- Display role bindings for conjur-cluster service account token

  ```shell
  # `.subjects[]?` tolerates bindings that have no subjects at all
  oc get clusterrolebindings -o json \
    | jq '.items | map(select(any(.subjects[]?; .name | contains("conjur-cluster"))))'
  ```

- Display conjur-authenticator role information

  ```shell
  oc describe clusterrole conjur-authenticator
  ```

- Display configured K8s CA certificate

  ```shell
  conjur variable value conjur/authn-k8s/<AUTHENTICATOR_ID>/kubernetes/ca-cert
  ```

- Verify service account token is what's expected

  This does not output the service account token itself, but does display the MD5 sum of the token so the two copies can be compared.

  ```shell
  TOKEN_SECRET_NAME="$(kubectl get secrets -n <FOLLOWER_NAMESPACE> \
    | grep 'conjur.*service-account-token' \
    | head -n1 \
    | awk '{print $1}')"

  # Show MD5 sum for expected token (the secret in the Follower namespace)
  oc get secret -n <FOLLOWER_NAMESPACE> "$TOKEN_SECRET_NAME" -o json \
    | jq -r .data.token \
    | base64 --decode \
    | md5sum

  # Show MD5 sum for stored token (the value Conjur holds); the two sums should match
  conjur variable value conjur/authn-k8s/<AUTHENTICATOR_ID>/kubernetes/service-account-token \
    | md5sum
  ```

- Display configured API URL for authenticator

  ```shell
  echo "$(conjur variable value conjur/authn-k8s/<AUTHENTICATOR_ID>/kubernetes/api-url)"
  ```

- Display generated CA certificate for authenticator

  ```shell
  conjur variable value conjur/authn-k8s/<AUTHENTICATOR_ID>/ca/cert
  ```

- Retrieve metadata about generated CA key:

  ```shell
  # "demo" is the Conjur account name in the resource ID
  conjur show demo:variable:conjur/authn-k8s/<AUTHENTICATOR_ID>/ca/key
  ```

- List configured authenticators:

  ```shell
  # Run on the Conjur host itself
  curl -ks https://localhost/info | jq .authenticators
  ```
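As an added example (not part of the gist), the token check from the "Verify service account token" step done offline in Python: it compares the digest of the token in the Follower-namespace secret with the value Conjur stores, and also reads the token's `sub` claim to confirm it was minted for the expected service account. The namespace `conjur-follower`, the sample JWT and the secret JSON below are constructed for the example.

```python
import base64
import hashlib
import json

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def token_from_secret(secret_json: str) -> str:
    """Pull the token out of `oc get secret ... -o json` output (.data.token is base64)."""
    return base64.b64decode(json.loads(secret_json)["data"]["token"]).decode()

def token_digest(token: str) -> str:
    """MD5 of the token text: the same value `... | md5sum` prints in the gist."""
    return hashlib.md5(token.encode()).hexdigest()

def token_subject(token: str) -> tuple[str, str]:
    """Return (namespace, service account) from the token's `sub` claim.
    The signature is not verified: this only reads claims to see which
    service account a token was minted for; it is not an authentication check."""
    payload = json.loads(b64url_decode(token.split(".")[1]))
    prefix, namespace, name = payload["sub"].rsplit(":", 2)
    if prefix != "system:serviceaccount":
        raise ValueError(f"not a service-account token: sub={payload['sub']!r}")
    return namespace, name

def check_stored_token(secret_json: str, stored_token: str,
                       expected_namespace: str, expected_sa: str) -> list[str]:
    """Compare the token Conjur stores with the secret in the Follower namespace; return findings."""
    problems = []
    if token_digest(token_from_secret(secret_json)) != token_digest(stored_token):
        problems.append("stored token digest differs from the secret in the Follower namespace")
    namespace, name = token_subject(stored_token)
    if (namespace, name) != (expected_namespace, expected_sa):
        problems.append(f"stored token is for {namespace}/{name}, expected {expected_namespace}/{expected_sa}")
    return problems

def make_sample_token(namespace: str, sa: str) -> str:
    """Constructed, unsigned stand-in for a Kubernetes service-account JWT (sample data only)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = {"iss": "kubernetes/serviceaccount", "sub": f"system:serviceaccount:{namespace}:{sa}"}
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.{b64url_encode(b'not-a-real-signature')}"

# Constructed sample input; the namespace "conjur-follower" is an assumption, not taken from the gist.
SAMPLE_TOKEN = make_sample_token("conjur-follower", "conjur-cluster")
SAMPLE_SECRET_JSON = json.dumps({"kind": "Secret", "data": {"token": base64.b64encode(SAMPLE_TOKEN.encode()).decode()}})
STALE_TOKEN = make_sample_token("default", "default")  # a token for the wrong SA, as a stale Conjur value would be
```

`check_stored_token(SAMPLE_SECRET_JSON, SAMPLE_TOKEN, "conjur-follower", "conjur-cluster")` returns an empty list, while passing `STALE_TOKEN` reports both a digest mismatch and the wrong subject.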
Created
September 6, 2019 15:17
Conjur K8s Authenticator Debugging
Client authentication failure. Error in master/leader log was:
The client log showed it was receiving the certificate (login succeeded), but then failing when trying to use the cert for authentication.
Clearly the cert was not reaching the Follower. Turns out the load balancer was terminating TLS and stripping the cert out of the header before sending to the Follower. Configuring the LB for pass-through allowed authentication to succeed.