Add Support for MySQL (#51)

+ Adds support for using MySQL as a database
+ Adds TEST_APP_DATABASE envvar for choosing database
+ Deflakes tests by leveraging readiness probes and aggressively checking for readiness

.gitignore

@@ -1,6 +1,3 @@
 policy/generated/*
-pg/schema.sql
-openshift/postgres.yml
-test_app_summon/secrets.yml
-test_app_summon/summon*
+tmp.*
 output/

0_check_dependencies.sh

@@ -11,3 +11,5 @@ check_env_var "DOCKER_REGISTRY_PATH"
 check_env_var "CONJUR_ACCOUNT"
 check_env_var "CONJUR_ADMIN_PASSWORD"
 check_env_var "AUTHENTICATOR_ID"
+check_env_var "TEST_APP_DATABASE"
+ensure_env_database

1_create_test_app_namespace.sh

@@ -1,4 +1,4 @@
-#!/bin/bash 
+#!/bin/bash
 set -euo pipefail
 
 . utils.sh
@@ -22,14 +22,14 @@ else
   elif [ $PLATFORM = 'openshift' ]; then
     $cli new-project $TEST_APP_NAMESPACE_NAME
   fi
-  
+
   set_namespace $TEST_APP_NAMESPACE_NAME
 fi
 
 $cli delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME
 
-sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./$PLATFORM/test-app-conjur-authenticator-role-binding.yml |
-  sed -e "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" |
+sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./$PLATFORM/test-app-conjur-authenticator-role-binding.yml |
+  sed "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" |
   $cli create -f -
 
 if [[ $PLATFORM == openshift ]]; then

2_load_conjur_policies.sh

@@ -8,13 +8,15 @@ announce "Generating Conjur policy."
 pushd policy
   mkdir -p ./generated
 
-  sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml > ./generated/cluster-authn-svc.yml
+  # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
 
-  sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml |
-    sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/project-authn.yml
+  sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml > ./generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml
 
-  sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/app-identity-def.template.yml |
-    sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/app-identity.yml
+  sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml |
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml
+
+  sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/app-identity-def.template.yml |
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml
 popd
 
 # Create the random database password
@@ -35,6 +37,7 @@ if [[ "${DEPLOY_MASTER_CLUSTER}" == "true" ]]; then
       CONJUR_ADMIN_PASSWORD=${CONJUR_ADMIN_PASSWORD} \
       DB_PASSWORD=${password} \
       TEST_APP_NAMESPACE_NAME=${TEST_APP_NAMESPACE_NAME} \
+      TEST_APP_DATABASE=${TEST_APP_DATABASE} \
       CONJUR_VERSION=${CONJUR_VERSION} \
       /policy/load_policies.sh
     "
@@ -46,14 +49,18 @@ if [[ "${DEPLOY_MASTER_CLUSTER}" == "true" ]]; then
   set_namespace "$TEST_APP_NAMESPACE_NAME"
 fi
 
-# Set DB password in DB schema
-pushd pg
-  sed -e "s#{{ TEST_APP_PG_PASSWORD }}#$password#g" ./schema.template.sql > ./schema.sql
+# Set DB password in Kubernetes manifests
+# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
+pushd kubernetes
+  sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml
+  sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml
 popd
 
-# Set DB password in OC deployment manifest
+# Set DB password in OC manifests
+# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
 pushd openshift
-  sed -e "s#{{ TEST_APP_PG_PASSWORD }}#$password#g" ./postgres.template.yml > ./postgres.yml
+  sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml
+  sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml
 popd
 
 announce "Added DB password value: $password"

4_store_conjur_cert.sh

@@ -1,4 +1,4 @@
-#!/bin/bash 
+#!/bin/bash
 set -euo pipefail
 
 . utils.sh
@@ -9,7 +9,7 @@ set_namespace $CONJUR_NAMESPACE_NAME
 
 echo "Retrieving Conjur certificate."
 
