Authenticator Client Error

Conjur
, ,
#1

I have deployed conjur open source and Kubernetes Authenticator as well. While deploying below yaml in cluster i get Authenticator Client Error Logs (mentioned below).

Test yaml Deployed:

apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: test-app
name: test-app
namespace: test-app-namespace
spec:
selector:
matchLabels:
app: test-app
replicas: 1
template:
metadata:
labels:
app: test-app
spec:
serviceAccountName: test-app-sa
containers:
- name: test-app
image: nginx:latest
ports:
- containerPort: 80
envFrom:
- configMapRef:
name: conjur-connect
volumeMounts:
- mountPath: /run/conjur
name: conjur-access-token
readOnly: true
initContainers:
- image: cyberark/conjur-authn-k8s-client
imagePullPolicy: Always
name: authenticator
env:
- name: CONJUR_AUTHN_LOGIN
value: host/test-app
- name: CONTAINER_MODE
value: init
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
envFrom:
- configMapRef:
name: conjur-connect
volumeMounts:
- mountPath: /run/conjur
name: conjur-access-token
- mountPath: /etc/conjur/ssl
name: conjur-client-ssl
volumes:
- name: conjur-access-token
emptyDir:
medium: Memory
- name: conjur-client-ssl
emptyDir:
medium: Memory

Authenticator Client Error Logs:

INFO: 2022/07/31 14:53:28.150378 main.go:19: CAKC048 Kubernetes Authenticator Client v0.23.1-dev starting up…
INFO: 2022/07/31 14:53:28.150541 configuration_factory.go:79: CAKC070 Chosen “authn-k8s” configuration
INFO: 2022/07/31 14:53:28.150732 authenticator_factory.go:31: CAKC075 Chosen “authn-k8s” flow
ERROR: 2022/07/31 14:53:28.327146 client.go:17: CAKC014 Failed to append Conjur CA cert
ERROR: 2022/07/31 14:53:28.327295 main.go:72: CAKC019 Failed to instantiate Authenticator object

https://docs.conjur.org/Latest/en/Content/Integrations/k8s-ocp/k8s-set-up-apps.htm

While setting up the Authenticator using below helm install command, the the CM conjur-configmap data “conjurSslCertificate and conjurSslCertificateBase64” shows empty. I injected the conjurSslCertificate manually so

helm install cluster-prep cyberark/conjur-config-cluster-prep
–namespace cyberark-conjur
–create-namespace
–set conjur.account=“myorg”
–set conjur.applianceUrl=“https://conjur-follower.cyberark-conjur.svc.cluster.local
–set conjur.certificateFilePath=“/fullchain.pem”
–set authnK8s.authenticatorID=“dev-cluster”
–set authnK8s.serviceAccount.name=“authn-k8s-sa”

I injected the conjurSslCertificate manually so that while setting apps (Set up applications (cert-based authentication)) below steps won’t get fail.

helm install namespace-prep cyberark/conjur-config-namespace-prep
–namespace test-apps-namespace
–set authnK8s.goldenConfigMap=“conjur-configmap”
–set authnK8s.namespace=“cyberark-conjur”

This looks with certification issue. Is there anyway to know we are giving the right conjur.certificateFilePath one while helm install cluster-prep or anything other steps to do for configurations.

Thanks in advance

Regards,
Somit

#2

Hi @somitnirmata
Are you seeing any Helm errors? Were you seeing Helm errors to begin with that required setting theconjurSslCertificate manually? When Helm installing with the remote helm repo cyberark/conjur-config-cluster-prep the cert needs to be B64 encoded, and I would expect Helm to give this error - “If you are using helm install with a (remote) chart reference, please use conjur.certficateBase64 instead of conjur.certificateFilePath.”
Are you seeing that error?

Hope this help - Rob

#3

Hi Rob,

Thanks for the reply.

Yes. I see error when i do below helm install, when conjur-configmap has no conjurSslCertificate data. So inorder to avoid this we manullay injected ssl into this

helm install namespace-prep cyberark/conjur-config-namespace-prep
–namespace test-apps-namespace
–set authnK8s.goldenConfigMap=“conjur-configmap”
–set authnK8s.namespace=“cyberark-conjur”

Is it possible for you tell why the conjurSslCertificate: kept empty?
apiVersion: v1
data:
authnK8sAuthenticatorID: dev-cluster
authnK8sClusterRole: conjur-clusterrole
authnK8sNamespace: cyberark-conjur
authnK8sServiceAccount: authn-k8s-sa
conjurAccount: myConjurAccount
conjurApplianceUrl: https://conjur123.lab.nirmata.co
conjurSslCertificate: “”
conjurSslCertificateBase64: “”

Thanks,
Somit

#4

Hi Somit,
Can you try creating the conjur-configmap with base64 encoding ?
So

helm install my-conjur-release . \
     --set conjur.certificateBase64="$(base64 -w0 path/to/conjur.pem)" \
     ...

