CyberArk Conjur Service Broker for VMware Tanzu

This documentation describes the CyberArk Conjur Service Broker for VMware Tanzu. This Service Broker provides Conjur machine identity management and authentication, policy-based authorization, and other Conjur services to your VMware Tanzu applications and microservices.

Overview

The CyberArk Conjur Service Broker for VMware Tanzu registers a service broker with VMware Tanzu and exposes its service plans on the Marketplace. Developers can then create applications that access a Conjur instance. The Service Broker provides the interface between your VMware Tanzu applications and a Conjur instance.

The CyberArk Conjur Service Broker for VMware Tanzu installs a buildpack that leverages the Conjur Summon tool. Summon fetches secrets from Conjur using the binding ID from your VMware Tanzu service as the unique application identity.

Key Features

CyberArk Conjur Service Broker for VMware Tanzu includes the following key features:

  • After you configure the tile and bind applications to service instances, your VMware Tanzu applications, containers, and microservices assume a host identity in Conjur. This identity enables secure access to secrets stored in Conjur.
  • If you have an existing Conjur instance, you can grant privileges to VMware Tanzu applications to access the existing Conjur secrets through Conjur policy.
  • Conjur integrates easily into the VMware Tanzu environment and the VMware Tanzu developer workflow.
  • The strong authentication model provided by Conjur is available to VMware Tanzu applications.
  • The Conjur role-based policy model for authorizations applies to applications running in VMware Tanzu.
  • Access to secrets is configurable at the VMware Tanzu application level, making it easy to ensure least privilege access.

Product Snapshot

The following table provides version and version-support information about CyberArk Conjur Service Broker for VMware Tanzu.

Element Details
Tile version v1.2.0
Release date August 7, 2020
Software component version CyberArk Conjur Service Broker - v1.1.3
CyberArk Conjur Buildpack - v2.1.4
Compatible Ops Manager version(s) v2.6.x, v2.7.x, v2.8.x, and v2.9.x
Compatible Tanzu Application Service version(s) v2.6.x, v2.7.x, v2.8.x, and v2.9.x
BOSH stemcell version Ubuntu Xenial
IaaS support AWS, Azure, GCP, OpenStack, and vSphere

Requirements

CyberArk Conjur Service Broker for VMware Tanzu has the following requirements:

  • You must have an existing Conjur instance installed. The Conjur instance may be external to the VMware Tanzu environment. Supported versions are:

    • CyberArk Dynamic Access Provider (DAP), v10.9 and later
    • Conjur Enterprise, v4.9.12.0 and later
      • Use v4.9.17.0 or later to search for CF hosts in the Conjur UI
    • Conjur Open Source, v1.0 and later
      • We strongly recommend choosing the version of this project to use from the latest Conjur OSS suite release. Conjur maintainers perform additional testing on the suite release versions to ensure compatibility. When possible, upgrade your Conjur version to match the latest suite release; when using integrations, choose the latest suite release that matches your Conjur version. For any questions, please contact us on Discourse.
  • If you are pushing multiple buildpacks using the Cloud Foundry CLI, ensure that your Cloud Foundry CLI version is greater than 6.38. See the Cloud Foundry documentation on using multiple buildpacks for more information.

  • To configure the VMware Tanzu tile, you must know the following information about your Conjur installation:

    Conjur Account Specified when Conjur is installed and configured. For hosted Conjur, the account is usually an email address that you specify on the web form.
    URL of the Conjur Instance May be the Conjur master load balancer if deploying in a High Availability (HA) configuration.
    Conjur Host Id for Service Broker Valid Conjur identity for a host that has update and create privileges on VMware Tanzu-related Conjur policy. The Service Broker uses these credentials to add and remove host identities as you deploy and remove VMware Tanzu applications. See Recommendations.
    Conjur API key The Conjur API key associated with the Conjur Host Id for the service broker above.
    VMware Tanzu Conjur Policy Branch ID
    (Recommended)
    For production Conjur appliances, CyberArk strongly recommends a Conjur policy dedicated to VMware Tanzu; otherwise, the Conjur root policy is the default. See Recommendations for more information.
    URL of the Conjur Follower Load Balancer
    (Conjur Enterprise v5.x+)
    (Optional)
    If deploying a cluster in an HA configuration, you can specify a URL for VMware Tanzu apps to connect to a Conjur follower to retrieve secret values rather than through the Conjur master. Cyberark strongly recommends that you supply a load balanced follower address to support easier scalability.
    X.509 CA Certificate Chain for Conjur
    (Required for TLS/HTTPS connections to Conjur)
    The PEM encoded X.509 certificate chain for the Conjur server.

    This certificate chain may be retrieved from the Conjur server using the command:
    $ openssl s_client -showcerts -servername [CONJUR_DNS_NAME] \
        -connect [CONJUR_DNS_NAME]:443 < /dev/null 2> /dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
                

  • The Conjur Service Broker requires that each space have its own service instance.

    Conjur Service instances may not be shared across spaces. In the interest of least privilege, a single Conjur service instance must be provisioned in each space where it is needed, using:

    $ cf create-service cyberark-conjur community my-service-instance-name
  • (Conjur EE v4.x only) Conjur Host Factory

    The Service Broker requires a Conjur host factory to use when adding host identities. The examples in Recommendations include host factory definitions. If a host factory is not properly defined, a health check near the end of tile installation will report the condition, and the tile installation will fail.

Recommendations

Create a Dedicated Conjur Policy for VMware Tanzu

CyberArk strongly recommends that you create a Conjur policy dedicated to VMware Tanzu before installing the VMware Tanzu tile. This policy should include a unique identifier for the foundation (e.g. production) to make managing Conjur policy easier across multiple VMware Tanzu installation.

