We are in the process of testing integration between CyberArk Conjur enterprise 12.4 and OpenShift 4.8. We are running into an odd issue with Secrets Provider for Kubernetes > Init container > Kubernetes Secrets mode
.
The init container finishes executing successfully with logs indicating that the secrets were retrieved from Conjur and K8s secret was updated. But the actual k8s secret was not updated. Based on the conjur logs, we confirmed that the init container was able to fetch the secrets.
Did anyone experience this issue before? Please suggest any tips that could help troubleshoot this.
Init Container Log
DEBUG: 2022/03/01 19:39:27.901561 authenticator.go:258: CAKC044 Buffer time: 30s
DEBUG: 2022/03/01 19:39:27.901835 requests.go:46: CAKC046 Authn request to: https://t-cdap-follower-svc.test.acme.net/authn-k8s/test-cluster/Tst1/host%2Ftest-app-csp/authenticate
DEBUG: 2022/03/01 19:39:27.901862 authenticator.go:318: CAKC069 Sending authn-k8s request...
INFO: 2022/03/01 19:39:28.148447 authenticator.go:116: CAKC035 Successfully authenticated
INFO: 2022/03/01 19:39:28.148525 conjur_secrets_retriever.go:71: CSPFK003I Retrieving following secrets from DAP/Conjur: [Tst1:variable:ConjurSync/TestApp/APS_0_TST_WAU_SL_ACME/Operating System-Win_Dom_Acc_Test-1.1.1.1-testusername/password Tst1:variable:ConjurSync/TestApp/APS_0_TST_WAU_SL_ACME/Operating System-Win_Dom_Acc_Test-1.1.1.1-testusername/username]
INFO: 2022/03/01 19:39:28.148537 conjur_client.go:21: CSPFK002I Creating DAP/Conjur client
INFO: 2022/03/01 19:39:28.185514 provide_conjur_secrets.go:153: CSPFK009I DAP/Conjur Secrets updated in Kubernetes successfully
k8s secret
---
apiVersion: v1
kind: Secret
metadata:
name: db-credentials
namespace: test-app-namespace
type: Opaque
stringData:
conjur-map: |-
DB_USERNAME: Tst1:variable:ConjurSync/TestApp/APS_0_TST_WAU_SL_ACME/Operating System-Win_Dom_Acc_Test-1.1.1.1-testusername/username
DB_PASSWORD: Tst1:variable:ConjurSync/TestApp/APS_0_TST_WAU_SL_ACME/Operating System-Win_Dom_Acc_Test-1.1.1.1-testusername/password
Init Container Env
- image: image-registry.openshift-image-registry.svc:5000/test-app-namespace/secrets-provider-for-k8s:1.4
imagePullPolicy: Always
name: cyberark-secrets-provider-for-k8s
env:
- name: CONJUR_AUTHN_LOGIN
value: host/test-app-csp
- name: CONTAINER_MODE
value: init
- name: DEBUG
value: "true"
- name: SECRETS_DESTINATION
value: k8s_secrets
- name: K8S_SECRETS
value: db-credentials
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
envFrom:
- configMapRef:
name: conjur-connect