Merge pull request #37 from Conjur-Enterprise/ss-token-app-property

CNJR-4607: Support authn-jwt field token-app-property

CHANGELOG.md

@@ -10,12 +10,14 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Nothing should go in this section, please add to the latest unreleased version
   (and update the corresponding date), or add a new version.
 
-## [0.2.0] - 2024-04-30
+## [0.2.0] - 2024-06-05
 
 ### Added
 - Support retrieving secrets definition from pod annotations (CNJR-4099)
 - Added support for configurable log levels using the `LOG_LEVEL` environment
   variable (CNJR-3733)
+- Added support for JWT authenticator field `token-app-property`, which makes
+  the `identity` configuration attribute optional (CNJR-4607)
 
 ### Changed
 - Updated Alpine base image to 3.19.1 (CONJSE-1852)

CONTRIBUTING.md

@@ -24,6 +24,11 @@ go tool cover -html ./test/c.out -o ./test/c.html
 open ./test/c.html
 ```
 
+This project also includes end-to-end tests exercising core functionality. To run them:
+```sh
+./bin/test_e2e
+```
+
 ## Pull Request Workflow
 
 1. [Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo)
@@ -46,13 +51,13 @@ follow the instructions in this section.
 
 1. Review the git log and ensure the [changelog](CHANGELOG.md) contains all
    relevant recent changes with references to GitHub issues or PRs, if possible.
-   Also ensure the latest unreleased version is accurate - our pipeline generates 
+   Also ensure the latest unreleased version is accurate - our pipeline generates
    a VERSION file based on the changelog, which is then used to assign the version
    of the release and any release artifacts.
 1. Review the changes since the last tag, and if the dependencies have changed
    revise the [NOTICES](NOTICES.txt) to correctly capture the included
    dependencies and their licenses / copyrights.
-1. Ensure that all documentation that needs to be written has been 
+1. Ensure that all documentation that needs to be written has been
    written by TW, approved by PO/Engineer, and pushed to the forward-facing documentation.
 1. Scan the project for vulnerabilities
 

README.md

@@ -5,16 +5,17 @@ Conjur's integration for the
 which injects secrets into Kubernetes environments via
 [Container Storage Interface](https://kubernetes-csi.github.io/docs/) volumes.
 
-  * [Certification level](#certification-level)
-  * [Requirements](#requirements)
-  * [Usage](#usage)
-  * [Configuration](#configuration)
-    + [Conjur Provider Helm chart](#conjur-provider-helm-chart)
-    + [`SecretProviderClass`](#-secretproviderclass-)
-  * [Contributing](#contributing)
-  * [Community Support](#community-support)
-  * [Code Maintainers](#code-maintainers)
-  * [License](#license)
+- [Conjur Provider for Secrets Store CSI Driver](#conjur-provider-for-secrets-store-csi-driver)
+  - [Certification level](#certification-level)
+  - [Requirements](#requirements)
+  - [Usage](#usage)
+  - [Configuration](#configuration)
+    - [Conjur Provider Helm chart](#conjur-provider-helm-chart)
+    - [`SecretProviderClass`](#secretproviderclass)
+  - [Contributing](#contributing)
+  - [Community Support](#community-support)
+  - [Code Maintainers](#code-maintainers)
+  - [License](#license)
 
 <!---<small><i><a href='http://ecotrust-canada.github.io/markdown-toc/'>Table of contents generated with markdown-toc</a></i></small>--->
 
@@ -50,18 +51,17 @@ our certification levels, see
 
    ```yaml
    - !host
-     id: workload-host
+     id: system:serviceaccount:app-namespace:default
      annotations:
        authn-jwt/kube/kubernetes.io/namespace: app-namespace
-       authn-jwt/kube/kubernetes.io/serviceaccount/name: sa-name
+       authn-jwt/kube/kubernetes.io/serviceaccount/name: default
    ```
 
    The following policy YAML creates an AuthnJWT instance `kube` to authenticate
    workloads in Kubernetes using their ServiceAccount tokens, and permits the
-   created `host` to authenticate with the service. 
