Errors are unnecessarily logged on client prior to certificate being injected #119

eranha · 2020-04-20T10:43:24Z

Afte the CSR is sent the server and the response is being sent out-of-band, the client yields errors to log while attempting to load the certificate, until the server injects the certificate to the client. This type of output can be alarming to see and unhelpful so it would be good to only show this when there is a real problem getting the certificate.

AC:

Certificate reading errors should only be logged when we are sure that the server failed to inject the signed cert

INFO: 2020/04/20 08:23:44 main.go:43: CAKC006I Authenticating as user '&{host/conjur/authn-k8s/conjur-5-e799170e-f-test/apps/test-app-5-e799170e-f/service_account/oc-test-app-summon-init host.conjur.authn-k8s.conjur-5-e799170e-f-test.apps test-app-5-e799170e-f.service_account.oc-test-app-summon-init}'
INFO: 2020/04/20 08:23:44 authenticator.go:181: CAKC005I Trying to login Conjur...
INFO: 2020/04/20 08:23:44 authenticator.go:113: CAKC007I Logging in as user &{host/conjur/authn-k8s/conjur-5-e799170e-f-test/apps/test-app-5-e799170e-f/service_account/oc-test-app-summon-init host.conjur.authn-k8s.conjur-5-e799170e-f-test.apps test-app-5-e799170e-f.service_account.oc-test-app-summon-init}.
INFO: 2020/04/20 08:23:44 requests.go:23: CAKC011I Login request to: https://conjur-follower.conjur-5-e799170e-f-test.svc.cluster.local/api/authn-k8s/conjur-5-e799170e-f-test/inject_client_cert
ERROR: 2020/04/20 08:23:44 authenticator.go:140: CAKC011E Client certificate not found at '/etc/conjur/ssl/client.pem'
ERROR: 2020/04/20 08:23:44 authenticator.go:184: CAKC015E Login failed
ERROR: 2020/04/20 08:23:44 main.go:46: CAKC016E Failed to authenticate
INFO: 2020/04/20 08:23:46 main.go:43: CAKC006I Authenticating as user '&{host/conjur/authn-k8s/conjur-5-e799170e-f-test/apps/test-app-5-e799170e-f/service_account/oc-test-app-summon-init host.conjur.authn-k8s.conjur-5-e799170e-f-test.apps test-app-5-e799170e-f.service_account.oc-test-app-summon-init}'
INFO: 2020/04/20 08:23:46 authenticator.go:181: CAKC005I Trying to login Conjur...
INFO: 2020/04/20 08:23:46 authenticator.go:113: CAKC007I Logging in as user &{host/conjur/authn-k8s/conjur-5-e799170e-f-test/apps/test-app-5-e799170e-f/service_account/oc-test-app-summon-init host.conjur.authn-k8s.conjur-5-e799170e-f-test.apps test-app-5-e799170e-f.service_account.oc-test-app-summon-init}.
INFO: 2020/04/20 08:23:46 requests.go:23: CAKC011I Login request to: https://conjur-follower.conjur-5-e799170e-f-test.svc.cluster.local/api/authn-k8s/conjur-5-e799170e-f-test/inject_client_cert
INFO: 2020/04/20 08:23:46 authenticator.go:187: CAKC002I Logged in
INFO: 2020/04/20 08:23:46 authenticator.go:170: CAKC008I Cert expires: 2020-04-23 08:23:44 +0000 UTC
INFO: 2020/04/20 08:23:46 authenticator.go:171: CAKC009I Current date: 2020-04-20 08:23:46.685910936 +0000 UTC
INFO: 2020/04/20 08:23:46 authenticator.go:172: CAKC010I Buffer time:  30s
INFO: 2020/04/20 08:23:46 requests.go:47: CAKC012I Authn request to: https://conjur-follower.conjur-5-e799170e-f-test.svc.cluster.local/api/authn-k8s/conjur-5-e799170e-f-test/my-account/host%2Fconjur%2Fauthn-k8s%2Fconjur-5-e799170e-f-test%2Fapps%2Ftest-app-5-e799170e-f%2Fservice_account%2Foc-test-app-summon-init/authenticate
INFO: 2020/04/20 08:23:46 authenticator.go:250: CAKC001I Successfully authenticated

The text was updated successfully, but these errors were encountered:

sgnn7 · 2020-04-24T18:51:55Z

Hi @eranha,
The problem here is that to avoid using "secret zero" and prevent DoSing the server with open connections, we have to do the injection of the certificate in an out-of-band async fashion into the container.

