Thanks for your interest in Conjur. Before contributing, please take a moment to read and sign our Contributor Agreement. This provides patent protection for all Conjur users and allows CyberArk to enforce its license terms. Please email a signed copy to oss@cyberark.com. For general contribution and community guidelines, please see the community repo.
Table of contents generated with markdown-toc
Before getting started, the following tools need to be installed:
- Git to manage source code
- Docker to manage dependencies and runtime environments
- Docker Compose to orchestrate Docker environments
The dev directory contains a docker-compose.yml file which creates a development
environment :
- A Conjur Open Source instance
- An Ansible control node
- Managed nodes to push tasks to
To use it:
-
Install dependencies (as above)
-
To use the dev environment, clone the Collection repository and run the setup script:
$ git clone https://github.com/cyberark/ansible-conjur-collection.git $ cd ansible-conjur-collection/dev $ ./start.sh
When the Conjur and Ansible containers have been successfully setup, the terminal prints the following:
...
PLAY RECAP *********************************************************************
ansibleplugingtestingconjurhostidentity-test_app_centos-1 : ok=17 ...
ansibleplugingtestingconjurhostidentity-test_app_centos-2 : ok=17 ...
ansibleplugingtestingconjurhostidentity-test_app_ubuntu-1 : ok=16 ...
ansibleplugingtestingconjurhostidentity-test_app_ubuntu-2 : ok=16 ...Your Conjur instance will be configured with the following:
- Account:
cucumber - User:
admin - Password: Run
conjurctl role retrieve-key cucumber:user:admininside the Conjur container shell to retrieve the admin user API key
- Official documentation for Conjur's Ansible integration
- Conjur Collection on Ansible Galaxy
- Ansible documentation for the Conjur collection
Unit tests are only available for the Conjur Variable Lookup plugin. To run these tests:
./dev/test_unit.sh
The collection has integration tests for both the Variable Lookup plugin and the Host Identity role that will validate each against live Conjur and Ansible containers.
To run all tests:
./ci/test.sh -a
To run the tests for a particular module:
./ci/test.sh -d <role or plugin name>
Integration tests can be run against Conjur Enterprise by adding the -e flag:
./ci/test/sh -e -a
From a clean instance of main, perform the following actions to release a new version of this plugin:
-
Update the version number in
galaxy.ymlandCHANGELOG.md- Verify that all changes for this version in
CHANGELOG.mdare clear and accurate, and are followed by a link to their respective issue - Create a PR with these changes
- Verify that all changes for this version in
-
Create an annotated tag with the new version, formatted as
v##.##.##- This will kick off an automated script which publish the release to Ansible Galaxy
-
Create the release on GitHub for that tag
- Build the release package with
./ci/build_release - Attach package to Github Release
- Build the release package with
Generate the master key, which will be used to encrypt Conjur's database. Store this value as an environment variable.
docker compose run --no-deps --rm conjur data-key generate > data_key
export CONJUR_DATA_KEY="$(< data_key)"Start the Conjur OSS environment. An account, named cucumber, will be
automatically created.
docker compose up -d conjurRetrieve the admin user's API key, and store the value in an environment variable.
export CLI_CONJUR_AUTHN_API_KEY="$(docker compose exec conjur conjurctl role retrieve-key cucumber:user:admin)"Start the Conjur CLI container. The CLI will be automatically authenticated as
the user cucumber:user:admin.
docker compose up -d conjur_cliPolicy defines Conjur entities and the relationships between them. An entity can be a policy, a host, a user, a layer, a group, or a variable.
Check out the policy file, and load it into Conjur:
docker compose exec conjur_cli cat /policy/root.yml
docker compose exec conjur_cli conjur policy load root /policy/root.ymlAlso, load a dummy secret value into the ansible/target-password variable.
This is a variable required by remote nodes in order to complete their workloads.
docker compose exec conjur_cli conjur variable values add ansible/target-password S3cretV@lueThe Ansible environment will include a control node and a number of managed nodes. First, retrieve the API key for the Conjur host representing the control node, then create it:
export ANSIBLE_CONJUR_AUTHN_API_KEY="$(docker compose exec conjur conjurctl role retrieve-key cucumber:host:ansible/ansible-master)"
docker compose up -d ansibleNext, create two instances of each managed node:
docker compose up -d --scale test_app_ubuntu=2 test_app_ubuntu
docker compose up -d --scale test_app_centos=2 test_app_centosTo grant your Ansible host a Conjur identity, first install the Conjur Collection on your Ansible control node:
docker compose exec ansible ansible-galaxy collection install cyberark.conjurSet up the host factory token in the HFTOKEN env var
export HFTOKEN="$(docker compose exec conjur_cli conjur hostfactory tokens create ansible/ansible-factory | jq -r '.[0].token')"Once you've done this, you can configure each Ansible node with a Conjur identity by including a section like the example below in your Ansible playbook:
---
- hosts: testapp
roles:
- role: cyberark.conjur.conjur_host_identity
conjur_appliance_url: 'https://conjur.myorg.com',
conjur_account: 'cucumber',
conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}",
conjur_host_name: "{{inventory_hostname}}"First we register the host with Conjur, adding it into the layer specific to the provided host factory token, and then install Summon with the Summon Conjur provider for secret retrieval from Conjur.
The Conjur lookup plugin can inject secret data directly into an Ansible playbook, like it the following example:
---
- hosts: testapp
tasks:
- name: Provide secret with Lookup plugin
debug:
msg: "{{ lookup('cyberark.conjur.conjur_variable', '/ansible/target-password') }}"