-
-    > **Note**  
-    > Currently, use of the `token-app-property` variable is not supported.
+   created `host` to authenticate with the service. The `host` ID is the value
+   of the claim in the JWT token specified by the `token-app-property`
+   authenticator variable.
 
    ```yaml
    - !policy
@@ -94,17 +94,17 @@ our certification levels, see
 
      # This variable tells Conjur which claim in the JWT to use to determine the
      # Conjur host identity.
-     # - !variable
-     #   id: token-app-property # Most likely set to "sub" for Kubernetes
-   
+     - !variable
+       id: token-app-property # Most likely set to "sub" for Kubernetes
+
      # Used with 'token-app-property'.
      # This variable will hold the Conjur policy path that contains the Conjur
      # host identity found by looking at the claim entered in token-app-property.
      # - !variable
      #   id: identity-path
 
      - !permit
-       role: !host /workload-host
+       role: !host /system:serviceaccount:app-namespace:default
        privilege: [ read, authenticate ]
        resource: !webservice
    ```
@@ -122,7 +122,7 @@ our certification levels, see
        - !variable password
 
      - !permit
-       role: !host /workload-host
+       role: !host /system:serviceaccount:app-namespace:default
        privileges: [ read, execute ]
        resource: *variables
    ```
@@ -182,7 +182,6 @@ our certification levels, see
        account: myAccount
        applianceUrl: http://myorg.conjur.com
        authnId: authn-jwt/kube
-       identity: host/workload-host
        sslCertificate: |
          -----BEGIN CERTIFICATE-----
          MIIDhDCCAmy...njemCrVXIWw==
@@ -265,7 +264,7 @@ The following table lists the configurable parameters on the Conjur Provider's
 | `spec.parameters.applianceUrl` | Conjur Appliance URL | `https://myorg.conjur.com` |
 | `spec.parameters.authnId` | Type and service ID of desired Conjur authenticator | `authn-jwt/service-id` |
 | `spec.parameters.conjur.org/configurationVersion` | Conjur CSI Provider configuration version | `0.2.0` |
-| `spec.parameters.identity` | Conjur identity used during authentication and authorization | `botApp` |
+| `spec.parameters.identity` | Conjur identity used during authentication and authorization (Optional. Only used when `token-app-property` authenticator field is not used.) | `botApp` |
 | `spec.parameters.secrets` | Multiline string describing map of relative filepaths to Conjur variable IDs. NOTE: This parameter is ignored when `conjur.org/configurationVersion` is 0.2.0 or higher. Instead use application pod annotations. | <pre>- "relative/path/fileA.txt": "conjur/path/varA"<br>- "relative/path/fileB.txt": "conjur/path/varB"</pre> |
 | `spec.parameters.sslCertificate` | Conjur Appliance certificate | <pre>-----BEGIN CERTIFICATE-----<br>MIIDhDCCAmy...njemCrVXIWw==<br>-----END CERTIFICATE----- |
 

bin/poc

@@ -20,8 +20,9 @@ if [[ "${CONTAINERIZED}" == "true" ]]; then
 fi
 
 # Create testing namespace
-kubectl create ns csi
-kubectl config set-context --current --namespace=csi
+APP_NAMESPACE=app-namespace
+kubectl create ns "$APP_NAMESPACE"
+kubectl config set-context --current --namespace="$APP_NAMESPACE"
 
 # Update Helm repos
 helm repo add cyberark --insecure-skip-tls-verify https://cyberark.github.io/helm-charts
@@ -121,6 +122,7 @@ conjur variable set -i db-credentials/password -v 'Sup3rSecretP@ssword'
 # Set variable values on authenticator
 conjur variable set -i conjur/authn-jwt/kube/public-keys -v \$(cat /files/jwks)
 conjur variable set -i conjur/authn-jwt/kube/issuer -v \$(cat /files/issuer)
+conjur variable set -i conjur/authn-jwt/kube/token-app-property -v 'sub'
 "
 
 # Ensure the Secrets Store CSI Driver is ready
@@ -135,21 +137,22 @@ helm install \
   conjur-provider \
   ./helm/conjur-k8s-csi-provider
 
-# Deploy the app 
+# Deploy the app