-follower_pod_name=$($cli get pods -l role=follower --no-headers | awk '{ print $1 }' | head -1)
+follower_pod_name=$($cli get pods --selector role=follower --no-headers | awk '{ print $1 }' | head -1)
 ssl_cert=$($cli exec $follower_pod_name -- cat /opt/conjur/etc/ssl/conjur.pem)
 
 set_namespace $TEST_APP_NAMESPACE_NAME

5_build_and_push_containers.sh

@@ -21,14 +21,16 @@ pushd test_app_summon
 
     # retrieve the summon binaries
     id=$(docker create test-app-builder)
-    docker cp $id:/usr/local/lib/summon/summon-conjur ./
-    docker cp $id:/usr/local/bin/summon ./
-    docker rm -v $id
+    docker cp $id:/usr/local/lib/summon/summon-conjur ./tmp.summon-conjur
+    docker cp $id:/usr/local/bin/summon ./tmp.summon
+    docker rm --volumes $id
   fi
 
+
   for app_type in "${APPS[@]}"; do
     # prep secrets.yml
-    sed -e "s#{{ TEST_APP_NAME }}#test-summon-$app_type-app#g" ./secrets.template.yml > secrets.yml
+    # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
+    sed "s#{{ TEST_APP_NAME }}#test-summon-$app_type-app#g" ./secrets.template.yml > "tmp.$TEST_APP_NAMESPACE_NAME.secrets.yml"
 
     dockerfile="Dockerfile"
     if [[ "$PLATFORM" == "openshift" ]]; then
@@ -37,8 +39,9 @@ pushd test_app_summon
 
     echo "Building test app image"
     docker build \
-      -t test-app:$CONJUR_NAMESPACE_NAME \
-      -f $dockerfile .
+      --build-arg namespace=$TEST_APP_NAMESPACE_NAME \
+      --tag test-app:$CONJUR_NAMESPACE_NAME \
+      --file $dockerfile .
 
     test_app_image=$(platform_image "test-$app_type-app")
     docker tag test-app:$CONJUR_NAMESPACE_NAME $test_app_image

6_deploy_test_app.sh

@@ -24,30 +24,28 @@ main() {
 
 ###########################
 init_registry_creds() {
-  if [[ "$PLATFORM" == "kubernetes" ]]; then
-    if [[ "${DOCKER_EMAIL}" != "" ]]; then
-      announce "Creating image pull secret."
-
-      kubectl delete --ignore-not-found secret dockerpullsecret
-
-      kubectl create secret docker-registry dockerpullsecret \
-        --docker-server=$DOCKER_REGISTRY_URL \
-        --docker-username=$DOCKER_USERNAME \
-        --docker-password=$DOCKER_PASSWORD \
-        --docker-email=$DOCKER_EMAIL
-    fi
+  if [[ "${PLATFORM}" == "kubernetes" ]] && [[ -n "${DOCKER_EMAIL}" ]]; then
+    announce "Creating image pull secret."
+
+    kubectl delete --ignore-not-found secret dockerpullsecret
+
+    kubectl create secret docker-registry dockerpullsecret \
+      --docker-server=$DOCKER_REGISTRY_URL \
+      --docker-username=$DOCKER_USERNAME \
+      --docker-password=$DOCKER_PASSWORD \
+      --docker-email=$DOCKER_EMAIL
   elif [[ "$PLATFORM" == "openshift" ]]; then
     announce "Creating image pull secret."
-    
+
     $cli delete --ignore-not-found secrets dockerpullsecret
-  
+
     $cli secrets new-dockercfg dockerpullsecret \
       --docker-server=${DOCKER_REGISTRY_PATH} \
       --docker-username=_ \
       --docker-password=$($cli whoami -t) \
       --docker-email=_
-  
-    $cli secrets add serviceaccount/default secrets/dockerpullsecret --for=pull    
+
+    $cli secrets add serviceaccount/default secrets/dockerpullsecret --for=pull
   fi
 }
 
