# Conjur Integration

🟢 Support level: This integration is validated and supported in Reloader Enterprise. Community usage is possible, but without continuous validation or SLA.

This guide shows how to automatically restart Kubernetes workloads when CyberArk Conjur secrets change, using Stakater Reloader.
## Integration Patterns

| Pattern | How Secrets Arrive | Rotation | Reloader Compatibility | Guide |
|---|---|---|---|---|
| External Secrets Operator | ESO syncs to K8s Secret | ESO refresh interval | Best fit | ESO Guide |
| Sidecar | Sidecar updates K8s Secret | Sidecar refresh interval | Best fit | Sidecar Guide |
| CSI Driver | CSI mounts files + syncs to K8s Secret | CSI rotation interval | Works with secretObjects | CSI Guide |
## Architecture Overview

```text
┌──────────────────────────────────────────────────────────────────────────┐
│                      Golden ConfigMap Architecture                       │
├──────────────────────────────────────────────────────────────────────────┤
│                                                                          │
│  Cluster Level (conjur namespace):                                       │
│  ┌────────────────────────────────────────────────────────────────────┐  │
│  │  conjur-config-cluster-prep (Helm Chart)                           │  │
│  │  ┌────────────────────┐                                            │  │
│  │  │  Golden ConfigMap  │  Contains: CONJUR_ACCOUNT,                 │  │
│  │  │  (conjur-configmap)│  CONJUR_APPLIANCE_URL,                     │  │
│  │  └────────────────────┘  CONJUR_SSL_CERTIFICATE, etc.              │  │
│  └────────────────────────────────────────────────────────────────────┘  │
│                                    │                                     │
│                                    ▼                                     │
│  Application Namespace:                                                  │
│  ┌────────────────────────────────────────────────────────────────────┐  │
│  │  conjur-config-namespace-prep (Helm Chart)                         │  │
│  │  ┌────────────────────┐                                            │  │
│  │  │  conjur-connect    │  Copies connection info from               │  │
│  │  │  ConfigMap         │  Golden ConfigMap                          │  │
│  │  └────────────────────┘                                            │  │
│  │             │                                                      │  │
│  │             ▼                                                      │  │
│  │  ┌──────────────────────────────────────────────────────────────┐  │  │
│  │  │  Application Pod                                             │  │  │
│  │  │  ┌─────────────┐  ┌────────────────────────────────────┐     │  │  │
│  │  │  │  App        │  │  Secrets Provider Sidecar          │     │  │  │
│  │  │  │  Container  │  │  - Reads from conjur-connect       │     │  │  │
│  │  │  │             │  │  - Authenticates via JWT           │     │  │  │
│  │  │  │             │  │  - Syncs secrets to K8s Secret     │     │  │  │
│  │  │  └─────────────┘  └────────────────────────────────────┘     │  │  │
│  │  └──────────────────────────────────────────────────────────────┘  │  │
│  └────────────────────────────────────────────────────────────────────┘  │
│                                                                          │
└──────────────────────────────────────────────────────────────────────────┘
```
## Prerequisites

- Kubernetes cluster (v1.19+)
- Helm v3+
- Conjur OSS or Enterprise
- Conjur CLI installed locally
- Stakater Reloader installed
- kubectl configured with cluster access
## Install Stakater Reloader

```bash
helm repo add stakater https://stakater.github.io/stakater-charts
helm install reloader stakater/reloader --namespace reloader --create-namespace
```
## Common Setup Steps

### Step 1: Install Conjur OSS

```bash
# Add CyberArk Helm repo
helm repo add cyberark https://cyberark.github.io/helm-charts
helm repo update

# Create namespace
kubectl create namespace conjur

# Generate data key
DATA_KEY=$(docker run --rm cyberark/conjur data-key generate)

# Install Conjur with authn-jwt enabled
# (the comma in the authenticators list is escaped so Helm does not split the value)
helm install conjur cyberark/conjur-oss -n conjur \
  --set account.name=myaccount \
  --set account.create=true \
  --set dataKey="$DATA_KEY" \
  --set authenticators="authn\,authn-jwt/dev" \
  --set ssl.hostname=conjur-conjur-oss.conjur.svc.cluster.local \
  --wait --timeout 60s
```
### Step 2: Configure Conjur CLI

```bash
# Get admin API key
ADMIN_API_KEY=$(kubectl exec -n conjur deployment/conjur-conjur-oss -c conjur-oss -- \
  conjurctl role retrieve-key myaccount:user:admin)

# Get the Conjur SSL certificate
kubectl get secret -n conjur conjur-conjur-ssl-cert \
  -o jsonpath='{.data.tls\.crt}' | base64 -d > conjur.pem

# Initialize Conjur CLI (assumes Conjur is accessible via port-forward or ingress)
# Option 1: Port-forward for local access
kubectl port-forward -n conjur svc/conjur-conjur-oss 8443:443 &

# Initialize and login
conjur init \
  --url https://localhost:8443 \
  --account myaccount \
  --ca-cert conjur.pem \
  --force
conjur login -i admin -p "$ADMIN_API_KEY"
```
### Step 3: Install Golden ConfigMap (Cluster Prep)

```bash
CONJUR_SSL_CERT=$(kubectl get secret -n conjur conjur-conjur-ssl-cert \
  -o jsonpath='{.data.tls\.crt}' | base64 -d)

# -w0 disables line wrapping in GNU base64 so the value is a single line;
# macOS/BSD base64 does not wrap by default and does not accept -w, so drop it there.
helm install conjur-config-cluster cyberark/conjur-config-cluster-prep -n conjur \
  --set conjur.account=myaccount \
  --set conjur.applianceUrl="https://conjur-conjur-oss.conjur.svc.cluster.local" \
  --set conjur.certificateBase64="$(echo -n "$CONJUR_SSL_CERT" | base64 -w0)" \
  --set authnK8s.authenticatorID=dev \
  --set authnK8s.serviceAccount.create=false
```
## How Reloader Works

- **Secret Provider updates K8s Secret**: Sidecar/ESO/CSI syncs secrets from Conjur
- **Reloader detects change**: watches for Secret changes via the Kubernetes API
- **Pod restart triggered**: rolling restart of pods referencing the changed Secret
## Reloader Annotations

On Deployment:

```yaml
metadata:
  annotations:
    reloader.stakater.com/search: "true"
```

On Secret (must be an annotation, not a label):

```yaml
metadata:
  annotations:
    reloader.stakater.com/match: "true"
```
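Putting the match key under `labels` instead of `annotations` is a silent failure: the manifest applies cleanly, but Reloader never pairs the Secret with the Deployment and nothing restarts on rotation. The following is an added example (not part of this guide or the Reloader project): a POSIX shell function that uses awk to scan a manifest and report, for every `reloader.stakater.com/*` key, whether it sits under `annotations` or `labels`, plus a wrapper that returns a non-zero exit status for use in CI. The two manifests are constructed sample inputs; the names `demo-app`, `conjur-app-secrets` and the image reference are assumptions, not values from this guide.

```shell
# Added example (not from the Reloader project): check where the
# reloader.stakater.com/* keys live in a manifest. Reloader reads them only
# from metadata.annotations; the same key under metadata.labels is ignored.
# Prints one line per key: "ok <key>", "misplaced <key> ...", or "unknown <key>".
check_reloader_keys() {
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    # Entering an annotations: or labels: map; remember its indentation.
    /^[ \t]*(annotations|labels):[ \t]*$/ {
      section = $1; sub(":", "", section); sec_indent = indent($0); next
    }
    # Any non-blank line at the same or lower indentation closes the map.
    section != "" && $0 !~ /^[ \t]*$/ && indent($0) <= sec_indent { section = "" }
    /reloader\.stakater\.com\// {
      key = $1; sub(":$", "", key)
      if (section == "annotations")  print "ok " key
      else if (section == "labels")  print "misplaced " key " (under labels, Reloader ignores it)"
      else                           print "unknown " key
    }
  ' "$1"
}

# Exit status 0 when no key is misplaced, 1 otherwise (usable as a CI gate).
reloader_keys_ok() {
  if check_reloader_keys "$1" | grep -q '^misplaced'; then
    return 1
  fi
  return 0
}

# Constructed sample manifests (assumed names: demo-app, conjur-app-secrets).
GOOD_DEPLOYMENT=$(mktemp)
BAD_SECRET=$(mktemp)
trap 'rm -f "$GOOD_DEPLOYMENT" "$BAD_SECRET"' EXIT

# Correct: search key under annotations, and the Deployment references the Secret.
cat > "$GOOD_DEPLOYMENT" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
  labels:
    app: demo-app
  annotations:
    reloader.stakater.com/search: "true"
spec:
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
    spec:
      containers:
        - name: app
          image: example.com/demo-app:1.0   # placeholder image
          envFrom:
            - secretRef:
                name: conjur-app-secrets
EOF

# Wrong: the match key is under labels, so Reloader never pairs this Secret
# with the Deployment above and no restart happens when it is rotated.
cat > "$BAD_SECRET" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: conjur-app-secrets
  labels:
    reloader.stakater.com/match: "true"
type: Opaque
EOF

check_reloader_keys "$GOOD_DEPLOYMENT"
check_reloader_keys "$BAD_SECRET"
```

Run it against rendered manifests (for example the output of `helm template` or `kustomize build` saved to a file) before applying them; `reloader_keys_ok <file>` fails the step as soon as a `reloader.stakater.com/*` key is found under `labels`. The awk scanner tracks indentation rather than parsing YAML fully, which is enough for block-style manifests like the ones above but will not see keys written in flow style (`labels: {reloader.stakater.com/match: "true"}`).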