I installed Conjur OSS on a Kubernetes cluster using Helm v3 and have loaded the policies below.
---
# Initializes the users of the myapp application
- !group admin
- !group devops
- !group secrets_admin
- !group developer

- !grant
  role: !group admin
  members:
    - !group devops

- !grant
  role: !group secrets_admin
  members:
    - !group devops
    - !group developer

- !user Ted

- !grant
  role: !group devops
  members:
    - !user Ted

- !user John

- !grant
  role: !group developer
  members:
    - !user John
---
# This policy defines a layer of whitelisted identities permitted to authenticate to the authn-k8s endpoint.
- !policy
  id: conjur/authn-k8s/myapp/apps
  owner: !group devops
  annotations:
    description: Identities permitted to authenticate
  body:
    - !layer
      annotations:
        description: Layer of authenticator identities permitted to call authn svc

    - &hosts
      - !host
        id: myapp/*/*
        annotations:
          kubernetes/authentication-container-name: authenticator
          openshift: "false"
      - !host
        id: myapp-cloud/deployment/api
        annotations:
          kubernetes/authentication-container-name: authenticator
          kubernetes: "true"
      - !host
        id: myapp-cloud/deployment/ui
        annotations:
          kubernetes/authentication-container-name: authenticator
          kubernetes: "true"

    - !grant
      role: !layer
      members: *hosts
---
# This policy defines an authn-k8s endpoint, CA creds and a layer for whitelisted identities permitted to authenticate to it
- !policy
  id: conjur/authn-k8s/myapp
  owner: !group admin
  annotations:
    description: authentication webservice definition myapp
  body:
    - !webservice
      annotations:
        description: authn service for cluster

    - !policy
      id: ca
      body:
        - !variable
          id: cert
          annotations:
            description: CA cert for Kubernetes Pods.
        - !variable
          id: key
          annotations:
            description: CA key for Kubernetes Pods.

    # define layer of whitelisted authn ids permitted to call authn service
    - !layer users

    - !permit
      resource: !webservice
      privilege: [ read, authenticate ]
      role: !layer users

- !grant
  role: !layer conjur/authn-k8s/myapp/users
  members:
    - !layer conjur/authn-k8s/myapp/apps
---
- !policy
  id: myapp
  owner: !group devops
  annotations:
    description: This policy connects authn identities to an application identity. It defines a layer named for an application that contains the whitelisted identities that can authenticate to the authn-k8s endpoint. Any permissions granted to the application layer will be inherited by the whitelisted authn identities, thereby granting access to the authenticated identity.
  body:
    - !layer

    # add authn identities to application layer so authn roles inherit app's permissions
    - !grant
      role: !layer
      members:
        - !layer /conjur/authn-k8s/myapp/apps
---
# This policy defines the variables for myapp app
- !policy
  id: myapp-app-vars
  owner: !group secrets_admin
  annotations:
    description: This policy contains the variables for myapp
  body:
    - &variables
      - !variable aws/access_key_id
      - !variable aws/secret_access_key

    - !permit
      role: !layer /myapp
      privileges: [ read, execute ]
      resources: *variables

- !policy
  id: some-apps
  owner: !group devops
  annotations:
    description: Identities permitted to authenticate
  body:
    - !layer
      annotations:
        description: Layer of authenticator identities permitted to call authn svc

    - &hosts
      - !host
        id: myapp-cloud/*/*
        annotations:
          kubernetes/authentication-container-name: authenticator
          openshift: "false"

