    resource: !variable dbkey

Load the policy into the root policy; the response contains the api_key of each created role, which is used later to retrieve the variables.

root@af09773ee376:/# conjur policy load root policy.yaml
Loaded policy 'root'
{
  "created_roles": {
    "default:user:Dave@BotApp": {
      "id": "default:user:Dave@BotApp",
      "api_key": "8s2gen2yz5tnegbvy43h2yd2vdk53re3byr58234s3hv62ydmc66"
    },
    "default:host:BotApp/myDemoApp": {
      "id": "default:host:BotApp/myDemoApp",
      "api_key": "22nb523b4yve01czsaba1sbnfse1tn9awh6j070s3sdce5j2k7dv17"
    }
  },
  "version": 1
}

List the loaded resources, then set the dbkey variable to the test value surote4321:

root@af09773ee376:/# conjur list
[
  "default:host:BotApp/myDemoApp",
  "default:policy:BotApp",
  "default:policy:root",
  "default:user:admin",
  "default:user:Dave@BotApp",
  "default:variable:BotApp/dbkey",
  "default:variable:BotApp/secretVar"
]
root@af09773ee376:/# conjur variable values add BotApp/dbkey surote4321
Value added

I use the docker image docker.io/praqma/network-multitool as a test application.

Remote shell into the test pod and authenticate with the host's api_key to retrieve a conjur_token.

Then use the conjur_token to retrieve our secret, in my case the variable dbkey in the BotApp policy.

oc rsh -n demo-1 busybox-nettool-698b966b64-79hsk

~ $ curl -d "22nb523b4yve01czsaba1sbnfse1tn9awh6j070s3sdce5j2k7dv17" -k https://conjur-conjur-oss.conjur.svc.cluster.local/authn/default/host%2FBotApp%2FmyDemoApp/authenticate > /tmp/conjur_token
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 710 0 656 100 54 20102 1654 --:--:-- --:--:-- --:--:-- 22187

~ $ CONT_SESSION_TOKEN=$(cat /tmp/conjur_token| base64 | tr -d '\r\n')

~ $ curl -s -k -H "Content-Type: application/json" -H "Authorization: Token token=\"$CONT_SESSION_TOKEN\"" https://conjur-conjur-oss.conjur.svc.cluster.local/secrets/default/variable/BotApp%2Fdbkey
surote4321
~ $

This is manual secret retrieval. If you need automated token retrieval, check the REF link below.
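The same two-step flow as the curl session above (POST the host API key to /authn, base64-encode the returned token into the Authorization header, GET the variable), as an added example that is not part of the original post. It reads the API key from the environment instead of the command line and verifies TLS against the exported server certificate rather than using -k; the CONJUR_URL value and the CONJUR_API_KEY / CONJUR_CA_FILE variable names are assumptions.

```python
import base64
import os
import ssl
import urllib.parse
import urllib.request

# Defaults taken from the post: account "default", host identity BotApp/myDemoApp,
# variable BotApp/dbkey. The default chart certificate names conjur.myorg.com,
# so verified TLS needs that hostname (the in-cluster service name only works
# with -k, or with a certificate that lists it). CONJUR_URL here is an assumption.
CONJUR_URL = "https://conjur.myorg.com"
ACCOUNT = "default"


def authn_path(account: str, host_id: str) -> str:
    """Authenticate endpoint. The login 'host/<id>' is one path segment,
    so every '/' in it must be encoded as %2F (as in the post's curl call)."""
    login = urllib.parse.quote(f"host/{host_id}", safe="")
    return f"/authn/{account}/{login}/authenticate"


def secret_path(account: str, variable_id: str) -> str:
    """Secrets endpoint for a variable id such as BotApp/dbkey (also %2F-encoded)."""
    return f"/secrets/{account}/variable/{urllib.parse.quote(variable_id, safe='')}"


def auth_header(token_json: bytes) -> str:
    """Conjur wants the raw access-token JSON base64-encoded without line breaks
    in  Authorization: Token token="<b64>"  (what 'base64 | tr -d' built in the post)."""
    return 'Token token="%s"' % base64.b64encode(token_json).decode("ascii")


def fetch_secret(base_url, account, host_id, api_key, variable_id, ca_file):
    """POST the host API key to get a short-lived token, then read one variable.
    ca_file is the exported server certificate (conjur-default.pem in the post),
    so the TLS chain is verified instead of being skipped with curl -k."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(base_url + authn_path(account, host_id),
                                 data=api_key.encode("ascii"), method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        token_json = resp.read()
    req = urllib.request.Request(base_url + secret_path(account, variable_id),
                                 headers={"Authorization": auth_header(token_json)})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # API key from the environment, not argv, so it stays out of shell history.
    print(fetch_secret(CONJUR_URL, ACCOUNT, "BotApp/myDemoApp",
                       os.environ["CONJUR_API_KEY"], "BotApp/dbkey",
                       os.environ.get("CONJUR_CA_FILE", "/root/conjur-default.pem")))
```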

REF:
https://developer.cyberark.com/blog/setting-up-conjur-on-openshift/
