Set up workloads (cert-based authentication)

The following sections describe how to set up your workloads to retrieve secrets from Conjur using certificate based authentication.

Supported setup methods

The following methods are supported for connecting to targets such as databases or web services.

Method	Description	Benefit
Kubernetes Authenticator Client	Use to authenticate the pod to Conjur. Use the API or Summon to fetch the secrets to create connection.	Generic method to connect to targets. You can use this method for any target system.
CyberArk Secrets Provider for Kubernetes	Use an init or application container to dynamically populate Kubernetes Secrets with the secrets from Conjur that are required by the application pod	Use secrets stored and managed in the CyberArk Vault using Conjur to consume them as Kubernetes Secrets leveraging PAM - Self-Hosted security while seamlessly deploying Kubernetes containers.
Secretless Broker Sidecar	Use the built in capabilities of Secretless to authenticate to the pod with Conjur and then open a connection to a supported target. For details, see Secretless Service Connectors.	New secure approach for application connection where the secret is never exposed to the app.

Method

Description

Benefit

Kubernetes Authenticator Client

Use to authenticate the pod to Conjur. Use the API or Summon to fetch the secrets to create connection.

Generic method to connect to targets. You can use this method for any target system.

CyberArk Secrets Provider for Kubernetes

Use an init or application container to dynamically populate Kubernetes Secrets with the secrets from Conjur that are required by the application pod

Use secrets stored and managed in the CyberArk Vault using Conjur to consume them as Kubernetes Secrets leveraging PAM - Self-Hosted security while seamlessly deploying Kubernetes containers.

Secretless Broker Sidecar

Use the built in capabilities of Secretless to authenticate to the pod with Conjur and then open a connection to a supported target.

For details, see Secretless Service Connectors.

New secure approach for application connection where the secret is never exposed to the app.

Before you start

To set up your workload to authenticate to Conjur, ensure that a Kubernetes Authenticator has been configured and allowlisted. For more information, contact your Conjur admin or see Certificate-based Kubernetes authentication.
Make sure you have the Conjur CLI (v7.x+) installed and that you are logged in. For details, see Set up the Conjur CLI.

Prepare the application namespace

In this section you prepare your application namespace with Kubernetes and Conjur credentials needed to connect to Conjur and retrieve secrets.

Kubernetes
Rancher

The prepared namespace contains the following resources:

Resource	Description
Conjur connection ConfigMap	Contains references to Conjur credentials, taken from the Golden ConfigMap. These credentials can be used to enable workloads to authenticate to Conjur to retrieve secrets securely.
Authenticator RoleBinding	Grants permissions to the Conjur authenticator service account for the authenticator cluster role. This provides a list of Kubernetes API access permissions which are required to validate workload identities.

You can prepare the application namespace using a Helm chart or a raw Kubernetes manifest file.

Make sure you have access to:

the Kubernetes namespace for your workload, for example, test-app-namespace

the relevant resource for preparing namespaces in Kubernetes

Method	Location
Helm charts	CyberArk Helm Charts repository
Raw manifests	CyberArk raw manifest repository

To prepare the application namespace:

Create a ConfigMap and a RoleBinding in the test-app-namespace namespace:

Helm chart
Raw Kubernetes manifest

We recommend using this method to create the resources in your application namespace. However, if the Helm repo is not available, use the raw Kubernetes manifest (see the Raw Kubernetes manifest tab).

During the Kubernetes Authenticator configuration, a Golden ConfigMap is created that contains Kubernetes and Conjur credentials. In the following procedure, you install a Helm chart which retrieves these credentials from the Golden ConfigMap and uses them to prepare the application namespace. For more information about the Golden Configmap, see Create Kubernetes resources for the Kubernetes Authenticator.

Add the Helm chart repo to all Helm charts.

$ helm repo add cyberark https://cyberark.github.io/helm-charts
helm repo update

Run the helm install command. In the following example, helm-install creates a ConfigMap and a RoleBinding in the test-app-namespace namespace using details from the Golden ConfigMap, conjur-configmap which is located in the cyberark-conjur namespace.

$ helm install namespace-prep cyberark/conjur-config-namespace-prep \
  --namespace test-apps-namespace \
  --set authnK8s.goldenConfigMap="conjur-configmap" \
  --set authnK8s.namespace="cyberark-conjur"

For more information on configurable parameters of the namespace preparation Helm chart and their default values, see Conjur namespace preparation Helm Chart Configuration.

If you are able to use Helm charts, we recommend doing so. For details, click the Helm chart tab.

