Merge pull request #6 from Conjur-Enterprise/export_api_key

CNJR-0000: Automatically generate an authentication token

Author: szh

CHANGELOG.md

@@ -6,7 +6,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## Unreleased
 
-## [2.0.8] - 2025-03-25
+## [2.1.0] - 2025-08-28
+
+### Added
+
+- The Conjur OSS Helm chart has been extended to optionally generate a short-lived authentication token (stored in a Kubernetes Secret) for the admin account
 
 ## [2.0.7] - 2023-08-30
 
@@ -173,7 +177,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
 - First version of chart available.
 
-[Unreleased]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v2.0.7...HEAD
+[2.1.0]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v2.0.7...v2.1.0
 [2.0.7]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v2.0.6...v2.0.7
 [2.0.6]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v2.0.5...v2.0.6
 [2.0.5]: https://github.com/cyberark/conjur-oss-helm-chart/compare/v2.0.4...v2.0.5

conjur-oss/README.md

@@ -22,6 +22,7 @@ Conjur Open Source is part of the CyberArk Privileged Access Security Solution w
     + [Example: Installation Using Command Line Arguments](#example-installation-using-command-line-arguments)
     + [Example: Installation Using Custom YAML File](#example-installation-using-custom-yaml-file)
   * [Configuring Conjur Accounts](#configuring-conjur-accounts)
+    + [Accessing account credentials via a Kubernetes Secret](#accessing-account-credentials-via-a-kubernetes-secret)
   * [Installing Conjur with an External Postgres Database](#installing-conjur-with-an-external-postgres-database)
   * [Auto-Generated Configuration](#auto-generated-configuration)
 - [Upgrading, Modifying, or Migrating a Conjur Open Source Helm Deployment](#upgrading-modifying-or-migrating-a-conjur-open-source-helm-deployment)
@@ -257,9 +258,16 @@ kubectl exec --namespace $CONJUR_NAMESPACE \
               --container=conjur-oss \
               -- conjurctl account create $CONJUR_ACCOUNT | tail -1
 ```
+
 The credentials for this account will be provided after the account has been created.
 Store these in a safe location.
 
+#### Accessing account credentials via a Kubernetes Secret
+
+This chart includes the ability to automatically generate a short-lived token that can be used to programmatically authenticate to the Conjur service. The token is stored as a json file (token.json) in a Secret (`conjur-oss-conjur-admin-token`) in the same namespace as the Conjur service. The main use-case for this feature is to enable full automation of bootstrapping Conjur with initial policies, i.e. ones that provide further authenticators and hosts. For example, Conjur's Go SDK provides a method `NewClientFromTokenFile` which accepts the token.json file.  
+
+_**NOTE:**_ Be aware that this token is for the admin account created when the Conjur service first starts and, thus, has full privileges over the service. It is intended to enable the Conjur service to be bootstrapped with further, less privileged authenticators and hosts. With this in mind the token, by default, expires 10 minutes after being created. Although this value can be increased we recommend that you do not.
+
 ### Installing Conjur with an External Postgres Database
 
 You can configure Conjur to use an external (non-integrated) Postgres database
@@ -398,6 +406,12 @@ The following table lists the configurable parameters of the Conjur Open Source
 |`ssl.expiration`|Expiration limit for generated certificates|`365`|
 |`ssl.hostname`|Hostname and Common Name for generated certificate and ingress|`"conjur.myorg.com"`|
 |`postgresLabels`|Extra Kubernetes labels to apply to Conjur PostgreSQL resources|`{}`|
+|`exportAPIkey.enabled`|Controls whether a json authentication token should be created for the Conjur account specified in `account.name` and stored in a Kubernetes Secret. _**NOTE:**_ if you set this value to true you must also set `account.create` to `true`|`false`|
+|`exportAPIkey.secretName`|Name of the Secret to store the authentication token (in a file called token.json)|`"conjur-oss-conjur-admin-token"`|
+|`exportAPIkey.ttl`|How long the token will remain valid (use a valid `date -d` value, e.g. 15 minutes, 1 day)|"10 minutes"|
+|`exportAPIkey.image.repository`|Image used for the container which executes the script [export.sh](./files/export.sh) to generate the token|`registry.gitlab.com/gitlab-ci-utils/curl-jq`|
