Address open questions + update POC

design/providers/kubernetes_secrets_storage_csi/conjur_csi_provider_poc/README.md

@@ -3,6 +3,7 @@
 This POC provides a basic implemtation of a provider for Secret Store CSI Driver.
 
 Here are the steps install and setup a Kubernetes in Docker cluster
+
 ```sh
 # Install kind
 # For AMD64 / x86_64
@@ -35,23 +36,169 @@ helm install secrets-store-csi-driver secrets-store-csi-driver \
 
 # Build container image for conjur-csi-provider 
 docker build -f - -t conjur-csi-provider . <<EOF
-FROM golang:1.17-alpine AS build
+FROM golang:1.20
 
 WORKDIR /app
 ADD . .
-RUN go build -o conjur-csi-provider
+RUN go build -o /conjur-csi-provider
 
-FROM alpine:latest
+ENTRYPOINT ["/conjur-csi-provider"]
+EOF
 
-WORKDIR /app
-COPY --from=build /app/conjur-csi-provider .
+# Build the CLI
+docker build -f - -t conjur-cli . <<EOF
+FROM golang:latest
 
-ENTRYPOINT ["./conjur-csi-provider"]
+COPY --from=cyberark/conjur-cli:8 /usr/local/bin/conjur /usr/local/bin/conjur
+
+ENTRYPOINT ["/usr/local/bin/conjur"]
 EOF
 
-# Load the image
+
+# Load the images
+kind load docker-image conjur-cli:latest
 kind load docker-image conjur-csi-provider:latest
 
+# Deploy Conjur
+CONJUR_NAMESPACE=conjur
+CONJUR_DATA_KEY="$(docker run --rm cyberark/conjur data-key generate)"
+HELM_RELEASE=conjur
+VERSION=2.0.6
+
+# Create Conjur namespace
+kubectl create namespace "$CONJUR_NAMESPACE"
+
+# Install Conjur
+helm install \
+   -n "$CONJUR_NAMESPACE" \
+   --set "dataKey=$CONJUR_DATA_KEY" \
+   --set logLevel="debug" \
+   --set "authenticators=authn\,authn-jwt/kube" \
+   "$HELM_RELEASE" \
+   https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v$VERSION/conjur-oss-$VERSION.tgz
+
+# Create Conjur account
+ls -la ./created_account > /dev/null 2>&1 > || kubectl exec --namespace conjur \
+            deployment/conjur-conjur-oss  \
+            --container=conjur-oss \
+            -- conjurctl account create "default" > created_account
+cat ./created_account
+
+# Run Conjur CLI
+kubectl run conjur-cli-pod --image=conjur-cli:latest --image-pull-policy=Never --namespace=conjur --command -- sleep infinity
+
+# Setup authenticator and secrets using Conjur CLI
+
+# Create files
+mkdir -p ./files
+# Create policy
+cat << EOL > ./files/policy.yml
+---
+
+- !host
+
+- !host 
+  id: kubernetes/applications/system:serviceaccount:default:default
+  annotations:
+    authn-jwt/kube/kubernetes.io/namespace: default
+
+- !host 
+  id: host1
+  annotations:
+    authn-jwt/kube/kubernetes.io/namespace: csi
+    authn-jwt/kube/kubernetes.io/serviceaccount/name: default
+
+- !variable secretVar
+
+- !permit
+  # Give permissions to the human user to update the secret and fetch the secret.
+  role: !host /host1
+  privileges: [read, update, execute]
+  resource: !variable secretVar
+
+# This policy defines a JWT authenticator to be used with Kubernetis cluster
+- !policy
+  id: conjur/authn-jwt/kube
+  body:
+  - !webservice
+
+  # Uncomment one of following variables depending on the public availability
+  # of the Service Account Issuer Discovery service in Kubernetes 
+  # If the service is publicly available, uncomment 'jwks-uri'.
+  # If the service is not available, uncomment 'public-keys'
+
+  # - !variable
+  #   id: jwks-uri
+
+  - !variable
+    id: public-keys
+
+  # This variable tells Conjur which claim in the JWT to use to determine the conjur host identity.
+  # - !variable
+  #   id: token-app-property # Most likely set to "sub" for Kubernetes
+
+  # This variable is used with token-app-property. This variable will hold the conjur policy path that contains the conjur host identity found by looking at the claim entered in token-app-property.
+  # - !variable
+  #   id: identity-path
+
+  # Uncomment ca-cert if the JWKS website cert isn't trusted by conjur
+
+  # - !variable
+  #   id: ca-cert
+
+  # This variable contains what "iss" in the JWT.
+  - !variable
+    id: issuer
+  
+  # This variable contains what "aud" is the JWT.
