GitHub - cyberark/conjur-k8s-csi-provider
CyberArk Secrets Manager Provider for Secrets Store CSI Driver
CyberArk Secrets Manager's integration for the Kubernetes Secrets Store CSI Driver, which injects secrets into Kubernetes environments via Container Storage Interface volumes.
Secrets Manager Provider for Secrets Store CSI Driver is part of the CyberArk Conjur Open Source Suite of tools.
Certification level
This repo is a Trusted level project. It is supported by CyberArk and has been verified to work with Secrets Manager, Self-Hosted. For more detailed information on our certification levels, see our community guidelines.
Requirements
| Dependency | Minimum Version |
|---|---|
| Go | 1.22.0 |
| Kubernetes | 1.19.0 |
| Secrets Store CSI Driver | 1.3.0 |
| Conjur OSS / Secrets Manager, Self-Hosted / Secrets Manager, SaaS | 1.17.3 / 12.5 / Current |
OpenShift
The Secrets Manager CSI Provider has been tested against the following OpenShift versions:
| Oldest | Current |
|---|---|
| 4.12 | 4.15 |
Usage
1. Create and configure a JWT Authenticator instance in Secrets Manager

Load the following Secrets Manager policy samples to set up AuthnJWT.

Each workload in Kubernetes is represented as a Secrets Manager host, specified by identifying annotations.

```yaml
- !host
  id: system:serviceaccount:app-namespace:default
  annotations:
    authn-jwt/kube/kubernetes.io/namespace: app-namespace
    authn-jwt/kube/kubernetes.io/serviceaccount/name: default
```

The following policy YAML creates an AuthnJWT instance `kube` to authenticate workloads in Kubernetes using their ServiceAccount tokens, and permits the created host to authenticate with the service. The host ID is the value of the claim in the JWT token specified by the `token-app-property` authenticator variable.

```yaml
- !policy
  id: conjur/authn-jwt/kube
  body:
  - !webservice

  # Uncomment one of the following variables depending on the public availability
  # of the Service Account Issuer Discovery service in Kubernetes:
  # If the service is publicly available, uncomment 'jwks-uri'.
  # If the service is not available, uncomment 'public-keys'.
  # - !variable
  #   id: jwks-uri
  # - !variable
  #   id: public-keys

  # Used with 'jwks-uri'.
  # Uncomment ca-cert if the JWKS website cert isn't trusted by Conjur.
  # - !variable
  #   id: ca-cert

  # Used with 'public-keys'.
  # This variable contains the expected "iss" value of the JWT.
  - !variable
    id: issuer

  # This variable contains the expected "aud" value of the JWT.
  - !variable
    id: audience

  # This variable tells Secrets Manager which claim in the JWT to use to determine the
  # Secrets Manager host identity.
  - !variable
    id: token-app-property # Most likely set to "sub" for Kubernetes

  # Used with 'token-app-property'.
  # This variable holds the Secrets Manager policy path that contains the Secrets Manager
  # host identity found by looking at the claim entered in token-app-property.
  - !variable
    id: identity-path

  - !permit
    role: !host /system:serviceaccount:app-namespace:default
    privilege: [ read, authenticate ]
    resource: !webservice
```

Create variables that contain secret content required by your application, and permit the host to access them.

```yaml
- !policy
  id: db-credentials
  body:
  - &variables
    - !variable url
    - !variable username
    - !variable password

  - !permit
    role: !host /system:serviceaccount:app-namespace:default
    privileges: [ read, execute ]
    resource: *variables
```

Refer to our documentation for more information on JWT Authentication.
2. Install the Secrets Store CSI Driver Helm chart

```shell
$ helm repo add secrets-store-csi-driver \
    https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
$ helm install csi-secrets-store \
    secrets-store-csi-driver/secrets-store-csi-driver \
    --wait \
    --namespace kube-system \
    --set 'tokenRequests[0].audience=conjur'
```

Refer to the Secrets Store CSI Driver documentation for more information and best practices for installing the CSI Driver.

3. Install the Secrets Manager Provider Helm chart

```shell
$ helm repo add cyberark \
    https://cyberark.github.io/helm-charts
$ helm install conjur-csi-provider \
    cyberark/conjur-k8s-csi-provider \
    --wait \
    --namespace kube-system
```

See the Helm chart configuration table for additional customization options.

4. Create a SecretProviderClass

Configuration is passed to the Secrets Manager provider via a `SecretProviderClass` through the `spec.parameters` field.
```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: credentials-from-conjur
spec:
  provider: conjur
  parameters:
    conjur.org/configurationVersion: 0.2.0
    account: myAccount
    applianceUrl: http://myorg.conjur.com
    authnId: authn-jwt/kube
    sslCertificate: |
      -----BEGIN CERTIFICATE-----
      MIIDhDCCAmy...njemCrVXIWw==
      -----END CERTIFICATE-----
```
See the SecretProviderClass configuration table for additional customization options.
5. Deploy an application
Define secrets in the application pod's conjur.org/secrets annotation and reference the SecretProviderClass in the pod's volumes.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: app-namespace
  annotations:
    conjur.org/secrets: |
      - "relative/path/fileA.txt": "db-credentials/url"
      - "relative/path/fileB.txt": "db-credentials/username"
      - "relative/path/fileC.txt": "db-credentials/password"
spec:
  serviceAccountName: default
  containers:
  - name: app
    image: alpine:latest
    imagePullPolicy: Always
    command: [ "/bin/sh", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
    volumeMounts:
    - name: conjur-csi-provider-volume
      mountPath: /mnt/secrets-store
      readOnly: true
    securityContext:
      allowPrivilegeEscalation: false
  volumes:
  - name: conjur-csi-provider-volume
    csi:
      driver: 'secrets-store.csi.k8s.io'
      readOnly: true
      volumeAttributes:
        secretProviderClass: "credentials-from-conjur"
```
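The `conjur.org/secrets` annotation is a list of one-entry mappings from a path relative to the CSI mount to a Secrets Manager variable ID. The Go example below is added here and is not the provider's own code: it parses that list into a path-to-variable map and rejects entries that would place a file outside the mount directory or map the same file twice. `ParseSecretsAnnotation` and the `SampleAnnotation` constant (taken from the pod manifest above) are names chosen for this example.

```go
package main

import (
	"fmt"
	"path"
	"strconv"
	"strings"
)

// SampleAnnotation is the conjur.org/secrets value from the pod manifest above.
const SampleAnnotation = `
- "relative/path/fileA.txt": "db-credentials/url"
- "relative/path/fileB.txt": "db-credentials/username"
- "relative/path/fileC.txt": "db-credentials/password"
`

// ParseSecretsAnnotation turns the annotation's `- "file": "variable"` lines
// into a map of mount-relative file path to Secrets Manager variable ID, and
// rejects paths that would land outside the mount or map one file twice.
// It is an illustrative validator, not the provider's own parser.
func ParseSecretsAnnotation(annotation string) (map[string]string, error) {
	secrets := map[string]string{}
	for n, raw := range strings.Split(annotation, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" {
			continue
		}
		// Split on the key's closing quote so a ':' inside the variable ID survives.
		key, val, ok := strings.Cut(strings.TrimPrefix(line, "- "), `":`)
		if !strings.HasPrefix(line, "- ") || !ok {
			return nil, fmt.Errorf("line %d: expected `- \"file\": \"variable\"`", n+1)
		}
		rel, err1 := strconv.Unquote(strings.TrimSpace(key) + `"`)
		varID, err2 := strconv.Unquote(strings.TrimSpace(val))
		if err1 != nil || err2 != nil || varID == "" {
			return nil, fmt.Errorf("line %d: file path and variable ID must be double-quoted", n+1)
		}
		// Keep the file inside the mount: no absolute paths and no ".." escapes.
		clean := path.Clean(rel)
		if path.IsAbs(rel) || clean == "." || clean == ".." || strings.HasPrefix(clean, "../") {
			return nil, fmt.Errorf("line %d: %q escapes the secrets mount", n+1, rel)
		}
		if _, dup := secrets[clean]; dup {
			return nil, fmt.Errorf("line %d: %q is mapped more than once", n+1, clean)
		}
		secrets[clean] = varID
	}
	return secrets, nil
}
```

Paths are normalised with `path.Clean`, so `./fileA.txt` and `fileA.txt` count as the same file.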
Configuration
Secrets Manager Provider Helm chart
The following table lists the configurable parameters of the Secrets Manager Provider Helm chart and their default values.
| Parameter | Description | Default |
|---|---|---|
| daemonSet.name | Name given to Provider DaemonSet and child Pods | conjur-k8s-csi-provider |
| daemonSet.image.repo | Secrets Manager Provider Docker image repository | cyberark/conjur-k8s-csi-provider |
| daemonSet.image.tag | Secrets Manager Provider Docker image tag | latest |
| daemonSet.image.pullPolicy | Pull Policy for Secrets Manager Provider Docker image | IfNotPresent |
| provider.name | Name used to reference Secrets Manager Provider instance | conjur |
| provider.healthPort | Port to expose Secrets Manager Provider health server | 8080 |
| provider.socketDir | Directory of socket connections to the Secrets Store CSI Driver | /var/run/secrets-store-csi-providers |
| securityContext | Security configuration to be applied to Secrets Manager Provider container | { privileged: false, allowPrivilegeEscalation: false} |
| serviceAccount.create | Controls whether or not a ServiceAccount is created | true |
| serviceAccount.name | Name of the ServiceAccount associated with Provider Pods | conjur-k8s-csi-provider |
| labels | Map of labels applied to Provider DaemonSet and child Pods | {} |
| annotations | Map of annotations applied to Provider DaemonSet and child Pods | {} |
SecretProviderClass
The following table lists the configurable parameters on the Secrets Manager Provider's SecretProviderClass instances.
| Field | Description | Example |
|---|---|---|
| spec.parameters.account | Secrets Manager account used during authentication | myAccount |
| spec.parameters.applianceUrl | Secrets Manager Appliance URL | https://myorg.conjur.com |
| spec.parameters.authnId | Type and service ID of desired Secrets Manager authenticator | authn-jwt/service-id |
| spec.parameters.conjur.org/configurationVersion | Secrets Manager CSI Provider configuration version | 0.2.0 |
| spec.parameters.identity | Secrets Manager identity used during authentication and authorization (Optional. Only used when token-app-property authenticator field is not used.) | botApp |
| spec.parameters.secrets | Multiline string describing map of relative filepaths to Secrets Manager variable IDs. NOTE: This parameter is ignored when conjur.org/configurationVersion is 0.2.0 or higher. Instead use application pod annotations. | - "relative/path/fileA.txt": "conjur/path/varA"<br>- "relative/path/fileB.txt": "conjur/path/varB" |
| spec.parameters.sslCertificate | Conjur Appliance certificate | -----BEGIN CERTIFICATE-----<br>MIIDhDCCAmy...njemCrVXIWw==<br>-----END CERTIFICATE----- |
Contributing
Please read our Contributing Guide.
Community Support
Our primary channel for support is through our CyberArk Commons community here.
Code Maintainers
CyberArk Secrets Manager Team
License
Copyright (c) 2023 CyberArk Software Ltd. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this software except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
For the full license text see LICENSE.