Inserting secrets into a Tomcat application property file using Chef and Conjur.
In this tutorial, we'll:
- Create a host-factory that can bootstrap Conjur hosts into a layer
- Give that layer access to two secrets
- Converge a Chef run that:
  - Assigns an identity to the host, given a host-factory token
  - Inserts secrets into a Tomcat application property file
You'll need a Conjur appliance running and accessible from your workstation. Contact us for one if you don't already have it.
- Install the ChefDK. We'll use test-kitchen and berkshelf to converge the node.
- Install Docker. If you're on OSX, use docker-machine or boot2docker to create a VM.
- Install the kitchen-docker driver:

```
$ chef gem install kitchen-docker
```
Our security policy is defined in policy.yml. Read this before moving on.
Apply the policy:

```
$ conjur policy load --namespace demo --as-group security_admin policy.yml
Create policy role 'demo/webapp1'
...
{}
```
Now we can create a host factory token using the host factory loaded in the policy.

```
$ conjur hostfactory tokens create --duration-days 7 demo/webapp1/tomcat_factory
[
  {
    "token": "gn9gmre42zj1s0hz4g2gckgjn1k9dvw311jqe8z2qmd4b41gqw1mk",
    "expiration": "2016-05-09T18:21:10+00:00",
    "cidr": [
    ]
  }
]
```
The "token" field above is your host-factory token, the bearer token that you will use to bootstrap new hosts into the tomcat_hosts layer. The token is valid for 7 days, as we've requested in the command above. You will use this token in Step 3.
Our policy defined the names of the secrets and the permissions on them, but did not give them an initial value. That's why we can check our policy into source control: it contains no sensitive information.
Let's view our secrets with the Conjur CLI:

```
$ conjur variable list -i
"dustinops:variable:demo/tomcat_policy/database_password"
"dustinops:variable:demo/tomcat_policy/api_key"
```
We applied the policy with the collection 'demo', so that is our namespace. This is how a variable id breaks down:

| Account | Type | Policy collection | Policy name | Variable name |
|---|---|---|---|---|
| dustinops | variable | demo | tomcat_policy | database_password |
We can now add values to our secrets with the Conjur CLI.

```
$ conjur variable values add demo/tomcat_policy/database_password dy9hA6glyd8Tann5yEj5
$ conjur variable values add demo/tomcat_policy/api_key nUp3Ji4op1Hu6flEc3oj
```
We'll export some variables to the environment that .kitchen.yml will pass as attributes to the Chef run.

```
export CONJUR_HOST_FACTORY_TOKEN=<token from Step 1>
export CONJUR_HOST_IDENTITY="myhost5158" # choose a unique name
# These values are in your ~/.conjurrc
export CONJUR_ACCOUNT=<account>
export CONJUR_APPLIANCE_URL=<appliance_url>
export CONJUR_SSL_CERTIFICATE_PATH=<cert_file>
```
Converge the node with test-kitchen:

```
$ kitchen converge
```
Our host has now been bootstrapped in the 'tomcat_hosts' layer. You can verify its permissions in the Conjur UI at /ui/hosts/myhost5158/.
Log into the host and view the property file. It now contains the values you entered for the variables defined in your policy.

```
$ kitchen login # use 'kitchen' as the password if prompted
$ cat /etc/myapp.xml
<Context docBase="${basedir}/src/main/webapp" reloadable="true">
  <!-- http://tomcat.apache.org/tomcat-7.0-doc/config/context.html -->
  <Parameter name="database_password" value="dy9hA6glyd8Tann5yEj5"/>
  <Environment name="app.devel.api" value="nUp3Ji4op1Hu6flEc3oj" type="java.lang.String" override="true"/>
</Context>
```
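As an added example (not the cookbook's own code, which this page does not show), the Python stand-in below reproduces what the Chef template step has to get right when it writes /etc/myapp.xml: each variable value is escaped as an XML attribute so a secret containing quotes or `&` cannot corrupt the context file, and the file is created with mode 0600 so the secrets are not world-readable. Element names match the output above; the secret values it uses are constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr


def render_context(db_password: str, api_key: str) -> str:
    """Render the Tomcat context fragment that the Chef template produces.

    quoteattr() escapes &, <, > and quotes, so a secret containing XML
    metacharacters cannot break out of the attribute or the element.
    """
    return "\n".join([
        '<Context docBase="${basedir}/src/main/webapp" reloadable="true">',
        "  <!-- http://tomcat.apache.org/tomcat-7.0-doc/config/context.html -->",
        f'  <Parameter name="database_password" value={quoteattr(db_password)}/>',
        f'  <Environment name="app.devel.api" value={quoteattr(api_key)} '
        'type="java.lang.String" override="true"/>',
        "</Context>",
        "",
    ])

def write_property_file(path: str, content: str) -> int:
    """Write the file with mode 0600 and return the permission bits on disk.

    The mode is applied on the open() call, so a world-readable copy never
    exists on disk; the chmod tightens a pre-existing file with looser bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)
    return os.stat(path).st_mode & 0o777

def read_back(path: str) -> dict:
    """Parse the rendered file and map each element's name to its value."""
    root = ET.parse(path).getroot()
    return {elem.get("name"): elem.get("value") for elem in root}

def round_trip(db_password: str, api_key: str) -> tuple:
    """Render, write and re-read in a fresh temp dir; returns (mode, values)."""
    path = os.path.join(tempfile.mkdtemp(), "myapp.xml")
    mode = write_property_file(path, render_context(db_password, api_key))
    return mode, read_back(path)

if __name__ == "__main__":
    # Constructed values: the tutorial's password and a key with XML metacharacters.
    print(round_trip("dy9hA6glyd8Tann5yEj5", 'k"ey&<1>'))
```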