+  # - !variable
+  #   id: audience
+  
+  - !permit
+    role: !host /kubernetes/applications/system:serviceaccount:default:default
+    privilege: [ read, authenticate ]
+    resource: !webservice
+
+  - !permit
+    role: !host /host1
+    privilege: [ read, authenticate ]
+    resource: !webservice
+EOL
+
+# Get values required by authn-jwt authenticator and store to files
+kubectl get --raw /.well-known/openid-configuration | jq -r .issuer > ./files/issuer
+echo '{"type": "jwks", "value": '$(kubectl get --raw /openid/v1/jwks)' }' > ./files/jwks
+
+# Copy files into CLI container
+kubectl -n "${CONJUR_NAMESPACE}" cp ./files conjur-cli-pod:/files -c conjur-cli-pod
+
+# Exec into CLI container
+kubectl -n "${CONJUR_NAMESPACE}" exec -it conjur-cli-pod bash
+
+# Run this script manually
+echo "
+# Initialise CLI and login
+conjur init -u https://conjur-conjur-oss.conjur.svc.cluster.local -a "default" --self-signed
+conjur login -i admin
+
+# Apply policy
+conjur policy replace -b root -f ./policy.yml
+
+# Inspect resources
+# conjur list
+# conjur resource show default:host:host1
+
+# Set secret value
+conjur variable set -i secretVar -v something-super-secret
+
+# Set variable values on authenticator
+conjur variable set -i conjur/authn-jwt/kube/public-keys -v $(cat /files/jwks)
+conjur variable set -i conjur/authn-jwt/kube/issuer -v $(cat /files/issuer)
+
+# Validate authenticator
+curl -v -k --request POST 'https://conjur-conjur-oss.conjur.svc.cluster.local/authn-jwt/kube/default/host%2Fhost1/authenticate' --header 'Content-Type: application/x-www-form-urlencoded' --header 'Accept-Encoding: base64' --data-urlencode 'jwt='$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+"
+
 # Remove app and provider
 # kubectl delete pod --force app conjur-csi-provider
 

design/providers/kubernetes_secrets_storage_csi/conjur_csi_provider_poc/go.mod

@@ -3,15 +3,24 @@ module conjur_csi_provider_poc
 go 1.20
 
 require (
+	github.com/cyberark/conjur-api-go v0.11.1
 	google.golang.org/grpc v1.56.0
 	sigs.k8s.io/secrets-store-csi-driver v1.3.4
 )
 
 require (
+	github.com/alessio/shellescape v1.4.1 // indirect
+	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+	github.com/danieljoos/wincred v1.1.2 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/zalando/go-keyring v0.2.3-0.20230503081219-17db2e5354bd // indirect
 	golang.org/x/net v0.9.0 // indirect
-	golang.org/x/sys v0.7.0 // indirect
+	golang.org/x/sys v0.8.0 // indirect
 	golang.org/x/text v0.9.0 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 )

design/providers/kubernetes_secrets_storage_csi/conjur_csi_provider_poc/go.sum

@@ -1,12 +1,42 @@
+github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=
+github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
+github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas=
+github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cyberark/conjur-api-go v0.11.1 h1:vjaMkw0geJsA+ikMM6UDLg4VLFQWKo/B0i9IWlOQ1f0=
+github.com/cyberark/conjur-api-go v0.11.1/go.mod h1:n1p46Hj9l8wkZjM17cVYdfcatyPboWyioLGlC0QszCs=
+github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0=
+github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
+github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.3.0 h1:NGXK3lHquSN08v5vWalVI/L8XU9hdzE/G6xsrze47As=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/zalando/go-keyring v0.2.3-0.20230503081219-17db2e5354bd h1:D+eeEnOlWcMXbwZ5X3oy68nHafBtGcj1jMKFHtVdybY=
+github.com/zalando/go-keyring v0.2.3-0.20230503081219-17db2e5354bd/go.mod h1:sI3evg9Wvpw3+n4SqplGSJUMwtDeROfD4nsFz4z9PG0=
 golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
-golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -18,5 +48,11 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 sigs.k8s.io/secrets-store-csi-driver v1.3.4 h1:rCMOb2I4lJaN6sw0CjT6YHA8ts2yscWAOBGu0EaCIWk=
 sigs.k8s.io/secrets-store-csi-driver v1.3.4/go.mod h1:jh6wML45aTbxT2YZtU4khzSm8JYxwVrQbhsum+WR6j8=