Deploy Conjur Kubernetes Follower

The Conjur Kubernetes Follower is designed for deployment inside your OpenShift/Kubernetes cluster. This topic describes how to deploy the Conjur Kubernetes Follower inside your cluster.

A Follower is a read only replica of the Leader. Followers are horizontally-scaling components that are typically configured behind a load balancer to handle all types of read requests, including authentication, permission checks, and secret fetches.

The Conjur Kubernetes Follower is specifically designed for deployment inside an OpenShift/Kubernetes cluster. It is unique in that it is a collection of microservices that run as separate containers as unprivileged (non-root) users within a Pod and, together, provide a scalable way to access the secrets stored in Conjur. For more information about the Conjur Kubernetes Follower and its architecture, see Conjur Kubernetes Follower.

  • Unless specifically noted otherwise, all references to Kubernetes apply to Self-hosted Kubernetes as well as Red Hat OpenShift and other supported Kubernetes-based implementations.
  • All references to Kubernetes namespaces intentionally include the OpenShift concept of project.
  • Followers for OpenShift/ Kubernetes integrations do not support selective replication.

System requirements

  • The Conjur Kubernetes Follower supports OpenShift v4 and other supported Kubernetes-based environments

    The following environments are not supported:

    • OpenShift v3

    • Kubernetes clusters v1.23 and later (not including OpenShift) whose Pod Security Standard policy is defined as “Restricted” at the namespace or cluster level. This security configuration prevents the Kubernetes Follower from initializing. Support for the Kubernetes Follower with these versions of Kubernetes will be available in future Conjur Enterprise release.

    In these cases deploy the Conjur Follower. For details, see Conjur Follower inside OpenShift/Kubernetes cluster.

  • The following table describes the recommended CPU and memory resource request values for deploying the Conjur Kubernetes Follower:

    Container

    CPU

    Memory

    Conjur

    1 CPU

    4 Gi

    PostgreSQL

    1 CPU

    4 Gi

    NGINX

    0.5 CPU

    200 Mi

    syslog-ng

    0.2 CPU

    100 Mi

    Info

    0.2 CPU

    100 Mi

Prerequisites

  • Make sure a JWT-based or cert-based authenticator is set up and enabled in Conjur. For details, see Authenticate OpenShift/Kubernetes

  • Make sure you have the Conjur CLI (v7.0.1+) installed and that you are logged in. For details, see Set up the Conjur CLI.

  • Deployment method:

    Deployment method Supported Kubernetes vendor

    OLM

    OpenShift v4

    You can install a Follower Operator in the OLM, and use this Operator to deploy Conjur Kubernetes Followers. In this case:

    • The OLM must be included in OpenShift v4

    • Your cluster must have access to the Red Hat product catalog

    Manual, using manifests

    You deploy the Conjur Kubernetes Follower manually by:

    1. Applying a manifest that installs the Follower Operator

    2. Applying a manifest that deploys the Conjur Kubernetes Follower using the Follower Operator.

    Download the conjur-<kubernetes/openshift>-follower-<version>-<SHA>.tgz archive from your organization's CyberArk Safe. For more information, contact CyberArk Customer Support.

    Then extract the content which includes the .tar files that you will need to install the Operator and Follower.

    All Conjur artifacts are cryptographically signed archives. We strongly recommend verifying archive signatures before installing them in your environment. For more information, see Verify signed Conjur artifacts.

Setup flow

  1. Install the Follower Operator

    This is done only once per Conjur version. When a new version of Conjur is released, the corresponding Follower Operator must be installed.

  2. Deploy the Conjur Kubernetes Follower

Step 1: Install the Follower Operator

The Conjur Follower Operator adds a ConjurFollower custom resource definition to your Kubernetes cluster. This resource enables deployment of the Conjur Kubernetes Follower inside your OpenShift/Kubernetes cluster.

In addition, the Conjur Follower Operator manages the lifecycle of the ConjurFollower Deployment created in the Kubernetes API. When a ConjurFollower custom resource is created, updated, or deleted, the Operator reconciles these changes in the ConjurFollower Deployment in Kubernetes.

To install the Conjur Follower Operator:

  1. Load the Operator and Conjur Kubernetes Follower images to your organization's image registry

    Follow this section if you are working with a non-OpenShift image registry, for example a privately hosted registry in AWS, or on-premises/other registry.

    In the Prerequisites section above, you extracted images from an archive file. Use these files in this section. The example below demonstrates a non-OpenShift deployment. If you are working with OpenShift, change kubernetes to openshift.

