Unable to use host id-based k8s authentication with container name annotation

[micahlee]

Summary

In the k8s authenticator, if the authenticator container is defined as authn-k8s/authentication-container-name: authenticator, but the host still uses host id-based authentication, rather than annotation-based, then the inject-client-cert request will fail with:

CONJ00045E Host does not have a namespace constraint

This is because the check for annotation-based authentication only checks for the authn-k8s/ prefix, rather than the presence of specific identification annotions:

conjur/app/domain/authentication/authn_k8s/application_identity.rb

Lines 211 to 213 in cc532b9

	def application_identity_in_annotations?
	@application_identity_in_annotations ||= @host_annotations.select { |a| a.values[:name].start_with?("authn-k8s/") }.any?
	end

Expected Results

Annotation-based authentication should check for the specific presence of the allowed identity annotations defined in:

conjur/app/domain/authentication/authn_k8s/application_identity.rb

Lines 193 to 196 in cc532b9

	def permitted_constraints
	@permitted_constraints ||= %w(
	namespace service_account pod deployment stateful_set deployment_config
	)

A clear and concise description of what you expected to happen.