Secrets Provider authenticator pod failing to authenticate

Hi there,

I’m trying to configure the Kubernetes Secrets Provider integration but I am currently receiving an error due to the following issue with the authenticator application container (I shortened the log as the other retries are exactly the same):

INFO: 2020/10/02 11:02:12 main.go:23: CSPFK008I CyberArk Secrets Provider for Kubernetes v1.1.0-dev starting up
DEBUG: 2020/10/02 11:02:12 main.go:115: CSPFK001D Debug mode is enabled
INFO: 2020/10/02 11:02:12 main.go:81: CSPFK001I Authenticating as user 'host/conjur/authn-k8s/provider/apps/secrets-provider-host'
INFO: 2020/10/02 11:02:12 authenticator.go:197: CAKC005I Trying to login Conjur...
INFO: 2020/10/02 11:02:12 authenticator.go:116: CAKC007I Logging in as user 'host/conjur/authn-k8s/provider/apps/secrets-provider-host'
INFO: 2020/10/02 11:02:12 requests.go:23: CAKC011I Login request to: https://conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local/authn-k8s/provider/inject_client_cert
INFO: 2020/10/02 11:02:13 file.go:35: CAKC017I Waiting for file /etc/conjur/ssl/client.pem to become available...
INFO: 2020/10/02 11:02:13 authenticator.go:159: CAKC015I Loaded client certificate successfully from /etc/conjur/ssl/client.pem
INFO: 2020/10/02 11:02:13 authenticator.go:171: CAKC016I Deleted client certificate from memory
INFO: 2020/10/02 11:02:13 authenticator.go:203: CAKC002I Logged in
INFO: 2020/10/02 11:02:13 authenticator.go:186: CAKC008I Cert expires: 2020-10-05 11:02:12 +0000 UTC
INFO: 2020/10/02 11:02:13 authenticator.go:187: CAKC009I Current date: 2020-10-02 11:02:13.930684707 +0000 UTC
INFO: 2020/10/02 11:02:13 authenticator.go:188: CAKC010I Buffer time: 30s
INFO: 2020/10/02 11:02:13 requests.go:47: CAKC012I Authn request to: https://conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local/authn-k8s/provider/default/host%2Fconjur%2Fauthn-k8s%2Fprovider%2Fapps%2Fsecrets-provider-host/authenticate
ERROR: 2020/10/02 11:02:13 main.go:84: CSPFK010E Failed to authenticate
INFO: 2020/10/02 11:02:14 main.go:61: CSPFK010I Updating Kubernetes Secrets: 1 retries out of 5
INFO: 2020/10/02 11:02:14 main.go:81: CSPFK001I Authenticating as user 'host/conjur/authn-k8s/provider/apps/secrets-provider-host'
INFO: 2020/10/02 11:02:14 authenticator.go:186: CAKC008I Cert expires: 2020-10-05 11:02:12 +0000 UTC
INFO: 2020/10/02 11:02:14 authenticator.go:187: CAKC009I Current date: 2020-10-02 11:02:14.954439628 +0000 UTC
INFO: 2020/10/02 11:02:14 authenticator.go:188: CAKC010I Buffer time: 30s
INFO: 2020/10/02 11:02:14 requests.go:47: CAKC012I Authn request to: https://conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local/authn-k8s/provider/default/host%2Fconjur%2Fauthn-k8s%2Fprovider%2Fapps%2Fsecrets-provider-host/authenticate
ERROR: 2020/10/02 11:02:14 main.go:84: CSPFK010E Failed to authenticate
ERROR: 2020/10/02 11:02:19 main.go:68: CSPFK038E Retransmission backoff exhausted
ERROR: 2020/10/02 11:02:19 main.go:107: CSPFK039E Secrets Provider for Kubernetes failed to update Kubernetes Secrets

It seems like it managed to authenticate initially as host/conjur/authn-k8s/provider/apps/secrets-provider-host, but then why is the Authn request to https://conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local/authn-k8s/provider/default/host%2Fconjur%2Fauthn-k8s%2Fprovider%2Fapps%2Fsecrets-provider-host/authenticate failing?

Thanks in advance for your help!

Hello @jhunt -

Do you also have the Docker logs from the Conjur server? I’m interested to see what is logged there when the authentication request fails.

It looks from what you’ve shared that it was able to log in and retrieve the client certificate successfully (which is a good sign for your configuration), but the authentication failed, which could mean your app identity doesn’t have authenticate permissions on the webservice, or there may be other issues - but the Conjur logs should help us figure out what.

Below are the logs from the Conjur Nginx container; is this what you mean?

A note about the setup: I exposed my Conjur Ingress service via NodePort on static port 32149/TCP on the cluster node’s IP address. I mapped the node’s IP address to conjur.myorg.com, as the DNS name is required to match the SSL hostname in order for SSL verification to be successful when connecting with Conjur CLI. As this is for local testing, I added 172.16.220.56 conjur.myorg.com to my local /etc/hosts file.

conjur.myorg.com:32149 172.16.220.56 "GET /assets/application-9358cc259a6205f4bf349fc5e5dc7917fc4e38e8a28aab7a91dd9c618ff7b07b.js HTTP/1.1" 200 10773 "https://conjur.myorg.com:32149/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.002 0.004
conjur.myorg.com:32149 172.16.220.56 "GET /assets/conjur-logo-all-white-fb73262d3a2d351e2b70450ca17aa9e3b5cc3fbd054e15559ba8b1398ba53b38.svg HTTP/1.1" 200 2190 "https://conjur.myorg.com:32149/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.001 0.000
conjur.myorg.com:32149 172.16.220.56 "GET /assets/cyberark-white-cf283ca98fac35948b9533e19feef06a196df16051a6492241dd707983cf6441.png HTTP/1.1" 200 6188 "https://conjur.myorg.com:32149/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.002 0.000
conjur.myorg.com:32149 172.16.220.56 "GET /assets/font-awesome/fa-brands-400-8e4560c16c7970efa47680450b2cf239d4a482c056d308acea12bb9022906c8b.woff2 HTTP/1.1" 200 75936 "https://conjur.myorg.com:32149/assets/application-ba8a2c04dbcf87c46690e40ad7b3dce36318e943868f9fc3d7acf978ec8767e1.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.002 0.000
conjur.myorg.com:32149 172.16.220.56 "GET /favicon.ico HTTP/1.1" 401 21 "https://conjur.myorg.com:32149/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.002 0.000
conjur.myorg.com:32149 172.16.220.56 "POST /authn/default/host%2Fconjur%2Fauthn-k8s%2Fprovider%2Fapps%2Fsecrets-provider-host/authenticate HTTP/1.1" 200 648 "-" "curl/7.68.0" 0.028 0.028
172.16.220.56:32149 172.16.220.56 "POST /authn/default/host%2Fconjur%2Fauthn-k8s%2Fprovider%2Fapps%2Fsecrets-provider-host/authenticate HTTP/1.1" 200 648 "-" "curl/7.68.0" 0.021 0.020
172.16.220.56:32149 172.16.220.56 "GET / HTTP/1.1" 200 4259 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.005 0.008
172.16.220.56:32149 172.16.220.56 "GET /assets/application-ba8a2c04dbcf87c46690e40ad7b3dce36318e943868f9fc3d7acf978ec8767e1.css HTTP/1.1" 200 34221 "https://172.16.220.56:32149/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.002 0.000
172.16.220.56:32149 172.16.220.56 "GET /assets/application-9358cc259a6205f4bf349fc5e5dc7917fc4e38e8a28aab7a91dd9c618ff7b07b.js HTTP/1.1" 200 10773 "https://172.16.220.56:32149/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.002 0.004
172.16.220.56:32149 172.16.220.56 "GET /assets/conjur-logo-all-white-fb73262d3a2d351e2b70450ca17aa9e3b5cc3fbd054e15559ba8b1398ba53b38.svg HTTP/1.1" 200 2190 "https://172.16.220.56:32149/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.001 0.004
172.16.220.56:32149 172.16.220.56 "GET /assets/cyberark-white-cf283ca98fac35948b9533e19feef06a196df16051a6492241dd707983cf6441.png HTTP/1.1" 200 6188 "https://172.16.220.56:32149/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.001 0.000
172.16.220.56:32149 172.16.220.56 "GET /assets/font-awesome/fa-brands-400-8e4560c16c7970efa47680450b2cf239d4a482c056d308acea12bb9022906c8b.woff2 HTTP/1.1" 200 75936 "https://172.16.220.56:32149/assets/application-ba8a2c04dbcf87c46690e40ad7b3dce36318e943868f9fc3d7acf978ec8767e1.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.002 0.004
172.16.220.56:32149 172.16.220.56 "GET /favicon.ico HTTP/1.1" 401 21 "https://172.16.220.56:32149/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.001 0.000
172.16.220.56:32149 172.16.220.56 "GET / HTTP/1.1" 200 4259 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.007 0.004
172.16.220.56:32149 172.16.220.56 "GET /assets/application-ba8a2c04dbcf87c46690e40ad7b3dce36318e943868f9fc3d7acf978ec8767e1.css HTTP/1.1" 200 34221 "https://172.16.220.56:32149/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.002 0.000
172.16.220.56:32149 172.16.220.56 "GET /assets/application-9358cc259a6205f4bf349fc5e5dc7917fc4e38e8a28aab7a91dd9c618ff7b07b.js HTTP/1.1" 200 10773 "https://172.16.220.56:32149/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.001 0.000
172.16.220.56:32149 172.16.220.56 "GET /assets/conjur-logo-all-white-fb73262d3a2d351e2b70450ca17aa9e3b5cc3fbd054e15559ba8b1398ba53b38.svg HTTP/1.1" 200 2190 "https://172.16.220.56:32149/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.001 0.004
172.16.220.56:32149 172.16.220.56 "GET /assets/cyberark-white-cf283ca98fac35948b9533e19feef06a196df16051a6492241dd707983cf6441.png HTTP/1.1" 200 6188 "https://172.16.220.56:32149/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.001 0.004
172.16.220.56:32149 172.16.220.56 "GET /assets/font-awesome/fa-brands-400-8e4560c16c7970efa47680450b2cf239d4a482c056d308acea12bb9022906c8b.woff2 HTTP/1.1" 200 75936 "https://172.16.220.56:32149/assets/application-ba8a2c04dbcf87c46690e40ad7b3dce36318e943868f9fc3d7acf978ec8767e1.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.002 0.004
172.16.220.56:32149 172.16.220.56 "GET /favicon.ico HTTP/1.1" 401 21 "https://172.16.220.56:32149/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" 0.005 0.008
conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local 10.233.65.210 "POST /authn-k8s/provider/inject_client_cert HTTP/1.1" 200 5 "-" "Go-http-client/1.1" 0.202 0.200
conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local 10.233.65.210 "POST /authn-k8s/provider/default/host%2Fconjur%2Fauthn-k8s%2Fprovider%2Fapps%2Fsecrets-provider-host/authenticate HTTP/1.1" 401 5 "-" "Go-http-client/1.1" 0.013 0.012
conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local 10.233.65.210 "POST /authn-k8s/provider/default/host%2Fconjur%2Fauthn-k8s%2Fprovider%2Fapps%2Fsecrets-provider-host/authenticate HTTP/1.1" 401 5 "-" "Go-http-client/1.1" 0.009 0.008
conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local 10.233.65.210 "POST /authn-k8s/provider/default/host%2Fconjur%2Fauthn-k8s%2Fprovider%2Fapps%2Fsecrets-provider-host/authenticate HTTP/1.1" 401 5 "-" "Go-http-client/1.1" 0.011 0.012
conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local 10.233.65.210 "POST /authn-k8s/provider/default/host%2Fconjur%2Fauthn-k8s%2Fprovider%2Fapps%2Fsecrets-provider-host/authenticate HTTP/1.1" 401 5 "-" "Go-http-client/1.1" 0.010 0.012
conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local 10.233.65.210 "POST /authn-k8s/provider/default/host%2Fconjur%2Fauthn-k8s%2Fprovider%2Fapps%2Fsecrets-provider-host/authenticate HTTP/1.1" 401 5 "-" "Go-http-client/1.1" 0.009 0.008
conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local 10.233.65.210 "POST /authn-k8s/provider/default/host%2Fconjur%2Fauthn-k8s%2Fprovider%2Fapps%2Fsecrets-provider-host/authenticate HTTP/1.1" 401 5 "-" "Go-http-client/1.1" 0.009 0.008
conjur.myorg.com:32149 172.16.220.56 "GET /authn/default/login HTTP/1.1" 200 64 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.013 0.012
conjur.myorg.com:32149 172.16.220.56 "POST /authn/default/admin/authenticate HTTP/1.1" 200 580 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.036 0.036
conjur.myorg.com:32149 172.16.220.56 "GET /resources/default/ HTTP/1.1" 200 27482 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.046 0.048
conjur.myorg.com:32149 172.16.220.56 "POST /authn/default/admin/authenticate HTTP/1.1" 200 580 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.021 0.020
conjur.myorg.com:32149 172.16.220.56 "GET /secrets/default/variable/conjur%2Fauthn-k8s%2Fprovider%2Fca%2Fcert/ HTTP/1.1" 200 1406 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.017 0.012
conjur.myorg.com:32149 172.16.220.56 "POST /authn/default/admin/authenticate HTTP/1.1" 200 580 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.022 0.020
conjur.myorg.com:32149 172.16.220.56 "GET /secrets/default/variable/conjur%2Fauthn-k8s%2Fprovider%2Fca%2Fkey/ HTTP/1.1" 200 1690 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.015 0.016
conjur.myorg.com:32149 172.16.220.56 "GET /authn/default/login HTTP/1.1" 200 64 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.012 0.008
conjur.myorg.com:32149 172.16.220.56 "POST /authn/default/admin/authenticate HTTP/1.1" 200 580 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.021 0.016
conjur.myorg.com:32149 172.16.220.56 "GET /resources/default/webservice/conjur%2Fauthn-k8s%2Fprovider HTTP/1.1" 200 445 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.015 0.016
conjur.myorg.com:32149 172.16.220.56 "POST /authn/default/admin/authenticate HTTP/1.1" 200 580 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.015 0.012
conjur.myorg.com:32149 172.16.220.56 "POST /policies/default/policy/root HTTP/1.1" 404 282 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.128 0.128
conjur.myorg.com:32149 172.16.220.56 "POST /authn/default/admin/authenticate HTTP/1.1" 200 580 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.014 0.012
conjur.myorg.com:32149 172.16.220.56 "POST /policies/default/policy/root HTTP/1.1" 404 282 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.102 0.100
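The two logs in this thread line up: the authenticator's CAKC011I login request is the `POST /authn-k8s/provider/inject_client_cert` that returns 200 in the Nginx log, and every CAKC012I authn request is one of the `.../authenticate` calls that return 401. A triage that pairs those two steps per client is quick to script. The following is an added example, not code from the thread or from CyberArk: it parses access-log lines in the format shown above (the sample lines are constructed here, modelled on the post) and reports, per client and authn-k8s service id, whether the login step succeeded and the authenticate step was rejected.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the same format as the Nginx log in the post:
# vhost client "request" status bytes "referer" "user-agent" request_time upstream_time
SAMPLE_LOG = """\
conjur.myorg.com:32149 172.16.220.56 "POST /authn/default/host%2Fconjur%2Fauthn-k8s%2Fprovider%2Fapps%2Fsecrets-provider-host/authenticate HTTP/1.1" 200 648 "-" "curl/7.68.0" 0.028 0.028
conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local 10.233.65.210 "POST /authn-k8s/provider/inject_client_cert HTTP/1.1" 200 5 "-" "Go-http-client/1.1" 0.202 0.200
conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local 10.233.65.210 "POST /authn-k8s/provider/default/host%2Fconjur%2Fauthn-k8s%2Fprovider%2Fapps%2Fsecrets-provider-host/authenticate HTTP/1.1" 401 5 "-" "Go-http-client/1.1" 0.013 0.012
conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local 10.233.65.210 "POST /authn-k8s/provider/default/host%2Fconjur%2Fauthn-k8s%2Fprovider%2Fapps%2Fsecrets-provider-host/authenticate HTTP/1.1" 401 5 "-" "Go-http-client/1.1" 0.009 0.008
conjur.myorg.com:32149 172.16.220.56 "GET /favicon.ico HTTP/1.1" 401 21 "https://conjur.myorg.com:32149/" "Mozilla/5.0" 0.002 0.000
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<req_time>[\d.]+) (?P<up_time>[\d.]+)$'
)

# The authn-k8s flow, as the authenticator log shows it, has two HTTP steps:
#   login:        POST /authn-k8s/<service-id>/inject_client_cert
#   authenticate: POST /authn-k8s/<service-id>/<account>/<host-id>/authenticate
AUTHN_K8S_RE = re.compile(r'^/authn-k8s/(?P<service>[^/]+)/(?P<rest>.+)$')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Map a request path to (service_id, stage) for the two authn-k8s steps, else None."""
    m = AUTHN_K8S_RE.match(path)
    if not m:
        return None
    rest = m.group("rest")
    if rest == "inject_client_cert":
        return m.group("service"), "login"
    if rest.endswith("/authenticate"):
        return m.group("service"), "authenticate"
    return None


def triage(log_text):
    """Count HTTP status codes per (client, service_id) and stage; other requests are ignored."""
    summary = defaultdict(lambda: defaultdict(Counter))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        step = classify(rec["path"])
        if step is None:
            continue
        service, stage = step
        summary[(rec["client"], service)][stage][rec["status"]] += 1
    return summary


def diagnose(summary):
    """Turn the counts into one verdict per (client, service_id)."""
    verdicts = {}
    for key, stages in summary.items():
        login_ok = stages["login"][200] > 0
        authn_ok = stages["authenticate"][200] > 0
        authn_rejected = sum(n for s, n in stages["authenticate"].items() if s in (401, 403))
        if login_ok and authn_ok:
            verdicts[key] = "ok"
        elif login_ok and authn_rejected:
            # Cert was issued, so the pod identity reached Conjur; the rejection is
            # about the host (privilege on the webservice, or annotation mismatch).
            verdicts[key] = "login-ok-authn-rejected"
        elif not login_ok:
            verdicts[key] = "no-successful-login"
        else:
            verdicts[key] = "inconclusive"
    return verdicts


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for (client, service), verdict in diagnose(summary).items():
        counts = {stage: dict(c) for stage, c in summary[(client, service)].items()}
        print(f"{client} authn-k8s/{service}: {verdict} {counts}")
```

Run it against the real Nginx log by replacing `SAMPLE_LOG` with the file contents; the `/authn/default/...` and static-asset requests are ignored, so only the authn-k8s pairs are scored.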

Hi @jhunt,
As @izgerij said, the fact that authentication for the cert injection is working is a good first step.

I’d like to look at a couple of things.

  1. Would you mind sharing your policy definition where you grant access to secrets-provider-host?
    It should look something like this:
---
- !policy
  id: conjur/authn-k8s/provider/apps
  owner: !group devops
  annotations:
    description: Identities permitted to authenticate 
  body:
  - !layer
    annotations:
      description: Layer of authenticator identities permitted to call authn svc
  - &hosts
    # Annotation-based authentication (host ID is an application name, and
    # permitted application identities are listed as annotations)
    - !host
      id: secrets-provider-host
      annotations:
        authn-k8s/namespace: <namespace-for-secrets-provider-host>
        authn-k8s/service-account: <your-service-account-for-secrets-provider-host>
        authn-k8s/deployment: secrets-provider-host
        authn-k8s/authentication-container-name: authenticator
        kubernetes: "true"

  - !grant
    role: !layer
    members: *hosts
  2. It would be helpful to get the conjur-oss container logs from the Conjur-OSS pod, but with debug logs enabled.

    To enable debug logging on Conjur, you would:

  • Run:
    kubectl edit deployment -n <conjur-namespace> conjur-oss
  • Add this environment variable setting in the deployment along with other existing env vars for the Conjur OSS container:
        - name: CONJUR_LOG_LEVEL
          value: debug
  • Write/Quit the deployment edit
  • List the replicasets:
    kubectl get replicasets -n <conjur-namespace>
  • Delete the OLDEST Conjur OSS replicaset:
    kubectl delete replicaset -n <conjur-namespace> <oldest-conjur-replicaset>

Now that debug logs are enabled, you should be able to get Conjur logs:

kubectl logs -n <conjur-namespace> <conjur-pod> conjur-oss

Hi @dane,

Thanks a lot for helping out!

Here’s the policy definition for secrets-provider-host:

- !policy
  id: conjur/authn-k8s/provider/apps
  body:
    - !layer
    - &hosts
      - !host
        id: secrets-provider-host
        annotations:
          authn-k8s/namespace: default
          authn-k8s/service-account: secrets-provider-service-account
          authn-k8s/authentication-container-name: cyberark-secrets-provider-for-k8s
    - !grant
      role: !layer
      members: *hosts

@jhunt,

A quick sanity check: do the values that your policy uses for authn-k8s/namespace, authn-k8s/service-account, and authn-k8s/authentication-container-name match the corresponding fields in the output of kubectl get pod -n default <your-application-pod>?
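The sanity check above, and the annotation block in the policy posted earlier in the thread, can be checked mechanically instead of by eye. The following is an added example, not code from the thread or from CyberArk: it takes the host's annotations in the shape Conjur's `GET /resources/<account>/host/<host-id>` endpoint returns them (that list-of-`{name, value}` shape is an assumption here; the `/resources/` endpoint itself appears in the Nginx log above), and a pod object as `kubectl get pod -o json` prints it, both constructed for the example, and reports every `authn-k8s/*` annotation whose value the pod does not satisfy. Deriving the Deployment name from the pod's ReplicaSet owner is a heuristic added here, not a Conjur rule.

```python
import json

# Constructed sample: a host resource as the Conjur /resources/ endpoint would
# return it (shape assumed). The container-name value deliberately differs from
# the pod below so that the check has something to report.
CONJUR_HOST_RESOURCE = {
    "id": "default:host:conjur/authn-k8s/provider/apps/secrets-provider-host",
    "annotations": [
        {"name": "authn-k8s/namespace", "value": "default"},
        {"name": "authn-k8s/service-account", "value": "secrets-provider-service-account"},
        {"name": "authn-k8s/authentication-container-name", "value": "cyberark-secrets-provider-for-k8s"},
        {"name": "authn-k8s/deployment", "value": "secrets-provider"},
    ],
}

# Constructed sample pod, shaped like `kubectl get pod -n default <pod> -o json`
# (only the fields this check reads are included).
SAMPLE_POD = {
    "metadata": {
        "name": "secrets-provider-6d4f9c7b8-abcde",
        "namespace": "default",
        "labels": {"pod-template-hash": "6d4f9c7b8"},
        "ownerReferences": [{"kind": "ReplicaSet", "name": "secrets-provider-6d4f9c7b8"}],
    },
    "spec": {
        "serviceAccountName": "secrets-provider-service-account",
        "containers": [{"name": "authenticator"}, {"name": "app"}],
    },
}


def annotations_of(host_resource):
    """Flatten the annotation list of a Conjur resource into {name: value}."""
    return {a["name"]: a["value"] for a in host_resource.get("annotations", [])}


def observed_from_pod(pod):
    """Collect, from the pod object, the values each authn-k8s annotation is compared against."""
    meta, spec = pod["metadata"], pod["spec"]
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    observed = {
        "authn-k8s/namespace": meta.get("namespace"),
        # Kubernetes defaults serviceAccountName to "default" when it is unset.
        "authn-k8s/service-account": spec.get("serviceAccountName", "default"),
        # The authentication container must be one of the pod's containers, so
        # this value is a set and the comparison below is a membership test.
        "authn-k8s/authentication-container-name": {c["name"] for c in containers},
    }
    # A pod does not carry its Deployment name. Heuristic (assumption, not a
    # Conjur rule): when the owner is a ReplicaSet, the Deployment name is the
    # ReplicaSet name minus the "-<pod-template-hash>" suffix.
    template_hash = meta.get("labels", {}).get("pod-template-hash")
    for ref in meta.get("ownerReferences", []):
        if ref.get("kind") == "ReplicaSet" and template_hash and ref["name"].endswith("-" + template_hash):
            observed["authn-k8s/deployment"] = ref["name"][: -len(template_hash) - 1]
    return observed


def check_identity(host_resource, pod):
    """Return (annotation, value_in_policy, value_seen_in_pod, matches) for each authn-k8s/* annotation."""
    findings = []
    observed = observed_from_pod(pod)
    for name, expected in annotations_of(host_resource).items():
        if not name.startswith("authn-k8s/"):
            continue  # e.g. the "kubernetes: true" annotation is not an identity constraint
        if name not in observed:
            findings.append((name, expected, None, False))  # cannot be verified from the pod alone
            continue
        actual = observed[name]
        if isinstance(actual, set):
            findings.append((name, expected, sorted(actual), expected in actual))
        else:
            findings.append((name, expected, actual, expected == actual))
    return findings


def mismatches(findings):
    """Only the findings the pod does not satisfy."""
    return [f for f in findings if not f[3]]


if __name__ == "__main__":
    results = check_identity(CONJUR_HOST_RESOURCE, SAMPLE_POD)
    for name, expected, actual, ok in results:
        print(f"{'OK  ' if ok else 'FAIL'} {name}: policy={expected!r} pod={json.dumps(actual)}")
```

With the constructed data the namespace, service account and deployment match, and the container-name annotation is flagged because the pod has containers `app` and `authenticator` but the policy names `cyberark-secrets-provider-for-k8s`. Point `CONJUR_HOST_RESOURCE` and `SAMPLE_POD` at real API output to run the same check against a live cluster.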

I followed your steps and re-deployed the Secrets Provider via helm charts and it worked! I’m really confused why though… as to what changed compared to the other times I tried.

NAME                            READY   STATUS      RESTARTS   AGE
mysql-client-778657c698-rmz2g   1/1     Running     0          3d5h
nfs-nfs-server-provisioner-0    1/1     Running     3          188d
secrets-provider-rfvm7          0/1     Completed   0          17m
vm-mariadb-master-0             1/1     Running     0          188d
vm-mariadb-slave-0              1/1     Running     0          188d

Here’s the log for secrets-provider-rfvm7 which looks successful:

INFO: 2020/10/02 16:44:43 main.go:23: CSPFK008I CyberArk Secrets Provider for Kubernetes v1.1.0-dev starting up
DEBUG: 2020/10/02 16:44:43 main.go:115: CSPFK001D Debug mode is enabled
INFO: 2020/10/02 16:44:43 main.go:81: CSPFK001I Authenticating as user 'host/conjur/authn-k8s/provider/apps/secrets-provider-host'
INFO: 2020/10/02 16:44:43 authenticator.go:197: CAKC005I Trying to login Conjur...
INFO: 2020/10/02 16:44:43 authenticator.go:116: CAKC007I Logging in as user 'host/conjur/authn-k8s/provider/apps/secrets-provider-host'
INFO: 2020/10/02 16:44:43 requests.go:23: CAKC011I Login request to: https://conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local/authn-k8s/provider/inject_client_cert
INFO: 2020/10/02 16:44:44 file.go:35: CAKC017I Waiting for file /etc/conjur/ssl/client.pem to become available...
INFO: 2020/10/02 16:44:44 authenticator.go:159: CAKC015I Loaded client certificate successfully from /etc/conjur/ssl/client.pem
INFO: 2020/10/02 16:44:44 authenticator.go:171: CAKC016I Deleted client certificate from memory
INFO: 2020/10/02 16:44:44 authenticator.go:203: CAKC002I Logged in
INFO: 2020/10/02 16:44:44 authenticator.go:186: CAKC008I Cert expires: 2020-10-05 16:44:43 +0000 UTC
INFO: 2020/10/02 16:44:44 authenticator.go:187: CAKC009I Current date: 2020-10-02 16:44:44.522679508 +0000 UTC
INFO: 2020/10/02 16:44:44 authenticator.go:188: CAKC010I Buffer time:  30s
INFO: 2020/10/02 16:44:44 requests.go:47: CAKC012I Authn request to: https://conjur-helm-v2-conjur-oss.conjur-demo.svc.cluster.local/authn-k8s/provider/default/host%2Fconjur%2Fauthn-k8s%2Fprovider%2Fapps%2Fsecrets-provider-host/authenticate
INFO: 2020/10/02 16:44:44 authenticator.go:266: CAKC001I Successfully authenticated
INFO: 2020/10/02 16:44:44 k8s_secrets_client.go:54: CSPFK004I Creating Kubernetes client
INFO: 2020/10/02 16:44:44 k8s_secrets_client.go:19: CSPFK005I Retrieving Kubernetes secret 'db-credentials-demo' from namespace 'default'
DEBUG: 2020/10/02 16:44:44 provide_conjur_secrets.go:127: CSPFK009D Processing 'conjur-map' data entry value of Kubernetes Secret 'db-credentials-demo'
INFO: 2020/10/02 16:44:44 conjur_secrets_retriever.go:11: CSPFK003I Retrieving following secrets from DAP/Conjur: [db_credentials/username db_credentials/password]
INFO: 2020/10/02 16:44:44 conjur_client.go:21: CSPFK002I Creating DAP/Conjur client
INFO: 2020/10/02 16:44:44 k8s_secrets_client.go:54: CSPFK004I Creating Kubernetes client
INFO: 2020/10/02 16:44:44 k8s_secrets_client.go:38: CSPFK006I Updating Kubernetes secret 'db-credentials-demo' in namespace 'default'
INFO: 2020/10/02 16:44:44 main.go:102: CSPFK009I DAP/Conjur Secrets updated in Kubernetes successfully

And here is what I get for the Conjur logs; it looks like it’s showing what the database is doing - is this what it should look like? The file is huge, so this is just an excerpt from the end of the file:

 LEFT JOIN (
 SELECT resource_id, MAX(version) AS version
 FROM secrets
 GROUP BY resource_id
 ) max_version ON max_version.resource_id = ttl.resource_id

 WHERE ttl.name = 'rotation/ttl' 
 AND secrets.version = max_version.version
 AND (
 secrets.expires_at < NOW() OR secrets.expires_at IS NULL
 )
  Sequel::Postgres::Database (0.3ms)  SELECT pg_advisory_unlock(767003715) AS "v" LIMIT 1
  Sequel::Postgres::Database (0.6ms)  SELECT pg_try_advisory_lock(767003715) AS "v" LIMIT 1
  Sequel::Postgres::Database (1.2ms)   SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
 FROM annotations ttl

 -- This ensures we get only entries with both
 -- a ttl and a rotator specified
 JOIN annotations rotators ON (
 rotators.resource_id = ttl.resource_id
 AND rotators.name = 'rotation/rotator'
 )

 LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

 LEFT JOIN (
 SELECT resource_id, MAX(version) AS version
 FROM secrets
 GROUP BY resource_id
 ) max_version ON max_version.resource_id = ttl.resource_id

 WHERE ttl.name = 'rotation/ttl' 
 AND secrets.version = max_version.version
 AND (
 secrets.expires_at < NOW() OR secrets.expires_at IS NULL
 )

  Sequel::Postgres::Database (0.3ms)  SELECT pg_advisory_unlock(767003715) AS "v" LIMIT 1
[origin=172.16.220.56] [request_id=2a6f39df-7830-4f38-bb51-14062aec33aa] [tid=40] Started GET "/" for 172.16.220.56 at 2020-10-02 16:55:25 +0000
[origin=172.16.220.56] [request_id=2a6f39df-7830-4f38-bb51-14062aec33aa] [tid=40] Processing by StatusController#index as HTML
[origin=172.16.220.56] [request_id=2a6f39df-7830-4f38-bb51-14062aec33aa] [tid=40]   Sequel::Postgres::Database (0.6ms)  BEGIN
[origin=172.16.220.56] [request_id=2a6f39df-7830-4f38-bb51-14062aec33aa] [tid=40]   Rendered status/index.html.erb within layouts/application (0.1ms)
[origin=172.16.220.56] [request_id=2a6f39df-7830-4f38-bb51-14062aec33aa] [tid=40]   Rendered shared/_navigation.html.erb (0.2ms)
[origin=172.16.220.56] [request_id=2a6f39df-7830-4f38-bb51-14062aec33aa] [tid=40]   Rendered shared/_footer.html.erb (0.2ms)
[origin=172.16.220.56] [request_id=2a6f39df-7830-4f38-bb51-14062aec33aa] [tid=40]   Sequel::Postgres::Database (0.3ms)  COMMIT
[origin=172.16.220.56] [request_id=2a6f39df-7830-4f38-bb51-14062aec33aa] [tid=40] Completed 200 OK in 3ms (Views: 1.5ms)
  Sequel::Postgres::Database (0.7ms)  SELECT pg_try_advisory_lock(767003715) AS "v" LIMIT 1
  Sequel::Postgres::Database (1.2ms)   SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
 FROM annotations ttl

 -- This ensures we get only entries with both
 -- a ttl and a rotator specified
 JOIN annotations rotators ON (
 rotators.resource_id = ttl.resource_id
 AND rotators.name = 'rotation/rotator'
 )

 LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

 LEFT JOIN (
 SELECT resource_id, MAX(version) AS version
 FROM secrets
 GROUP BY resource_id
 ) max_version ON max_version.resource_id = ttl.resource_id

 WHERE ttl.name = 'rotation/ttl' 
 AND secrets.version = max_version.version
 AND (
 secrets.expires_at < NOW() OR secrets.expires_at IS NULL
 )
  Sequel::Postgres::Database (0.3ms)  SELECT pg_advisory_unlock(767003715) AS "v" LIMIT 1
[origin=172.16.220.56] [request_id=7eae7547-e527-4284-95b2-60187f2f3221] [tid=37] Started GET "/" for 172.16.220.56 at 2020-10-02 16:55:27 +0000
[origin=172.16.220.56] [request_id=7eae7547-e527-4284-95b2-60187f2f3221] [tid=37] Processing by StatusController#index as HTML
[origin=172.16.220.56] [request_id=7eae7547-e527-4284-95b2-60187f2f3221] [tid=37]   Sequel::Postgres::Database (0.3ms)  BEGIN
[origin=172.16.220.56] [request_id=7eae7547-e527-4284-95b2-60187f2f3221] [tid=37]   Rendered status/index.html.erb within layouts/application (0.1ms)
[origin=172.16.220.56] [request_id=7eae7547-e527-4284-95b2-60187f2f3221] [tid=37]   Rendered shared/_navigation.html.erb (0.2ms)
[origin=172.16.220.56] [request_id=7eae7547-e527-4284-95b2-60187f2f3221] [tid=37]   Rendered shared/_footer.html.erb (0.2ms)
[origin=172.16.220.56] [request_id=7eae7547-e527-4284-95b2-60187f2f3221] [tid=37]   Sequel::Postgres::Database (0.3ms)  COMMIT
[origin=172.16.220.56] [request_id=7eae7547-e527-4284-95b2-60187f2f3221] [tid=37] Completed 200 OK in 3ms (Views: 1.6ms)
  Sequel::Postgres::Database (0.6ms)  SELECT pg_try_advisory_lock(767003715) AS "v" LIMIT 1
  Sequel::Postgres::Database (1.3ms)   SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
 FROM annotations ttl

 -- This ensures we get only entries with both
 -- a ttl and a rotator specified
 JOIN annotations rotators ON (
 rotators.resource_id = ttl.resource_id
 AND rotators.name = 'rotation/rotator'
 )

 LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

 LEFT JOIN (
 SELECT resource_id, MAX(version) AS version
 FROM secrets
 GROUP BY resource_id
 ) max_version ON max_version.resource_id = ttl.resource_id

 WHERE ttl.name = 'rotation/ttl' 
 AND secrets.version = max_version.version
 AND (
 secrets.expires_at < NOW() OR secrets.expires_at IS NULL
 )

  Sequel::Postgres::Database (0.3ms)  SELECT pg_advisory_unlock(767003715) AS "v" LIMIT 1
  Sequel::Postgres::Database (0.6ms)  SELECT pg_try_advisory_lock(767003715) AS "v" LIMIT 1
  Sequel::Postgres::Database (1.2ms)   SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
 FROM annotations ttl

 -- This ensures we get only entries with both
 -- a ttl and a rotator specified
 JOIN annotations rotators ON (
 rotators.resource_id = ttl.resource_id
 AND rotators.name = 'rotation/rotator'
 )

 LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

 LEFT JOIN (
 SELECT resource_id, MAX(version) AS version
 FROM secrets
 GROUP BY resource_id
 ) max_version ON max_version.resource_id = ttl.resource_id

 WHERE ttl.name = 'rotation/ttl' 
 AND secrets.version = max_version.version
 AND (
 secrets.expires_at < NOW() OR secrets.expires_at IS NULL
 )
  Sequel::Postgres::Database (0.3ms)  SELECT pg_advisory_unlock(767003715) AS "v" LIMIT 1
  Sequel::Postgres::Database (0.7ms)  SELECT pg_try_advisory_lock(767003715) AS "v" LIMIT 1
  Sequel::Postgres::Database (1.4ms)   SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
 FROM annotations ttl

 -- This ensures we get only entries with both
 -- a ttl and a rotator specified
 JOIN annotations rotators ON (
 rotators.resource_id = ttl.resource_id
 AND rotators.name = 'rotation/rotator'
 )

 LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

 LEFT JOIN (
 SELECT resource_id, MAX(version) AS version
 FROM secrets
 GROUP BY resource_id
 ) max_version ON max_version.resource_id = ttl.resource_id

 WHERE ttl.name = 'rotation/ttl' 
 AND secrets.version = max_version.version
 AND (
 secrets.expires_at < NOW() OR secrets.expires_at IS NULL
 )

  Sequel::Postgres::Database (0.3ms)  SELECT pg_advisory_unlock(767003715) AS "v" LIMIT 1
  Sequel::Postgres::Database (0.7ms)  SELECT pg_try_advisory_lock(767003715) AS "v" LIMIT 1
  Sequel::Postgres::Database (1.3ms)   SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
 FROM annotations ttl

 -- This ensures we get only entries with both
 -- a ttl and a rotator specified
 JOIN annotations rotators ON (
 rotators.resource_id = ttl.resource_id
 AND rotators.name = 'rotation/rotator'
 )

 LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

 LEFT JOIN (
 SELECT resource_id, MAX(version) AS version
 FROM secrets
 GROUP BY resource_id
 ) max_version ON max_version.resource_id = ttl.resource_id

 WHERE ttl.name = 'rotation/ttl' 
 AND secrets.version = max_version.version
 AND (
 secrets.expires_at < NOW() OR secrets.expires_at IS NULL
 )
  Sequel::Postgres::Database (0.4ms)  SELECT pg_advisory_unlock(767003715) AS "v" LIMIT 1
  Sequel::Postgres::Database (0.6ms)  SELECT pg_try_advisory_lock(767003715) AS "v" LIMIT 1
  Sequel::Postgres::Database (1.3ms)   SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
 FROM annotations ttl

 -- This ensures we get only entries with both
 -- a ttl and a rotator specified
 JOIN annotations rotators ON (
 rotators.resource_id = ttl.resource_id
 AND rotators.name = 'rotation/rotator'
 )

 LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

 LEFT JOIN (
 SELECT resource_id, MAX(version) AS version
 FROM secrets
 GROUP BY resource_id
 ) max_version ON max_version.resource_id = ttl.resource_id

 WHERE ttl.name = 'rotation/ttl' 
 AND secrets.version = max_version.version
 AND (
 secrets.expires_at < NOW() OR secrets.expires_at IS NULL
 )

  Sequel::Postgres::Database (0.3ms)  SELECT pg_advisory_unlock(767003715) AS "v" LIMIT 1
[origin=172.16.220.56] [request_id=52e3182b-49e3-4b4a-9c0a-0cd644d5da9c] [tid=34] Started GET "/" for 172.16.220.56 at 2020-10-02 16:55:32 +0000
[origin=172.16.220.56] [request_id=52e3182b-49e3-4b4a-9c0a-0cd644d5da9c] [tid=34] Processing by StatusController#index as HTML
[origin=172.16.220.56] [request_id=52e3182b-49e3-4b4a-9c0a-0cd644d5da9c] [tid=34]   Sequel::Postgres::Database (0.4ms)  BEGIN
[origin=172.16.220.56] [request_id=52e3182b-49e3-4b4a-9c0a-0cd644d5da9c] [tid=34]   Rendered status/index.html.erb within layouts/application (0.1ms)
[origin=172.16.220.56] [request_id=52e3182b-49e3-4b4a-9c0a-0cd644d5da9c] [tid=34]   Rendered shared/_navigation.html.erb (0.2ms)
[origin=172.16.220.56] [request_id=52e3182b-49e3-4b4a-9c0a-0cd644d5da9c] [tid=34]   Rendered shared/_footer.html.erb (0.2ms)
[origin=172.16.220.56] [request_id=52e3182b-49e3-4b4a-9c0a-0cd644d5da9c] [tid=34]   Sequel::Postgres::Database (0.3ms)  COMMIT
[origin=172.16.220.56] [request_id=52e3182b-49e3-4b4a-9c0a-0cd644d5da9c] [tid=34] Completed 200 OK in 3ms (Views: 1.7ms)
  Sequel::Postgres::Database (0.7ms)  SELECT pg_try_advisory_lock(767003715) AS "v" LIMIT 1
  Sequel::Postgres::Database (1.2ms)   SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
 FROM annotations ttl

 -- This ensures we get only entries with both
 -- a ttl and a rotator specified
 JOIN annotations rotators ON (
 rotators.resource_id = ttl.resource_id
 AND rotators.name = 'rotation/rotator'
 )

 LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

 LEFT JOIN (
 SELECT resource_id, MAX(version) AS version
 FROM secrets
 GROUP BY resource_id
 ) max_version ON max_version.resource_id = ttl.resource_id

 WHERE ttl.name = 'rotation/ttl' 
 AND secrets.version = max_version.version
 AND (
 secrets.expires_at < NOW() OR secrets.expires_at IS NULL
 )
  Sequel::Postgres::Database (0.3ms)  SELECT pg_advisory_unlock(767003715) AS "v" LIMIT 1
  Sequel::Postgres::Database (0.7ms)  SELECT pg_try_advisory_lock(767003715) AS "v" LIMIT 1
  Sequel::Postgres::Database (1.2ms)   SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
 FROM annotations ttl

 -- This ensures we get only entries with both
 -- a ttl and a rotator specified
 JOIN annotations rotators ON (
 rotators.resource_id = ttl.resource_id
 AND rotators.name = 'rotation/rotator'
 )

 LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

 LEFT JOIN (
 SELECT resource_id, MAX(version) AS version
 FROM secrets
 GROUP BY resource_id
 ) max_version ON max_version.resource_id = ttl.resource_id

 WHERE ttl.name = 'rotation/ttl' 
 AND secrets.version = max_version.version
 AND (
 secrets.expires_at < NOW() OR secrets.expires_at IS NULL
 )

  e[1me[36mSequel::Postgres::Database (0.3ms)e[0m  e[1mSELECT pg_advisory_unlock(767003715) AS "v" LIMIT 1e[0m
  e[1me[35mSequel::Postgres::Database (0.6ms)e[0m  SELECT pg_try_advisory_lock(767003715) AS "v" LIMIT 1
  e[1me[36mSequel::Postgres::Database (1.2ms)e[0m  e[1m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
 FROM annotations ttl

 -- This ensures we get only entries with both
 -- a ttl and a rotator specified
 JOIN annotations rotators ON (
 rotators.resource_id = ttl.resource_id
 AND rotators.name = 'rotation/rotator'
 )

 LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

 LEFT JOIN (
 SELECT resource_id, MAX(version) AS version
 FROM secrets
 GROUP BY resource_id
 ) max_version ON max_version.resource_id = ttl.resource_id

 WHERE ttl.name = 'rotation/ttl' 
 AND secrets.version = max_version.version
 AND (
 secrets.expires_at < NOW() OR secrets.expires_at IS NULL
 )
e[0m
  e[1me[35mSequel::Postgres::Database (0.3ms)e[0m  SELECT pg_advisory_unlock(767003715) AS "v" LIMIT 1
  e[1me[36mSequel::Postgres::Database (0.7ms)e[0m  e[1mSELECT pg_try_advisory_lock(767003715) AS "v" LIMIT 1e[0m
  e[1me[35mSequel::Postgres::Database (1.2ms)e[0m   SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
 FROM annotations ttl

 -- This ensures we get only entries with both
 -- a ttl and a rotator specified
 JOIN annotations rotators ON (
 rotators.resource_id = ttl.resource_id
 AND rotators.name = 'rotation/rotator'
 )

 LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

 LEFT JOIN (
 SELECT resource_id, MAX(version) AS version
 FROM secrets
 GROUP BY resource_id
 ) max_version ON max_version.resource_id = ttl.resource_id

 WHERE ttl.name = 'rotation/ttl' 
 AND secrets.version = max_version.version
 AND (
 secrets.expires_at < NOW() OR secrets.expires_at IS NULL
 )

  e[1me[36mSequel::Postgres::Database (0.3ms)e[0m  e[1mSELECT pg_advisory_unlock(767003715) AS "v" LIMIT 1e[0m
  e[1me[35mSequel::Postgres::Database (0.7ms)e[0m  SELECT pg_try_advisory_lock(767003715) AS "v" LIMIT 1
  e[1me[36mSequel::Postgres::Database (1.2ms)e[0m  e[1m SELECT ttl.resource_id, ttl.value AS ttl, rotators.value AS rotator_name
 FROM annotations ttl

 -- This ensures we get only entries with both
 -- a ttl and a rotator specified
 JOIN annotations rotators ON (
 rotators.resource_id = ttl.resource_id
 AND rotators.name = 'rotation/rotator'
 )

 LEFT JOIN secrets ON ttl.resource_id = secrets.resource_id

 LEFT JOIN (
 SELECT resource_id, MAX(version) AS version
 FROM secrets
 GROUP BY resource_id
 ) max_version ON max_version.resource_id = ttl.resource_id

 WHERE ttl.name = 'rotation/ttl' 
 AND secrets.version = max_version.version
 AND (
 secrets.expires_at < NOW() OR secrets.expires_at IS NULL
 )
e[0m
  e[1me[35mSequel::Postgres::Database (0.4ms)e[0m  SELECT pg_advisory_unlock(767003715) AS "v" LIMIT 1
[origin=172.16.220.56] [request_id=e9f4c971-b47b-4b62-bebe-6a9acdad4558] [tid=39] Started GET "/" for 172.16.220.56 at 2020-10-02 16:55:37 +0000
[origin=172.16.220.56] [request_id=e9f4c971-b47b-4b62-bebe-6a9acdad4558] [tid=39] Processing by StatusController#index as HTML
[origin=172.16.220.56] [request_id=e9f4c971-b47b-4b62-bebe-6a9acdad4558] [tid=39]   Sequel::Postgres::Database (0.4ms)  BEGIN
[origin=172.16.220.56] [request_id=e9f4c971-b47b-4b62-bebe-6a9acdad4558] [tid=39]   Rendered status/index.html.erb within layouts/application (0.1ms)
[origin=172.16.220.56] [request_id=e9f4c971-b47b-4b62-bebe-6a9acdad4558] [tid=39]   Rendered shared/_navigation.html.erb (0.2ms)
[origin=172.16.220.56] [request_id=e9f4c971-b47b-4b62-bebe-6a9acdad4558] [tid=39]   Rendered shared/_footer.html.erb (0.2ms)
[origin=172.16.220.56] [request_id=e9f4c971-b47b-4b62-bebe-6a9acdad4558] [tid=39]   Sequel::Postgres::Database (0.3ms)  COMMIT
[origin=172.16.220.56] [request_id=e9f4c971-b47b-4b62-bebe-6a9acdad4558] [tid=39] Completed 200 OK in 3ms (Views: 1.6ms)
[origin=172.16.220.56] [request_id=b382aba9-7080-43dd-afa4-ef4dda2b1cbd] [tid=42] Started GET "/" for 172.16.220.56 at 2020-10-02 16:55:42 +0000
[origin=172.16.220.56] [request_id=b382aba9-7080-43dd-afa4-ef4dda2b1cbd] [tid=42] Processing by StatusController#index as HTML
[origin=172.16.220.56] [request_id=b382aba9-7080-43dd-afa4-ef4dda2b1cbd] [tid=42]   Sequel::Postgres::Database (0.4ms)  BEGIN
[origin=172.16.220.56] [request_id=b382aba9-7080-43dd-afa4-ef4dda2b1cbd] [tid=42]   Rendered status/index.html.erb within layouts/application (0.1ms)
[origin=172.16.220.56] [request_id=b382aba9-7080-43dd-afa4-ef4dda2b1cbd] [tid=42]   Rendered shared/_navigation.html.erb (0.2ms)
[origin=172.16.220.56] [request_id=b382aba9-7080-43dd-afa4-ef4dda2b1cbd] [tid=42]   Rendered shared/_footer.html.erb (0.2ms)
[origin=172.16.220.56] [request_id=b382aba9-7080-43dd-afa4-ef4dda2b1cbd] [tid=42]   Sequel::Postgres::Database (0.3ms)  COMMIT
[origin=172.16.220.56] [request_id=b382aba9-7080-43dd-afa4-ef4dda2b1cbd] [tid=42] Completed 200 OK in 3ms (Views: 1.5ms)

Many thanks for your help; this is my first successful Kubernetes integration! :sunglasses: I would be really curious though to understand what changed in my configuration. The only thing I can think of is having edited the deployment as you suggested and deleting the old replicaset.

@jhunt,

Great to hear that it’s working now, and congratulations on getting your first Kubernetes integration running! And yeah, it’s a little troubling that we don’t know the exact thing that fixed it.

The Conjur server debug log looks healthy! What I look for in those debug logs when I’m looking for error conditions are the words Error or ERROR, and also any long blocks of tracebacks.

An error looks something like this:

[origin=127.0.0.1] [request_id=7fdfa096-9151-47cc-9881-36d9084946ba] [tid=43] Authentication Error: #<Errors::Authentication::Security::WebserviceNotFound: CONJ00005E Webservice 'my-authenticator-id' not found>

and a traceback looks like this (this is just a portion of one, the full traceback is a lot longer):

[origin=127.0.0.1] [request_id=7fdfa096-9151-47cc-9881-36d9084946ba] [tid=43] /opt/conjur-server/app/domain/authentication/authn_k8s/validate_pod_request.rb:36:in `validate_webservice_exists'
[origin=127.0.0.1] [request_id=7fdfa096-9151-47cc-9881-36d9084946ba] [tid=43] /opt/conjur-server/app/domain/authentication/authn_k8s/validate_pod_request.rb:27:in `call'
[origin=127.0.0.1] [request_id=7fdfa096-9151-47cc-9881-36d9084946ba] [tid=43] (eval):7:in `call'
[origin=127.0.0.1] [request_id=7fdfa096-9151-47cc-9881-36d9084946ba] [tid=43] /opt/conjur-server/app/domain/authentication/authn_k8s/inject_client_cert.rb:34:in `validate'
[origin=127.0.0.1] [request_id=7fdfa096-9151-47cc-9881-36d9084946ba] [tid=43] /opt/conjur-server/app/domain/authentication/authn_k8s/inject_client_cert.rb:24:in `call'
[origin=127.0.0.1] [request_id=7fdfa096-9151-47cc-9881-36d9084946ba] [tid=43] (eval):7:in `call'
[origin=127.0.0.1] [request_id=7fdfa096-9151-47cc-9881-36d9084946ba] [tid=43] /opt/conjur-server/app/controllers/authenticate_controller.rb:112:in `k8s_inject_client_cert'
[origin=127.0.0.1] [request_id=7fdfa096-9151-47cc-9881-36d9084946ba] [tid=43] /var/lib/gems/2.5.0/gems/actionpack-4.2.11/lib/abstract_controller/base.rb:198:in `process_action'
[origin=127.0.0.1] [request_id=7fdfa096-9151-47cc-9881-36d9084946ba] [tid=43] /var/lib/gems/2.5.0/gems/actionpack-4.2.11/lib/action_controller/metal/rendering.rb:10:in `process_action'
[origin=127.0.0.1] [request_id=7fdfa096-9151-47cc-9881-36d9084946ba] [tid=43] /var/lib/gems/2.5.0/gems/actionpack-4.2.11/lib/abstract_controller/callbacks.rb:20:in `block in process_action'

I don’t know why the new deployment worked… could it be that something in your original Helm release didn’t match the authentication identities that you specify in your policy (namespace, service-account, or authentication-container-name)?

For the new deployment, did you use helm delete ... and helm install ..., or just helm upgrade ...?
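A small triage script for logs in this format, added here as an example and not code from the Conjur project: it groups lines by request_id, flags the Error/ERROR lines mentioned above, and counts runs of Ruby backtrace frames so the request worth reading in full stands out. The sample lines are constructed from the healthy status request and the error and traceback quoted in this reply; the CONJ error-code pattern and the three-frame threshold are assumptions.

```python
import re
from collections import defaultdict

# Prefix of every request-scoped line in the Conjur server debug log quoted in this thread.
PREFIX_RE = re.compile(r"^\[origin=(?P<origin>[^\]]+)\] \[request_id=(?P<request_id>[^\]]+)\] "
                       r"\[tid=(?P<tid>\d+)\] (?P<msg>.*)$")
# One Ruby backtrace frame: "<path>:<line>:in `<method>'" (also matches "(eval):7:in `call'").
FRAME_RE = re.compile(r"^\S+:\d+:in `[^']*'$")
# The words the reply says to look for, plus the CONJxxxxxE error-code shape (assumed pattern).
ERROR_RE = re.compile(r"\bERROR\b|\bError\b|\bCONJ\d{5}E\b")

def parse_line(line):
    """Return the prefix fields of one line, or None for unprefixed SQL/timing lines."""
    m = PREFIX_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def triage(lines, min_frames=3):
    """Group lines by request_id; count error lines and traceback runs per request."""
    report = defaultdict(lambda: {"lines": 0, "errors": [], "tracebacks": 0})
    run = defaultdict(int)  # consecutive backtrace frames seen so far per request_id
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # advisory-lock / rotation SQL lines carry no request_id
        rid, msg = rec["request_id"], rec["msg"].strip()
        report[rid]["lines"] += 1
        if ERROR_RE.search(msg):
            report[rid]["errors"].append(msg)
        if FRAME_RE.match(msg):
            run[rid] += 1
            if run[rid] == min_frames:  # count a run once, when it becomes long enough
                report[rid]["tracebacks"] += 1
        else:
            run[rid] = 0
    return dict(report)

def suspicious_requests(report):
    """request_ids worth reading in full: any error line or any traceback run."""
    return sorted(rid for rid, e in report.items() if e["errors"] or e["tracebacks"])

# Constructed sample: a healthy status request and the failing authn-k8s request from the reply.
HEALTHY = "[origin=172.16.220.56] [request_id=e9f4c971-b47b-4b62-bebe-6a9acdad4558] [tid=39] "
FAILING = "[origin=127.0.0.1] [request_id=7fdfa096-9151-47cc-9881-36d9084946ba] [tid=43] "
SAMPLE_LOG = [
    HEALTHY + 'Started GET "/" for 172.16.220.56 at 2020-10-02 16:55:37 +0000',
    HEALTHY + "Processing by StatusController#index as HTML",
    '  Sequel::Postgres::Database (0.7ms)  SELECT pg_try_advisory_lock(767003715) AS "v" LIMIT 1',
    HEALTHY + "Completed 200 OK in 3ms (Views: 1.6ms)",
    FAILING + "Authentication Error: #<Errors::Authentication::Security::WebserviceNotFound: "
              "CONJ00005E Webservice 'my-authenticator-id' not found>",
    FAILING + "/opt/conjur-server/app/domain/authentication/authn_k8s/validate_pod_request.rb:36:in `validate_webservice_exists'",
    FAILING + "/opt/conjur-server/app/domain/authentication/authn_k8s/validate_pod_request.rb:27:in `call'",
    FAILING + "(eval):7:in `call'",
]
```

Running `suspicious_requests(triage(SAMPLE_LOG))` returns only the failing request_id; the unprefixed rotation SQL is skipped rather than misattributed to a request.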