Kubernetes Authenticator Client

This topic describes step-by-step how to enable applications in a Kubernetes environment using a Kubernetes authenticator. It is important to complete each step in the order they are described.

Integrate the Kubernetes Authenticator Client

To enable an application to authenticate with Conjur, the application manifest must be modified to include:

  • The Kubernetes Authenticator Client as either a sidecar or init container

  • A volume mounted to both containers to share the Conjur access token

  • Application environment variables containing connection information for the Conjur appliance

  • Configure the authenticator client container and add the container name to policy

Create service account for your app

If you are using service accounts to authenticate and you have not created one yet, you will need to do so now. The following example assumes that you are using test-app as the name for your service account.

  
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-app

Make sure that this service account name matches both policy for authenticator identities in Conjur as well as manifests below wherever < APP_SERVICE_ACCOUNT_NAME > is used.

Add the authenticator image

The Authenticator Client is a public image available on DockerHub or on Red Hat. It can be added to the manifest as either a sidecar or init container.

To use the authenticator as a sidecar, insert its image spec alongside the application container image spec. See the Sidecar application manifest example .

To use an init container, insert the authenticator spec under the initContainers property of the pod spec. See the Init container application manifest example . The authenticator client must be configured with the following variables:

Parameter

Description
CONTAINER_MODE

The container mode defaults to sidecar; when running in sidecar mode, you may omit this parameter.

For the init container, set this value to init.
MY_POD_NAME

This variable identifies the pod where your application runs. Use the Downward API to insert this information into the manifest. In the example manifests, this value is auto-populated fron the app container info.
MY_POD_NAMESPACE

This variable identifies the pod where your application runs. Use the Downward API to insert this information into the manifest. In the example manifests, this value is auto-populated fron the app container info.
MY_POD_IP

This variable identifies the pod where your application runs. Use the Downward API to insert this information into the manifest. In the example manifests, this value is auto-populated from the app container info.
CONJUR_AUTHN_URL

Specify the credential service used to log into the Follower.

Syntax: https://conjur-follower.<CONJUR_NAMESPACE_NAME>.svc.cluster.local/authn-k8s/<AUTHENTICATOR_ID>.

CONJUR_ACCOUNT

The account name designated to the Conjur appliance during initial configuration. You most likely set this environment variable before running the deployment scripts. If so, you can use $CONJUR_ACCOUNT for the value here. In most default installations, this account name is default but your configuration may vary.

CONJUR_AUTHN_LOGIN

Specify the Conjur host that authenticates to Conjur. Set this value to a host id that is defined in policy.

For more information, see Application Identity in OpenShift/Kubernetes.
CONJUR_SSL_CERTIFICATE

The public SSL certificate value required for connecting to the Conjur follower service.

The SSL certificate is generated during Conjur appliance configuration and stored in a .pem file located in the root folder where Conjur was created. The file name is conjur-account.pem, where account is the account name provided for the Conjur appliance.

We recommend using a ConfigMap to store the value.

For example, use:

  
kubectl create configmap conjur-cert --from-file=ssl-certificate="/path/to/ssl/cert"

The equivalent OpenShift command is:

  
oc create configmap conjur-cert --from-file=ssl-certificate="/path/to/ssl/cert"

The above commands create a ConfigMap that loads the certificate value into it. Now that the certificate value is populated, add the following configuration to the manifest:

  
configMapKeyRef:
    name: conjur-cert        
    key: ssl_certificate

Add a shared volume

The authenticator uses a volume shared with the application container to provide a token to authenticate with Conjur and retrieve secrets. The application manifest should define a memory-only volume and then mount it to /run/conjur on both the application and authenticator containers.

Add Conjur connection information

The application must be configured with environment variables that contain connection information for the Conjur appliance. Add the following variables to the application environment:

Parameter

Description
CONJUR_AUTHN_URL

Specify the credential service used to log into the Follower.

Syntax: https://follower.<CONJUR_NAMESPACE_NAME>.svc.cluster.local/authn-k8s/<AUTHENTICATOR_ID>.