Before you start, collect the following information:

Conjur account to be used by the Kubernetes Authenticator
Kubernetes Authenticator (service-ID) to use for authentication
Conjur certificate file (including the full path)

You can get this information in one the following ways:

From the Conjur admin: Ask the Conjur admin for the Conjur details

From the Golden ConfigMap: Pull the data from the Golden ConfigMap (for OpenShift use oc in place of kubectl):

$ kubectl get configmap conjur-configmap -o "jsonpath={.data}" -n cyberark-conjur

Download the raw Kubernetes manifest, conjur-config-namespace-prep.yaml, from the Kubernetes Authenticator Client GitHub repository.

Open the manifest in a text editor and enter the following information:

Placeholder	Description
`CONJUR_ACCOUNT`	Conjur account, for example, `myorg`
`CONJUR_APPLIANCE_URL`	Conjur URL
`CONJUR_AUTHN_URL`	Authenticator URL. Provide the Conjur URL and the authenticator's service ID, for example, `dev-cluster`
`CONJUR_SSL_CERTIFICATE`	Conjur certificate file, for example, `path/to/conjur.pem`
`CONJUR_AUTHENTICATOR_ID`	Kubernetes Authenticator service ID, for example, `dev-cluster`

Apply the configuration to the application namespace, test-app-namespace (for OpenShift use oc in place of kubectl):

$ kubectl apply -f conjur-config-namespace-prep.yaml --namespace test-app-namespace

Create a Kubernetes service account for the application. The following command creates the test-app-sa service account in test-app-namespace:
```
kubectl create serviceaccount test-app-sa -n test-app-namespace
```
Create a Kubernetes service account for the workload. The following command creates the test-app-sa service account in test-app-namespace:
```
kubectl create serviceaccount test-app-sa -n test-app-namespace
```

The application namespace now contains its own ConfigMap, RoleBinding, and ServiceAccount resources. All applications in the namespace can use these resources to connect to Conjur and authenticate using the Kubernetes Authenticator.

The prepared namespace contains a Conjur connection ConfigMap with references to Conjur credentials. These credentials can be used to enable workloads to authenticate to Conjur to retrieve secrets securely.

You can prepare the application namespace using a raw Kubernetes manifest file.

Make sure you have access to the Kubernetes namespace for your workload, for example, test-app-namespace

To prepare the application namespace:

Create a ConfigMap in the test-app-namespace namespace:

Before you start, collect the following information from your Conjur admin:
- Conjur account to be used by the Kubernetes Authenticator
- Kubernetes Authenticator (service-ID) to use for authentication
- Conjur certificate file (including the full path)

Copy the following manifest, and save it as namespace-prep.yml:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: conjur-connect
  labels:
    app.kubernetes.io/name: "conjur-connect-configmap"
    app.kubernetes.io/instance: "conjur-default-configmap"
    app.kubernetes.io/part-of: "conjur-config"
    conjur.org/name: "conjur-connect-configmap"
data:
  CONJUR_ACCOUNT: <Insert-Conjur-Account-Here>
  CONJUR_APPLIANCE_URL: https://insert.conjur.appliance.url.here
  CONJUR_AUTHN_URL: https://insert.conjur.appliance.url.here/authn-k8s/<Insert-Authenticator-ID-Here>
  CONJUR_SSL_CERTIFICATE: |- 
    <Insert-Conjur-SSL-Certificate-Here>
  CONJUR_AUTHENTICATOR_ID: <Insert-Authenticator-ID-Here>

Enter the following information:

Placeholder	Description
`CONJUR_ACCOUNT`	Conjur account, for example, `myorg`
`CONJUR_APPLIANCE_URL`	Conjur URL
`CONJUR_AUTHN_URL`	Authenticator URL. Provide the Conjur URL and the authenticator's service ID, for example, `dev-cluster`
`CONJUR_SSL_CERTIFICATE`	Conjur certificate file, for example, `path/to/conjur.pem`
`CONJUR_AUTHENTICATOR_ID`	Kubernetes Authenticator service ID, for example, `dev-cluster`

Apply the configuration to the application namespace, test-app-namespace:

$ kubectl apply -f conjur-config-namespace-prep.yaml --namespace test-app-namespace

Create a Kubernetes service account for the application. The following command creates the test-app-sa service account in test-app-namespace:
```
kubectl create serviceaccount test-app-sa -n test-app-namespace
```

The application namespace now contains its own ConfigMap and ServiceAccount resources. All applications in the namespace can use these resources to connect to Conjur and authenticate using the Kubernetes Authenticator.

Set up your workloads using one of the methods described in Supported setup methods.