Authenticator Client Error

I have deployed Conjur open source and the Kubernetes Authenticator as well. While deploying the YAML below in the cluster, I get Authenticator Client Error logs (mentioned below).

Test yaml Deployed:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-app
  name: test-app
  namespace: test-app-namespace
spec:
  selector:
    matchLabels:
      app: test-app
  replicas: 1
  template:
    metadata:
      labels:
        app: test-app
    spec:
      serviceAccountName: test-app-sa
      containers:
      - name: test-app
        image: nginx:latest
        ports:
        - containerPort: 80
        envFrom:
        - configMapRef:
            name: conjur-connect
        volumeMounts:
        - mountPath: /run/conjur
          name: conjur-access-token
          readOnly: true
      initContainers:
      - image: cyberark/conjur-authn-k8s-client
        imagePullPolicy: Always
        name: authenticator
        env:
        - name: CONJUR_AUTHN_LOGIN
          value: host/test-app
        - name: CONTAINER_MODE
          value: init
        - name: MY_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: MY_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        envFrom:
        - configMapRef:
            name: conjur-connect
        volumeMounts:
        - mountPath: /run/conjur
          name: conjur-access-token
        - mountPath: /etc/conjur/ssl
          name: conjur-client-ssl
      volumes:
      - name: conjur-access-token
        emptyDir:
          medium: Memory
      - name: conjur-client-ssl
        emptyDir:
          medium: Memory

Authenticator Client Error Logs:

INFO: 2022/07/31 14:53:28.150378 main.go:19: CAKC048 Kubernetes Authenticator Client v0.23.1-dev starting up…
INFO: 2022/07/31 14:53:28.150541 configuration_factory.go:79: CAKC070 Chosen “authn-k8s” configuration
INFO: 2022/07/31 14:53:28.150732 authenticator_factory.go:31: CAKC075 Chosen “authn-k8s” flow
ERROR: 2022/07/31 14:53:28.327146 client.go:17: CAKC014 Failed to append Conjur CA cert
ERROR: 2022/07/31 14:53:28.327295 main.go:72: CAKC019 Failed to instantiate Authenticator object

https://docs.conjur.org/Latest/en/Content/Integrations/k8s-ocp/k8s-set-up-apps.htm

While setting up the Authenticator using the helm install command below, the CM conjur-configmap data “conjurSslCertificate and conjurSslCertificateBase64” shows empty.

helm install cluster-prep cyberark/conjur-config-cluster-prep \
     --namespace cyberark-conjur \
     --create-namespace \
     --set conjur.account="myorg" \
     --set conjur.applianceUrl="https://conjur-follower.cyberark-conjur.svc.cluster.local" \
     --set conjur.certificateFilePath="/fullchain.pem" \
     --set authnK8s.authenticatorID="dev-cluster" \
     --set authnK8s.serviceAccount.name="authn-k8s-sa"

I injected the conjurSslCertificate manually so that, while setting up apps (Set up applications (cert-based authentication)), the steps below won’t fail.

helm install namespace-prep cyberark/conjur-config-namespace-prep \
     --namespace test-apps-namespace \
     --set authnK8s.goldenConfigMap="conjur-configmap" \
     --set authnK8s.namespace="cyberark-conjur"

This looks like a certification issue. Is there any way to know whether we are giving the right conjur.certificateFilePath during helm install cluster-prep, or are there any other steps to do for the configuration?

Thanks in advance

Regards,
Somit

Hi @somitnirmata
Are you seeing any Helm errors? Were you seeing Helm errors to begin with that required setting the conjurSslCertificate manually? When Helm installing with the remote helm repo cyberark/conjur-config-cluster-prep the cert needs to be B64 encoded, and I would expect Helm to give this error - “If you are using helm install with a (remote) chart reference, please use conjur.certficateBase64 instead of conjur.certificateFilePath.”
Are you seeing that error?

Hope this helps - Rob

Hi Rob,

Thanks for the reply.

Yes. I see an error when I do the helm install below, when conjur-configmap has no conjurSslCertificate data. So in order to avoid this we manually injected the SSL certificate into it.

helm install namespace-prep cyberark/conjur-config-namespace-prep \
     --namespace test-apps-namespace \
     --set authnK8s.goldenConfigMap="conjur-configmap" \
     --set authnK8s.namespace="cyberark-conjur"

Is it possible for you to tell why conjurSslCertificate: is kept empty?

apiVersion: v1
data:
  authnK8sAuthenticatorID: dev-cluster
  authnK8sClusterRole: conjur-clusterrole
  authnK8sNamespace: cyberark-conjur
  authnK8sServiceAccount: authn-k8s-sa
  conjurAccount: myConjurAccount
  conjurApplianceUrl: https://conjur123.lab.nirmata.co
  conjurSslCertificate: ""
  conjurSslCertificateBase64: ""

Thanks,
Somit

Hi Somit,
Can you try creating the conjur-configmap with base64 encoding?
So

helm install my-conjur-release . \
     --set conjur.certificateBase64="$(base64 -w0 path/to/conjur.pem)" \
     ...

Rob

Hi Rob,

Tried the above, but I get a syntax error.

helm install cluster-prep cyberark/conjur-config-cluster-prep \
     --namespace cyberark-conjur \
     --create-namespace \
     --set conjur.account="myConjurAccount" \
     --set conjur.applianceUrl="https://url" \
     --set conjur.certificateFilePath="/Users/somitsebastian/conjur/authenticator-setup-2/pem/conjur.pem" \
     --set conjur.certificateBase64="$(base64 -w0 /Users/somitsebastian/conjur/authenticator-setup-2/pem/conjur.pem)" \
     --set authnK8s.authenticatorID="dev-cluster" \
     --set authnK8s.serviceAccount.name="authn-k8s-sa"
base64: invalid option -- w
Usage: base64 [-hvDd] [-b num] [-i in_file] [-o out_file]
-h, --help display this message
-Dd, --decode decodes input
-b, --break break encoded string into num character lines
-i, --input input file (default: “-” for stdin)
-o, --output output file (default: “-” for stdout)
Error: INSTALLATION FAILED: values don’t meet the specifications of the schema(s) in the following chart(s):
conjur-config-cluster-prep:

  • conjur.certificateBase64: String length must be greater than or equal to 1

It's saying base64: invalid option -- w and a specification error. By any chance, did you mean base64 -d? In that case, I have tried that also and am getting a specification error:

helm install cluster-prep cyberark/conjur-config-cluster-prep \
     --namespace cyberark-conjur \
     --create-namespace \
     --set conjur.account="myConjurAccount" \
     --set conjur.applianceUrl="https://url" \
     --set conjur.certificateFilePath="/Users/somitsebastian/conjur/authenticator-setup-2/pem/conjur.pem" \
     --set conjur.certificateBase64="$(base64 -d /Users/somitsebastian/conjur/authenticator-setup-2/pem/conjur.pem)" \
     --set authnK8s.authenticatorID="dev-cluster" \
     --set authnK8s.serviceAccount.name="authn-k8s-sa"
Error: INSTALLATION FAILED: values don’t meet the specifications of the schema(s) in the following chart(s):
conjur-config-cluster-prep:

  • conjur.certificateBase64: Does not match pattern ‘^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$’

Somit

Hi Somit,
Are you on a Mac? On Linux I have the -w0 option, but I don’t see the -w0 on a Mac.

Rob

Also if you download the Helm charts you can use the cert directly, you won’t have to base64 encode if that is an issue.

Rob
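
Added example (not part of the thread and not CyberArk's code): a portable way to produce the single-line base64 value that `conjur.certificateBase64` expects, plus the checks that would have caught both schema errors quoted above before running helm. The function names and the sample file are assumptions made for this sketch; the sample PEM body is constructed placeholder text, not a real certificate.

```shell
#!/usr/bin/env bash
# Added example: build and sanity-check a conjur.certificateBase64 value.

# Pattern from the Helm schema error quoted in the thread; the (?:...)
# groups are written as plain groups because grep -E has no (?: syntax.
B64_SCHEMA='^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'

# encode_cert FILE: print FILE as one line of base64. Reading stdin and
# stripping newlines avoids -w0, which BSD/macOS base64 does not have.
encode_cert() {
  base64 < "$1" | tr -d '\r\n'
}

# check_cert_value FILE: succeed only if FILE holds a PEM certificate
# block and its encoded form would pass the chart's schema checks.
check_cert_value() {
  local file=$1 value
  [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
  grep -q -e '-----BEGIN CERTIFICATE-----' "$file" ||
    { echo "no PEM certificate block in $file" >&2; return 1; }
  value=$(encode_cert "$file")
  # An empty value is what a failed $(base64 ...) substitution produces.
  [ -n "$value" ] || { echo "encoded value is empty" >&2; return 1; }
  printf '%s\n' "$value" | grep -Eq "$B64_SCHEMA" ||
    { echo "value does not match the schema pattern" >&2; return 1; }
  # Round trip: decoding must reproduce the file byte for byte.
  printf '%s' "$value" | base64 --decode | cmp -s - "$file" ||
    { echo "round trip mismatch" >&2; return 1; }
}

# make_sample_pem FILE: write a constructed PEM-shaped file for the demo.
# The body is placeholder text, not a real certificate.
make_sample_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=' \
    '-----END CERTIFICATE-----' > "$1"
}

sample=$(mktemp)
make_sample_pem "$sample"
check_cert_value "$sample" && echo "ok: $(encode_cert "$sample" | wc -c) base64 chars"
rm -f "$sample"
```

Once the check passes, the value can be supplied as `--set conjur.certificateBase64="$(encode_cert path/to/conjur.pem)"`. The checks cover the form of the value only, not whether the certificate is the one the Conjur endpoint presents.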