Kubernetes Manifests for Secrets Provider for K8s in Sidecar Mode PoC
#!/bin/bash
# Step 01: create the PoC namespace and the ServiceAccount the demo pod runs as.
# The ServiceAccount is the identity the Deployment's serviceAccountName refers to
# and the subject bound to the Role in the RBAC step.
kubectl create namespace cyberark-poc
kubectl create serviceaccount --namespace cyberark-poc cyberark-poc-app-sa
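#!/bin/bash
# Step 02: RBAC for the Secrets Provider.
# The provider runs under cyberark-poc-app-sa and has to read and update the
# Kubernetes Secret it populates. The grant is scoped with resourceNames to that
# one Secret instead of every Secret in the namespace (least privilege); get and
# update are name-addressable verbs, so resourceNames applies to them.
# Delimiter quoted: nothing in the manifest needs shell expansion.
kubectl apply -f - <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secrets-access
  namespace: cyberark-poc
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # The Secret named in K8S_SECRETS on the Deployment; add further names here
    # if more Secrets are handed to the provider.
    resourceNames: ["db-credentials"]
    verbs: ["get", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secrets-access-binding
  namespace: cyberark-poc
subjects:
  - kind: ServiceAccount
    name: cyberark-poc-app-sa
    namespace: cyberark-poc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secrets-access
EOF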
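#!/bin/bash
# Step 03: capture the TLS certificate chain presented by the tenant's Secrets
# Manager endpoint. The resulting .pem is what the ConfigMap step places in
# CONJUR_SSL_CERTIFICATE, so the Secrets Provider will trust exactly what is
# written here.
#
# Fail early if the tenant subdomain is not set: unset and unquoted, the
# original command connected to ".secretsmgr.cyberark.cloud", hid the error
# behind 2>/dev/null and left an empty .pem behind.
: "${TENANT_SUBDOMAIN:?set TENANT_SUBDOMAIN to your Secrets Manager tenant subdomain}"

host="${TENANT_SUBDOMAIN}.secretsmgr.cyberark.cloud"
out="cyberark-secretsmgr.pem"

# -showcerts prints every certificate the server sends; sed keeps only the PEM
# blocks. stderr is discarded on purpose (s_client is chatty), so the result is
# checked explicitly below.
openssl s_client -showcerts -connect "${host}:443" -servername "${host}" < /dev/null 2> /dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "${out}"

# An empty file means the connection or handshake failed, not a usable chain.
if [ ! -s "${out}" ]; then
  echo "no certificate retrieved from ${host}; check the subdomain and network path" >&2
  exit 1
fi

# This is a trust-on-first-use capture: confirm the subject/issuer/expiry of the
# leaf are what you expect before the chain is pinned into the cluster config.
openssl x509 -in "${out}" -noout -subject -issuer -enddate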
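#!/bin/bash
# Step 04: ConfigMap with the Secrets Manager connection settings that the
# Secrets Provider consumes via envFrom (configMapRef: conjur-config).
#
# The chain captured in step 03 is inserted automatically instead of pasted by
# hand: the heredoc delimiter is unquoted so the command substitution runs, and
# sed indents every line of the .pem by four spaces so it sits under the `|-`
# block scalar with the alignment the manifest needs.
: "${TENANT_SUBDOMAIN:?set TENANT_SUBDOMAIN to your Secrets Manager tenant subdomain}"

pem="cyberark-secretsmgr.pem"
if [ ! -s "${pem}" ]; then
  echo "${pem} is missing or empty; run step 03 first" >&2
  exit 1
fi

kubectl apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: conjur-config
  namespace: cyberark-poc
data:
  CONJUR_APPLIANCE_URL: "https://${TENANT_SUBDOMAIN}.secretsmgr.cyberark.cloud/api"
  CONJUR_ACCOUNT: "conjur"
  CONJUR_AUTHN_URL: "https://${TENANT_SUBDOMAIN}.secretsmgr.cyberark.cloud/api/authn-jwt/k8s"
  CONJUR_JWT_SERVICE_ID: "k8s"
  # Not sensitive: this is the server certificate chain, not a private key.
  CONJUR_SSL_CERTIFICATE: |-
$(sed 's/^/    /' "${pem}")
EOF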
#!/bin/bash
# Step 05: placeholder Secret that the Secrets Provider fills in.
# conjur-map pairs each key the demo app reads (username, password, address)
# with the Secrets Manager variable path it is sourced from; no secret values
# are committed here, only the mapping.
# Delimiter quoted: nothing in the manifest needs shell expansion.
kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: cyberark-poc
stringData:
  conjur-map: |-
    username: data/vault/SecretsManagerTestSafe/Database-MSSql-10.0.0.1-sa/username
    password: data/vault/SecretsManagerTestSafe/Database-MSSql-10.0.0.1-sa/password
    address: data/vault/SecretsManagerTestSafe/Database-MSSql-10.0.0.1-sa/address
EOF
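#!/bin/bash
# Step 06: demo Deployment with the Secrets Provider running next to the app.
# Both containers share the ServiceAccount; the provider gets the projected
# token at /var/run/secrets/tokens/jwt and its connection settings from the
# conjur-config ConfigMap, and writes into the db-credentials Secret that the
# demo app reads via secretKeyRef.
#
# Fix vs. the first draft: CONTAINER_MODE was "init" while the
# conjur.org/container-mode annotation said "sidecar"; the two now agree, which
# is also the only mode in which secrets-refresh-interval is meaningful.
# Delimiter quoted: nothing in the manifest needs shell expansion.
kubectl apply -f - <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: cyberark-poc-demo
  name: cyberark-poc-demo
  namespace: cyberark-poc
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cyberark-poc-demo
  template:
    metadata:
      labels:
        app: cyberark-poc-demo
      annotations:
        # Annotation values are always strings; quoted so generic YAML tooling
        # never retypes them.
        conjur.org/container-mode: "sidecar"
        conjur.org/secrets-refresh-interval: "10s"
    spec:
      serviceAccountName: cyberark-poc-app-sa
      containers:
        - name: demo-app
          image: busybox:1.35
          # PoC only: `env | grep DB_` prints the secret values into the
          # container log, readable by anyone with access to `kubectl logs`.
          command: ["/bin/sh", "-c", "echo 'App starting with secrets:'; env | grep DB_; sleep 3600"]
          imagePullPolicy: IfNotPresent
          env:
            - name: DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: password
            - name: DB_HOST
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: address
        - name: cyberark-secrets-provider-for-k8s
          # TODO: pin to a released tag or image digest. A floating ":latest"
          # combined with IfNotPresent means each node may keep running whatever
          # build it pulled first, with no way to tell which one that is.
          image: 'cyberark/secrets-provider-for-k8s:latest'
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: conjur-status
              mountPath: /conjur/status
            - name: jwt-token
              mountPath: /var/run/secrets/tokens
            - name: conjur-access-token
              mountPath: /run/conjur
            - name: conjur-certs
              mountPath: /etc/conjur/ssl
            - name: podinfo
              mountPath: /conjur/podinfo
          env:
            - name: JWT_TOKEN_PATH
              value: /var/run/secrets/tokens/jwt
            # Must match the conjur.org/container-mode annotation above.
            - name: CONTAINER_MODE
              value: sidecar
            - name: MY_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: K8S_SECRETS
              value: db-credentials
            - name: SECRETS_DESTINATION
              value: k8s_secrets
          envFrom:
            - configMapRef:
                name: conjur-config
      volumes:
        # Memory-backed so tokens and status never touch node disk.
        - name: conjur-status
          emptyDir:
            medium: Memory
        - name: jwt-token
          projected:
            sources:
              - serviceAccountToken:
                  path: jwt
                  expirationSeconds: 6000
                  audience: conjur
        - name: conjur-access-token
          emptyDir:
            medium: Memory
        - name: conjur-certs
          emptyDir:
            medium: Memory
        # Exposes the pod annotations to the provider at /conjur/podinfo/annotations.
        - name: podinfo
          downwardAPI:
            defaultMode: 420
            items:
              - path: annotations
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.annotations
EOF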