feat(agent): add SMS/Conjur JWT authentication alongside username/password#817

Draft
roeezis wants to merge 1 commit into
jetstack:masterfrom
roeezis:public/CP-21164-sms-conjur-jwt
Conversation

@roeezis

@roeezis roeezis commented Jul 1, 2026

Summary

Adds a workload-identity JWT authentication path to the Discovery & Context agent, alongside the existing CyberArk Identity username/password login (not replacing it). The agent reads a projected ServiceAccount token, exchanges it at Secrets Manager SaaS (Conjur Cloud) authn-jwt for a short-lived Conjur access token, and presents it as a Bearer credential. Only the token source changes, behind the existing identity.RequestAuthenticator seam — dataupload, service discovery and the upload pipeline are untouched.

Auth-method selection

The method is chosen automatically by config, so existing installs keep working with no change:

config.cyberark.serviceId set   -> Conjur JWT exchange (preferred)
else ARK_USERNAME + ARK_SECRET  -> username/password (unchanged)
both set                        -> serviceId wins (warn, ignore user/pass)
neither                         -> fail closed at startup

serviceId-wins lets a migrating install add the service id before removing its old credentials, so there is never a rollout window with no method.

What changed

  • internal/cyberark/conjur/ (new) — authn-jwt exchange, ~8 min token cache, sets Bearer; implements RequestAuthenticator.
  • internal/cyberark/jwtsource/ (new) — file source (projected SA token, default /var/run/secrets/tokens/jwt); spiffe deferred.
  • internal/cyberark/identity/username_password.go — existing username/password login moved here from identity.go, behaviour unchanged.
  • internal/cyberark/client.go — selectAuthenticator picks the method by config; ClientConfig keeps Username/Secret and adds service_id/account/jwt_source.
  • internal/envelope/keyfetch/ — JWKS fetch uses the same authenticator selector.
  • pkg/agent/config.go — config.cyberark.* keys; service_id no longer mandatory (fails closed at runtime if no method is configured).
  • deploy/charts/disco-agent/ — projected token volume (audience: conjur), config keys, optional ARK_USERNAME/ARK_SECRET, docs.

Tests

Unit tests cover the four selection cases (serviceId → conjur, user/pass → identity, both → conjur wins, neither → error) and the retained username/password login. internal/cyberark/... green.

Status

Draft for review. Server-side validation of the Conjur token and full integration testing against a live tenant are tracked separately.
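The selection table and the cached-token Bearer authenticator described above, as an added illustration that is not code from this PR or from the jetstack/disco-agent repository. Type and field names (AuthConfig, selectMethod, tokenCache, conjurJWTAuthenticator, the DISCO_SERVICE_ID variable in main) are assumptions chosen for the example; the authn-jwt exchange itself is injected as a function so the cache and the fail-closed logic can run offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"strings"
	"sync"
	"time"
)

// Method is the authentication path the agent will use.
type Method string

const (
	MethodConjurJWT Method = "conjur-jwt"        // config.cyberark.serviceId set
	MethodUserPass  Method = "username-password" // ARK_USERNAME + ARK_SECRET set
)

// AuthConfig holds the three inputs the selection table keys on.
// Field names are assumptions; the PR's ClientConfig may name them differently.
type AuthConfig struct {
	ServiceID string // config.cyberark.serviceId
	Username  string // ARK_USERNAME
	Secret    string // ARK_SECRET
}

// selectMethod encodes the four-way table from the PR description: serviceId
// wins (warning when user/pass is also present), user/pass is the fallback,
// and nothing configured is an error so the agent fails closed at startup.
func selectMethod(cfg AuthConfig, warn func(string)) (Method, error) {
	hasUserPass := cfg.Username != "" && cfg.Secret != ""
	switch {
	case cfg.ServiceID != "" && hasUserPass:
		warn("both config.cyberark.serviceId and ARK_USERNAME/ARK_SECRET are set; using Conjur JWT and ignoring username/password")
		return MethodConjurJWT, nil
	case cfg.ServiceID != "":
		return MethodConjurJWT, nil
	case hasUserPass:
		return MethodUserPass, nil
	default:
		// A username without a secret (or vice versa) lands here too: fail
		// closed rather than attempt a half-configured login.
		return "", errors.New("no authentication method configured: set config.cyberark.serviceId or both ARK_USERNAME and ARK_SECRET")
	}
}

// readProjectedToken reads the projected ServiceAccount token from disk
// (the PR's default path is /var/run/secrets/tokens/jwt). Trimming guards
// against a hand-mounted file that carries a trailing newline.
func readProjectedToken(path string) (string, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("reading projected token %q: %w", path, err)
	}
	tok := strings.TrimSpace(string(b))
	if tok == "" {
		return "", fmt.Errorf("projected token %q is empty", path)
	}
	return tok, nil
}

// tokenCache holds a short-lived Conjur access token and re-runs the exchange
// only once the cached token is older than ttl (~8 minutes in the PR). The
// clock is injectable so expiry can be tested deterministically.
type tokenCache struct {
	mu       sync.Mutex
	ttl      time.Duration
	now      func() time.Time
	exchange func() (string, error) // the authn-jwt call; stubbed in tests
	token    string
	obtained time.Time
}

// Get returns the cached token while it is fresh, otherwise exchanges anew.
// An exchange failure is returned to the caller; the expired token is not reused.
func (c *tokenCache) Get() (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.token != "" && c.now().Sub(c.obtained) < c.ttl {
		return c.token, nil
	}
	tok, err := c.exchange()
	if err != nil {
		return "", err
	}
	c.token, c.obtained = tok, c.now()
	return tok, nil
}

// conjurJWTAuthenticator presents the cached token as a Bearer credential,
// the shape the PR describes for its RequestAuthenticator implementation.
type conjurJWTAuthenticator struct{ cache *tokenCache }

func (a *conjurJWTAuthenticator) Authenticate(req *http.Request) error {
	tok, err := a.cache.Get()
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+tok)
	return nil
}

func main() {
	cfg := AuthConfig{ServiceID: os.Getenv("DISCO_SERVICE_ID"), Username: os.Getenv("ARK_USERNAME"), Secret: os.Getenv("ARK_SECRET")}
	m, err := selectMethod(cfg, func(s string) { fmt.Fprintln(os.Stderr, "warning:", s) })
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("selected method:", m)
}
```

The point of the injectable clock is that the "both set" warning and the cache expiry are the two behaviours most likely to regress silently; a partially configured username/password pair falling through to the fail-closed branch is the edge case worth pinning in a unit test.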

…sword

Adds a workload-identity auth path: the agent reads a projected
ServiceAccount token, exchanges it at Secrets Manager SaaS (Conjur Cloud)
authn-jwt for a short-lived Conjur access token, and presents it as a
Bearer credential. The existing CyberArk Identity username/password login
is retained; the method is selected automatically by config:

  config.cyberark.serviceId set   -> Conjur JWT exchange (preferred)
  else ARK_USERNAME + ARK_SECRET  -> username/password (unchanged)
  both set                        -> serviceId wins
  neither                         -> fail closed

Only the token source changes, behind the existing
identity.RequestAuthenticator seam; dataupload, service discovery and the
upload pipeline are untouched.

- internal/cyberark/conjur: authn-jwt exchange, ~8m token cache, Bearer
- internal/cyberark/jwtsource: file source (projected SA token); spiffe deferred
- internal/cyberark/identity: username/password login retained (split into
  username_password.go), behaviour unchanged
- internal/cyberark/client.go: selectAuthenticator picks the method;
  NewRequestAuthenticator exposed for envelope/keyfetch
- internal/envelope/keyfetch: JWKS fetch uses the same authenticator selector
- pkg/agent/config.go: config.cyberark.* keys; service_id no longer mandatory
- deploy/charts/disco-agent: projected token volume (aud=conjur), config keys,
  optional ARK_USERNAME/ARK_SECRET; docs

Unit tests cover the four selection cases and the retained username/password
login.
2 participants