CONJUR_ACCOUNT

The account name designated to the Conjur appliance during initial configuration. You most likely set this environment variable before running the deployment scripts. If so, you can use $CONJUR_ACCOUNT for the value here. In most default installations, this account name is default but your configuration may vary.

CONJUR_AUTHN_TOKEN_FILE

Identifies the complete path and filename where the authentication container should write the Conjur access token that it obtains on behalf of the application.
CONJUR_SSL_CERTIFICATE

The public SSL certificate value required for connecting to the Conjur follower service. We recommend using a ConfigMap to store the value.

The SSL certificate is generated during Conjur appliance configuration and stored in a .pem file located in the root folder where Conjur was created. The file name is conjur-account.pem, where account is the account name provided for the Conjur appliance.

For example, use:

  
kubectl create configmap conjur-cert --from-file=ssl-certificate="/path/to/ssl/cert"

The equivalent OpenShift command is:

  
oc create configmap conjur-cert --from-file=ssl-certificate="/path/to/ssl/cert"

The above commands create a ConfigMap that loads the certificate value into it:

  
configMapKeyRef:
    name: conjur-cert        #ConfigMap name
    key: ssl_certificate  #the key into the ConfigMap

Configure the authenticator client container name

 

In pre-v5.2.4 deployments, the container name must be the value authenticator. Starting with v5.2.4, there are no restrictions on the authenticator client container name.

Assign the authenticator client container name in the application manifest, in the -image section for the authenticator client. Here is the relevant section in the manifest:

  
- image: cyberark/conjur-authn-k8s-client
   imagePullPolicy: Always
   name: <AUTHENTICATOR_CLIENT_CONTAINER_NAME>

The container name that you assign here must match the one defined in the host's authn-k8s/authentication-container-name annotation, as described in Define Kubernetes Resources as DAP identities.

This is an example application manifest describing the changes needed for configuration as a sidecar. Some details unrelated to authenticator configuration may vary based on your environment type or version.

Replace the variables in < > with values:

  
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-app
  name: test-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      serviceAccountName: < APP_SERVICE_ACCOUNT_NAME >
      containers:
      - image: < TEST_APP_DOCKER_IMAGE >
        imagePullPolicy: Always
        name: test-app
        ports:
        - containerPort: 8080
        env:
          - name: CONJUR_APPLIANCE_URL
            value: "< CONJUR_APPLIANCE_URL >"
          - name: CONJUR_ACCOUNT
            value: < CONJUR_ACCOUNT >
          - name: CONJUR_AUTHN_TOKEN_FILE
            value: /run/conjur/access-token
          - name: CONJUR_SSL_CERTIFICATE
            valueFrom:
              configMapKeyRef:
                name: < CONFIG_MAP_NAME >
                key: ssl-certificate
        volumeMounts:
          - mountPath: /run/conjur
            name: conjur-access-token
            readOnly: true
      - image: cyberark/conjur-authn-k8s-client
        imagePullPolicy: Always
        name: <AUTHENTICATOR_CLIENT_CONTAINER_NAME>
        env:
          - name: MY_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: MY_POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: MY_POD_IP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
          - name: CONJUR_AUTHN_URL
            value: "< CONJUR_AUTHN_URL >"
          - name: CONJUR_ACCOUNT
            value: < CONJUR_ACCOUNT >
          - name: CONJUR_AUTHN_LOGIN
            value: "< CONJUR_AUTHN_LOGIN >"
          - name: CONJUR_SSL_CERTIFICATE
            valueFrom:
              configMapKeyRef:
                name: < CONFIG_MAP_NAME >
                key: ssl-certificate
        volumeMounts:
          - mountPath: /run/conjur
            name: conjur-access-token
      imagePullSecrets:
        - name: dockerpullsecret
      volumes:
        - name: conjur-access-token
          emptyDir:
            medium: Memory

This is an example application manifest describing the changes needed for configuration as an init container. Some details unrelated to authenticator configuration may vary based on your environment type or version.

