Port scripts from conjurdemos/kubernetes-conjur-demo

cyberark · May 18, 2021 · 947fb35 · 947fb35
1 parent 3394b81
commit 947fb35
Show file tree

Hide file tree

Showing 47 changed files with 3,294 additions and 0 deletions.
diff --git a/bin/test-workflow/0_prep_check_dependencies.sh b/bin/test-workflow/0_prep_check_dependencies.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+. utils.sh
+
+check_env_var "CONJUR_NAMESPACE_NAME"
+check_env_var "TEST_APP_NAMESPACE_NAME"
+if [[ "$PLATFORM" == "kubernetes" ]] && ! is_minienv; then
+  check_env_var "DOCKER_REGISTRY_URL"
+fi
+
+# TODO: consider getting rid of USE_DOCKER_LOCAL_REGISTRY in favour of always using
+#  DOCKER_REGISTRY_PATH which when empty would default to DOCKER_REGISTRY_URL.
+if ! (( [[ "$PLATFORM" == "kubernetes" ]] && is_minienv ) \
+    || [[ "$USE_DOCKER_LOCAL_REGISTRY" == "true" ]]); then
+  check_env_var "DOCKER_REGISTRY_PATH"
+fi
+
+check_env_var "CONJUR_ACCOUNT"
+check_env_var "CONJUR_ADMIN_PASSWORD"
+check_env_var "AUTHENTICATOR_ID"
+check_env_var "TEST_APP_DATABASE"
+check_env_var "CONJUR_AUTHN_LOGIN_RESOURCE"
+check_env_var "PULL_DOCKER_REGISTRY_URL"
+check_env_var "PULL_DOCKER_REGISTRY_PATH"
+ensure_env_database
diff --git a/bin/test-workflow/1_prep_platform_login.sh b/bin/test-workflow/1_prep_platform_login.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+if [[ $PLATFORM == openshift ]]; then
+  oc login -u $OSHIFT_CLUSTER_ADMIN_USERNAME -p $OPENSHIFT_PASSWORD
+fi
+
diff --git a/bin/test-workflow/2_admin_load_conjur_policies.sh b/bin/test-workflow/2_admin_load_conjur_policies.sh
@@ -0,0 +1,134 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+announce "Generating Conjur policy."
+
+prepare_conjur_cli_image() {
+  announce "Pulling and pushing Conjur CLI image."
+
+  docker pull cyberark/conjur-cli:$CONJUR_VERSION-latest
+
+  cli_app_image=$(platform_image_for_push conjur-cli)
+  docker tag cyberark/conjur-cli:$CONJUR_VERSION-latest $cli_app_image
+
+  if ! is_minienv; then
+    docker push $cli_app_image
+  fi
+}
+
+deploy_conjur_cli() {
+  announce "Deploying Conjur CLI pod."
+
+  if is_minienv; then
+    IMAGE_PULL_POLICY='Never'
+  else
+    IMAGE_PULL_POLICY='Always'
+  fi
+
+  cli_app_image=$(platform_image_for_pull conjur-cli)
+  sed -e "s#{{ CONJUR_SERVICE_ACCOUNT }}#$(conjur_service_account)#g" ./$PLATFORM/conjur-cli.yml |
+    sed -e "s#{{ DOCKER_IMAGE }}#$cli_app_image#g" |
+    sed -e "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" |
+    $cli create -f -
+
+  conjur_cli_pod=$(get_conjur_cli_pod_name)
+  wait_for_it 300 "$cli get pod $conjur_cli_pod -o jsonpath='{.status.phase}'| grep -q Running"
+}
+
+ensure_conjur_cli_initialized() {
+  announce "Ensure that Conjur CLI pod has a connection with Conjur initialized."
+
+  if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
+    conjur_service='conjur-oss'
+  else
+    conjur_service='conjur-master'
+  fi
+  conjur_url=${CONJUR_APPLIANCE_URL:-https://$conjur_service.$CONJUR_NAMESPACE_NAME.svc.cluster.local}
+
+  $cli exec $1 -- bash -c "yes yes | conjur init -a $CONJUR_ACCOUNT -u $conjur_url"
+  $cli exec $1 -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD
+}
+
+pushd policy
+  mkdir -p ./generated
+
+  # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
+
+  if [[ "$PLATFORM" == "openshift" ]]; then
+    is_openshift=true
+    is_kubernetes=false
+  else
+    is_openshift=false
+    is_kubernetes=true
+  fi
+
+  sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml |
+    sed "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml
+
+  sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml |
+    sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" |
+    sed "s#{{ IS_KUBERNETES }}#$is_kubernetes#g" |
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml
+
+  sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/app-identity-def.template.yml |
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml
+
+  sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/authn-any-policy-branch.template.yml |
+    sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" |
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.authn-any-policy-branch.yml
+popd
+
+# Create the random database password
+password=$(openssl rand -hex 12)
+
+set_namespace "$CONJUR_NAMESPACE_NAME"
+
+
+announce "Finding or creating a Conjur CLI pod"
+conjur_cli_pod=$(get_conjur_cli_pod_name)
+if [ -z "$conjur_cli_pod" ]; then
+  prepare_conjur_cli_image
+  deploy_conjur_cli
+  conjur_cli_pod=$(get_conjur_cli_pod_name)
+fi
+ensure_conjur_cli_initialized $conjur_cli_pod
+
+announce "Loading Conjur policy."
