{"id":45521418,"url":"https://github.com/conjurdemos/conjur-intro","last_synced_at":"2026-02-22T23:00:01.176Z","repository":{"id":37953852,"uuid":"138625372","full_name":"conjurdemos/conjur-intro","owner":"conjurdemos","description":"Miscellaneous utilities that make it easier to make, manage, and run demos","archived":false,"fork":false,"pushed_at":"2025-10-20T14:28:01.000Z","size":40503,"stargazers_count":10,"open_issues_count":10,"forks_count":11,"subscribers_count":16,"default_branch":"main","last_synced_at":"2025-10-20T16:32:40.848Z","etag":null,"topics":["conjbot-notify","conjur","internal"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/conjurdemos.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-06-25T17:03:07.000Z","updated_at":"2025-10-09T06:49:27.000Z","dependencies_parsed_at":"2024-01-03T17:24:43.059Z","dependency_job_id":"98aa1c44-76bf-4c48-bbdf-6fde03176b05","html_url":"https://github.com/conjurdemos/conjur-intro","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/conjurdemos/conjur-intro","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/conjurdemos%2Fconjur-intro","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/conjurdemos%2Fconjur-intro/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/con
jurdemos%2Fconjur-intro/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/conjurdemos%2Fconjur-intro/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/conjurdemos","download_url":"https://codeload.github.com/conjurdemos/conjur-intro/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/conjurdemos%2Fconjur-intro/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29730200,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-22T20:09:16.275Z","status":"ssl_error","status_checked_at":"2026-02-22T20:09:13.750Z","response_time":110,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["conjbot-notify","conjur","internal"],"created_at":"2026-02-22T22:59:57.915Z","updated_at":"2026-02-22T23:00:01.171Z","avatar_url":"https://github.com/conjurdemos.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Conjur Intro\nTools, scripts, and utilities that make it easier to make, manage, and run demos\n\n## Demos\n\n- [AWS Cluster](demos/aws-cluster/README.md)\n- [Conjur Cluster](demos/cluster/README.md)\n- [Certificate Authority](demos/certificate-authority/mutual-tls/README.md)\n\n## Tools\n- [Generate Signed Certificates](tools/simple-certificates/)\n- [K6 Performance Tests](tools/performance-tests/k6/)\n\n## CLI 
Tools\n\nThis project includes a CLI which simplifies the process of running a variety of scenarios.\n\n### Workflow Examples\n\nDeploy a master auto-failover cluster (behind an L4 load balancer).\n\n```sh\n$ bin/dap --provision-master\n$ bin/dap --provision-standbys\n$ bin/dap --enable-auto-failover\n```\n\nGiven the above, to add a follower (behind an L7 load balancer), add data, and validate retrieval:\n```sh\n$ bin/dap --provision-follower\n$ bin/api --load-sample-policy-and-values\n$ bin/api --fetch-secrets\n```\n\nNext, let's trigger an auto-failover event:\n```sh\n$ bin/dap --trigger-failover\n```\n\nUpgrade and rebuild cluster:\n```sh\n$ bin/dap --upgrade-master \u003cversion\u003e\n$ bin/dap --provision-standbys --version \u003cversion\u003e\n$ bin/dap --enable-auto-failover\n$ bin/dap --provision-follower --version \u003cversion\u003e\n```\n\nFinally, validate:\n\n```sh\n$ bin/api --fetch-secrets\n```\n\nA Follower can also be deployed into a Kubernetes cluster using kind:\n\n```sh\n$ bin/dap --provision-k8s-follower\n```\n\nMore information about how the Follower is deployed into a Kubernetes\ncluster can be found in [README.md](artifacts/k8s-follower-orchestrator/README.md)\n\n### Integration Examples\n\nDeploy the Conjur Provider for Secrets Store CSI Driver in Kubernetes (kind):\n\n```sh\n$ bin/dap --provision-csi-provider\n\n# Print the mounted secret values:\n$ docker compose exec -T csi-provider-orchestrator bash -c \"kubectl exec -n test-app test-app -- cat /mnt/secrets-store/relative/path/fileA.txt\"\n$ docker compose exec -T csi-provider-orchestrator bash -c \"kubectl exec -n test-app test-app -- cat /mnt/secrets-store/relative/path/fileB.txt\"\n$ docker compose exec -T csi-provider-orchestrator bash -c \"kubectl exec -n test-app test-app -- cat /mnt/secrets-store/relative/path/fileC.txt\"\n```\n\nDeploy the Conjur Secrets Provider in Kubernetes (kind):\n\n```sh\n$ bin/dap --provision-secrets-provider\n\n# Print the mounted secret 
