K8s Authenticator failing while trying to inject client cert

Error:

host failed to inject client certificate with authenticator authn-k8s service account:webservice:conjur/authn-k8s/dev-cluster: header field value cannot include CR/LF

Any assistance on the above would be really, really appreciated.

@joe.garcia @AndrewCopeland

I might have seen this error before. You can try the code below when adding the Kubernetes cluster CA cert and see if it fixes the issue.

conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/kubernetes/ca-cert "$(cat cluster-ca.cert)"

Thanks for posting @greenlights. Could you please provide some context around your setup? Some details that would be useful to better diagnose the issue are:

  1. What client is being used to make the authentication request?
  2. Where is the authenticator running (in-cluster or out)? Is it taking the service account token from the Pod (file system) or is the token stored in a Conjur variable?

Based on the error you’re seeing I suspect that the authenticator might be running with a Kubernetes Service Account token stored in a Conjur variable. The authenticator uses the token in the auth header when making requests to the Kubernetes API. Headers are not allowed to have carriage returns or line feeds. It’s likely that there’s an extra new line on the stored token. If so, please strip any carriage returns or line feeds from the token value stored in Conjur, and it should work.
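
The check described in the reply above, as an added example that is not part of the original thread: it detects CR/LF in a token read from a file and produces a cleaned value before it is stored in a Conjur variable. The function names and the sample token are constructed for illustration; the allowed character set is the one RFC 6750 permits in a bearer token.

```shell
# Added example: find and strip CR/LF in a service account token file
# before the value is stored in a Conjur variable.
CR=$(printf '\r')
NL='
'

# Succeeds when the value contains a carriage return or a line feed.
has_crlf() {
  case "$1" in
    *"$CR"*|*"$NL"*) return 0 ;;
  esac
  return 1
}

# Prints the file's contents with every CR and LF removed
# (trailing, embedded, or from Windows line endings).
clean_token() {
  tr -d '\r\n' < "$1"
}

# Prints a header-safe token, or fails if the file is empty or the cleaned
# value still holds characters outside the bearer-token set (spaces, tabs).
safe_token() {
  cleaned=$(clean_token "$1")
  [ -n "$cleaned" ] || { echo "empty token in $1" >&2; return 1; }
  case "$cleaned" in
    *[!A-Za-z0-9._~+/=-]*)
      echo "unexpected character in token from $1" >&2
      return 1 ;;
  esac
  printf '%s' "$cleaned"
}

# Constructed sample: a made-up token saved with Windows line endings.
sample=$(mktemp)
printf 'eyJhbGciOi.constructed-payload.c2ln\r\n' > "$sample"

raw=$(cat "$sample")   # $(...) drops the trailing LF but keeps the CR
if has_crlf "$raw"; then
  echo "raw value contains CR/LF and would be rejected as a header value"
fi

token=$(safe_token "$sample") && echo "cleaned token length: ${#token}"
rm -f "$sample"
# "$token" is the value to store, using the same
# `conjur variable values add <variable-id> "$token"` form shown earlier.
```

Note that `"$(cat file)"` only removes trailing line feeds, so a file with CRLF endings or a value wrapped across lines still carries CR/LF into the variable.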


Hi @kumbirai Thanks for the response.

Yes, it had a new line character. After putting the correct one it worked. Thanks a lot!