@@ -84,20 +82,40 @@ deploy_app_backend() {
      statefulset/summon-init-pg \
      statefulset/summon-sidecar-pg \
      statefulset/secretless-pg \
+     statefulset/summon-init-mysql \
+     statefulset/summon-sidecar-mysql \
+     statefulset/secretless-mysql \
      secret/test-app-backend-certs
 
-  echo "Create secrets for test app backend"
-  $cli --namespace $TEST_APP_NAMESPACE_NAME \
-    create secret generic \
-    test-app-backend-certs \
-    --from-file=server.crt=./etc/ca.pem \
-    --from-file=server.key=./etc/ca-key.pem
-
-  echo "Deploying test app backend"
-  test_app_pg_docker_image=$(platform_image test-app-pg)
-  sed -e "s#{{ TEST_APP_PG_DOCKER_IMAGE }}#$test_app_pg_docker_image#g" ./$PLATFORM/postgres.yml |
-    sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
-    $cli create -f -
+  ensure_env_database
+  case "${TEST_APP_DATABASE}" in
+  postgres)
+    echo "Create secrets for test app backend"
+    $cli --namespace $TEST_APP_NAMESPACE_NAME \
+      create secret generic \
+      test-app-backend-certs \
+      --from-file=server.crt=./etc/ca.pem \
+      --from-file=server.key=./etc/ca-key.pem
+
+    echo "Deploying test app backend"
+
+    test_app_pg_docker_image=$(platform_image test-app-pg)
+
+    sed "s#{{ TEST_APP_PG_DOCKER_IMAGE }}#$test_app_pg_docker_image#g" ./$PLATFORM/tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml |
+      sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
+      $cli create -f -
+    ;;
+  mysql)
+    echo "Deploying test app backend"
+
+    test_app_mysql_docker_image="mysql/mysql-server:5.7"
+
+    sed "s#{{ TEST_APP_DATABASE_DOCKER_IMAGE }}#$test_app_mysql_docker_image#g" ./$PLATFORM/tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml |
+     sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
+     $cli create -f -
+    ;;
+  esac
+
 }
 
 ###########################
@@ -116,18 +134,18 @@ deploy_sidecar_app() {
 
   sleep 5
 
-  sed -e "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_sidecar_app_docker_image#g" ./$PLATFORM/test-app-summon-sidecar.yml |
-    sed -e "s#{{ AUTHENTICATOR_CLIENT_IMAGE }}#$authenticator_client_image#g" |
-    sed -e "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" |
-    sed -e "s#{{ CONJUR_VERSION }}#$CONJUR_VERSION#g" |
-    sed -e "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" |
-    sed -e "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" |
-    sed -e "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" |
-    sed -e "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" |
-    sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
-    sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" |
-    sed -e "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
-    sed -e "s#{{ CONJUR_VERSION }}#'$CONJUR_VERSION'#g" |
+  sed "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_sidecar_app_docker_image#g" ./$PLATFORM/test-app-summon-sidecar.yml |
+    sed "s#{{ AUTHENTICATOR_CLIENT_IMAGE }}#$authenticator_client_image#g" |
+    sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" |
+    sed "s#{{ CONJUR_VERSION }}#$CONJUR_VERSION#g" |
+    sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" |
+    sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" |
+    sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" |
+    sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" |
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
+    sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" |
+    sed "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
+    sed "s#{{ CONJUR_VERSION }}#'$CONJUR_VERSION'#g" |
     $cli create -f -
 
   if [[ "$PLATFORM" == "openshift" ]]; then
@@ -153,18 +171,18 @@ deploy_init_container_app() {
 