    1. Load the Operator image from operator/images to Docker, tag the image, and push it to your image registry:

      1. Load the image to Docker

        Run the following command, replacing <version>:

        $ docker load -q --input operator/images/conjur-kubernetes-follower-operator-<version>-<SHA>.tar

      2. Tag the image

        Run the following command, replacing <version> (two places), and replacing <image registry> with your organization's image registry:

        $ docker tag cyberark/conjur-kubernetes-follower-operator:<version> <image registry>/conjur-kubernetes-follower-operator:<version>

      3. Push the image to your image registry

        Run the following command, replacing <version>, and replacing <image registry> with your organization's image registry:

        $ docker push <image registry>/conjur-kubernetes-follower-operator:<version>

    2. Load each of the Conjur Kubernetes Follower images from follower/images to Docker, tag them, and push them to your image registry.

      For example, for the Configurator image:

      1. Load the image to Docker:

        $ docker load -q --input follower/images/conjur-kubernetes-follower-configurator-<version>-<SHA>.tar

      2. Tag the image: 

        $ docker tag cyberark/conjur-kubernetes-follower-configurator:<version> <image registry>/conjur-kubernetes-follower-configurator:<version>

      3. Push the image:

        $ docker push <image registry>/conjur-kubernetes-follower-configurator:<version>

      Repeat for each image.

    3. Open operator/manifests/operator.yaml and edit the image path for the Kubernetes Deployment resource, conjur-follower-operator-controller-manager. Update the value to the path where you pushed the Operator image earlier.

      For example:

      image-registry.myorg-image-registry.example.net/cyberark/conjur-kubernetes-follower-operator:<version>

      Save your changes.

    Follow this section if you are working with the OpenShift internal registry. Before you can use the Follower Operator and Conjur Kubernetes Follower, you need to ensure that the corresponding images can be pulled by these resources within their respective projects.

    1. Prepare projects for the Operator and the Conjur Kubernetes Follower:

      1. For the Follower Operator, prepare the conjur-follower-operator-system project:

        $ kubectl new-project conjur-follower-operator-system

      2. For the Conjur Kubernetes Follower, prepare the cyberark-conjur project. If you already have a project with this name, you can skip this step.

      3. $ kubectl new-project cyberark-conjur

    2. Load the Operator image in operator/images to Docker, tag the image, and push it to your image registry.

      Perform this step in the conjur-follower-operator-system project.

      Use the images in the set of extracted Conjur Kubernetes Follower files (see Prerequisites).

      1. Load the image to Docker.

        Run the following command, replacing <version>:

        $ docker load -q --input operator/images/conjur-openshift-follower-operator-<version>-<SHA>.tar

      2. Tag the image.

        Run the following command, replacing <version> (two places), and replacing <image registry TLD> with your organization's image registry:

        $ docker tag cyberark/conjur-openshift-follower-operator:<version> <image registry TLD>/conjur-follower-operator-system/conjur-openshift-follower-operator:<version>

      3. Push the image to the image registry.

        Run the following command, replacing <version>, and replacing <image registry TLD> with your organization's image registry:

        $ docker push <image registry TLD>/conjur-follower-operator-system/conjur-openshift-follower-operator:<version>

    3. Load and tag each of the Conjur Kubernetes Follower images and push them to your image registry

      Repeat the previous steps but this time in the cyberark-conjur project. Load and tag , all of the images under follower/images, and push them to the registry.

      For example, for the Configurator image:

      1. Load the image:

        $ docker load -q --input follower/images/conjur-openshift-follower-configurator-<version>-<SHA>.tar

      2. Tag the image: 

        $ docker tag cyberark/conjur-openshift-follower-configurator:<version> <image registry TLD>/cyberark-conjur/conjur-openshift-follower-configurator:<version>

      3. Push the image:

        $ docker push <image registry TLD>/cyberark-conjur/conjur-openshift-follower-configurator:<version>

    4. Open operators/manifests/operator.yaml and edit the image path for the Kubernetes Deployment resource, conjur-follower-operator-controller-manager. Update the value to the path where you pushed the Operator image earlier.

      For example:

      image-registry.openshift-image-registry.svc:5000/conjur-follower-operator-system/conjur-openshift-follower-operator:<version>

      Save your changes.

