From 8304bc151617fce4d97ffa52c8b9596014587281 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Fri, 15 Mar 2019 12:13:50 +0100 Subject: [PATCH 01/31] add suport for mysql --- .gitignore | 2 + 0_check_dependencies.sh | 11 +++ 2_load_conjur_policies.sh | 11 ++- 6_deploy_test_app.sh | 55 +++++++++--- Jenkinsfile | 45 ++++++++-- ci/test | 43 +++++---- etc/secretless.yml | 21 +++++ kubernetes/mysql.template.yml | 137 +++++++++++++++++++++++++++++ kubernetes/postgres.yml | 9 ++ kubernetes/test-app-secretless.yml | 2 +- openshift/mysql.template.yml | 131 +++++++++++++++++++++++++++ openshift/postgres.template.yml | 6 +- openshift/test-app-secretless.yml | 2 +- pg/schema.template.sql | 2 +- policy/app-access.yml | 2 + policy/load_policies.sh | 21 ++++- 16 files changed, 453 insertions(+), 47 deletions(-) create mode 100644 kubernetes/mysql.template.yml create mode 100644 openshift/mysql.template.yml diff --git a/.gitignore b/.gitignore index 96d863f..5e4d7e4 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,8 @@ policy/generated/* pg/schema.sql openshift/postgres.yml +openshift/mysql.yml +kubernetes/mysql.yml test_app_summon/secrets.yml test_app_summon/summon* output/ diff --git a/0_check_dependencies.sh b/0_check_dependencies.sh index e84ffb3..ee44947 100755 --- a/0_check_dependencies.sh +++ b/0_check_dependencies.sh @@ -11,3 +11,14 @@ check_env_var "DOCKER_REGISTRY_PATH" check_env_var "CONJUR_ACCOUNT" check_env_var "CONJUR_ADMIN_PASSWORD" check_env_var "AUTHENTICATOR_ID" +check_env_var "TEST_APP_DATABASE" +case "${TEST_APP_DATABASE}" in +postgres) + ;; +mysql) + ;; +*) + echo "Expected TEST_APP_DATABASE to be 'mysql' or 'postgres', got '${TEST_APP_DATABASE}'" + exit 1 + ;; +esac diff --git a/2_load_conjur_policies.sh b/2_load_conjur_policies.sh index 3f9c873..0cf308b 100755 --- a/2_load_conjur_policies.sh +++ b/2_load_conjur_policies.sh 
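Review bot: The `case "${TEST_APP_DATABASE}"` validation added to 0_check_dependencies.sh is repeated verbatim in 6_deploy_test_app.sh (twice) and policy/load_policies.sh, so the accepted set of values now lives in four places and will drift. A single helper (for example `db_settings()` in utils.sh, which `stop` already sources, setting port and protocol and failing on anything else) would keep the check in one place; the other three copies could then call it. The diagnostic should also go to stderr so CI output parsing is not polluted: `echo "Expected TEST_APP_DATABASE to be 'mysql' or 'postgres', got '${TEST_APP_DATABASE}'" >&2`.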
@@ -35,6 +35,7 @@ if [[ "${DEPLOY_MASTER_CLUSTER}" == "true" ]]; then CONJUR_ADMIN_PASSWORD=${CONJUR_ADMIN_PASSWORD} \ DB_PASSWORD=${password} \ TEST_APP_NAMESPACE_NAME=${TEST_APP_NAMESPACE_NAME} \ + TEST_APP_DATABASE=${TEST_APP_DATABASE} \ CONJUR_VERSION=${CONJUR_VERSION} \ /policy/load_policies.sh " @@ -48,12 +49,18 @@ fi # Set DB password in DB schema pushd pg - sed -e "s#{{ TEST_APP_PG_PASSWORD }}#$password#g" ./schema.template.sql > ./schema.sql + sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./schema.template.sql > ./schema.sql +popd + +# Set DB password in MySQL Kubernetes manifest +pushd kubernetes + sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./mysql.yml popd # Set DB password in OC deployment manifest pushd openshift - sed -e "s#{{ TEST_APP_PG_PASSWORD }}#$password#g" ./postgres.template.yml > ./postgres.yml + sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./postgres.yml + sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./mysql.yml popd announce "Added DB password value: $password" diff --git a/6_deploy_test_app.sh b/6_deploy_test_app.sh index 846c83d..f107a92 100755 --- a/6_deploy_test_app.sh +++ b/6_deploy_test_app.sh 
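Review bot: The new `sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g"` lines splice the generated password straight into a sed replacement, so a password containing `#`, `&` or `\` would either break the expression or be rewritten (`&` expands to the matched text), silently producing a manifest with a different password than the one stored in Conjur. If `password` is generated from a character set that excludes those three characters, a comment saying so next to the substitutions is enough; otherwise escape it first, e.g. `escaped=$(printf '%s' "$password" | sed -e 's/[\\&#]/\\&/g')` and substitute `$escaped`. The rendered `mysql.yml` files also carry the DB password in clear text on disk; they are gitignored in this patch, but a comment noting that they must be cleaned up (or created with restrictive permissions) would help the next maintainer.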
@@ -84,20 +84,38 @@ deploy_app_backend() { statefulset/summon-init-pg \ statefulset/summon-sidecar-pg \ statefulset/secretless-pg \ + statefulset/summon-init-mysql \ + statefulset/summon-sidecar-mysql \ + statefulset/secretless-mysql \ secret/test-app-backend-certs - echo "Create secrets for test app backend" - $cli --namespace $TEST_APP_NAMESPACE_NAME \ - create secret generic \ - test-app-backend-certs \ - --from-file=server.crt=./etc/ca.pem \ - --from-file=server.key=./etc/ca-key.pem - - echo "Deploying test app backend" - test_app_pg_docker_image=$(platform_image test-app-pg) - sed -e "s#{{ TEST_APP_PG_DOCKER_IMAGE }}#$test_app_pg_docker_image#g" ./$PLATFORM/postgres.yml | + case "${TEST_APP_DATABASE}" in + postgres) + echo "Create secrets for test app backend" + $cli --namespace $TEST_APP_NAMESPACE_NAME \ + create secret generic \ + test-app-backend-certs \ + --from-file=server.crt=./etc/ca.pem \ + --from-file=server.key=./etc/ca-key.pem + + echo "Deploying test app backend" + test_app_pg_docker_image=$(platform_image test-app-pg) + sed -e "s#{{ TEST_APP_PG_DOCKER_IMAGE }}#$test_app_pg_docker_image#g" ./$PLATFORM/postgres.yml | sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | $cli create -f - + ;; + mysql) + echo "Deploying test app backend" + test_app_mysql_docker_image="mysql/mysql-server:5.7" + sed -e "s#{{ TEST_APP_DATABASE_DOCKER_IMAGE }}#$test_app_mysql_docker_image#g" ./$PLATFORM/mysql.yml | sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | $cli create -f - + echo "doneee" + ;; + *) + echo "Expected TEST_APP_DATABASE to be 'mysql' or 'postgres', got '${TEST_APP_DATABASE}'" + exit 1 + ;; + esac + } ########################### 
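Review bot: The `mysql)` branch leaves a debug statement behind, `echo "doneee"`, which should be dropped. The image is also hard-coded as `test_app_mysql_docker_image="mysql/mysql-server:5.7"` rather than resolved through `platform_image` as the postgres branch does, and the openshift/mysql.template.yml added in this patch hard-codes `centos/mysql-57-centos7` instead of the `{{ TEST_APP_DATABASE_DOCKER_IMAGE }}` placeholder, so on OpenShift this substitution is a no-op and the value set here is silently ignored. Unlike the postgres branch, the mysql branch creates no `test-app-backend-certs` secret while etc/secretless.yml configures the MySQL handler with `sslmode: require`; if the MySQL images are expected to generate their own certificates, say so in a comment, otherwise the first TLS handshake is where this will fail. deploy_app_backend starts before this hunk.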
@@ -194,8 +212,25 @@ deploy_secretless_app() { sleep 5 + case "$TEST_APP_DATABASE" in + postgres) + PORT=5432 + PROTOCOL=postgresql + ;; + mysql) + PORT=3306 + PROTOCOL=mysql + ;; + *) + echo "Expected TEST_APP_DATABASE to be 'mysql' or 'postgres', got '${TEST_APP_DATABASE}'" + exit 1 + ;; + esac + secretless_db_url="$PROTOCOL://localhost:$PORT/test_app" + sed -e "s#{{ CONJUR_VERSION }}#$CONJUR_VERSION#g" ./$PLATFORM/test-app-secretless.yml | sed -e "s#{{ SECRETLESS_IMAGE }}#$secretless_image#g" | + sed -e "s#{{ SECRETLESS_DB_URL }}#$secretless_db_url#g" | sed -e "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | sed -e "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" | sed -e "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | diff --git a/Jenkinsfile b/Jenkinsfile index af76249..e71b522 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
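Review bot: `PORT` and `PROTOCOL` are assigned as upper-case globals inside deploy_secretless_app, which this project's style reserves for exported configuration; they should be `local port` and `local protocol`, and `secretless_db_url` should be built from those. This is the same `case` as in 0_check_dependencies.sh, so once a shared helper exists it should be used here too. deploy_secretless_app starts before and ends after this hunk.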
@@ -11,27 +11,56 @@ pipeline { stages { stage('Deploy Demos') { parallel { - stage('GKE and v4 Conjur') { + +// Postgres Tests + + stage('GKE, v4 Conjur, Postgres') { + steps { + sh 'cd ci && summon -e gke ./test gke 4 postgres' + } + } + + stage('GKE, v5 Conjur, Postgres') { + steps { + sh 'cd ci && summon -e gke ./test gke 5 postgres' + } + } + + stage('OpenShift v3.9, v4 Conjur, Postgres') { + steps { + sh 'cd ci && summon -e oc ./test oc 4 postgres' + } + } + + stage('OpenShift v3.9, v5 Conjur, Postgres') { + steps { + sh 'cd ci && summon -e oc ./test oc 5 postgres' + } + } + +// MySQL Tests + + stage('GKE, v4 Conjur, MySQL') { steps { - sh 'cd ci && summon -e gke ./test gke 4' + sh 'cd ci && summon -e gke ./test gke 4 mysql' } } - stage('GKE and v5 Conjur') { + stage('GKE, v5 Conjur, MySQL') { steps { - sh 'cd ci && summon -e gke ./test gke 5' + sh 'cd ci && summon -e gke ./test gke 5 mysql' } } - stage('OpenShift v3.9 and v4 Conjur') { + stage('OpenShift v3.9, v4 Conjur, MySQL') { steps { - sh 'cd ci && summon -e oc ./test oc 4' + sh 'cd ci && summon -e oc ./test oc 4 mysql' } } - stage('OpenShift v3.9 and v5 Conjur') { + stage('OpenShift v3.9, v5 Conjur, MySQL') { steps { - sh 'cd ci && summon -e oc ./test oc 5' + sh 'cd ci && summon -e oc ./test oc 5 mysql' } } } diff --git a/ci/test b/ci/test index 95d71a6..7e9cfc0 100755 --- a/ci/test +++ b/ci/test @@ -1,9 +1,10 @@ #!/bin/bash # Usage: -# summon -e [platform] ./test [platform] [conjur version] +# summon -e [platform] ./test [platform] [conjur version] [database] # platform: gke or oc # conjur version: 4 or 5 +# database: postgres or mysql set -euo pipefail IFS=$'\n\t' 
@@ -31,30 +32,14 @@ trap finish EXIT function printUsage() { echo "---" echo "Usage:" - echo "summon -e [platform] ./test [platform] [conjur version]" + echo "summon -e [platform] ./test [platform] [conjur version] [database]" echo "platform: gke or oc" echo "conjur version: 4 or 5" + echo "database: postgres or mysql" exit 1 } -# Parse input arguments -if [ $# -ne 2 ]; then - echo "Invalid number of arguments." - printUsage -fi - -TEST_PLATFORM="$1" -CONJUR_VERSION="$2" - -export TEST_PLATFORM -export CONJUR_VERSION - -# sensible default for OPENSHIFT_URL port -if [[ ! -z "${OPENSHIFT_URL}" ]] && [[ "${OPENSHIFT_URL}" != *: ]]; then - OPENSHIFT_URL="${OPENSHIFT_URL}:8443" -fi - function main() { announce 'Checking arguments' checkArguments @@ -143,6 +128,7 @@ function runDockerCommand() { -e CONJUR_ADMIN_PASSWORD \ -e AUTHENTICATOR_ID \ -e TEST_APP_NAMESPACE_NAME \ + -e TEST_APP_DATABASE \ -e PLATFORM \ -e DOCKER_REGISTRY_URL \ -e DOCKER_REGISTRY_PATH \ @@ -190,4 +176,23 @@ function checkArguments() { printUsage } +# Parse input arguments +if [ $# -ne 3 ]; then + echo "Invalid number of arguments." + printUsage +fi + +TEST_PLATFORM="$1" +CONJUR_VERSION="$2" +TEST_APP_DATABASE="$3" + +export TEST_PLATFORM +export CONJUR_VERSION +export TEST_APP_DATABASE + +# sensible default for OPENSHIFT_URL port +if [[ ! -z "${OPENSHIFT_URL}" ]] && [[ "${OPENSHIFT_URL}" != *: ]]; then + OPENSHIFT_URL="${OPENSHIFT_URL}:8443" +fi + main diff --git a/etc/secretless.yml b/etc/secretless.yml index a7bbff1..df488d2 100644 --- a/etc/secretless.yml +++ b/etc/secretless.yml @@ -2,6 +2,9 @@ listeners: - name: test-app-pg-listener protocol: pg address: 0.0.0.0:5432 + - name: test-app-mysql-listener + protocol: mysql + address: 0.0.0.0:3306 handlers: - name: test-app-pg-handler 
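Review bot: `TEST_APP_DATABASE="$3"` is exported without any validation, so a mistyped value is only rejected later by 0_check_dependencies.sh inside the container, after the cluster work that precedes it has started. `checkArguments` (its body is outside this hunk) is the natural place to reject anything other than `postgres` or `mysql` up front. The moved `[[ ! -z "${OPENSHIFT_URL}" ]]` test was there before, but since this script runs under `set -u` it aborts with an unbound-variable error when the gke summon environment does not define `OPENSHIFT_URL` at all; `[[ -n "${OPENSHIFT_URL:-}" && "${OPENSHIFT_URL}" != *: ]]` handles both platforms.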
@@ -19,3 +22,21 @@ handlers: - name: sslmode provider: literal id: require + - name: test-app-mysql-handler + listener: test-app-mysql-listener + credentials: + - name: host + provider: conjur + id: test-secretless-app-db/host + - name: port + provider: conjur + id: test-secretless-app-db/port + - name: username + provider: conjur + id: test-secretless-app-db/username + - name: password + provider: conjur + id: test-secretless-app-db/password + - name: sslmode + provider: literal + id: require diff --git a/kubernetes/mysql.template.yml b/kubernetes/mysql.template.yml new file mode 100644 index 0000000..52b40f7 --- /dev/null +++ b/kubernetes/mysql.template.yml 
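Review bot: The new `test-app-mysql-handler` copies the `sslmode: require` literal from the pg handler; if the MySQL handler honours the same values, `require` only negotiates encryption and does not verify the backend's certificate, so a comment should state that server identity is deliberately not checked in this test fixture (a `verify-ca`/`verify-full` mode with a root cert is what a production config would need). The handler also reads `host` and `port` while policy/load_policies.sh keeps populating `url` for the secretless app; a one-line comment on which of the two the handler actually consumes would avoid the next reader guessing.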
@@ -0,0 +1,137 @@ +--- +kind: Service +apiVersion: v1 +metadata: + name: test-summon-init-app-backend + namespace: {{ TEST_APP_NAMESPACE_NAME }} +spec: + selector: + app: test-summon-init-app-backend + ports: + - port: 3306 + targetPort: 3306 + +--- +apiVersion: apps/v1beta1 +kind: StatefulSet +metadata: + name: summon-init-mysql + labels: + app: test-summon-init-app-backend +spec: + serviceName: test-summon-init-app-backend + selector: + matchLabels: + app: test-summon-init-app-backend + template: + metadata: + labels: + app: test-summon-init-app-backend + spec: + containers: + - name: test-summon-init-app-backend + image: {{ TEST_APP_DATABASE_DOCKER_IMAGE }} + imagePullPolicy: Always + ports: + - containerPort: 3306 + env: + - name: MYSQL_RANDOM_ROOT_PASSWORD + value: "yes" + - name: MYSQL_USER + value: test_app + - name: MYSQL_PASSWORD + value: {{ TEST_APP_DB_PASSWORD }} + - name: MYSQL_DATABASE + value: test_app + +--- +kind: Service +apiVersion: v1 +metadata: + name: test-summon-sidecar-app-backend + namespace: {{ TEST_APP_NAMESPACE_NAME }} +spec: + selector: + app: test-summon-sidecar-app-backend + ports: + - port: 3306 + targetPort: 3306 + +--- +apiVersion: apps/v1beta1 +kind: StatefulSet +metadata: + name: summon-sidecar-mysql + labels: + app: test-summon-sidecar-app-backend +spec: + serviceName: test-summon-sidecar-app-backend + selector: + matchLabels: + app: test-summon-sidecar-app-backend + template: + metadata: + labels: + app: test-summon-sidecar-app-backend + spec: + containers: + - name: test-summon-sidecar-app-backend + image: {{ TEST_APP_DATABASE_DOCKER_IMAGE }} + imagePullPolicy: Always + ports: + - containerPort: 3306 + env: + - name: MYSQL_RANDOM_ROOT_PASSWORD + value: "yes" + - name: MYSQL_USER + value: test_app + - name: MYSQL_PASSWORD + value: {{ TEST_APP_DB_PASSWORD }} + - name: MYSQL_DATABASE + value: test_app + +--- +kind: Service +apiVersion: v1 +metadata: + name: test-secretless-app-backend + namespace: {{ TEST_APP_NAMESPACE_NAME }} 
+spec: + selector: + app: test-secretless-app-backend + ports: + - port: 3306 + targetPort: 3306 + +--- +apiVersion: apps/v1beta1 +kind: StatefulSet +metadata: + name: secretless-mysql + labels: + app: test-secretless-app-backend +spec: + serviceName: test-secretless-app-backend + selector: + matchLabels: + app: test-secretless-app-backend + template: + metadata: + labels: + app: test-secretless-app-backend + spec: + containers: + - name: test-secretless-app-backend + image: {{ TEST_APP_DATABASE_DOCKER_IMAGE }} + imagePullPolicy: Always + ports: + - containerPort: 3306 + env: + - name: MYSQL_RANDOM_ROOT_PASSWORD + value: "yes" + - name: MYSQL_USER + value: test_app + - name: MYSQL_PASSWORD + value: {{ TEST_APP_DB_PASSWORD }} + - name: MYSQL_DATABASE + value: test_app diff --git a/kubernetes/postgres.yml b/kubernetes/postgres.yml index bb5e792..b69f886 100644 --- a/kubernetes/postgres.yml +++ b/kubernetes/postgres.yml @@ -41,6 +41,9 @@ spec: mountPath: "/etc/certs/" readOnly: true args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/server.crt", "-c", "ssl_key_file=/etc/certs/server.key"] + env: + - name: POSTGRES_DB + value: test_app volumes: - name: backend-certs secret: @@ -89,6 +92,9 @@ spec: mountPath: "/etc/certs/" readOnly: true args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/server.crt", "-c", "ssl_key_file=/etc/certs/server.key"] + env: + - name: POSTGRES_DB + value: test_app volumes: - name: backend-certs secret: @@ -138,6 +144,9 @@ spec: mountPath: "/etc/certs/" readOnly: true args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/server.crt", "-c", "ssl_key_file=/etc/certs/server.key"] + env: + - name: POSTGRES_DB + value: test_app volumes: - name: backend-certs secret: diff --git a/kubernetes/test-app-secretless.yml b/kubernetes/test-app-secretless.yml index f14bb2e..be98b4c 100644 --- a/kubernetes/test-app-secretless.yml +++ b/kubernetes/test-app-secretless.yml 
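Review bot: `value: {{ TEST_APP_DB_PASSWORD }}` is unquoted in all three StatefulSets, so a generated password that starts with a YAML indicator (`*`, `&`, `!`, `[`, `{`, `'`, `"`) or contains `: ` or ` #` either breaks the manifest or is parsed as something other than a string; write `value: "{{ TEST_APP_DB_PASSWORD }}"`. The same applies to openshift/mysql.template.yml in this patch. Passing the password as a plain container env var also exposes it to anyone who can `describe pod`, unlike a Secret referenced through `valueFrom.secretKeyRef`; if this mirrors the existing postgres template on purpose, a comment saying it is a test-only shortcut would be appropriate.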
@@ -43,7 +43,7 @@ spec: - containerPort: 8080 env: - name: DB_URL - value: postgresql://localhost:5432/postgres + value: {{ SECRETLESS_DB_URL }} - image: {{ SECRETLESS_IMAGE }} imagePullPolicy: Always name: secretless diff --git a/openshift/mysql.template.yml b/openshift/mysql.template.yml new file mode 100644 index 0000000..d5f08b4 --- /dev/null +++ b/openshift/mysql.template.yml 
@@ -0,0 +1,131 @@ +--- +kind: Service +apiVersion: v1 +metadata: + name: test-summon-init-app-backend + namespace: {{ TEST_APP_NAMESPACE_NAME }} +spec: + selector: + app: test-summon-init-app-backend + ports: + - port: 3306 + targetPort: 3306 + +--- +apiVersion: apps/v1beta1 +kind: StatefulSet +metadata: + name: summon-init-mysql + labels: + app: test-summon-init-app-backend +spec: + serviceName: test-summon-init-app-backend + selector: + matchLabels: + app: test-summon-init-app-backend + template: + metadata: + labels: + app: test-summon-init-app-backend + spec: + containers: + - name: test-summon-init-app-backend + image: centos/mysql-57-centos7 + imagePullPolicy: Always + ports: + - containerPort: 3306 + env: + - name: MYSQL_USER + value: test_app + - name: MYSQL_PASSWORD + value: {{ TEST_APP_DB_PASSWORD }} + - name: MYSQL_DATABASE + value: test_app + +--- +kind: Service +apiVersion: v1 +metadata: + name: test-summon-sidecar-app-backend + namespace: {{ TEST_APP_NAMESPACE_NAME }} +spec: + selector: + app: test-summon-sidecar-app-backend + ports: + - port: 3306 + targetPort: 3306 + +--- +apiVersion: apps/v1beta1 +kind: StatefulSet +metadata: + name: summon-sidecar-mysql + labels: + app: test-summon-sidecar-app-backend +spec: + serviceName: test-summon-sidecar-app-backend + selector: + matchLabels: + app: test-summon-sidecar-app-backend + template: + metadata: + labels: + app: test-summon-sidecar-app-backend + spec: + containers: + - name: test-summon-sidecar-app-backend + image: centos/mysql-57-centos7 + imagePullPolicy: Always + ports: + - containerPort: 3306 + env: + - name: MYSQL_USER + value: test_app + - name: MYSQL_PASSWORD + value: {{ TEST_APP_DB_PASSWORD }} + - name: MYSQL_DATABASE + value: test_app + +--- +kind: Service +apiVersion: v1 +metadata: + name: test-secretless-app-backend + namespace: {{ TEST_APP_NAMESPACE_NAME }} +spec: + selector: + app: test-secretless-app-backend + ports: + - port: 3306 + targetPort: 3306 + +--- +apiVersion: apps/v1beta1 
+kind: StatefulSet +metadata: + name: secretless-mysql + labels: + app: test-secretless-app-backend +spec: + serviceName: test-secretless-app-backend + selector: + matchLabels: + app: test-secretless-app-backend + template: + metadata: + labels: + app: test-secretless-app-backend + spec: + containers: + - name: test-secretless-app-backend + image: centos/mysql-57-centos7 + imagePullPolicy: Always + ports: + - containerPort: 3306 + env: + - name: MYSQL_USER + value: test_app + - name: MYSQL_PASSWORD + value: {{ TEST_APP_DB_PASSWORD }} + - name: MYSQL_DATABASE + value: test_app diff --git a/openshift/postgres.template.yml b/openshift/postgres.template.yml index 265a0d0..95c9712 100644 --- a/openshift/postgres.template.yml +++ b/openshift/postgres.template.yml @@ -38,7 +38,7 @@ spec: - name: POSTGRESQL_USER value: test_app - name: POSTGRESQL_PASSWORD - value: {{ TEST_APP_PG_PASSWORD }} + value: {{ TEST_APP_DB_PASSWORD }} - name: POSTGRESQL_DATABASE value: test_app volumeMounts: @@ -95,7 +95,7 @@ spec: - name: POSTGRESQL_USER value: test_app - name: POSTGRESQL_PASSWORD - value: {{ TEST_APP_PG_PASSWORD }} + value: {{ TEST_APP_DB_PASSWORD }} - name: POSTGRESQL_DATABASE value: test_app volumeMounts: @@ -152,7 +152,7 @@ spec: - name: POSTGRESQL_USER value: test_app - name: POSTGRESQL_PASSWORD - value: {{ TEST_APP_PG_PASSWORD }} + value: {{ TEST_APP_DB_PASSWORD }} - name: POSTGRESQL_DATABASE value: test_app volumeMounts: diff --git a/openshift/test-app-secretless.yml b/openshift/test-app-secretless.yml index 824c639..5c47375 100644 --- a/openshift/test-app-secretless.yml +++ b/openshift/test-app-secretless.yml @@ -43,7 +43,7 @@ spec: - containerPort: 8080 env: - name: DB_URL - value: postgresql://localhost:5432/postgres + value: {{ SECRETLESS_DB_URL }} - image: {{ SECRETLESS_IMAGE }} imagePullPolicy: Always name: secretless diff --git a/pg/schema.template.sql b/pg/schema.template.sql index fcee442..c85ff08 100644 --- a/pg/schema.template.sql +++ b/pg/schema.template.sql 
@@ -1,2 +1,2 @@ -CREATE USER test_app PASSWORD '{{ TEST_APP_PG_PASSWORD }}'; +CREATE USER test_app PASSWORD '{{ TEST_APP_DB_PASSWORD }}'; GRANT ALL ON SCHEMA public to test_app; diff --git a/policy/app-access.yml b/policy/app-access.yml index 1c90593..d7db27b 100644 --- a/policy/app-access.yml +++ b/policy/app-access.yml @@ -42,6 +42,8 @@ - &secretless-variables - !variable password - !variable url + - !variable port + - !variable host - !variable username - !permit diff --git a/policy/load_policies.sh b/policy/load_policies.sh index 44f94da..acadd4b 100755 --- a/policy/load_policies.sh +++ b/policy/load_policies.sh @@ -42,14 +42,31 @@ for app_name in "${APPS[@]}"; do conjur variable values add "$app_name-db/password" $DB_PASSWORD conjur variable values add "$app_name-db/username" "test_app" - db_url="$app_name-backend.$TEST_APP_NAMESPACE_NAME.svc.cluster.local:5432/postgres" + case "$TEST_APP_DATABASE" in + postgres) + PORT=5432 + PROTOCOL=postgresql + ;; + mysql) + PORT=3306 + PROTOCOL=mysql + ;; + *) + echo "Expected TEST_APP_DATABASE to be 'mysql' or 'postgres', got '${TEST_APP_DATABASE}'" + exit 1 + ;; + esac + db_host="$app_name-backend.$TEST_APP_NAMESPACE_NAME.svc.cluster.local" + db_url="$db_host:$PORT/test_app" if [[ "$app_name" = "test-secretless-app" ]]; then # Secretless doesn't require the full connection URL, just the host/port # and an optional database conjur variable values add "$app_name-db/url" "$db_url" + conjur variable values add "$app_name-db/port" "$PORT" + conjur variable values add "$app_name-db/host" "$db_host" else - conjur variable values add "$app_name-db/url" "postgresql://$db_url" + conjur variable values add "$app_name-db/url" "$PROTOCOL://$db_url" fi done From 19e13e3a17f324099082d341e5c432c19a113ffc Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 18 Mar 2019 02:55:45 +0800 Subject: [PATCH 02/31] run test cases in sequence --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
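Review bot: In policy/load_policies.sh the `case "$TEST_APP_DATABASE"` block now runs once per iteration of the `for app_name` loop even though its result does not depend on `app_name`; hoist it above the loop and use lower-case `port`/`protocol` names so they are not mistaken for exported configuration. A shared helper would remove this copy as well. The enclosing loop starts before this hunk.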
diff --git a/Jenkinsfile b/Jenkinsfile index e71b522..be105ba 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -10,7 +10,7 @@ pipeline { stages { stage('Deploy Demos') { - parallel { + stages { // Postgres Tests From 8100198d21a45d4b8b9e085b327db53fe9161404 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 18 Mar 2019 09:22:30 +0800 Subject: [PATCH 03/31] run mysql and postgres tests in parallel --- Jenkinsfile | 84 ++++++++++++++++++++++++++++------------------------- 1 file changed, 45 insertions(+), 39 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index be105ba..98e880f 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -10,57 +10,63 @@ pipeline { stages { stage('Deploy Demos') { - stages { + parallel { // Postgres Tests + stage('Postgres') { + stages { + stage('GKE, v4 Conjur, Postgres') { + steps { + sh 'cd ci && summon -e gke ./test gke 4 postgres' + } + } - stage('GKE, v4 Conjur, Postgres') { - steps { - sh 'cd ci && summon -e gke ./test gke 4 postgres' - } - } + stage('GKE, v5 Conjur, Postgres') { + steps { + sh 'cd ci && summon -e gke ./test gke 5 postgres' + } + } - stage('GKE, v5 Conjur, Postgres') { - steps { - sh 'cd ci && summon -e gke ./test gke 5 postgres' - } - } + stage('OpenShift v3.9, v4 Conjur, Postgres') { + steps { + sh 'cd ci && summon -e oc ./test oc 4 postgres' + } + } - stage('OpenShift v3.9, v4 Conjur, Postgres') { - steps { - sh 'cd ci && summon -e oc ./test oc 4 postgres' + stage('OpenShift v3.9, v5 Conjur, Postgres') { + steps { + sh 'cd ci && summon -e oc ./test oc 5 postgres' + } + } } } - stage('OpenShift v3.9, v5 Conjur, Postgres') { - steps { - sh 'cd ci && summon -e oc ./test oc 5 postgres' - } - } - // MySQL Tests - - stage('GKE, v4 Conjur, MySQL') { - steps { - sh 'cd ci && summon -e gke ./test gke 4 mysql' - } - } + stage('MySQL') { + stages { + stage('GKE, v4 Conjur, MySQL') { + steps { + sh 'cd ci && summon -e gke ./test gke 4 mysql' + } + } - stage('GKE, v5 Conjur, MySQL') { - steps { - sh 'cd ci && summon -e gke ./test gke 5 mysql' - } - } + stage('GKE, v5 Conjur, MySQL') { + steps { + sh 'cd ci && summon -e gke ./test gke 5 mysql' + } + } - stage('OpenShift v3.9, v4 Conjur, MySQL') { - steps { - sh 'cd ci && summon -e oc ./test oc 4 mysql' - } - } + stage('OpenShift v3.9, v4 Conjur, MySQL') { + steps { + sh 'cd ci && summon -e oc ./test oc 4 mysql' + } + } - stage('OpenShift v3.9, v5 Conjur, MySQL') { - steps { - sh 'cd ci && summon -e oc ./test oc 5 mysql' + stage('OpenShift v3.9, v5 Conjur, MySQL') { + steps { + sh 'cd ci && summon -e oc ./test oc 5 mysql' + } + } } } } 
From e1fde03f2a9048d54d7e02802b99868f0e515bbe Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 18 Mar 2019 09:42:02 +0800 Subject: [PATCH 04/31] show state of pods before exit --- ci/test | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ci/test b/ci/test index 7e9cfc0..77e8738 100755 --- a/ci/test +++ b/ci/test @@ -15,6 +15,12 @@ function finish { # Stop the running processes runDockerCommand " + if [ \$PLATFORM = 'kubernetes' ]; then + cli=kubectl + elif [ \$PLATFORM = 'openshift' ]; then + cli=oc + fi + \$oc get pods ./stop cd kubernetes-conjur-deploy-$UNIQUE_TEST_ID && ./stop " From 976cf39aff3a49d7be62a4f7bd407a5959c56189 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 18 Mar 2019 12:38:41 +0800 Subject: [PATCH 05/31] add health checks --- 7_verify_authentication.sh | 9 +++++++++ ci/test | 2 +- kubernetes/test-app-secretless.yml | 9 ++++++++- kubernetes/test-app-summon-init.yml | 9 ++++++++- kubernetes/test-app-summon-sidecar.yml | 9 ++++++++- openshift/test-app-secretless.yml | 9 ++++++++- openshift/test-app-summon-init.yml | 9 ++++++++- openshift/test-app-summon-sidecar.yml | 9 ++++++++- utils.sh | 8 +++++++- 9 files changed, 65 insertions(+), 8 deletions(-) diff --git a/7_verify_authentication.sh b/7_verify_authentication.sh index d34b197..7644d1f 100755 --- a/7_verify_authentication.sh +++ b/7_verify_authentication.sh @@ -26,6 +26,15 @@ announce "Validating that the deployments are functioning as expected." set_namespace $TEST_APP_NAMESPACE_NAME +echo "Waiting for pods to become available" + +while [[ $(pods_not_ready "test-app-summon-init") ]] || + [[ $(pods_not_ready "test-app-summon-sidecar") ]] || + [[ $(pods_not_ready "test-app-secretless") ]]; do + printf "." + sleep 1 +done + if [[ "$PLATFORM" == "openshift" ]]; then echo "Waiting for deployments to become available" diff --git a/ci/test b/ci/test index 77e8738..8050617 100755 --- a/ci/test +++ b/ci/test 
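Review bot: The new `while [[ $(pods_not_ready …) ]] …; do printf "."; sleep 1; done` in 7_verify_authentication.sh has no upper bound, so a pod that never becomes ready (bad image, failing DB connection) hangs the CI job until Jenkins kills it instead of failing with a useful message. Add an attempt counter, e.g. `local attempts=0` before the loop and `(( attempts++ < 300 )) || { echo "timed out waiting for pods" >&2; exit 1; }` inside it, so the failure is reported while the pod state is still available for inspection.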
@@ -20,7 +20,7 @@ function finish { elif [ \$PLATFORM = 'openshift' ]; then cli=oc fi - \$oc get pods + \$cli get pods ./stop cd kubernetes-conjur-deploy-$UNIQUE_TEST_ID && ./stop " diff --git a/kubernetes/test-app-secretless.yml b/kubernetes/test-app-secretless.yml index be98b4c..00d08a8 100644 --- a/kubernetes/test-app-secretless.yml +++ b/kubernetes/test-app-secretless.yml @@ -40,7 +40,14 @@ spec: imagePullPolicy: Always name: test-app-secretless ports: - - containerPort: 8080 + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /pets + port: http + initialDelaySeconds: 5 + periodSeconds: 10 env: - name: DB_URL value: {{ SECRETLESS_DB_URL }} diff --git a/kubernetes/test-app-summon-init.yml b/kubernetes/test-app-summon-init.yml index 7f62774..0f02fd9 100644 --- a/kubernetes/test-app-summon-init.yml +++ b/kubernetes/test-app-summon-init.yml @@ -40,7 +40,14 @@ spec: imagePullPolicy: {{ IMAGE_PULL_POLICY }} name: test-app ports: - - containerPort: 8080 + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /pets + port: http + initialDelaySeconds: 5 + periodSeconds: 10 env: - name: CONJUR_VERSION value: '{{ CONJUR_VERSION }}' diff --git a/kubernetes/test-app-summon-sidecar.yml b/kubernetes/test-app-summon-sidecar.yml index dfa75ec..caf90b6 100644 --- a/kubernetes/test-app-summon-sidecar.yml +++ b/kubernetes/test-app-summon-sidecar.yml @@ -40,7 +40,14 @@ spec: imagePullPolicy: {{ IMAGE_PULL_POLICY }} name: test-app ports: - - containerPort: 8080 + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /pets + port: http + initialDelaySeconds: 5 + periodSeconds: 10 env: - name: CONJUR_VERSION value: '{{ CONJUR_VERSION }}' diff --git a/openshift/test-app-secretless.yml b/openshift/test-app-secretless.yml index 5c47375..c403775 100644 --- a/openshift/test-app-secretless.yml +++ b/openshift/test-app-secretless.yml 
@@ -40,7 +40,14 @@ spec: imagePullPolicy: Always name: test-app-secretless ports: - - containerPort: 8080 + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /pets + port: http + initialDelaySeconds: 5 + periodSeconds: 10 env: - name: DB_URL value: {{ SECRETLESS_DB_URL }} diff --git a/openshift/test-app-summon-init.yml b/openshift/test-app-summon-init.yml index 290f343..bdadc78 100644 --- a/openshift/test-app-summon-init.yml +++ b/openshift/test-app-summon-init.yml @@ -40,7 +40,14 @@ spec: imagePullPolicy: Always name: test-app ports: - - containerPort: 8080 + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /pets + port: http + initialDelaySeconds: 5 + periodSeconds: 10 env: - name: CONJUR_VERSION value: '{{ CONJUR_VERSION }}' diff --git a/openshift/test-app-summon-sidecar.yml b/openshift/test-app-summon-sidecar.yml index ba157ec..ca41b61 100644 --- a/openshift/test-app-summon-sidecar.yml +++ b/openshift/test-app-summon-sidecar.yml @@ -40,7 +40,14 @@ spec: imagePullPolicy: Always name: test-app ports: - - containerPort: 8080 + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /pets + port: http + initialDelaySeconds: 5 + periodSeconds: 10 env: - name: CONJUR_VERSION value: '{{ CONJUR_VERSION }}' diff --git a/utils.sh b/utils.sh index 1b284bd..861400d 100755 --- a/utils.sh +++ b/utils.sh @@ -54,7 +54,7 @@ docker_tag_and_push() { else docker_tag="$DOCKER_REGISTRY_PATH/$CONJUR_NAMESPACE_NAME/$1:$CONJUR_NAMESPACE_NAME" fi - + docker tag $1:$CONJUR_NAMESPACE_NAME $docker_tag docker push $docker_tag } @@ -171,3 +171,9 @@ function deployment_status() { echo "$($cli describe deploymentconfig $deployment | awk '/^\tStatus:/' | awk '{ print $2 }')" } + +function pods_not_ready() { + local app_label=$1 + + $cli describe pod -l "app=$app_label" | awk '/Ready/' | awk '{ print $2 }' | grep 'False' +} From 09cfa9de7631df6531f60063569749486019a4ac Mon Sep 17 00:00:00 2001 
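Review bot: `pods_not_ready` in utils.sh prints nothing when no pod matches the label yet, which the caller in 7_verify_authentication.sh treats as "ready", so the wait loop can exit before the pods have even been scheduled. Parsing `describe` text is also brittle: `awk '/Ready/'` matches the `Ready`, `ContainersReady` and per-container lines alike. Reading the readiness flags through jsonpath and treating "no status yet" as not ready is both shorter and robust.
```shell
function pods_not_ready() {
  local app_label=$1
  local ready
  ready=$($cli get pods -l "app=$app_label" -o jsonpath='{.items[*].status.containerStatuses[*].ready}')
  # No pods (or no container status yet) counts as "not ready" so callers keep waiting
  if [[ -z "$ready" || "$ready" == *false* ]]; then
    echo "not ready"
  fi
}
```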
From: Kumbirai Tanekha Date: Mon, 18 Mar 2019 13:23:52 +0800 Subject: [PATCH 06/31] wait for port-forwarding --- 7_verify_authentication.sh | 9 ++++++++- ci/test | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/7_verify_authentication.sh b/7_verify_authentication.sh index 7644d1f..48cd417 100755 --- a/7_verify_authentication.sh +++ b/7_verify_authentication.sh @@ -34,6 +34,7 @@ while [[ $(pods_not_ready "test-app-summon-init") ]] || printf "." sleep 1 done +echo "" if [[ "$PLATFORM" == "openshift" ]]; then echo "Waiting for deployments to become available" @@ -62,7 +63,13 @@ if [[ "$PLATFORM" == "openshift" ]]; then secretless_url="localhost:8083" # Pause for the port-forwarding to complete setup - sleep 10 + echo "Waiting for port-forwarding to complete setup" + while [[ $(nc -z localhost 8081) ]] || + [[ $(nc -z localhost 8082) ]] || + [[ $(nc -z localhost 8083) ]]; do + printf "." + sleep 1 + done else echo "Waiting for services to become available" while [ -z "$(service_ip "test-app-summon-init")" ] || diff --git a/ci/test b/ci/test index 8050617..44d6fa2 100755 --- a/ci/test +++ b/ci/test @@ -20,7 +20,7 @@ function finish { elif [ \$PLATFORM = 'openshift' ]; then cli=oc fi - \$cli get pods + \$cli -n $TEST_APP_NAMESPACE_NAME get pods ./stop cd kubernetes-conjur-deploy-$UNIQUE_TEST_ID && ./stop " From a7a0283180125904bf85e18e6a4626ee548cad7e Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 18 Mar 2019 14:07:55 +0800 Subject: [PATCH 07/31] stop should list pods before exiting --- ci/test | 6 ------ stop | 7 +++++-- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/ci/test b/ci/test index 44d6fa2..7e9cfc0 100755 --- a/ci/test +++ b/ci/test 
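Review bot: The replacement for `sleep 10` never waits: `nc -z` writes nothing to stdout, so `[[ $(nc -z localhost 8081) ]]` tests an empty string and is always false, and the loop body is skipped regardless of whether the port-forward is up. Test the exit status instead, and consider the same attempt bound as the pod wait so a port-forward that never comes up fails the run. The enclosing `if [[ "$PLATFORM" == "openshift" ]]` block starts before and ends after this hunk.
```shell
echo "Waiting for port-forwarding to complete setup"
until nc -z localhost 8081 && nc -z localhost 8082 && nc -z localhost 8083; do
  printf "."
  sleep 1
done
```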
@@ -15,12 +15,6 @@ function finish { # Stop the running processes runDockerCommand " - if [ \$PLATFORM = 'kubernetes' ]; then - cli=kubectl - elif [ \$PLATFORM = 'openshift' ]; then - cli=oc - fi - \$cli -n $TEST_APP_NAMESPACE_NAME get pods ./stop cd kubernetes-conjur-deploy-$UNIQUE_TEST_ID && ./stop " diff --git a/stop b/stop index 0c5bd20..fa83d1f 100755 --- a/stop +++ b/stop @@ -1,8 +1,11 @@ -#!/bin/bash +#!/bin/bash set -euo pipefail . utils.sh +set_namespace $TEST_APP_NAMESPACE_NAME +$cli get pods + set_namespace default if [[ $PLATFORM == openshift ]]; then @@ -16,7 +19,7 @@ if has_namespace $TEST_APP_NAMESPACE_NAME; then while : ; do printf "..." - + if has_namespace "$TEST_APP_NAMESPACE_NAME"; then sleep 5 else From e1f7ba5a00d03139282e27ccd73a9f7145deb15d Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 18 Mar 2019 14:56:41 +0800 Subject: [PATCH 08/31] dump secretless logs --- 7_verify_authentication.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/7_verify_authentication.sh b/7_verify_authentication.sh index 48cd417..0a76806 100755 --- a/7_verify_authentication.sh +++ b/7_verify_authentication.sh @@ -12,6 +12,9 @@ function finish { set +u + echo "lastly from secretless" + kubectl logs -l "app=test-app-secretless" --all-containers=true + echo -e "\n\nStopping all port-forwarding" for pid in "${PIDS[@]}"; do if [ -n "${!pid}" ]; then From 9450dc0a536d5af5724cae8972ed14b2ee2106a4 Mon Sep 17 00:00:00 2001 
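Review bot: In `stop`, the new `set_namespace $TEST_APP_NAMESPACE_NAME` and `$cli get pods` run under `set -euo pipefail` before any teardown, so if the test died before the namespace existed (or `set_namespace` fails on a missing namespace, which depends on its implementation) the cleanup script aborts and leaves resources behind. Guard the diagnostic with the `has_namespace` helper this file already uses and never let it fail the script: `if has_namespace "$TEST_APP_NAMESPACE_NAME"; then set_namespace "$TEST_APP_NAMESPACE_NAME"; $cli get pods || true; fi`.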
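Review bot: The log dump added to `finish` in 7_verify_authentication.sh hard-codes `kubectl`, while the rest of the file selects `$cli` per platform, and it runs before the port-forward processes are killed; if the command fails (no matching pods, no kubectl on the OpenShift runner) the trap aborts and the port-forwards are left running. Use `$cli logs -l "app=test-app-secretless" --all-containers=true || true` and replace the `"lastly from secretless"` message with something descriptive such as `"Secretless container logs:"`.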
From: Kumbirai Tanekha Date: Mon, 18 Mar 2019 17:32:29 +0800 Subject: [PATCH 09/31] make generated files unique across tests --- .gitignore | 6 +- 2_load_conjur_policies.sh | 16 ++- 5_build_and_push_containers.sh | 3 +- 6_deploy_test_app.sh | 15 ++- kubernetes/postgres.template.yml | 166 +++++++++++++++++++++++++++++++ pg/Dockerfile | 3 - pg/schema.template.sql | 2 - test_app_summon/Dockerfile | 4 +- test_app_summon/Dockerfile.oc | 4 +- 9 files changed, 192 insertions(+), 27 deletions(-) create mode 100644 kubernetes/postgres.template.yml delete mode 100644 pg/schema.template.sql diff --git a/.gitignore b/.gitignore index 5e4d7e4..b5fe4e4 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,11 @@ policy/generated/* -pg/schema.sql +openshift/*.postgres.yml +openshift/*.mysql.yml +kubernetes/*.postgres.yml +kubernetes/*.mysql.yml openshift/postgres.yml openshift/mysql.yml +kubernetes/postgres.yml kubernetes/mysql.yml test_app_summon/secrets.yml test_app_summon/summon* diff --git a/2_load_conjur_policies.sh b/2_load_conjur_policies.sh index 0cf308b..01e314a 100755 --- a/2_load_conjur_policies.sh +++ b/2_load_conjur_policies.sh 
@@ -47,20 +47,16 @@ if [[ "${DEPLOY_MASTER_CLUSTER}" == "true" ]]; then set_namespace "$TEST_APP_NAMESPACE_NAME" fi -# Set DB password in DB schema -pushd pg - sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./schema.template.sql > ./schema.sql -popd - -# Set DB password in MySQL Kubernetes manifest +# Set DB password in Kubernetes manifests pushd kubernetes - sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./mysql.yml + sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./${TEST_APP_NAMESPACE_NAME}.postgres.sql + sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./${TEST_APP_NAMESPACE_NAME}.mysql.yml popd -# Set DB password in OC deployment manifest +# Set DB password in OC manifests pushd openshift - sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./postgres.yml - sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./mysql.yml + sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./${TEST_APP_NAMESPACE_NAME}.postgres.yml + sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./${TEST_APP_NAMESPACE_NAME}.mysql.yml popd announce "Added DB password value: $password" diff --git a/5_build_and_push_containers.sh b/5_build_and_push_containers.sh index 221ad8f..087b289 100755 --- a/5_build_and_push_containers.sh +++ b/5_build_and_push_containers.sh @@ -28,7 +28,7 @@ pushd test_app_summon for app_type in "${APPS[@]}"; do # prep secrets.yml - sed -e "s#{{ TEST_APP_NAME }}#test-summon-$app_type-app#g" ./secrets.template.yml > secrets.yml + sed -e "s#{{ TEST_APP_NAME }}#test-summon-$app_type-app#g" ./secrets.template.yml > "$TEST_APP_NAMESPACE_NAME.secrets.yml" dockerfile="Dockerfile" if [[ "$PLATFORM" == "openshift" ]]; then 
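Review bot: The Kubernetes postgres manifest is written to `./${TEST_APP_NAMESPACE_NAME}.postgres.sql`, but the `6_deploy_test_app.sh` hunk in this same commit reads `./$PLATFORM/${TEST_APP_NAMESPACE_NAME}.postgres.yml`, and none of the `.gitignore` patterns added here match `*.postgres.sql`, so a file containing the rendered DB password sits unignored in the working tree while the deploy fails on a missing file; rename the redirect target to `./${TEST_APP_NAMESPACE_NAME}.postgres.yml`. Separately, `$password` is spliced into a `sed` replacement where `#`, `&` and `\` are metacharacters, which is only safe if the generator ("Create the random database password", not in this hunk) restricts the alphabet — worth a comment stating that assumption or a guard such as `[[ "$password" =~ ^[A-Za-z0-9]+$ ]] || exit 1` before the substitutions.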
@@ -37,6 +37,7 @@ pushd test_app_summon echo "Building test app image" docker build \ + --build-arg namespace=$TEST_APP_NAMESPACE_NAME\ -t test-app:$CONJUR_NAMESPACE_NAME \ -f $dockerfile . diff --git a/6_deploy_test_app.sh b/6_deploy_test_app.sh index f107a92..81f8c5e 100755 --- a/6_deploy_test_app.sh +++ b/6_deploy_test_app.sh @@ -27,7 +27,7 @@ init_registry_creds() { if [[ "$PLATFORM" == "kubernetes" ]]; then if [[ "${DOCKER_EMAIL}" != "" ]]; then announce "Creating image pull secret." - + kubectl delete --ignore-not-found secret dockerpullsecret kubectl create secret docker-registry dockerpullsecret \ @@ -38,16 +38,16 @@ init_registry_creds() { fi elif [[ "$PLATFORM" == "openshift" ]]; then announce "Creating image pull secret." - + $cli delete --ignore-not-found secrets dockerpullsecret - + $cli secrets new-dockercfg dockerpullsecret \ --docker-server=${DOCKER_REGISTRY_PATH} \ --docker-username=_ \ --docker-password=$($cli whoami -t) \ --docker-email=_ - - $cli secrets add serviceaccount/default secrets/dockerpullsecret --for=pull + + $cli secrets add serviceaccount/default secrets/dockerpullsecret --for=pull fi } 
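Review bot: `--build-arg namespace=$TEST_APP_NAMESPACE_NAME\` has no space before the continuation backslash and leaves the expansion unquoted; it only works because the following line begins with indentation, and a value containing whitespace would split the argument. Write it as `--build-arg "namespace=$TEST_APP_NAMESPACE_NAME" \`. The image is still tagged `test-app:$CONJUR_NAMESPACE_NAME` while the secrets file baked into it is chosen per `TEST_APP_NAMESPACE_NAME`; if those two can differ across parallel runs, builds will overwrite each other's tag — hedged, since how the two variables relate is not visible here.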
@@ -100,15 +100,14 @@ deploy_app_backend() { echo "Deploying test app backend" test_app_pg_docker_image=$(platform_image test-app-pg) - sed -e "s#{{ TEST_APP_PG_DOCKER_IMAGE }}#$test_app_pg_docker_image#g" ./$PLATFORM/postgres.yml | + sed -e "s#{{ TEST_APP_PG_DOCKER_IMAGE }}#$test_app_pg_docker_image#g" ./$PLATFORM/${TEST_APP_NAMESPACE_NAME}.postgres.yml | sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | $cli create -f - ;; mysql) echo "Deploying test app backend" test_app_mysql_docker_image="mysql/mysql-server:5.7" - sed -e "s#{{ TEST_APP_DATABASE_DOCKER_IMAGE }}#$test_app_mysql_docker_image#g" ./$PLATFORM/mysql.yml | sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | $cli create -f - - echo "doneee" + sed -e "s#{{ TEST_APP_DATABASE_DOCKER_IMAGE }}#$test_app_mysql_docker_image#g" ./$PLATFORM/${TEST_APP_NAMESPACE_NAME}.mysql.yml | sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | $cli create -f - ;; *) echo "Expected TEST_APP_DATABASE to be 'mysql' or 'postgres', got '${TEST_APP_DATABASE}'" diff --git a/kubernetes/postgres.template.yml b/kubernetes/postgres.template.yml new file mode 100644 index 0000000..75ad69a --- /dev/null +++ b/kubernetes/postgres.template.yml 
@@ -0,0 +1,166 @@ +--- +kind: Service +apiVersion: v1 +metadata: + name: test-summon-init-app-backend + namespace: {{ TEST_APP_NAMESPACE_NAME }} +spec: + selector: + app: test-summon-init-app-backend + ports: + - port: 5432 + targetPort: 5432 + +--- +apiVersion: apps/v1beta1 +kind: StatefulSet +metadata: + name: summon-init-pg + labels: + app: test-summon-init-app-backend +spec: + serviceName: test-summon-init-app-backend + selector: + matchLabels: + app: test-summon-init-app-backend + template: + metadata: + labels: + app: test-summon-init-app-backend + spec: + securityContext: + fsGroup: 999 + containers: + - name: test-summon-init-app-backend + image: {{ TEST_APP_PG_DOCKER_IMAGE }} + imagePullPolicy: Always + ports: + - containerPort: 5432 + volumeMounts: + - name: backend-certs + mountPath: "/etc/certs/" + readOnly: true + args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/server.crt", "-c", "ssl_key_file=/etc/certs/server.key"] + env: + - name: POSTGRES_USER + value: test_app + - name: POSTGRES_PASSWORD + value: {{ TEST_APP_DB_PASSWORD }} + - name: POSTGRES_DB + value: test_app + volumes: + - name: backend-certs + secret: + secretName: test-app-backend-certs + defaultMode: 384 +--- +kind: Service +apiVersion: v1 +metadata: + name: test-summon-sidecar-app-backend + namespace: {{ TEST_APP_NAMESPACE_NAME }} +spec: + selector: + app: test-summon-sidecar-app-backend + ports: + - port: 5432 + targetPort: 5432 + +--- +apiVersion: apps/v1beta1 +kind: StatefulSet +metadata: + name: summon-sidecar-pg + labels: + app: test-summon-sidecar-app-backend +spec: + serviceName: test-summon-sidecar-app-backend + selector: + matchLabels: + app: test-summon-sidecar-app-backend + template: + metadata: + labels: + app: test-summon-sidecar-app-backend + spec: + securityContext: + fsGroup: 999 + containers: + - name: test-summon-sidecar-app-backend + image: {{ TEST_APP_PG_DOCKER_IMAGE }} + imagePullPolicy: Always + ports: + - containerPort: 5432 + volumeMounts: + - name: 
backend-certs + mountPath: "/etc/certs/" + readOnly: true + args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/server.crt", "-c", "ssl_key_file=/etc/certs/server.key"] + env: + - name: POSTGRES_USER + value: test_app + - name: POSTGRES_PASSWORD + value: {{ TEST_APP_DB_PASSWORD }} + - name: POSTGRES_DB + value: test_app + volumes: + - name: backend-certs + secret: + secretName: test-app-backend-certs + defaultMode: 384 + +--- +kind: Service +apiVersion: v1 +metadata: + name: test-secretless-app-backend + namespace: {{ TEST_APP_NAMESPACE_NAME }} +spec: + selector: + app: test-secretless-app-backend + ports: + - port: 5432 + targetPort: 5432 + +--- +apiVersion: apps/v1beta1 +kind: StatefulSet +metadata: + name: secretless-pg + labels: + app: test-secretless-app-backend +spec: + serviceName: test-secretless-app-backend + selector: + matchLabels: + app: test-secretless-app-backend + template: + metadata: + labels: + app: test-secretless-app-backend + spec: + securityContext: + fsGroup: 999 + containers: + - name: test-secretless-app-backend + image: {{ TEST_APP_PG_DOCKER_IMAGE }} + imagePullPolicy: Always + ports: + - containerPort: 5432 + volumeMounts: + - name: backend-certs + mountPath: "/etc/certs/" + readOnly: true + args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/server.crt", "-c", "ssl_key_file=/etc/certs/server.key"] + env: + - name: POSTGRES_USER + value: test_app + - name: POSTGRES_PASSWORD + value: {{ TEST_APP_DB_PASSWORD }} + - name: POSTGRES_DB + value: test_app + volumes: + - name: backend-certs + secret: + secretName: test-app-backend-certs + defaultMode: 384 diff --git a/pg/Dockerfile b/pg/Dockerfile index bdd892a..3b7ee97 100644 --- a/pg/Dockerfile +++ b/pg/Dockerfile @@ -1,8 +1,5 @@ FROM postgres:9.6 -ENV POSTGRES_PASSWORD postgres - RUN mkdir -p /docker-entrypoint-initdb.d -COPY ./schema.sql /docker-entrypoint-initdb.d/ COPY rotate_password /usr/local/bin/ 
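Review bot: `POSTGRES_PASSWORD` is rendered as a literal `value: {{ TEST_APP_DB_PASSWORD }}` in all three StatefulSets, so the password is readable by anyone who can `get` or `describe` the StatefulSets or Pods in the namespace and persists in the rendered `*.postgres.yml` in the CI workspace; the same manifest already mounts a Secret (`test-app-backend-certs`), and the postgres branch of `deploy_app_backend` in `6_deploy_test_app.sh` appears to create secrets for the backend, so the password could be delivered the same way. `apps/v1beta1` is also a deprecated API group that current Kubernetes releases no longer serve; `apps/v1` supports the fields used here. The snippet below replaces the env entry in each of the three StatefulSets; the Secret name is a placeholder to be aligned with what the deploy script creates.
```yaml
# … unchanged: Service and StatefulSet metadata, volumeMounts, args …
          env:
          - name: POSTGRES_USER
            value: test_app
          - name: POSTGRES_PASSWORD
            valueFrom:
              secretKeyRef:
                name: TEST_APP_DB_SECRET_NAME_PLACEHOLDER  # placeholder: Secret created by the deploy script
                key: password
          - name: POSTGRES_DB
            value: test_app
# … unchanged: volumes …
```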
diff --git a/pg/schema.template.sql b/pg/schema.template.sql deleted file mode 100644 index c85ff08..0000000 --- a/pg/schema.template.sql +++ /dev/null @@ -1,2 +0,0 @@ -CREATE USER test_app PASSWORD '{{ TEST_APP_DB_PASSWORD }}'; -GRANT ALL ON SCHEMA public to test_app; diff --git a/test_app_summon/Dockerfile b/test_app_summon/Dockerfile index c192436..d574b4d 100644 --- a/test_app_summon/Dockerfile +++ b/test_app_summon/Dockerfile @@ -1,3 +1,5 @@ +ARG namespace + FROM ruby:2.2.9 as test-app-builder MAINTAINER CyberArk LABEL builder="test-app-builder" @@ -25,7 +27,7 @@ COPY --from=test-app-builder /usr/local/lib/summon /usr/local/lib/summon COPY --from=test-app-builder /usr/local/bin/summon /usr/local/bin/summon #---copy secrets.yml into image---# -COPY secrets.yml /etc/secrets.yml +COPY $namespace.secrets.yml /etc/secrets.yml #---override entrypoint to wrap command with summon---# ENTRYPOINT [ "summon", "--provider", "summon-conjur", "-f", "/etc/secrets.yml", "java", "-jar", "/app.jar"] diff --git a/test_app_summon/Dockerfile.oc b/test_app_summon/Dockerfile.oc index 3195c35..30147bd 100644 --- a/test_app_summon/Dockerfile.oc +++ b/test_app_summon/Dockerfile.oc @@ -1,3 +1,5 @@ +ARG namespace + FROM cyberark/demo-app MAINTAINER CyberArk @@ -6,7 +8,7 @@ COPY summon-conjur /usr/local/lib/summon/ COPY summon /usr/local/bin/ #---copy secrets.yml into image---# -COPY secrets.yml /etc/secrets.yml +COPY $namespace.secrets.yml /etc/secrets.yml #---override entrypoint to wrap command with summon---# ENTRYPOINT [ "summon", "--provider", "summon-conjur", "-f", "/etc/secrets.yml", "java", "-jar", "/app.jar"] From 0866984f241512d10d7b69113e3a8544b0e861ca Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 18 Mar 2019 17:35:10 +0800 Subject: [PATCH 10/31] no --all-containers --- 7_verify_authentication.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/7_verify_authentication.sh b/7_verify_authentication.sh index 0a76806..0af6344 100755 
--- a/7_verify_authentication.sh +++ b/7_verify_authentication.sh @@ -13,7 +13,7 @@ function finish { set +u echo "lastly from secretless" - kubectl logs -l "app=test-app-secretless" --all-containers=true + kubectl logs -l "app=test-app-secretless" echo -e "\n\nStopping all port-forwarding" for pid in "${PIDS[@]}"; do From 03530166c37bec644619406e537630b9408afbca Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 18 Mar 2019 18:17:55 +0800 Subject: [PATCH 11/31] fix args .__. --- 2_load_conjur_policies.sh | 2 +- test_app_summon/Dockerfile | 3 +-- test_app_summon/Dockerfile.oc | 3 +-- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/2_load_conjur_policies.sh b/2_load_conjur_policies.sh index 01e314a..7f1a29c 100755 --- a/2_load_conjur_policies.sh +++ b/2_load_conjur_policies.sh @@ -49,7 +49,7 @@ fi # Set DB password in Kubernetes manifests pushd kubernetes - sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./${TEST_APP_NAMESPACE_NAME}.postgres.sql + sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./${TEST_APP_NAMESPACE_NAME}.postgres.yml sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./${TEST_APP_NAMESPACE_NAME}.mysql.yml popd diff --git a/test_app_summon/Dockerfile b/test_app_summon/Dockerfile index d574b4d..697770e 100644 --- a/test_app_summon/Dockerfile +++ b/test_app_summon/Dockerfile @@ -1,5 +1,3 @@ -ARG namespace - FROM ruby:2.2.9 as test-app-builder MAINTAINER CyberArk LABEL builder="test-app-builder" @@ -20,6 +18,7 @@ ENV PATH="/usr/local/lib/summon:${PATH}" # ============= MAIN CONTAINER ============== # FROM cyberark/demo-app +ARG namespace MAINTAINER CyberArk #---copy summon into image---# diff --git a/test_app_summon/Dockerfile.oc b/test_app_summon/Dockerfile.oc index 30147bd..e6de0f8 100644 --- a/test_app_summon/Dockerfile.oc +++ b/test_app_summon/Dockerfile.oc 
@@ -1,6 +1,5 @@ -ARG namespace - FROM cyberark/demo-app +ARG namespace MAINTAINER CyberArk #---copy summon into image---# From 244d1926f155a08dace05f45f17df8130405f514 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 18 Mar 2019 19:36:28 +0800 Subject: [PATCH 12/31] round infinity --- .gitignore | 2 +- 2_load_conjur_policies.sh | 6 +- kubernetes/postgres.yml | 154 -------------------------------------- policy/load_policies.sh | 6 +- 4 files changed, 7 insertions(+), 161 deletions(-) delete mode 100644 kubernetes/postgres.yml diff --git a/.gitignore b/.gitignore index b5fe4e4..f627911 100644 --- a/.gitignore +++ b/.gitignore @@ -7,6 +7,6 @@ openshift/postgres.yml openshift/mysql.yml kubernetes/postgres.yml kubernetes/mysql.yml -test_app_summon/secrets.yml +test_app_summon/*.secrets.yml test_app_summon/summon* output/ diff --git a/2_load_conjur_policies.sh b/2_load_conjur_policies.sh index 7f1a29c..c2298ce 100755 --- a/2_load_conjur_policies.sh +++ b/2_load_conjur_policies.sh 
@@ -8,13 +8,13 @@ announce "Generating Conjur policy." pushd policy mkdir -p ./generated - sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml > ./generated/cluster-authn-svc.yml + sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml > ./generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml | - sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/project-authn.yml + sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/app-identity-def.template.yml | - sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/app-identity.yml + sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml popd # Create the random database password diff --git a/kubernetes/postgres.yml b/kubernetes/postgres.yml deleted file mode 100644 index b69f886..0000000 --- a/kubernetes/postgres.yml +++ /dev/null 
@@ -1,154 +0,0 @@ ---- -kind: Service -apiVersion: v1 -metadata: - name: test-summon-init-app-backend - namespace: {{ TEST_APP_NAMESPACE_NAME }} -spec: - selector: - app: test-summon-init-app-backend - ports: - - port: 5432 - targetPort: 5432 - ---- -apiVersion: apps/v1beta1 -kind: StatefulSet -metadata: - name: summon-init-pg - labels: - app: test-summon-init-app-backend -spec: - serviceName: test-summon-init-app-backend - selector: - matchLabels: - app: test-summon-init-app-backend - template: - metadata: - labels: - app: test-summon-init-app-backend - spec: - securityContext: - fsGroup: 999 - containers: - - name: test-summon-init-app-backend - image: {{ TEST_APP_PG_DOCKER_IMAGE }} - imagePullPolicy: Always - ports: - - containerPort: 5432 - volumeMounts: - - name: backend-certs - mountPath: "/etc/certs/" - readOnly: true - args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/server.crt", "-c", "ssl_key_file=/etc/certs/server.key"] - env: - - name: POSTGRES_DB - value: test_app - volumes: - - name: backend-certs - secret: - secretName: test-app-backend-certs - defaultMode: 384 ---- -kind: Service -apiVersion: v1 -metadata: - name: test-summon-sidecar-app-backend - namespace: {{ TEST_APP_NAMESPACE_NAME }} -spec: - selector: - app: test-summon-sidecar-app-backend - ports: - - port: 5432 - targetPort: 5432 - ---- -apiVersion: apps/v1beta1 -kind: StatefulSet -metadata: - name: summon-sidecar-pg - labels: - app: test-summon-sidecar-app-backend -spec: - serviceName: test-summon-sidecar-app-backend - selector: - matchLabels: - app: test-summon-sidecar-app-backend - template: - metadata: - labels: - app: test-summon-sidecar-app-backend - spec: - securityContext: - fsGroup: 999 - containers: - - name: test-summon-sidecar-app-backend - image: {{ TEST_APP_PG_DOCKER_IMAGE }} - imagePullPolicy: Always - ports: - - containerPort: 5432 - volumeMounts: - - name: backend-certs - mountPath: "/etc/certs/" - readOnly: true - args: ["-c", "ssl=on", "-c", 
"ssl_cert_file=/etc/certs/server.crt", "-c", "ssl_key_file=/etc/certs/server.key"] - env: - - name: POSTGRES_DB - value: test_app - volumes: - - name: backend-certs - secret: - secretName: test-app-backend-certs - defaultMode: 384 - ---- -kind: Service -apiVersion: v1 -metadata: - name: test-secretless-app-backend - namespace: {{ TEST_APP_NAMESPACE_NAME }} -spec: - selector: - app: test-secretless-app-backend - ports: - - port: 5432 - targetPort: 5432 - ---- -apiVersion: apps/v1beta1 -kind: StatefulSet -metadata: - name: secretless-pg - labels: - app: test-secretless-app-backend -spec: - serviceName: test-secretless-app-backend - selector: - matchLabels: - app: test-secretless-app-backend - template: - metadata: - labels: - app: test-secretless-app-backend - spec: - securityContext: - fsGroup: 999 - containers: - - name: test-secretless-app-backend - image: {{ TEST_APP_PG_DOCKER_IMAGE }} - imagePullPolicy: Always - ports: - - containerPort: 5432 - volumeMounts: - - name: backend-certs - mountPath: "/etc/certs/" - readOnly: true - args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/server.crt", "-c", "ssl_key_file=/etc/certs/server.key"] - env: - - name: POSTGRES_DB - value: test_app - volumes: - - name: backend-certs - secret: - secretName: test-app-backend-certs - defaultMode: 384 diff --git a/policy/load_policies.sh b/policy/load_policies.sh index acadd4b..06954cd 100755 --- a/policy/load_policies.sh +++ b/policy/load_policies.sh 
@@ -15,9 +15,9 @@ readonly PATH_TO_POLICY_FILES="/policy" readonly POLICY_FILES=( "$PATH_TO_POLICY_FILES/users.yml" - "$PATH_TO_POLICY_FILES/generated/project-authn.yml" - "$PATH_TO_POLICY_FILES/generated/cluster-authn-svc.yml" - "$PATH_TO_POLICY_FILES/generated/app-identity.yml" + "$PATH_TO_POLICY_FILES/generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml" + "$PATH_TO_POLICY_FILES/generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml" + "$PATH_TO_POLICY_FILES/generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml" "$PATH_TO_POLICY_FILES/app-access.yml" ) From 061141bea0f0e7a60835896c2f609d4f1702b190 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 18 Mar 2019 19:55:35 +0800 Subject: [PATCH 13/31] no logs --- 7_verify_authentication.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/7_verify_authentication.sh b/7_verify_authentication.sh index 0af6344..48cd417 100755 --- a/7_verify_authentication.sh +++ b/7_verify_authentication.sh @@ -12,9 +12,6 @@ function finish { set +u - echo "lastly from secretless" - kubectl logs -l "app=test-app-secretless" - echo -e "\n\nStopping all port-forwarding" for pid in "${PIDS[@]}"; do if [ -n "${!pid}" ]; then From 279adb66760bcd12e3ff2f28dfe06b8c413fd563 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 18 Mar 2019 22:05:15 +0800 Subject: [PATCH 14/31] use kubernetes-conjur-deploy with increased readinessProbe timeoutSeconds --- ci/test | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/test b/ci/test index 7e9cfc0..747ed1f 100755 --- a/ci/test +++ b/ci/test @@ -56,7 +56,7 @@ function main() { function deployConjur() { pushd .. - git clone git@github.com:cyberark/kubernetes-conjur-deploy kubernetes-conjur-deploy-$UNIQUE_TEST_ID + git clone --single-branch --branch kt/hot-fixes git@github.com:cyberark/kubernetes-conjur-deploy kubernetes-conjur-deploy-$UNIQUE_TEST_ID popd runDockerCommand "cd kubernetes-conjur-deploy-$UNIQUE_TEST_ID && ./start" 
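Review bot: `--branch kt/hot-fixes` makes CI run whatever is currently at the tip of a personal branch of `kubernetes-conjur-deploy` with this job's cluster credentials; the ref is mutable, so the code under test can change without any commit here, and the clone fails outright once the branch is merged and deleted. Pin to a commit instead, e.g. `git clone git@github.com:cyberark/kubernetes-conjur-deploy kubernetes-conjur-deploy-$UNIQUE_TEST_ID && git -C kubernetes-conjur-deploy-$UNIQUE_TEST_ID checkout <COMMIT_SHA_PLACEHOLDER>`, with a comment naming the upstream change so the override is removed when it lands. The rest of `deployConjur` is not visible in this hunk.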
From 73474ec246f149f22712cc4f0bdf9bdd18279055 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 18 Mar 2019 22:26:03 +0800 Subject: [PATCH 15/31] wait for service ips to complete setup --- 7_verify_authentication.sh | 9 +++++++++ kubernetes/test-app-secretless.yml | 4 ++-- kubernetes/test-app-summon-init.yml | 4 ++-- kubernetes/test-app-summon-sidecar.yml | 4 ++-- openshift/test-app-secretless.yml | 4 ++-- openshift/test-app-summon-init.yml | 4 ++-- openshift/test-app-summon-sidecar.yml | 4 ++-- 7 files changed, 21 insertions(+), 12 deletions(-) diff --git a/7_verify_authentication.sh b/7_verify_authentication.sh index 48cd417..88502fd 100755 --- a/7_verify_authentication.sh +++ b/7_verify_authentication.sh @@ -82,6 +82,15 @@ else init_url=$(service_ip test-app-summon-init):8080 sidecar_url=$(service_ip test-app-summon-sidecar):8080 secretless_url=$(service_ip test-app-secretless):8080 + + # Pause for service ips to complete setup + echo "Waiting for service ips to complete setup" + while [[ $(nc -z $(service_ip test-app-summon-init) 8080) ]] || + [[ $(nc -z $(service_ip test-app-summon-sidecar) 8080) ]] || + [[ $(nc -z $(service_ip test-app-secretless) 8080) ]]; do + printf "." + sleep 1 + done fi echo -e "\nAdding entry to the init app\n" diff --git a/kubernetes/test-app-secretless.yml b/kubernetes/test-app-secretless.yml index 00d08a8..44226d2 100644 --- a/kubernetes/test-app-secretless.yml +++ b/kubernetes/test-app-secretless.yml @@ -46,8 +46,8 @@ spec: httpGet: path: /pets port: http - initialDelaySeconds: 5 - periodSeconds: 10 + initialDelaySeconds: 15 + timeoutSeconds: 5 env: - name: DB_URL value: {{ SECRETLESS_DB_URL }} diff --git a/kubernetes/test-app-summon-init.yml b/kubernetes/test-app-summon-init.yml index 0f02fd9..847f971 100644 --- a/kubernetes/test-app-summon-init.yml +++ b/kubernetes/test-app-summon-init.yml 
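Review bot: `[[ $(nc -z host 8080) ]]` can never be true: `nc -z` prints nothing on either outcome, so the substitution is empty, `[[ ]]` on an empty string is false, and the loop exits immediately without waiting; the `nc` exit status, which is the signal wanted here, is discarded. Test the status directly and quote the addresses: `until nc -z "$(service_ip test-app-summon-init)" 8080 && nc -z "$(service_ip test-app-summon-sidecar)" 8080 && nc -z "$(service_ip test-app-secretless)" 8080; do`. The `else` branch this sits in starts before the hunk.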
@@ -46,8 +46,8 @@ spec: httpGet: path: /pets port: http - initialDelaySeconds: 5 - periodSeconds: 10 + initialDelaySeconds: 15 + timeoutSeconds: 5 env: - name: CONJUR_VERSION value: '{{ CONJUR_VERSION }}' diff --git a/kubernetes/test-app-summon-sidecar.yml b/kubernetes/test-app-summon-sidecar.yml index caf90b6..f972f6d 100644 --- a/kubernetes/test-app-summon-sidecar.yml +++ b/kubernetes/test-app-summon-sidecar.yml @@ -46,8 +46,8 @@ spec: httpGet: path: /pets port: http - initialDelaySeconds: 5 - periodSeconds: 10 + initialDelaySeconds: 15 + timeoutSeconds: 5 env: - name: CONJUR_VERSION value: '{{ CONJUR_VERSION }}' diff --git a/openshift/test-app-secretless.yml b/openshift/test-app-secretless.yml index c403775..c9db530 100644 --- a/openshift/test-app-secretless.yml +++ b/openshift/test-app-secretless.yml @@ -46,8 +46,8 @@ spec: httpGet: path: /pets port: http - initialDelaySeconds: 5 - periodSeconds: 10 + initialDelaySeconds: 15 + timeoutSeconds: 5 env: - name: DB_URL value: {{ SECRETLESS_DB_URL }} diff --git a/openshift/test-app-summon-init.yml b/openshift/test-app-summon-init.yml index bdadc78..d09f286 100644 --- a/openshift/test-app-summon-init.yml +++ b/openshift/test-app-summon-init.yml @@ -46,8 +46,8 @@ spec: httpGet: path: /pets port: http - initialDelaySeconds: 5 - periodSeconds: 10 + initialDelaySeconds: 15 + timeoutSeconds: 5 env: - name: CONJUR_VERSION value: '{{ CONJUR_VERSION }}' diff --git a/openshift/test-app-summon-sidecar.yml b/openshift/test-app-summon-sidecar.yml index ca41b61..41a22ce 100644 --- a/openshift/test-app-summon-sidecar.yml +++ b/openshift/test-app-summon-sidecar.yml @@ -46,8 +46,8 @@ spec: httpGet: path: /pets port: http - initialDelaySeconds: 5 - periodSeconds: 10 + initialDelaySeconds: 15 + timeoutSeconds: 5 env: - name: CONJUR_VERSION value: '{{ CONJUR_VERSION }}' From c619f7eed781bd851375deef7cb652f41399cd93 Mon Sep 17 00:00:00 2001 
From: Kumbirai Tanekha Date: Mon, 18 Mar 2019 22:55:38 +0800 Subject: [PATCH 16/31] add netcat to test container --- ci/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/Dockerfile b/ci/Dockerfile index 30e0b13..74f396d 100644 --- a/ci/Dockerfile +++ b/ci/Dockerfile @@ -5,7 +5,7 @@ WORKDIR /src # Install Docker client RUN apt-get update -y && \ - apt-get install -y apt-transport-https ca-certificates curl gnupg2 software-properties-common wget && \ + apt-get install -y apt-transport-https ca-certificates curl netcat gnupg2 software-properties-common wget && \ curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | apt-key add - && \ add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") $(lsb_release -cs) stable" && \ apt-get update && \ From 4dd3b0ecb69fab4895c0af4cfdea36d56781d6e6 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Tue, 19 Mar 2019 00:27:39 +0800 Subject: [PATCH 17/31] actually verify urls --- 7_verify_authentication.sh | 30 +++++++++++------------------- 1 file changed, 11 insertions(+), 19 deletions(-) diff --git a/7_verify_authentication.sh b/7_verify_authentication.sh index 88502fd..ebbebc7 100755 --- a/7_verify_authentication.sh +++ b/7_verify_authentication.sh 
@@ -61,38 +61,30 @@ if [[ "$PLATFORM" == "openshift" ]]; then init_url="localhost:8081" sidecar_url="localhost:8082" secretless_url="localhost:8083" - - # Pause for the port-forwarding to complete setup - echo "Waiting for port-forwarding to complete setup" - while [[ $(nc -z localhost 8081) ]] || - [[ $(nc -z localhost 8082) ]] || - [[ $(nc -z localhost 8083) ]]; do - printf "." - sleep 1 - done else echo "Waiting for services to become available" while [ -z "$(service_ip "test-app-summon-init")" ] || [ -z "$(service_ip "test-app-summon-sidecar")" ] || [ -z "$(service_ip "test-app-secretless")" ]; do printf "." - sleep 1 + sleep 3 done init_url=$(service_ip test-app-summon-init):8080 sidecar_url=$(service_ip test-app-summon-sidecar):8080 secretless_url=$(service_ip test-app-secretless):8080 - - # Pause for service ips to complete setup - echo "Waiting for service ips to complete setup" - while [[ $(nc -z $(service_ip test-app-summon-init) 8080) ]] || - [[ $(nc -z $(service_ip test-app-summon-sidecar) 8080) ]] || - [[ $(nc -z $(service_ip test-app-secretless) 8080) ]]; do - printf "." - sleep 1 - done fi +split_url() { echo $1 | awk -F":" '{print $1, $2}' } + +echo "Waiting for urls to be ready" +while [[ ! $(nc -z $(split_url $init_url)) ]] || + [[ ! $(nc -z $(split_url $sidecar_url)) ]] || + [[ ! $(nc -z $(split_url $secretless_url)) ]]; do + printf "." + sleep 3 +done + echo -e "\nAdding entry to the init app\n" curl \ -d '{"name": "Mr. Init"}' \ From c04839e72c64f8ee3170b1ef5c07c18f9d6f0d7b Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Tue, 19 Mar 2019 00:36:13 +0800 Subject: [PATCH 18/31] try doing everything in parallel :) --- Jenkinsfile | 89 +++++++++++++++++++++++++---------------------------- 1 file changed, 42 insertions(+), 47 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 98e880f..f090d2e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -9,64 +9,59 @@ pipeline { } stages { - stage('Deploy Demos') { - parallel { - // Postgres Tests - stage('Postgres') { - stages { - stage('GKE, v4 Conjur, Postgres') { - steps { - sh 'cd ci && summon -e gke ./test gke 4 postgres' - } - } + stage('Deploy Demos Postgres') { + parallel { + stage('GKE, v4 Conjur, Postgres') { + steps { + sh 'cd ci && summon -e gke ./test gke 4 postgres' + } + } - stage('GKE, v5 Conjur, Postgres') { - steps { - sh 'cd ci && summon -e gke ./test gke 5 postgres' - } - } + stage('GKE, v5 Conjur, Postgres') { + steps { + sh 'cd ci && summon -e gke ./test gke 5 postgres' + } + } - stage('OpenShift v3.9, v4 Conjur, Postgres') { - steps { - sh 'cd ci && summon -e oc ./test oc 4 postgres' - } - } + stage('OpenShift v3.9, v4 Conjur, Postgres') { + steps { + sh 'cd ci && summon -e oc ./test oc 4 postgres' + } + } - stage('OpenShift v3.9, v5 Conjur, Postgres') { - steps { - sh 'cd ci && summon -e oc ./test oc 5 postgres' - } - } + stage('OpenShift v3.9, v5 Conjur, Postgres') { + steps { + sh 'cd ci && summon -e oc ./test oc 5 postgres' } } + } + } // MySQL Tests - stage('MySQL') { - stages { - stage('GKE, v4 Conjur, MySQL') { - steps { - sh 'cd ci && summon -e gke ./test gke 4 mysql' - } - } + stage('MySQL') { + parallel { + stage('GKE, v4 Conjur, MySQL') { + steps { + sh 'cd ci && summon -e gke ./test gke 4 mysql' + } + } - stage('GKE, v5 Conjur, MySQL') { - steps { - sh 'cd ci && summon -e gke ./test gke 5 mysql' - } - } + stage('GKE, v5 Conjur, MySQL') { + steps { + sh 'cd ci && summon -e gke ./test gke 5 mysql' + } + } - stage('OpenShift v3.9, v4 Conjur, MySQL') { - steps { - sh 'cd ci && summon -e oc ./test oc 4 mysql' - } - } + stage('OpenShift v3.9, v4 Conjur, MySQL') { + steps { + sh 'cd ci && summon -e oc ./test oc 4 mysql' + } + } - stage('OpenShift v3.9, v5 Conjur, MySQL') { - steps { - sh 'cd ci && summon -e oc ./test oc 5 mysql' - } - } + stage('OpenShift v3.9, v5 Conjur, MySQL') { + steps { + sh 'cd ci && summon -e oc ./test oc 5 
mysql' } } } From 87c22a928b17baeafe79926384eb5db20e27146a Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Tue, 19 Mar 2019 01:03:09 +0800 Subject: [PATCH 19/31] fix function decl --- 7_verify_authentication.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/7_verify_authentication.sh b/7_verify_authentication.sh index ebbebc7..ec2359b 100755 --- a/7_verify_authentication.sh +++ b/7_verify_authentication.sh @@ -75,7 +75,9 @@ else secretless_url=$(service_ip test-app-secretless):8080 fi -split_url() { echo $1 | awk -F":" '{print $1, $2}' } +function split_url() { + echo $1 | awk -F":" '{print $1, $2}'; +} echo "Waiting for urls to be ready" while [[ ! $(nc -z $(split_url $init_url)) ]] || From 1a67b2674d016eed996c66169a1f8b2ba2b1448d Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Tue, 19 Mar 2019 01:33:53 +0800 Subject: [PATCH 20/31] redefine ready --- 7_verify_authentication.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/7_verify_authentication.sh b/7_verify_authentication.sh index ec2359b..dd37a6e 100755 --- a/7_verify_authentication.sh +++ b/7_verify_authentication.sh @@ -80,9 +80,9 @@ function split_url() { } echo "Waiting for urls to be ready" -while [[ ! $(nc -z $(split_url $init_url)) ]] || - [[ ! $(nc -z $(split_url $sidecar_url)) ]] || - [[ ! $(nc -z $(split_url $secretless_url)) ]]; do +while ! $(nc -z $(split_url $init_url)) || + ! $(nc -z $(split_url $sidecar_url)) || + ! $(nc -z $(split_url $secretless_url)); do printf "." sleep 3 done From 0fc72d7bcac2b3ec8afc41a30de9a5804c018642 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Tue, 19 Mar 2019 02:12:29 +0800 Subject: [PATCH 21/31] fix mysql tests description --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index f090d2e..4c337ea 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -39,7 +39,7 @@ pipeline { } // MySQL Tests - stage('MySQL') { + stage('Deploy Demos MySQL') { parallel { stage('GKE, v4 Conjur, MySQL') { steps { From 41e1f27b0672f191fc8b4034f661df180f085920 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Tue, 19 Mar 2019 21:58:24 +0800 Subject: [PATCH 22/31] cleanup + useful comments --- 0_check_dependencies.sh | 11 +---------- 2_load_conjur_policies.sh | 4 ++++ 5_build_and_push_containers.sh | 2 ++ 6_deploy_test_app.sh | 10 ++-------- 7_verify_authentication.sh | 6 +++--- ci/Dockerfile | 2 +- policy/load_policies.sh | 3 ++- utils.sh | 13 +++++++++++++ 8 files changed, 28 insertions(+), 23 deletions(-) diff --git a/0_check_dependencies.sh b/0_check_dependencies.sh index ee44947..23f0320 100755 --- a/0_check_dependencies.sh +++ b/0_check_dependencies.sh @@ -12,13 +12,4 @@ check_env_var "CONJUR_ACCOUNT" check_env_var "CONJUR_ADMIN_PASSWORD" check_env_var "AUTHENTICATOR_ID" check_env_var "TEST_APP_DATABASE" -case "${TEST_APP_DATABASE}" in -postgres) - ;; -mysql) - ;; -*) - echo "Expected TEST_APP_DATABASE to be 'mysql' or 'postgres', got '${TEST_APP_DATABASE}'" - exit 1 - ;; -esac +ensure_env_database diff --git a/2_load_conjur_policies.sh b/2_load_conjur_policies.sh index c2298ce..ad6917a 100755 --- a/2_load_conjur_policies.sh +++ b/2_load_conjur_policies.sh @@ -8,6 +8,8 @@ announce "Generating Conjur policy." pushd policy mkdir -p ./generated + # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI + sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml > ./generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml | 
@@ -48,12 +50,14 @@ if [[ "${DEPLOY_MASTER_CLUSTER}" == "true" ]]; then fi # Set DB password in Kubernetes manifests +# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI pushd kubernetes sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./${TEST_APP_NAMESPACE_NAME}.postgres.yml sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./${TEST_APP_NAMESPACE_NAME}.mysql.yml popd # Set DB password in OC manifests +# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI pushd openshift sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./${TEST_APP_NAMESPACE_NAME}.postgres.yml sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./${TEST_APP_NAMESPACE_NAME}.mysql.yml diff --git a/5_build_and_push_containers.sh b/5_build_and_push_containers.sh index 087b289..d9a5f53 100755 --- a/5_build_and_push_containers.sh +++ b/5_build_and_push_containers.sh @@ -26,8 +26,10 @@ pushd test_app_summon docker rm -v $id fi + for app_type in "${APPS[@]}"; do # prep secrets.yml + # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI sed -e "s#{{ TEST_APP_NAME }}#test-summon-$app_type-app#g" ./secrets.template.yml > "$TEST_APP_NAMESPACE_NAME.secrets.yml" dockerfile="Dockerfile" diff --git a/6_deploy_test_app.sh b/6_deploy_test_app.sh index 81f8c5e..d6ad992 100755 --- a/6_deploy_test_app.sh +++ b/6_deploy_test_app.sh @@ -89,6 +89,7 @@ deploy_app_backend() { statefulset/secretless-mysql \ secret/test-app-backend-certs + ensure_env_database case "${TEST_APP_DATABASE}" in postgres) echo "Create secrets for test app backend" 
@@ -109,10 +110,6 @@ deploy_app_backend() { test_app_mysql_docker_image="mysql/mysql-server:5.7" sed -e "s#{{ TEST_APP_DATABASE_DOCKER_IMAGE }}#$test_app_mysql_docker_image#g" ./$PLATFORM/${TEST_APP_NAMESPACE_NAME}.mysql.yml | sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | $cli create -f - ;; - *) - echo "Expected TEST_APP_DATABASE to be 'mysql' or 'postgres', got '${TEST_APP_DATABASE}'" - exit 1 - ;; esac } @@ -211,6 +208,7 @@ deploy_secretless_app() { sleep 5 + ensure_env_database case "$TEST_APP_DATABASE" in postgres) PORT=5432 @@ -220,10 +218,6 @@ deploy_secretless_app() { PORT=3306 PROTOCOL=mysql ;; - *) - echo "Expected TEST_APP_DATABASE to be 'mysql' or 'postgres', got '${TEST_APP_DATABASE}'" - exit 1 - ;; esac secretless_db_url="$PROTOCOL://localhost:$PORT/test_app" diff --git a/7_verify_authentication.sh b/7_verify_authentication.sh index dd37a6e..e49383b 100755 --- a/7_verify_authentication.sh +++ b/7_verify_authentication.sh @@ -80,9 +80,9 @@ function split_url() { } echo "Waiting for urls to be ready" -while ! $(nc -z $(split_url $init_url)) || - ! $(nc -z $(split_url $sidecar_url)) || - ! $(nc -z $(split_url $secretless_url)); do +while ! $(curl $(split_url $init_url)) || + ! $(curl $(split_url $sidecar_url)) || + ! $(curl $(split_url $secretless_url)); do printf "." sleep 3 done diff --git a/ci/Dockerfile b/ci/Dockerfile index 74f396d..30e0b13 100644 --- a/ci/Dockerfile +++ b/ci/Dockerfile 
@@ -5,7 +5,7 @@ WORKDIR /src # Install Docker client RUN apt-get update -y && \ - apt-get install -y apt-transport-https ca-certificates curl netcat gnupg2 software-properties-common wget && \ + apt-get install -y apt-transport-https ca-certificates curl gnupg2 software-properties-common wget && \ curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | apt-key add - && \ add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") $(lsb_release -cs) stable" && \ apt-get update && \ diff --git a/policy/load_policies.sh b/policy/load_policies.sh index 06954cd..99245c5 100755 --- a/policy/load_policies.sh +++ b/policy/load_policies.sh @@ -13,6 +13,7 @@ conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD readonly PATH_TO_POLICY_FILES="/policy" +# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI readonly POLICY_FILES=( "$PATH_TO_POLICY_FILES/users.yml" "$PATH_TO_POLICY_FILES/generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml" @@ -42,7 +43,7 @@ for app_name in "${APPS[@]}"; do conjur variable values add "$app_name-db/password" $DB_PASSWORD conjur variable values add "$app_name-db/username" "test_app" - case "$TEST_APP_DATABASE" in + case "${TEST_APP_DATABASE}" in postgres) PORT=5432 PROTOCOL=postgresql diff --git a/utils.sh b/utils.sh index 861400d..08437c1 100755 --- a/utils.sh +++ b/utils.sh @@ -22,6 +22,19 @@ check_env_var() { set -u } +ensure_env_database() { + case "${TEST_APP_DATABASE}" in + postgres) + ;; + mysql) + ;; + *) + echo "Expected TEST_APP_DATABASE to be 'mysql' or 'postgres', got '${TEST_APP_DATABASE}'" + exit 1 + ;; + esac +} + announce() { echo "++++++++++++++++++++++++++++++++++++++" echo "" From 6c895d8fded5c1ca466923e8eff4425c6958466c Mon Sep 17 00:00:00 2001 
From: Kumbirai Tanekha Date: Tue, 19 Mar 2019 22:19:49 +0800 Subject: [PATCH 23/31] fix urls + silence curl output in urls wait --- 7_verify_authentication.sh | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/7_verify_authentication.sh b/7_verify_authentication.sh index e49383b..4c99e23 100755 --- a/7_verify_authentication.sh +++ b/7_verify_authentication.sh @@ -75,14 +75,10 @@ else secretless_url=$(service_ip test-app-secretless):8080 fi -function split_url() { - echo $1 | awk -F":" '{print $1, $2}'; -} - echo "Waiting for urls to be ready" -while ! $(curl $(split_url $init_url)) || - ! $(curl $(split_url $sidecar_url)) || - ! $(curl $(split_url $secretless_url)); do +while ! $(curl -s --connect-timeout 3 $init_url > /dev/null) || + ! $(curl -s --connect-timeout 3 $sidecar_url > /dev/null) || + ! $(curl -s --connect-timeout 3 $secretless_url > /dev/null); do printf "." sleep 3 done From 1a096389f6946453f5f101b011dfbd1a956d2845 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 25 Mar 2019 22:21:09 +0800 Subject: [PATCH 24/31] address feedback --- 1_create_test_app_namespace.sh | 8 ++-- 2_load_conjur_policies.sh | 18 ++++----- 4_store_conjur_cert.sh | 4 +- 5_build_and_push_containers.sh | 2 +- 6_deploy_test_app.sh | 72 +++++++++++++++++----------------- 7_verify_authentication.sh | 6 +-- ci/test | 14 +++++++ policy/load_policies.sh | 12 +++--- rotate | 4 +- stop | 2 +- utils.sh | 23 ++++++----- 11 files changed, 89 insertions(+), 76 deletions(-) diff --git a/1_create_test_app_namespace.sh b/1_create_test_app_namespace.sh index fd58990..50e27c0 100755 --- a/1_create_test_app_namespace.sh +++ b/1_create_test_app_namespace.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash set -euo pipefail . utils.sh 
@@ -22,14 +22,14 @@ else elif [ $PLATFORM = 'openshift' ]; then $cli new-project $TEST_APP_NAMESPACE_NAME fi - + set_namespace $TEST_APP_NAMESPACE_NAME fi $cli delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME -sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./$PLATFORM/test-app-conjur-authenticator-role-binding.yml | - sed -e "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" | +sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./$PLATFORM/test-app-conjur-authenticator-role-binding.yml | + sed "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" | $cli create -f - if [[ $PLATFORM == openshift ]]; then diff --git a/2_load_conjur_policies.sh b/2_load_conjur_policies.sh index ad6917a..c7f599f 100755 --- a/2_load_conjur_policies.sh +++ b/2_load_conjur_policies.sh 
@@ -10,13 +10,13 @@ pushd policy # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI - sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml > ./generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml + sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml > ./generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml - sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml | - sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml + sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml | + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml - sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/app-identity-def.template.yml | - sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml + sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/app-identity-def.template.yml | + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml popd # Create the random database password 
@@ -52,15 +52,15 @@ fi # Set DB password in Kubernetes manifests # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI pushd kubernetes - sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./${TEST_APP_NAMESPACE_NAME}.postgres.yml - sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./${TEST_APP_NAMESPACE_NAME}.mysql.yml + sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./${TEST_APP_NAMESPACE_NAME}.postgres.yml + sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./${TEST_APP_NAMESPACE_NAME}.mysql.yml popd # Set DB password in OC manifests # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI pushd openshift - sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./${TEST_APP_NAMESPACE_NAME}.postgres.yml - sed -e "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./${TEST_APP_NAMESPACE_NAME}.mysql.yml + sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./${TEST_APP_NAMESPACE_NAME}.postgres.yml + sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./${TEST_APP_NAMESPACE_NAME}.mysql.yml popd announce "Added DB password value: $password" diff --git a/4_store_conjur_cert.sh b/4_store_conjur_cert.sh index 936700a..301ca6e 100755 --- a/4_store_conjur_cert.sh +++ b/4_store_conjur_cert.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash set -euo pipefail . utils.sh @@ -9,7 +9,7 @@ set_namespace $CONJUR_NAMESPACE_NAME echo "Retrieving Conjur certificate." -follower_pod_name=$($cli get pods -l role=follower --no-headers | awk '{ print $1 }' | head -1) +follower_pod_name=$($cli get pods --selector role=follower --no-headers | awk '{ print $1 }' | head -1) ssl_cert=$($cli exec $follower_pod_name -- cat /opt/conjur/etc/ssl/conjur.pem) set_namespace $TEST_APP_NAMESPACE_NAME 
diff --git a/5_build_and_push_containers.sh b/5_build_and_push_containers.sh index d9a5f53..1d422e7 100755 --- a/5_build_and_push_containers.sh +++ b/5_build_and_push_containers.sh @@ -30,7 +30,7 @@ pushd test_app_summon for app_type in "${APPS[@]}"; do # prep secrets.yml # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI - sed -e "s#{{ TEST_APP_NAME }}#test-summon-$app_type-app#g" ./secrets.template.yml > "$TEST_APP_NAMESPACE_NAME.secrets.yml" + sed "s#{{ TEST_APP_NAME }}#test-summon-$app_type-app#g" ./secrets.template.yml > "$TEST_APP_NAMESPACE_NAME.secrets.yml" dockerfile="Dockerfile" if [[ "$PLATFORM" == "openshift" ]]; then diff --git a/6_deploy_test_app.sh b/6_deploy_test_app.sh index d6ad992..51fa710 100755 --- a/6_deploy_test_app.sh +++ b/6_deploy_test_app.sh @@ -101,14 +101,14 @@ deploy_app_backend() { echo "Deploying test app backend" test_app_pg_docker_image=$(platform_image test-app-pg) - sed -e "s#{{ TEST_APP_PG_DOCKER_IMAGE }}#$test_app_pg_docker_image#g" ./$PLATFORM/${TEST_APP_NAMESPACE_NAME}.postgres.yml | - sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + sed "s#{{ TEST_APP_PG_DOCKER_IMAGE }}#$test_app_pg_docker_image#g" ./$PLATFORM/${TEST_APP_NAMESPACE_NAME}.postgres.yml | + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | $cli create -f - ;; mysql) echo "Deploying test app backend" test_app_mysql_docker_image="mysql/mysql-server:5.7" - sed -e "s#{{ TEST_APP_DATABASE_DOCKER_IMAGE }}#$test_app_mysql_docker_image#g" ./$PLATFORM/${TEST_APP_NAMESPACE_NAME}.mysql.yml | sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | $cli create -f - + sed "s#{{ TEST_APP_DATABASE_DOCKER_IMAGE }}#$test_app_mysql_docker_image#g" ./$PLATFORM/${TEST_APP_NAMESPACE_NAME}.mysql.yml | sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | $cli create -f - ;; esac 
@@ -130,18 +130,18 @@ deploy_sidecar_app() { sleep 5 - sed -e "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_sidecar_app_docker_image#g" ./$PLATFORM/test-app-summon-sidecar.yml | - sed -e "s#{{ AUTHENTICATOR_CLIENT_IMAGE }}#$authenticator_client_image#g" | - sed -e "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | - sed -e "s#{{ CONJUR_VERSION }}#$CONJUR_VERSION#g" | - sed -e "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | - sed -e "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" | - sed -e "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | - sed -e "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | - sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" | - sed -e "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - sed -e "s#{{ CONJUR_VERSION }}#'$CONJUR_VERSION'#g" | + sed "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_sidecar_app_docker_image#g" ./$PLATFORM/test-app-summon-sidecar.yml | + sed "s#{{ AUTHENTICATOR_CLIENT_IMAGE }}#$authenticator_client_image#g" | + sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | + sed "s#{{ CONJUR_VERSION }}#$CONJUR_VERSION#g" | + sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | + sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" | + sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | + sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" | + sed "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + sed "s#{{ CONJUR_VERSION }}#'$CONJUR_VERSION'#g" | $cli create -f - if [[ "$PLATFORM" == "openshift" ]]; then 
@@ -167,18 +167,18 @@ deploy_init_container_app() { sleep 5 - sed -e "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_init_app_docker_image#g" ./$PLATFORM/test-app-summon-init.yml | - sed -e "s#{{ AUTHENTICATOR_CLIENT_IMAGE }}#$authenticator_client_image#g" | - sed -e "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | - sed -e "s#{{ CONJUR_VERSION }}#$CONJUR_VERSION#g" | - sed -e "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | - sed -e "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" | - sed -e "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | - sed -e "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | - sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" | - sed -e "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - sed -e "s#{{ CONJUR_VERSION }}#'$CONJUR_VERSION'#g" | + sed "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_init_app_docker_image#g" ./$PLATFORM/test-app-summon-init.yml | + sed "s#{{ AUTHENTICATOR_CLIENT_IMAGE }}#$authenticator_client_image#g" | + sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | + sed "s#{{ CONJUR_VERSION }}#$CONJUR_VERSION#g" | + sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | + sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" | + sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | + sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" | + sed "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + sed "s#{{ CONJUR_VERSION }}#'$CONJUR_VERSION'#g" | $cli create -f - if [[ "$PLATFORM" == "openshift" ]]; then @@ -209,7 +209,7 @@ deploy_secretless_app() { sleep 5 ensure_env_database - case "$TEST_APP_DATABASE" in + case "${TEST_APP_DATABASE}" in postgres) PORT=5432 PROTOCOL=postgresql 
@@ -221,14 +221,14 @@ deploy_secretless_app() { esac secretless_db_url="$PROTOCOL://localhost:$PORT/test_app" - sed -e "s#{{ CONJUR_VERSION }}#$CONJUR_VERSION#g" ./$PLATFORM/test-app-secretless.yml | - sed -e "s#{{ SECRETLESS_IMAGE }}#$secretless_image#g" | - sed -e "s#{{ SECRETLESS_DB_URL }}#$secretless_db_url#g" | - sed -e "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | - sed -e "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" | - sed -e "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - sed -e "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | - sed -e "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | + sed "s#{{ CONJUR_VERSION }}#$CONJUR_VERSION#g" ./$PLATFORM/test-app-secretless.yml | + sed "s#{{ SECRETLESS_IMAGE }}#$secretless_image#g" | + sed "s#{{ SECRETLESS_DB_URL }}#$secretless_db_url#g" | + sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | + sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" | + sed "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | + sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | $cli create -f - if [[ "$PLATFORM" == "openshift" ]]; then diff --git a/7_verify_authentication.sh b/7_verify_authentication.sh index 4c99e23..881a936 100755 --- a/7_verify_authentication.sh +++ b/7_verify_authentication.sh @@ -76,9 +76,9 @@ else fi echo "Waiting for urls to be ready" -while ! $(curl -s --connect-timeout 3 $init_url > /dev/null) || - ! $(curl -s --connect-timeout 3 $sidecar_url > /dev/null) || - ! $(curl -s --connect-timeout 3 $secretless_url > /dev/null); do +until $(curl -s --connect-timeout 3 $init_url > /dev/null) && + $(curl -s --connect-timeout 3 $sidecar_url > /dev/null) && + $(curl -s --connect-timeout 3 $secretless_url > /dev/null); do printf "." sleep 3 done diff --git a/ci/test b/ci/test index 747ed1f..93c6c08 100755 --- a/ci/test +++ b/ci/test 
@@ -1,7 +1,15 @@ #!/bin/bash # Usage: +# ./test [platform] [conjur version] [database] +# +# Note: This script expects several environment variables to be +# defined and exported, some of which are sensitive/secret values. +# It is for this that we recommend to always call this script using summon. +# +# Recommended usage: # summon -e [platform] ./test [platform] [conjur version] [database] +# # platform: gke or oc # conjur version: 4 or 5 # database: postgres or mysql @@ -32,7 +40,13 @@ trap finish EXIT function printUsage() { echo "---" echo "Usage:" + echo "./test [platform] [conjur version] [database]" + echo "" + echo "Note: This script expects several environment variables to be defined and exported, some of which are sensitive/secret values. It is for this that we recommend to always call this script using summon." + echo "" + echo "Recommended Usage:" echo "summon -e [platform] ./test [platform] [conjur version] [database]" + echo "" echo "platform: gke or oc" echo "conjur version: 4 or 5" echo "database: postgres or mysql" diff --git a/policy/load_policies.sh b/policy/load_policies.sh index 99245c5..5f4c212 100755 --- a/policy/load_policies.sh +++ b/policy/load_policies.sh 
@@ -11,15 +11,15 @@ set -u conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD -readonly PATH_TO_POLICY_FILES="/policy" +readonly POLICY_DIR="/policy" # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI readonly POLICY_FILES=( - "$PATH_TO_POLICY_FILES/users.yml" - "$PATH_TO_POLICY_FILES/generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml" - "$PATH_TO_POLICY_FILES/generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml" - "$PATH_TO_POLICY_FILES/generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml" - "$PATH_TO_POLICY_FILES/app-access.yml" + "$POLICY_DIR/users.yml" + "$POLICY_DIR/generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml" + "$POLICY_DIR/generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml" + "$POLICY_DIR/generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml" + "$POLICY_DIR/app-access.yml" ) for policy_file in "${POLICY_FILES[@]}"; do diff --git a/rotate b/rotate index 5d78d10..f92fb81 100755 --- a/rotate +++ b/rotate @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash set -euo pipefail . utils.sh @@ -28,7 +28,7 @@ if [[ "$PLATFORM" = "kubernetes" ]]; then set_namespace $TEST_APP_NAMESPACE_NAME for app_name in "${APPS[@]}"; do - backend_pod=$($cli get pods --no-headers -l app=$app_name-backend | + backend_pod=$($cli get pods --no-headers --selector app=$app_name-backend | awk '{ print $1 }') $cli exec -c $app_name-backend $backend_pod -- rotate_password $new_pwd done diff --git a/stop b/stop index fa83d1f..a343a0a 100755 --- a/stop +++ b/stop @@ -18,7 +18,7 @@ if has_namespace $TEST_APP_NAMESPACE_NAME; then printf "Waiting for $TEST_APP_NAMESPACE_NAME namespace deletion to complete" while : ; do - printf "..." + printf "." if has_namespace "$TEST_APP_NAMESPACE_NAME"; then sleep 5 diff --git a/utils.sh b/utils.sh index 08437c1..976ea30 100755 --- a/utils.sh +++ b/utils.sh 
@@ -23,16 +23,15 @@ check_env_var() { } ensure_env_database() { - case "${TEST_APP_DATABASE}" in - postgres) - ;; - mysql) - ;; - *) - echo "Expected TEST_APP_DATABASE to be 'mysql' or 'postgres', got '${TEST_APP_DATABASE}'" + local valid_dbs=( + postgres + mysql + ) + if ! printf '%s\n' "${valid_dbs[@]}" | grep -q "^${TEST_APP_DATABASE}\$"; then + echo "Got '${TEST_APP_DATABASE}', expected TEST_APP_DATABASE to be one of:" + printf "'%s'\n" "${valid_dbs[@]}" exit 1 - ;; - esac + fi } announce() { @@ -81,12 +80,12 @@ get_pod_name() { } get_master_pod_name() { - pod_list=$($cli get pods -l app=conjur-node,role=master --no-headers | awk '{ print $1 }') + pod_list=$($cli get pods --selector app=conjur-node,role=master --no-headers | awk '{ print $1 }') echo $pod_list | awk '{print $1}' } get_conjur_cli_pod_name() { - pod_list=$($cli get pods -l app=conjur-cli --no-headers | awk '{ print $1 }') + pod_list=$($cli get pods --selector app=conjur-cli --no-headers | awk '{ print $1 }') echo $pod_list | awk '{print $1}' } @@ -188,5 +187,5 @@ function deployment_status() { function pods_not_ready() { local app_label=$1 - $cli describe pod -l "app=$app_label" | awk '/Ready/' | awk '{ print $2 }' | grep 'False' + $cli describe pod --selector "app=$app_label" | awk '/Ready/{if ($2 != "False") exit 1}' } From b93ec12aa134bd5138d1f3158796c30ef41b6c1d Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 25 Mar 2019 22:34:14 +0800 Subject: [PATCH 25/31] all temp files are of the form tmp.* --- .gitignore | 11 +---------- 2_load_conjur_policies.sh | 8 ++++---- 5_build_and_push_containers.sh | 6 +++--- 6_deploy_test_app.sh | 4 ++-- test_app_summon/Dockerfile | 2 +- test_app_summon/Dockerfile.oc | 6 +++--- 6 files changed, 14 insertions(+), 23 deletions(-) diff --git a/.gitignore b/.gitignore index f627911..faede12 100644 --- a/.gitignore +++ b/.gitignore 
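Review bot: The new validation treats `TEST_APP_DATABASE` as a regular expression: `grep -q "^${TEST_APP_DATABASE}\$"` accepts any value that happens to match one of the names, e.g. `........` or `.*`, which then falls through the `case` statements in 6_deploy_test_app.sh that no longer have a default arm. A fixed-string whole-line match avoids this, `printf '%s\n' "${valid_dbs[@]}" | grep -qxF -- "${TEST_APP_DATABASE}"`, or keep the original `case`. The diagnostic also goes to stdout; `echo … >&2` and `printf "'%s'\n" "${valid_dbs[@]}" >&2` would keep it out of captured output.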
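Review bot: The rewritten `pods_not_ready` no longer writes anything to stdout, but its caller in 7_verify_authentication.sh tests its output, `while [[ $(pods_not_ready "test-app-summon-init") ]] || …`, so that condition is now always false and the wait ends immediately. Either keep emitting a line for not-ready pods or change the caller to test the exit status, `while pods_not_ready "test-app-summon-init" || …`. The awk also exits 1 at the first `Ready` line that is not `False`, so the function succeeds only when every matching line is `False`, which is narrower than its name suggests; `awk '/Ready/ && $2 == "False" {f=1} END {exit !f}'` matches the original meaning.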
@@ -1,12 +1,3 @@ policy/generated/* -openshift/*.postgres.yml -openshift/*.mysql.yml -kubernetes/*.postgres.yml -kubernetes/*.mysql.yml -openshift/postgres.yml -openshift/mysql.yml -kubernetes/postgres.yml -kubernetes/mysql.yml -test_app_summon/*.secrets.yml -test_app_summon/summon* +tmp.* output/ diff --git a/2_load_conjur_policies.sh b/2_load_conjur_policies.sh index c7f599f..bd4a95c 100755 --- a/2_load_conjur_policies.sh +++ b/2_load_conjur_policies.sh @@ -52,15 +52,15 @@ fi # Set DB password in Kubernetes manifests # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI pushd kubernetes - sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./${TEST_APP_NAMESPACE_NAME}.postgres.yml - sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./${TEST_APP_NAMESPACE_NAME}.mysql.yml + sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml + sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml popd # Set DB password in OC manifests # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI pushd openshift - sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./${TEST_APP_NAMESPACE_NAME}.postgres.yml - sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./${TEST_APP_NAMESPACE_NAME}.mysql.yml + sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml + sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml popd announce "Added DB password value: $password" diff --git a/5_build_and_push_containers.sh b/5_build_and_push_containers.sh index 1d422e7..661c744 100755 --- a/5_build_and_push_containers.sh +++ b/5_build_and_push_containers.sh 
@@ -21,8 +21,8 @@ pushd test_app_summon # retrieve the summon binaries id=$(docker create test-app-builder) - docker cp $id:/usr/local/lib/summon/summon-conjur ./ - docker cp $id:/usr/local/bin/summon ./ + docker cp $id:/usr/local/lib/summon/summon-conjur ./tmp.summon-conjur + docker cp $id:/usr/local/bin/summon ./tmp.summon docker rm -v $id fi @@ -30,7 +30,7 @@ pushd test_app_summon for app_type in "${APPS[@]}"; do # prep secrets.yml # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI - sed "s#{{ TEST_APP_NAME }}#test-summon-$app_type-app#g" ./secrets.template.yml > "$TEST_APP_NAMESPACE_NAME.secrets.yml" + sed "s#{{ TEST_APP_NAME }}#test-summon-$app_type-app#g" ./secrets.template.yml > "tmp.$TEST_APP_NAMESPACE_NAME.secrets.yml" dockerfile="Dockerfile" if [[ "$PLATFORM" == "openshift" ]]; then diff --git a/6_deploy_test_app.sh b/6_deploy_test_app.sh index 51fa710..172dbfa 100755 --- a/6_deploy_test_app.sh +++ b/6_deploy_test_app.sh @@ -101,14 +101,14 @@ deploy_app_backend() { echo "Deploying test app backend" test_app_pg_docker_image=$(platform_image test-app-pg) - sed "s#{{ TEST_APP_PG_DOCKER_IMAGE }}#$test_app_pg_docker_image#g" ./$PLATFORM/${TEST_APP_NAMESPACE_NAME}.postgres.yml | + sed "s#{{ TEST_APP_PG_DOCKER_IMAGE }}#$test_app_pg_docker_image#g" ./$PLATFORM/tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml | sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | $cli create -f - ;; mysql) echo "Deploying test app backend" test_app_mysql_docker_image="mysql/mysql-server:5.7" - sed "s#{{ TEST_APP_DATABASE_DOCKER_IMAGE }}#$test_app_mysql_docker_image#g" ./$PLATFORM/${TEST_APP_NAMESPACE_NAME}.mysql.yml | sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | $cli create -f - + sed "s#{{ TEST_APP_DATABASE_DOCKER_IMAGE }}#$test_app_mysql_docker_image#g" ./$PLATFORM/tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml | sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | $cli create -f - ;; esac 
diff --git a/test_app_summon/Dockerfile b/test_app_summon/Dockerfile index 697770e..ea5cb10 100644 --- a/test_app_summon/Dockerfile +++ b/test_app_summon/Dockerfile @@ -26,7 +26,7 @@ COPY --from=test-app-builder /usr/local/lib/summon /usr/local/lib/summon COPY --from=test-app-builder /usr/local/bin/summon /usr/local/bin/summon #---copy secrets.yml into image---# -COPY $namespace.secrets.yml /etc/secrets.yml +COPY tmp.$namespace.secrets.yml /etc/secrets.yml #---override entrypoint to wrap command with summon---# ENTRYPOINT [ "summon", "--provider", "summon-conjur", "-f", "/etc/secrets.yml", "java", "-jar", "/app.jar"] diff --git a/test_app_summon/Dockerfile.oc b/test_app_summon/Dockerfile.oc index e6de0f8..8459699 100644 --- a/test_app_summon/Dockerfile.oc +++ b/test_app_summon/Dockerfile.oc @@ -3,11 +3,11 @@ ARG namespace MAINTAINER CyberArk #---copy summon into image---# -COPY summon-conjur /usr/local/lib/summon/ -COPY summon /usr/local/bin/ +COPY tmp.summon-conjur /usr/local/lib/summon/ +COPY tmp.summon /usr/local/bin/ #---copy secrets.yml into image---# -COPY $namespace.secrets.yml /etc/secrets.yml +COPY tmp.$namespace.secrets.yml /etc/secrets.yml #---override entrypoint to wrap command with summon---# ENTRYPOINT [ "summon", "--provider", "summon-conjur", "-f", "/etc/secrets.yml", "java", "-jar", "/app.jar"] From 9193d9b4a71bfece43b82ac8b59e3e6df94fc602 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Mon, 25 Mar 2019 22:46:44 +0800 Subject: [PATCH 26/31] more cleanup --- ci/test | 4 ++-- utils.sh | 11 +++-------- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/ci/test b/ci/test index 93c6c08..62a204e 100755 --- a/ci/test +++ b/ci/test @@ -191,7 +191,7 @@ function checkArguments() { } # Parse input arguments -if [ $# -ne 3 ]; then +if [[ $# -ne 3 ]]; then echo "Invalid number of arguments." printUsage fi 
@@ -205,7 +205,7 @@ export CONJUR_VERSION export TEST_APP_DATABASE # sensible default for OPENSHIFT_URL port -if [[ ! -z "${OPENSHIFT_URL}" ]] && [[ "${OPENSHIFT_URL}" != *: ]]; then +if [[ -n "${OPENSHIFT_URL}" ]] && [[ "${OPENSHIFT_URL}" != *: ]]; then OPENSHIFT_URL="${OPENSHIFT_URL}:8443" fi diff --git a/utils.sh b/utils.sh index 976ea30..4eb8881 100755 --- a/utils.sh +++ b/utils.sh @@ -9,17 +9,12 @@ elif [ $PLATFORM = 'openshift' ]; then fi check_env_var() { - var_name=$1 - - # temporarily turn off checking for unset variables - set +u - - if [ "${!var_name}" = "" ]; then + if [[ -z "${!1+x}" ]]; then +# where ${var+x} is a parameter expansion which evaluates to nothing if var is unset, and substitutes the string x otherwise. +# https://stackoverflow.com/questions/3601515/how-to-check-if-a-variable-is-set-in-bash/13864829#13864829 echo "You must set $1 before running these scripts." exit 1 fi - - set -u } ensure_env_database() { From 7fb953a8929c2524e621b5419423f029669ce363 Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Tue, 26 Mar 2019 00:20:16 +0800 Subject: [PATCH 27/31] fix tmp.summon* copy --- test_app_summon/Dockerfile.oc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test_app_summon/Dockerfile.oc b/test_app_summon/Dockerfile.oc index 8459699..03e8e7a 100644 --- a/test_app_summon/Dockerfile.oc +++ b/test_app_summon/Dockerfile.oc @@ -3,8 +3,8 @@ ARG namespace MAINTAINER CyberArk #---copy summon into image---# -COPY tmp.summon-conjur /usr/local/lib/summon/ -COPY tmp.summon /usr/local/bin/ +COPY tmp.summon-conjur /usr/local/lib/summon/summon-conjur +COPY tmp.summon /usr/local/bin/summon #---copy secrets.yml into image---# COPY tmp.$namespace.secrets.yml /etc/secrets.yml From d9c17d5c6220b84321f70046c2bee72729a30389 Mon Sep 17 00:00:00 2001 
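Review bot: `[[ -z "${!1+x}" ]]` only fails for an unset variable, whereas the code it replaces (`[ "${!var_name}" = "" ]`) also rejected a variable that is set but empty, so an exported-but-empty `CONJUR_ADMIN_PASSWORD` now passes the check. If the original intent is wanted, use the colon form, `if [[ -z "${!1:+x}" ]]; then`. The two explanatory comment lines sit inside the `if` body at column 0; moving them above the `if` and indenting them would read more naturally.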
From: Kumbirai Tanekha Date: Tue, 26 Mar 2019 16:03:58 +0800 Subject: [PATCH 28/31] more cleanup --- 5_build_and_push_containers.sh | 6 +++--- 6_deploy_test_app.sh | 34 +++++++++++++++++++--------------- 7_verify_authentication.sh | 6 +++--- Jenkinsfile | 16 ++++++++-------- ci/test | 8 ++++---- utils.sh | 4 ++-- 6 files changed, 39 insertions(+), 35 deletions(-) diff --git a/5_build_and_push_containers.sh b/5_build_and_push_containers.sh index 661c744..ded5736 100755 --- a/5_build_and_push_containers.sh +++ b/5_build_and_push_containers.sh @@ -23,7 +23,7 @@ pushd test_app_summon id=$(docker create test-app-builder) docker cp $id:/usr/local/lib/summon/summon-conjur ./tmp.summon-conjur docker cp $id:/usr/local/bin/summon ./tmp.summon - docker rm -v $id + docker rm --volumes $id fi @@ -40,8 +40,8 @@ pushd test_app_summon echo "Building test app image" docker build \ --build-arg namespace=$TEST_APP_NAMESPACE_NAME\ - -t test-app:$CONJUR_NAMESPACE_NAME \ - -f $dockerfile . + --tag test-app:$CONJUR_NAMESPACE_NAME \ + --file $dockerfile . test_app_image=$(platform_image "test-$app_type-app") docker tag test-app:$CONJUR_NAMESPACE_NAME $test_app_image diff --git a/6_deploy_test_app.sh b/6_deploy_test_app.sh index 172dbfa..4cc24b3 100755 --- a/6_deploy_test_app.sh +++ b/6_deploy_test_app.sh 
@@ -24,18 +24,16 @@ main() { ########################### init_registry_creds() { - if [[ "$PLATFORM" == "kubernetes" ]]; then - if [[ "${DOCKER_EMAIL}" != "" ]]; then - announce "Creating image pull secret." - - kubectl delete --ignore-not-found secret dockerpullsecret - - kubectl create secret docker-registry dockerpullsecret \ - --docker-server=$DOCKER_REGISTRY_URL \ - --docker-username=$DOCKER_USERNAME \ - --docker-password=$DOCKER_PASSWORD \ - --docker-email=$DOCKER_EMAIL - fi + if [[ "${PLATFORM}" == "kubernetes" ]] && [[ -n "${DOCKER_EMAIL}" ]]; then + announce "Creating image pull secret." + + kubectl delete --ignore-not-found secret dockerpullsecret + + kubectl create secret docker-registry dockerpullsecret \ + --docker-server=$DOCKER_REGISTRY_URL \ + --docker-username=$DOCKER_USERNAME \ + --docker-password=$DOCKER_PASSWORD \ + --docker-email=$DOCKER_EMAIL elif [[ "$PLATFORM" == "openshift" ]]; then announce "Creating image pull secret." @@ -100,15 +98,21 @@ deploy_app_backend() { --from-file=server.key=./etc/ca-key.pem echo "Deploying test app backend" + test_app_pg_docker_image=$(platform_image test-app-pg) + sed "s#{{ TEST_APP_PG_DOCKER_IMAGE }}#$test_app_pg_docker_image#g" ./$PLATFORM/tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml | - sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - $cli create -f - + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + $cli create -f - ;; mysql) echo "Deploying test app backend" + test_app_mysql_docker_image="mysql/mysql-server:5.7" - sed "s#{{ TEST_APP_DATABASE_DOCKER_IMAGE }}#$test_app_mysql_docker_image#g" ./$PLATFORM/tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml | sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | $cli create -f - + + sed "s#{{ TEST_APP_DATABASE_DOCKER_IMAGE }}#$test_app_mysql_docker_image#g" ./$PLATFORM/tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml | + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + $cli create -f - ;; esac 
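Review bot: The `kubectl create secret docker-registry` call in the merged branch passes `$DOCKER_REGISTRY_URL`, `$DOCKER_USERNAME`, `$DOCKER_PASSWORD` and `$DOCKER_EMAIL` unquoted, so a value containing whitespace or glob characters is split before kubectl sees it; quote them, e.g. `--docker-password="${DOCKER_PASSWORD}"`. The registry password also travels on the command line, where it is visible in process listings and in any `set -x` trace of these scripts; that is a pre-existing choice, but a comment such as `# registry password is passed on argv; do not run this script under set -x` would keep the next maintainer from tracing it by accident. init_registry_creds continues past the end of the hunk.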
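Review bot: In the second hunk `test_app_mysql_docker_image="mysql/mysql-server:5.7"` pins the MySQL backend to a mutable tag while the postgres branch resolves its image through `platform_image`, so the two backends are sourced differently and a tag move upstream silently changes what the test deploys; resolving both the same way, or pinning the MySQL image by digest, would make the backends consistent. The `sed` expressions use `#` as the delimiter, so a `#` in either image reference or in `$TEST_APP_NAMESPACE_NAME` breaks the substitution — minor, but worth a comment above the pipeline, e.g. `# '#' is the sed delimiter; image and namespace values must not contain it`. deploy_app_backend and its `case` begin outside the hunk.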
diff --git a/7_verify_authentication.sh b/7_verify_authentication.sh index 881a936..70d8c5d 100755 --- a/7_verify_authentication.sh +++ b/7_verify_authentication.sh @@ -28,9 +28,9 @@ set_namespace $TEST_APP_NAMESPACE_NAME echo "Waiting for pods to become available" -while [[ $(pods_not_ready "test-app-summon-init") ]] || - [[ $(pods_not_ready "test-app-summon-sidecar") ]] || - [[ $(pods_not_ready "test-app-secretless") ]]; do +until [[ $(pods_ready "test-app-summon-init") ]] && + [[ $(pods_ready "test-app-summon-sidecar") ]] && + [[ $(pods_ready "test-app-secretless") ]]; do printf "." sleep 1 done diff --git a/Jenkinsfile b/Jenkinsfile index 4c337ea..81f576f 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -14,25 +14,25 @@ pipeline { parallel { stage('GKE, v4 Conjur, Postgres') { steps { - sh 'cd ci && summon -e gke ./test gke 4 postgres' + sh 'cd ci && summon --environment gke ./test gke 4 postgres' } } stage('GKE, v5 Conjur, Postgres') { steps { - sh 'cd ci && summon -e gke ./test gke 5 postgres' + sh 'cd ci && summon --environment gke ./test gke 5 postgres' } } stage('OpenShift v3.9, v4 Conjur, Postgres') { steps { - sh 'cd ci && summon -e oc ./test oc 4 postgres' + sh 'cd ci && summon --environment oc ./test oc 4 postgres' } } stage('OpenShift v3.9, v5 Conjur, Postgres') { steps { - sh 'cd ci && summon -e oc ./test oc 5 postgres' + sh 'cd ci && summon --environment oc ./test oc 5 postgres' } } } 
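Review bot: The `until` loop in 7_verify_authentication.sh has no upper bound, so if any of the three deployments never reaches Ready the script prints dots indefinitely and a CI run hangs until the job is killed externally. A bounded wait turns that into a clear failure: set `attempts=0` before the loop and make `(( attempts++ < 300 )) || { echo "Timed out waiting for test app pods" >&2; exit 1; }` the first statement of the body (300 is an example limit to tune). The script continues past the hunk.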
@@ -43,25 +43,25 @@ pipeline { parallel { stage('GKE, v4 Conjur, MySQL') { steps { - sh 'cd ci && summon -e gke ./test gke 4 mysql' + sh 'cd ci && summon --environment gke ./test gke 4 mysql' } } stage('GKE, v5 Conjur, MySQL') { steps { - sh 'cd ci && summon -e gke ./test gke 5 mysql' + sh 'cd ci && summon --environment gke ./test gke 5 mysql' } } stage('OpenShift v3.9, v4 Conjur, MySQL') { steps { - sh 'cd ci && summon -e oc ./test oc 4 mysql' + sh 'cd ci && summon --environment oc ./test oc 4 mysql' } } stage('OpenShift v3.9, v5 Conjur, MySQL') { steps { - sh 'cd ci && summon -e oc ./test oc 5 mysql' + sh 'cd ci && summon --environment oc ./test oc 5 mysql' } } } diff --git a/ci/test b/ci/test index 62a204e..e9b9a18 100755 --- a/ci/test +++ b/ci/test @@ -8,7 +8,7 @@ # It is for this that we recommend to always call this script using summon. # # Recommended usage: -# summon -e [platform] ./test [platform] [conjur version] [database] +# summon --environment [platform] ./test [platform] [conjur version] [database] # # platform: gke or oc # conjur version: 4 or 5 @@ -45,7 +45,7 @@ function printUsage() { echo "Note: This script expects several environment variables to be defined and exported, some of which are sensitive/secret values. It is for this that we recommend to always call this script using summon." echo "" echo "Recommended Usage:" - echo "summon -e [platform] ./test [platform] [conjur version] [database]" + echo "summon --environment [platform] ./test [platform] [conjur version] [database]" echo "" echo "platform: gke or oc" echo "conjur version: 4 or 5" @@ -106,8 +106,8 @@ function prepareTestEnvironment() { # Prepare Docker images docker pull $CONJUR_APPLIANCE_IMAGE - docker build -t $CONJUR_DEMO_TEST_IMAGE:$CONJUR_NAMESPACE_NAME \ - -f Dockerfile \ + docker build --tag $CONJUR_DEMO_TEST_IMAGE:$CONJUR_NAMESPACE_NAME \ + --file Dockerfile \ --build-arg OPENSHIFT_CLI_URL=$OPENSHIFT_CLI_URL \ --build-arg KUBECTL_CLI_URL=$KUBECTL_CLI_URL \ . 
diff --git a/utils.sh b/utils.sh index 4eb8881..7fdf74e 100755 --- a/utils.sh +++ b/utils.sh @@ -179,8 +179,8 @@ function deployment_status() { awk '{ print $2 }')" } -function pods_not_ready() { +function pods_ready() { local app_label=$1 - $cli describe pod --selector "app=$app_label" | awk '/Ready/{if ($2 != "False") exit 1}' + $cli describe pod --selector "app=$app_label" | awk '/Ready/{if ($2 != "True") exit 1}' && echo 2 } From e90d14a1935c899895bd0ea265272dffd68d097a Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Tue, 26 Mar 2019 16:51:37 +0800 Subject: [PATCH 29/31] minor fix --- 5_build_and_push_containers.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/5_build_and_push_containers.sh b/5_build_and_push_containers.sh index ded5736..91d2b9c 100755 --- a/5_build_and_push_containers.sh +++ b/5_build_and_push_containers.sh @@ -39,7 +39,7 @@ pushd test_app_summon echo "Building test app image" docker build \ - --build-arg namespace=$TEST_APP_NAMESPACE_NAME\ + --build-arg namespace=$TEST_APP_NAMESPACE_NAME \ --tag test-app:$CONJUR_NAMESPACE_NAME \ --file $dockerfile . From 786394a29298d27204162f7b940f7be0be4ac0ed Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Tue, 26 Mar 2019 22:11:01 +0800 Subject: [PATCH 30/31] bump test_app_summon builder image to ruby:2.4 --- test_app_summon/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test_app_summon/Dockerfile b/test_app_summon/Dockerfile index ea5cb10..82eb1e4 100644 --- a/test_app_summon/Dockerfile +++ b/test_app_summon/Dockerfile @@ -1,4 +1,4 @@ -FROM ruby:2.2.9 as test-app-builder +FROM ruby:2.4 as test-app-builder MAINTAINER CyberArk LABEL builder="test-app-builder" From ab32540664494af9aef7cf28b6658c3e68686141 Mon Sep 17 00:00:00 2001 
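Review bot: `pods_ready` reports ready when the selector matches no pods at all: with no `Ready` line awk exits 0, `echo 2` runs, and the `until` loop in 7_verify_authentication.sh exits before the deployment has even created its pods — a property inherited from `pods_not_ready`, but the rename is the right moment to fix it. Counting matches without an early exit closes the gap, e.g. `awk '/Ready/{n++; if ($2 != "True") bad=1} END{exit (n == 0 || bad)}'`. The `&& echo 2` sentinel is also an unusual way to return a boolean; returning the pipeline status and testing `if pods_ready …` would be more idiomatic, though that changes the callers. This hunk's trailing context is cut at the end of the file section.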
From: Kumbirai Tanekha
Date: Tue, 26 Mar 2019 23:10:21 +0800
Subject: [PATCH 31/31] bump test_app_summon builder image for OC to ruby:2.4

---
 test_app_summon/Dockerfile.builder | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test_app_summon/Dockerfile.builder b/test_app_summon/Dockerfile.builder
index 291551c..46cb3e9 100644
--- a/test_app_summon/Dockerfile.builder
+++ b/test_app_summon/Dockerfile.builder
@@ -1,4 +1,4 @@
-FROM ruby:2.2.9
+FROM ruby:2.4
 MAINTAINER CyberArk

 #---some useful tools for interactive usage---#