@rahul0208
Created July 27, 2021 16:21
Conjur Configuration
apiVersion: v1
kind: Service
metadata:
  name: test-app-secretless
  labels:
    app: test-app-secretless
spec:
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 8080
  selector:
    app: test-app-secretless
  type: LoadBalancer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-app-secretless
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-app-secretless
  name: test-app-secretless
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-app-secretless
  template:
    metadata:
      labels:
        app: test-app-secretless
    spec:
      serviceAccountName: test-app-secretless
      containers:
      - image: cyberark/demo-app
        imagePullPolicy: Always
        name: test-app-secretless
        ports:
        - name: http
          containerPort: 8080
        readinessProbe:
          httpGet:
            path: /pets
            port: http
          initialDelaySeconds: 15
          timeoutSeconds: 5
        env:
        # The app talks to the Secretless sidecar on localhost; it never sees the DB password.
        - name: DB_URL
          value: mysql://localhost:3306/test_app
      - image: cyberark/secretless-broker
        imagePullPolicy: Always
        name: secretless
        args: ["-f", "/config/secretless.yaml"]
        ports:
        # Secretless listens on 3306 (listenOn in secretless.yaml), matching DB_URL above.
        - containerPort: 3306
        env:
        - name: MY_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: MY_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: MY_POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: CONJUR_LOG_LEVEL
          value: debug
        - name: CONJUR_AUTHN_URL
          value: "https://conjur-oss-2.cyberark.svc.cluster.local/authn-k8s/my-authenticator-id"
        - name: CONJUR_APPLIANCE_URL
          value: "https://conjur-oss-2.cyberark.svc.cluster.local"
        - name: CONJUR_ACCOUNT
          value: secrets-user
        - name: CONJUR_AUTHN_LOGIN
          value: "host/conjur/authn-k8s/my-authenticator-id/apps/test-app-secretless"
        - name: CONJUR_SSL_CERTIFICATE
          valueFrom:
            configMapKeyRef:
              name: develop
              key: ssl-certificate
        volumeMounts:
        - name: config
          mountPath: "/config"
          readOnly: true
      imagePullSecrets:
      - name: dockerpullsecret
      volumes:
      - name: config
        configMap:
          name: test-app-secretless-config
---
kind: Service
apiVersion: v1
metadata:
  name: test-secretless-app-backend
  namespace: develop
spec:
  selector:
    app: test-secretless-app-backend
  ports:
  - port: 3306
    targetPort: 3306
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: secretless-mysql
  namespace: develop
  labels:
    app: test-secretless-app-backend
spec:
  serviceName: test-secretless-app-backend
  selector:
    matchLabels:
      app: test-secretless-app-backend
  template:
    metadata:
      labels:
        app: test-secretless-app-backend
    spec:
      containers:
      - name: test-secretless-app-backend
        image: mysql/mysql-server:5.7
        imagePullPolicy: Always
        ports:
        - containerPort: 3306
        env:
        - name: MYSQL_RANDOM_ROOT_PASSWORD
          value: "yes"
        - name: MYSQL_USER
          value: test_app
        - name: MYSQL_PASSWORD
          value: TEST_APP_DB_PASSWORD
        - name: MYSQL_DATABASE
          value: test_app
---
- !group devops
- !group secrets_admin
- !group developer

# This policy defines a layer of whitelisted identities permitted to authenticate to the authn-k8s endpoint.
- !policy
  id: conjur/authn-k8s/my-authenticator-id/apps
  owner: !group devops
  annotations:
    description: Identities permitted to authenticate
  body:
  - !layer
    annotations:
      description: Layer of authenticator identities permitted to call authn svc
  - &hosts
    # Annotation-based authentication (host ID is an application name, and
    # permitted application identities are listed as annotations)
    - !host
      id: test-app-secretless
      annotations:
        authn-k8s/namespace: develop
        authn-k8s/service-account: test-app-secretless
        authn-k8s/deployment: test-app-secretless
        authn-k8s/authentication-container-name: secretless
        kubernetes: "true"
    # Host-ID based authentication (application identity in the host itself)
    - !host
      id: develop/*/*
      annotations:
        kubernetes/authentication-container-name: authenticator
        openshift: "false"
    - !host
      id: develop/service_account/test-app-secretless
      annotations:
        kubernetes/authentication-container-name: secretless
        kubernetes: "true"
    - !host
      id: develop/deployment/test-app-secretless
      annotations:
        kubernetes/authentication-container-name: secretless
        kubernetes: "true"
  - !grant
    role: !layer
    members: *hosts

- !policy
  id: test-app
  owner: !group devops
  annotations:
    description: This policy connects authn identities to an application identity. It defines a layer named for an application that contains the whitelisted identities that can authenticate to the authn-k8s endpoint. Any permissions granted to the application layer will be inherited by the whitelisted authn identities, thereby granting access to the authenticated identity.
  body:
  - !layer
  # add authn identities to application layer so authn roles inherit app's permissions
  - !grant
    role: !layer
    members:
    - !layer /conjur/authn-k8s/my-authenticator-id/apps

- !policy
  id: test-secretless-app-db
  owner: !group secrets_admin
  annotations:
    description: This policy contains the creds to access the secretless app DB
  body:
  - &secretless-variables
    - !variable password
    - !variable url
    - !variable port
    - !variable host
    - !variable username
  - !permit
    role: !layer /test-app
    privileges: [ read, execute ]
    resources: *secretless-variables

- !policy
  id: conjur/authn-k8s/my-authenticator-id
  body:
  - !webservice
  # if id is not assigned,
  # it inherits the id from the policy
  # CA cert and key for creating client certificates
  - !policy
    id: ca
    body:
    - !variable
      id: cert
      annotations:
        description: CA cert for Kubernetes Pods.
    - !variable
      id: key
      annotations:
        description: CA key for Kubernetes Pods.
  # permit a layer of allowlisted authn ids to call authn service
  - !permit
    resource: !webservice
    privilege: [ read, authenticate ]
    role: !layer /conjur/authn-k8s/my-authenticator-id/apps

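The policy above lists two styles of authn-k8s host: an annotation-based host (`test-app-secretless`, pinned to a namespace, service account, deployment and authenticating container) and host-ID based hosts, one of which (`develop/*/*`) admits any workload in the `develop` namespace that authenticates from a container named `authenticator`. Before loading such a policy it is worth knowing exactly which pods each host would admit. The following Python is an added example, not part of the gist or of Conjur; it is a simplified model of the authn-k8s matching rules (host-ID format `<namespace>/<resource-type>/<name>`, annotation-based hosts keyed on `authn-k8s/namespace`, and the container-name annotation defaulting to `authenticator`), with the hosts transcribed from the policy and two constructed pod identities. Only `service_account` and `deployment` are modelled on the pod side; `stateful_set` and `pod` host IDs are recognised but never match, and these simplifications are assumptions rather than Conjur's exact behaviour.

```python
"""Simplified matcher for Conjur authn-k8s host identities (added example).

Assumed rules, an approximation of Conjur's authn-k8s behaviour:
  * host-ID based hosts look like <namespace>/<resource-type>/<name>, where
    resource-type is service_account, deployment, stateful_set, pod or '*',
    and '*' as the name matches anything;
  * annotation-based hosts carry authn-k8s/namespace (mandatory) plus optional
    authn-k8s/service-account and authn-k8s/deployment restrictions;
  * the container presenting the authentication request must equal
    authn-k8s/authentication-container-name or
    kubernetes/authentication-container-name, default "authenticator".
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PodIdentity:
    namespace: str
    service_account: str
    deployment: str
    container: str  # the container that calls the authn-k8s endpoint


@dataclass(frozen=True)
class Host:
    id: str
    annotations: dict = field(default_factory=dict)


# Hosts transcribed from the policy on this page.
POLICY_HOSTS = [
    Host("test-app-secretless", {
        "authn-k8s/namespace": "develop",
        "authn-k8s/service-account": "test-app-secretless",
        "authn-k8s/deployment": "test-app-secretless",
        "authn-k8s/authentication-container-name": "secretless",
    }),
    Host("develop/*/*",
         {"kubernetes/authentication-container-name": "authenticator"}),
    Host("develop/service_account/test-app-secretless",
         {"kubernetes/authentication-container-name": "secretless"}),
    Host("develop/deployment/test-app-secretless",
         {"kubernetes/authentication-container-name": "secretless"}),
]

RESOURCE_TYPES = {"service_account", "deployment", "stateful_set", "pod", "*"}
ANNOTATION_FIELDS = {
    "authn-k8s/namespace": "namespace",
    "authn-k8s/service-account": "service_account",
    "authn-k8s/deployment": "deployment",
}


def required_container(host: Host) -> str:
    """Container name the host expects the authentication request from."""
    for key in ("authn-k8s/authentication-container-name",
                "kubernetes/authentication-container-name"):
        if key in host.annotations:
            return host.annotations[key]
    return "authenticator"  # assumed default


def host_matches(host: Host, pod: PodIdentity) -> bool:
    if required_container(host) != pod.container:
        return False
    ann = host.annotations
    if "authn-k8s/namespace" in ann:
        # Annotation-based: every listed authn-k8s/* restriction must hold.
        return all(ann[k] == getattr(pod, attr)
                   for k, attr in ANNOTATION_FIELDS.items() if k in ann)
    # Host-ID based: namespace/resource-type/name.
    parts = host.id.split("/")
    if len(parts) != 3 or parts[1] not in RESOURCE_TYPES:
        return False
    namespace, rtype, name = parts
    if namespace != pod.namespace:
        return False
    if rtype == "*":
        return name == "*"
    # Only service_account and deployment are modelled on the pod.
    actual = {"service_account": pod.service_account,
              "deployment": pod.deployment}.get(rtype)
    return actual is not None and name in ("*", actual)


def matching_hosts(pod: PodIdentity, hosts=POLICY_HOSTS) -> list:
    """IDs of the hosts that would admit this pod."""
    return [h.id for h in hosts if host_matches(h, pod)]


def wildcard_hosts(hosts=POLICY_HOSTS) -> list:
    """Host IDs that admit any workload of some kind in a namespace."""
    return [h.id for h in hosts
            if len(h.id.split("/")) == 3 and "*" in h.id.split("/")[1:]]


if __name__ == "__main__":
    # Constructed pod identities: the sidecar pod from the Deployment above,
    # and an unrelated pod in the same namespace authenticating from a
    # container named "authenticator".
    sidecar = PodIdentity("develop", "test-app-secretless",
                          "test-app-secretless", "secretless")
    stranger = PodIdentity("develop", "other-sa", "other-app", "authenticator")
    for pod in (sidecar, stranger):
        print(pod.service_account, "->", matching_hosts(pod))
    print("wildcard hosts to review:", wildcard_hosts())
```

Running it shows the sidecar pod is admitted by the annotation-based host and the two specific host-ID hosts but not by `develop/*/*` (it authenticates from `secretless`, not `authenticator`), while an unrelated pod in `develop` is admitted only by `develop/*/*`. That second result is the one to review: because the `apps` layer is a member of the `test-app` layer, every host in it inherits read and execute on the database variables, so the wildcard host extends that access to any pod in the namespace that carries an `authenticator` container.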
version: "2"
services:
  test-app-mysql:
    protocol: mysql
    listenOn: tcp://0.0.0.0:3306
    credentials:
      host:
        from: conjur
        get: test-secretless-app-db/host
      port:
        from: conjur
        get: test-secretless-app-db/port
      username:
        from: conjur
        get: test-secretless-app-db/username
      password:
        from: conjur
        get: test-secretless-app-db/password
      sslmode: require