Skip to content

A tour of Conjur including LDAP sync, scalable machine identity, policy-based mgmt, ssh key mgmt and Splunk integration.

Notifications You must be signed in to change notification settings

conjurdemos/cdemo

Repository files navigation

Cyberark Conjur Enterprise demonstration environment

This will set up a new demo environment that will show off the features of a Conjur Enterprise in conjunction with common devops tools. The tools are all docker containers that are all mapped to the same docker network to all for DNS resolution of the docker container name.

Conjur Appliance

The demo uses the lastest version of Conjur v5

DevOps tools

  • Docker
  • Ansible Engine
  • Ansible Tower
  • Jenkins
  • Gogs
  • Conjur CLI & Summoin
  • Conjur Enterprise v5 or Conjur OSS
  • Weavescope
  • Splunk (Requires Conjur Enterprise v5)

How to use

  1. Clone this repo.
  2. Obtain the latest Conjur tar file and place it within the cDemo directory named 'conjur.tar'. (or '.tar.gz' or '.tgz')
    • If no tar file is located then cdemo will check for conjur docker registry access. If you set up your environment to access the private Conjur regsitry, then cdemo will use the latest Conjur Enterprise image. version is pulled directly from the registry.
    • cdemo will automatically pull Conjur OSS if there is no tar file or Conjur docker registry access.
  3. Run bin/install-ansible
    • Verify that ansible 2.7.x has been installed by running ansible --version.
  4. Edit conjurDemo/inventory.yml to include any machines to be stood up as demo machines, and to select which tools are installed. Set each tool variable to 'YES' to install it automatically. Set to 'NO' to skip it. Some services (Conjur, Gogs, Jenkins) are required and installation of cdemo will not finish without them.
  5. Run bin/install to install cdemo.
  6. To uninstall cdemo and its dependencies, run bin/clean-environment.

Note: Ansible with PAS jobs can be deployed by setting the variable "ansible_pas: 'YES'" in conjurDemo/inventory.yml

Using cdemo with Conjur Enterprise

By default, cdemo will build with Conjur Open Source which is available to everyone as LGPL software. However, if you have access to Conjur Enterprise, cdemo can use that instead.

In order to enable Conjur Enterprise, you need an archive containing the Conjur Enterprise appliance image in the root directory of cdemo (same as this readme.)

If you have access to a Docker registry containing Conjur Enterprise you can create the acrhive yourself like so:

$ docker image save registry.local/conjur-appliance:5.0-stable | gzip -c >conjur.tgz

If you don't have access, you can download the archive file from your CyberArk support vault or contact CyberArk sales to get access. After downloading the arcvhive file, move it to this folder.

Note: in order to be recognized as a Conjur Enterprise archive file, it must have one of these names:

  • conjur.tar
  • conjur.tar.gz
  • conjur.tgz

Any other archive file(s) will be ignored.

Use case: I have Conjur Enterprise in a local registry & don't want to mess with creating archive files

In this case, you can enable Conjur Enterprise with these steps:

  1. edit cdemo/conjurDemo/roles/conjurConfig/defaults/main.yml
  2. change conjur_version to EE
  3. change conjur_EE_image_name to the fully qualified name of the Conjur Enterprise appliance image in your local registry.

Now cdemo will use Conjur Enterprise without requiring an archive file.

Conjur CLI information

The Conjur CLI will be pre-configured to work with the Conjur container. Inside the CLI container, the scripts folder is mounted to /scripts.

Requirements

  1. Centos 7 OS
  2. Internet Connection
  3. 4 vCPU
  4. 8 GB Ram
  5. 32 GB hdd space at minimum
  6. Ansible v2.7

Access web interfaces

The tools installed have a web interfaces that is made accessible to the host machine on the following network ports:

Tool Port
Jenkins 6060
Gogs 10080
Ansible Tower 8080
Conjur 443
Weavescope 4040

If using v5 Enterprise Edition:

Tool Port
Splunk 8000

Default Credentials

  • Jenkins - No credentials needed right now
  • Conjur - U: admin P: Cyberark1
  • Conjur - U: mike P: Cyberark1
  • Conjur - U: paul P: Cyberark1
  • Conjur - U: cindy P: Cyberark1
  • Conjur - U: john P: Cyberark1
  • Conjur - U: eva P: Cyberark1
  • AWX - U: eva P: Cyberark1
  • Gogs - U: eva P: Cyberark1
  • Splunk - U: admin P: Cyberark1

Gogs and Jenkins Jobs

Jenkins and Gogs are connected via an internal docker network. Updating a job in Gitlab will be reflected in the subsequent Jenkins job at runtime.

  1. JOB1_Summon - This job uses summon and the jenkins identity to pull a password with a simplified script
  2. JOB2_Containers - This job spins up 5 webapp and 5 tomcat containers that are all pulling back a password. Jenkins generates a hostfactory token for each set of containers and then passes through an identity through container environment variables. Each container will then pull a password every 5 seconds.
  3. JOB2_Rotation - This job rotates the secret being pulled by the containers.
  4. JOB2_StopContainers - This job kills all of the tomcat and webapp containers.

AWX , Gogs, and Jenkins Jobs

AWX and Gogs are connected via an internal docker network. All projects in AWX have source code in Gogs.

  1. LAB3_AnsibleBuildContainers (Jenkins) - Creates target for Ansible job.
  2. LAB3_AnsibleConjurIdentity - Pushes a conjur identity to a remote machine that is set up with the job above.
  3. LAB3_AnsibleConjurLookup - Returns a value from conjur is the ansible node has a conjur identity.
  4. LAB3_AnsibleStopContainers (Jenkins) - Removes target and clears awx known_hosts.

API Scripts

There are scripts that are copied into the conjur-cli container that will interact with Conjur via REST calls to step through:

  1. Hostfactory creation
  2. Identity creation using hostfactory token
  3. Pull password using identity

The scripts are located in /scripts. You can connect to the conjur-cli container with:

$ sudo docker exec -it conjur-cli bash

About

A tour of Conjur including LDAP sync, scalable machine identity, policy-based mgmt, ssh key mgmt and Splunk integration.

Topics

Resources

Stars

Watchers

Forks

Packages

No packages published