Obvious authn-k8s token question

leighcee · August 12, 2020, 2:21pm

Hi,

I’ve got a question which might seem obvious, but I cannot get my Kubernetes Authenticator Client to work as a sidecar with conjur-oss on GKE so I don’t know the answer.

I have conjur-oss working outside of Kubernetes with docker-compose and use the Java API to retrieve secrets. The Conjur object is initialised using:
c = new Conjur (user, API-KEY)

All works well. Looking at the code, the authentication token is retrieved and automatically reloaded every 6 minutes by the Conjur API so that it always remains valid for subsequent calls to retrieve secrets. My Conjur object never needs to be re-initialised.

Moving to k8s, the sidecar client requests a token every 6 minutes and this is written to a volume which is shared with my app. My app reads this from the volume and calls:
c = new Conjur (token)

The question is, do I need to re-initialise my Conjur object before every call to retrieve secrets as the token will be rejected as invalid/out of date by the Conjur server after around 8 minutes?

Like I say, seems obvious but I have not see example Java API code which clarifies this.

Thanks,
Lee

sgnn7 · August 13, 2020, 3:29pm

do I need to re-initialise my Conjur object before every call to retrieve secrets as the token will be rejected as invalid/out of date by the Conjur server after around 8 minutes?

Yes, your hunch is correct. if you’re manually doing the secret fetch with the authnenticator-provided token value, you have to use whatever the current state of the token is so you should read the file and initialize Conjur() at the point(s) that you use them. The main reason why this isn’t too obvious in the docs is that usually credentials are either fetched during that initial stage only once or used with something like secretless-broker that reads that token just-in-time. I guess we could add a constructor that takes a token path instead of the raw token value as well but that will probably make the Conjur class itself decently more fragile.

Srdjan

leighcee · August 13, 2020, 10:06pm

Wonderful, thanks @sgnn7 for the clarification!

system · August 20, 2020, 10:06pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
K8s authn-jwt based authentication Secrets Management - Conjur, Secrets Hub & CP howto	11	850	June 16, 2022
Conjur-OSS as a service hosted in dedicated kubernates cluster Secrets Management - Conjur, Secrets Hub & CP	3	197	January 26, 2023
Conjur set-up and usage of credentials in springboot app Development	2	451	September 10, 2021
Conjur Open Source Suite release v1.13.0+suite.1 Product Announcements opensource , conjur	0	350	August 27, 2021
Conjur environment variables - Kubernetes Secrets Management - Conjur, Secrets Hub & CP kubernetes	3	711	October 9, 2020

Obvious authn-k8s token question

Related Topics