Replace the variables in < > with values:

  
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-app
  name: test-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      serviceAccountName: < APP_SERVICE_ACCOUNT_NAME >
      containers:
      - image: < TEST_APP_DOCKER_IMAGE >
        imagePullPolicy: always
        name: test-app
        ports:
        - containerPort: 8080
        env:
          - name: CONJUR_APPLIANCE_URL
            value: "< CONJUR_APPLIANCE_URL >"
          - name: CONJUR_ACCOUNT
            value: < CONJUR_ACCOUNT >
          - name: CONJUR_AUTHN_TOKEN_FILE
            value: /run/conjur/access-token
          - name: CONJUR_SSL_CERTIFICATE
            valueFrom:
              configMapKeyRef:
                name: < CONFIG_MAP_NAME >
                key: ssl-certificate
        volumeMounts:
          - mountPath: /run/conjur
            name: conjur-access-token
            readOnly: true
      initContainers:
      - image: cyberark/conjur-authn-k8s-client
        imagePullPolicy: Always
        name: <AUTHENTICATOR_CLIENT_CONTAINER_NAME>
        env:
          - name: CONTAINER_MODE
            value: init
          - name: MY_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: MY_POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: MY_POD_IP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
          - name: CONJUR_AUTHN_URL
            value: "< CONJUR_AUTHN_URL >"
          - name: CONJUR_ACCOUNT
            value: < CONJUR_ACCOUNT >
          - name: CONJUR_AUTHN_LOGIN
            value: "< CONJUR_AUTHN_LOGIN >"
          - name: CONJUR_SSL_CERTIFICATE
            valueFrom:
              configMapKeyRef:
                name: < CONFIG_MAP_NAME >
                key: ssl-certificate
        volumeMounts:
          - mountPath: /run/conjur
            name: conjur-access-token
      imagePullSecrets:
        - name: dockerpullsecret
      volumes:
        - name: conjur-access-token
          emptyDir:
            medium: Memory

Define application policy

Use a Conjur policy to define the following:

  • An identity for our application linked to the authentication identities we defined in Policy for authentication identities

  • Variables to hold the secrets for our application that can be written to by at least one human user and read by our application identity

For each application we use with Conjur, we recommend creating a layer in policy to link an application's identity to the identities that can be used to authenticate to Conjur.

Replace the variables in < > with values:

  
---
- !policy
  id: test-app
  owner: !group devops
  annotations:
    description: This policy connects authn identities to an application identity. It defines a layer named for an application that contains the allowlisted identities that can authenticate to the authn-k8s endpoint. Any permissions granted to the application layer will be inherited by the allowlisted authn identities, thereby granting access to the authenticated identity.
  body:
  - !layer

 # add authn identities to application layer so authn roles inherit app's permissions
  - !grant
    role: !layer
    members:
    - !layer /conjur/authn-k8s/< AUTHENTICATOR_ID >/apps

Finally, we will define the secrets we wish to store in Conjur and the applications that should be granted access. In this sample policy, database credentials are stored in variables and access to these credentials is granted to the application identity layer we defined in the previous step.

  
- !policy
  id: test-summon-init-app-db
  owner: !group devops
  annotations:
    description: This policy contains the creds to access the summon init app DB

  body:
    - &init-variables
      - !variable password
      - !variable url
      - !variable username

    - !permit
      role: !layer /test-app
      privileges: [ read, execute ]
      resources: *init-variables

  1. Save policy as .yml files in a location accessible to the Conjur master.

  2. Log into Conjur.

  3. Load each policy file:

      
    $ conjur policy load  root <policy_for application_identity.yml>

     

    $ conjur policy load root <policy_for application_secrets.yml>

Prepare applications to retrieve secrets

Use either the Conjur API or Summon to enable applications to retrieve secrets from Conjur.

CyberArk Conjur is a tool that reads identifiers for a set of secrets from a secrets.yml file, uses the identifiers with a provider to retrieve the secret values from some source, and injects the secrets into an the environment variables of an application run as a subprocess. The secret values exist only in memory and will be discarded when the process exits.

