@infamousjoeg
Forked from micahlee/debugging_info.md
Created February 24, 2022 16:34
Conjur K8s Authenticator Debugging
  • Display role bindings for conjur-cluster service account token

    oc get clusterrolebindings -o json \
      | jq '.items | map(select(any(.subjects[]; .name | contains("conjur-cluster"))))'
    
  • Display conjur-authenticator role information

    oc describe clusterrole conjur-authenticator
    
  • Display configured K8s CA certificate

    conjur variable value conjur/authn-k8s/<AUTHENTICATOR_ID>/kubernetes/ca-cert
    
  • Verify service account token is what's expected

    This does not output the service account token itself; it displays only the MD5 sum of each token. The two sums should match.

    TOKEN_SECRET_NAME="$(kubectl get secrets -n <FOLLOWER_NAMESPACE> \
        | grep 'conjur.*service-account-token' \
        | head -n1 \
        | awk '{print $1}')"
    
    # Show MD5 sum for expected token
    oc get secret -n <FOLLOWER_NAMESPACE> "$TOKEN_SECRET_NAME" -o json \
        | jq -r .data.token \
        | base64 --decode \
        | md5sum
    
    # Show MD5 sum for stored token
    conjur variable value conjur/authn-k8s/<AUTHENTICATOR_ID>/kubernetes/service-account-token \
        | md5sum
    
  • Display configured API URL for authenticator

    echo "$(conjur variable value conjur/authn-k8s/<AUTHENTICATOR_ID>/kubernetes/api-url)"
    
  • Display generated CA certificate for authenticator

    conjur variable value conjur/authn-k8s/<AUTHENTICATOR_ID>/ca/cert
    
  • Retrieve metadata about generated CA key

    conjur show demo:variable:conjur/authn-k8s/<AUTHENTICATOR_ID>/ca/key
    
  • List configured authenticators

    curl -ks https://localhost/info | jq .authenticators
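
For the "Verify service account token is what's expected" step, an added example (not part of the original gist): a bare `| md5sum` comparison reports a match when both lookups fail, because both hash empty input, and a mismatch when only one side ends in a newline. `token_digest` and `tokens_match` are hypothetical helper names, and the sample tokens are constructed.

```shell
#!/bin/sh
# Added example (not from the original gist): digest-based token comparison
# that guards two failure modes of a bare `| md5sum` check.

# token_digest: read a token on stdin, print its MD5 digest, never the token.
# - Fails (exit 1) on empty input: two failed commands would otherwise both
#   hash to the empty-input digest and look like a match.
# - Command substitution strips trailing newlines, so a newline appended by a
#   CLI does not cause a false mismatch (assumption: tokens never end in one).
token_digest() (
    token="$(cat)"
    [ -n "$token" ] || { echo "token_digest: empty input" >&2; exit 1; }
    printf '%s' "$token" | md5sum | awk '{print $1}'
)

# tokens_match <expected_digest> <stored_digest>: 0 on match, 1 otherwise.
# An empty digest (failed lookup) never counts as a match.
tokens_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Constructed sample values standing in for the two command outputs.
# In real use, pipe the oc | jq | base64 --decode pipeline and the
# `conjur variable value ...` command from the step above into token_digest.
expected="$(printf 'constructed.sample.token' | token_digest)"
stored="$(printf 'constructed.sample.token\n' | token_digest)"
failed="$(printf '' | token_digest 2>/dev/null)" || true   # simulated failed lookup

if tokens_match "$expected" "$stored"; then
    echo "tokens match"
else
    echo "tokens differ"
fi

if tokens_match "$failed" "$failed"; then
    echo "unexpected: empty sources treated as a match"
else
    echo "empty source rejected"
fi
```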
    