Application containers running in Rancher-managed Kubernetes environments can authenticate to Conjur and securely retrieve secrets.

This section specifically relates to the case where Kubernetes must be accessed through the Rancher API.

If your organization does not require access through the Rancher API, then the integration setup is identical to the setup for any other supported Kubernetes-based environment. In this case, see OpenShift/Kubernetes.

Supported Kubernetes-based environments

Integration with Rancher supports all Kubernetes-based environments supported by Conjur. For details, see Supported Kubernetes-based environments.

Before you start

Before you start setting up the integration between Conjur and Rancher:

  • Make sure that Rancher is set up and is managing any number of Kubernetes clusters that contain workloads that need to authenticate to Conjur.

  • Make sure that you have a healthy, running Conjur Server. For details, see Setup.

  • Make sure you have access to the Conjur CLI and the Rancher CLI.

Setup options

This section describes the workflows for setting up the Rancher integration. The workflow depends on whether you deploy Conjur inside the Kubernetes clusters that contain the workloads that need to retrieve secrets from Conjur, or outside the Rancher environment.

  • Integration with Rancher supports certificate-based authentication only.

  • For multi-cluster support, a separate Kubernetes Authenticator must be defined for each Kubernetes cluster.

  1. The Conjur admin sets up a Kubernetes Authenticator for each Kubernetes cluster in Rancher that has workloads that need to retrieve secrets from Conjur. This task requires information from the Rancher admin about resources in Rancher and connection details.

  2. The app owner can then set up workloads in the application namespace to authenticate to Conjur and retrieve secrets.