diff --git a/demos/java-api-client/Dockerfile b/demos/java-api-client/Dockerfile
new file mode 100644
index 00000000..16b260b7
--- /dev/null
+++ b/demos/java-api-client/Dockerfile
@@ -0,0 +1,4 @@
+FROM openjdk:8-jre-alpine
+ADD target/ConjurJavaClient-1.0-SNAPSHOT-with-dependencies.jar ConjurJavaClient-1.0-SNAPSHOT-with-dependencies.jar
+ENTRYPOINT ["java", "-jar", "ConjurJavaClient-1.0-SNAPSHOT-with-dependencies.jar"]
+
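Review bot: No `USER` instruction follows the `ADD` on L8, so the client runs as uid 0, and installer.sh grants `anyuid` to the default service account (L467 of that file), which means the pod really does run as root on OpenShift rather than being remapped; the client only needs to read the token and truststore from the mounted volume, so `RUN adduser -D -u 1000 conjur` and `USER conjur` before the `ENTRYPOINT` are enough. `ADD` on L8 should be `COPY`: the source is a local jar, and `COPY` is the instruction without ADD's URL-fetch and archive-extraction semantics. The base image `openjdk:8-jre-alpine` on L7 is a floating tag; pinning a digest would make the demo image reproducible.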
diff --git a/demos/java-api-client/README.md b/demos/java-api-client/README.md
new file mode 100644
index 00000000..bae227ed
--- /dev/null
+++ b/demos/java-api-client/README.md
@@ -0,0 +1,8 @@
+Instructions for building java client
+-------------------------------------
+
+For compiling java test application please run: ./build.sh
+Java SDK API fat jar will appear in the directory and docker image of the client application will be available
+In addition, JAVA API SDK fat jar will be installed in local maven repository and will be usable for other applications
+For Running this application on openshift please look for instructions in ../openshift-install/README.txt
+
diff --git a/demos/java-api-client/build.sh b/demos/java-api-client/build.sh
new file mode 100755
index 00000000..de6be5c3
--- /dev/null
+++ b/demos/java-api-client/build.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+set -e
+#set -x
+
+function validate_app {
+ APPNAME=$1
+ CHECK_APP=$( which $APPNAME )
+ if [ -z "$CHECK_APP" ]
+ then
+ echo "Please install $APPNAME"
+ exit 1
+ fi
+}
+
+validate_app git
+validate_app mvn
+validate_app docker
+
+COMMAND=$0
+echo "$COMMAND"
+suffix="/build.sh";
+HOME_DIR=${COMMAND%$suffix};
+pushd $HOME_DIR
+
+rm -rf target
+rm -rf conjur-api-java
+
+echo "Cloning Conjur Java SDK repository from Github"
+
+git clone https://github.com/cyberark/conjur-api-java.git
+
+if [ ! -d "./conjur-api-java" ]
+then
+ echo "Git clone failed"
+ exit 1
+fi
+
+BRANCH_NAME=$( git rev-parse --abbrev-ref HEAD )
+
+git checkout $BRANCH_NAME
+
+pushd conjur-api-java
+
+echo "Building Conjur Java SDK JAR"
+
+mvn install -DskipTests -Dmaven.javadoc.skip=true
+
+popd
+
+API_JAR_NAME=$( ls conjur-api-java/target/*with-dependencies.jar | grep conjur-api )
+echo "API_JAR_NAME=$API_JAR_NAME"
+if [ -z $API_JAR_NAME ]
+then
+ echo "Maven install Conjur Java SDK jar failed"
+ exit 1
+fi
+
+VERSION=$( echo "$API_JAR_NAME"| cut -d'/' -f 3 | cut -d'-' -f 3 )
+
+echo "Installing Conjur Java SDK JAR to Maven Repo"
+
+mvn install:install-file -Dfile=conjur-api-java/target/conjur-api-$VERSION-with-dependencies.jar -DgroupId=net.conjur.api -DartifactId=conjur-api -Dversion=$VERSION -Dpackaging=jar
+
+echo "Build Conjur Java Client Example"
+mvn install -Dconjur-api-version=2.1.0
+
+cp conjur-api-java/target/conjur-api-2.1.0-with-dependencies.jar .
+
+rm -rf conjur-api-java
+
+echo "Creating docker image of Conjur Java Client Example"
+docker build -f Dockerfile -t conjur-java-client .
+
+docker images | grep conjur-java-client
+
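Review bot: `VERSION` is derived from the built SDK jar at L89 and used for `install:install-file` at L93, but L96 and L98 then hardcode `2.1.0`, so the script installs one version and builds/copies against another as soon as upstream bumps its version; use `mvn install -Dconjur-api-version=$VERSION` and `cp conjur-api-java/target/conjur-api-$VERSION-with-dependencies.jar .`. The clone at L61 builds whatever the upstream default branch currently holds, and `git checkout $BRANCH_NAME` at L71 runs before the `pushd conjur-api-java` on L73, i.e. in this repository rather than in the clone, so it does nothing useful; pinning the clone to a release tag (`git clone --branch <tag> ...`) makes the SDK that ends up in the fat jar reproducible and reviewable. `if [ -z $API_JAR_NAME ]` at L83 should quote the variable, and the `ls | grep` pipelines at L81 and L105 need `set -o pipefail` for `set -e` to catch a failed `ls`.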
diff --git a/demos/java-api-client/pom.xml b/demos/java-api-client/pom.xml
new file mode 100644
index 00000000..341965e6
--- /dev/null
+++ b/demos/java-api-client/pom.xml
@@ -0,0 +1,69 @@
+
+
+ 4.0.0
+
+ 2.1.0
+
+ com.cyberark.example
+ ConjurJavaClient
+ 1.0-SNAPSHOT
+
+
+ net.conjur.api
+ conjur-api
+ ${conjur-api-version}
+
+
+
+
+ maven-compiler-plugin
+ 2.3.2
+
+ 1.6
+ 1.6
+
+
+
+
+ org.apache.maven.plugins
+ maven-surefire-plugin
+ 2.20
+
+
+ ${env.CONJUR_ACCOUNT}
+ ${env.CONJUR_APPLIANCE_URL}
+ ${env.CONJUR_AUTHN_LOGIN}
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-shade-plugin
+
+
+
+ shade
+
+
+ with-dependencies
+ true
+
+
+ com.cyberark.example.JavaClient
+
+
+ META-INF/cxf/bus-extensions.txt
+
+
+
+
+
+
+
+
+
+
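Review bot: The element names of this hunk were lost in rendering, so only the values can be reviewed: `maven-compiler-plugin` `2.3.2` with source/target `1.6` at L131-L135 is far older than the Java 8 runtime the Dockerfile uses, and `maven-shade-plugin` at L153-L154 appears to carry no version element, which leaves the fat-jar build dependent on whichever plugin version Maven resolves by default; pinning the shade plugin and raising source/target to `1.8` would make the build reproducible. The surefire configuration at L145-L147 injects `CONJUR_ACCOUNT`, `CONJUR_APPLIANCE_URL` and `CONJUR_AUTHN_LOGIN` from the environment, yet build.sh runs the client build without setting any of them and no test source is part of this commit, so it is unclear whether anything consumes these properties; if nothing does, the block is dead configuration.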
diff --git a/demos/java-api-client/src/main/java/com/cyberark/example/JavaClient.java b/demos/java-api-client/src/main/java/com/cyberark/example/JavaClient.java
new file mode 100644
index 00000000..5189d67d
--- /dev/null
+++ b/demos/java-api-client/src/main/java/com/cyberark/example/JavaClient.java
@@ -0,0 +1,62 @@
+package com.cyberark.example;
+
+import net.conjur.api.Conjur;
+import net.conjur.api.Token;
+
+import java.io.FileOutputStream;
+import java.io.PrintWriter;
+
+import java.io.File;
+import java.nio.file.Paths;
+
+public class JavaClient {
+
+ private static String truststoreFileName = "/run/conjur/truststore.jks";
+
+ private static void initialize()
+ {
+ System.setProperty("javax.net.ssl.trustStore", truststoreFileName);
+ System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
+ System.setProperty("CONJUR_ACCOUNT", System.getenv("CONJUR_ACCOUNT"));
+ if (System.getenv("CONJUR_AUTHN_LOGIN") != null)
+ {
+ System.setProperty("CONJUR_AUTHN_LOGIN", System.getenv("CONJUR_AUTHN_LOGIN"));
+ }
+ System.setProperty("CONJUR_APPLIANCE_URL", System.getenv("CONJUR_APPLIANCE_URL"));
+ }
+
+ private static void enterPending()
+ {
+ try
+ {
+ Thread.sleep(500000);
+ }
+ catch (Exception e)
+ {
+ System.out.println("Timer Exception:" + e);
+ }
+ }
+
+ public static void main(String args[])
+ {
+ System.out.println("Running Conjur Java SDK Example");
+ initialize();
+ Token token = null;
+ try
+ {
+ System.out.println("CONJUR_AUTHN_TOKEN_FILE = " + System.getenv("CONJUR_AUTHN_TOKEN_FILE"));
+ token = Token.fromFile(Paths.get(System.getenv("CONJUR_AUTHN_TOKEN_FILE")));
+ }
+ catch (Exception e)
+ {
+ System.out.println("Exception:" + e);
+ return;
+ }
+ System.out.println("Create Conjur API Instance");
+ Conjur conjur = new Conjur(token);
+ String secret = conjur.variables().retrieveSecret("variables/mypassword");
+ System.out.println("Retrieved secret = " + secret);
+ enterPending();
+ }
+
+}
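Review bot: `main` prints the retrieved secret value itself to stdout at L242, and the OpenShift README tells the user to read this output with `oc logs`, so the secret ends up in the container log stream and anything that aggregates it; print a confirmation instead, e.g. `System.out.println("Retrieved secret, length = " + secret.length());`. `initialize()` null-checks only `CONJUR_AUTHN_LOGIN`: if `CONJUR_ACCOUNT` or `CONJUR_APPLIANCE_URL` is unset, `System.setProperty` throws a NullPointerException that names neither variable, so a small `requireEnv` helper gives a usable error. The imports of `FileOutputStream`, `PrintWriter` and `File` at L190-L193 are unused, and `enterPending` catches the InterruptedException at L218 without calling `Thread.currentThread().interrupt()`.
```java
// Reads a mandatory environment variable, failing with the variable name rather than a bare NPE.
private static String requireEnv(String name)
{
    String value = System.getenv(name);
    if (value == null)
    {
        throw new IllegalStateException("Missing required environment variable: " + name);
    }
    return value;
}

private static void initialize()
{
    System.setProperty("javax.net.ssl.trustStore", truststoreFileName);
    System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
    System.setProperty("CONJUR_ACCOUNT", requireEnv("CONJUR_ACCOUNT"));
    String authnLogin = System.getenv("CONJUR_AUTHN_LOGIN");
    if (authnLogin != null)
    {
        System.setProperty("CONJUR_AUTHN_LOGIN", authnLogin);
    }
    System.setProperty("CONJUR_APPLIANCE_URL", requireEnv("CONJUR_APPLIANCE_URL"));
}
// … unchanged: enterPending, main …
```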
diff --git a/demos/openshift-install/README.md b/demos/openshift-install/README.md
new file mode 100644
index 00000000..9e111e99
--- /dev/null
+++ b/demos/openshift-install/README.md
@@ -0,0 +1,36 @@
+Explanations:
+-------------
+The purpose of this demo is to install Conjur on existing OpenShift environment and then run Java Client on top of it
+The environent contains 4 pods each with up to 2 containers inside
+Pod #1: Postgres
+Pod #2: Conjur + Nginx
+Pod #3: Conjur CLI
+Pod #4: Conjur authenticator client + Java Client
+
+Local Prerequisites:
+--------------------
+Git - git version 2.24.1
+Maven - Apache Maven 3.6.3
+Java SDK / JRE - openjdk version "1.8.0_232"
+MAC OS Catalina - Version 10.15.1 (19076)
+OpenShift client installed on MAC
+
+External Prerequisites:
+-----------------------
+A GitHub user for GitHub environment
+OpenShift - oc v3.11.0+0cbc58b
+ kubernetes v1.11.0+d4cacc0
+ features: Basic-Auth
+
+Commands:
+---------
+1. **Building Java Client:** cd /conjur-intro/demos/java-api-client
+ ./build.sh
+2. **Installing Conjur and Conjur-CLI on OpenShift:** /conjur-intro/demos/openshift-install
+ ./installer.sh --with-config --ocp-url : --project-name --account-name --authenticator
+3. **Verify that all pods are up and running by:** oc get pods
+4. **Installing and running java client opn Open Shift:** ./java-client-installer.sh --ocp-url : --docker-url --project-name --account-name --authenticator
+5. **Verify that all pods are up and running by:** oc get pods
+6. **Checking output of Java client container on pod #4:** oc logs -c my-conjur-java-client
+ It should show that secret was retrieved properly
+
diff --git a/demos/openshift-install/cleanup.sh b/demos/openshift-install/cleanup.sh
new file mode 100755
index 00000000..8829175b
--- /dev/null
+++ b/demos/openshift-install/cleanup.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+#set -x
+#set -e
+
+function validate_app {
+ APPNAME=$1
+ CHECK_APP=$( which $APPNAME )
+ if [ -z "$CHECK_APP" ]
+ then
+ echo "Please install $APPNAME"
+ exit 1
+ fi
+}
+
+validate_app oc
+
+oc delete project $1
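Review bot: `oc delete project $1` at L312 runs with no check that a project name was given and with `$1` unquoted, so a missing or space-containing argument produces an unhelpful oc error or a different target than intended; add `if [ -z "$1" ]; then echo "usage: cleanup.sh <project-name>"; exit 1; fi` before it and quote the name as `oc delete project "$1"`. Since this removes every workload in the project, echoing the project name and `oc whoami --show-server` before deleting makes an accidental run against the wrong cluster login visible. `set -e` is commented out at L298 while the script has only one real command, so enabling it costs nothing.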
diff --git a/demos/openshift-install/conjur-cli.yaml b/demos/openshift-install/conjur-cli.yaml
new file mode 100644
index 00000000..7897361d
--- /dev/null
+++ b/demos/openshift-install/conjur-cli.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: conjur-cli
+ labels:
+ app: conjur-cli
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: conjur-cli
+ template:
+ metadata:
+ name: conjur-cli
+ labels:
+ app: conjur-cli
+ spec:
+ serviceAccountName: default
+ containers:
+ - name: conjur-cli
+ image: cyberark/conjur-cli:5-latest
+ imagePullPolicy: IfNotPresent
+ command: ["sleep"]
+ args: ["infinity"]
+ imagePullSecrets:
+ - name: dockerpullsecret
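Review bot: `imagePullSecrets` references `dockerpullsecret` at L345, but nothing in this commit creates that secret (installer.sh only runs `oc create -f conjur-cli.yaml`); if it is expected to pre-exist, the README should say so, otherwise drop the reference since `cyberark/conjur-cli` is a public image. `5-latest` with `imagePullPolicy: IfNotPresent` at L340-L341 means the CLI version depends on whatever the node has cached; pinning a release tag keeps the demo reproducible.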
diff --git a/demos/openshift-install/conjur_scripts/cert_script.sh b/demos/openshift-install/conjur_scripts/cert_script.sh
new file mode 100755
index 00000000..8238e53e
--- /dev/null
+++ b/demos/openshift-install/conjur_scripts/cert_script.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -e
+AUTHENTICATOR_ID=$2
+CONJUR_ACCOUNT=$1
+
+# Generate OpenSSL private key
+openssl genrsa -out ca.key 2048
+
+CONFIG="
+[ req ]
+distinguished_name = dn
+x509_extensions = v3_ca
+[ dn ]
+[ v3_ca ]
+basicConstraints = critical,CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+"
+
+# Generate root CA certificate
+openssl req -x509 -new -nodes -key ca.key -sha1 -days 3650 -set_serial 0x0 -out ca.cert \
+ -subj "/CN=conjur.authn-k8s.$AUTHENTICATOR_ID/OU=Conjur Kubernetes CA/O=$CONJUR_ACCOUNT" \
+ -config <(echo "$CONFIG")
+
+# Verify cert
+openssl x509 -in ca.cert -text -noout &> /dev/null
+
+# Load variable values
+conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/ca/key "$(cat ca.key)"
+conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/ca/cert "$(cat ca.cert)"
+
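Review bot: The root CA certificate is signed with `-sha1` at L372; SHA-1 is no longer accepted for certificate signatures by current TLS stacks, so use `-sha256`, and `-set_serial 0x0` should go as well since RFC 5280 requires a positive serial number (omit the flag and let openssl generate one). After the two `conjur variable values add` calls at L380-L381 the private key `ca.key` is left on the CLI pod's filesystem even though Conjur is now the store of record; add `rm -f ca.key ca.cert` at the end. Passing the key body as a command-line argument via `"$(cat ca.key)"` also exposes it to anything that can list processes in the pod; if the CLI version in use reads the value from stdin when it is omitted, `conjur variable values add ... < ca.key` avoids that.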
diff --git a/demos/openshift-install/docker-compose.yml b/demos/openshift-install/docker-compose.yml
new file mode 100755
index 00000000..f2f74369
--- /dev/null
+++ b/demos/openshift-install/docker-compose.yml
@@ -0,0 +1,16 @@
+version: '2'
+services:
+
+ database:
+ image: postgres:9.4
+ container_name: postgres_database
+
+ conjur:
+ image: cyberark/conjur
+ container_name: conjur_server
+ command: server
+ environment:
+ DATABASE_URL: postgres://postgres@database/postgres
+ CONJUR_DATA_KEY:
+ depends_on: [ database ]
+
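Review bot: `image: cyberark/conjur` at L397 carries no tag, and installer.sh uses this compose file only to run `conjur data-key generate` with `--no-deps`; pin the tag to the Conjur release the helm chart deploys (the chart itself is pinned to 1.3.8 in installer.sh) so the data key is produced by a known version. The `database` service and the `DATABASE_URL`/`CONJUR_DATA_KEY` environment at L392-L403 are never exercised by that invocation, so they are dead configuration here and `postgres:9.4` is an end-of-life release if anyone does bring it up.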
diff --git a/demos/openshift-install/installer.sh b/demos/openshift-install/installer.sh
new file mode 100755
index 00000000..2faa3819
--- /dev/null
+++ b/demos/openshift-install/installer.sh
@@ -0,0 +1,200 @@
+#!/bin/bash
+
+#set -x
+set -e
+
+OPENSHIFT_URL=
+PROJECT_NAME=
+ACCOUNT_NAME=myaccount
+AUTHENTICATOR=myauthenticator
+
+function validate_app {
+ APPNAME=$1
+ CHECK_APP=$( which $APPNAME )
+ if [ -z "$CHECK_APP" ]
+ then
+ echo "Please install $APPNAME"
+ exit 1
+ fi
+}
+
+function validate {
+ validate_app helm
+ validate_app oc
+ validate_app docker
+ validate_app docker-compose
+ validate_app awk
+ validate_app openssl
+ validate_app keytool
+}
+
+function install {
+
+ oc login $OPENSHIFT_URL
+ oc adm prune images
+ echo "Creating project $PROJECT_NAME"
+
+ oc new-project $PROJECT_NAME
+
+ TOKEN=$( oc whoami -t )
+
+ DATA_KEY=$( docker-compose run --no-deps --rm conjur data-key generate )
+
+ oc get is
+ echo "Installing Conjur OSS application on OpenShift"
+ oc delete ClusterRole conjur-oss-conjur-authenticator --ignore-not-found
+ oc delete ClusterRoleBinding conjur-oss-conjur-authenticator --ignore-not-found
+
+
+ cat templates/custom-values.yaml | sed s/'{{ AUTHENTICATOR }}'/$AUTHENTICATOR/g | sed s/'{{ ACCOUNT_NAME }}'/$ACCOUNT_NAME/g > custom-values.yaml.tmp
+
+ cat custom-values.yaml.tmp | awk "{gsub(/{{ DATA_KEY }}/,\"$DATA_KEY\")}1" > custom-values.yaml
+ rm -rf custom-values.yaml.tmp
+ ##cat custom-values.yaml
+ echo "Installing conjur-oss"
+ helm install conjur-oss -f custom-values.yaml https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v1.3.8/conjur-oss-1.3.8.tgz &> /dev/null
+ echo "Installation done"
+ oc adm policy add-scc-to-user anyuid "system:serviceaccount:$PROJECT_NAME:default" &> /dev/null
+
+ CONJUR_OSS_POD_LINE=$( oc get pods | grep conjur-oss | (head -n1 && tail -n1) )
+
+ CONJUR_OSS_POD=$( echo "$CONJUR_OSS_POD_LINE" | awk '{print $1}' )
+
+ for i in {1..50}
+ do
+ CONTAINERS_STATUS=$( oc get pods | grep conjur-oss | (head -n1 && tail -n1) | awk '{print $2}' )
+
+ if [ "$CONTAINERS_STATUS" == "2/2" ]; then
+ break
+ fi
+ echo "Waiting for conjur pod to be up..."
+ sleep 2
+ done
+
+ oc get pods
+
+ if [ "$CONTAINERS_STATUS" != "2/2" ]; then
+ echo "Conjur pod did not come up properly - exiting"
+ exit 1
+ fi
+
+ echo "Create account"
+ CONJUR_OUTPUT_INIT=$( oc exec "$CONJUR_OSS_POD" --container=conjur-oss conjurctl account create $ACCOUNT_NAME )
+ API_KEY=$( echo "$CONJUR_OUTPUT_INIT" | grep "API key" | awk '{print $5}' )
+ echo "Create CLI pod"
+ oc create -f conjur-cli.yaml
+
+}
+
+function config {
+
+ echo "Creating basic configuration to Conjur"
+ CONJUR_CLI_POD=$( oc get pods | grep conjur-cli | (head -n1 && tail -n1) | cut -f 1 -d " " )
+
+ mkdir -p policy
+
+ echo -e "admin\n$API_KEY" > policy/authnInput
+
+ cat templates/policy-hosts-to-authenticate.yaml | sed s/'{{ AUTHENTICATOR }}'/$AUTHENTICATOR/g | sed s/'{{ PROJECT_NAME }}'/$PROJECT_NAME/g > policy/policy-hosts-to-authenticate.yaml
+
+ cat templates/policy-for-webservice.yaml | sed s/'{{ AUTHENTICATOR }}'/$AUTHENTICATOR/g > policy/policy-for-webservice.yaml
+
+ cat templates/policy-for-variables.yaml | sed s/'{{ AUTHENTICATOR }}'/$AUTHENTICATOR/g | sed s/'{{ PROJECT_NAME }}'/$PROJECT_NAME/g > policy/policy-for-variables.yaml
+
+ echo "Load conjur policy"
+
+ oc rsync policy "$CONJUR_CLI_POD":/
+ oc rsync conjur_scripts "$CONJUR_CLI_POD":/
+
+ oc exec -it "$CONJUR_CLI_POD" conjur init <<< "https://conjur-oss
+yes
+$ACCOUNT_NAME
+y
+"
+ oc exec -it "$CONJUR_CLI_POD" conjur authn login < policy/authnInput
+
+ oc exec -it "$CONJUR_CLI_POD" conjur policy load root policy/policy-hosts-to-authenticate.yaml
+ oc exec -it "$CONJUR_CLI_POD" conjur policy load root policy/policy-for-webservice.yaml
+ oc exec -it "$CONJUR_CLI_POD" conjur policy load root policy/policy-for-variables.yaml
+ oc exec -it "$CONJUR_CLI_POD" conjur variable values add variables/mypassword 123
+
+ echo "Create certificate"
+ oc exec -it "$CONJUR_CLI_POD" ./conjur_scripts/cert_script.sh $ACCOUNT_NAME $AUTHENTICATOR
+ oc exec -it "$CONJUR_CLI_POD" cat /root/conjur-$ACCOUNT_NAME.pem > conjur-cert.pem
+ oc delete --ignore-not-found=true configmap conjur-cert
+ ssl_certificate=$(cat conjur-cert.pem )
+ oc create configmap conjur-cert --from-literal=ssl-certificate="$ssl_certificate"
+
+ oc delete --ignore-not-found=true configmap conjur-cert-java
+ oc create configmap conjur-cert-java --from-file=ssl-certificate=conjur-cert.pem
+}
+
+usage()
+{
+ cat << EOF
+
+ Installs Conjur with Conjut CLI on OpenShift
+
+ Usage: installer.sh [options]
+
+ -h, --help Shows this help message
+ --ocp-url OpenShift URL (mandatory)
+ --with-config Basic configuration should be added
+ --project-name OpenShift project name (mandatory)
+ --account-name Conjur account name (mandatory)
+ --authenticator Conjur authenticator (mandatory)
+EOF
+}
+
+DO_CONFIG=0
+while [ "$1" != "" ]; do
+ case $1 in
+ --with-config ) DO_CONFIG=1
+ ;;
+ --ocp-url ) shift
+ OPENSHIFT_URL=$1
+ ;;
+ --project-name ) shift
+ PROJECT_NAME=$1
+ ;;
+ --account-name ) shift
+ ACCOUNT_NAME=$1
+ ;;
+ --authenticator ) shift
+ AUTHENTICATOR=$1
+ ;;
+ -h | --help ) usage
+ exit
+ ;;
+ * ) usage
+ exit 1
+ esac
+ shift
+done
+
+if [ "$OPENSHIFT_URL" == "" ]; then
+ echo "Missing value in --ocp-url - exiting"
+ exit 1
+fi
+
+if [ "$PROJECT_NAME" == "" ]; then
+ echo "Missing value in --project-name - exiting"
+ exit 1
+fi
+
+validate
+
+install
+
+if [ "$DO_CONFIG" == "1" ]; then
+ config
+fi
+
+#rm -rf conjur-cert.crt
+#rm -rf conjur-cert.pem
+rm -rf custom-values.yaml
+rm -rf policy
+
+echo "Installation done"
+
+
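Review bot: `config` writes the admin API key to `policy/authnInput` at L506 and then rsyncs the whole `policy` directory into the CLI pod at L516, so the admin credentials persist at `/policy/authnInput` inside the pod for its lifetime; the local copy is removed only on the success path at L606, and the same applies to `custom-values.yaml`, which holds the data key in clear text and survives any early `set -e` exit. Writing the credential file outside `policy/` (a `mktemp` path) and installing an `EXIT` trap for the cleanup fixes both. `helm install ... &> /dev/null` at L465 discards the one output that explains a failed install; `set -e` will still abort, but with no message, so keep at least stderr.
```bash
# Remove templated values (contain the data key) and policy files even on early exit.
trap 'rm -f "$AUTHN_INPUT"; rm -rf custom-values.yaml policy' EXIT
# … unchanged: validate_app, validate, install …
function config {
    # … unchanged: CONJUR_CLI_POD lookup, mkdir -p policy …
    # Kept outside policy/ so the admin credentials are not rsynced into the pod.
    AUTHN_INPUT=$(mktemp)
    echo -e "admin\n$API_KEY" > "$AUTHN_INPUT"
    # … unchanged: policy templating, oc rsync, conjur init …
    oc exec -it "$CONJUR_CLI_POD" conjur authn login < "$AUTHN_INPUT"
    rm -f "$AUTHN_INPUT"
    # … unchanged: policy loads, certificate creation, configmaps …
}
```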
diff --git a/demos/openshift-install/java-client-installer.sh b/demos/openshift-install/java-client-installer.sh
new file mode 100755
index 00000000..97927633
--- /dev/null
+++ b/demos/openshift-install/java-client-installer.sh
@@ -0,0 +1,136 @@
+#!/bin/bash
+
+#set -x
+set -e
+
+OPENSHIFT_URL=
+PROJECT_NAME=
+ACCOUNT_NAME=myaccount
+AUTHENTICATOR=myauthenticator
+DEPLOYMENT_NAME=conjur-java-api-example
+
+function validate_app {
+ APPNAME=$1
+ CHECK_APP=$( which $APPNAME )
+ if [ -z "$CHECK_APP" ]
+ then
+ echo "Please install $APPNAME"
+ exit 1
+ fi
+}
+
+function validate {
+ validate_app helm
+ validate_app oc
+ validate_app docker
+ validate_app docker-compose
+ validate_app awk
+ validate_app openssl
+ validate_app keytool
+}
+
+function install {
+
+ echo "entering project $PROJECT_NAME"
+ oc project $PROJECT_NAME
+
+ echo "Pods originally running:"
+ oc get pods
+
+ TOKEN=$( oc whoami -t )
+
+ echo "Pushing java client docker image to openshift"
+ docker tag conjur-java-client:latest $DOCKER_URL/$PROJECT_NAME/conjur-java-client:latest
+ docker login $DOCKER_URL -u _ -p $TOKEN
+ docker push $DOCKER_URL/$PROJECT_NAME/conjur-java-client:latest
+
+ oc get is
+
+ echo "Running Conjur Java Client in OpenShift"
+ cat templates/conjur-java-api-example.yaml | sed s/'{{ AUTHENTICATOR }}'/$AUTHENTICATOR/g | sed s/'{{ ACCOUNT_NAME }}'/$ACCOUNT_NAME/g | sed s/'{{ DEPLOYMENT_NAME }}'/$DEPLOYMENT_NAME/g | sed s/'{{ PROJECT_NAME }}'/$PROJECT_NAME/g > conjur-java-api-example.yaml
+ oc create -f conjur-java-api-example.yaml
+
+}
+
+usage()
+{
+ echo "usage: installer [[[--ocp-url url ] [--docker-url url ] [--project-name project] [--account-name account] [--authenticator authenticator]] | [-h]]"
+
+cat << EOF
+
+ Installs Conjur with Conjut CLI on OpenShift
+
+ Usage: installer.sh [options]
+
+ -h, --help Shows this help message
+ --ocp-url OpenShift URL (mandatory)
+ --docker-url Docker URL (mandatory)
+ --project-name OpenShift project name (mandatory)
+ --account-name Conjur account name (mandatory)
+ --authenticator Conjur authenticator (mandatory)
+EOF
+}
+
+DO_CONFIG=0
+while [ "$1" != "" ]; do
+ case $1 in
+ --ocp-url ) shift
+ OPENSHIFT_URL=$1
+ ;;
+ --docker-url ) shift
+ DOCKER_URL=$1
+ ;;
+ --project-name ) shift
+ PROJECT_NAME=$1
+ ;;
+ --account-name ) shift
+ ACCOUNT_NAME=$1
+ ;;
+ --authenticator ) shift
+ AUTHENTICATOR=$1
+ ;;
+ -h | --help ) usage
+ exit
+ ;;
+ * ) usage
+ exit 1
+ esac
+ shift
+done
+
+if [ "$OPENSHIFT_URL" == "" ]; then
+ echo "Missing value in --ocp-url - exiting"
+ exit 1
+fi
+
+if [ "$PROJECT_NAME" == "" ]; then
+ echo "Missing value in --project-name - exiting"
+ exit 1
+fi
+
+validate
+
+install
+
+CONJUR_JAVA_API_POD_LINE=$( oc get pods | grep conjur-java-api-example | (head -n1 && tail -n1) )
+
+CONJUR_JAVA_API_POD=$( echo "$CONJUR_JAVA_API_POD_LINE" | awk '{print $1}' )
+
+for i in {1..50}
+do
+ CONTAINERS_STATUS=$( oc get pods | grep conjur-java-api-example | (head -n1 && tail -n1) | awk '{print $2}' )
+
+ if [ "$CONTAINERS_STATUS" == "2/2" ]; then
+ break
+ fi
+ echo "Waiting for the Java client pod to start..."
+ sleep 2
+done
+
+oc get pods
+
+rm -rf conjur-java-api-example.yaml
+
+echo "Installation done"
+
+
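Review bot: `docker login $DOCKER_URL -u _ -p $TOKEN` at L660 passes the OpenShift session token on the command line, where it is visible in the process list and in docker's own warning output; use `echo "$TOKEN" | docker login "$DOCKER_URL" -u _ --password-stdin`. `DOCKER_URL` is documented as mandatory at L683 but never validated, so an empty value yields a malformed tag at L659 and a login against the default registry; add a check mirroring the `--ocp-url` one at L717-L720. The wait loop at L735-L744 has no failure branch, unlike installer.sh, so the script prints "Installation done" even when the pod never reached `2/2`; add `if [ "$CONTAINERS_STATUS" != "2/2" ]; then echo "Java client pod did not come up - exiting"; exit 1; fi` after `oc get pods`. `validate` at L638-L646 requires helm, docker-compose, openssl and keytool, none of which this script uses, and the `usage` text at L677-L679 is copied from installer.sh and describes the wrong script.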
diff --git a/demos/openshift-install/templates/conjur-java-api-example.yaml b/demos/openshift-install/templates/conjur-java-api-example.yaml
new file mode 100644
index 00000000..0d2f9fe8
--- /dev/null
+++ b/demos/openshift-install/templates/conjur-java-api-example.yaml
@@ -0,0 +1,98 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ DEPLOYMENT_NAME }}
+ labels:
+ app: {{ DEPLOYMENT_NAME }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ DEPLOYMENT_NAME }}
+ template:
+ metadata:
+ name: {{ DEPLOYMENT_NAME }}
+ labels:
+ app: {{ DEPLOYMENT_NAME }}
+ spec:
+ serviceAccountName: default
+ containers:
+ - image: cyberark/conjur-kubernetes-authenticator:latest
+ imagePullPolicy: IfNotPresent
+ name: authenticator
+ env:
+ - name: CONJUR_VERSION
+ value: "5"
+ - name: CONTAINER_MODE
+ value: sidecar
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MY_POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: CONJUR_AUTHN_URL
+ value: https://conjur-oss.{{ PROJECT_NAME }}.svc.cluster.local/authn-k8s/{{ AUTHENTICATOR }}
+ - name: CONJUR_APPLIANCE_URL
+ value: https://conjur-oss.{{ PROJECT_NAME }}.svc.cluster.local
+ - name: CONJUR_ACCOUNT
+ value: {{ ACCOUNT_NAME }}
+ - name: CONJUR_AUTHN_LOGIN
+ value: "host/conjur/authn-k8s/{{ AUTHENTICATOR }}/apps/{{ PROJECT_NAME }}/*/*"
+ - name: CONJUR_SSL_CERTIFICATE
+ valueFrom:
+ configMapKeyRef:
+ name: conjur-cert
+ key: ssl-certificate
+ volumeMounts:
+ - mountPath: /run/conjur
+ name: conjur-access-token
+ - name: my-conjur-java-client
+ image: docker-registry.default.svc:5000/{{ PROJECT_NAME }}/conjur-java-client:latest
+ imagePullPolicy: Always
+ env:
+ - name: CONJUR_AUTHN_URL
+ value: https://conjur-oss.{{ PROJECT_NAME }}.svc.cluster.local/authn-k8s/{{ AUTHENTICATOR }}
+ - name: CONJUR_APPLIANCE_URL
+ value: https://conjur-oss.{{ PROJECT_NAME }}.svc.cluster.local
+ - name: CONJUR_ACCOUNT
+ value: {{ ACCOUNT_NAME }}
+ - name: CONJUR_AUTHN_TOKEN_FILE
+ value: /run/conjur/access-token
+ - name: CONJUR_SSL_CERTIFICATE
+ valueFrom:
+ configMapKeyRef:
+ name: conjur-cert
+ key: ssl-certificate
+ volumeMounts:
+ - mountPath: /run/conjur
+ name: conjur-access-token
+ initContainers:
+ - name: pem-to-truststore
+ image: registry.access.redhat.com/redhat-sso-7/sso71-openshift:1.1-16
+ env:
+ - name: CONJUR_SSL_CERTIFICATE
+ valueFrom:
+ configMapKeyRef:
+ name: conjur-cert-java
+ key: ssl-certificate
+ - name: truststore_jks
+ value: /run/conjur/truststore.jks
+ - name: password
+ value: changeit
+ command: ['/bin/bash']
+ args: ['-c', "echo \"$CONJUR_SSL_CERTIFICATE\" > conjur-cert.pem && openssl x509 -outform der -in conjur-cert.pem -out conjur-cert.crt && echo \"Creating TrustStore file in /run/conjur/truststore.jks\" && keytool -import -noprompt -keystore $truststore_jks -file conjur-cert.crt -storepass changeit -alias ca "]
+ volumeMounts:
+ - mountPath: /run/conjur
+ name: conjur-access-token
+ volumes:
+ - name: conjur-access-token
+ emptyDir:
+ medium: Memory
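Review bot: The authenticator sidecar at L779 is `cyberark/conjur-kubernetes-authenticator:latest` with `imagePullPolicy: IfNotPresent`, so the authenticator version that runs depends on the node's image cache; pin a release tag, as the helm chart is pinned in installer.sh. The client image at L816 hardcodes `docker-registry.default.svc:5000` while java-client-installer.sh pushes to whatever `--docker-url` was given, so a `{{ DOCKER_URL }}` placeholder (or a README note that the two must name the same registry) would avoid pulling from a registry the image was never pushed to. The `password` env at L846-L847 is defined but the `keytool` command at L849 uses the literal `changeit`, so one of the two should go; the truststore only holds a public CA certificate, so the password is not a secret, but a comment saying that would stop the next reader from trying to rotate it.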
diff --git a/demos/openshift-install/templates/custom-values.yaml b/demos/openshift-install/templates/custom-values.yaml
new file mode 100644
index 00000000..41bb4883
--- /dev/null
+++ b/demos/openshift-install/templates/custom-values.yaml
@@ -0,0 +1,15 @@
+authenticators: "authn-k8s/{{ AUTHENTICATOR }},authn"
+dataKey: "{{ DATA_KEY }}"
+account: "{{ ACCOUNT_NAME }}"
+
+image:
+ repository: "cyberark/conjur"
+ tag: "latest"
+ pullPolicy: Always
+
+ssl:
+ hostname: custom.domainname.com
+
+postgres:
+ persistentVolume:
+ create: false
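Review bot: `ssl.hostname: custom.domainname.com` at L873 is a placeholder that does not match the name the clients connect to (`conjur-oss.<project>.svc.cluster.local` in templates/conjur-java-api-example.yaml), so the Java client's hostname verification only passes if the chart also puts the service name into the certificate's SANs — worth confirming, or setting the hostname to the service name explicitly. `tag: "latest"` with `pullPolicy: Always` at L869-L870 means each pod restart may pick a different Conjur release; pin the tag.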
diff --git a/demos/openshift-install/templates/policy-for-variables.yaml b/demos/openshift-install/templates/policy-for-variables.yaml
new file mode 100644
index 00000000..7cc1d6bc
--- /dev/null
+++ b/demos/openshift-install/templates/policy-for-variables.yaml
@@ -0,0 +1,12 @@
+---
+# This policy defines an authn-k8s endpoint, CA creds and a layer for whitelisted identities permitted to authenticate to it
+- !policy
+ id: variables
+ body:
+ - !variable
+ id: mypassword
+
+ - !permit
+ resource: !variable mypassword
+ privilege: [ read, execute ]
+ role: !host /conjur/authn-k8s/{{ AUTHENTICATOR }}/apps/{{ PROJECT_NAME }}/*/*
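Review bot: The header comment at L885 is copied from the webservice policy and describes an authn-k8s endpoint and CA credentials, which this file does not define; replace it with `# Demo variable variables/mypassword, readable by the authn-k8s hosts of the project`. The `!permit` at L892-L895 grants `read, execute` directly to the wildcard host `{{ PROJECT_NAME }}/*/*`; granting to the `/conjur/authn-k8s/{{ AUTHENTICATOR }}/apps` layer instead would keep the variable's access list in one place when the hosts are narrowed later.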
diff --git a/demos/openshift-install/templates/policy-for-webservice.yaml b/demos/openshift-install/templates/policy-for-webservice.yaml
new file mode 100644
index 00000000..4df09d2a
--- /dev/null
+++ b/demos/openshift-install/templates/policy-for-webservice.yaml
@@ -0,0 +1,30 @@
+# This policy defines an authn-k8s endpoint, CA creds and a layer for whitelisted identities permitted to authenticate to it
+- !policy
+ id: conjur/authn-k8s/{{ AUTHENTICATOR }}
+ owner: !group devops
+ annotations:
+ description: Namespace defs for the Conjur cluster in dev
+ body:
+ - !webservice
+ annotations:
+ description: authn service for cluster
+
+# CA cert and key for creating client certificates
+ - !policy
+ id: ca
+ body:
+ - !variable
+ id: cert
+ annotations:
+ description: CA cert for Kubernetes Pods.
+ - !variable
+ id: key
+ annotations:
+ description: CA key for Kubernetes Pods.
+
+ # permit a layer of whitelisted authn ids to call authn service
+ - !permit
+ resource: !webservice
+ privilege: [ read, authenticate ]
+ role: !layer /conjur/authn-k8s/{{ AUTHENTICATOR }}/apps
+
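Review bot: `owner: !group devops` at L905 refers to a group declared only in policy-hosts-to-authenticate.yaml, so this file can only be loaded after that one; installer.sh respects the order but nothing in the file says so — add `# Requires policy-hosts-to-authenticate.yaml (defines !group devops) to be loaded first.` at the top. The description annotation at L907, "Namespace defs for the Conjur cluster in dev", does not describe an authenticator webservice; something like `description: authn-k8s webservice and CA material for the {{ AUTHENTICATOR }} authenticator` would match the content. The comment at L913 sits at column 0 inside the `body` list, which YAML tolerates but which reads as if it ended the block; indent it with the `- !policy` entry it describes.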
diff --git a/demos/openshift-install/templates/policy-hosts-to-authenticate.yaml b/demos/openshift-install/templates/policy-hosts-to-authenticate.yaml
new file mode 100644
index 00000000..8e399678
--- /dev/null
+++ b/demos/openshift-install/templates/policy-hosts-to-authenticate.yaml
@@ -0,0 +1,22 @@
+---
+# This policy defines a layer of whitelisted identities permitted to authenticate to the authn-k8s endpoint.
+- !group devops
+- !policy
+ id: conjur/authn-k8s/{{ AUTHENTICATOR }}/apps
+ owner: !group devops
+ annotations:
+ description: Identities permitted to authenticate
+ body:
+ - !layer
+ annotations:
+ description: Layer of authenticator identities permitted to call authn svc
+ - &hosts
+ - !host
+ id: {{ PROJECT_NAME }}/*/*
+ annotations:
+ kubernetes/authentication-container-name: authenticator
+ openshift: "true"
+
+ - !grant
+ role: !layer
+ members: *hosts
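Review bot: The host id `{{ PROJECT_NAME }}/*/*` at L952 lets any pod in the project that carries a container named `authenticator` obtain a Conjur identity, and policy-for-variables.yaml grants that same wildcard read on the secret; for a demo that is acceptable, but the file should say so, e.g. `# Wildcard host: any pod in the project with an 'authenticator' container may authenticate. Narrow to <namespace>/deployment/<name> for real workloads.` Narrowing it also requires changing `CONJUR_AUTHN_LOGIN` in templates/conjur-java-api-example.yaml, which currently carries the same `*/*` pattern.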