    - !grant
      role: !layer
      members: *hosts

# Inherit test-app's permissions
- !grant
  role: !layer myapp
  members: !layer some-apps

# Allow the host to authenticate with the authn-k8s authenticator
- !grant
  role: !layer conjur/authn-k8s/myapp/users
  members: !layer some-apps
When the Kubernetes authenticator, deployed as an init container, tries to authenticate, it throws the error below:
INFO: 2020/08/14 12:36:57 main.go:45: CAKC006I Authenticating as user '&{host/conjur/authn-k8s/myapp/apps/myapp-cloud/deployment/api host.conjur.authn-k8s.myapp.apps myapp-cloud.deployment.api}'
INFO: 2020/08/14 12:36:57 authenticator.go:181: CAKC005I Trying to login Conjur...
INFO: 2020/08/14 12:36:57 authenticator.go:113: CAKC007I Logging in as user &{host/conjur/authn-k8s/myapp/apps/myapp-cloud/deployment/api host.conjur.authn-k8s.myapp.apps myapp-cloud.deployment.api}.
INFO: 2020/08/14 12:36:57 requests.go:23: CAKC011I Login request to: https://rebrand-conjur.labgsd.com/authn-k8s/myapp/inject_client_cert
ERROR: 2020/08/14 12:36:57 authenticator.go:133: CAKC029E Received invalid response to certificate signing request. Reason: status code 401,
ERROR: 2020/08/14 12:36:57 authenticator.go:184: CAKC015E Login failed
ERROR: 2020/08/14 12:36:57 main.go:48: CAKC016E Failed to authenticate
I have enabled debug-level logs on the Conjur server, where I see the log statements below:
Started POST "/authn-k8s/myapp/inject_client_cert" for 127.0.0.1 at 2020-08-14 11:37:51 +0000
Processing by AuthenticateController#k8s_inject_client_cert as HTML
Parameters: {"service_id"=>"myapp"}
Sequel::Postgres::Database (0.2ms) BEGIN
CONJ00028D Setting common name to host.conjur.authn-k8s.myapp.apps.myapp-cloud.deployment.api
Sequel::Postgres::Database (0.4ms) SELECT * FROM "resources" WHERE "resource_id" = 'default:webservice:conjur/authn-k8s/myapp'
CONJ00027D Host id default:host:conjur/authn-k8s/myapp/apps/myapp-cloud/deployment/api extracted from CSR common name
Sequel::Postgres::Database (0.4ms) SELECT * FROM "resources" WHERE "resource_id" = 'default:host:conjur/authn-k8s/myapp/apps/myapp-cloud/deployment/api'
Sequel::Postgres::Database (0.7ms) SELECT * FROM "roles" WHERE "role_id" = 'default:host:conjur/authn-k8s/myapp/apps/myapp-cloud/deployment/api'
Sequel::Postgres::Database (1.1ms) SELECT * FROM is_role_allowed_to('default:host:conjur/authn-k8s/myapp/apps/myapp-cloud/deployment/api', 'authenticate', 'default:webservice:conjur/authn-k8s/myapp') LIMIT 1
CONJ00027D Host id default:host:conjur/authn-k8s/myapp/apps/myapp-cloud/deployment/api extracted from CSR common name
Sequel::Postgres::Database (0.4ms) SELECT * FROM "annotations" WHERE ("annotations"."resource_id" = 'default:host:conjur/authn-k8s/myapp/apps/myapp-cloud/deployment/api')
CONJ00026D Validating host id default:host:conjur/authn-k8s/myapp/apps/myapp-cloud/deployment/api
CONJ00024D Retrieved value of annotation kubernetes/authentication-container-name
CONJ00024D Retrieved value of annotation kubernetes/authentication-container-name
CONJ00015D Copying SSL certificate to myapp-cloud/api-65f76bb56b-cnnpr
CONJ00027D Host id default:host:conjur/authn-k8s/myapp/apps/myapp-cloud/deployment/api extracted from CSR common name
Sequel::Postgres::Database (0.3ms) SELECT * FROM "resources" WHERE "resource_id" = 'default:host:conjur/authn-k8s/myapp/apps/myapp-cloud/deployment/api'
Sequel::Postgres::Database (0.3ms) SELECT * FROM "annotations" WHERE ("annotations"."resource_id" = 'default:host:conjur/authn-k8s/myapp/apps/myapp-cloud/deployment/api')
Sequel::Postgres::Database (0.3ms) SELECT * FROM "resources" WHERE "resource_id" = 'default:variable:conjur/authn-k8s/myapp/ca/cert'
Sequel::Postgres::Database (0.3ms) SELECT * FROM "secrets" WHERE ("secrets"."resource_id" = 'default:variable:conjur/authn-k8s/myapp/ca/cert') ORDER BY "version" DESC LIMIT 1
Authentication Error: #<NoMethodError: undefined method `value' for nil:NilClass>
Please help.