From 5c40b8dc5916933fc0a2fc5711e829c8613e2e97 Mon Sep 17 00:00:00 2001 
From: Ofira Burstein Date: Mon, 17 Feb 2020 15:22:16 +0200 Subject: [PATCH] adding Java SDK client example and scripts to run it on openshift --- demos/java-api-client/Dockerfile | 4 + demos/java-api-client/README.md | 8 + demos/java-api-client/build.sh | 76 +++++++ demos/java-api-client/pom.xml | 69 ++++++ .../java/com/cyberark/example/JavaClient.java | 62 ++++++ demos/openshift-install/README.md | 36 ++++ demos/openshift-install/cleanup.sh | 18 ++ demos/openshift-install/conjur-cli.yaml | 27 +++ .../conjur_scripts/cert_script.sh | 31 +++ demos/openshift-install/docker-compose.yml | 16 ++ demos/openshift-install/installer.sh | 200 ++++++++++++++++++ .../java-client-installer.sh | 136 ++++++++++++ .../templates/conjur-java-api-example.yaml | 98 +++++++++ .../templates/custom-values.yaml | 15 ++ .../templates/policy-for-variables.yaml | 12 ++ .../templates/policy-for-webservice.yaml | 30 +++ .../policy-hosts-to-authenticate.yaml | 22 ++ 17 files changed, 860 insertions(+) create mode 100644 demos/java-api-client/Dockerfile create mode 100644 demos/java-api-client/README.md create mode 100755 demos/java-api-client/build.sh create mode 100644 demos/java-api-client/pom.xml create mode 100644 demos/java-api-client/src/main/java/com/cyberark/example/JavaClient.java create mode 100644 demos/openshift-install/README.md create mode 100755 demos/openshift-install/cleanup.sh create mode 100644 demos/openshift-install/conjur-cli.yaml create mode 100755 demos/openshift-install/conjur_scripts/cert_script.sh create mode 100755 demos/openshift-install/docker-compose.yml create mode 100755 demos/openshift-install/installer.sh create mode 100755 demos/openshift-install/java-client-installer.sh create mode 100644 demos/openshift-install/templates/conjur-java-api-example.yaml create mode 100644 demos/openshift-install/templates/custom-values.yaml create mode 100644 demos/openshift-install/templates/policy-for-variables.yaml create mode 100644 
demos/openshift-install/templates/policy-for-webservice.yaml create mode 100644 demos/openshift-install/templates/policy-hosts-to-authenticate.yaml
diff --git a/demos/java-api-client/Dockerfile b/demos/java-api-client/Dockerfile
new file mode 100644
index 00000000..16b260b7
--- /dev/null
+++ b/demos/java-api-client/Dockerfile
@@ -0,0 +1,4 @@
+FROM openjdk:8-jre-alpine
+ADD target/ConjurJavaClient-1.0-SNAPSHOT-with-dependencies.jar ConjurJavaClient-1.0-SNAPSHOT-with-dependencies.jar
+ENTRYPOINT ["java", "-jar", "ConjurJavaClient-1.0-SNAPSHOT-with-dependencies.jar"]
+
diff --git a/demos/java-api-client/README.md b/demos/java-api-client/README.md
new file mode 100644
index 00000000..bae227ed
--- /dev/null
+++ b/demos/java-api-client/README.md
@@ -0,0 +1,8 @@
+Instructions for building java client
+-------------------------------------
+
+For compiling java test application please run: ./build.sh
+Java SDK API fat jar will appear in the directory and docker image of the client application will be available
+In addition, JAVA API SDK fat jar will be installed in local maven repository and will be usable for other applications
+For Running this application on openshift please look for instructions in ../openshift-install/README.txt
+
diff --git a/demos/java-api-client/build.sh b/demos/java-api-client/build.sh
new file mode 100755
index 00000000..de6be5c3
--- /dev/null
+++ b/demos/java-api-client/build.sh
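Review bot: The jar is brought in with `ADD` and the final image never leaves root, so the Java process runs as uid 0 inside the pod; for a plain local file `COPY` is the explicit instruction, and the process should drop to an unprivileged user that exists in the Alpine base. Suggested lines: `COPY --chown=nobody:nobody target/ConjurJavaClient-1.0-SNAPSHOT-with-dependencies.jar /app/ConjurJavaClient-1.0-SNAPSHOT-with-dependencies.jar`, `USER nobody`, `ENTRYPOINT ["java", "-jar", "/app/ConjurJavaClient-1.0-SNAPSHOT-with-dependencies.jar"]`. The jar is currently placed at the filesystem root because no `WORKDIR` is set; a comment stating that the truststore and access token are expected under /run/conjur (mounted by the pod spec) would help readers who only see this file.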
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+set -e
+#set -x
+
+function validate_app {
+ APPNAME=$1
+ CHECK_APP=$( which $APPNAME )
+ if [ -z "$CHECK_APP" ]
+ then
+ echo "Please install $APPNAME"
+ exit 1
+ fi
+}
+
+validate_app git
+validate_app mvn
+validate_app docker
+
+COMMAND=$0
+echo "$COMMAND"
+suffix="/build.sh";
+HOME_DIR=${COMMAND%$suffix};
+pushd $HOME_DIR
+
+rm -rf target
+rm -rf conjur-api-java
+
+echo "Cloning Conjur Java SDK repository from Github"
+
+git clone https://github.com/cyberark/conjur-api-java.git
+
+if [ ! -d "./conjur-api-java" ]
+then
+ echo "Git clone failed"
+ exit 1
+fi
+
+BRANCH_NAME=$( git rev-parse --abbrev-ref HEAD )
+
+git checkout $BRANCH_NAME
+
+pushd conjur-api-java
+
+echo "Building Conjur Java SDK JAR"
+
+mvn install -DskipTests -Dmaven.javadoc.skip=true
+
+popd
+
+API_JAR_NAME=$( ls conjur-api-java/target/*with-dependencies.jar | grep conjur-api )
+echo "API_JAR_NAME=$API_JAR_NAME"
+if [ -z $API_JAR_NAME ]
+then
+ echo "Maven install Conjur Java SDK jar failed"
+ exit 1
+fi
+
+VERSION=$( echo "$API_JAR_NAME"| cut -d'/' -f 3 | cut -d'-' -f 3 )
+
+echo "Installing Conjur Java SDK JAR to Maven Repo"
+
+mvn install:install-file -Dfile=conjur-api-java/target/conjur-api-$VERSION-with-dependencies.jar -DgroupId=net.conjur.api -DartifactId=conjur-api -Dversion=$VERSION -Dpackaging=jar
+
+echo "Build Conjur Java Client Example"
+mvn install -Dconjur-api-version=2.1.0
+
+cp conjur-api-java/target/conjur-api-2.1.0-with-dependencies.jar .
+
+rm -rf conjur-api-java
+
+echo "Creating docker image of Conjur Java Client Example"
+docker build -f Dockerfile -t conjur-java-client .
+
+docker images | grep conjur-java-client
+
diff --git a/demos/java-api-client/pom.xml b/demos/java-api-client/pom.xml
new file mode 100644
index 00000000..341965e6
--- /dev/null
+++ b/demos/java-api-client/pom.xml
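Review bot: `git clone https://github.com/cyberark/conjur-api-java.git` builds whatever the SDK's default branch head is on the day the script runs, while `mvn install -Dconjur-api-version=2.1.0` and `cp conjur-api-java/target/conjur-api-2.1.0-with-dependencies.jar .` assume version 2.1.0, so the build is not reproducible and the `cp` breaks as soon as upstream bumps its pom. Pin the clone to the release matching the hard-coded version, e.g. `git clone --depth 1 --branch <release-tag-for-2.1.0> https://github.com/cyberark/conjur-api-java.git`, and use `$VERSION` (already computed from the jar name) in those two lines instead of the literal. `BRANCH_NAME=$( git rev-parse --abbrev-ref HEAD )` followed by `git checkout $BRANCH_NAME` runs in the outer repository rather than in the clone, so it checks out the branch that is already checked out and can be removed. `[ -z $API_JAR_NAME ]` should quote the variable, `[ -z "$API_JAR_NAME" ]`, as the earlier `validate_app` check already does.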
@@ -0,0 +1,69 @@ + + + 4.0.0 + + 2.1.0 + + com.cyberark.example + ConjurJavaClient + 1.0-SNAPSHOT + + + net.conjur.api + conjur-api + ${conjur-api-version} + + + + + maven-compiler-plugin + 2.3.2 + + 1.6 + 1.6 + + + + + org.apache.maven.plugins + maven-surefire-plugin + 2.20 + + + ${env.CONJUR_ACCOUNT} + ${env.CONJUR_APPLIANCE_URL} + ${env.CONJUR_AUTHN_LOGIN} + + + + + + org.apache.maven.plugins + maven-shade-plugin + + + + shade + + + with-dependencies + true + + + com.cyberark.example.JavaClient + + + META-INF/cxf/bus-extensions.txt + + + + + + + + + + diff --git a/demos/java-api-client/src/main/java/com/cyberark/example/JavaClient.java b/demos/java-api-client/src/main/java/com/cyberark/example/JavaClient.java new file mode 100644 index 00000000..5189d67d --- /dev/null +++ b/demos/java-api-client/src/main/java/com/cyberark/example/JavaClient.java 
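Review bot: The `maven-shade-plugin` declaration appears to carry no version (the page shows the pom without its tags, so this is inferred from the remaining values: `maven-compiler-plugin` has `2.3.2` and `maven-surefire-plugin` has `2.20`, the shade plugin has nothing), which makes the fat-jar build depend on whatever plugin version Maven resolves by default; pin it like the other two. The compiler plugin targets source/target `1.6` while the Dockerfile runs the jar on a JRE 8 base; if 1.6 is not deliberate, `1.8` avoids compiling against a retired language level. The surefire configuration reads `${env.CONJUR_ACCOUNT}`, `${env.CONJUR_APPLIANCE_URL}` and `${env.CONJUR_AUTHN_LOGIN}`, and build.sh does not skip tests for this module, so a one-line comment naming those environment variables would tell a developer what `./build.sh` needs from the shell.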
@@ -0,0 +1,62 @@ +package com.cyberark.example; + +import net.conjur.api.Conjur; +import net.conjur.api.Token; + +import java.io.FileOutputStream; +import java.io.PrintWriter; + +import java.io.File; +import java.nio.file.Paths; + +public class JavaClient { + + private static String truststoreFileName = "/run/conjur/truststore.jks"; + + private static void initialize() + { + System.setProperty("javax.net.ssl.trustStore", truststoreFileName); + System.setProperty("javax.net.ssl.trustStorePassword", "changeit"); + System.setProperty("CONJUR_ACCOUNT", System.getenv("CONJUR_ACCOUNT")); + if (System.getenv("CONJUR_AUTHN_LOGIN") != null) + { + System.setProperty("CONJUR_AUTHN_LOGIN", System.getenv("CONJUR_AUTHN_LOGIN")); + } + System.setProperty("CONJUR_APPLIANCE_URL", System.getenv("CONJUR_APPLIANCE_URL")); + } + + private static void enterPending() + { + try + { + Thread.sleep(500000); + } + catch (Exception e) + { + System.out.println("Timer Exception:" + e); + } + } + + public static void main(String args[]) + { + System.out.println("Running Conjur Java SDK Example"); + initialize(); + Token token = null; + try + { + System.out.println("CONJUR_AUTHN_TOKEN_FILE = " + System.getenv("CONJUR_AUTHN_TOKEN_FILE")); + token = Token.fromFile(Paths.get(System.getenv("CONJUR_AUTHN_TOKEN_FILE"))); + } + catch (Exception e) + { + System.out.println("Exception:" + e); + return; + } + System.out.println("Create Conjur API Instance"); + Conjur conjur = new Conjur(token); + String secret = conjur.variables().retrieveSecret("variables/mypassword"); + System.out.println("Retrieved secret = " + secret); + enterPending(); + } + +} diff --git a/demos/openshift-install/README.md b/demos/openshift-install/README.md new file mode 100644 index 00000000..9e111e99 --- /dev/null +++ b/demos/openshift-install/README.md 
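Review bot: `System.setProperty("CONJUR_ACCOUNT", System.getenv("CONJUR_ACCOUNT"))` and the `CONJUR_APPLIANCE_URL` line in `initialize()` throw a `NullPointerException` when the environment variable is unset, because `System.setProperty` rejects a null value; only `CONJUR_AUTHN_LOGIN` is guarded, so guard all three the same way or exit with a message naming the missing variable. In `main`, `System.out.println("Retrieved secret = " + secret)` writes the secret value into the container log, which the openshift README then tells the reader to inspect with `oc logs`; printing a confirmation such as `System.out.println("Retrieved secret (" + secret.length() + " chars)")` demonstrates success without persisting the value in log storage. `enterPending()` sleeps for a fixed 500000 ms with no explanation; a comment like `// keep the pod alive so its logs can be inspected` would state the intent. The `javax.net.ssl.trustStorePassword` value `changeit` is the default for a JKS that holds only the CA certificate, so a comment saying it protects integrity rather than confidentiality would pre-empt questions.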
@@ -0,0 +1,36 @@
+Explanations:
+-------------
+The purpose of this demo is to install Conjur on existing OpenShift environment and then run Java Client on top of it
+The environent contains 4 pods each with up to 2 containers inside
+Pod #1: Postgres
+Pod #2: Conjur + Nginx
+Pod #3: Conjur CLI
+Pod #4: Conjur authenticator client + Java Client
+
+Local Prerequisites:
+--------------------
+Git - git version 2.24.1
+Maven - Apache Maven 3.6.3
+Java SDK / JRE - openjdk version "1.8.0_232"
+MAC OS Catalina - Version 10.15.1 (19076)
+OpenShift client installed on MAC
+
+External Prerequisites:
+-----------------------
+A GitHub user for GitHub environment
+OpenShift - oc v3.11.0+0cbc58b
+ kubernetes v1.11.0+d4cacc0
+ features: Basic-Auth
+
+Commands:
+---------
+1. **Building Java Client:** cd /conjur-intro/demos/java-api-client
+ ./build.sh
+2. **Installing Conjur and Conjur-CLI on OpenShift:** /conjur-intro/demos/openshift-install
+ ./installer.sh --with-config --ocp-url : --project-name --account-name --authenticator
+3. **Verify that all pods are up and running by:** oc get pods
+4. **Installing and running java client opn Open Shift:** ./java-client-installer.sh --ocp-url : --docker-url --project-name --account-name --authenticator
+5. **Verify that all pods are up and running by:** oc get pods
+6. **Checking output of Java client container on pod #4:** oc logs -c my-conjur-java-client
+ It should show that secret was retrieved properly
+
diff --git a/demos/openshift-install/cleanup.sh b/demos/openshift-install/cleanup.sh
new file mode 100755
index 00000000..8829175b
--- /dev/null
+++ b/demos/openshift-install/cleanup.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+#set -x
+#set -e
+
+function validate_app {
+ APPNAME=$1
+ CHECK_APP=$( which $APPNAME )
+ if [ -z "$CHECK_APP" ]
+ then
+ echo "Please install $APPNAME"
+ exit 1
+ fi
+}
+
+validate_app oc
+
+oc delete project $1
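Review bot: `oc delete project $1` removes whichever project name is passed with no validation and an unquoted argument, and with `set -e` commented out a missing argument is not reported as a failure. Add `if [ -z "$1" ]; then echo "usage: cleanup.sh <project-name>"; exit 1; fi` before the delete and quote it as `oc delete project "$1"`. Since deleting the project removes every pod, configmap and secret inside it, a one-line comment at the top saying this tears down the whole demo project (Conjur, its database, the CLI pod and the Java client) would set expectations for anyone who runs it.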
diff --git a/demos/openshift-install/conjur-cli.yaml b/demos/openshift-install/conjur-cli.yaml new file mode 100644 index 00000000..7897361d --- /dev/null +++ b/demos/openshift-install/conjur-cli.yaml @@ -0,0 +1,27 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: conjur-cli + labels: + app: conjur-cli +spec: + replicas: 1 + selector: + matchLabels: + app: conjur-cli + template: + metadata: + name: conjur-cli + labels: + app: conjur-cli + spec: + serviceAccountName: default + containers: + - name: conjur-cli + image: cyberark/conjur-cli:5-latest + imagePullPolicy: IfNotPresent + command: ["sleep"] + args: ["infinity"] + imagePullSecrets: + - name: dockerpullsecret diff --git a/demos/openshift-install/conjur_scripts/cert_script.sh b/demos/openshift-install/conjur_scripts/cert_script.sh new file mode 100755 index 00000000..8238e53e --- /dev/null +++ b/demos/openshift-install/conjur_scripts/cert_script.sh @@ -0,0 +1,31 @@ +#!/bin/bash +set -e +AUTHENTICATOR_ID=$2 +CONJUR_ACCOUNT=$1 + +# Generate OpenSSL private key +openssl genrsa -out ca.key 2048 + +CONFIG=" +[ req ] +distinguished_name = dn +x509_extensions = v3_ca +[ dn ] +[ v3_ca ] +basicConstraints = critical,CA:TRUE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +" + +# Generate root CA certificate +openssl req -x509 -new -nodes -key ca.key -sha1 -days 3650 -set_serial 0x0 -out ca.cert \ + -subj "/CN=conjur.authn-k8s.$AUTHENTICATOR_ID/OU=Conjur Kubernetes CA/O=$CONJUR_ACCOUNT" \ + -config <(echo "$CONFIG") + +# Verify cert +openssl x509 -in ca.cert -text -noout &> /dev/null + +# Load variable values +conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/ca/key "$(cat ca.key)" +conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/ca/cert "$(cat ca.cert)" + diff --git a/demos/openshift-install/docker-compose.yml b/demos/openshift-install/docker-compose.yml new file mode 100755 index 00000000..f2f74369 --- /dev/null 
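Review bot: `image: cyberark/conjur-cli:5-latest` is a floating tag combined with `imagePullPolicy: IfNotPresent`, so each node keeps whatever CLI build it cached and two runs of the demo can use different versions; pin a release tag or digest. `imagePullSecrets: - name: dockerpullsecret` references a secret that nothing in this commit creates (installer.sh runs `oc create -f conjur-cli.yaml` directly), so either document how it is provisioned or drop it if the public image needs no credentials. The pod runs `sleep infinity` under the `default` service account, which installer.sh extends with the `anyuid` SCC; a comment noting that this pod is a throwaway admin workstation that will hold the loaded policy files would help readers judge what it has access to.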
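Review bot: `openssl req -x509 -new -nodes -key ca.key -sha1 ...` signs the authn-k8s CA certificate with SHA-1, which current validators reject or treat as weak; use `-sha256`. After `conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/ca/key "$(cat ca.key)"` the private key remains on the CLI pod filesystem as `ca.key`; remove it once loaded, `rm -f ca.key ca.cert`. `-set_serial 0x0` gives the CA a serial number of zero, which some validators flag; omitting the option lets OpenSSL pick a random serial. The positional assignments `AUTHENTICATOR_ID=$2` and `CONJUR_ACCOUNT=$1` are easy to swap when calling the script, so a usage comment `# usage: cert_script.sh <conjur-account> <authenticator-id>` at the top would help.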
+++ b/demos/openshift-install/docker-compose.yml @@ -0,0 +1,16 @@ +version: '2' +services: + + database: + image: postgres:9.4 + container_name: postgres_database + + conjur: + image: cyberark/conjur + container_name: conjur_server + command: server + environment: + DATABASE_URL: postgres://postgres@database/postgres + CONJUR_DATA_KEY: + depends_on: [ database ] + diff --git a/demos/openshift-install/installer.sh b/demos/openshift-install/installer.sh new file mode 100755 index 00000000..2faa3819 --- /dev/null +++ b/demos/openshift-install/installer.sh 
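Review bot: `image: cyberark/conjur` has no tag, so the `docker-compose run --no-deps --rm conjur data-key generate` call in installer.sh executes whatever `latest` resolves to at that moment; pin it to the same Conjur version the Helm values deploy so the generated key stays in step with the server. Because the installer only ever invokes the `conjur` service with `--no-deps`, the `database` service (`postgres:9.4`, an end-of-life release) and `DATABASE_URL` are never used by anything in this commit; a comment such as `# only used by installer.sh to run 'conjur data-key generate'; not a runnable stack` would prevent readers from treating this as a deployable compose file. `CONJUR_DATA_KEY:` being empty is fine for key generation but is worth marking as deliberate.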
@@ -0,0 +1,200 @@ +#!/bin/bash + +#set -x +set -e + +OPENSHIFT_URL= +PROJECT_NAME= +ACCOUNT_NAME=myaccount +AUTHENTICATOR=myauthenticator + +function validate_app { + APPNAME=$1 + CHECK_APP=$( which $APPNAME ) + if [ -z "$CHECK_APP" ] + then + echo "Please install $APPNAME" + exit 1 + fi +} + +function validate { + validate_app helm + validate_app oc + validate_app docker + validate_app docker-compose + validate_app awk + validate_app openssl + validate_app keytool +} + +function install { + + oc login $OPENSHIFT_URL + oc adm prune images + echo "Creating project $PROJECT_NAME" + + oc new-project $PROJECT_NAME + + TOKEN=$( oc whoami -t ) + + DATA_KEY=$( docker-compose run --no-deps --rm conjur data-key generate ) + + oc get is + echo "Installing Conjur OSS application on OpenShift" + oc delete ClusterRole conjur-oss-conjur-authenticator --ignore-not-found + oc delete ClusterRoleBinding conjur-oss-conjur-authenticator --ignore-not-found + + + cat templates/custom-values.yaml | sed s/'{{ AUTHENTICATOR }}'/$AUTHENTICATOR/g | sed s/'{{ ACCOUNT_NAME }}'/$ACCOUNT_NAME/g > custom-values.yaml.tmp + + cat custom-values.yaml.tmp | awk "{gsub(/{{ DATA_KEY }}/,\"$DATA_KEY\")}1" > custom-values.yaml + rm -rf custom-values.yaml.tmp + ##cat custom-values.yaml + echo "Installing conjur-oss" + helm install conjur-oss -f custom-values.yaml https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v1.3.8/conjur-oss-1.3.8.tgz &> /dev/null + echo "Installation done" + oc adm policy add-scc-to-user anyuid "system:serviceaccount:$PROJECT_NAME:default" &> /dev/null + + CONJUR_OSS_POD_LINE=$( oc get pods | grep conjur-oss | (head -n1 && tail -n1) ) + + CONJUR_OSS_POD=$( echo "$CONJUR_OSS_POD_LINE" | awk '{print $1}' ) + + for i in {1..50} + do + CONTAINERS_STATUS=$( oc get pods | grep conjur-oss | (head -n1 && tail -n1) | awk '{print $2}' ) + + if [ "$CONTAINERS_STATUS" == "2/2" ]; then + break + fi + echo "Waiting for conjur pod to be up..." 
+ sleep 2 + done + + oc get pods + + if [ "$CONTAINERS_STATUS" != "2/2" ]; then + echo "Conjur pod did not come up properly - exiting" + exit 1 + fi + + echo "Create account" + CONJUR_OUTPUT_INIT=$( oc exec "$CONJUR_OSS_POD" --container=conjur-oss conjurctl account create $ACCOUNT_NAME ) + API_KEY=$( echo "$CONJUR_OUTPUT_INIT" | grep "API key" | awk '{print $5}' ) + echo "Create CLI pod" + oc create -f conjur-cli.yaml + +} + +function config { + + echo "Creating basic configuration to Conjur" + CONJUR_CLI_POD=$( oc get pods | grep conjur-cli | (head -n1 && tail -n1) | cut -f 1 -d " " ) + + mkdir -p policy + + echo -e "admin\n$API_KEY" > policy/authnInput + + cat templates/policy-hosts-to-authenticate.yaml | sed s/'{{ AUTHENTICATOR }}'/$AUTHENTICATOR/g | sed s/'{{ PROJECT_NAME }}'/$PROJECT_NAME/g > policy/policy-hosts-to-authenticate.yaml + + cat templates/policy-for-webservice.yaml | sed s/'{{ AUTHENTICATOR }}'/$AUTHENTICATOR/g > policy/policy-for-webservice.yaml + + cat templates/policy-for-variables.yaml | sed s/'{{ AUTHENTICATOR }}'/$AUTHENTICATOR/g | sed s/'{{ PROJECT_NAME }}'/$PROJECT_NAME/g > policy/policy-for-variables.yaml + + echo "Load conjur policy" + + oc rsync policy "$CONJUR_CLI_POD":/ + oc rsync conjur_scripts "$CONJUR_CLI_POD":/ + + oc exec -it "$CONJUR_CLI_POD" conjur init <<< "https://conjur-oss +yes +$ACCOUNT_NAME +y +" + oc exec -it "$CONJUR_CLI_POD" conjur authn login < policy/authnInput + + oc exec -it "$CONJUR_CLI_POD" conjur policy load root policy/policy-hosts-to-authenticate.yaml + oc exec -it "$CONJUR_CLI_POD" conjur policy load root policy/policy-for-webservice.yaml + oc exec -it "$CONJUR_CLI_POD" conjur policy load root policy/policy-for-variables.yaml + oc exec -it "$CONJUR_CLI_POD" conjur variable values add variables/mypassword 123 + + echo "Create certificate" + oc exec -it "$CONJUR_CLI_POD" ./conjur_scripts/cert_script.sh $ACCOUNT_NAME $AUTHENTICATOR + oc exec -it "$CONJUR_CLI_POD" cat /root/conjur-$ACCOUNT_NAME.pem > 
conjur-cert.pem + oc delete --ignore-not-found=true configmap conjur-cert + ssl_certificate=$(cat conjur-cert.pem ) + oc create configmap conjur-cert --from-literal=ssl-certificate="$ssl_certificate" + + oc delete --ignore-not-found=true configmap conjur-cert-java + oc create configmap conjur-cert-java --from-file=ssl-certificate=conjur-cert.pem +} + +usage() +{ + cat << EOF + + Installs Conjur with Conjut CLI on OpenShift + + Usage: installer.sh [options] + + -h, --help Shows this help message + --ocp-url OpenShift URL (mandatory) + --with-config Basic configuration should be added + --project-name OpenShift project name (mandatory) + --account-name Conjur account name (mandatory) + --authenticator Conjur authenticator (mandatory) +EOF +} + +DO_CONFIG=0 +while [ "$1" != "" ]; do + case $1 in + --with-config ) DO_CONFIG=1 + ;; + --ocp-url ) shift + OPENSHIFT_URL=$1 + ;; + --project-name ) shift + PROJECT_NAME=$1 + ;; + --account-name ) shift + ACCOUNT_NAME=$1 + ;; + --authenticator ) shift + AUTHENTICATOR=$1 + ;; + -h | --help ) usage + exit + ;; + * ) usage + exit 1 + esac + shift +done + +if [ "$OPENSHIFT_URL" == "" ]; then + echo "Missing value in --ocp-url - exiting" + exit 1 +fi + +if [ "$PROJECT_NAME" == "" ]; then + echo "Missing value in --project-name - exiting" + exit 1 +fi + +validate + +install + +if [ "$DO_CONFIG" == "1" ]; then + config +fi + +#rm -rf conjur-cert.crt +#rm -rf conjur-cert.pem +rm -rf custom-values.yaml +rm -rf policy + +echo "Installation done" + + diff --git a/demos/openshift-install/java-client-installer.sh b/demos/openshift-install/java-client-installer.sh new file mode 100755 index 00000000..97927633 --- /dev/null +++ b/demos/openshift-install/java-client-installer.sh 
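Review bot: The admin API key returned by `conjurctl account create` is written in clear to `policy/authnInput`, then `oc rsync policy "$CONJUR_CLI_POD":/` copies it into the CLI pod where it remains at `/policy/authnInput` after `conjur authn login`; the local copy and `custom-values.yaml` (which embeds `DATA_KEY`) are only removed at the end of the success path, so any `set -e` exit leaves both on the operator's disk. Register cleanup before `install` runs, `trap 'rm -rf policy custom-values.yaml custom-values.yaml.tmp' EXIT`, and delete the in-pod copy after login, `oc exec "$CONJUR_CLI_POD" rm -f /policy/authnInput`. `oc adm policy add-scc-to-user anyuid "system:serviceaccount:$PROJECT_NAME:default"` extends the anyuid SCC to every pod in the project that uses the default service account, not just Conjur, so a dedicated service account for the Conjur pods would scope it. `helm install ... &> /dev/null` discards the chart's error output, so a failed install only surfaces as the generic `set -e` exit; leave stderr visible. `oc adm prune images` is cluster-wide maintenance unrelated to this project and needs cluster-admin rights; a comment explaining why it is here, or removing it, would help.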
@@ -0,0 +1,136 @@ +#!/bin/bash + +#set -x +set -e + +OPENSHIFT_URL= +PROJECT_NAME= +ACCOUNT_NAME=myaccount +AUTHENTICATOR=myauthenticator +DEPLOYMENT_NAME=conjur-java-api-example + +function validate_app { + APPNAME=$1 + CHECK_APP=$( which $APPNAME ) + if [ -z "$CHECK_APP" ] + then + echo "Please install $APPNAME" + exit 1 + fi +} + +function validate { + validate_app helm + validate_app oc + validate_app docker + validate_app docker-compose + validate_app awk + validate_app openssl + validate_app keytool +} + +function install { + + echo "entering project $PROJECT_NAME" + oc project $PROJECT_NAME + + echo "Pods originally running:" + oc get pods + + TOKEN=$( oc whoami -t ) + + echo "Pushing java client docker image to openshift" + docker tag conjur-java-client:latest $DOCKER_URL/$PROJECT_NAME/conjur-java-client:latest + docker login $DOCKER_URL -u _ -p $TOKEN + docker push $DOCKER_URL/$PROJECT_NAME/conjur-java-client:latest + + oc get is + + echo "Running Conjur Java Client in OpenShift" + cat templates/conjur-java-api-example.yaml | sed s/'{{ AUTHENTICATOR }}'/$AUTHENTICATOR/g | sed s/'{{ ACCOUNT_NAME }}'/$ACCOUNT_NAME/g | sed s/'{{ DEPLOYMENT_NAME }}'/$DEPLOYMENT_NAME/g | sed s/'{{ PROJECT_NAME }}'/$PROJECT_NAME/g > conjur-java-api-example.yaml + oc create -f conjur-java-api-example.yaml + +} + +usage() +{ + echo "usage: installer [[[--ocp-url url ] [--docker-url url ] [--project-name project] [--account-name account] [--authenticator authenticator]] | [-h]]" + +cat << EOF + + Installs Conjur with Conjut CLI on OpenShift + + Usage: installer.sh [options] + + -h, --help Shows this help message + --ocp-url OpenShift URL (mandatory) + --docker-url Docker URL (mandatory) + --project-name OpenShift project name (mandatory) + --account-name Conjur account name (mandatory) + --authenticator Conjur authenticator (mandatory) +EOF +} + +DO_CONFIG=0 +while [ "$1" != "" ]; do + case $1 in + --ocp-url ) shift + OPENSHIFT_URL=$1 + ;; + --docker-url ) shift + DOCKER_URL=$1 + 
;; + --project-name ) shift + PROJECT_NAME=$1 + ;; + --account-name ) shift + ACCOUNT_NAME=$1 + ;; + --authenticator ) shift + AUTHENTICATOR=$1 + ;; + -h | --help ) usage + exit + ;; + * ) usage + exit 1 + esac + shift +done + +if [ "$OPENSHIFT_URL" == "" ]; then + echo "Missing value in --ocp-url - exiting" + exit 1 +fi + +if [ "$PROJECT_NAME" == "" ]; then + echo "Missing value in --project-name - exiting" + exit 1 +fi + +validate + +install + +CONJUR_JAVA_API_POD_LINE=$( oc get pods | grep conjur-java-api-example | (head -n1 && tail -n1) ) + +CONJUR_JAVA_API_POD=$( echo "$CONJUR_JAVA_API_POD_LINE" | awk '{print $1}' ) + +for i in {1..50} +do + CONTAINERS_STATUS=$( oc get pods | grep conjur-java-api-example | (head -n1 && tail -n1) | awk '{print $2}' ) + + if [ "$CONTAINERS_STATUS" == "2/2" ]; then + break + fi + echo "Waiting for the Java client pod to start..." + sleep 2 +done + +oc get pods + +rm -rf conjur-java-api-example.yaml + +echo "Installation done" + + diff --git a/demos/openshift-install/templates/conjur-java-api-example.yaml b/demos/openshift-install/templates/conjur-java-api-example.yaml new file mode 100644 index 00000000..0d2f9fe8 --- /dev/null +++ b/demos/openshift-install/templates/conjur-java-api-example.yaml 
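Review bot: `docker login $DOCKER_URL -u _ -p $TOKEN` passes the OpenShift session token as a command-line argument, where it is visible in the process list and may be retained in shell history; pipe it instead: `echo "$TOKEN" | docker login "$DOCKER_URL" -u _ --password-stdin`. `DOCKER_URL` is marked mandatory in `usage` but never checked, while `OPENSHIFT_URL` is checked and then unused (this script never calls `oc login`), so the guards after the option loop should test `DOCKER_URL` and the `--ocp-url` handling can go or be documented as accepted for symmetry with installer.sh. The wait loop after `install` breaks on `2/2` but otherwise falls through to `echo "Installation done"` with exit status 0, unlike installer.sh which exits 1 in the same case; add `if [ "$CONTAINERS_STATUS" != "2/2" ]; then echo "Java client pod did not come up properly - exiting"; exit 1; fi` after the loop. `validate` also requires helm, docker-compose, openssl and keytool, none of which this script uses.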
@@ -0,0 +1,98 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ DEPLOYMENT_NAME }} + labels: + app: {{ DEPLOYMENT_NAME }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ DEPLOYMENT_NAME }} + template: + metadata: + name: {{ DEPLOYMENT_NAME }} + labels: + app: {{ DEPLOYMENT_NAME }} + spec: + serviceAccountName: default + containers: + - image: cyberark/conjur-kubernetes-authenticator:latest + imagePullPolicy: IfNotPresent + name: authenticator + env: + - name: CONJUR_VERSION + value: "5" + - name: CONTAINER_MODE + value: sidecar + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONJUR_AUTHN_URL + value: https://conjur-oss.{{ PROJECT_NAME }}.svc.cluster.local/authn-k8s/{{ AUTHENTICATOR }} + - name: CONJUR_APPLIANCE_URL + value: https://conjur-oss.{{ PROJECT_NAME }}.svc.cluster.local + - name: CONJUR_ACCOUNT + value: {{ ACCOUNT_NAME }} + - name: CONJUR_AUTHN_LOGIN + value: "host/conjur/authn-k8s/{{ AUTHENTICATOR }}/apps/{{ PROJECT_NAME }}/*/*" + - name: CONJUR_SSL_CERTIFICATE + valueFrom: + configMapKeyRef: + name: conjur-cert + key: ssl-certificate + volumeMounts: + - mountPath: /run/conjur + name: conjur-access-token + - name: my-conjur-java-client + image: docker-registry.default.svc:5000/{{ PROJECT_NAME }}/conjur-java-client:latest + imagePullPolicy: Always + env: + - name: CONJUR_AUTHN_URL + value: https://conjur-oss.{{ PROJECT_NAME }}.svc.cluster.local/authn-k8s/{{ AUTHENTICATOR }} + - name: CONJUR_APPLIANCE_URL + value: https://conjur-oss.{{ PROJECT_NAME }}.svc.cluster.local + - name: CONJUR_ACCOUNT + value: {{ ACCOUNT_NAME }} + - name: CONJUR_AUTHN_TOKEN_FILE + value: /run/conjur/access-token + - name: CONJUR_SSL_CERTIFICATE + valueFrom: + configMapKeyRef: + name: conjur-cert + key: ssl-certificate + volumeMounts: + - mountPath: /run/conjur + 
name: conjur-access-token + initContainers: + - name: pem-to-truststore + image: registry.access.redhat.com/redhat-sso-7/sso71-openshift:1.1-16 + env: + - name: CONJUR_SSL_CERTIFICATE + valueFrom: + configMapKeyRef: + name: conjur-cert-java + key: ssl-certificate + - name: truststore_jks + value: /run/conjur/truststore.jks + - name: password + value: changeit + command: ['/bin/bash'] + args: ['-c', "echo \"$CONJUR_SSL_CERTIFICATE\" > conjur-cert.pem && openssl x509 -outform der -in conjur-cert.pem -out conjur-cert.crt && echo \"Creating TrustStore file in /run/conjur/truststore.jks\" && keytool -import -noprompt -keystore $truststore_jks -file conjur-cert.crt -storepass changeit -alias ca "] + volumeMounts: + - mountPath: /run/conjur + name: conjur-access-token + volumes: + - name: conjur-access-token + emptyDir: + medium: Memory diff --git a/demos/openshift-install/templates/custom-values.yaml b/demos/openshift-install/templates/custom-values.yaml new file mode 100644 index 00000000..41bb4883 --- /dev/null +++ b/demos/openshift-install/templates/custom-values.yaml @@ -0,0 +1,15 @@ +authenticators: "authn-k8s/{{ AUTHENTICATOR }},authn" +dataKey: "{{ DATA_KEY }}" +account: "{{ ACCOUNT_NAME }}" + +image: + repository: "cyberark/conjur" + tag: "latest" + pullPolicy: Always + +ssl: + hostname: custom.domainname.com + +postgres: + persistentVolume: + create: false diff --git a/demos/openshift-install/templates/policy-for-variables.yaml b/demos/openshift-install/templates/policy-for-variables.yaml new file mode 100644 index 00000000..7cc1d6bc --- /dev/null +++ b/demos/openshift-install/templates/policy-for-variables.yaml 
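Review bot: `image: cyberark/conjur-kubernetes-authenticator:latest` is the sidecar that obtains the Conjur access token for the Java client, and it floats on `latest`; pin it to a release tag or digest so the demo's trust path does not change underneath it. The `pem-to-truststore` init container pulls a full `registry.access.redhat.com/redhat-sso-7/sso71-openshift:1.1-16` image only to run `openssl` and `keytool`; a comment such as `# any image that provides openssl and keytool will do` would let maintainers swap it. Its `password` env var is never used because the `keytool` invocation hardcodes `-storepass changeit`; either reference `$password` in the command or drop the variable. Both app containers run under `serviceAccountName: default`, which installer.sh grants the `anyuid` SCC; if a dedicated service account is introduced there, this template needs the same change.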
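Review bot: `ssl: hostname: custom.domainname.com` is a placeholder, while every client in this commit reaches Conjur as `https://conjur-oss.{{ PROJECT_NAME }}.svc.cluster.local`; unless chart v1.3.8 adds the in-cluster service names as SANs regardless of this value (worth confirming against the chart), certificate verification in the authenticator and the Java truststore would fail, so set it to the service name the clients actually use. `image: tag: "latest"` with `pullPolicy: Always` means each pod restart may run a different Conjur build; pin the tag to the version the demo was tested with. `dataKey: "{{ DATA_KEY }}"` is rendered into a plain file on the operator's machine by installer.sh; a comment `# rendered by installer.sh; the resulting custom-values.yaml contains the data key and must not be committed or shared` would make that explicit.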
@@ -0,0 +1,12 @@ +--- +# This policy defines an authn-k8s endpoint, CA creds and a layer for whitelisted identities permitted to authenticate to it +- !policy + id: variables + body: + - !variable + id: mypassword + + - !permit + resource: !variable mypassword + privilege: [ read, execute ] + role: !host /conjur/authn-k8s/{{ AUTHENTICATOR }}/apps/{{ PROJECT_NAME }}/*/* diff --git a/demos/openshift-install/templates/policy-for-webservice.yaml b/demos/openshift-install/templates/policy-for-webservice.yaml new file mode 100644 index 00000000..4df09d2a --- /dev/null +++ b/demos/openshift-install/templates/policy-for-webservice.yaml @@ -0,0 +1,30 @@ +# This policy defines an authn-k8s endpoint, CA creds and a layer for whitelisted identities permitted to authenticate to it +- !policy + id: conjur/authn-k8s/{{ AUTHENTICATOR }} + owner: !group devops + annotations: + description: Namespace defs for the Conjur cluster in dev + body: + - !webservice + annotations: + description: authn service for cluster + +# CA cert and key for creating client certificates + - !policy + id: ca + body: + - !variable + id: cert + annotations: + description: CA cert for Kubernetes Pods. + - !variable + id: key + annotations: + description: CA key for Kubernetes Pods. + + # permit a layer of whitelisted authn ids to call authn service + - !permit + resource: !webservice + privilege: [ read, authenticate ] + role: !layer /conjur/authn-k8s/{{ AUTHENTICATOR }}/apps + diff --git a/demos/openshift-install/templates/policy-hosts-to-authenticate.yaml b/demos/openshift-install/templates/policy-hosts-to-authenticate.yaml new file mode 100644 index 00000000..8e399678 --- /dev/null +++ b/demos/openshift-install/templates/policy-hosts-to-authenticate.yaml 
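Review bot: The header comment `# This policy defines an authn-k8s endpoint, CA creds and a layer for whitelisted identities permitted to authenticate to it` is copied from policy-for-webservice.yaml and does not describe this file, which only declares the `variables/mypassword` variable and permits a host to read it; replace it with `# Demo secret; read/execute is granted to the authn-k8s application host of {{ PROJECT_NAME }}`. The grant targets `!host /conjur/authn-k8s/{{ AUTHENTICATOR }}/apps/{{ PROJECT_NAME }}/*/*`, the wildcard host from policy-hosts-to-authenticate.yaml, so every workload able to authenticate in the project can read the secret; a comment saying that this is demo-wide scope, and that a narrower host or a layer with explicit members is the pattern for real use, would help readers who copy the template.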
@@ -0,0 +1,22 @@ +--- +# This policy defines a layer of whitelisted identities permitted to authenticate to the authn-k8s endpoint. +- !group devops +- !policy + id: conjur/authn-k8s/{{ AUTHENTICATOR }}/apps + owner: !group devops + annotations: + description: Identities permitted to authenticate + body: + - !layer + annotations: + description: Layer of authenticator identities permitted to call authn svc + - &hosts + - !host + id: {{ PROJECT_NAME }}/*/* + annotations: + kubernetes/authentication-container-name: authenticator + openshift: "true" + + - !grant + role: !layer + members: *hosts
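Review bot: `id: {{ PROJECT_NAME }}/*/*` defines a single wildcard host matching any pod in the project, and the header comment calls it a "layer of whitelisted identities" without saying so; with `kubernetes/authentication-container-name: authenticator`, any pod in the namespace that carries a container named `authenticator` can authenticate as this identity. For a demo that is convenient, but the comment should say it, e.g. `# Wildcard host: any pod in {{ PROJECT_NAME }} with an 'authenticator' container may authenticate as this identity`. The README should note how to narrow it (e.g. `{{ PROJECT_NAME }}/service_account/<name>` or `{{ PROJECT_NAME }}/deployment/<name>`), and that the same id must then be changed in `CONJUR_AUTHN_LOGIN` in templates/conjur-java-api-example.yaml and in the `!permit` role of policy-for-variables.yaml.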