Set up workloads (cert-based authentication)

The following sections describe how to set up your workloads to retrieve secrets from Conjur using certificate based authentication.

Supported setup methods

The following methods are supported for connecting to targets such as databases or web services.

Method

Description

Benefit

Kubernetes Authenticator Client

Use to authenticate the pod to Conjur. Use the API or Summon to fetch the secrets to create connection.

Generic method to connect to targets. You can use this method for any target system.

CyberArk Secrets Provider for Kubernetes

Use an init or application container to dynamically populate Kubernetes Secrets with the secrets from Conjur that are required by the application pod

Use secrets stored and managed in the CyberArk Vault using Conjur to consume them as Kubernetes Secrets leveraging PAS security while seamlessly deploying Kubernetes containers.

Secretless Broker Sidecar

Use the built in capabilities of Secretless to authenticate to the pod with Conjur and then open a connection to a supported target.

For details, see Secretless Service Connectors.

New secure approach for application connection where the secret is never exposed to the app.

Before you start

  • To set up your workload to authenticate to Conjur, ensure that a Kubernetes Authenticator has been configured and allowlisted. For more information, contact your Conjur admin or see Certificate-based Kubernetes authentication.

  • Make sure you have the Conjur CLI (v7.0.1+) installed and that you are logged in. For details, see Set up the Conjur CLI.

    If you have an earlier version of the Conjur CLI installed, adjust the commands used in this procedure accordingly. For details, see Conjur CLI (Docker-based).

Prepare the application namespace

In this section you prepare your application namespace with Kubernetes and Conjur credentials needed to connect to Conjur and retrieve secrets.

The prepared namespace contains the following resources:

Resource

Description

Conjur connection ConfigMap

Contains references to Conjur credentials, taken from the Golden ConfigMap. These credentials can be used to enable workloads to authenticate to Conjur to retrieve secrets securely.

Authenticator RoleBinding

Grants permissions to the Conjur authenticator service account for the authenticator cluster role. This provides a list of Kubernetes API access permissions which are required to validate workload identities.

You can prepare the application namespace using a Helm chart or a raw Kubernetes manifest file.

Make sure you have access to:

To prepare the application namespace:

  1. Create a ConfigMap and a RoleBinding in the test-app-namespace namespace:

     

    We recommend using this method to create the resources in your application namespace. However, if the Helm repo is not available, use the raw Kubernetes manifest (see the Raw Kubernetes manifest tab).

    During the Kubernetes Authenticator configuration, a Golden ConfigMap is created that contains Kubernetes and Conjur credentials. In the following procedure, you install a Helm chart which retrieves these credentials from the Golden ConfigMap and uses them to prepare the application namespace. For more information about the Golden Configmap, see Create Kubernetes resources for the Kubernetes Authenticator.

    1. Add the Helm chart repo to all Helm charts.

       
      $ helm repo add cyberark https://cyberark.github.io/helm-charts
      helm repo update
    2. Run the helm install command. In the following example, helm-install creates a ConfigMap and a RoleBinding in the test-app-namespace namespace using details from the Golden ConfigMap, conjur-configmap which is located in the cyberark-conjur namespace.

       
      $ helm install namespace-prep cyberark/conjur-config-namespace-prep \
        --namespace test-apps-namespace \
        --set authnK8s.goldenConfigMap="conjur-configmap" \
        --set authnK8s.namespace="cyberark-conjur"

    For more information on configurable parameters of the namespace preparation Helm chart and their default values, see Conjur namespace preparation Helm Chart Configuration.

     

    If you are able to use Helm charts, we recommend doing so. For details, click the Helm chart tab.

    1. Before you start, collect the following information:

      • Conjur account to be used by the Kubernetes Authenticator

      • Kubernetes Authenticator (service-ID) to use for authentication

      • Conjur certificate file (including the full path)

      You can get this information in one the following ways:

      • From the Conjur admin: Ask the Conjur admin for the Conjur details

      • From the Golden ConfigMap: Pull the data from the Golden ConfigMap (for OpenShift use oc in place of kubectl):

         
        $ kubectl get configmap conjur-configmap -o "jsonpath={.data}" -n cyberark-conjur
    2. Download the raw Kubernetes manifest, conjur-config-namespace-prep.yaml, from the Kubernetes Authenticator Client GitHub repository.

