cyberark / conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities
https://conjur.org

Kubectl exec Websocket logs do not have tags #1840

Closed orenbm closed 3 years ago

orenbm commented 4 years ago

Summary

As part of the k8s authenticator flow, we open a websocket to the k8s API server to inject the client certificate. The Conjur server logs the output of the websocket (CONJ00010D - CONJ00013D), but these log messages do not have the log tags that the rest of the logs have. For example, here is the log output of an "inject_client_cert" request flow:

[origin=10.1.3.124] [request_id=07e98cd9-8181-4a2e-a57e-ca30b587b62c] [tid=35] Started POST "/authn-k8s/authn-dev-env/inject_client_cert" for 127.0.0.1 at 2020-09-23 15:23:39 +0000
[origin=10.1.3.124] [request_id=07e98cd9-8181-4a2e-a57e-ca30b587b62c] [tid=35] CONJ00028D Setting common name to host.conjur.authn-k8s.authn-dev-env.apps.local-secrets-provider.*.*
[origin=10.1.3.124] [request_id=07e98cd9-8181-4a2e-a57e-ca30b587b62c] [tid=35] CONJ00027D Host id cucumber:host:conjur/authn-k8s/authn-dev-env/apps/local-secrets-provider/*/* extracted from CSR common name
[origin=10.1.3.124] [request_id=07e98cd9-8181-4a2e-a57e-ca30b587b62c] [tid=35] CONJ00027D Host id cucumber:host:conjur/authn-k8s/authn-dev-env/apps/local-secrets-provider/*/* extracted from CSR common name
[origin=10.1.3.124] [request_id=07e98cd9-8181-4a2e-a57e-ca30b587b62c] [tid=35] CONJ00026D Validating host id cucumber:host:conjur/authn-k8s/authn-dev-env/apps/local-secrets-provider/*/*
[origin=10.1.3.124] [request_id=07e98cd9-8181-4a2e-a57e-ca30b587b62c] [tid=35] CONJ00024D Retrieved value of annotation kubernetes/authentication-container-name
[origin=10.1.3.124] [request_id=07e98cd9-8181-4a2e-a57e-ca30b587b62c] [tid=35] CONJ00027D Host id cucumber:host:conjur/authn-k8s/authn-dev-env/apps/local-secrets-provider/*/* extracted from CSR common name
[origin=10.1.3.124] [request_id=07e98cd9-8181-4a2e-a57e-ca30b587b62c] [tid=35] CONJ00015D Copying SSL certificate to cyberark-secrets-provider-for-k8s:/etc/conjur/ssl/client.pem in local-secrets-provider/test-env-6b7b4b57c6-f8xbg
CONJ00010D Pod 'test-env-6b7b4b57c6-f8xbg' : channel open
CONJ00012D Pod 'test-env-6b7b4b57c6-f8xbg', channel 'stdout':
CONJ00013D Pod: 'test-env-6b7b4b57c6-f8xbg', message: 'close', data: 'nil'
CONJ00011D Pod 'test-env-6b7b4b57c6-f8xbg' : channel closed
[origin=10.1.3.124] [request_id=07e98cd9-8181-4a2e-a57e-ca30b587b62c] [tid=35] CONJ00037D Copied SSL certificate successfully
[origin=10.1.3.124] [request_id=07e98cd9-8181-4a2e-a57e-ca30b587b62c] [tid=35] Completed 200 OK in 195ms

Steps to Reproduce

Steps to reproduce the behavior:

  1. Run the authn-client to perform an authn-k8s flow
  2. View the Conjur logs

Expected Results

The logs from the websocket (CONJ00010D - CONJ00013D) have log tags like the rest of the log messages.

Actual Results (including error logs, if applicable)

They don't.

Reproducible

Environment setup

Debug logs are enabled by setting CONJUR_LOG_LEVEL=debug.
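An added example (not part of the original issue and not Conjur's own code): a log check that lists lines missing the `[origin=…] [request_id=…] [tid=…]` prefix and shows why that matters for request correlation. The second request id, the pod name `example-pod` and the neighbour-based attribution heuristic are assumptions made for the illustration.

```ruby
# Matches the tag prefix carried by the tagged lines in the issue's log output.
TAG_PREFIX = /\A\[origin=[^\]]+\] \[request_id=(?<request_id>[^\]]+)\] \[tid=\d+\] /
CONJ_CODE  = /\A(?<code>CONJ\d{5}[A-Z])\b/

REQ_A = "[origin=10.1.3.124] [request_id=07e98cd9-8181-4a2e-a57e-ca30b587b62c] [tid=35]"
# Constructed second request, to show what happens when requests interleave.
REQ_B = "[origin=10.1.3.124] [request_id=00000000-0000-0000-0000-000000000000] [tid=36]"

# Constructed sample: lines 1-4 and 7 follow the issue's log, lines 5-6 are invented.
SAMPLE_LOG = <<~LOG
  #{REQ_A} CONJ00015D Copying SSL certificate to cyberark-secrets-provider-for-k8s:/etc/conjur/ssl/client.pem in local-secrets-provider/test-env-6b7b4b57c6-f8xbg
  CONJ00010D Pod 'test-env-6b7b4b57c6-f8xbg' : channel open
  CONJ00011D Pod 'test-env-6b7b4b57c6-f8xbg' : channel closed
  #{REQ_A} CONJ00037D Copied SSL certificate successfully
  #{REQ_B} Started POST "/authn-k8s/authn-dev-env/inject_client_cert" for 127.0.0.1 at 2020-09-23 15:23:39 +0000
  CONJ00010D Pod 'example-pod' : channel open
  #{REQ_A} Completed 200 OK in 195ms
LOG

# Returns one hash per non-empty line that lacks the tag prefix.
# :request_id is filled in only when the nearest tagged line before and the
# nearest tagged line after agree; otherwise the line cannot be attributed.
def untagged_lines(log)
  lines = log.lines.map(&:chomp)
  ids = lines.map { |l| (m = TAG_PREFIX.match(l)) && m[:request_id] }
  lines.each_index.reject { |i| ids[i] || lines[i].empty? }.map do |i|
    before = ids[0...i].compact.last
    after  = ids[(i + 1)..].compact.first
    {
      line: i + 1,                            # 1-based line number in the input
      code: lines[i][CONJ_CODE, "code"],      # e.g. "CONJ00010D", nil if absent
      request_id: (before if before == after) # nil when the neighbours disagree
    }
  end
end

untagged_lines(SAMPLE_LOG).each { |h| p h } if $PROGRAM_NAME == __FILE__
```

With a single request in flight the untagged websocket lines can be tied to their request by position, but once a second request interleaves (line 6) the attribution is lost.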

orenbm commented 3 years ago

Fixed by #1857