Closed izgeri closed 5 years ago
@ismarc please provide @sgnn7 with the following info (there are definitions in the docs here):
@sgnn7 I created a new namespace for you, `srdjan-secretless-rotation`, but you will still need to:
- load policy to the `conjur/authn-k8s/AUTHENTICATOR_NAME/apps` branch to add your service account host ID to the right layer in policy:

```yaml
- !host
  id: srdjan-secretless-rotation/service_account/secretless-rotation
  annotations:
    kubernetes/authentication-container-name: secretless
    openshift: "true"

# grant membership to the conjur/authn-k8s/AUTHENTICATOR_NAME/apps layer
- !grant
  role: !layer
  member: !host srdjan-secretless-rotation/service_account/secretless-rotation
```

- load policy to `root` to grant your hosts access to the secrets:

```yaml
- !grant
  role: !group DAP_SECRET_LAYER
  member: !host conjur/authn-k8s/AUTHENTICATOR_NAME/apps/srdjan-secretless-rotation/service_account/secretless-rotation
```
```yaml
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-app-conjur-authenticator-role-binding-FOLLOWER_NAMESPACE
  namespace: srdjan-secretless-rotation
subjects:
  - kind: ServiceAccount
    name: conjur-cluster
    namespace: FOLLOWER_NAMESPACE
roleRef:
  kind: ClusterRole
  name: conjur-authenticator-FOLLOWER_NAMESPACE
  apiGroup: rbac.authorization.k8s.io
```
MySQL DB info:
- hostname: `conjur/xa-secretless-dual-db/mysql/hostname`
- port: `conjur/xa-secretless-dual-db/mysql/port`
- database: `conjur/xa-secretless-dual-db/mysql/database`
- admin username: `ConjurSync/Dual/Secretless_Dual/Database-MySQL-xa-secretless-dual.cupksrq0shff.us-east-1.rds.amazonaws.com-myadmin/username`
- admin password: `ConjurSync/Dual/Secretless_Dual/Database-MySQL-xa-secretless-dual.cupksrq0shff.us-east-1.rds.amazonaws.com-myadmin/password`
- rotated username: `ConjurSync/Dual/Secretless_Dual/myadmin_rotate/username`
- rotated password: `ConjurSync/Dual/Secretless_Dual/myadmin_rotate/password`

- DAP_SECRET_LAYER: `conjur/xa-secretless-dual-db`
- DAP_FOLLOWER_NAMESPACE: `xa-secretless-dual`
- DAP_FOLLOWER_URL: `https://conjur-follower.xa-secretless-dual.svc.cluster.local`
conjur.pem:
Cluster info:
- ID of K8s authenticator: `openshift/xa-secretless-dual`
- Conjur account: `xa`
- UI: https://xa-secretless-dual.qa.conjur.net
- Master LB: xa-secretless-dual.qa.conjur.net
- Follower LB: xa-secretless-dual-follower.qa.conjur.net
- Master: 3.83.192.181
- Sync standby: 3.85.245.246
- Async standby: 3.215.183.151
- Follower: 18.207.241.184
https://<cluster>/console/project/srdjan-secretless-rotation/browse/pods/juxtaposer-mysql-84c9f49958-kfhcq?tab=logs
https://<cluster>/console/project/srdjan-secretless-rotation/browse/pods/juxtaposer-mysql2-7f4cc89fb4-58s55?tab=logs
AC: