CAU 08 Conjur - Fundamentals Integrations

This document provides an overview of integrating Conjur with Jenkins and Kubernetes/OpenShift. It discusses how Conjur can securely manage secrets for these platforms by storing secrets in its database and using policies to control access. The document reviews how the Conjur plugin retrieves secrets dynamically for Jenkins pipelines and freestyle projects and how secrets can be injected as environment variables for Kubernetes/OpenShift builds. Additional resources for documentation, tutorials and the Conjur marketplace are also referenced.


Integrations Overview

This lesson provides a high-level overview of use cases and integrations for a Conjur implementation.

Lesson Objectives

Upon completion of this lesson the participant will be able to:

► Preview resources available to learn more about Conjur
► Learn an overview of integrating Conjur with Jenkins
► Learn an overview of integrating Conjur with Red Hat OpenShift and/or Kubernetes
► Discover additional tutorials and demos available

Copyright © 2023 CyberArk Software Ltd. All rights reserved. cyberark.com
Documentation & Resources



CyberArk Online Documentation

• Access anytime from any device
• Fully searchable and indexed
• v10.1 to Latest
• Categorized by product and function for ease of navigation
• Highlight and print features

https://docs.cyberark.com



CyberArk Marketplace

• Search, Discover, and Download
• Extend the capabilities and functionality of CyberArk solutions
• Trusted solutions developed by CyberArk and certified partners
• Wide, diverse range of solutions categorized and tagged for ease of search and discovery
• Easily navigate by CyberArk Solution, Category, Certification and Support, or Developed by CyberArk or specific vendor or software partner

https://cyberark-customers.force.com/mplace/s/



CyberArk Tech Community

• News & Announcements
• Forum and Knowledge Sharing
• Knowledgebase
• Enhancement Requests

https://cyberark-customers.force.com/s/



Education Resources

• Online access to a knowledgebase with critical insight, industry trends, practices, and standards, case studies, and much more
• Search, Discover, and Download
• Access anytime from any device
• Download and access eBooks, Case Studies, Webinars, Whitepapers, Brochures, Datasheets, and Solution Briefs

https://www.cyberark.com/resources/
Integrations Overview



• Full integration support with CyberArk Vault & Privilege Cloud
• Many out-of-the-box supported integrations
• DevOps toolchain, Cloud platforms and container services, authentication methods, logging, and more

https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/HomeTilesLPs/LP-Tile4.htm



Jenkins: Securing Secrets



How Secrets are Managed/Stored inside Jenkins

• Secrets are automatically encrypted/decrypted

• Secrets retrieved using variables

• Logs and Pipeline output DO NOT expose secrets

• Secrets must be manually entered / stored

• Changing secrets requires manual effort requiring downtime

• Administrative difficulty leads to secrets not being managed



172k+ Jenkins instances publicly exposed

Only 19k+ using HTTPS (Validation is unknown)



CloudBees Jenkins Enterprise & Open Source



• Integrates with CloudBees Jenkins Enterprise and Open Source
• Retrieve secrets dynamically at run-time using Conjur for use in Pipeline and/or Freestyle projects
• Central Secrets management and retrieval
• Audit and reporting functionality for compliance
• Role-based access controls (RBAC) for each application and/or job to provision secure access to secrets
• Maintain least privilege and separation of duties through Conjur policy
• Supports JWT Authentication

For more information refer to: Jenkins Integration



• Store and manage Secrets in Conjur database
• Provision Secrets authentication and authorization to Conjur using Policy
• Conjur Jenkins Plugin installed on Jenkins host
• Jenkins Pipeline or Freestyle projects simply reference Conjur Variable using configured Jenkins ID

Policy Elements:
– Create and define one or more Jenkins hosts
– Grant each Jenkins host authentication access to Conjur
– Grant each Jenkins host authorization access to each Secret(s) in Conjur
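The following Conjur policy is a constructed example added here, not material from the course, and shows the three policy elements listed above in one file: a Jenkins host is declared and collected in a group, the group is permitted to authenticate against an authn-jwt webservice (assumed to be already loaded at conjur/authn-jwt/jenkins, matching the JWT authentication the plugin supports), and the group is permitted to read and execute one variable. Every id in it (jenkins, ci-controller, ci-hosts, app-secrets, db-password) is invented.

```yaml
# Constructed example policy; all ids are invented.

# 1. Create and define one or more Jenkins hosts
- !policy
  id: jenkins
  body:
    - !host
      id: ci-controller            # identity of one Jenkins host
    - !group ci-hosts              # group so that permits are written once
    - !grant
      role: !group ci-hosts
      member: !host ci-controller

# 2. Grant each Jenkins host authentication access to Conjur
#    (assumes an authn-jwt service "jenkins" already exists; the
#    host annotations that map JWT claims to this host are omitted)
- !permit
  role: !group jenkins/ci-hosts
  privileges: [ authenticate ]
  resource: !webservice conjur/authn-jwt/jenkins

# 3. Grant each Jenkins host authorization access to each secret
- !policy
  id: app-secrets
  body:
    - !variable db-password        # referenced from Jenkins by its credential ID
    - !permit
      role: !group jenkins/ci-hosts
      privileges: [ read, execute ]   # execute fetches the value, read sees metadata
      resource: !variable db-password
```

Adding a second Jenkins host is a new !host plus a !grant into ci-hosts; the authentication and variable permits do not change, which is what keeps least privilege and separation of duties manageable as the number of jobs grows.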
1. Log in to Jenkins as an administrator
2. Navigate to Jenkins → Manage Jenkins → Manage Plugins
3. Search for Conjur Secrets plugin and install
4. Restart Jenkins

Jenkins Plugins: https://plugins.jenkins.io/conjur-credentials/



1. Download the Conjur.hpi file from GitHub
2. Log in to Jenkins as an administrator
3. Navigate to Jenkins → Manage Jenkins → Manage Plugins
4. Click the Advanced tab
5. In the Upload Plugin section, browse for the Conjur.hpi file
6. Click Upload Plugin
7. Restart Jenkins

GitHub Download: https://github.com/cyberark/conjur-credentials-plugin/releases
Conjur Jenkins Plugin Usage

Pipeline code example: Reference Secrets in Pipeline code using withCredentials and conjurSecretCredential.

Freestyle project example: Secrets are injected as environment variables to build steps of the project.



Kubernetes / OpenShift: Securing Secrets



Conjur OpenShift / Kubernetes Integration Overview

OBJECTIVE/PURPOSE:
Secure Secrets for applications running in RedHat OpenShift or Google Kubernetes Engine (GKE)

SUPPORTED AUTHENTICATORS:
• authn-k8s (End-to-end encryption of secrets through mutual TLS)
• authn-jwt (JSON web token authentication with JWT provider)

FEATURES/BENEFITS:
• Simple, secure and seamless method for retrieving secrets in containers
• Robust authentication and authorization incorporating Conjur security policy
• Segregation of Duty between applications – SoD using Conjur policy for Security Teams (access control) & DevOps (application control)
• Secrets rotation and centralized auditing & reporting
• Conjur Follower running inside OpenShift / Kubernetes
  – Elastic, scalable, and high-performance (scale-out made easy: Add Followers)



Architecture (labels recovered from the slide diagram):

Conjur HA Cluster: Deploy Leader and Standbys outside of Kubernetes (Master with Standbys).

Conjur Followers: Deploy Followers inside or outside Kubernetes to sync w/ HA Cluster. Follower pods (Conjur Follower & authenticator) run in a separate namespace behind a Follower Service.

Sidecar / Init Container: Used to authenticate applications using Conjur access tokens. Deploy in application namespace.

Application(s) Container: Deploy in application namespace. Each application pod contains the K8S Authenticator Client, a Shared Volume, and the Application Container (CyberArk Summon).

To use authn-k8s native authentication, Follower(s) must be inside Kubernetes.



authn-k8s: Kubernetes authenticator client is required to run in the same pod as the application code

Method: init
An init container does not run continuously and therefore uses fewer resources. Run the Kubernetes Authenticator Client as an init container for applications that do not need to fetch rotated secrets; that is, the applications are not using the Conjur rotator services. The init container provides the application with one initial access token and then it exits. The application uses the token to get its required secrets and does not require any further Conjur access. The provided access token expires after 8 minutes.

Method: sidecar
A sidecar container runs continuously along with your application. Run the Kubernetes Authenticator Client as a sidecar for applications that need continuous access to Conjur to fetch updated secrets when they are rotated. The sidecar is a continuous process, generating a refreshed token value every few minutes (6 minutes, by default). An access token has a time-to-live of 8 minutes.

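A constructed Pod manifest, added here and not part of the course material, that puts the init method above together with the shared volume from the architecture diagram: the authenticator client obtains one access token, writes it to an in-memory volume and exits, and the application container reads the token (valid for 8 minutes) from the same mount. The environment variable names are assumed to match those the cyberark/conjur-authn-k8s-client image reads; the account, Follower URLs, authn-k8s service id, host id layout, namespace and image names are invented.

```yaml
# Constructed example (not from the course): authenticator in init mode.
# It obtains one Conjur access token, writes it to a shared in-memory
# volume and exits; the application reads the token from that volume.
apiVersion: v1
kind: Pod
metadata:
  name: demo-app                    # invented
  namespace: app-ns                 # invented application namespace
spec:
  serviceAccountName: demo-app-sa   # invented; referenced in the host id below
  volumes:
    - name: conjur-access-token
      emptyDir:
        medium: Memory              # token stays in RAM, never on node disk
  initContainers:
    - name: authenticator
      image: cyberark/conjur-authn-k8s-client
      env:
        - name: CONTAINER_MODE
          value: init               # "sidecar" would refresh the token every 6 minutes
        - name: MY_POD_NAME
          valueFrom: { fieldRef: { fieldPath: metadata.name } }
        - name: MY_POD_NAMESPACE
          valueFrom: { fieldRef: { fieldPath: metadata.namespace } }
        - name: CONJUR_ACCOUNT
          value: myorg              # invented account name
        - name: CONJUR_APPLIANCE_URL   # invented Follower service in its own namespace
          value: https://conjur-follower.conjur-ns.svc.cluster.local
        - name: CONJUR_AUTHN_URL       # authn-k8s service id "my-cluster" is invented
          value: https://conjur-follower.conjur-ns.svc.cluster.local/authn-k8s/my-cluster
        - name: CONJUR_AUTHN_LOGIN     # assumed host id layout for an authn-k8s host
          value: host/conjur/authn-k8s/my-cluster/apps/app-ns/service_account/demo-app-sa
        - name: CONJUR_SSL_CERTIFICATE # Follower CA cert, assumed to live in a ConfigMap
          valueFrom: { configMapKeyRef: { name: conjur-cert, key: ssl-certificate } }
      volumeMounts:
        - name: conjur-access-token
          mountPath: /run/conjur
  containers:
    - name: app
      image: example/demo-app:1.0     # invented
      env:
        - name: CONJUR_AUTHN_TOKEN_FILE   # where Summon or a Conjur SDK picks up the token
          value: /run/conjur/access-token
      volumeMounts:
        - name: conjur-access-token
          mountPath: /run/conjur
          readOnly: true              # the application only needs to read the token
```

Because the init container has exited, nothing in this pod can refresh the token; an application that must pick up rotated secrets after the 8-minute expiry needs CONTAINER_MODE set to sidecar and the authenticator moved under containers.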


Each option uses the same strong authentication method which leverages native pod attributes.

Secretless Broker
Brokers the connection to the target resource.
Key advantages: No Secrets delivered to the application; No code changes required; Supports rotations.
Other considerations: Requires a service connector to the target (select from list of available connectors).

APIs
Uses API calls to retrieve secrets.
Key advantages: Available APIs for Java, Ruby, Go, .NET; REST API.
Other considerations: Requires code change in the application; Deployments require more steps.

Summon
Fetches secrets and makes them available to the application as environment variables.
Key advantages: No code change required; CyberArk open source.
Other considerations: Rotations are not supported – requires a pod restart when password changes.

Push to Kubernetes Secrets
Uses Init container to fetch secrets and push them into Kubernetes Secrets.
Key advantages: Easier deployment; Native experience for developers that already use Kubernetes Secrets.
Other considerations: Uses Kubernetes RBAC and Audit functions (vs. central CyberArk functions); Secrets are stored externally to the pod in Kubernetes Secrets.



Conjur Demos & Quickstart



GitHub: Conjur Demos

• Tour Conjur with hands-on demos
• Learn topics including:
  – Scalable machine identity
  – Policy-based management
  – Secure secrets retrieval
  – Integrations

Requirements:
✓ Conjur Secrets Manager Enterprise or Conjur Open Source
✓ Clone GitHub repository

https://github.com/conjurdemos



GitHub: Conjur Quickstart

• Sample installation guide of Conjur Open Source using Docker compose
• Step by step guide to quickly demonstrate Conjur using a demo app to securely retrieve secrets

Requirements:
✓ Linux host running Docker
✓ Clone GitHub repository

https://github.com/cyberark/conjur-quickstart
Summary



In this session we discussed:

• Conjur Integrations Documentation & Resources
• Conjur Jenkins Integration Overview
• Conjur OpenShift / Kubernetes Integration Overview
• Demos & QuickStart Resources

Lab Section Exercise



Thank You