The syntax for defining a Conjur Policy with ID pcf/production is as follows:

- !policy
  id: pcf
  body:
  - !policy
    id: production

This can be loaded into the root policy or any desired Conjur policy branch. Host identities for VMware Tanzu-deployed applications will be loaded into the pcf/production Conjur policy branch when the applications are bound to a Conjur service instance.

A dedicated Conjur policy for VMware Tanzu supports least privilege principles in the following ways:

  • The secrets, host identities, and access control policies for your VMware Tanzu-deployed applications are isolated from other resources stored in Conjur.
  • Conjur access privileges required by the Service Broker, DevOps teams, and your applications can be limited in scope to the dedicated Conjur policy for VMware Tanzu.
  • You can give a limited set of Conjur users access to the dedicated Conjur policy for VMware Tanzu, with even finer-grained permissions possible within the VMware Tanzu policy itself.
  • For Conjur Enterprise (v4), you can define the host factory layer in the dedicated Conjur policy for VMware Tanzu, rather than in the root policy.

When creating the dedicated Conjur policy for VMware Tanzu, consider the following:

  • The Service Broker requires create and update privileges on the policy to add and remove host identities. Members of the group that owns the policy have those privileges.
  • VMware Tanzu DevOps personnel need access to Conjur to declare application secrets and grant privileges to the applications to access those secrets.
  • For Conjur Enterprise (v4), a host factory is required. Both the ID of the layer and the host factory must use the syntax [policy-id]-apps, where apps is a constant. For example, pcf/production-apps is used in the policy example shown below where the dedicated policy for VMware Tanzu is called pcf/production.

To create a dedicated Conjur policy for VMware Tanzu, do the following:

Step 1

Create a policy using the following example as a guide. Save the policy as a YAML file (such as your-pcf-policy-file.yml below).

- !host
  id: pcf-service-broker
  annotations:
    platform: pivotalcloudfoundry

- !group
  id: pcf-admin-group

- !grant
  role: !group pcf-admin-group
  member: !host pcf-service-broker

# Allow host read access to its own resource, to read annotations
- !permit
  role: !host pcf-service-broker
  privilege: read
  resource: !host pcf-service-broker

- !policy
  id: pcf                            # Policy ID does not have to be pcf
  body:
  - !policy
    id: production                   # Multiple VMware Tanzu Foundations may be identified using
                                     # a sub-policy branch, e.g. "production".
    owner: !group /pcf-admin-group   # Owners have complete privileges on the policy

    # The policy body, layer, and host factory
    # are required for Conjur EE v4:
    body:

    # Layer name and host-factory name must be [policy-id]-apps
    - !layer pcf/production-apps

    - !host-factory
      id: pcf/production-apps
      layers: [ !layer pcf/production-apps ]

This policy file creates a host/pcf-service-broker host that can be used as the CONJUR_AUTHN_LOGIN role in the tile configuration. The pcf-service-broker host is a member of the pcf-admin-group group, which owns the pcf/production policy, so it has create and update privileges on that policy as required.

The VMware Tanzu policy has a pcf/production-apps layer and corresponding host factory. If using Conjur v4, application hosts will be added to the pcf/production-apps layer via the pcf-apps host factory when the application is bound to a Conjur service instance.

Step 2

Load the policy into Conjur as follows (in this example, we are loading it into the root policy):

For Conjur Enterprise v4:

$ conjur policy load --as-group security_admin your-pcf-policy-file.yml

NOTE: You may have to first install the policy plugin for the Conjur CLI. If you receive this message when loading the policy:

$ conjur policy load ...
error: Unknown command 'policy'

Then you may install the policy plugin using the command:

$ conjur plugin install policy
Successfully installed conjur-asset-policy-0.13.0
1 gem installed

For Conjur Open Source and Conjur Enterprise v5:

$ conjur policy load root your-pcf-policy-file.yml

Loading this policy the first time will output the API key for the pcf-service-broker host. Save this key to use when configuring the VMware Tanzu tile below.

Step 3

In the CyberArk Conjur Service Broker for VMware Tanzu tile configuration:

  • For VMware Tanzu Conjur Policy Branch ID, use the fully-qualified ID of the dedicated Conjur policy for VMware Tanzu (pcf/production in the above example).

  • For Conjur Login, use a Conjur host who is a member of the Conjur group that owns the VMware Tanzu policy (host/pcf-service-broker in the example above). The host also needs to be permitted to read its own annotations.

  • For Conjur API Key, use that host’s API key. The admin who created the role can retrieve the value with this command:

    $ conjur host rotate_api_key -h pcf-service-broker

Using the Default Root Policy

If you decide to leave the VMware Tanzu Conjur Policy Namespace blank in the tile configuration (that is, you choose to use the default root policy), consider the following:

  • You are not following least privilege best practice.
  • The Conjur host identity that you provide on tile installation must have create and update privileges on the root policy, which means that it will be privileged to edit any policy in your Conjur installation.
  • The Service Broker will add host identities for your VMware Tanzu applications to the root policy.
  • The VMware Tanzu DevOps teams will be altering policy files in the root policy.
  • For integration with Conjur v4, a Host Factory named apps is required. Add the following layer declaration to the root policy:

    - !layer apps
    
    - !host-factory
    id: apps
    layers: [ !layer apps ]
    

Limitations

There are no known limitations.

Feedback

If you have a feature request, questions, or information about a bug, please email VMware Tanzu Feedback list or send an email to CyberArk Support.

License

Copyright 2019 CyberArk

Licensed under the Apache License, Version 2.0 (the “License”). You may not use this software except in compliance with the License. You may obtain a copy of the License at:

http://www.apache.org/licenses/LICENSE-2.0.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.