values:\n$ POD_NAME=$(docker compose exec -T secrets-provider-orchestrator bash -c \"kubectl get pods -n test-app -l app=test-app -o jsonpath='{.items[0].metadata.name}'\")\n$ docker compose exec -T secrets-provider-orchestrator bash -c \"kubectl exec -n test-app $POD_NAME -- cat /opt/secrets/conjur/db-credentials.yaml\"\n```\n\n### Working with Podman\n\nThe project can also run with Podman instead of Docker.\nTo use Podman, replace the above commands as follows:\n\n```sh\n$ bin/podman-dap --provision-master\n$ bin/podman-dap --provision-standbys\n$ bin/podman-dap --enable-auto-failover\n```\n\nSimilarly, `bin/api` and `bin/cli` can be replaced with `bin/podman-api` and `bin/podman-cli`.\n\nTo connect to the UI in the browser, use port 10443 (through HAProxy) or 10444 (Conjur).\n***\n\n### bin/dap\n`bin/dap` provides a dead simple mechanism for starting DAP in a variety of configurations and workflows. It provides visibility into the commands required to perform various workflows.\n\n#### Flags\n|Flag|Type|Outcome|Notes|\n|-|-|-|-|\n|--create-backup|action|• Creates a backup|Requires configured master|\n|--dry-run|configuration|Only print configuration commands|\n|--enable-auto-failover|action|• Configures Master cluster with auto-failover|Requires configured master and standbys|\n|--generate-dh|configuration|• Disables the mounting of pre-generated DH params inside the master so they're generated on the fly|\n|--help||Shows all available arguments||\n|--import-custom-certificates|action|• Imports pre-generated 3rd-party certificates|Requires configured master|\n|--promote-standby|action|• Stops the current master\u003cbr\u003e• Promotes a standby| Requires configured standbys and no auto-failover|\n|--provision-follower|action|• Removes follower if present\u003cbr\u003e• Starts a DAP container and a Layer 7 load balancer\u003cbr\u003e• Generates a follower seed\u003cbr\u003e• Configures follower|Requires configured master|\n|--provision-k8s-follower|action|• 
Removes follower if present\u003cbr\u003e• Configures follower inside a Kubernetes cluster run by kind|Requires configured master|\n|--provision-master|action|• Starts a DAP container and Layer 4 load balancer\u003cbr\u003e• Configures with account `demo` and password `MySecretP@ss1`||\n|--provision-standbys|action|• Removes standbys if present\u003cbr\u003e• Starts two DAP containers\u003cbr\u003e• Generates standby seed files\u003cbr\u003e• Configures standbys\u003cbr\u003e• Enables Synchronous Standby|Requires configured master|\n|--provision-csi-provider|action|• Configures Conjur CSI Provider inside a Kubernetes cluster run by kind|Requires configured master|\n|--provision-secrets-provider|action|• Configures Conjur Secrets Provider inside a Kubernetes cluster run by kind|Requires configured master|\n|--restore-from-backup|action|• Removes auto-failover (if enabled)\u003cbr\u003e• Stops and renames master\u003cbr\u003e• Starts new DAP container\u003cbr\u003e• Restores master from backup|Requires a previously created backup|\n|--stop|action|Stops and removes all containers||\n|--trigger-failover|action|• Stops current master|Requires an auto-failover cluster|\n|--trust-follower-proxy|action|• Adds Follower load balancer as a trusted proxy|Requires configured follower|\n|--upgrade-master `\u003cversion\u003e`|action|• Removes auto-failover (if enabled)\u003cbr\u003e• Generates a backup\u003cbr\u003e• Stops and removes master\u003cbr\u003e• Starts new DAP container\u003cbr\u003e• Restores master from backup|Requires configured master|\n|--version `\u003cversion\u003e`|configuration|Version of DAP to use (defaults to latest)|\n|--k8s-follower-version `\u003cversion\u003e`|configuration|Version of K8S-Follower to use (defaults to latest)|\n|--follower-to-master-connection `\u003con/off\u003e`|action|Pauses or unpauses follower connection to master|Requires a configured master|\n\n### bin/api\n\n`bin/api` enables some common policy and API flows.\n\n#### 
Flags\n\n|Flag|Type|Outcome|Notes|\n|-|-|-|-|\n|--against-master|configuration|Runs read actions against the master||\n|--authenticate-user|action|• Authenticates with default user and password\u003cbr\u003e• Displays the resulting authentication token||\n|--fetch-secrets|action|• Authenticates\u003cbr\u003e• Retrieves variable values|Run against follower unless `--against-master` flag is present|\n|--load-policy|action|• Authenticates\u003cbr\u003e• Loads policy|Run against master|\n|--load-policy-and-values|action|• Authenticates\u003cbr\u003e• Loads policy and variable values|Run against master, equivalent to running '--load-policy' and '--set-secrets'|\n|--password `\u003cpassword\u003e`|configuration|Uses a non-default password for authentication||\n|--set-secrets|action|• Authenticates\u003cbr\u003e• Sets variable values|Requires `--load-policy` before running|\n|--user `\u003cconjur-user\u003e`|configuration|Uses a non-default (`admin`) user for authentication||\n\n## Start a single DAP instance\n\nTo start a single DAP instance:\n\n```sh\n$ bin/dap --provision-master\n```\n\nThis instance runs behind an HAProxy load balancer and is available at: [https://localhost].  Login:\n\n- Account `demo`\n- User: `admin`\n- Password: `MySecretP@ss1`\n\n## Start a DAP Cluster with Follower\n\nTo start a basic HA DAP cluster (self-signed certificates, no Master Key encryption) and a Follower:\n\n```sh\n$ bin/dap --provision-master\n$ bin/dap --provision-standbys\n$ bin/dap --provision-follower\n```\n\nThis instance runs behind an HAProxy load balancer and is available at: [https://localhost].  