+
+$cli exec $conjur_cli_pod -- rm -rf /policy
+$cli cp ./policy $conjur_cli_pod:/policy
+
+$cli exec $conjur_cli_pod -- \
+  bash -c "
+  conjur_appliance_url=${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE_NAME.svc.cluster.local}
+    CONJUR_ACCOUNT=${CONJUR_ACCOUNT} \
+    CONJUR_ADMIN_PASSWORD=${CONJUR_ADMIN_PASSWORD} \
+    DB_PASSWORD=${password} \
+    TEST_APP_NAMESPACE_NAME=${TEST_APP_NAMESPACE_NAME} \
+    TEST_APP_DATABASE=${TEST_APP_DATABASE} \
+    /policy/load_policies.sh
+  "
+
+$cli exec $conjur_cli_pod -- rm -rf ./policy
+
+echo "Conjur policy loaded."
+
+set_namespace "$TEST_APP_NAMESPACE_NAME"
+
+# Set DB password in Kubernetes manifests
+# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
+pushd kubernetes
+  sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml
+  sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml
+popd
+
+# Set DB password in OC manifests
+# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
+pushd openshift
+  sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml
+  sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml
+popd
+
+announce "Added DB password value: $password"
diff --git a/bin/test-workflow/3_admin_init_conjur_cert_authority.sh b/bin/test-workflow/3_admin_init_conjur_cert_authority.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+announce "Initializing Conjur certificate authority."
+
+set_namespace $CONJUR_NAMESPACE_NAME
+
+conjur_master=$(get_master_pod_name)
+
+if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
+    $cli exec $conjur_master -c conjur-oss -- bash -c "CONJUR_ACCOUNT=$CONJUR_ACCOUNT rake authn_k8s:ca_init['conjur/authn-k8s/$AUTHENTICATOR_ID']"
+else
+    $cli exec $conjur_master -- chpst -u conjur conjur-plugin-service possum rake authn_k8s:ca_init["conjur/authn-k8s/$AUTHENTICATOR_ID"]
+fi
+
+echo "Certificate authority initialized."
diff --git a/bin/test-workflow/4_app_create_namespace.sh b/bin/test-workflow/4_app_create_namespace.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+announce "Creating Test App namespace."
+
+set_namespace default
+
+if has_namespace "$TEST_APP_NAMESPACE_NAME"; then
+  echo "Namespace '$TEST_APP_NAMESPACE_NAME' exists, not going to create it."
+  set_namespace $TEST_APP_NAMESPACE_NAME
+else
+  echo "Creating '$TEST_APP_NAMESPACE_NAME' namespace."
+
+  if [ $PLATFORM = 'kubernetes' ]; then
+    $cli create namespace $TEST_APP_NAMESPACE_NAME
+  elif [ $PLATFORM = 'openshift' ]; then
+    $cli new-project $TEST_APP_NAMESPACE_NAME
+  fi
+
+  set_namespace $TEST_APP_NAMESPACE_NAME
+fi
+
+$cli delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME
+
+if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
+  conjur_authn_cluster_role="$HELM_RELEASE-conjur-authenticator"
+else
+  conjur_authn_cluster_role="conjur-authenticator-$CONJUR_NAMESPACE_NAME"
+fi
+sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./$PLATFORM/test-app-conjur-authenticator-role-binding.yml |
+  sed "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" |
+  sed "s#{{ CONJUR_AUTHN_CLUSTER_ROLE }}#$conjur_authn_cluster_role#g" |
+  sed "s#{{ CONJUR_SERVICE_ACCOUNT }}#$(conjur_service_account)#g" |
+  $cli create -f -
+
+if [[ $PLATFORM == openshift ]]; then
+  # add permissions for Conjur admin user
+  oc adm policy add-role-to-user system:registry $OSHIFT_CONJUR_ADMIN_USERNAME
+  oc adm policy add-role-to-user system:image-builder $OSHIFT_CONJUR_ADMIN_USERNAME
+
+  oc adm policy add-role-to-user admin $OSHIFT_CONJUR_ADMIN_USERNAME -n default
+  oc adm policy add-role-to-user admin $OSHIFT_CONJUR_ADMIN_USERNAME -n $TEST_APP_NAMESPACE_NAME
+  echo "Logging in as Conjur Openshift admin. Provide password as needed."
