This is a demo based on containers simulating an environment with CyberArk Conjur, Ansible and ARA:
To better simulate the real target environment the demo has the following features:
- no authentication with ssh keys
- password rotation
- internal CA
- TLS certificates signed by the internal CA
- network segmentation
- docker
- docker-compose-plugin
Conjur:
- one frontend server (conjur-proxy)
- one backend server (conjur-server)
- one database server (conjur-database)
Ansible:
- one ansible master (ansible-master)
- three ansible targets (ansible-target[1-3])
ARA:
- one ARA server with local db (ansible-ara)
Clone the repository and move into the new directory:
$ git clone https://github.com/camandel/conjur-ansible-ara-demo
$ cd conjur-ansible-ara-demo
Create and configure the enviroment:
$ ./setup-all.sh
Now the environment is ready to use:
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
980ac95db912 conjur-client "sleep infinity" 4 minutes ago Up 4 minutes conjur-client
127f43638e68 nginx:1.20-alpine "/docker-entrypoint.…" 4 minutes ago Up 4 minutes 80/tcp conjur-proxy
9632b8300b44 ansible-base "/usr/sbin/sshd -D" 5 minutes ago Up 4 minutes 22/tcp ansible-target1
86e663f94540 ansible-base "/usr/sbin/sshd -D" 5 minutes ago Up 4 minutes 22/tcp ansible-target2
934ab20ad478 ansible-master "/usr/sbin/sshd -D" 5 minutes ago Up 4 minutes 0.0.0.0:2222->22/tcp ansible-master
1916a7c7ea53 ansible-base "/usr/sbin/sshd -D" 5 minutes ago Up 5 minutes 22/tcp ansible-target3
9f840bc6e4c0 cyberark/conjur:1.17.2-2330 "conjurctl server" 5 minutes ago Up 4 minutes 80/tcp conjur-server
5c4b5caa25da quay.io/recordsansible/ara-api:latest "bash -c '/usr/local…" 5 minutes ago Up 5 minutes 0.0.0.0:8000->8000/tcp ansible-ara
6bd9ca308d48 postgres:14-alpine "docker-entrypoint.s…" 5 minutes ago Up 5 minutes 5432/tcp conjur-database
Run the test playbook:
$ ./run-playbook.sh
Simulate password rotation and re-run the playbook:
$ ./password-rotation.sh
$ ./run-playbook.sh
Once the environment has been configured (do it only the first time) it can be managed with docker compose
command:
$ docker compose [stop/start/restart]
Every container can be accessed with docker exec
command but ansible-master and ansible-ara have also ports exposed on your host.
Open a terminal to connect to ansible-master (password is ansiblelab
):
$ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 2222 root@localhost
root@ansible-master ~]# cd /opt/ansible-lab/
[root@ansible-master ansible-lab]# ansible-playbook -i inventory ping.yml
<...>
[root@ansible-master ansible-lab]# ara playbook list
<...>
Use a browser to view ARA web interface:
http://localhost:8000
If certificates have been updated you need to update some images and configuration files:
$ ./generate-certs.sh
$ DOCKER_BUILDKIT=0 docker compose up -d --build ansible-master
$ ./setup-ansible.sh
$ ./setup-conjur.sh
$ docker compose restart conjur-proxy conjur-client ansible-master
Sometimes during conjur restarts it doesn't automatically delete the pid file:
$ docker compose exec conjur-server /opt/conjur-server/tmp/pids/server.pid
$ docker compose restart conjur-server
To clean-up the whole environment (volumes included) run these commands:
$ docker compose down --volumes
$ rm admin.out master.out