   sleep 5
 
-  sed -e "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_init_app_docker_image#g" ./$PLATFORM/test-app-summon-init.yml |
-    sed -e "s#{{ AUTHENTICATOR_CLIENT_IMAGE }}#$authenticator_client_image#g" |
-    sed -e "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" |
-    sed -e "s#{{ CONJUR_VERSION }}#$CONJUR_VERSION#g" |
-    sed -e "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" |
-    sed -e "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" |
-    sed -e "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" |
-    sed -e "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" |
-    sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
-    sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" |
-    sed -e "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
-    sed -e "s#{{ CONJUR_VERSION }}#'$CONJUR_VERSION'#g" |
+  sed "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_init_app_docker_image#g" ./$PLATFORM/test-app-summon-init.yml |
+    sed "s#{{ AUTHENTICATOR_CLIENT_IMAGE }}#$authenticator_client_image#g" |
+    sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" |
+    sed "s#{{ CONJUR_VERSION }}#$CONJUR_VERSION#g" |
+    sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" |
+    sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" |
+    sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" |
+    sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" |
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
+    sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" |
+    sed "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
+    sed "s#{{ CONJUR_VERSION }}#'$CONJUR_VERSION'#g" |
     $cli create -f -
 
   if [[ "$PLATFORM" == "openshift" ]]; then
@@ -194,13 +212,27 @@ deploy_secretless_app() {
 
   sleep 5
 
-  sed -e "s#{{ CONJUR_VERSION }}#$CONJUR_VERSION#g" ./$PLATFORM/test-app-secretless.yml |
-    sed -e "s#{{ SECRETLESS_IMAGE }}#$secretless_image#g" |
-    sed -e "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" |
-    sed -e "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" |
-    sed -e "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
-    sed -e "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" |
-    sed -e "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" |
+  ensure_env_database
+  case "${TEST_APP_DATABASE}" in
+  postgres)
+    PORT=5432
+    PROTOCOL=postgresql
+    ;;
+  mysql)
+    PORT=3306
+    PROTOCOL=mysql
+    ;;
+  esac
+  secretless_db_url="$PROTOCOL://localhost:$PORT/test_app"
+
+  sed "s#{{ CONJUR_VERSION }}#$CONJUR_VERSION#g" ./$PLATFORM/test-app-secretless.yml |
+    sed "s#{{ SECRETLESS_IMAGE }}#$secretless_image#g" |
+    sed "s#{{ SECRETLESS_DB_URL }}#$secretless_db_url#g" |
+    sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" |
+    sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" |
+    sed "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
+    sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" |
+    sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" |
     $cli create -f -
 
   if [[ "$PLATFORM" == "openshift" ]]; then

7_verify_authentication.sh

@@ -26,6 +26,16 @@ announce "Validating that the deployments are functioning as expected."
 
 set_namespace $TEST_APP_NAMESPACE_NAME
 
+echo "Waiting for pods to become available"
+
+until [[ $(pods_ready "test-app-summon-init") ]] &&
+      [[ $(pods_ready "test-app-summon-sidecar") ]] &&
+      [[ $(pods_ready "test-app-secretless") ]]; do
+  printf "."
+  sleep 1
+done
+echo ""
+
 if [[ "$PLATFORM" == "openshift" ]]; then
   echo "Waiting for deployments to become available"
 
@@ -51,23 +61,28 @@ if [[ "$PLATFORM" == "openshift" ]]; then
   init_url="localhost:8081"
   sidecar_url="localhost:8082"
   secretless_url="localhost:8083"
-
-  # Pause for the port-forwarding to complete setup
-  sleep 10
 else
   echo "Waiting for services to become available"
   while [ -z "$(service_ip "test-app-summon-init")" ] ||
         [ -z "$(service_ip "test-app-summon-sidecar")" ] ||
         [ -z "$(service_ip "test-app-secretless")" ]; do
     printf "."
-    sleep 1
+    sleep 3
   done
 
   init_url=$(service_ip test-app-summon-init):8080
   sidecar_url=$(service_ip test-app-summon-sidecar):8080
   secretless_url=$(service_ip test-app-secretless):8080
 fi
 
+echo "Waiting for urls to be ready"
+until $(curl -s --connect-timeout 3 $init_url > /dev/null) &&
+      $(curl -s --connect-timeout 3 $sidecar_url > /dev/null) &&
+      $(curl -s --connect-timeout 3 $secretless_url > /dev/null); do
+  printf "."
+  sleep 3
+done
+
 echo -e "\nAdding entry to the init app\n"
 curl \
   -d '{"name": "Mr. Init"}' \