Set up workloads (JWT-based authentication)

The following sections describe how to prepare the Kubernetes cluster with a Golden ConfigMap which contains Conjur connection credentials.

You then prepare the application namespace for application deployment.

Both of these tasks are achieved using Helm charts.

To perform these tasks, you need Kubernetes cluster admin permissions.

Supported workload setup methods

The following methods are supported for connecting to targets such as databases or web services.

Method

Description

Benefit

Kubernetes Authenticator Client

Use to authenticate the Pod to Conjur. Use the API or Summon to fetch the secrets to create connection.

Generic method to connect to targets. You can use this method for any target system.

CyberArk Secrets Provider for Kubernetes

Use an init container/sidecar or an application container to dynamically populate Kubernetes Secrets with the secrets from Conjur that are required by the application Pod.

Use secrets stored and managed in the CyberArk Vault using Conjur to consume them as Kubernetes Secrets leveraging PAM security while seamlessly deploying Kubernetes containers.

Before you start

  • Make sure you have Kubernetes admin permissions on a Kubernetes cluster (version 1.21 or later)

  • Make sure you have access to the Kubernetes namespace for your workload, for example, test-app-namespace

  • Make sure that Helm is installed and that you have access to the Helm charts for preparing namespaces in Kubernetes:

    Method

    Location

    Helm charts

    CyberArk Helm Charts repository

    Add the Helm chart repo to all Helm charts.

     
    $ helm repo add cyberark https://cyberark.github.io/helm-charts
    helm repo update
  • Make sure you have the Conjur CLI (v7.x+) installed and that you are logged in. For details, see Set up the Conjur CLI.

  • Make sure you have access to a running Follower

  • Make sure that a JWT Authenticator has been configured and allowlisted. For more information, contact your Conjur admin or see JWT-based Kubernetes authentication.

    The examples in the following sections follow on from the example JWT Authenticator configuration described in JWT-based Kubernetes authentication.

  • Collect the following information from the Conjur admin:

    JWT Authenticator

    The name of the configured and allowlisted JWT Authenticator, including the service ID

    Example: authn-jwt/dev-cluster

    Conjur account

    The account name used when deploying Conjur

    Example: myorg

    Conjur URL

    • If you deployed the Follower outside of Kubernetes, this is the Follower load balancer URL.

      Example: https://follower-lb.example.com

    • If you are deploying the Follower inside Kubernetes, this is the intended Conjur service URL within the Kubernetes cluster, in the following format: https://<follower-service-account>.<follower-namespace>.svc.cluster.local

      Example: https://conjur-follower.cyberark-conjur.svc.cluster.local

    Conjur certificate file

    The full path to the Conjur certificate file

    Example: path/to/conjur.pem

  • Make sure the Kubernetes cluster can connect to Conjur. This can be achieved by retrieving Conjur's endpoint CA. Retrieve the Conjur endpoint CA in PEM format and save it to a file.

    If you do not have a file containing the Conjur certificate, you can retrieve the Conjur certificate and save it to a file, for example, conjur.pem, with the command:

    openssl s_client -connect {{CONJUR_MASTER_HOSTNAME}}:443 \
      -showcerts </dev/null 2> /dev/null | \
      awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {print $0}' \
      > "conjur.pem"

Prepare the Kubernetes cluster and Golden ConfigMap

In this section you install the cluster preparation Helm chart which creates a Golden ConfigMap, conjur-configmap, in the cyberark-conjur-jwt namespace in your cluster. The Golden ConfigMap contains Conjur connection details that can be used by all the supported workload setup methods.

Run the helm install command below, replacing:

  • Conjur connection details

  • JWT Authenticator endpoint name, for example dev-cluster

helm install "cluster-prep" cyberark/conjur-config-cluster-prep  -n "cyberark-conjur-jwt" \
      --create-namespace \
      --set conjur.account="<CONJUR_ACCOUNT>" \
      --set conjur.applianceUrl="<CONJUR_URL>" \
      --set conjur.certificateBase64=$(cat <CA_FILE_PATH> | base64) \
      --set authnK8s.authenticatorID="<AUTHN_JWT_ENDPOINT>" \
      --set authnK8s.clusterRole.create=false \
      --set authnK8s.serviceAccount.create=false

Prepare the application namespace

In this section you prepare your application namespace and service account so that the workload can communicate with Conjur and retrieve secrets.

Once prepared, the application namespace contains the following resources:

Resource

Description

Conjur connection ConfigMap

Contains references to Conjur credentials, taken from the Golden ConfigMap created in Prepare the Kubernetes cluster and Golden ConfigMap.

Authenticator RoleBinding

Grants permissions to the Conjur authenticator service account for the authenticator cluster role. This provides a list of Kubernetes API access permissions which are required to validate workload identities.

You prepare the application namespace using the namespace preparation Helm chart.

For clarity and consistency, in this task we prepare the test-app-namespace and create the test-app-sa service account, and we use these throughout the examples in the workload setup sections that follow.

  1. Run helm install command, replacing the parameters where relevant. The following command prepares the test-app-namespace namespace:

    helm install namespace-prep cyberark/conjur-config-namespace-prep \
    --create-namespace \
    --namespace test-app-namespace \
    --set conjurConfigMap.authnMethod="authn-jwt" \
    --set authnK8s.goldenConfigMap="conjur-configmap" \
    --set authnK8s.namespace="cyberark-conjur-jwt" \
    --set authnRoleBinding.create="false"
  2. Create a Kubernetes service account for the workload. The following command creates the test-app-sa service account in test-app-namespace:

    kubectl create serviceaccount test-app-sa -n test-app-namespace

    When multiple workloads are running in the same namespace and each workload needs access to different secrets, a dedicated service account should be created for each workload and its workload identity in Conjur.

    Each service account should be mapped into its relevant application Pod, and should be projected to the relevant application container.

Set up your workloads using one of the methods described in Supported workload setup methods.