# Conjur Integration

This guide shows how to use Stakater Reloader to automatically restart Kubernetes workloads when CyberArk Conjur secrets change.
## Integration Patterns

| Pattern | How Secrets Arrive | Rotation | Reloader Compatibility | Guide |
|---|---|---|---|---|
| External Secrets Operator | ESO syncs to K8s Secret | ESO refresh interval | Best fit | ESO Guide |
| Sidecar | Sidecar updates K8s Secret | Sidecar refresh interval | Best fit | Sidecar Guide |
| CSI Driver | CSI mounts files + syncs to K8s Secret | CSI rotation interval | Works with `secretObjects` | CSI Guide |
## How It Works

```mermaid
sequenceDiagram
    actor Ops as Operator
    participant C as CyberArk Conjur
    participant Sync as Secret Sync<br/>(ESO / Sidecar / CSI)
    participant K8s as Kubernetes Secret
    participant RL as Reloader
    participant Pod as Application Pod
    Ops->>C: Rotate secret
    loop Poll / refresh interval
        Sync->>C: Fetch latest secret value
        C-->>Sync: Updated value
    end
    Sync->>K8s: Update Secret data
    K8s-->>RL: Watch event (Secret changed)
    RL->>Pod: Trigger rolling restart
    Note over Pod: New pod starts with updated secret
```
## Prerequisites
- Kubernetes cluster (v1.19+)
- Helm v3+
- Conjur OSS or Enterprise
- Conjur CLI installed locally
- Stakater Reloader installed
- kubectl configured with cluster access
## Install Stakater Reloader

```bash
helm repo add stakater https://stakater.github.io/stakater-charts
helm install reloader stakater/reloader --namespace reloader --create-namespace
```
## Common Setup Steps

### Step 1: Install Conjur OSS

```bash
# Add CyberArk Helm repo
helm repo add cyberark https://cyberark.github.io/helm-charts
helm repo update

# Create namespace
kubectl create namespace conjur

# Generate data key
DATA_KEY=$(docker run --rm cyberark/conjur data-key generate)

# Install Conjur with authn-jwt enabled (the comma in the authenticator list is escaped for Helm)
helm install conjur cyberark/conjur-oss -n conjur \
  --set account.name=myaccount \
  --set account.create=true \
  --set dataKey="$DATA_KEY" \
  --set authenticators="authn\,authn-jwt/dev" \
  --set ssl.hostname=conjur-conjur-oss.conjur.svc.cluster.local \
  --wait --timeout 60s
```
### Step 2: Configure Conjur CLI

```bash
# Get admin API key
ADMIN_API_KEY=$(kubectl exec -n conjur deployment/conjur-conjur-oss -c conjur-oss -- \
  conjurctl role retrieve-key myaccount:user:admin)

# Get the Conjur SSL certificate
kubectl get secret -n conjur conjur-conjur-ssl-cert \
  -o jsonpath='{.data.tls\.crt}' | base64 -d > conjur.pem

# Initialize Conjur CLI (assumes Conjur is reachable via port-forward or ingress)
# Option 1: Port-forward for local access
kubectl port-forward -n conjur svc/conjur-conjur-oss 8443:443 &

# Initialize and login (the API key is quoted so the shell passes it through unchanged)
conjur init \
  --url https://localhost:8443 \
  --account myaccount \
  --ca-cert conjur.pem \
  --force
conjur login -i admin -p "$ADMIN_API_KEY"
```
### Step 3: Install Golden ConfigMap (Cluster Prep)

```bash
CONJUR_SSL_CERT=$(kubectl get secret -n conjur conjur-conjur-ssl-cert \
  -o jsonpath='{.data.tls\.crt}' | base64 -d)

helm install conjur-config-cluster cyberark/conjur-config-cluster-prep -n conjur \
  --set conjur.account=myaccount \
  --set conjur.applianceUrl="https://conjur-conjur-oss.conjur.svc.cluster.local" \
  --set conjur.certificateBase64="$(echo -n "$CONJUR_SSL_CERT" | base64 -w0)" \
  --set authnK8s.authenticatorID=dev \
  --set authnK8s.serviceAccount.create=false
```
## How Reloader Works

- **Secret Provider updates K8s Secret**: Sidecar/ESO/CSI syncs secrets from Conjur
- **Reloader detects change**: watches for Secret changes via the Kubernetes API
- **Pod restart triggered**: rolling restart of pods referencing the changed Secret
## Reloader Annotations

On Deployment:

```yaml
metadata:
  annotations:
    reloader.stakater.com/search: "true"
```

On Secret (must be an annotation, not a label):

```yaml
metadata:
  annotations:
    reloader.stakater.com/match: "true"
```
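The "How Reloader Works" steps and the annotation rules above are easy to get subtly wrong (a `match` label instead of an annotation, or a Deployment that never actually mounts the Secret), and the failure mode is silent: the secret rotates in Conjur, the Kubernetes Secret updates, and nothing restarts. The following is an added example, not code from the Reloader project or from CyberArk: a small offline checker that takes a Deployment and its Secrets as plain dicts (the JSON shape `kubectl get ... -o json` returns) and reports whether a Secret change would trigger a rolling restart under the `search`/`match` pattern. The sample manifests are constructed for the example, and the data hash is a simplified model of change detection, not Reloader's own hashing scheme.

```python
"""Offline checker for the Reloader search/match annotation pattern (added example)."""
import hashlib
import json

SEARCH_ANNOTATION = "reloader.stakater.com/search"
MATCH_ANNOTATION = "reloader.stakater.com/match"


def referenced_secrets(deployment):
    """Names of Secrets the pod template consumes via env, envFrom or volumes."""
    names = set()
    spec = deployment["spec"]["template"]["spec"]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                names.add(src["secretRef"]["name"])
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
    return names


def secret_data_hash(secret):
    """Stable digest of a Secret's data so a change is detectable across two reads.

    Simplified model for illustration, not Reloader's actual hashing.
    """
    canonical = json.dumps(secret.get("data") or {}, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def check_reload_wiring(deployment, secrets):
    """For each Secret, report whether a change would restart the Deployment and why not otherwise."""
    findings = {}
    dep_ann = deployment.get("metadata", {}).get("annotations") or {}
    search_on = dep_ann.get(SEARCH_ANNOTATION) == "true"
    refs = referenced_secrets(deployment)
    for s in secrets:
        name = s["metadata"]["name"]
        ann = s["metadata"].get("annotations") or {}
        lab = s["metadata"].get("labels") or {}
        problems = []
        if not search_on:
            problems.append('Deployment lacks reloader.stakater.com/search="true"')
        if name not in refs:
            problems.append("Deployment does not reference this Secret (env, envFrom or volume)")
        if ann.get(MATCH_ANNOTATION) != "true":
            if lab.get(MATCH_ANNOTATION) == "true":
                problems.append("match is set as a label; Reloader requires an annotation")
            else:
                problems.append('Secret lacks reloader.stakater.com/match="true" annotation')
        findings[name] = {"restart_on_change": not problems, "problems": problems}
    return findings


def would_restart(deployment, old_secret, new_secret):
    """True only when the wiring is correct AND the Secret data actually changed."""
    name = new_secret["metadata"]["name"]
    wiring = check_reload_wiring(deployment, [new_secret])[name]
    return wiring["restart_on_change"] and secret_data_hash(old_secret) != secret_data_hash(new_secret)


# Constructed sample manifests (not from the page or a real cluster).
DEPLOYMENT = {
    "metadata": {"name": "app", "annotations": {SEARCH_ANNOTATION: "true"}},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "app",
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
        }],
        "volumes": [{"name": "api", "secret": {"secretName": "api-key"}}],
    }}},
}
# Correctly annotated Secret, before and after a rotation (values are base64 of sample strings).
DB_CREDS_V1 = {"metadata": {"name": "db-creds", "annotations": {MATCH_ANNOTATION: "true"}},
               "data": {"password": "b2xkLXBhc3N3b3Jk"}}
DB_CREDS_V2 = {"metadata": {"name": "db-creds", "annotations": {MATCH_ANNOTATION: "true"}},
               "data": {"password": "bmV3LXBhc3N3b3Jk"}}
# Common mistake: match placed under labels instead of annotations.
API_KEY_MISLABELED = {"metadata": {"name": "api-key", "labels": {MATCH_ANNOTATION: "true"}},
                      "data": {"key": "c2VjcmV0"}}

if __name__ == "__main__":
    for name, f in check_reload_wiring(DEPLOYMENT, [DB_CREDS_V1, API_KEY_MISLABELED]).items():
        status = "OK" if f["restart_on_change"] else "WILL NOT RESTART"
        print(f"{name}: {status} {f['problems']}")
    print("db-creds rotation triggers restart:", would_restart(DEPLOYMENT, DB_CREDS_V1, DB_CREDS_V2))
```

Running it prints `db-creds: OK []` and `api-key: WILL NOT RESTART [...]` with the label-versus-annotation problem spelled out, which is exactly the check worth running against exported manifests before trusting a rotation to propagate.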