Rob

#5

Hi Rob,

Tried the above, but gets a syntax error.

helm install cluster-prep cyberark/conjur-config-cluster-prep
–namespace cyberark-conjur
–create-namespace
–set conjur.account=“myConjurAccount”
–set conjur.applianceUrl=“https://url
–set conjur.certificateFilePath=“/Users/somitsebastian/conjur/authenticator-setup-2/pem/conjur.pem”
–set conjur.certificateBase64=“$(base64 -w0 /Users/somitsebastian/conjur/authenticator-setup-2/pem/conjur.pem)”
–set authnK8s.authenticatorID=“dev-cluster”
–set authnK8s.serviceAccount.name=“authn-k8s-sa”
base64: invalid option – w
Usage: base64 [-hvDd] [-b num] [-i in_file] [-o out_file]
-h, --help display this message
-Dd, --decode decodes input
-b, --break break encoded string into num character lines
-i, --input input file (default: “-” for stdin)
-o, --output output file (default: “-” for stdout)
Error: INSTALLATION FAILED: values don’t meet the specifications of the schema(s) in the following chart(s):
conjur-config-cluster-prep:

  • conjur.certificateBase64: String length must be greater than or equal to 1

Its saying base64: invalid option – w and specification error. By any chance you meant base64 -d. In that case I have tried that also and getting specification error:

helm install cluster-prep cyberark/conjur-config-cluster-prep
–namespace cyberark-conjur
–create-namespace
–set conjur.account=“myConjurAccount”
–set conjur.applianceUrl=“https://url
–set conjur.certificateFilePath=“/Users/somitsebastian/conjur/authenticator-setup-2/pem/conjur.pem”
–set conjur.certificateBase64=“$(base64 -d /Users/somitsebastian/conjur/authenticator-setup-2/pem/conjur.pem)”
–set authnK8s.authenticatorID=“dev-cluster”
–set authnK8s.serviceAccount.name=“authn-k8s-sa”
Error: INSTALLATION FAILED: values don’t meet the specifications of the schema(s) in the following chart(s):
conjur-config-cluster-prep:

  • conjur.certificateBase64: Does not match pattern ‘^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$’

  • Somit

#6

Hi Somit,
are you on a Mac? On Linux I have the -w0 option, but I don’t see the -w0 on a mac.

Rob

#7

Also if you download the Helm charts you can use the cert directly, you won’t have to base64 encode if that is an issue.

Rob

#8

Hi Rob,

I was able to resolve the issue using below:

helm install cluster-prep8 cyberark/conjur-config-cluster-prep
–namespace cyberark-conjur
–create-namespace
*–set conjur.certificateBase64=“$(cat fullchain.pem | base64)” *
–set conjur.account=“myConjurAccount”
–set conjur.applianceUrl=“https://conjur123.lab.nirmata.co
–set authnK8s.authenticatorID=“dev-cluster”
–set authnK8s.serviceAccount.name=“authn-k8s-sa”

Since I was using Mac I used --set conjur.certificateBase64=“$(cat fullchain.pem | base64)”.

Now I have data populated in conjurSslCertificate & conjurSslCertificateBase64. Also created a ConfigMap and a RoleBinding in the test-app-namespace namespace using details from the Golden ConfigMap, conjur-configmap which is located in the cyberark-conjur namespace
helm install namespace-prep cyberark/conjur-config-namespace-prep
–namespace test-apps-namespace
–create-namespace
–set authnK8s.goldenConfigMap=“conjur-configmap”
–set authnK8s.namespace=“cyberark-conjur”

As the next time I tried deploying the deployment file where I get auth error. Before the deploy I have setup policies and secrets as mentioned in the doc.

https://docs.conjur.org/Latest/en/Content/Integrations/k8s-ocp/cjr-k8s-authn-client-authk8s.htm?tocpath=Integrations|OpenShift%252FKubernetes|App%20owner%253A%20Set%20up%20workloads%20in%20Kubernetes|Set%20up%20workloads%20(cert-based%20authn)|_____1#Step5

