I’ve got a question which might seem obvious, but I cannot get my Kubernetes Authenticator Client to work as a sidecar with conjur-oss on GKE so I don’t know the answer.
I have conjur-oss working outside of Kubernetes with docker-compose and use the Java API to retrieve secrets. The Conjur object is initialised using:
c = new Conjur (user, API-KEY)
All works well. Looking at the code, the authentication token is retrieved and automatically reloaded every 6 minutes by the Conjur API so that it always remains valid for subsequent calls to retrieve secrets. My Conjur object never needs to be re-initialised.
Moving to k8s, the sidecar client requests a token every 6 minutes and this is written to a volume which is shared with my app. My app reads this from the volume and calls:
c = new Conjur (token)
The question is, do I need to re-initialise my Conjur object before every call to retrieve secrets as the token will be rejected as invalid/out of date by the Conjur server after around 8 minutes?
Like I say, seems obvious but I have not seen example Java API code which clarifies this.
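
One way an application can pick up each token the sidecar writes to the shared volume, as an added example that is not part of the original post and not the Conjur project's code. It assumes a client built from a token keeps using that token; the `TokenFileClient` class, its `factory` parameter and the temp-file path are hypothetical, and the factory is where the post's `new Conjur(token)` call would go.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.util.function.Function;

// Hypothetical helper: rebuilds the client whenever the sidecar rewrites the token file.
public class TokenFileClient<C> {
    private final Path tokenFile;
    // Assumption: for the Conjur Java API this wraps the post's `new Conjur(token)` call.
    private final Function<String, C> factory;
    private FileTime loadedAt;
    private C client;

    public TokenFileClient(Path tokenFile, Function<String, C> factory) {
        this.tokenFile = tokenFile;
        this.factory = factory;
    }

    public synchronized C get() throws IOException {
        FileTime modified = Files.getLastModifiedTime(tokenFile);
        if (client != null && modified.equals(loadedAt)) {
            return client; // token unchanged since last load: reuse the client
        }
        String raw = Files.readString(tokenFile);
        if (raw.isBlank()) {
            // File caught mid-rewrite: keep the previous client, fail only on first load.
            if (client == null) throw new IOException("empty token file: " + tokenFile);
            return client;
        }
        client = factory.apply(raw);
        loadedAt = modified;
        return client;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-ins: a temp file for the shared volume, a String for the client.
        Path file = Files.createTempFile("access-token", ".json");
        Files.writeString(file, "constructed-token-1");
        TokenFileClient<String> holder = new TokenFileClient<>(file, raw -> "client:" + raw);
        String first = holder.get();
        System.out.println(first + " reused=" + (first == holder.get()));
        // Simulate the sidecar's next write, forcing a distinct modification time.
        Files.writeString(file, "constructed-token-2");
        Files.setLastModifiedTime(file, FileTime.fromMillis(System.currentTimeMillis() + 60_000));
        System.out.println(holder.get());
    }
}
```

Calling `get()` before each secret retrieval costs one file-metadata lookup and only rebuilds the client after the sidecar has written a new token.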