Conjur Configuration
# Service in front of the demo app pod (port 8080). Only the app port is
# published; the secretless sidecar's MySQL listener is not part of this
# Service, so it is not reachable through the load balancer.
apiVersion: v1
kind: Service
metadata:
  name: test-app-secretless
  labels:
    app: test-app-secretless
spec:
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 8080
  selector:
    app: test-app-secretless
  # LoadBalancer provisions an externally reachable endpoint with no
  # authentication in front of it — acceptable for a demo; narrow to ClusterIP
  # or an authenticated Ingress before reusing this outside a sandbox.
  type: LoadBalancer
---
# Identity the demo pod runs as. The Conjur host for this app carries the
# annotation `authn-k8s/service-account: test-app-secretless`, so this name is
# part of the workload identity the authenticator checks — rename both together.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-app-secretless
---
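# Demo app plus a Secretless Broker sidecar. The app never sees database
# credentials: it connects to localhost:3306 inside the pod, and the sidecar
# fetches the real credentials from Conjur and opens the upstream connection.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-app-secretless
  name: test-app-secretless
  # No metadata.namespace is set here, but the matching Conjur host is
  # annotated `authn-k8s/namespace: develop`; presumably this is applied with
  # `-n develop` — confirm, otherwise authentication fails on the namespace check.
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-app-secretless
  template:
    metadata:
      labels:
        app: test-app-secretless
    spec:
      serviceAccountName: test-app-secretless
      containers:
        # Both images are untagged (resolve to :latest) and pulled on every
        # start; pin a tag or digest so a registry update cannot silently
        # change what runs in the pod.
        - image: cyberark/demo-app
          imagePullPolicy: Always
          name: test-app-secretless
          ports:
            - name: http
              containerPort: 8080
          readinessProbe:
            httpGet:
              path: /pets
              port: http
            initialDelaySeconds: 15
            timeoutSeconds: 5
          env:
            # Points at the sidecar, not at MySQL directly.
            - name: DB_URL
              value: mysql://localhost:3306/test_app
        - image: cyberark/secretless-broker
          imagePullPolicy: Always
          name: secretless
          args: ["-f", "/config/secretless.yaml"]
          ports:
            # Declared port now matches the `listenOn: tcp://0.0.0.0:3306` in
            # secretless.yaml and the app's DB_URL (it was 5432, a port nothing
            # in this pod listens on). The field is informational in Kubernetes,
            # so this does not change connectivity.
            - containerPort: 3306
          env:
            # Pod identity fields the authn-k8s client presents to Conjur.
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: MY_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: MY_POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            # debug is verbose; lower it once troubleshooting is done.
            - name: CONJUR_LOG_LEVEL
              value: debug
            - name: CONJUR_AUTHN_URL
              value: "https://conjur-oss-2.cyberark.svc.cluster.local/authn-k8s/my-authenticator-id"
            - name: CONJUR_APPLIANCE_URL
              value: "https://conjur-oss-2.cyberark.svc.cluster.local"
            - name: CONJUR_ACCOUNT
              value: secrets-user
            # Must equal the `!host id: test-app-secretless` declared under the
            # policy `conjur/authn-k8s/my-authenticator-id/apps`.
            - name: CONJUR_AUTHN_LOGIN
              value: "host/conjur/authn-k8s/my-authenticator-id/apps/test-app-secretless"
            # CA certificate used to verify the Conjur endpoint. It is public
            # material, so a ConfigMap (not a Secret) is the right home for it.
            - name: CONJUR_SSL_CERTIFICATE
              valueFrom:
                configMapKeyRef:
                  name: develop
                  key: ssl-certificate
          volumeMounts:
            - name: config
              mountPath: "/config"
              readOnly: true
      imagePullSecrets:
        - name: dockerpullsecret
      volumes:
        # Holds secretless.yaml; it contains only Conjur variable paths, no
        # secret values.
        - name: config
          configMap:
            name: test-app-secretless-config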
---
# ClusterIP Service for the MySQL StatefulSet. This is the upstream the
# secretless sidecar connects to; its address is what the Conjur variable
# `test-secretless-app-db/host` is expected to hold.
kind: Service
apiVersion: v1
metadata:
  name: test-secretless-app-backend
  namespace: develop
spec:
  selector:
    app: test-secretless-app-backend
  ports:
    - port: 3306
      targetPort: 3306
---
# Demo MySQL backend. No volumeClaimTemplates are declared, so the database
# lives in the container filesystem and is lost when the pod is recreated;
# replicas is left at its default.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: secretless-mysql
  namespace: develop
  labels:
    app: test-secretless-app-backend
spec:
  serviceName: test-secretless-app-backend
  selector:
    matchLabels:
      app: test-secretless-app-backend
  template:
    metadata:
      labels:
        app: test-secretless-app-backend
    spec:
      containers:
        - name: test-secretless-app-backend
          image: mysql/mysql-server:5.7
          imagePullPolicy: Always
          ports:
            - containerPort: 3306
          env:
            # Quoted on purpose: an unquoted yes would parse as a boolean.
            - name: MYSQL_RANDOM_ROOT_PASSWORD
              value: "yes"
            - name: MYSQL_USER
              value: test_app
            # Literal password in a manifest that is committed to VCS. Source it
            # from a Kubernetes Secret via valueFrom.secretKeyRef instead, and
            # keep it equal to the value loaded into the Conjur variable
            # `test-secretless-app-db/password`, which is what the sidecar
            # presents to this server.
            - name: MYSQL_PASSWORD
              value: TEST_APP_DB_PASSWORD
            - name: MYSQL_DATABASE
              value: test_app
---
# Top-level groups. devops owns the authn and app policies below and
# secrets_admin owns the DB credential policy; developer is declared but not
# referenced anywhere else in this file.
- !group devops
- !group secrets_admin
- !group developer
# This policy defines a layer of whitelisted identities permitted to
# authenticate to the authn-k8s endpoint.
- !policy
  id: conjur/authn-k8s/my-authenticator-id/apps
  owner: !group devops
  annotations:
    description: Identities permitted to authenticate
  body:
    - !layer
      annotations:
        description: Layer of authenticator identities permitted to call authn svc
    - &hosts
      # Annotation-based authentication (host ID is an application name, and
      # permitted application identities are listed as annotations)
      - !host
        id: test-app-secretless
        annotations:
          authn-k8s/namespace: develop
          authn-k8s/service-account: test-app-secretless
          authn-k8s/deployment: test-app-secretless
          # Only the container named `secretless` in the pod may authenticate.
          authn-k8s/authentication-container-name: secretless
          kubernetes: "true"
      # Host-ID based authentication (application identity in the host itself)
      # Wildcard identity: any service account or deployment in the `develop`
      # namespace running a container named `authenticator` can authenticate
      # as this host and, through the grant below, inherits everything the
      # layer is permitted. Replace it with specific host IDs (like the two
      # that follow) before reusing this policy outside a demo.
      - !host
        id: develop/*/*
        annotations:
          kubernetes/authentication-container-name: authenticator
          openshift: "false"
      - !host
        id: develop/service_account/test-app-secretless
        annotations:
          kubernetes/authentication-container-name: secretless
          kubernetes: "true"
      - !host
        id: develop/deployment/test-app-secretless
        annotations:
          kubernetes/authentication-container-name: secretless
          kubernetes: "true"
    # Every host above becomes a member of this policy's layer.
    - !grant
      role: !layer
      members: *hosts
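# Application identity. The authn layer is granted membership of this layer,
# so whatever is permitted to `!layer /test-app` is reachable by every host
# that can authenticate through my-authenticator-id.
- !policy
  id: test-app
  owner: !group devops
  annotations:
    # Folded scalar: same text as before, kept under the line-length limit.
    description: >-
      This policy connects authn identities to an application identity. It
      defines a layer named for an application that contains the whitelisted
      identities that can authenticate to the authn-k8s endpoint. Any
      permissions granted to the application layer will be inherited by the
      whitelisted authn identities, thereby granting access to the
      authenticated identity.
  body:
    - !layer
    # add authn identities to application layer so authn roles inherit app's permissions
    - !grant
      role: !layer
      members:
        - !layer /conjur/authn-k8s/my-authenticator-id/apps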
# Database credentials consumed by the secretless sidecar. Policy load only
# creates the variables; their values are set out of band by secrets_admin.
- !policy
  id: test-secretless-app-db
  owner: !group secrets_admin
  annotations:
    description: This policy contains the creds to access the secretless app DB
  body:
    - &secretless-variables
      - !variable password
      # `url` is not read by the secretless.yaml on this page; the sidecar
      # pulls host/port/username/password individually.
      - !variable url
      - !variable port
      - !variable host
      - !variable username
    # read + execute on a variable is what lets a role fetch its value.
    - !permit
      role: !layer /test-app
      privileges: [ read, execute ]
      resources: *secretless-variables
# The authn-k8s authenticator itself: the webservice clients authenticate
# against, plus the CA material it uses to issue client certificates.
- !policy
  id: conjur/authn-k8s/my-authenticator-id
  body:
    - !webservice
      # if id is not assigned,
      # it inherits the id from the policy
    # CA cert and key for creating client certificates
    - !policy
      id: ca
      body:
        - !variable
          id: cert
          annotations:
            description: CA cert for Kubernetes Pods.
        # Private key of the authenticator CA. Nothing in this file grants it
        # to any other role; keep it that way.
        - !variable
          id: key
          annotations:
            description: CA key for Kubernetes Pods.
    # permit a layer of allowlisted authn ids to call authn service
    - !permit
      resource: !webservice
      privilege: [ read, authenticate ]
      role: !layer /conjur/authn-k8s/my-authenticator-id/apps
# Secretless Broker configuration mounted at /config/secretless.yaml in the
# demo pod. It names Conjur variable paths only; no secret values live here.
version: "2"
services:
  test-app-mysql:
    protocol: mysql
    # NOTE(review): 0.0.0.0 binds on every interface of the pod, so the broker
    # is reachable from any peer that can reach the pod IP (absent a
    # NetworkPolicy). The app connects over localhost, so tcp://127.0.0.1:3306
    # would confine the credential-injecting listener to this pod — confirm the
    # app's localhost resolves to IPv4 before switching.
    listenOn: tcp://0.0.0.0:3306
    credentials:
      # Each value is fetched from Conjur under the test-secretless-app-db
      # policy using the sidecar's host identity.
      host:
        from: conjur
        get: test-secretless-app-db/host
      port:
        from: conjur
        get: test-secretless-app-db/port
      username:
        from: conjur
        get: test-secretless-app-db/username
      password:
        from: conjur
        get: test-secretless-app-db/password
      # require encrypts the connection to MySQL but does not verify the
      # server's certificate; verify-ca/verify-full with an sslrootcert
      # credential is needed to authenticate the server.
      sslmode: require