Auth Error shows in authenticator container:
ERROR: 2022/09/16 11:19:21.047049 main.go:49: CAKC016 Failed to authenticate
INFO: 2022/09/16 11:19:29.549622 authenticator.go:84: CAKC040 Authenticating as user ‘host/test-app’
ERROR: 2022/09/16 11:19:29.698850 authenticator.go:185: CAKC029 Received invalid response to certificate signing request. Reason: status code 401,
ERROR: 2022/09/16 11:19:29.698937 authenticator.go:271: CAKC015 Login failed

Manifest File:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: test-app
name: test-app
namespace: test-apps-namespace
spec:
selector:
matchLabels:
app: test-app
replicas: 1
template:
metadata:
labels:
app: test-app
spec:
serviceAccountName: test-app-sa
containers:
- name: test-app
image: nginx:latest
ports:
- containerPort: 8080
envFrom:
- configMapRef:
name: conjur-connect
volumeMounts:
- mountPath: /run/conjur
name: conjur-access-token
readOnly: true
initContainers:
- image: cyberark/conjur-authn-k8s-client
imagePullPolicy: Always
name: authenticator
env:
- name: CONJUR_AUTHN_LOGIN
value: host/test-app
- name: CONTAINER_MODE
value: init
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
envFrom:
- configMapRef:
name: conjur-connect
volumeMounts:
- mountPath: /run/conjur
name: conjur-access-token
- mountPath: /etc/conjur/ssl
name: conjur-client-ssl
volumes:
- name: conjur-access-token
emptyDir:
medium: Memory
- name: conjur-client-ssl
emptyDir:
medium: Memory

The input for conjur.certificateBase64 is same as my-conjur-oss-conjur-ssl-cert tls.crt

#9

Hi Team,

Can anyone help with the above query?

Thanks in advance

  • Somit
#10

Hi Somit, The manifest looks give like the example. Did you try setting the CONJUR_LOG_LEVEL env variable to debug? If you used the conjur-oss helm chart you can set the env variable in conjur-oss/values.yaml. That might get a better hint of why it is failing.

