Fix broken script use for non-master deployments #62
Conversation
|
To test this, someone would need to deploy the Conjur master outside of Kubernetes and verify that the end-to-end flow works. I am not comfortable merging until this flow is tested. |
start
Outdated
| @@ -9,10 +9,16 @@ set -xeuo pipefail | |||
|
|
|||
| ./1_create_test_app_namespace.sh | |||
|
|
|||
| # This script is run for both follower-based and master-based installs | |||
There was a problem hiding this comment.
I don't follow this comment at all.
There are two flows that this repo can do - it can deploy the master cluster to k8s/oc as well as the followers, or it can deploy just the followers to k8s/oc and assume you have configured a master cluster elsewhere.
when you have a master cluster elsewhere (eg DEPLOY_MASTER_CLUSTER is false) and you run start, the start script has no way of knowing how to connect to your master cluster to load the policies.
the current flow is described in usage in the main project readme. when you are not deploying a master cluster to kubernetes, you have to manually initialize the authenticator CA, manually load the policies (and script 2 makes this easier), and then you run ./start.
I don't think this workflow has been tested with this change, and if for some reason it has and it works well, the README needs to be updated before this PR could go in.
sgnn7
force-pushed
the
fix-non-master-deployment
branch
from
8a98d9c to
73ec892
Compare
Since deployment depends on some details from master deployment regarding the database, these files are mandatory and if the user has not yet created them, the scripts break in latter parts of the start script. With this check, we have at least a basic check that stage 2 (load_policy) has been run to generate these files which are used in stage 6 (deploy).
It's a little bit easier to read now tih some extra spacing and using an `if` vs the `||` syntax.
sgnn7
force-pushed
the
fix-non-master-deployment
branch
2 times, most recently
from
fd6bada to
dec7f67
Compare
Stop script was switching namespaces when namespace in question might not have been available so now we ensure that this does not happen.
sgnn7
force-pushed
the
fix-non-master-deployment
branch
from
dec7f67 to
7a98ead
Compare
|
Closing this stale PR for now until we can get more time dedicated for it. |
Old code would error out deploying the database since templates weren't
properly made. We now ensure that we create the templates in both cases
though obviously the follower-deploy policy loading is left to the user
to properly do with the right policies.
Connected to #57