This will set up a new demo environment that shows off the features of Conjur Enterprise in conjunction with common DevOps tools. The tools all run as Docker containers attached to the same Docker network, which allows DNS resolution of each container by its container name.
The demo uses the latest version of Conjur v5.
- Docker
- Ansible Engine
- Ansible Tower
- Jenkins
- Gogs
- Conjur CLI & Summon
- Conjur Enterprise v5 or Conjur OSS
- Weavescope
- Splunk (Requires Conjur Enterprise v5)
- Clone this repo.
- Obtain the latest Conjur tar file and place it within the cDemo directory named `conjur.tar` (or `.tar.gz` or `.tgz`).
- If no tar file is found, cdemo will check for Conjur Docker registry access. If your environment is set up to access the private Conjur registry, cdemo will pull the latest Conjur Enterprise image directly from the registry. cdemo will automatically pull Conjur OSS if there is neither a tar file nor Conjur Docker registry access.
- Run `bin/install-ansible`.
- Verify that Ansible 2.7.x has been installed by running `ansible --version`.
- Edit `conjurDemo/inventory.yml` to include any machines to be stood up as demo machines, and to select which tools are installed. Set each tool variable to 'YES' to install it automatically, or to 'NO' to skip it. Some services (Conjur, Gogs, Jenkins) are required, and installation of cdemo will not finish without them.
- Run `bin/install` to install cdemo.
- To uninstall cdemo and its dependencies, run `bin/clean-environment`.
Note: Ansible with PAS jobs can be deployed by setting the variable `ansible_pas: 'YES'` in `conjurDemo/inventory.yml`.
By default, cdemo will build with Conjur Open Source which is available to everyone as LGPL software. However, if you have access to Conjur Enterprise, cdemo can use that instead.
In order to enable Conjur Enterprise, you need an archive containing the Conjur Enterprise appliance image in the root directory of cdemo (same as this readme.)
If you have access to a Docker registry containing Conjur Enterprise, you can create the archive yourself like so:
$ docker image save registry.local/conjur-appliance:5.0-stable | gzip -c >conjur.tgz
If you don't have access, you can download the archive file from your CyberArk support vault or contact CyberArk sales to get access. After downloading the archive file, move it to this folder.
Note: in order to be recognized as a Conjur Enterprise archive file, it must have one of these names:
conjur.tar
conjur.tar.gz
conjur.tgz
Any other archive file(s) will be ignored.
Use case: I have Conjur Enterprise in a local registry & don't want to mess with creating archive files
In this case, you can enable Conjur Enterprise with these steps:
- edit `cdemo/conjurDemo/roles/conjurConfig/defaults/main.yml`
- change `conjur_version` to `EE`
- change `conjur_EE_image_name` to the fully qualified name of the Conjur Enterprise appliance image in your local registry.
Now cdemo will use Conjur Enterprise without requiring an archive file.
The Conjur CLI will be pre-configured to work with the Conjur container. Inside the CLI container, the scripts folder is mounted to `/scripts`.
- CentOS 7 OS
- Internet Connection
- 4 vCPU
- 8 GB RAM
- 32 GB hdd space at minimum
- Ansible v2.7
The tools installed have web interfaces that are made accessible to the host machine on the following network ports:

| Tool | Port |
|---|---|
| Jenkins | 6060 |
| Gogs | 10080 |
| Ansible Tower | 8080 |
| Conjur | 443 |
| Weavescope | 4040 |
If using v5 Enterprise Edition:

| Tool | Port |
|---|---|
| Splunk | 8000 |
- Jenkins - No credentials needed right now
- Conjur - U: admin P: Cyberark1
- Conjur - U: mike P: Cyberark1
- Conjur - U: paul P: Cyberark1
- Conjur - U: cindy P: Cyberark1
- Conjur - U: john P: Cyberark1
- Conjur - U: eva P: Cyberark1
- AWX - U: eva P: Cyberark1
- Gogs - U: eva P: Cyberark1
- Splunk - U: admin P: Cyberark1
Jenkins and Gogs are connected via an internal Docker network. Updating a job in Gitlab will be reflected in the subsequent Jenkins job at runtime.
- JOB1_Summon - This job uses Summon and the Jenkins identity to pull a password with a simplified script.
- JOB2_Containers - This job spins up 5 webapp and 5 tomcat containers that all pull back a password. Jenkins generates a hostfactory token for each set of containers and then passes an identity through container environment variables. Each container will then pull a password every 5 seconds.
- JOB2_Rotation - This job rotates the secret being pulled by the containers.
- JOB2_StopContainers - This job kills all of the tomcat and webapp containers.
AWX and Gogs are connected via an internal Docker network. All projects in AWX have their source code in Gogs.
- LAB3_AnsibleBuildContainers (Jenkins) - Creates target for Ansible job.
- LAB3_AnsibleConjurIdentity - Pushes a Conjur identity to a remote machine that is set up with the job above.
- LAB3_AnsibleConjurLookup - Returns a value from Conjur if the Ansible node has a Conjur identity.
- LAB3_AnsibleStopContainers (Jenkins) - Removes target and clears awx known_hosts.
There are scripts that are copied into the conjur-cli container that will interact with Conjur via REST calls to step through:
- Hostfactory creation
- Identity creation using hostfactory token
- Pull password using identity
The scripts are located in `/scripts`. You can connect to the conjur-cli container with:
$ sudo docker exec -it conjur-cli bash
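The three steps those scripts walk through (and the pattern JOB2_Containers uses: mint a hostfactory token, enrol a host with it, pull a password as that host) expressed as Conjur v5 REST calls. This is an added example, not one of cdemo's own `/scripts`; the account name `cdemo`, the host factory id `webapp`, the host id and the variable id are assumptions, and the `http` argument exists so the calls can be exercised against a fake transport.

```python
import base64
import json
import urllib.request
from urllib.parse import quote, urlencode

# Added example, not one of cdemo's own scripts. Account, host factory and
# variable ids below are assumptions chosen for illustration.


def _urllib_http(method, url, headers, body=None):
    """Default transport: returns (status, body text). urllib verifies TLS by default."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


class ConjurV5:
    def __init__(self, base_url, account, http=_urllib_http):
        self.base_url, self.account, self.http = base_url.rstrip("/"), account, http

    def _call(self, method, url, headers, body=None):
        status, text = self.http(method, url, headers, body)
        if status not in (200, 201):
            raise RuntimeError("%s %s failed: HTTP %s" % (method, url, status))
        return text

    def authenticate(self, login, api_key):
        # Exchange an API key for a short-lived access token; v5 base64-wraps the JSON token.
        url = "%s/authn/%s/%s/authenticate" % (self.base_url, self.account, quote(login, safe=""))
        token = self._call("POST", url, {"Content-Type": "text/plain"}, api_key.encode())
        return {"Authorization": 'Token token="%s"' % base64.b64encode(token.encode()).decode()}

    def create_hostfactory_token(self, auth, hostfactory_id, expiration, cidr=None):
        # Mint a one-off enrolment token, bounded by expiry and (optionally) source CIDR.
        form = {"host_factory": "%s:host_factory:%s" % (self.account, hostfactory_id), "expiration": expiration}
        if cidr:
            form["cidr"] = cidr
        headers = dict(auth, **{"Content-Type": "application/x-www-form-urlencoded"})
        text = self._call("POST", self.base_url + "/host_factories/host_factory_tokens", headers, urlencode(form).encode())
        return json.loads(text)[0]["token"]

    def create_host(self, hf_token, host_id):
        # Redeem the hostfactory token (sent raw, not base64) to create a host; returns its API key.
        headers = {"Authorization": 'Token token="%s"' % hf_token, "Content-Type": "application/x-www-form-urlencoded"}
        text = self._call("POST", self.base_url + "/host_factories/hosts", headers, urlencode({"id": host_id}).encode())
        return json.loads(text)["api_key"]

    def get_secret(self, auth, variable_id):
        url = "%s/secrets/%s/variable/%s" % (self.base_url, self.account, quote(variable_id, safe=""))
        return self._call("GET", url, auth)
```

The host API key returned by `create_host` is what JOB2_Containers hands each container through its environment; only the short-lived access token from `authenticate` is sent on secret reads.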