To retrieve secrets with Summon, both Summon and the summon-conjur provider must be installed into the application container. See our Kubernetes demo repo for an example of how to perform this installation in a Docker container using the installation scripts for the respective tools.

Summon reads the access token it needs to communicate with Conjur from the file specified by the CONJUR_AUTHN_TOKEN_FILE variable in the application's environment, which will need to be specified in the application manifest. The file is not immediately available but Summon will wait gracefully until the file exists before retrieving secrets.

Summon reads the identifiers for the secrets that an application needs from a secrets.yml file.

The following is an example of a secrets.yml file showing multiple types of allowed entries.

  
DB_USERNAME: !var my-app/db/username
DB_PASSWORD: !var my-app/db/password
REGION: us-east-1
SSL_CERT: !var:file ssl/certs/private

  • Lines 1 and 2 specify variables with pathnames containing a secret. In this case, assume that a policy with an id of my-app was loaded into Conjur.

  • Line 3 specifies a literal string for the secret.

  • Line 4 specifies a variable that is a file containing the secret. The contents of the file would also be retrieved from Conjur.

Conjur provides client libraries in a variety of languages that can be integrated into an application to facilitate secret retrieval:

The access token retrieved by the Kubernetes authenticator client is written to the volume shared with the application container at /run/conjur/access-token. This file can be read and used with the client libraries to talk to Conjur. The token will not be available until the authenticator client completes the authentication process so you will need to write logic that waits until the file is available before configuring the client.

 

The token is not be available until the authenticator client performs its authentication process, so the application will need to wait until the file is available before making REST requests.

Using API calls, the application gets the access token from the shared volume (/run/conjur/access-token), authenticates to Conjur, and then requests secrets.

The access token may not be available immediately on application startup. The application may need to wait for the volume to mount, the authentication to occur, and the access token to be written into the shared file.

 

The conjur-api-go API handles the wait gracefully and seamlessly.

For other APIs, the application containers should check for the file on startup and retry until the file exists.

Additional resources

  • See DockerHub for more information about the API and the access token. The same sidecar is used for both Kubernetes and OpenShift integrations.

  • See our demo repository for examples of complete Conjur deployments and test applications that use the API to get secrets from Conjur.

The application can use the access token provided by the Kubernetes authenticator to retrieve secrets from the Conjur REST API. The token will need to be included in the Authorization header when making a request against the retrieve secret endpoint.

The application can read the access token from the shared volume at /run/conjur/access-token. Note that it will not be available until the authenticator client performs its authentication process, so the application will need to wait until the file is available before making REST requests.

Load initial secret values into Conjur

For each secret defined in an application policy, load the initial secret value. You can use the Conjur API, the UI, or the CLI for this step.

This is an example using the CLI:

  
$ conjur variable value cluster-1/db/password abc$xyz

Start the application

To start the application, use this Kubernetes command:

  
kubectl create -f your-manifest.yaml

The equivalent OpenShift command is:

  
oc create -f your-manifest.yaml

Troubleshooting

This section provides troubleshooting for the Kubernetes Authenticator Client.

Enable debug logs

To enable debug logs, add the debug parameter to the application deployment manifest. For details, see Enable debug logs.

Display logs

To display the Kubernetes Authenticator Client logs:

  1. Make sure you are in the application namespace:

      
    kubectl config set-context <test-app-namespace-name>

  2. Find your pod name:

      
    kubectl get pods

  3. Display the logs:

      
    kubectl logs <pod-name> -c <k8s-authn-client-container>

  1. Make sure you are in the application project:

      
    oc project <project-name>

  2. Find your pod name:

      
    oc get pods

  3. Display the logs:

      
    oc logs <pod-name> -c <k8s-authn-client-container>

Common issues and resolutions

The table below describes common issues and their resolution:

Issue

Error code

Resolution

Conjur client certificate placement has failed

CAKC055

The log message should indicate the error that occurred in the process.