Login:\n\n- Account `demo`\n- User: `admin`\n- Password: `MySecretP@ss1`\n\n#### Available Flags\n\nThe following flags are available:\n\n```\nUsage: bin/dap single [options]\n\n    --create-backup                   Creates a backup|Requires configured master\n    --dry-run                         Print configuration commands with executing\n    --enable-auto-failover            Configures Master cluster with auto-failover (Requires configured master and standbys)\n    --h, --help                       Shows this help message\n    --import-custom-certificates      Imports pre-generated 3rd-party certificates (Requires configured master)\n    --promote-standby                 Stops the current master and promotes a standby (Requires configured standbys and no auto-failover)\n    --provision-follower              Configures follower behind a Layer 7 load balancer (Requires configured master)\n    --provision-k8s-follower          Configures follower inside kubernetes cluster ran by kind (Requires configured master)\n    --provision-master                Configures a DAP Master with account `demo` and password `MySecretP@ss1` behind a Layer 4 load balancer\n    --provision-standbys              Deploys and configures two standbys (Requires configured master)\n    --provision-csi-provider          Configures Conjur CSI provider inside kubernetes cluster ran by kind (Requires configured master)\n    --provision-secrets-provider      Configures Conjur Secrets Provider for Kubernetes inside a kind cluster (Requires configured master)\n    --restore-from-backup             Restores a master from backup|Requires a previously created backup\n    --provision-keycloak              Configures Keycloak OIDC authenticator (Requires configured master)\n    --stop                            Stops all containers and cleans up cached files\n    --trigger-failover                Stops current master (Requires an auto-failover cluster)\n    --trust-follower-proxy            Adds 
Follower load balancer as a trusted proxy (Requires a configured follower)\n    --upgrade-master \u003cversion\u003e        Restores master from backup (Requires configured master)\n    --version \u003cversion\u003e               Version of DAP to use (defaults to latest build)\n    --k8s-follower-version \u003cversion\u003e  Version of K8S-Follower to use (defaults to latest build)\n```\n\n### `bin/cli`\n`bin/cli` is a proxy script, sending all subsequent arguments to a Conjur CLI container. This provides a simple mechanism for loading policy and interacting with Conjur.\n\n#### Loading policy\nThe policy folder contains sample policy which can be loaded with:\n```sh\n$ bin/cli conjur policy replace -b root -f policy/users.yml\n$ bin/cli conjur policy load -b root -f policy/policy.yml\n$ bin/cli conjur policy load -b staging -f policy/apps/myapp.yml\n$ bin/cli conjur policy load -b production -f policy/apps/myapp.yml\n$ bin/cli conjur policy load -b root -f policy/application_grants.yml\n$ bin/cli conjur policy load -b root -f policy/hosts.yml\n```\n\n#### Setting/Retrieving a Variable\n```\nbin/cli conjur variable set -i production/myapp/database/username -v my-username\nbin/cli conjur variable set -i production/myapp/database/password -v my-password\nbin/cli conjur variable set -i production/myapp/database/url -v https://my-database.mycompany.com\nbin/cli conjur variable set -i production/myapp/database/port -v 5432\n```\n\n#### Validating Packages\nThis project can also be used to verify PRs, by installing the branch specific package (created by Jenkins).  To begin, download the `.deb` package.  
