I’ve followed the Conjur OSS guide to authenticate my app via Kubernetes Authenticator Client sidecar. I’ve used the defaults as far as possible, keeping “https://conjur.myorg.com” as the domain/URL and mapping this via an /etc/hosts entry instead of configuring a DNS. The conjur-oss apps are up, I can hit the server and create all the required policies.
I’ve tried to follow the steps to the letter and am getting close, but I see the following in the container logs:
requests.go:23: CAKC011I Login request to: https://conjur-oss.conjur-oss.svc.cluster.local/authn-k8s/test/inject_client_cert
ERROR: 2020/08/11 21:40:00 authenticator.go:133: CAKC029E Received invalid response to certificate signing request. Reason: status code 403,
I’m sure it’s linked to the section “Create the public SSL certificate required for connecting to the Conjur follower service and store in a ConfigMap”. For the CONJUR_SSL_CERTIFICATE parameter it says that:
The SSL certificate is generated during Conjur appliance configuration and stored in a .pem file located in the root folder where Conjur was created
In the Conjur server container what is the root folder? I can’t find any .pem files within the server itself (/opt/conjur/etc/ssl/cert and /opt/conjur/etc/ssl//ca are empty). When the Conjur client is initialised via conjur init, conjur-default.pem is created so I assumed I can use this:
kubectl create configmap conjur-cert --from-file=ssl-certificate="/home/lee/conjur-default.pem".
Any clues as to where I might be going wrong would be welcome. There are so many steps and config values in the sidecar manifest that I’m really not sure where to start debugging. I have attached the manifest in case it is of use.
Lee
sidecar-manifest.txt (2.1 KB)