Building a container image for Workload Identity Manager that uses an HSM

Workload Identity Manager (formerly known as Firefly) has a PKCS#11 version that integrates with third-party software to use HSM key protection; this third-party software is separately licensed and distributed by HSM vendors. Kubernetes is the recommended execution environment for production Workload Identity Manager instances, so CyberArk customers need to understand how to build their own Workload Identity Manager container images that combine third-party HSM libraries with the Workload Identity Manager PKCS#11 integration.

Note

Workload Identity Manager with PKCS#11 integration supports Red Hat Enterprise Linux versions 8 and 9, and Ubuntu Server LTS versions 20.04 and 22.04.

PKCS#11 Client

Review the instructions provided by your HSM vendor for building Linux container images that work with their product. You will need to acquire the applicable HSM client software that includes a PKCS#11 library.

Sample: Luna Network HSM using Red Hat Universal Base Image (UBI)

Step 1: Download the latest Workload Identity Manager PKCS#11 binary

To retrieve the Workload Identity Manager PKCS#11 binary, navigate to the Workload Identity Manager releases page and download either the latest version, or the version you prefer.

Step 2: Build the image using Docker

  1. Prepare a Dockerfile that looks something like this for a UBI-based image:

    # FROM private-registry.venafi.cloud/firefly/firefly-base-pkcs11:v1.10.0 AS firefly-base
    # or
    FROM private-registry.venafi.cloud/firefly-ent/firefly-base-pkcs11-fips:v1.10.0 AS firefly-base
    
    FROM registry.access.redhat.com/ubi8/ubi@sha256:bcfca5f27e2d2a822bdbbe7390601edefee48c3cae03b552a33235dcca4a0e24
    
    RUN yum install -y tar glibc.i686
    
    WORKDIR /tmp
    COPY ./610-000401-010_SW_Linux_Luna_Minimal_Client_V10.7.0_RevA.tar lunaclient.tar
    
    RUN mkdir -p /usr/local/luna
    RUN tar xvf /tmp/lunaclient.tar --strip 1 -C /usr/local/luna
    RUN rm /tmp/lunaclient.tar
    ENV ChrystokiConfigurationPath=/usr/local/luna/config
    ENV PATH="/usr/local/luna/bin/64:${PATH}"
    
    COPY --from=firefly-base /ko-app/firefly /ko-app/firefly
    
    LABEL org.opencontainers.image.vendor="CyberArk Software Ltd."
    LABEL org.opencontainers.image.licenses="EULA - https://www.cyberark.com/contract-terms/"
    LABEL org.opencontainers.image.authors="mis.support@cyberark.com"
    LABEL org.opencontainers.image.title="CyberArk Workload Identity Manager"
    LABEL org.opencontainers.image.url="https://www.cyberark.com/products/workload-identity-manager/"
    LABEL org.opencontainers.image.documentation="https://docs.cyberark.com/mis-saas/firefly/overview/"
    
    USER 65532:65532
    
    ENTRYPOINT [ "/ko-app/firefly" ]
    
  2. Then build the container image by executing the following command. It assumes the Dockerfile is in the current directory, together with the tarball containing the HSM client software and the firefly-pkcs11 binary:

    docker build . --tag firefly-luna-network-hsm:sample
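Before running `docker build`, it is worth checking the Dockerfile for the three properties the sample above relies on: a digest-pinned runtime base image, a non-root `USER`, and no HSM client credentials or private keys baked into image layers (the sample mounts those read-only at run time instead). The following script is an added example and is not part of the CyberArk documentation or product; it assumes POSIX `sh`, `grep`, `sed` and `tail`, and the embedded Dockerfile is a constructed, trimmed copy of the one above.

```shell
#!/bin/sh
# Added example (not from the CyberArk docs): static sanity checks for a
# Dockerfile like the one above. Reads the Dockerfile on stdin, prints one
# line per finding, and returns 0 only when there are no findings.

check_dockerfile() {
  content=$(cat)
  findings=0

  # 1. The runtime stage (last FROM) must be pinned by digest, so the HSM
  #    client is always layered onto the exact base image that was reviewed.
  last_from=$(printf '%s\n' "$content" | grep -E '^FROM ' | tail -n 1)
  case "$last_from" in
    *@sha256:*) ;;
    *) echo "runtime base image is not digest-pinned: $last_from"
       findings=$((findings + 1)) ;;
  esac

  # 2. The service must not run as root; the sample uses USER 65532:65532.
  user_line=$(printf '%s\n' "$content" | grep -E '^USER ' | tail -n 1)
  case "$user_line" in
    "") echo "no USER instruction: container would run as root"
        findings=$((findings + 1)) ;;
    "USER root"*|"USER 0"*) echo "runtime user is root: $user_line"
        findings=$((findings + 1)) ;;
  esac

  # 3. Chrystoki.conf, HSM client certificates/keys and the service account
  #    key belong in read-only runtime mounts, never in image layers.
  if printf '%s\n' "$content" | grep -E '^(COPY|ADD) ' \
       | grep -Eq 'Chrystoki\.conf|\.pem|\.pvk|\.key'; then
    echo "HSM credentials or private keys are copied into the image"
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}

# Constructed sample: a trimmed copy of the UBI/Luna Dockerfile above.
SAMPLE_DOCKERFILE='FROM private-registry.venafi.cloud/firefly-ent/firefly-base-pkcs11-fips:v1.10.0 AS firefly-base
FROM registry.access.redhat.com/ubi8/ubi@sha256:bcfca5f27e2d2a822bdbbe7390601edefee48c3cae03b552a33235dcca4a0e24
RUN yum install -y tar glibc.i686
COPY ./lunaclient.tar lunaclient.tar
COPY --from=firefly-base /ko-app/firefly /ko-app/firefly
USER 65532:65532
ENTRYPOINT [ "/ko-app/firefly" ]'

# Usage on a real file: check_dockerfile < Dockerfile
printf '%s\n' "$SAMPLE_DOCKERFILE" | check_dockerfile \
  && echo "sample Dockerfile: no findings"
```

Run it as `check_dockerfile < Dockerfile` in the build directory; a non-zero exit status with the printed findings is a reason to stop before `docker build`.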
    

Step 3: Test the image using Docker

  1. Prepare a Workload Identity Manager config.yaml that looks something like this:

    bootstrap:
      vaas:
        auth:
          privateKeyFile: /etc/firefly/svc-acct.pvk
          clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
        csr:
          instanceNaming: Firefly-Docker
        pkcs11:
          clientLibraryPath: /usr/local/luna/libs/64/libCryptoki2_64.so
    server:
      grpc:
        port: 8081
        tls:
          dnsNames:
          - firefly.example.com
          ipAddress: 10.20.30.40
      rest:
        port: 8281
        tls:
          dnsNames:
          - firefly.example.com
          ipAddress: 10.20.30.40
    
  2. Then run the container by executing the following command. It assumes the Workload Identity Manager config.yaml and the CyberArk Certificate Manager - SaaS service account private key file are located in the "firefly" subdirectory, and that the Chrystoki.conf and the client/server certificate files for accessing the HSM are located in the "luna" subdirectory.

    docker run --rm \
          --cap-add=IPC_LOCK \
          -e ACCEPT_TERMS=Y \
          -p 8081:8081 \
          -p 8281:8281 \
          -v ./firefly/config.yaml:/etc/firefly/config.yaml:ro \
          -v ./firefly/svc-acct.pvk:/etc/firefly/svc-acct.pvk:ro \
          -v ./luna:/usr/local/luna/config:ro \
          firefly-luna-network-hsm:sample \
          run -c /etc/firefly/config.yaml
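The `docker run` command above bind-mounts four host-side items, and a missing file or an over-permissive private key is the usual reason a first start fails or leaks the service account credential. The following pre-flight script is an added example, not part of the CyberArk documentation or product; it assumes POSIX `sh` and the directory layout described above (`firefly/config.yaml`, `firefly/svc-acct.pvk`, `luna/Chrystoki.conf`). It checks that the files exist, that the key is not group- or world-readable, and extracts `clientLibraryPath` from config.yaml; when an image name is passed as a second argument and `docker` is on the PATH, it also confirms that path exists inside the image. The sample layout it creates under `mktemp -d` uses empty placeholder files, not real keys.

```shell
#!/bin/sh
# Added example (not from the CyberArk docs): pre-flight checks for the
# host files mounted by the "docker run" command above.
# Usage: preflight_check [ROOT_DIR] [IMAGE]
# Prints the PKCS#11 library path from config.yaml and returns 0 on success.

preflight_check() {
  root=${1:-.}
  image=$2
  cfg="$root/firefly/config.yaml"
  key="$root/firefly/svc-acct.pvk"
  conf="$root/luna/Chrystoki.conf"
  errors=0

  for f in "$cfg" "$key" "$conf"; do
    if [ ! -f "$f" ]; then
      echo "missing: $f" >&2
      errors=$((errors + 1))
    fi
  done
  [ "$errors" -eq 0 ] || return 1

  # The service account private key is mounted into the container; it must
  # not be readable by group or others (columns 5 and 8 of "ls -ld").
  case "$(ls -ld "$key" | cut -c1-10)" in
    ????r*|???????r*)
      echo "private key $key is group/world readable" >&2
      errors=$((errors + 1)) ;;
  esac

  # bootstrap.vaas.pkcs11.clientLibraryPath, as written in config.yaml.
  lib=$(sed -n 's/^[[:space:]]*clientLibraryPath:[[:space:]]*//p' "$cfg" | head -n 1)
  if [ -z "$lib" ]; then
    echo "config.yaml has no clientLibraryPath" >&2
    errors=$((errors + 1))
  elif [ -n "$image" ] && command -v docker >/dev/null 2>&1; then
    # Confirm the PKCS#11 library is really inside the image before starting.
    if ! docker run --rm --entrypoint test "$image" -e "$lib"; then
      echo "$lib not found in image $image" >&2
      errors=$((errors + 1))
    fi
  fi

  [ "$errors" -eq 0 ] && printf '%s\n' "$lib"
}

# Constructed sample layout mirroring the docs' config.yaml (placeholder
# files only), so the check can be exercised offline.
make_sample_layout() {
  dir=$(mktemp -d)
  mkdir -p "$dir/firefly" "$dir/luna"
  cat > "$dir/firefly/config.yaml" <<'EOF'
bootstrap:
  vaas:
    auth:
      privateKeyFile: /etc/firefly/svc-acct.pvk
      clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    pkcs11:
      clientLibraryPath: /usr/local/luna/libs/64/libCryptoki2_64.so
EOF
  : > "$dir/firefly/svc-acct.pvk"   # placeholder, not a real key
  chmod 600 "$dir/firefly/svc-acct.pvk"
  : > "$dir/luna/Chrystoki.conf"    # placeholder HSM client config
  printf '%s\n' "$dir"
}

sample=$(make_sample_layout)
found=$(preflight_check "$sample") \
  && echo "pre-flight OK, PKCS#11 library: $found"
```

In the real working directory, `preflight_check . firefly-luna-network-hsm:sample` before the `docker run` above catches the mount problems on the host; a wrong `clientLibraryPath` is reported from the image check rather than from a PKCS#11 load failure after the container has already started.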