#11

Hi Rob,
Please see the logs file of conjur-oss after setting the CONJUR_LOG_LEVEL to debug:
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:26:in block in call' [origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/activesupport-5.2.4.4/lib/active_support/tagged_logging.rb:71:in block in tagged’
e[1me[35mSequel::Postgres::Database (2.7ms)e[0m SELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/activesupport-5.2.4.4/lib/active_support/tagged_logging.rb:28:in `tagged’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/activesupport-5.2.4.4/lib/active_support/tagged_logging.rb:71:in `tagged’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:26:in `call’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/request_id.rb:27:in `call’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/rack-2.2.3/lib/rack/method_override.rb:24:in `call’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/rack-2.2.3/lib/rack/runtime.rb:22:in `call’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/activesupport-5.2.4.4/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb:14:in `call’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/static.rb:127:in `call’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in `call’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/conjur-rack-heartbeat-2.2.0/lib/rack/heartbeat.rb:20:in `call’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /opt/conjur-server/lib/rack/remove_request_parameters.rb:26:in `call’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /opt/conjur-server/lib/rack/default_content_type.rb:68:in `call’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/railties-5.2.4.4/lib/rails/engine.rb:524:in `call’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/puma-3.12.6/lib/puma/configuration.rb:227:in `call’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/puma-3.12.6/lib/puma/server.rb:706:in `handle_request’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/puma-3.12.6/lib/puma/server.rb:476:in `process_client’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/puma-3.12.6/lib/puma/server.rb:334:in `block in run’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] /var/lib/ruby/lib/ruby/gems/2.5.0/gems/puma-3.12.6/lib/puma/thread_pool.rb:135:in `block in spawn_thread’
e[1me[36mSequel::Postgres::Database (45.8ms)e[0m e[1m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)
e[0m
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] e[1me[36mSequel::Postgres::Database (1.5ms)e[0m e[1mROLLBACKe[0m
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] ApplicationController::Unauthorized
/opt/conjur-server/app/controllers/authenticate_controller.rb:192:in handle_authentication_error' /opt/conjur-server/app/controllers/authenticate_controller.rb:134:in rescue in k8s_inject_client_cert’
/opt/conjur-server/app/controllers/authenticate_controller.rb:120:in k8s_inject_client_cert' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_controller/metal/basic_implicit_render.rb:6:in send_action’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/abstract_controller/base.rb:194:in process_action' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_controller/metal/rendering.rb:30:in process_action’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/abstract_controller/callbacks.rb:42:in block in process_action' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:109:in block in run_callbacks’
/opt/conjur-server/app/controllers/application_controller.rb:74:in block in run_with_transaction' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/sequel-4.49.0/lib/sequel/database/transactions.rb:224:in _transaction’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/sequel-4.49.0/lib/sequel/database/transactions.rb:199:in block in transaction' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/sequel-4.49.0/lib/sequel/database/connecting.rb:301:in block in synchronize’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/sequel-4.49.0/lib/sequel/connection_pool/threaded.rb:107:in hold' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/sequel-4.49.0/lib/sequel/database/connecting.rb:301:in synchronize’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/sequel-4.49.0/lib/sequel/database/transactions.rb:165:in transaction' /opt/conjur-server/app/controllers/application_controller.rb:73:in run_with_transaction’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:118:in block in run_callbacks' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:136:in run_callbacks’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/abstract_controller/callbacks.rb:41:in process_action' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_controller/metal/rescue.rb:22:in process_action’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_controller/metal/instrumentation.rb:34:in block in process_action' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:168:in block in instrument’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/activesupport-5.2.4.4/lib/active_support/notifications/instrumenter.rb:23:in instrument' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:168:in instrument’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_controller/metal/instrumentation.rb:32:in process_action' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_controller/metal/params_wrapper.rb:256:in process_action’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/abstract_controller/base.rb:134:in process' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionview-5.2.4.4/lib/action_view/rendering.rb:32:in process’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_controller/metal.rb:191:in dispatch' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_controller/metal.rb:252:in dispatch’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/route_set.rb:52:in dispatch' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/route_set.rb:34:in serve’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/journey/router.rb:52:in block in serve' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/journey/router.rb:35:in each’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/journey/router.rb:35:in serve' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/route_set.rb:840:in call’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/conjur-rack-4.2.0/lib/conjur/rack/authenticator.rb:89:in call' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in call’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/rack-2.2.3/lib/rack/etag.rb:27:in call' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/rack-2.2.3/lib/rack/conditional_get.rb:40:in call’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/rack-2.2.3/lib/rack/head.rb:12:in call' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/http/content_security_policy.rb:18:in call’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in context' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in call’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb:670:in call' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/callbacks.rb:28:in block in call’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:98:in run_callbacks' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/callbacks.rb:26:in call’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/debug_exceptions.rb:61:in call' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/show_exceptions.rb:33:in call’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:38:in call_app' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:26:in block in call’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/activesupport-5.2.4.4/lib/active_support/tagged_logging.rb:71:in block in tagged' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/activesupport-5.2.4.4/lib/active_support/tagged_logging.rb:28:in tagged’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/activesupport-5.2.4.4/lib/active_support/tagged_logging.rb:71:in tagged' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:26:in call’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/request_id.rb:27:in call' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/rack-2.2.3/lib/rack/method_override.rb:24:in call’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/rack-2.2.3/lib/rack/runtime.rb:22:in call' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/activesupport-5.2.4.4/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in call’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb:14:in call' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/static.rb:127:in call’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in call' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/conjur-rack-heartbeat-2.2.0/lib/rack/heartbeat.rb:20:in call’
/opt/conjur-server/lib/rack/remove_request_parameters.rb:26:in call' /opt/conjur-server/lib/rack/default_content_type.rb:68:in call’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/railties-5.2.4.4/lib/rails/engine.rb:524:in call' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/puma-3.12.6/lib/puma/configuration.rb:227:in call’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/puma-3.12.6/lib/puma/server.rb:706:in handle_request' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/puma-3.12.6/lib/puma/server.rb:476:in process_client’
/var/lib/ruby/lib/ruby/gems/2.5.0/gems/puma-3.12.6/lib/puma/server.rb:334:in block in run' /var/lib/ruby/lib/ruby/gems/2.5.0/gems/puma-3.12.6/lib/puma/thread_pool.rb:135:in block in spawn_thread’
[origin=192.168.236.147] [request_id=ba7dece8-aca4-4e4e-832d-2e4498435a2f] [tid=40] Completed 401 Unauthorized in 88ms
e[1me[35mSequel::Postgres::Database (30.4ms)e[0m SELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (1.7ms)e[0m e[1mSELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (6.6ms)e[0m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)