    3. Open the manifest in a text editor and enter the following information:

      Placeholder

      Description

      CONJUR_ACCOUNT

      Conjur account, for example, myorg

      CONJUR_APPLIANCE_URL

      Conjur URL

      CONJUR_AUTHN_URL

      Authenticator URL. Provide the Conjur URL and the authenticator's service ID, for example, dev-cluster

      CONJUR_SSL_CERTIFICATE

      Conjur certificate file, for example, path/to/conjur.pem

      CONJUR_AUTHENTICATOR_ID

      Kubernetes Authenticator service ID, for example, dev-cluster

    4. Apply the configuration to the application namespace, test-app-namespace (for OpenShift use oc in place of kubectl):

       
      $ kubectl apply -f conjur-config-namespace-prep.yaml --namespace test-app-namespace
  2. Create a Kubernetes service account for the application. The following command creates the test-app-sa service account in test-app-namespace:

    kubectl create serviceaccount test-app-sa -n test-app-namespace

    Create a Kubernetes service account for the workload. The following command creates the test-app-sa service account in test-app-namespace:

    kubectl create serviceaccount test-app-sa -n test-app-namespace

The application namespace now contains its own ConfigMap, RoleBinding, and ServiceAccount resources. All applications in the namespace can use these resources to connect to Conjur and authenticate using the Kubernetes Authenticator.

The prepared namespace contains a Conjur connection ConfigMap with references to Conjur credentials. These credentials can be used to enable workloads to authenticate to Conjur to retrieve secrets securely.

You can prepare the application namespace using a raw Kubernetes manifest file.

Make sure you have access to the Kubernetes namespace for your workload, for example, test-app-namespace

To prepare the application namespace:

  1. Create a ConfigMap in the test-app-namespace namespace:

    1. Before you start, collect the following information from your Conjur admin:

      • Conjur account to be used by the Kubernetes Authenticator

      • Kubernetes Authenticator (service-ID) to use for authentication

      • Conjur certificate file (including the full path)

    2. Copy the following manifest, and save it as namespace-prep.yml:

      ---
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: conjur-connect
        labels:
          app.kubernetes.io/name: "conjur-connect-configmap"
          app.kubernetes.io/instance: "conjur-default-configmap"
          app.kubernetes.io/part-of: "conjur-config"
          conjur.org/name: "conjur-connect-configmap"
      data:
        CONJUR_ACCOUNT: <Insert-Conjur-Account-Here>
        CONJUR_APPLIANCE_URL: https://insert.conjur.appliance.url.here
        CONJUR_AUTHN_URL: https://insert.conjur.appliance.url.here/authn-k8s/<Insert-Authenticator-ID-Here>
        CONJUR_SSL_CERTIFICATE: |- 
          <Insert-Conjur-SSL-Certificate-Here>
        CONJUR_AUTHENTICATOR_ID: <Insert-Authenticator-ID-Here>
    3. Enter the following information:

      Placeholder

      Description

      CONJUR_ACCOUNT

      Conjur account, for example, myorg

      CONJUR_APPLIANCE_URL

      Conjur URL

      CONJUR_AUTHN_URL

      Authenticator URL. Provide the Conjur URL and the authenticator's service ID, for example, dev-cluster

      CONJUR_SSL_CERTIFICATE

      Conjur certificate file, for example, path/to/conjur.pem

      CONJUR_AUTHENTICATOR_ID

      Kubernetes Authenticator service ID, for example, dev-cluster

    4. Apply the configuration to the application namespace, test-app-namespace:

       
      $ kubectl apply -f conjur-config-namespace-prep.yaml --namespace test-app-namespace
  2. Create a Kubernetes service account for the application. The following command creates the test-app-sa service account in test-app-namespace:

    kubectl create serviceaccount test-app-sa -n test-app-namespace

The application namespace now contains its own ConfigMap and ServiceAccount resources. All applications in the namespace can use these resources to connect to Conjur and authenticate using the Kubernetes Authenticator.

Set up your workloads using one of the methods described in Supported setup methods.