cyberark / secrets-provider-for-k8s

Cyberark secrets provider for k8s
Apache License 2.0
26 stars 11 forks

Support for complex secrets #77

Closed saprette closed 4 years ago

saprette commented 4 years ago

Hello,

cyberark/secrets-provider-for-k8s seems to have issues understanding complex secrets such as ssh keys or json documents.

Some details on the environment I'm using:

Set up the required policies to be able to use the authenticator kubernetes-authenticator-client in the namespace argocd.

A variable someenv/hf333ocp/artifactory-pull-secret/dockerconfigjson is set ->

root@conjur-configure-pwz4hziqh9-jbwnp:/# conjur variable values add 'someenv/hf333ocp/artifactory-pull-secret/dockerconfigjson' 'some_simple_secret_value'
Value added
root@conjur-configure-pwz4hziqh9-jbwnp:/# conjur variable value someenv/hf333ocp/artifactory-pull-secret/dockerconfigjson
some_simple_secret_value

Using this test secret as the starting state of the secret, and this simple job:

---
kind: Secret
apiVersion: v1
metadata:
  name: test-credentials
type: Opaque
stringData:
  conjur-map: |-
    .dockerconfigjson: |-
      someenv/hf333ocp/artifactory-pull-secret/dockerconfigjson
---
apiVersion: batch/v1
kind: Job
metadata:
  name: conjur-test-provider-1
spec:
  activeDeadlineSeconds: 6000
  template:
    spec:
      serviceAccountName: kubernetes-authenticator-client
      containers:
        - image: 'cyberark/secrets-provider-for-k8s'
          imagePullPolicy: IfNotPresent
          name: kubernetes-authenticator-client
          env:
            - name: DEBUG
              value: 'true'
            - name: CONTAINER_MODE
              value: init
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: MY_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: MY_POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: CONJUR_VERSION
              value: '5'
            - name: CONJUR_APPLIANCE_URL
              value: "someOCPRoute"
            - name: CONJUR_AUTHN_URL
              value: "https://cs-conjur-1-conjur-oss.conjur.svc.cluster.local/authn-k8s/kubernetes_authenticator"
            - name: CONJUR_ACCOUNT
              value: 'default'
            - name: CONJUR_AUTHN_LOGIN
              value: "host/conjur/authn-k8s/kubernetes_authenticator/apps/argocd/*/*"
            - name: CONJUR_SSL_CERTIFICATE
              valueFrom:
                secretKeyRef:
                  name: conjur-cert
                  key: tls.crt
            - name: K8S_SECRETS
              value: test-credentials
            - name: SECRETS_DESTINATION
              value: k8s_secrets
      restartPolicy: Never
---

In that case, a simple password works and the K8s secret is correctly updated with the secret value from Conjur:

DEBUG: 2020/03/27 12:55:36 main.go:121: CSPFK001D Debug mode is enabled
INFO: 2020/03/27 12:55:36 main.go:65: CSPFK001I Authenticating as user '&{host/conjur/authn-k8s/kubernetes_authenticator/apps/argocd/*/* host.conjur.authn-k8s.kubernetes_authenticator.apps argocd.*.*}'
INFO: 2020/03/27 12:55:36 authenticator.go:181: CAKC005I Trying to login Conjur...
INFO: 2020/03/27 12:55:36 authenticator.go:113: CAKC007I Logging in as user &{host/conjur/authn-k8s/kubernetes_authenticator/apps/argocd/*/* host.conjur.authn-k8s.kubernetes_authenticator.apps argocd.*.*}.
INFO: 2020/03/27 12:55:36 requests.go:23: CAKC011I Login request to: https://cs-conjur-1-conjur-oss.conjur.svc.cluster.local/authn-k8s/kubernetes_authenticator/inject_client_cert
INFO: 2020/03/27 12:55:36 authenticator.go:187: CAKC002I Logged in
INFO: 2020/03/27 12:55:36 authenticator.go:170: CAKC008I Cert expires: 2020-03-30 12:55:36 +0000 UTC
INFO: 2020/03/27 12:55:36 authenticator.go:171: CAKC009I Current date: 2020-03-27 12:55:36.874151925 +0000 UTC
INFO: 2020/03/27 12:55:36 authenticator.go:172: CAKC010I Buffer time:  30s
INFO: 2020/03/27 12:55:36 requests.go:47: CAKC012I Authn request to: https://cs-conjur-1-conjur-oss.conjur.svc.cluster.local/authn-k8s/kubernetes_authenticator/default/host%2Fconjur%2Fauthn-k8s%2Fkubernetes_authenticator%2Fapps%2Fargocd%2F%2A%2F%2A/authenticate
INFO: 2020/03/27 12:55:36 authenticator.go:250: CAKC001I Successfully authenticated
INFO: 2020/03/27 12:55:36 k8s_secrets_client.go:53: CSPFK004I Creating Kubernetes client...
INFO: 2020/03/27 12:55:36 k8s_secrets_client.go:22: CSPFK005I Retrieving Kubernetes secret 'test-credentials' from namespace 'argocd'...
DEBUG: 2020/03/27 12:55:36 provide_conjur_secrets.go:120: CSPFK009D Processing 'conjur-map' data entry value of k8s secret 'test-credentials'
INFO: 2020/03/27 12:55:36 conjur_secrets_retriever.go:11: CSPFK003I Retrieving following secrets from Conjur: [someenv/hf333ocp/artifactory-pull-secret/dockerconfigjson]
INFO: 2020/03/27 12:55:36 conjur_client.go:21: CSPFK002I Creating Conjur client...
INFO: 2020/03/27 12:55:36 k8s_secrets_client.go:53: CSPFK004I Creating Kubernetes client...
INFO: 2020/03/27 12:55:36 k8s_secrets_client.go:40: CSPFK006I Patching Kubernetes secret 'test-credentials' in namespace 'argocd'
kind: Secret
apiVersion: v1
metadata:
  name: test-credentials
  namespace: argocd
  selfLink: /api/v1/namespaces/argocd/secrets/test-credentials
  uid: 0dfb8da0-c58c-4105-891b-c3e79d02b0b2
  resourceVersion: '50487994'
  creationTimestamp: '2020-03-27T06:56:23Z'
data:
  .dockerconfigjson: c29tZV9zaW1wbGVfc2VjcmV0X3ZhbHVl
  conjur-map: >-
    LmRvY2tlcmNvbmZpZ2pzb246IHwtCiAgc29tZWVudi9oZjMzM29jcC9hcnRpZmFjdG9yeS1wdWxsLXNlY3JldC9kb2NrZXJjb25maWdqc29u
type: Opaque

However, if I set the secret value with a more complex json document ->

root@conjur-configure-936gnaui13-zwdt2:/# conjur variable value someenv/hf333ocp/artifactory-pull-secret/dockerconfigjson
{"auths":{"someurl":{"auth":"sometoken="}}}

In that case, cyberark/secrets-provider-for-k8s fails with the following parsing error. Note that the same kind of parsing error occurs for an ssh key (but this time complaining about a \r character).

DEBUG: 2020/03/27 13:11:08 main.go:121: CSPFK001D Debug mode is enabled
INFO: 2020/03/27 13:11:08 main.go:65: CSPFK001I Authenticating as user '&{host/conjur/authn-k8s/kubernetes_authenticator/apps/argocd/*/* host.conjur.authn-k8s.kubernetes_authenticator.apps argocd.*.*}'
INFO: 2020/03/27 13:11:08 authenticator.go:181: CAKC005I Trying to login Conjur...
INFO: 2020/03/27 13:11:08 authenticator.go:113: CAKC007I Logging in as user &{host/conjur/authn-k8s/kubernetes_authenticator/apps/argocd/*/* host.conjur.authn-k8s.kubernetes_authenticator.apps argocd.*.*}.
INFO: 2020/03/27 13:11:08 requests.go:23: CAKC011I Login request to: https://cs-conjur-1-conjur-oss.conjur.svc.cluster.local/authn-k8s/kubernetes_authenticator/inject_client_cert
INFO: 2020/03/27 13:11:08 authenticator.go:187: CAKC002I Logged in
INFO: 2020/03/27 13:11:08 authenticator.go:170: CAKC008I Cert expires: 2020-03-30 13:11:08 +0000 UTC
INFO: 2020/03/27 13:11:08 authenticator.go:171: CAKC009I Current date: 2020-03-27 13:11:08.233864142 +0000 UTC
INFO: 2020/03/27 13:11:08 authenticator.go:172: CAKC010I Buffer time:  30s
INFO: 2020/03/27 13:11:08 requests.go:47: CAKC012I Authn request to: https://cs-conjur-1-conjur-oss.conjur.svc.cluster.local/authn-k8s/kubernetes_authenticator/default/host%2Fconjur%2Fauthn-k8s%2Fkubernetes_authenticator%2Fapps%2Fargocd%2F%2A%2F%2A/authenticate
INFO: 2020/03/27 13:11:08 authenticator.go:250: CAKC001I Successfully authenticated
INFO: 2020/03/27 13:11:08 k8s_secrets_client.go:53: CSPFK004I Creating Kubernetes client...
INFO: 2020/03/27 13:11:08 k8s_secrets_client.go:22: CSPFK005I Retrieving Kubernetes secret 'test-credentials' from namespace 'argocd'...
DEBUG: 2020/03/27 13:11:08 provide_conjur_secrets.go:120: CSPFK009D Processing 'conjur-map' data entry value of k8s secret 'test-credentials'
INFO: 2020/03/27 13:11:08 conjur_secrets_retriever.go:11: CSPFK003I Retrieving following secrets from Conjur: [someenv/hf333ocp/artifactory-pull-secret/dockerconfigjson]
INFO: 2020/03/27 13:11:08 conjur_client.go:21: CSPFK002I Creating Conjur client...
INFO: 2020/03/27 13:11:08 k8s_secrets_client.go:53: CSPFK004I Creating Kubernetes client...
INFO: 2020/03/27 13:11:08 k8s_secrets_client.go:40: CSPFK006I Patching Kubernetes secret 'test-credentials' in namespace 'argocd'
DEBUG: 2020/03/27 13:11:08 provide_conjur_secrets.go:155: CSPFK005D Failed to patch k8s secret. Reason: invalid character 'a' after object key:value pair
ERROR: 2020/03/27 13:11:08 provide_conjur_secrets.go:156: CSPFK022E Failed to patch k8s secret
ERROR: 2020/03/27 13:11:08 provide_conjur_secrets.go:82: CSPFK023E Failed to patch K8s secrets
ERROR: 2020/03/27 13:11:08 main.go:78: CSPFK016E Failed to provide Conjur secrets

Describe the solution you would like

cyberark/secrets-provider-for-k8s should support retrieving secrets as complex as it is possible to add in Conjur.

Describe alternatives you have considered

Encoding the json document or ssh key in base64 prior to storing it in Conjur removes the issue; however, it removes the main added value of cyberark/secrets-provider-for-k8s, as in that case the workload using the secret must process it to make it a standard ssh key or document, which is not always possible when you don't own the binaries of that workload (what I see as the main use case of cyberark/secrets-provider-for-k8s).
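The error in the log above (`invalid character 'a' after object key:value pair`) is what Go's JSON parser reports when a patch body is assembled by string formatting and a value that itself contains quotes is dropped in unescaped. The following Go program is an added example written for this thread; it is not the project's code and not from any participant. It assumes (hypothetically, inferred only from the error text) that the provider builds a `{"stringData":{...}}` strategic-merge patch with `fmt.Sprintf`, and reconstructs that failure mode next to the fix of letting `encoding/json` build the body. The function names (`naiveStringDataPatch`, `marshalledStringDataPatch`, `roundTrip`, `isValidJSON`) and the `secretPatch` type are invented for the example; the `.dockerconfigjson` value is the one shown in the issue, while the ssh-key and password values are constructed stand-ins.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample values: the JSON document from the issue, a stand-in
// key with CRLF line endings (the "\r" case the reporter mentions), and a
// plain password that never triggered the bug.
var sampleSecrets = map[string]string{
	".dockerconfigjson": `{"auths":{"someurl":{"auth":"sometoken="}}}`,
	"ssh-key":           "-----BEGIN KEY-----\r\nAAAA\r\n-----END KEY-----",
	"password":          "some_simple_secret_value",
}

// naiveStringDataPatch is a hypothetical reconstruction of the failure mode:
// the patch body is assembled with fmt.Sprintf, so quotes, backslashes and
// control characters inside a value land unescaped in the JSON text.
func naiveStringDataPatch(entries map[string]string) []byte {
	parts := make([]string, 0, len(entries))
	for k, v := range entries {
		parts = append(parts, fmt.Sprintf(`"%s":"%s"`, k, v))
	}
	return []byte(fmt.Sprintf(`{"stringData":{%s}}`, strings.Join(parts, ",")))
}

// secretPatch mirrors the subset of a Secret object that a stringData
// strategic-merge patch needs; encoding/json does the escaping for us.
type secretPatch struct {
	StringData map[string]string `json:"stringData"`
}

// marshalledStringDataPatch builds the same patch through json.Marshal, which
// escapes embedded quotes and encodes \r and \n as JSON escape sequences.
func marshalledStringDataPatch(entries map[string]string) ([]byte, error) {
	return json.Marshal(secretPatch{StringData: entries})
}

// roundTrip decodes a patch body and returns the stringData map it carries,
// so a check can confirm the value survives byte-for-byte.
func roundTrip(patch []byte) (map[string]string, error) {
	var p secretPatch
	if err := json.Unmarshal(patch, &p); err != nil {
		return nil, err
	}
	return p.StringData, nil
}

// isValidJSON reports whether the body would be accepted by a JSON decoder,
// which is the same check the Kubernetes API client runs on a patch.
func isValidJSON(body []byte) bool {
	return json.Valid(body)
}

func main() {
	for name, value := range sampleSecrets {
		one := map[string]string{name: value}
		naive := naiveStringDataPatch(one)
		safe, _ := marshalledStringDataPatch(one)
		fmt.Printf("%-18s naive body valid: %-5v marshalled body valid: %v\n",
			name, isValidJSON(naive), isValidJSON(safe))
	}
}
```

Running it shows that only the plain password survives the string-formatted body, while the JSON document and the CRLF key are rejected exactly as in the log, and that all three are valid and decode back to the original value once the body is produced by `json.Marshal`. The same applies whichever way the patch is written: if a provider patches `data` instead of `stringData`, base64 keeps the value inside the safe alphabet, but that pushes decoding onto the workload, which is the trade-off the issue argues against.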

sgnn7 commented 4 years ago

@saprette Thank you for filing this issue and with enough detail to make it very easy to reproduce! This repo is maintained by developers that live in IL and it is currently their weekend (they work Sun-Thr) so it may be a few days until you get a response. It looks like the input might just need json encoding before the patching over K8s API is done but I'm not familiar enough with the codebase to speculate much. Let me know if you don't hear anything from the repo devs by mid-next week.

CC: @orenbm

sigalsax commented 4 years ago

Hi @saprette, looking into this issue now. Thanks for logging it - the detail logged will certainly help us reproduce. Will respond back once I have an answer for you!

saprette commented 4 years ago

Hello, this fix works for me: https://github.com/cyberark/secrets-provider-for-k8s/pull/78. I'll use my custom build for now as it works for my use cases; let me know what you plan to do, as I'll need a fix from you before I go to production.