e[1me[36mSequel::Postgres::Database (2.9ms)e[0m e[1mSELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (2.7ms)e[0m SELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (13.8ms)e[0m e[1m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)
e[0m
e[1me[35mSequel::Postgres::Database (5.6ms)e[0m SELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (4.8ms)e[0m e[1mSELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (5.6ms)e[0m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)

e[1me[36mSequel::Postgres::Database (1.3ms)e[0m e[1mSELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (1.8ms)e[0m SELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (4.5ms)e[0m e[1m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)
e[0m
e[1me[35mSequel::Postgres::Database (1.2ms)e[0m SELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1
[origin=10.10.1.212] [request_id=b174f32b-4746-4da2-8bd2-1a9260231855] [tid=45] Started GET “/” for 10.10.1.212 at 2022-09-27 10:10:37 +0000
[origin=10.10.1.212] [request_id=b174f32b-4746-4da2-8bd2-1a9260231855] [tid=45] Processing by StatusController#index as /
[origin=10.10.1.212] [request_id=b174f32b-4746-4da2-8bd2-1a9260231855] [tid=45] Parameters: {:controller=>“status”, :action=>“index”}
[origin=10.10.1.212] [request_id=b174f32b-4746-4da2-8bd2-1a9260231855] [tid=45] e[1me[35mSequel::Postgres::Database (2.1ms)e[0m BEGIN
[origin=10.10.1.212] [request_id=b174f32b-4746-4da2-8bd2-1a9260231855] [tid=45] Rendering status/index.html.erb
[origin=10.10.1.212] [request_id=b174f32b-4746-4da2-8bd2-1a9260231855] [tid=45] Rendered status/index.html.erb (0.2ms)
[origin=10.10.1.212] [request_id=b174f32b-4746-4da2-8bd2-1a9260231855] [tid=45] e[1me[36mSequel::Postgres::Database (4.0ms)e[0m e[1mCOMMITe[0m
[origin=10.10.1.212] [request_id=b174f32b-4746-4da2-8bd2-1a9260231855] [tid=45] Completed 200 OK in 9ms (Views: 1.7ms)
e[1me[36mSequel::Postgres::Database (5.1ms)e[0m e[1mSELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (18.1ms)e[0m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)

e[1me[36mSequel::Postgres::Database (2.8ms)e[0m e[1mSELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (6.2ms)e[0m SELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (9.9ms)e[0m e[1m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)
e[0m
e[1me[35mSequel::Postgres::Database (8.4ms)e[0m SELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (1.8ms)e[0m e[1mSELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (5.2ms)e[0m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)

e[1me[36mSequel::Postgres::Database (1.1ms)e[0m e[1mSELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (1.5ms)e[0m SELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (6.0ms)e[0m e[1m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)
e[0m
e[1me[35mSequel::Postgres::Database (2.2ms)e[0m SELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1
[origin=10.10.1.212] [request_id=442d3a6c-66e2-46e7-9082-ccb4310c22d4] [tid=46] Started GET “/” for 10.10.1.212 at 2022-09-27 10:10:42 +0000
[origin=10.10.1.212] [request_id=442d3a6c-66e2-46e7-9082-ccb4310c22d4] [tid=46] Processing by StatusController#index as /
[origin=10.10.1.212] [request_id=442d3a6c-66e2-46e7-9082-ccb4310c22d4] [tid=46] Parameters: {:controller=>“status”, :action=>“index”}
[origin=10.10.1.212] [request_id=442d3a6c-66e2-46e7-9082-ccb4310c22d4] [tid=46] e[1me[35mSequel::Postgres::Database (12.0ms)e[0m BEGIN
[origin=10.10.1.212] [request_id=442d3a6c-66e2-46e7-9082-ccb4310c22d4] [tid=46] Rendering status/index.html.erb
[origin=10.10.1.212] [request_id=442d3a6c-66e2-46e7-9082-ccb4310c22d4] [tid=46] Rendered status/index.html.erb (0.2ms)
[origin=10.10.1.212] [request_id=442d3a6c-66e2-46e7-9082-ccb4310c22d4] [tid=46] e[1me[36mSequel::Postgres::Database (3.2ms)e[0m e[1mCOMMITe[0m
e[1me[36mSequel::Postgres::Database (5.6ms)e[0m e[1mSELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1e[0m
[origin=10.10.1.212] [request_id=442d3a6c-66e2-46e7-9082-ccb4310c22d4] [tid=46] Completed 200 OK in 31ms (Views: 7.1ms)
e[1me[35mSequel::Postgres::Database (14.0ms)e[0m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)

e[1me[36mSequel::Postgres::Database (1.4ms)e[0m e[1mSELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (1.4ms)e[0m SELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (4.9ms)e[0m e[1m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)
e[0m
e[1me[35mSequel::Postgres::Database (0.6ms)e[0m SELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (1.2ms)e[0m e[1mSELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (5.3ms)e[0m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)

e[1me[36mSequel::Postgres::Database (0.7ms)e[0m e[1mSELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (1.3ms)e[0m SELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (4.7ms)e[0m e[1m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)
e[0m
e[1me[35mSequel::Postgres::Database (1.3ms)e[0m SELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (1.3ms)e[0m e[1mSELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (11.7ms)e[0m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)

e[1me[36mSequel::Postgres::Database (1.8ms)e[0m e[1mSELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1e[0m
[origin=10.10.1.212] [request_id=160c28ba-8687-4de0-bbb4-732b0cd3323d] [tid=31] Started GET “/” for 10.10.1.212 at 2022-09-27 10:10:47 +0000
[origin=10.10.1.212] [request_id=160c28ba-8687-4de0-bbb4-732b0cd3323d] [tid=31] Processing by StatusController#index as /
[origin=10.10.1.212] [request_id=160c28ba-8687-4de0-bbb4-732b0cd3323d] [tid=31] Parameters: {:controller=>“status”, :action=>“index”}
[origin=10.10.1.212] [request_id=160c28ba-8687-4de0-bbb4-732b0cd3323d] [tid=31] e[1me[35mSequel::Postgres::Database (5.8ms)e[0m BEGIN
[origin=10.10.1.212] [request_id=160c28ba-8687-4de0-bbb4-732b0cd3323d] [tid=31] Rendering status/index.html.erb
[origin=10.10.1.212] [request_id=160c28ba-8687-4de0-bbb4-732b0cd3323d] [tid=31] Rendered status/index.html.erb (0.1ms)
[origin=10.10.1.212] [request_id=160c28ba-8687-4de0-bbb4-732b0cd3323d] [tid=31] e[1me[36mSequel::Postgres::Database (0.7ms)e[0m e[1mCOMMITe[0m
[origin=10.10.1.212] [request_id=160c28ba-8687-4de0-bbb4-732b0cd3323d] [tid=31] Completed 200 OK in 10ms (Views: 1.6ms)
e[1me[35mSequel::Postgres::Database (1.7ms)e[0m SELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (4.7ms)e[0m e[1m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)
e[0m
e[1me[35mSequel::Postgres::Database (0.8ms)e[0m SELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (1.4ms)e[0m e[1mSELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (12.1ms)e[0m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)

e[1me[36mSequel::Postgres::Database (4.3ms)e[0m e[1mSELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (3.2ms)e[0m SELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (9.5ms)e[0m e[1m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)
e[0m
e[1me[35mSequel::Postgres::Database (47.4ms)e[0m SELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (2.8ms)e[0m e[1mSELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (4.6ms)e[0m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)

e[1me[36mSequel::Postgres::Database (1.2ms)e[0m e[1mSELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1e[0m
e[1me[35mSequel::Postgres::Database (2.4ms)e[0m SELECT pg_try_advisory_lock(767003715) AS “v” LIMIT 1
e[1me[36mSequel::Postgres::Database (5.2ms)e[0m e[1m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
FROM annotations ttl

– This ensures we get only entries with both
– a ttl and a rotator specified
JOIN annotations rotators ON (
rotators.resource_id = ttl.resource_id
AND rotators.name = ‘rotation/rotator’
)

LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

LEFT JOIN (
SELECT resource_id, MAX(version) AS version
FROM secrets
GROUP BY resource_id
) max_version ON max_version.resource_id = ttl.resource_id

WHERE ttl.name = ‘rotation/ttl’
AND secrets.version = max_version.version
AND (
secrets.expires_at < NOW() OR secrets.expires_at IS NULL
)
e[0m
e[1me[35mSequel::Postgres::Database (1.7ms)e[0m SELECT pg_advisory_unlock(767003715) AS “v” LIMIT 1