+  oc login -u $OSHIFT_CONJUR_ADMIN_USERNAME -p $OPENSHIFT_PASSWORD
+fi
diff --git a/bin/test-workflow/5_app_store_conjur_cert.sh b/bin/test-workflow/5_app_store_conjur_cert.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+announce "Storing Conjur cert for test app configuration."
+
+set_namespace $CONJUR_NAMESPACE_NAME
+
+echo "Retrieving Conjur certificate."
+
+if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
+  master_pod_name=$(get_master_pod_name)
+  ssl_cert=$($cli exec -c "${HELM_RELEASE}-nginx" $master_pod_name -- cat /opt/conjur/etc/ssl/cert/tls.crt)
+else
+  if $cli get pods --selector role=follower --no-headers; then
+    follower_pod_name=$($cli get pods --selector role=follower --no-headers | awk '{ print $1 }' | head -1)
+    ssl_cert=$($cli exec $follower_pod_name -- cat /opt/conjur/etc/ssl/conjur.pem)
+  else
+    echo "Regular follower not found. Trying to assume a decomposed follower..."
+    follower_pod_name=$($cli get pods --selector role=decomposed-follower --no-headers | awk '{ print $1 }' | head -1)
+    ssl_cert=$($cli exec -c "nginx" $follower_pod_name -- cat /opt/conjur/etc/ssl/cert/tls.crt)
+  fi
+fi
+
+set_namespace $TEST_APP_NAMESPACE_NAME
+
+echo "Storing non-secret conjur cert as test app configuration data"
+
+$cli delete --ignore-not-found=true configmap $TEST_APP_NAMESPACE_NAME
+
+# Store the Conjur cert in a ConfigMap.
+$cli create configmap $TEST_APP_NAMESPACE_NAME --from-file=ssl-certificate=<(echo "$ssl_cert")
+
+echo "Conjur cert stored."
diff --git a/bin/test-workflow/6_app_build_and_push_containers.sh b/bin/test-workflow/6_app_build_and_push_containers.sh
@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+if [[ "$PLATFORM" == "openshift" ]]; then
+    docker login -u _ -p $(oc whoami -t) $DOCKER_REGISTRY_PATH
+fi
+
+announce "Building and pushing test app images."
+
+readonly APPS=(
+  "init"
+  "sidecar"
+)
+
+pushd test_app_summon
+  if [[ "$PLATFORM" == "openshift" ]]; then
+    echo "Building Summon binaries to include in app image"
+    docker build -t test-app-builder -f Dockerfile.builder .
+
+    # retrieve the summon binaries
+    id=$(docker create test-app-builder)
+    docker cp $id:/usr/local/lib/summon/summon-conjur ./tmp.summon-conjur
+    docker cp $id:/usr/local/bin/summon ./tmp.summon
+    docker rm --volumes $id
+  fi
+
+
+  for app_type in "${APPS[@]}"; do
+    # prep secrets.yml
+    # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
+    sed "s#{{ TEST_APP_NAME }}#test-summon-$app_type-app#g" ./secrets.template.yml > "tmp.$TEST_APP_NAMESPACE_NAME.secrets.yml"
+
+    dockerfile="Dockerfile"
+    if [[ "$PLATFORM" == "openshift" ]]; then
+      dockerfile="Dockerfile.oc"
+    fi
+
+    echo "Building test app image"
+    docker build \
+      --build-arg namespace=$TEST_APP_NAMESPACE_NAME \
+      --tag test-app:$CONJUR_NAMESPACE_NAME \
+      --file $dockerfile .
+
+    test_app_image=$(platform_image_for_push "test-$app_type-app")
+    docker tag test-app:$CONJUR_NAMESPACE_NAME $test_app_image
+
+    if ! is_minienv; then
+      docker push $test_app_image
+    fi
+  done
+popd
+
+# If in Kubernetes, build custom pg image
+if [[ "$PLATFORM" != "openshift" ]]; then
+  pushd pg
+    docker build -t test-app-pg:$CONJUR_NAMESPACE_NAME .
+    test_app_pg_image=$(platform_image_for_push test-app-pg)
+    docker tag test-app-pg:$CONJUR_NAMESPACE_NAME $test_app_pg_image
+
+    if ! is_minienv; then
+      docker push $test_app_pg_image
+    fi
+  popd
+fi
+
+if [[ "$LOCAL_AUTHENTICATOR" == "true" ]]; then
+  # Re-tag the locally-built conjur-authn-k8s-client:dev image
+  authn_image=$(platform_image_for_push conjur-authn-k8s-client)
+  docker tag conjur-authn-k8s-client:dev $authn_image
+
+  # Re-tag the locally-built secretless-broker:latest image
+  secretless_image=$(platform_image_for_push secretless-broker)
+  docker tag secretless-broker:latest $secretless_image
+
+  if ! is_minienv; then
+    docker push $authn_image
+    docker push $secretless_image
+  fi
+fi