
Better handling of malformed Kubernetes service account token for Kubernetes authenticator

Open doodlesbykumbi opened this issue 3 years ago • 0 comments

Is your feature request related to a problem? Please describe.

We collect the service account token from a file (from the Pod) or from a Conjur variable. It’s possible that when people set the value as a Conjur variable (or otherwise) they’ll add newlines around the value without knowing how it could impact the authenticator. The service account token value is directly used in the auth header on HTTP requests to the Kubernetes API. There’s no sanitisation done, see https://github.com/cyberark/conjur/blob/master/app/domain/authentication/authn_k8s/k8s_object_lookup.rb#L30. Headers are not allowed to have carriage returns or line feeds, and so the user unfortunate enough to hit this issue will, when authenticating, get the tough-to-debug error:

host failed to inject client certificate with authenticator authn-k8s service account:webservice:conjur/authn-k8s/<redacted>: header field value cannot include CR/LF

Describe the solution you would like

TBC

Describe alternatives you have considered

There are a few things that come to mind to address this:

  1. Add this to the docs and troubleshooting
  2. Update the authenticator to trim carriage returns and line feeds from the token, warn and try to use the trimmed token
  3. Validate token format on write (if possible) and give users early precise feedback about what’s wrong
  4. Validate token format on authentication and provide a clearer message than what HTTP does

Additional context

Issue seen and reported at https://discuss.cyberarkcommons.org/t/k8s-authenticator-failing-while-trying-to-inject-client-cert/1464.

doodlesbykumbi, Oct 06 '21 11:10
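Alternatives 2 and 4 above, as an added example that is not Conjur's code: surrounding CR/LF is trimmed from the token with a warning, then the token is checked for the shape of a bearer/JWT value before it could reach an HTTP header. The sample token, the method names and the error messages are constructed for this example and are not taken from the authenticator.

```ruby
require 'base64'
require 'json'

class InvalidServiceAccountToken < StandardError; end

# Constructed sample: a JWT-shaped token with the header/claims a Kubernetes
# service account token carries (the signature is a placeholder, not real).
SAMPLE_TOKEN = [
  Base64.urlsafe_encode64('{"alg":"RS256","typ":"JWT"}', padding: false),
  Base64.urlsafe_encode64('{"iss":"kubernetes/serviceaccount"}', padding: false),
  Base64.urlsafe_encode64('placeholder-signature', padding: false)
].join('.')

# Alternative 2: strip surrounding whitespace (including the CR/LF a user may
# have added when storing the token in a Conjur variable) and report what was
# removed so the authenticator can log a warning instead of failing later.
def trim_service_account_token(raw)
  trimmed = raw.strip
  removed = raw.length - trimmed.length
  warning = removed.zero? ? nil : "trimmed #{removed} whitespace/newline characters from service account token"
  [trimmed, warning]
end

# Alternative 4: validate the token before it reaches the HTTP client so the
# error names the actual defect rather than "header field value cannot include CR/LF".
# Checks: non-empty, no CR/LF, no other whitespace/control characters, and a
# JWT shape (three base64url segments whose first segment is a JSON header).
def validate_service_account_token!(token)
  raise InvalidServiceAccountToken, 'token is empty' if token.empty?
  raise InvalidServiceAccountToken, 'token contains CR/LF characters' if token.match?(/[\r\n]/)
  raise InvalidServiceAccountToken, 'token contains whitespace or control characters' if token.match?(/[[:space:][:cntrl:]]/)
  parts = token.split('.', -1)
  unless parts.length == 3 && parts.all? { |p| p.match?(/\A[A-Za-z0-9_-]+\z/) }
    raise InvalidServiceAccountToken, 'token is not JWT-shaped (expected 3 base64url segments)'
  end
  header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
  raise InvalidServiceAccountToken, 'JWT header has no "alg"' unless header.is_a?(Hash) && header.key?('alg')
  token
rescue JSON::ParserError, ArgumentError
  raise InvalidServiceAccountToken, 'JWT header is not valid base64url JSON'
end

# Trim first, then validate: returns [token, warning_or_nil] or raises with a precise message.
def prepare_service_account_token(raw)
  token, warning = trim_service_account_token(raw)
  validate_service_account_token!(token)
  [token, warning]
end
```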