Enable Authenticators

The following topic describes how to enable authenticators for application deployment.

Policy

Define and upload the following policies:

Initialize the CA

The Policy for the Kubernetes authenticator service declares variables to hold a CA certificate and key. After loading the policy, run the following commands to initialize those resources.

  • The value of AUTHENTICATOR_ID must match the AUTHENTICATOR_ID in the name of the Kubernetes Authenticator policy defined in the Policy for the Kubernetes authenticator service. For example, if the policy ID is "conjur/authn-k8s/subcluster-1", the value of AUTHENTICATOR_ID is "subcluster-1".

  • The value of CONJUR_ACCOUNT must match the Conjur account used in the Deploy Conjur

To initialize the CA, run the following script:

#!/bin/bash
set -e
AUTHENTICATOR_ID='<AUTHENTICATOR_ID>'
CONJUR_ACCOUNT='<CONJUR_ACCOUNT>'

# Generate the CA private key (2048-bit RSA). This key signs the
# certificates issued by the authn-k8s service, so treat it as a secret.
openssl genrsa -out ca.key 2048

# Minimal OpenSSL config: a self-signed CA certificate with CA:TRUE
CONFIG="
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
"

# Generate the root CA certificate, valid for 10 years.
# The procedure uses -sha1 for the signature; -sha256 is the current OpenSSL default.
openssl req -x509 -new -nodes -key ca.key -sha1 -days 3650 -set_serial 0x0 -out ca.cert \
  -subj "/CN=conjur.authn-k8s.$AUTHENTICATOR_ID/OU=Conjur Kubernetes CA/O=$CONJUR_ACCOUNT" \
  -config <(echo "$CONFIG")

# Verify the certificate (check the subject and the CA:TRUE constraint)
openssl x509 -in ca.cert -text -noout

# Load the key and certificate into the Conjur variables declared in policy
conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/ca/key "$(cat ca.key)"
conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/ca/cert "$(cat ca.cert)"

These commands create a private key and root certificate and store the contents of those files in the variables conjur/authn-k8s/<AUTHENTICATOR_ID>/ca/key and conjur/authn-k8s/<AUTHENTICATOR_ID>/ca/cert.

Login or auth calls to the webservice will fail if these resources are not properly defined in policy and initialized.

Configure Conjur authenticators

The deployment scripts for Conjur already performed this step using the value you set in the SERVICE_ID environment variable. You need to understand this step to add application clusters or authenticator types later.

The CONJUR_AUTHENTICATORS environment variable in the Conjur deployment YAML file defines the authentication types used to authenticate with the Conjur cluster.

This variable is set on followers.

To enable Kubernetes authentication, use:

CONJUR_AUTHENTICATORS=authn-k8s/<AUTHENTICATOR_ID>

where AUTHENTICATOR_ID is the id assigned to the authn-k8s webservice in Conjur policy. It is important that the AUTHENTICATOR_ID used here match the webservice id declared in the Kubernetes policy.

For example, in this snippet from the Conjur webservice policy, a policy branch named conjur declares the authn-k8s service with an authenticator id of prod/gke:

- !policy
  id: conjur/authn-k8s/prod/gke

The authentication value is:

CONJUR_AUTHENTICATORS=authn-k8s/prod/gke

One authn-k8s service can serve multiple application authenticator ids. Additional Conjur policy for hosts and applications controls which namespaces get access to Conjur and which applications get access to specific secrets. There should be a separate authn-k8s policy (and corresponding authenticator id) for each Kubernetes cluster.

CONJUR_AUTHENTICATORS can include more than one authenticator and more than one authentication type as a comma-separated list. For example, the following shows two authn-k8s services and another unrelated authenticator:

CONJUR_AUTHENTICATORS=authn-k8s/prod/gke,authn-k8s/dev/gke,authn-jwt/something

To disable an authenticator, remove it from the list. Note that removing an authn-k8s entry here does not remove the corresponding webservice policy or its CA variables; it only stops the follower from accepting that authenticator.
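The requirement above that each authn-k8s entry in CONJUR_AUTHENTICATORS matches a webservice id declared in policy is easy to get wrong when several clusters are added. The following shell functions are an added example, not part of the Conjur documentation or product: they compare the authn-k8s ids enabled in a CONJUR_AUTHENTICATORS value against the ids found in the "id:" lines of a policy file, assuming the policy ids follow the conjur/authn-k8s/<AUTHENTICATOR_ID> layout shown above.

```sh
#!/bin/sh
# Added example: cross-check CONJUR_AUTHENTICATORS against the authn-k8s
# webservice ids declared in policy. Assumes the page's naming layout
# "conjur/authn-k8s/<AUTHENTICATOR_ID>" for the policy ids.

# Print the AUTHENTICATOR_IDs enabled for authn-k8s, one per line.
# Entries of other types (e.g. authn-jwt/...) are ignored.
enabled_k8s_ids() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's#^authn-k8s/##p'
}

# Print the AUTHENTICATOR_IDs declared in policy "id:" lines, one per line.
policy_k8s_ids() {
  printf '%s\n' "$1" | sed -n 's#^[[:space:]]*id:[[:space:]]*conjur/authn-k8s/##p'
}

# Usage: check_authenticators "$CONJUR_AUTHENTICATORS" "$POLICY_TEXT"
# Returns 0 when the two sets of ids match; otherwise reports each
# mismatch on stderr and returns 1. Ids may contain slashes (prod/gke).
check_authenticators() {
  enabled=$(enabled_k8s_ids "$1" | sort -u)
  declared=$(policy_k8s_ids "$2" | sort -u)
  status=0
  for id in $enabled; do
    printf '%s\n' "$declared" | grep -qxF "$id" ||
      { echo "enabled in CONJUR_AUTHENTICATORS but no policy: $id" >&2; status=1; }
  done
  for id in $declared; do
    printf '%s\n' "$enabled" | grep -qxF "$id" ||
      { echo "declared in policy but not enabled: $id" >&2; status=1; }
  done
  return $status
}
```

Run it against the follower's environment value and the loaded policy file before adding a cluster; a non-zero exit means login or auth calls for the mismatched id will fail.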
