Setting CONJUR_AUTHENTICATORS in docker-compose.yml

Hi,

This is like a very obvious quick fix for someone. I cannot set the authenticators following the guide here.

I’m spinning up using the docker-compose method, which works fine, except whatever I set for CONJUR_AUTHENTICATORS seems to be completely ignored. I can set it to anything, including random strings, but the log in the container never changes.

Here’s a snippet:

conjur:
  image: cyberark/conjur:latest
  command: server -a cucumber
  environment:
    PORT: 3000
    DATABASE_URL: postgres://postgres@postgres/postgres
    CONJUR_DATA_KEY: "W0BuL8iTr/7QvtjIluJbrb5LDAnmXzmcpxkqihO3dXA="
    CONJUR_AUTHENTICATORS: authn-k8s,authn

Is this the incorrect method? Would I do the same in a Helm deployment into Kubernetes?

Thanks in advance,
Lee

Hey Lee,

You’re following our CyberArk DAP documentation for enterprise. If you’re using Conjur, our OSS, you’ll want to use those docs.

Here’s a direct link on how to handle CONJUR_AUTHENTICATORS for Conjur: https://docs.conjur.org/Latest/en/Content/Integrations/Kubernetes_deployApplicationCluster.htm

Currently, you are listing authn-k8s without a service ID. Add that on and you should be golden.

2 Likes

Hey @leighcee,
I believe you are using the variables correctly but the authn-k8s authenticator needs an ID appended to it like this:

environment:
  DATABASE_URL: postgres://postgres@postgres/postgres
  CONJUR_DATA_KEY: "W0BuL8iTr/7QvtjIluJbrb5LDAnmXzmcpxkqihO3dXA="
  CONJUR_AUTHENTICATORS: "authn,authn-k8s/my_authenticator_id"

Let me know if that doesn’t work,
Srdjan

2 Likes

You’ll also want to re-generate a new CONJUR_DATA_KEY value, as well.

Thanks Joe.

Sorry, I’d pasted the wrong link! I’d actually followed the OSS docs and tried with a service ID and it didn’t work. I’ll try again.

To be honest, I’m close to giving up as things just don’t happen like the docs. For example, I cannot find out how to verify the k8s authenticator is up and running - Setting up a status webservice hasn’t worked for me.

Thanks,
Lee

Thanks again Srdjan, really appreciated.

I’d actually tried with an ID with no joy. The subsequent webservice instructions look simple, and I am sure I’ve followed them correctly, but looks like the authenticator is not working:

curl -H "$(conjur authn authenticate -H)" --cacert /home/lee/conjur-default.pem https://conjur.myorg.com/authn-k8s/myid/default/status
Errors::Authentication::StatusNotImplemented: CONJ00056E Status check not implemented for authenticator

The docs mention a plugin a few times but I’m not sure if this needs to be separately installed. The conjur client also has a “plugin list” command but this returns nothing.

Please let me know what info I can add here - I’m stuck :(

Kind regards,
Lee

Hi @sgnn7 and @joe.garcia,

Turns out I can’t read… I spent two days trying to set up a webservice to view the status of my k8s authenticator, but have just noticed here that:

Supports: OIDC Authenticator; Azure Authenticator

So looks like I have been wasting my time! I’ll go through the rest of the guide and try and get end-to-end k8s authentication working using the sidecar method. I suspect I might have to get in touch again, so thanks in advance.

Thanks again,
Lee

Hey @leighcee,
Oh I see what you’re talking about. Yeah, I believe that authn-k8s is supported in Conjur OSS but the status page isn’t.

With that said, in the enterprise AAM/DAP product built on Conjur OSS, there is a health page (though our docs seem out of date there) for status of all authenticators (e.g. installed/configured/enabled) but Conjur OSS does not have that OOTB right now. There is some work being done on that per-authenticator but I’m not aware of its current progress since I don’t work in that area of code.

1 Like
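
Added example (not written by anyone in this thread, and not Conjur project code): a shell function that lints a CONJUR_AUTHENTICATORS value before it goes into docker-compose.yml. It flags entries that lack the service ID discussed above and notes which entries have a status endpoint. The two type lists and the service ID `okta` used in the test are assumptions for illustration; the status list follows the "Supports: OIDC Authenticator; Azure Authenticator" line quoted above.

```shell
#!/bin/sh
# Added example (not Conjur project code): lint a CONJUR_AUTHENTICATORS value.
# Assumed type lists; adjust them to the Conjur version you run.
NEEDS_ID="authn-k8s authn-oidc authn-azure"  # enabled as <type>/<service-id>
HAS_STATUS="authn-oidc authn-azure"          # per the docs line quoted in the thread

in_list() { case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }

# Prints "<entry> <verdict> <detail>" per entry; returns 1 if any entry is invalid.
lint_authenticators() {
    rc=0
    old_ifs=$IFS; IFS=','; set -f      # split on commas, no globbing
    set -- $1
    IFS=$old_ifs; set +f
    for entry in "$@"; do
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        kind=${entry%%/*}                    # text before the first "/"
        id=${entry#"$kind"}; id=${id#/}      # text after it, if any
        if [ -z "$entry" ]; then
            echo "(empty) ERROR empty list entry"; rc=1
        elif [ "$entry" = authn ]; then
            echo "authn OK default authenticator, takes no service ID"
        elif in_list "$kind" "$NEEDS_ID"; then
            if [ -z "$id" ]; then
                echo "$entry ERROR missing service ID, expected $kind/<service-id>"; rc=1
            elif in_list "$kind" "$HAS_STATUS"; then
                echo "$entry OK status endpoint available"
            else
                echo "$entry OK no status endpoint (expect CONJ00056E)"
            fi
        else
            echo "$entry UNCHECKED type not in this example's lists"
        fi
    done
    return $rc
}

# Constructed inputs: the value from the question, then the corrected one.
lint_authenticators "authn-k8s,authn" || echo "-> fix the value before starting the container"
lint_authenticators "authn,authn-k8s/my_authenticator_id"
```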