  2. Apply the Operator manifests (for OpenShift, replace kubectl with oc): 

    $ cd operator && kubectl apply -f manifests

  1. Go to the Conjur Follower Operator in Red Hat.

  2. Install the Operator as described in Red Hat's OperatorHub online help, noting the following when making your selections:

    • Installation mode: The Conjur Follower Operator watches all namespaces in the OpenShift cluster. Select your preferred installation mode.

    • Update approval: We strongly recommend using the Manual option. This gives you more control over the Conjur Kubernetes Follower version running in your OpenShift environment.

Step 2: Deploy the Conjur Kubernetes Follower

This section describes how to deploy the Conjur Kubernetes Follower inside the Kubernetes cluster.

  1. Make sure that you have the following:

    Conjur admin

    • A Kubernetes Authenticator or JWT Authenticator must be configured and enabled (allowlisted) in Conjur. For details, see:

    • A certificate for the Conjur Kubernetes Follower.

       

      • If you are using self-signed certificates, the seed generation webservice generates this certificate.

      • If you are using certificates signed by a third party, a Follower certificate with a subject name matching the FQDN of the service in Kubernetes (for example <service>.<namespace>.svc.cluster.local) needs to be loaded on the Leader.

        If such a certificate has not been loaded into the Leader, the Follower will fail to start successfully. This is because Conjur is not able to generate a valid certificate for the Follower when the Follower starts.

        For more information, contact CyberArk Customer Support

    Kubernetes cluster admin

    • The Conjur Follower Operator must be installed in your Kubernetes cluster. See Install the Follower Operator.

    • Access to the kubectl CLI (or oc for OpenShift).
    • Access to a running Conjur cluster. If your Conjur cluster deployment uses a load balancer, you need access to the load balancer.

  2. Conjur admin: To enable the Conjur Kubernetes Follower to connect to Conjur, it first needs to authenticate to Conjur.

    1. In this step, you give the Conjur Kubernetes Follower an identity in Conjur using policy.

      Save the following policy as conjur-follower-host.yaml:

      The policy:

      • Defines the Conjur Kubernetes Follower by its namespace, cyberark-conjur and by its service account, conjur-follower.

        These definitions are defined in the host annotations. For guidelines on how to define annotations, see Workload identity for Kubernetes (JWT-based authentication).

      • Gives the Conjur Kubernetes Follower permission to authenticate to Conjur and to use the seed service using the dev-cluster JWT Authenticator.

      - !host
    id: system:serviceaccount:cyberark-conjur:conjur-follower
    annotations:
      authn-jwt/dev-cluster/kubernetes.io/namespace: cyberark-conjur
      authn-jwt/dev-cluster/kubernetes.io/serviceaccount/name: conjur-follower

- !grant
  roles:
  - !group conjur/authn-jwt/dev-cluster/apps
  - !group conjur/seed-generation/consumers
  members:
  - !host system:serviceaccount:cyberark-conjur:conjur-follower

      The policy:

      • Defines the Conjur Kubernetes Follower by its namespace, cyberark-conjur, and its authentication container name, configurator.

        The Conjur Kubernetes Follower can also be defined by its service account, conjur-follower.

        These definitions are defined in the host annotations in the policy. For guidelines on how to define annotations, see Workload identity for Kubernetes (cert-based authentication).

      • Gives the Conjur Kubernetes Follower permission to authenticate to Conjur and to use the seed service using the dev-cluster Kubernetes Authenticator.

      - !host
  id: conjur-follower
  annotations:
    authn-k8s/namespace: cyberark-conjur
    authn-k8s/service-account: conjur-follower
    authn-k8s/authentication-container-name: configurator
   
- !grant
  roles:
  - !group conjur/authn-k8s/dev-cluster/consumers
  - !group conjur/seed-generation/consumers
  members:
  - !host conjur-follower

    2. Load the policy file to root:

      $ conjur policy load -f conjur-ocp-follower.yaml -b root

  3. You need Kubernetes admin permissions to create a ConfigMap.

    The Conjur Kubernetes Follower connects to the Conjur cluster using a TLS protected connection. This includes verifying the Conjur cluster with a Conjur certificate issued by your organization's Certificate Authority, for example conjur.pem.

    To enable the Conjur Kubernetes Follower to use this certificate, it must be stored in a ConfigMap.

