To begin, make sure you have an instance of Conjur available to your Kubernetes cluster (either internally or externally). A quick start guide is available at the Conjur website. As you’re getting set up, take note of the hostname used for your Conjur service, as well as the account name you’re using. These will be needed for the next step.
Next, we start by adding the Secretless Broker sidecar to an existing service
definition. This includes adding the Secretless Broker container and a ConfigMap
for the Secretless Broker configuration. In this example, the Secretless Broker
will be configured to authenticate local connections to a remote PostgreSQL
database. For documentation on the other handlers available, visit
Handlers. Be sure to change the
CONJUR_APPLIANCE_URL and CONJUR_ACCOUNT environment variables to match your
own Conjur configuration.
---
apiVersion: apps/v1
kind: Pod
metadata:
name: my-service
namespace: demo
labels:
app: my-service
spec:
containers:
- name: secretless-broker
image: cyberark/secretless-broker:latest
args: ["-f", "/etc/secretless/secretless.yml"]
environment:
CONJUR_APPLIANCE_URL: http://conjur.internal
CONJUR_ACCOUNT: demo
CONJUR_AUTHN_LOGIN: host/my-service
CONJUR_AUTHN_API_KEY: ${CONJUR_AUTHN_API_KEY}
ports:
- containerPort: 5432
volumeMounts:
- name: config
mountPath: "/etc/secretless"
readOnly: true
# <-- Add your own container definition here -->
# - name: my-service
# image: my-service:latest
- name: config
configMap:
name: my-service-secretless-config
The next step is to define a Secretless Broker configuration. Write the
following YAML to a file named secretless.yml.
listeners:
- name: pg
protocol: pg
address: 0.0.0.0:5432
handlers:
- name: pg
listener: pg
credentials:
- name: address
provider: conjur
id: my-service/address
- name: username
provider: conjur
id: my-service/username
- name: password
provider: conjur
id: my-service/password
Create a new ConfigMap in Kubernetes using the newly created secretless.yml.
kubectl create configmap my-service-secretless-config --from-file=secretless.yml
Our secretless.yml uses the
conjur provider to resolve credentials
required to connect to PostgreSQL. Here we create a
Conjur policy
which defines our application, its credentials and permissions.
---
- !policy
id: my-service
body:
- &secrets
- !variable address
- !variable username
- !variable password
- !host
- !layer
- !grant
role: !layer
member: !host
- !permit
role: !layer
privileges: [ read, execute ]
resources: *secrets
Save the above policy as my-service.yml and load it into Conjur using the
following command, then export CONJUR_AUTHN_API_KEY to the value of api_key
returned in JSON.
$ conjur policy load root my-service.yml
Loaded policy 'root'
{
"created_roles": {
"demo:host:my-service": {
"id": "demo:host:my-service",
"api_key": "393rne9kpn5gy1xf6wa63jd17emkztvmt9xf2yq2ecphwa1c60cg2"
}
},
"version": 1
}
$ export CONJUR_AUTHN_API_KEY=393rne9kpn5gy1xf6wa63jd17emkztvmt9xf2yq2ecphwa1c60cg2
Apply the manifest. Once running, PostgreSQL will be available within the Pod at
localhost:5432. You may need to make a change to your applications
configuration to update the address of the database. References to username or
password can be safely removed.
sed '/s\${CONJUR_AUTHN_API_KEY}/$CONJUR_API_KEY/g' my-service.yml \
| kubectl apply -f -
We’ve just completed a quick deployment of the Secretless Broker to an existing application using Conjur.