After starting Conjur, packages can be installed with:\n\n```\n# Start Conjur\n$ bin/dap --provision-master --version 5.11.0\n```\nNext, in a new tab:\n\n```\n$ bin/install ~/Downloads/conjur-ui_2.10.9.1-e389f20_amd64.deb\n```\nThe install script will install the package into the running Conjur appliance and restart the Conjur service.\n\nYou can view the contents of this package by running:\n\n```\n$ docker compose exec conjur-master-1.mycompany.local ls -a /opt/conjur/possum/\n```\n\n## Performance Tests\n\nConjur Intro includes support for running a simple load test against a running instance.\n\n```sh\n# Start Conjur\n$ bin/dap --provision-master\n$ bin/dap --provision-follower\n\n# Run the Datadog agent\n$ ./tools/performance-tests/k6/bin/metrics --start\n\n# Optionally, load policies and 150k secrets (this might take around an hour)\n$ ./bin/load-benchmark-data --accounts_per_safe 200 --safes 15 --hosts 300 --users 150 --all-properties-synchronized\n\n# To integrate with StatsD, set ENABLE_STATSD to true:\n$ ENABLE_STATSD=true ./bin/load-benchmark-data --accounts_per_safe 200 --safes 15 --hosts 300 --users 150 --all-properties-synchronized\n\n# Run load test without StatsD (default)\n$ TEST_FILE=tools/performance-tests/k6/scenarios/read-individually.js ./bin/load-test\n\n# Or run load test with StatsD enabled\n$ ENABLE_STATSD=true TEST_FILE=tools/performance-tests/k6/scenarios/read-individually.js ./bin/load-test\n\n# To get raw results in JSON format, set the ENABLE_JSON_OUTPUT flag (disabled by default)\n# Additionally, when the ENABLE_JSON_OUTPUT flag is enabled, the standard deviation is calculated\n# Note: the resulting JSON file can be hundreds of megabytes\n$ ENABLE_JSON_OUTPUT=true TEST_FILE=tools/performance-tests/k6/scenarios/read-individually.js ./bin/load-test\n\n# Run benchmark for number of authenticators\n$ bin/dap --provision-keycloak\n$ ./bin/authenticators-benchmark\n\n```\n\nThe above test generates a report in the 
folder:\n\n`tmp/{TIMESTAMP}-test-name`\n\nLoad is applied using k6. The k6 files are located at:\n\n`tools/performance-tests/k6`\n\nScenarios for load testing are located at:\n\n`tools/performance-tests/k6/scenarios`\n\nThe number of VUs can be configured by setting the `K6_CUSTOM_VUS` environment variable.\n\nCurrently supported scenarios are:\n\n- `tools/performance-tests/k6/scenarios/read-individually.js` - Read one secret at a time from Conjur by 12 VUs\n\n- `tools/performance-tests/k6/scenarios/read-batch-2-secrets.js` - Read two secrets at a time from Conjur by 12 VUs\n\n- `tools/performance-tests/k6/scenarios/read-batch-4-secrets.js` - Read four secrets at a time from Conjur by 12 VUs\n\n- `tools/performance-tests/k6/scenarios/create-policy.js` - Create unique policies in Conjur by 1 VU in 500 iterations.\n\n- `tools/performance-tests/k6/scenarios/write-secrets.js` - Write secrets to Conjur by 20 VUs. \u003cbr\u003e\n  - Secrets are located at `tools/performance-tests/k6/data/test-variable-secrets.csv` \u003cbr\u003e\n\n- `tools/performance-tests/k6/scenarios/policy-number-test.js` - Load simple policies into Conjur by 5 VUs. \u003cbr\u003e\n  - The duration of the test can be configured by setting the `K6_CUSTOM_DURATION` environment variable.\n\n- `tools/performance-tests/k6/scenarios/policy-depth-test.js` - Keep loading nested policies until max depth is reached\n\n- `tools/performance-tests/k6/scenarios/list-and-batch-read.js` - List all secrets in Conjur and then read a portion of them.\n  - The purpose of this is to imitate how External Secrets Operator works when using the Find by Name or Find by Tag features.\n    See \u003chttps://github.com/external-secrets/external-secrets/pull/3364\u003e.\n\nNote: for read scenarios, we can specify the desired safe and lob to read from by setting the `DESIRED_SAFE` and `DESIRED_LOB` environment variables. 
\u003cbr\u003e\n\nBenchmark scenario for number of authenticators:\n- `bin/authenticators-benchmark` - Load test for number of authenticators. \u003cbr\u003e\n  - Runs a loop that adds authenticators to Conjur, runs the `read-individually.js` scenario,\n    measures the performance, and saves the results.\n\n## Contributing\n\nWe welcome contributions of all kinds to this repository. For instructions on\nhow to get started and descriptions of our development workflows, please see our\n[contributing guide](CONTRIBUTING.md).\n\n## License\n\nThis repository is licensed under Apache License 2.0 - see [`LICENSE`](LICENSE) for more details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fconjurdemos%2Fconjur-intro","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fconjurdemos%2Fconjur-intro","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fconjurdemos%2Fconjur-intro/lists"}