 # conjur.configurationVersion=0.1.0 - secrets set in SecretProviderClass
 # conjur.configurationVersion=0.2.0 (default) - secrets set in application pod
 helm install test-app ./helm/test-app \
   --wait \
+  --namespace "$APP_NAMESPACE" \
   --set conjur.configurationVersion=0.2.0 \
   --set conjur.sslCertificate="$(cat ./files/conjur-cert.pem)" \
   --set conjur.secrets="- \"relative/path/fileA.txt\": \"db-credentials/url\"
 - \"relative/path/fileB.txt\": \"db-credentials/username\"
 - \"relative/path/fileC.txt\": \"db-credentials/password\""
 
 # Assertions
-fileA_content="$(kubectl exec pod/app -n csi -- cat /mnt/secrets-store/relative/path/fileA.txt)"
-fileB_content="$(kubectl exec pod/app -n csi -- cat /mnt/secrets-store/relative/path/fileB.txt)"
-fileC_content="$(kubectl exec pod/app -n csi -- cat /mnt/secrets-store/relative/path/fileC.txt)"
+fileA_content="$(kubectl exec pod/app -n "$APP_NAMESPACE" -- cat /mnt/secrets-store/relative/path/fileA.txt)"
+fileB_content="$(kubectl exec pod/app -n "$APP_NAMESPACE" -- cat /mnt/secrets-store/relative/path/fileB.txt)"
+fileC_content="$(kubectl exec pod/app -n "$APP_NAMESPACE" -- cat /mnt/secrets-store/relative/path/fileC.txt)"
 if [[ "$fileA_content" == "https://db.com" ]] && \
    [[ "$fileB_content" == "db_user" ]] && \
    [[ "$fileC_content" == "Sup3rSecretP@ssword" ]];

go.sum

@@ -3,10 +3,10 @@ github.com/alessio/shellescape v1.4.2/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPp
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas=
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/cyberark/conjur-api-go v0.11.4 h1:s2bbeJhb+Szosqjr4DX3BaQiZEsKKAFhn35TRqZeLIY=
-github.com/cyberark/conjur-api-go v0.11.4/go.mod h1:WjXCREpdXyU69k5ZwYQMA3k+VkPwMznr22fKSMD5OUE=
-github.com/cyberark/conjur-authn-k8s-client v0.26.1 h1:eod150C7iBDXu1AdFF6si7RH93M0NKpt97qbgEKYWCA=
-github.com/cyberark/conjur-authn-k8s-client v0.26.1/go.mod h1:Jqbs1zWeaG2MY0jFNlmpGRKg3m5XqXBYVR2Kw88oXDk=
+github.com/cyberark/conjur-api-go v0.12.0 h1:84h/IcphuuyWW1R4VX/Syuyw4lfR89sKvxloexJYmn8=
+github.com/cyberark/conjur-api-go v0.12.0/go.mod h1:WjXCREpdXyU69k5ZwYQMA3k+VkPwMznr22fKSMD5OUE=
+github.com/cyberark/conjur-authn-k8s-client v0.26.2 h1:HEjS7f6wpItnPbse6CQ/Dp3aHGeXTgnKjpl1RPdE2sA=
+github.com/cyberark/conjur-authn-k8s-client v0.26.2/go.mod h1:C57WW0NZyinwsVuRFSKEHkrxw0L3kXZ5Lb7BAosOxdA=
 github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs=
 github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5FdCcyfPwps=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

helm/test-app/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 description: A Helm chart for deploying CyberArk Conjur's CSI Driver Provider test app
 name: conjur-k8s-csi-provider-test-app
-version: 0.0.1
+version: 0.2.0
 home: https://github.com/cyberark/conjur-k8s-csi-provider
 icon: https://www.cyberark.com/wp-content/uploads/2015/12/cybr-aim.jpg

helm/test-app/templates/secret-provider-class.yaml

@@ -11,7 +11,6 @@ spec:
     account: {{ .Values.conjur.account }}
     applianceUrl: {{ .Values.conjur.applianceUrl }}
     authnId: {{ .Values.conjur.authnId }}
-    identity: {{ .Values.conjur.identity }}
     secrets: |
 {{ .Values.conjur.secrets | indent 6 }}
     sslCertificate: |

helm/test-app/values.yaml

@@ -8,6 +8,5 @@ conjur:
   account: default
   applianceUrl: https://conjur-conjur-oss.conjur.svc.cluster.local
   authnId: authn-jwt/kube
-  identity: host/workload-host
   secrets:
   sslCertificate:

pkg/provider/provider.go

@@ -152,7 +152,8 @@ func NewConfig(req *v1alpha1.MountRequest, getAnnotationsFunc k8s.GetPodAnnotati
 	}
 
 	missingKeys := []string{}
-	for _, key := range []string{"account", "applianceUrl", "authnId", "identity", "sslCertificate"} {
+	// Don't check for 'identity' attribute since it is optional
+	for _, key := range []string{"account", "applianceUrl", "authnId", "sslCertificate"} {
 		if attributes[key] == "" {
 			missingKeys = append(missingKeys, key)
 		}