+|`exportAPIkey.image.tag`|Image tag|`"3.2.1"`|
+|`exportAPIkey.image.pullPolicy`|Image pull policy|`Always`|
 
 ### Deploying Without Persistent Volume Support (e.g. for MiniKube, KataCoda)
 Some Kubernetes platforms (e.g. MiniKube and KataCoda) do not have
@@ -560,6 +574,7 @@ The Kubernetes secrets that may need to be manually deleted following
 |`<helm-release>-conjur-data-key`|Data encryption key|Always|
 |`<helm-release>-conjur-ssl-ca-cert`|Conjur SSL CA Certificate|When auto-generated (i.e. not explicitly set)|
 |`<helm-release>-conjur-ssl-cert`|Conjur SSL Access Certificate|When auto-generated (i.e. not explicitly set)|
+|`<helm-release>-conjur-admin-token`|Authentication token for Conjur|If `exportAPIkey.enabled` set to `true`|
 
 To delete the residual "self-managed" Kubernetes secrets associated with
 the Conjur deployment, run the following:

conjur-oss/files/export.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+
+echo "Sidecar: Waiting for main application's HTTP endpoint at http://localhost:8080/..."
+
+while ! curl --fail-with-body --silent --output /dev/null http://localhost:8080/; do
+    echo "Sidecar: Main application HTTP endpoint not ready yet, sleeping..."
+    sleep 10
+done
+echo "Sidecar: Main application HTTP endpoint is ready!"
+
+TOKEN_EXPIRATION=$(date -d "now + {{ .Values.exportAPIkey.ttl }}" +%s)
+TOKEN_VALUE=$(echo "{\"account\":\"${CONJUR_ACCOUNT}\", \"sub\":\"admin\", \"exp\":$TOKEN_EXPIRATION}" | socat - UNIX-CONNECT:"/run/authn-local/.socket")
+echo "Sidecar: Generated Conjur token value"
+
+echo "Sidecar: Proceeding to create Kubernetes Secret using curl..."
+
+# Kubernetes API access details (provided by the ServiceAccount mount)
+SERVICEACCOUNT_DIR="/var/run/secrets/kubernetes.io/serviceaccount"
+TOKEN=$(cat "${SERVICEACCOUNT_DIR}/token")
+NAMESPACE=$(cat "${SERVICEACCOUNT_DIR}/namespace")
+CACERT="${SERVICEACCOUNT_DIR}/ca.crt"
+KUBERNETES_SERVICE_HOST=$KUBERNETES_SERVICE_HOST # Injected by Kubernetes
+KUBERNETES_SERVICE_PORT=$KUBERNETES_SERVICE_PORT # Injected by Kubernetes
+
+API_SERVER_URL="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"
+SECRETS_API_PATH="/api/v1/namespaces/${NAMESPACE}/secrets"
+
+SECRET_NAME="{{ .Values.exportAPIkey.secretName }}"
+SECRET_KEY="token.json"
+
+# Base64 encode the secret value
+# Using tr -d '\n' to remove newline characters added by base64 on some systems
+ENCODED_VALUE=$(echo -n "${TOKEN_VALUE}" | base64 | tr -d '\n')
+
+# Construct the JSON payload for the Secret
+read -r -d '' JSON_PAYLOAD <<EOF
+{
+  "apiVersion": "v1",
+  "kind": "Secret",
+  "metadata": {
+    "name": "${SECRET_NAME}"
+  },
+  "type": "Opaque",
+  "data": {
+    "${SECRET_KEY}": "${ENCODED_VALUE}"
+  }
+}
+EOF
+
+echo "Sidecar: removing any existing Secret with the same name..."
+curl -X DELETE \
+  -H "Authorization: Bearer ${TOKEN}" \
+  --cacert "${CACERT}" \
+  --silent \
+  --output /dev/null \
+  --write-out "%{http_code}\n" \
+  "${API_SERVER_URL}${SECRETS_API_PATH}/${SECRET_NAME}" | grep -q "200" && echo "Sidecar: Successfully deleted existing Secret '$SECRET_NAME'." || echo "Sidecar: No existing Secret '$SECRET_NAME' to delete or deletion failed."
+
+echo "Sidecar: Attempting to create Secret '$SECRET_NAME' in namespace '$NAMESPACE'..."
+HTTP_CODE=$(curl -X POST \
+-H "Authorization: Bearer ${TOKEN}" \
+--json "${JSON_PAYLOAD}" \
+--cacert "${CACERT}" \
+--silent \
+--output /dev/null \
+--write-out "%{http_code}\n" \
+"${API_SERVER_URL}${SECRETS_API_PATH}")
+
+if [[ "$HTTP_CODE" =~ ^2 ]]; then # Check for 2xx success codes
+  echo "Sidecar: Successfully created Secret '$SECRET_NAME'. HTTP Status: $HTTP_CODE"
+elif [[ "$HTTP_CODE" == "409" ]]; then # 409 Conflict means it already exists
+  echo "Sidecar: Secret '$SECRET_NAME' already exists. HTTP Status: $HTTP_CODE"
+else
+  echo "Sidecar: Failed to create Secret '$SECRET_NAME'. HTTP Status: $HTTP_CODE"
+fi
+
+echo "Sidecar: Post-main-app-startup tasks completed."
+
+# Keep the sidecar container running indefinitely to prevent it from exiting and causing
+# the control plane to try and restart it.
+tail -f /dev/null

conjur-oss/templates/auth-role.yaml

@@ -42,6 +42,11 @@ rules:
 - apiGroups: [""]
   resources: ["pods/exec"]
   verbs: ["create", "get"]
