feat(agent): add SMS/Conjur JWT authentication alongside username/password#817
Draft
roeezis wants to merge 1 commit into
Adds a workload-identity auth path: the agent reads a projected ServiceAccount token, exchanges it at Secrets Manager SaaS (Conjur Cloud) authn-jwt for a short-lived Conjur access token, and presents it as a Bearer credential. The existing CyberArk Identity username/password login is retained; the method is selected automatically by config:

  config.cyberark.serviceId set   -> Conjur JWT exchange (preferred)
  else ARK_USERNAME + ARK_SECRET  -> username/password (unchanged)
  both set                        -> serviceId wins
  neither                         -> fail closed

Only the token source changes, behind the existing identity.RequestAuthenticator seam; dataupload, service discovery and the upload pipeline are untouched.

- internal/cyberark/conjur: authn-jwt exchange, ~8m token cache, Bearer
- internal/cyberark/jwtsource: file source (projected SA token); spiffe deferred
- internal/cyberark/identity: username/password login retained (split into username_password.go), behaviour unchanged
- internal/cyberark/client.go: selectAuthenticator picks the method; NewRequestAuthenticator exposed for envelope/keyfetch
- internal/envelope/keyfetch: JWKS fetch uses the same authenticator selector
- pkg/agent/config.go: config.cyberark.* keys; service_id no longer mandatory
- deploy/charts/disco-agent: projected token volume (aud=conjur), config keys, optional ARK_USERNAME/ARK_SECRET; docs

Unit tests cover the four selection cases and the retained username/password login.
Summary
Adds a workload-identity JWT authentication path to the Discovery & Context agent, alongside the existing CyberArk Identity username/password login (not replacing it). The agent reads a projected ServiceAccount token, exchanges it at Secrets Manager SaaS (Conjur Cloud) authn-jwt for a short-lived Conjur access token, and presents it as a Bearer credential. Only the token source changes, behind the existing identity.RequestAuthenticator seam; dataupload, service discovery and the upload pipeline are untouched.

Auth-method selection

The method is chosen automatically by config, so existing installs keep working with no change.

serviceId-wins lets a migrating install add the service id before removing its old credentials, so there is never a rollout window with no method.

What changed

- internal/cyberark/conjur/ (new): authn-jwt exchange, ~8 min token cache, sets Bearer; implements RequestAuthenticator.
- internal/cyberark/jwtsource/ (new): file source (projected SA token, default /var/run/secrets/tokens/jwt); spiffe deferred.
- internal/cyberark/identity/username_password.go: existing username/password login moved here from identity.go, behaviour unchanged.
- internal/cyberark/client.go: selectAuthenticator picks the method by config; ClientConfig keeps Username/Secret and adds service_id/account/jwt_source.
- internal/envelope/keyfetch/: JWKS fetch uses the same authenticator selector.
- pkg/agent/config.go: config.cyberark.* keys; service_id no longer mandatory (fails closed at runtime if no method is configured).
- deploy/charts/disco-agent/: projected token volume (audience: conjur), config keys, optional ARK_USERNAME/ARK_SECRET, docs.

Tests
Unit tests cover the four selection cases (serviceId → conjur, user/pass → identity, both → conjur wins, neither → error) and the retained username/password login.
internal/cyberark/... green.

Status
Draft for review. Server-side validation of the Conjur token and full integration testing against a live tenant are tracked separately.
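As an added example (not code from this PR or from the disco-agent project), the Go sketch below shows the two pieces the description lays out: the four-way config selection (serviceId wins, username/password only when both halves are set, nothing configured fails closed at startup) and the Conjur JWT path, with a file-backed token source that is re-read on every refresh, a TTL cache in the ~8 min range, and a Bearer header set behind a RequestAuthenticator-style seam. All names here (Config and its fields, SelectMethod, TokenExchanger, ExchangeFunc, ConjurJWTAuthenticator) are assumptions for illustration; the authn-jwt HTTP round trip is left behind an interface and the retained Identity login is not reproduced.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"os"
	"strings"
	"sync"
	"time"
)

// Method is the auth path the selector settles on.
type Method int

const (
	MethodConjurJWT        Method = iota // projected SA token -> authn-jwt -> Bearer
	MethodUsernamePassword               // retained CyberArk Identity login (not shown here)
)

// Config holds only the keys the selector consults (field names are assumed).
type Config struct {
	ServiceID string // config.cyberark.serviceId
	Username  string // ARK_USERNAME
	Secret    string // ARK_SECRET
}

var ErrNoAuthMethod = errors.New("cyberark: no auth method configured; set serviceId or ARK_USERNAME and ARK_SECRET")

// SelectMethod encodes the PR's four cases: serviceId wins whenever it is set, user/pass
// applies only when both halves are present, and nothing configured is a startup error.
func SelectMethod(cfg Config) (Method, error) {
	switch {
	case cfg.ServiceID != "":
		return MethodConjurJWT, nil
	case cfg.Username != "" && cfg.Secret != "":
		return MethodUsernamePassword, nil
	default:
		return 0, ErrNoAuthMethod
	}
}

// TokenExchanger trades the workload JWT for a Conjur access token. The real one POSTs to
// the tenant's authn-jwt endpoint; an interface (assumed) keeps the caching logic offline.
type TokenExchanger interface {
	Exchange(ctx context.Context, jwt string) (string, error)
}

// ExchangeFunc adapts a plain function to TokenExchanger.
type ExchangeFunc func(ctx context.Context, jwt string) (string, error)
func (f ExchangeFunc) Exchange(ctx context.Context, jwt string) (string, error) { return f(ctx, jwt) }

// ConjurJWTAuthenticator re-reads the projected ServiceAccount token on every refresh (the
// kubelet rotates that file in place), exchanges it, and caches the Conjur token for TTL.
type ConjurJWTAuthenticator struct {
	TokenPath string // PR default: /var/run/secrets/tokens/jwt
	Exchange  TokenExchanger
	TTL       time.Duration    // ~8 min in the PR
	Now       func() time.Time // injectable clock so expiry can be tested
	mu        sync.Mutex
	token     string
	expires   time.Time
}

func (a *ConjurJWTAuthenticator) accessToken(ctx context.Context) (string, error) {
	a.mu.Lock()
	defer a.mu.Unlock()
	if a.token != "" && a.Now().Before(a.expires) {
		return a.token, nil // cache hit: no file read, no round trip
	}
	raw, err := os.ReadFile(a.TokenPath)
	if err != nil {
		return "", fmt.Errorf("jwtsource/file: %w", err)
	}
	jwt := strings.TrimSpace(string(raw))
	if jwt == "" {
		return "", errors.New("jwtsource/file: projected token file is empty")
	}
	tok, err := a.Exchange.Exchange(ctx, jwt)
	if err != nil {
		return "", fmt.Errorf("authn-jwt exchange: %w", err)
	}
	a.token, a.expires = tok, a.Now().Add(a.TTL)
	return tok, nil
}

// Authenticate fills the RequestAuthenticator seam: Bearer on success, no header on failure.
func (a *ConjurJWTAuthenticator) Authenticate(ctx context.Context, req *http.Request) error {
	tok, err := a.accessToken(ctx)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+tok)
	return nil
}

func main() {
	fmt.Println(SelectMethod(Config{})) // neither method configured: fail closed at startup
}
```

Two properties worth checking in a review of the real code map onto this sketch: the token file is read again on each refresh rather than once at startup, so a kubelet rotation of the projected token is picked up without a restart, and every failure path (missing file, empty file, exchange error) returns before any Authorization header is written, so a request never leaves with a stale or partial credential. The cache TTL also has to stay below the lifetime of the Conjur access token, otherwise the agent will keep presenting an expired token until the cache rolls over.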