    If you do not have a file containing the Conjur certificate, you can retrieve the Conjur certificate and save it to a file, for example, conjur.pem, with the command:

    openssl s_client -connect $CONJUR_MASTER_HOSTNAME:443 \
  -showcerts </dev/null 2> /dev/null | \
  awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {print $0}' \
  > "conjur.pem"

    The following command stores the Conjur certificate, conjur.pem, in the cyberark-conjur namespace in a ConfigMap called conjur-cert:

    kubectl create configmap -n cyberark-conjur conjur-cert \
  --from-file=conjur.pem

  4. You need Kubernetes admin permissions to create a ConfigMap.

    If you have a Conjur configuration file (conjur.yml) that you want to apply to the Conjur Kubernetes Follower, you must store it in a Kubernetes ConfigMap or Secret.

    The following command stores the configuration file in the cyberark-conjur namespace, in a ConfigMap called conjur-config:

    kubectl create configmap -n cyberark-conjur conjur-config \
  --from-file=conjur.yml

  5. In this step, you deploy the Conjur Kubernetes Follower. If you installed the Follower Operator from the OperatorHub in OpenShift, use the OLM method to deploy the Conjur Kubernetes Follower. Otherwise use the manual deployment.

    In this step you deploy the Conjur Kubernetes Follower by applying a manifest.

    1. Go to the set of extracted Conjur Kubernetes Follower files (see Prerequisites).

    2. Under samples, open the ConjurFollower manifest, *ConjurFollower.yaml.

    3. Modify the values in the manifest as follows:

      Fields in Conjur Kubernetes Follower spec

      Description

      images:

      (Mandatory)

      The paths to the Docker registries containing the Conjur Kubernetes Follower container images.

      master:

      (Mandatory)

      Details about the Conjur cluster.

      • account - The account name used when setting up the Conjur cluster

        Example: myorg

      • authentication - The type of authentication:

        • For cert-based authn: authn-k8s (default)

        • For JWT-based authn: authn-jwt (mandatory)

      • audience - (JWT-based authn only) The token's audience. This is required only if the JWT Authenticator was defined with an audience variable, and the value must match the value that the variable was populated with, for example https://conjur.host.name/. For details, see Populate the policy variables.

        Otherwise audience is optional.

        Corresponds to the aud claim in the JWT.

      • authenticatorID - The service ID of the authenticator

        Example: dev-cluster

      • authLogin - (Use this for Cert-based authn only. Do not use for JWT-based authn) The name given to the application identity (host) that represents the Conjur Kubernetes Follower in Conjur, including the host/ prefix

        Example: host/conjur-ocp-follower

      • caCertificateFrom - Under From a ConfigMap enter ConfigMap key and name that you created earlier.

        Example:

        • key: conjur.pem

        • name: conjur-cert

      • hostname - The Conjur Leader FQDN. If there is a load balancer in front of the Conjur cluster, this is the load balancer FQDN.

        Example: lb.production.example.com

      configFileFrom:

      (Optional)

      Under From a ConfigMap enter ConfigMap key and name that you created earlier.

      Example:

      • Key: conjur.yml

      • Name: conjur-config

      replicas:

      (Mandatory)

      The number of Conjur Kubernetes Followers to deploy

      Default: 1

      This value can be updated after initially deploying the Conjur Kubernetes Follower

      resourceNames:

      (Optional)

      Modify the default Kubernetes resource names created for the Conjur Kubernetes Follower.

      Default value for each of these resources: conjur-follower

      Advanced Configuration

      (Optional)

      Advanced Conjur Kubernetes Follower configuration options:

      • Set up Conjur Kubernetes Follower environment variables

      • Modify the default Conjur Kubernetes Follower container resource limits

      • Determine the Conjur Kubernetes Follower image pull policy

      For example:

      apiVersion: conjur.cyberark.com/v1
kind: ConjurFollower
metadata:
  name: my-conjur-follower
  namespace: cyberark-conjur
  labels:
    app: conjur-follower
spec:
  replicas: 1
  master:
    hostname: conjur-master.mycompany.local
    account: demo
    authentication: authn-jwt
    audience: https://conjur.host.name/
    authenticatorID: my-authenticator-id
    caCertificateFrom:
      configMapKeyRef:
        name: conjur-master-ca.crt
        key: ca.crt
  images:
    conjur: cyberark/conjur-kubernetes-follower-conjur
    info: cyberark/conjur-kubernetes-follower-info
    nginx: cyberark/conjur-kubernetes-follower-nginx
    postgres: cyberark/conjur-kubernetes-follower-postgres
    configurator: cyberark/conjur-kubernetes-follower-configurator
    syslogNg: cyberark/conjur-kubernetes-follower-syslog-ng
      apiVersion: conjur.cyberark.com/v1
kind: ConjurFollower
metadata:
  name: follower
  namespace: cyberark-conjur
  labels:
    app: conjur-follower
spec:
  replicas: 1
  master:
    hostname: lb.production.example.com
    account: myorg
    authenticatorID: dev-cluster
    authnLogin: host/conjur-follower
    caCertificateFrom:
      configMapKeyRef:
        name: conjur-cert
        key: conjur.pem
  # optional
  configFileFrom:
    configMapKeyRef:
      name: conjur-config
      key: conjur.yml
  # optional (conjur-follower is the default value for each of these fields)
  resourceNames:
    serviceAccount: conjur-follower
    service: conjur-follower
    deployment: conjur-follower
  images:
    conjur: image-registry.openshift-image-registry.svc:5000/cyberark-conjur/conjur
    info: image-registry.openshift-image-registry.svc:5000/cyberark-conjur/info
    nginx: image-registry.openshift-image-registry.svc:5000/cyberark-conjur/nginx
    postgres: image-registry.openshift-image-registry.svc:5000/cyberark-conjur/postgres
    configurator: image-registry.openshift-image-registry.svc:5000/cyberark-conjur/configurator
    syslogNg: image-registry.openshift-image-registry.svc:5000/cyberark-conjur/syslog-ng

    4. Load the manifest into the cyberark-conjur namespace.

    1. In Red Hat, go to the installed Conjur Follower Operator.

    2. Select the ConjurFollower tab, and click Create Conjur Follower.

    3. Complete the following details in the form—these are marked with a red asterisk (*):

      Field

      Description

      Image paths

      (Mandatory)

      The paths to the Docker registries containing the Conjur Kubernetes Follower container images.

      Conjur Cluster Configuration

      (Mandatory)

      Details about the Conjur cluster.

      • Conjur Account - The account name used when setting up the Conjur cluster

        Example: myorg

      • authentication - The type of authentication:

        • For cert-based authn: authn-k8s (default)

        • For JWT-based authn: authn-jwt (mandatory)

      • audience - (JWT-based authn only) The token's audience. This is required only if the JWT Authenticator was defined with an audience variable, and the value must match the value that the variable was populated with, for example https://conjur.host.name/. For details, see Populate the policy variables.

        Otherwise audience is optional.

        Corresponds to the aud claim in the JWT.

      • Authenticator Service ID - The service ID of the authenticator

        Example: dev-cluster

      • Application Identity - The name given to the application identity (host) that represents the Conjur Kubernetes Follower in Conjur, including the host/ prefix

        Example: host/conjur-ocp-follower

      • CA Certificate - Under From a ConfigMap enter ConfigMap key and name that you created earlier.

        Example:

        • Key: conjur.pem

        • Name: conjur-cert

      • Conjur Cluster FQDN - The Conjur Leader FQDN. If there is a load balancer in front of the Conjur cluster, this is the load balancer FQDN.

        Example: lb.production.example.com

      Conjur Config File

      (Optional)

      Under From a ConfigMap enter ConfigMap key and name that you created earlier.

      Example:

      • Key: conjur.yml

      • Name: conjur-config

      Replicas

      (Mandatory)

      The number of Conjur Kubernetes Followers to deploy

      Default: 1

      This value can be updated after initially deploying the Conjur Kubernetes Follower
      Advanced Configuration

      (Optional)

      Advanced Conjur Kubernetes Follower configuration options:

      • Set up Conjur Kubernetes Follower environment variables

      • Modify the default Conjur Kubernetes Follower container resource limits

      • Determine the Conjur Kubernetes Follower image pull policy

      • Modify the default Kubernetes resource names created for the Conjur Kubernetes Follower

    4. Click Create.

  6. On the Conjur Follower Operator page, check the status of the Conjur Kubernetes Follower you just deployed.

    A healthy Conjur Kubernetes Follower has the status, Ready.

  7. After creating the Conjur Kubernetes Follower, you can update the number of replicas at any time. On the Conjur Follower Operator page, click the Conjur Kubernetes Follower to open the Follower's details and update the Replicas value.

Operator FAQs

For information about version support, see the Release Notes.

By default, the provided manifests install the Operator in the conjur-follower-operator-system namespace

One, that is the ConjurFollower.

The Conjur Follower Operator watches all namespaces for events related to ConjurFollowers.

The ServiceAccount, ClusterRoles, ClusterRoleBindings, Roles, and RoleBindings needed by the Operator can be seen in operator/manifests/crds.yaml

App owner: Set up workloads in Kubernetes