We got errors, from k8s site:
CONJ00048I Authentication Error: #<Errors::Authentication::Security::AuthenticatorNotWhitelisted: CONJ00004E ‘authn-k8s/dev-cluster’ is not enabled>
conjur-follower failed to inject client certificate with authenticator authn-k8s service :webservice:conjur/authn-k8s/dev-cluster: CONJ00004E ‘authn-k8s/dev-cluster’ is not enabled
Documentation: Deploy Conjur Kubernetes Follower
We have no idea what we might be missing. What is the client certificate in this error? I don’t see any mention of a client certificate in this documentation.
It looks like you’re trying to authenticate using an authenticator called “authn-k8s/dev-cluster” but it’s not enabled on the Conjur side. Are you using Conjur OSS or Enterprise? If OSS, what is the value of the CONJUR_AUTHENTICATORS environment variable?
See point number 5 in these docs for more info.
We are using the Enterprise version. We used this documentation and created the webservice conjur/authn-k8s/dev-cluster and all variables, but maybe we got something wrong in points 4 and 5.
Should the CA certificate from point 3 land in the k8s cluster? And does the Conjur master’s cluster CA have to be the same as the k8s API? Do they just have to be added as trusted?
From the fact that the error you’re receiving is “Errors::Authentication::Security::AuthenticatorNotWhitelisted: CONJ00004E”, this is probably a configuration issue not related to certificates. Have you verified that the authenticator has been enabled? You can check using the webservice described here and in step 5 here.
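Added example, not part of the thread or of the Conjur documentation: one way to read the JSON from Conjur's `GET /authenticators` status endpoint and tell which state produces CONJ00004E for `authn-k8s/dev-cluster`. The response body is a constructed sample (its `installed` / `configured` / `enabled` shape is assumed here), and `diagnose` is a hypothetical helper name.

```python
import json

# Constructed sample of a GET /authenticators response (assumed shape):
# the webservice policy is loaded ("configured") but the authenticator
# is missing from the allowlist ("enabled").
SAMPLE_RESPONSE = """
{
  "installed": ["authn", "authn-k8s", "authn-ldap", "authn-oidc"],
  "configured": ["authn", "authn-k8s/dev-cluster"],
  "enabled": ["authn"]
}
"""


def diagnose(response_text, authenticator):
    """Return (state, siblings) for one authenticator, e.g. 'authn-k8s/dev-cluster'.

    state is one of:
      enabled                - allowlisted, CONJ00004E should not occur
      configured-not-enabled - policy loaded, not allowlisted (CONJ00004E)
      not-configured         - type is installed, webservice policy missing
      type-not-installed     - authenticator type unknown to this server
    siblings lists enabled authenticators of the same type, which points
    at a service-ID mismatch (e.g. 'dev' enabled, 'dev-cluster' requested).
    """
    status = json.loads(response_text)
    installed = set(status.get("installed", []))
    configured = set(status.get("configured", []))
    enabled = set(status.get("enabled", []))
    auth_type = authenticator.split("/", 1)[0]

    if authenticator in enabled:
        return "enabled", []
    siblings = sorted(a for a in enabled if a.split("/", 1)[0] == auth_type)
    if authenticator in configured:
        return "configured-not-enabled", siblings
    if auth_type in installed:
        return "not-configured", siblings
    return "type-not-installed", siblings


if __name__ == "__main__":
    state, siblings = diagnose(SAMPLE_RESPONSE, "authn-k8s/dev-cluster")
    print(f"authn-k8s/dev-cluster: {state}; same-type enabled: {siblings}")
```

Run the same check against the follower that serves the Kubernetes cluster, since the error above was reported by conjur-follower.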