With that pre-requisite as a starting point, we do not have too many reliable options available to us from the authenticator. Are you suggesting that we use a different type of checks? If so, there is room for improvement here for sure but as-is described, this behavior is not exactly a bug. Let us know what you wanted to specifically to see here and we can try to refine the issue.

eranha · 2020-04-25T06:40:22Z

The error is logged because the certificate has not been injected yet. You can wait/retry for it, and only log an error after timeout

sgnn7 · 2020-04-28T13:42:17Z

Hi @eranha,
I think I see what you mean. I will update the issue with clearer info then.

sigalsax · 2020-08-18T13:25:58Z

See more detail here: #146
Solution design by @oburstein-hub here

### Fixed - Logs now correctly print only the Conjur identity without the policy branch prefix. ([#126](#126)) - When authentication fails, the exponential backoff retry is correctly reset so that it will continue to attempt to authenticate until backoff is exhausted. ([#158](#158)) ### Changed - Wait slightly for the client certificate file to exist after login before raising an error. [#119](#119)

This version introduces some changes that we can benefit from, especially these: - Errors in the certificate injection process on login are now printed to the client logs. [cyberark/conjur-authn-k8s-client#/170](cyberark/conjur-authn-k8s-client#170) - When authentication fails, the exponential backoff retry is correctly reset so that it will continue to attempt to authenticate until backoff is exhausted. [cyberark/conjur-authn-k8s-client#158](cyberark/conjur-authn-k8s-client#158) - Wait slightly for the client certificate file to exist after login before raising an error. [cyberark/conjur-authn-k8s-client#119](cyberark/conjur-authn-k8s-client#119)

sgnn7 added component/k8s kind/documentation triage/should-close triage/wont-fix labels Apr 24, 2020

sgnn7 changed the title ~~Client Yields Login Failed Error prior to Certificate being Injected~~ Don't log errors on client prior to certificate being injected Apr 28, 2020

sgnn7 added kind/cleanup kind/developer-experience and removed triage/wont-fix kind/documentation triage/should-close labels Apr 28, 2020

sgnn7 changed the title ~~Don't log errors on client prior to certificate being injected~~ Errors are unnecessarily logged on client prior to certificate being injected Apr 28, 2020

izgeri mentioned this issue Aug 13, 2020

Constant CSPFK010E Failed to authenticate error on startup #146

Closed

3 tasks

sigalsax mentioned this issue Aug 17, 2020

Secrets Provider - Account for initial error in authn-client cyberark/secrets-provider-for-k8s#186

Closed

izgeri mentioned this issue Aug 28, 2020

Add check for client certificate existence with a timeout #153

Merged

7 tasks

micahlee self-assigned this Aug 28, 2020

eladkug mentioned this issue Sep 8, 2020

Cert injection is not done properly in authn-k8s cyberark/conjur#1807

Closed

1 task

orenbm mentioned this issue Sep 13, 2020

Bump version to 0.18.1 #163

Merged

eladkug closed this as completed Oct 1, 2020

orenbm mentioned this issue Oct 8, 2020

Consume version 0.19.0 of conjur-authn-k8s-client cyberark/secretless-broker#1352

Merged

izgeri mentioned this issue Mar 29, 2021

Authenticator client sometimes panics when trying to kick off authentication #252

Closed

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Errors are unnecessarily logged on client prior to certificate being injected #119

Errors are unnecessarily logged on client prior to certificate being injected #119

eranha commented Apr 20, 2020 •

edited by eladkug

Loading

sgnn7 commented Apr 24, 2020

eranha commented Apr 25, 2020

sgnn7 commented Apr 28, 2020

sigalsax commented Aug 18, 2020

Errors are unnecessarily logged on client prior to certificate being injected #119

Errors are unnecessarily logged on client prior to certificate being injected #119

Comments

eranha commented Apr 20, 2020 • edited by eladkug Loading

sgnn7 commented Apr 24, 2020

eranha commented Apr 25, 2020

sgnn7 commented Apr 28, 2020

sigalsax commented Aug 18, 2020

eranha commented Apr 20, 2020 •

edited by eladkug

Loading