+{{- if .Values.exportAPIkey.enabled }}  
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "delete", "update", "get", "list"]
+{{- end }}  
 ---
 kind: ClusterRoleBinding
 apiVersion: {{ include "conjur-oss.rbac-api" . }}

conjur-oss/templates/deployment.yaml

@@ -55,6 +55,14 @@ spec:
             - key: conjur_site
               path: sites-enabled/conjur.conf
       {{- end }}
+      {{- if .Values.exportAPIkey.enabled }}
+      - name: {{ .Release.Name }}-authn-local-socket-volume
+        emptyDir: {}
+      - name: {{ .Release.Name }}-export-api-key-configmap-volume
+        configMap:
+          name: {{ .Release.Name }}-export-api-key-configmap
+          defaultMode: 0500
+      {{- end }}      
       containers:
       - name: {{ .Release.Name }}-nginx
         image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}"
@@ -160,8 +168,33 @@ spec:
           value: {{ .Values.account.name }}
         - name: CONJUR_LOG_LEVEL
           value: {{ .Values.logLevel }}
+        {{- if .Values.exportAPIkey.enabled }}
+        volumeMounts:
+        - name: {{ .Release.Name }}-authn-local-socket-volume
+          mountPath: /run/authn-local
+          readOnly: false
+        {{- end }}          
         resources:
 {{ toYaml .Values.resources | indent 12 }}
+      {{- if .Values.exportAPIkey.enabled }}
+      - name: {{ .Release.Name }}-export-api-key
+        image: "{{ .Values.exportAPIkey.image.repository }}:{{ .Values.exportAPIkey.image.tag }}"
+        imagePullPolicy: {{ .Values.exportAPIkey.image.pullPolicy }}
+        command: [ "/bin/bash", "-c" ]
+        args:
+          - |
+            apk add --no-cache socat
+            /scripts/export.sh
+        env:
+        - name: CONJUR_ACCOUNT
+          value: {{ .Values.account.name }}        
+        volumeMounts:
+        - name: {{ .Release.Name }}-authn-local-socket-volume
+          mountPath: /run/authn-local
+          readOnly: false
+        - name: {{ .Release.Name }}-export-api-key-configmap-volume
+          mountPath: "/scripts"
+      {{- end }}
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}

conjur-oss/templates/exportapikey-configmap.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.exportAPIkey.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-export-api-key-configmap
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "conjur-oss.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+  export.sh: {{ tpl (.Files.Get "files/export.sh") . | quote }}
+{{- end -}}

conjur-oss/templates/tests/test-simple-install-configmap.yaml

@@ -7,3 +7,9 @@ data:
     @test "Testing that Conjur status page is up" {
       curl -f --cacert /cacert/tls.crt https://{{ template "conjur-oss.fullname" . }}/ | grep 'Status'
     }
+  {{- if .Values.exportAPIkey.enabled }}
+    @test "Testing that the Secret containing a Conjur authentication token has been created" {
+      result=$(curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)/secrets/{{ .Values.exportAPIkey.secretName }}" --output /dev/null --silent --write-out "%{http_code}")
+      [ "$result" -eq 200 ]
+    }
+  {{- end }}

conjur-oss/templates/tests/test-simple-install.yaml

@@ -15,6 +15,7 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation
 {{ end }}
 spec:
+  serviceAccountName: {{ template "conjur-oss.service-account" . }}
   initContainers:
   - name: {{ .Release.Name }}-bats-init
     image: bats/bats:v1.1

conjur-oss/values.schema.json

@@ -250,6 +250,19 @@
           "type": "boolean"
         }
       }
-    }
+    },
+    "exportAPIkey": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        },
+        "secretName": {
+          "type": "string"
+        },
+        "ttl": {
+          "type": "string"
+        }
+      }
+    }    
   }
 }

conjur-oss/values.yaml

@@ -188,3 +188,15 @@ tolerations: []
 # Set enabled true for OCP support
 openshift: 
   enabled: false
+
+# Set enabled to true to enable the Export API key feature.
+# This feature allows the Conjur server to export the API key for a given
+# Conjur user to a Kubernetes secret.
+exportAPIkey:
+  enabled: false # If true, ensure account.create is also true.
+  secretName: "conjur-oss-conjur-admin-token"
+  ttl: "10 minutes"
+  image:
+    repository: registry.gitlab.com/gitlab-ci-utils/curl-jq
+    tag: "3.2.1"
+    pullPolicy: Always