What's inside?
The Conjur Kubernetes authenticator client is designed to have a light footprint in both storage and memory consumption. It has very few components:
- a static binary for the authenticator
- the sleep binary from busybox for debugging
- the tar binary from busybox, required by the authentication service
The client is configured entirely through environment variables. These are listed below.
- MY_POD_NAME: Pod name (see the Kubernetes downward API)
- MY_POD_NAMESPACE: Pod namespace (see the Kubernetes downward API)
- CONTAINER_MODE: Set this to init to run as an init container that exits after performing authentication. Any other value (including blank) causes the container to run as a sidecar.
- CONJUR_VERSION: Conjur version ('4' or '5'; defaults to '5'). Must be a string value in the manifest, because YAML parsing does not handle integer values well.
- CONJUR_ACCOUNT: Conjur account name
- CONJUR_AUTHN_URL: URL of the authenticator service endpoint
- CONJUR_AUTHN_LOGIN: Host login for the pod, e.g.
- CONJUR_SSL_CERTIFICATE: Public SSL certificate for the Conjur connection
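As an added example (not part of the project's own documentation), a Pod manifest wiring these variables for init-container mode, with the pod name and namespace supplied by the downward API and the token handed to the application through a memory-backed volume; the image names, Conjur URL, account, host login, Secret name and mount path are placeholders.

```yaml
# Added example, not the project's own manifest. Placeholders: image names,
# Conjur URL, account, host login, Secret name and the /run/conjur mount path.
apiVersion: v1
kind: Pod
metadata:
  name: example-app
spec:
  initContainers:
  - name: authenticator
    image: AUTHENTICATOR_IMAGE_PLACEHOLDER
    env:
    - name: MY_POD_NAME            # downward API: the pod's own name
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: MY_POD_NAMESPACE       # downward API: the pod's own namespace
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: CONTAINER_MODE
      value: init                  # exit once the token has been written
    - name: CONJUR_VERSION
      value: "5"                   # quoted so YAML does not parse an integer
    - name: CONJUR_ACCOUNT
      value: example-account
    - name: CONJUR_AUTHN_URL
      value: https://conjur.example.com/AUTHN_ENDPOINT_PLACEHOLDER
    - name: CONJUR_AUTHN_LOGIN
      value: HOST_LOGIN_PLACEHOLDER
    - name: CONJUR_SSL_CERTIFICATE # public cert, read from a Secret
      valueFrom:
        secretKeyRef:
          name: conjur-ssl-cert
          key: ssl-certificate
    volumeMounts:
    - name: conjur-access-token
      mountPath: /run/conjur       # assumed path of the shared token volume
  containers:
  - name: app
    image: APP_IMAGE_PLACEHOLDER
    volumeMounts:
    - name: conjur-access-token
      mountPath: /run/conjur       # app reads the decrypted token from here
      readOnly: true
  volumes:
  - name: conjur-access-token
    emptyDir:
      medium: Memory               # tmpfs: the token never touches node disk
```

For sidecar mode, move the authenticator under containers and set CONTAINER_MODE to any other value so it keeps running and re-authenticating.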
The client's process logs its flow to
- Exponential backoff is applied when an error occurs
- The client re-logs in when its certificate has expired
- Login: the client presents a certificate signing request (CSR) -> the server (authn-k8s running inside the appliance) injects the signed client certificate out of band into the requesting pod
- The client picks up the signed client certificate, deletes it from disk and uses it to authenticate via mutual TLS -> the server responds with an auth token (retrieved via authn-local) encrypted with the client's public key
- The client decrypts the auth token and writes it to the shared memory volume (
- The client then repeats authentication periodically