From 10f4a74ba509648fb3ee13057010a7c3aadf5417 Mon Sep 17 00:00:00 2001 From: Samir Shetty Date: Tue, 18 May 2021 05:58:55 -0700 Subject: [PATCH 01/18] Prep branch --- .gitignore | 5 +++++ .gitleaks.toml | 4 ++++ 2 files changed, 9 insertions(+) create mode 100644 .gitleaks.toml diff --git a/.gitignore b/.gitignore index eff8b275..26d85dc9 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,8 @@ test temp helm/kubernetes-cluster-prep/files/conjur-cert.pem + +bin/test-workflow/policy/generated/* +tmp.* +bin/test-workflow/output/ +bin/test-workflow/bash-lib/ diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 00000000..a4625a9b --- /dev/null +++ b/.gitleaks.toml @@ -0,0 +1,4 @@ +[allowlist] + files = [ + "bin/test-workflow/etc/ca-key.pem" # test ssl certs + ] From 6bf1101e5cb71a11941db88aead06b23a5fe68f7 Mon Sep 17 00:00:00 2001 
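Review bot: The allowlist entry `"bin/test-workflow/etc/ca-key.pem" # test ssl certs` exempts from secret scanning a private key that this same series commits under bin/test-workflow/etc, and the trailing comment is the only record of why. Gitleaks appears to interpret `files` entries as regular expressions, so the unescaped dots and missing anchors would also match any path that merely contains this string; anchoring and escaping it, `'''^bin/test-workflow/etc/ca-key\.pem$'''`, pins the exemption to the one file (confirm against the config schema of the gitleaks version in use). I would also put a full-line comment above `files`, `# throwaway test CA key used only by the test workflow; never reuse outside it`, so the next reviewer of a scan finding does not have to rediscover the intent.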
From: Samir Shetty Date: Tue, 18 May 2021 06:01:07 -0700 Subject: [PATCH 02/18] Port scripts from conjurdemos/kubernetes-conjur-demo --- bin/test-workflow | 62 ---- .../0_prep_check_dependencies.sh | 26 ++ bin/test-workflow/1_prep_platform_login.sh | 9 + .../2_admin_load_conjur_policies.sh | 134 ++++++++ .../3_admin_init_conjur_cert_authority.sh | 18 ++ bin/test-workflow/4_app_create_namespace.sh | 47 +++ bin/test-workflow/5_app_store_conjur_cert.sh | 35 +++ .../6_app_build_and_push_containers.sh | 81 +++++ bin/test-workflow/7_app_deploy.sh | 296 ++++++++++++++++++ .../8_app_verify_authentication.sh | 183 +++++++++++ bin/test-workflow/etc/ca-key.pem | 30 ++ bin/test-workflow/etc/ca.pem | 24 ++ bin/test-workflow/etc/secretless.yml | 34 ++ bin/test-workflow/kubernetes/conjur-cli.yml | 27 ++ .../kubernetes/mysql.template.yml | 137 ++++++++ .../kubernetes/postgres.template.yml | 166 ++++++++++ ...-app-conjur-authenticator-role-binding.yml | 14 + .../kubernetes/test-app-secretless.yml | 95 ++++++ .../kubernetes/test-app-summon-init.yml | 105 +++++++ .../kubernetes/test-app-summon-sidecar.yml | 104 ++++++ ...h-host-outside-apps-branch-summon-init.yml | 106 +++++++ bin/test-workflow/kubernetes/test-curl.yml | 13 + bin/test-workflow/openshift/conjur-cli.yml | 26 ++ .../openshift/mysql.template.yml | 131 ++++++++ .../openshift/postgres.template.yml | 170 ++++++++++ ...-app-conjur-authenticator-role-binding.yml | 14 + .../openshift/test-app-secretless.yml | 95 ++++++ .../openshift/test-app-summon-init.yml | 105 +++++++ .../openshift/test-app-summon-sidecar.yml | 102 ++++++ ...h-host-outside-apps-branch-summon-init.yml | 105 +++++++ bin/test-workflow/openshift/test-curl.yml | 13 + bin/test-workflow/pg/Dockerfile | 5 + bin/test-workflow/pg/rotate_password | 22 ++ bin/test-workflow/policy/app-access.yml | 52 +++ bin/test-workflow/policy/load_policies.sh | 72 +++++ .../templates/app-identity-def.template.yml | 14 + .../authn-any-policy-branch.template.yml | 33 ++ 
.../cluster-authn-svc-def.template.yml | 43 +++ .../templates/project-authn-def.template.yml | 133 ++++++++ bin/test-workflow/policy/users.yml | 40 +++ bin/test-workflow/set_env_vars.sh | 29 ++ bin/test-workflow/start | 26 ++ bin/test-workflow/stop | 39 +++ bin/test-workflow/test_app_summon/Dockerfile | 32 ++ .../test_app_summon/Dockerfile.builder | 15 + .../test_app_summon/Dockerfile.oc | 13 + .../test_app_summon/secrets.template.yml | 3 + bin/test-workflow/utils.sh | 278 ++++++++++++++++ 48 files changed, 3294 insertions(+), 62 deletions(-) delete mode 100755 bin/test-workflow create mode 100755 bin/test-workflow/0_prep_check_dependencies.sh create mode 100755 bin/test-workflow/1_prep_platform_login.sh create mode 100755 bin/test-workflow/2_admin_load_conjur_policies.sh create mode 100755 bin/test-workflow/3_admin_init_conjur_cert_authority.sh create mode 100755 bin/test-workflow/4_app_create_namespace.sh create mode 100755 bin/test-workflow/5_app_store_conjur_cert.sh create mode 100755 bin/test-workflow/6_app_build_and_push_containers.sh create mode 100755 bin/test-workflow/7_app_deploy.sh create mode 100755 bin/test-workflow/8_app_verify_authentication.sh create mode 100644 bin/test-workflow/etc/ca-key.pem create mode 100644 bin/test-workflow/etc/ca.pem create mode 100644 bin/test-workflow/etc/secretless.yml create mode 100644 bin/test-workflow/kubernetes/conjur-cli.yml create mode 100644 bin/test-workflow/kubernetes/mysql.template.yml create mode 100644 bin/test-workflow/kubernetes/postgres.template.yml create mode 100644 bin/test-workflow/kubernetes/test-app-conjur-authenticator-role-binding.yml create mode 100644 bin/test-workflow/kubernetes/test-app-secretless.yml create mode 100644 bin/test-workflow/kubernetes/test-app-summon-init.yml create mode 100644 bin/test-workflow/kubernetes/test-app-summon-sidecar.yml create mode 100644 bin/test-workflow/kubernetes/test-app-with-host-outside-apps-branch-summon-init.yml create mode 100644 
bin/test-workflow/kubernetes/test-curl.yml create mode 100644 bin/test-workflow/openshift/conjur-cli.yml create mode 100644 bin/test-workflow/openshift/mysql.template.yml create mode 100644 bin/test-workflow/openshift/postgres.template.yml create mode 100644 bin/test-workflow/openshift/test-app-conjur-authenticator-role-binding.yml create mode 100644 bin/test-workflow/openshift/test-app-secretless.yml create mode 100644 bin/test-workflow/openshift/test-app-summon-init.yml create mode 100644 bin/test-workflow/openshift/test-app-summon-sidecar.yml create mode 100644 bin/test-workflow/openshift/test-app-with-host-outside-apps-branch-summon-init.yml create mode 100644 bin/test-workflow/openshift/test-curl.yml create mode 100644 bin/test-workflow/pg/Dockerfile create mode 100755 bin/test-workflow/pg/rotate_password create mode 100644 bin/test-workflow/policy/app-access.yml create mode 100755 bin/test-workflow/policy/load_policies.sh create mode 100644 bin/test-workflow/policy/templates/app-identity-def.template.yml create mode 100755 bin/test-workflow/policy/templates/authn-any-policy-branch.template.yml create mode 100644 bin/test-workflow/policy/templates/cluster-authn-svc-def.template.yml create mode 100644 bin/test-workflow/policy/templates/project-authn-def.template.yml create mode 100755 bin/test-workflow/policy/users.yml create mode 100755 bin/test-workflow/set_env_vars.sh create mode 100755 bin/test-workflow/start create mode 100755 bin/test-workflow/stop create mode 100644 bin/test-workflow/test_app_summon/Dockerfile create mode 100644 bin/test-workflow/test_app_summon/Dockerfile.builder create mode 100644 bin/test-workflow/test_app_summon/Dockerfile.oc create mode 100644 bin/test-workflow/test_app_summon/secrets.template.yml create mode 100755 bin/test-workflow/utils.sh diff --git a/bin/test-workflow b/bin/test-workflow deleted file mode 100755 index a02c9271..00000000 --- a/bin/test-workflow +++ /dev/null 
@@ -1,62 +0,0 @@ -#!/bin/bash - -cd "$(dirname "$0")/.." || ( echo "cannot cd into parent dir" && exit 1 ) - -function announce() { - echo " - =================== - ${1} - =================== - " -} - -# Install Conjur in our cluster, and load policies -mkdir -p temp &2> /dev/null -pushd temp - git clone https://github.com/cyberark/conjur-oss-helm-chart.git &2> /dev/null - - pushd conjur-oss-helm-chart/examples/kubernetes-in-docker - announce "Installing Conjur-OSS" - helm uninstall conjur-oss - ./start - popd -popd - -namespace="app-test" - -pushd helm - # Prepare our cluster with conjur and authnK8s credentials in a golden configmap - pushd conjur-config-cluster-prep - announce "Installing cluster prep chart" - helm uninstall cluster-prep -n conjur-oss - - ./bin/get-conjur-cert.sh -v -i -u https://conjur-oss.conjur-oss.svc.cluster.local - - helm install cluster-prep . -n conjur-oss --wait \ - --set conjur.account="myConjurAccount" \ - --set conjur.applianceUrl="https://conjur-oss.conjur-oss.svc.cluster.local" \ - --set conjur.certificateFilePath="files/conjur-cert.pem" \ - --set authnK8s.authenticatorID="my-authenticator-id" - popd - - # Prepare a given namespace with a subset of credentials from the golden configmap - pushd conjur-config-namespace-prep - announce "Installing application namespace prep chart" - helm uninstall namespace-prep -n $namespace - - helm install namespace-prep . -n $namespace --wait \ - --set authnK8s.goldenConfigMap="authn-k8s-configmap" \ - --set authnK8s.namespace="conjur-oss" - popd - - # Deploy a given app with yet another subset of the subset of our golden configmap, allowing - # connection to Conjur - pushd conjur-app-deploy - announce "Installing application chart" - helm uninstall app -n $namespace - - helm install app . 
-n $namespace --wait \ - --set global.conjur.conjurConnConfigMap="conjur-connect-configmap" \ - --set app-summon-sidecar.conjur.authnLogin="host/conjur/authn-k8s/my-authenticator-id/apps/test-app-summon-sidecar" - popd -popd diff --git a/bin/test-workflow/0_prep_check_dependencies.sh b/bin/test-workflow/0_prep_check_dependencies.sh new file mode 100755 index 00000000..0812c937 --- /dev/null +++ b/bin/test-workflow/0_prep_check_dependencies.sh @@ -0,0 +1,26 @@ +#!/usr/bin/env bash +set -eo pipefail + +. utils.sh + +check_env_var "CONJUR_NAMESPACE_NAME" +check_env_var "TEST_APP_NAMESPACE_NAME" +if [[ "$PLATFORM" == "kubernetes" ]] && ! is_minienv; then + check_env_var "DOCKER_REGISTRY_URL" +fi + +# TODO: consider getting rid of USE_DOCKER_LOCAL_REGISTRY in favour of always using +# DOCKER_REGISTRY_PATH which when empty would default to DOCKER_REGISTRY_URL. +if ! (( [[ "$PLATFORM" == "kubernetes" ]] && is_minienv ) \ + || [[ "$USE_DOCKER_LOCAL_REGISTRY" == "true" ]]); then + check_env_var "DOCKER_REGISTRY_PATH" +fi + +check_env_var "CONJUR_ACCOUNT" +check_env_var "CONJUR_ADMIN_PASSWORD" +check_env_var "AUTHENTICATOR_ID" +check_env_var "TEST_APP_DATABASE" +check_env_var "CONJUR_AUTHN_LOGIN_RESOURCE" +check_env_var "PULL_DOCKER_REGISTRY_URL" +check_env_var "PULL_DOCKER_REGISTRY_PATH" +ensure_env_database diff --git a/bin/test-workflow/1_prep_platform_login.sh b/bin/test-workflow/1_prep_platform_login.sh new file mode 100755 index 00000000..d9a389bf --- /dev/null +++ b/bin/test-workflow/1_prep_platform_login.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +set -euo pipefail + +. utils.sh + +if [[ $PLATFORM == openshift ]]; then + oc login -u $OSHIFT_CLUSTER_ADMIN_USERNAME -p $OPENSHIFT_PASSWORD +fi + diff --git a/bin/test-workflow/2_admin_load_conjur_policies.sh b/bin/test-workflow/2_admin_load_conjur_policies.sh new file mode 100755 index 00000000..3c4bc6ff --- /dev/null +++ b/bin/test-workflow/2_admin_load_conjur_policies.sh 
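Review bot: The guard `if ! (( [[ "$PLATFORM" == "kubernetes" ]] && is_minienv ) || [[ "$USE_DOCKER_LOCAL_REGISTRY" == "true" ]]); then` opens with `((`, which bash first tries to read as an arithmetic command; it apparently falls back to nested subshells only because no closing `))` follows, so the condition works by accident and reads as arithmetic to anyone skimming it. Grouping with braces states the intent and avoids the subshells: `if ! { { [[ "$PLATFORM" == "kubernetes" ]] && is_minienv; } || [[ "$USE_DOCKER_LOCAL_REGISTRY" == "true" ]]; }; then`. The script also sources `. utils.sh` by a bare relative name, so it only works when invoked from its own directory; a comment stating that assumption, or `cd "$(dirname "$0")"` before the source line, would turn a confusing "No such file" failure into a documented requirement.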
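Review bot: `oc login -u $OSHIFT_CLUSTER_ADMIN_USERNAME -p $OPENSHIFT_PASSWORD` passes the cluster-admin password as a command-line argument, where it is visible to other processes on the host and is echoed verbatim by any `set -x` tracing in CI; the same pattern recurs at the end of 4_app_create_namespace.sh. Where a token is available, `oc login --token=...` avoids putting the password on the command line at all. At minimum quote both expansions, `oc login -u "$OSHIFT_CLUSTER_ADMIN_USERNAME" -p "$OPENSHIFT_PASSWORD"`, so a password containing spaces or glob characters is not split into extra arguments under `set -euo pipefail`.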
@@ -0,0 +1,134 @@ +#!/usr/bin/env bash +set -euo pipefail + +. utils.sh + +announce "Generating Conjur policy." + +prepare_conjur_cli_image() { + announce "Pulling and pushing Conjur CLI image." + + docker pull cyberark/conjur-cli:$CONJUR_VERSION-latest + + cli_app_image=$(platform_image_for_push conjur-cli) + docker tag cyberark/conjur-cli:$CONJUR_VERSION-latest $cli_app_image + + if ! is_minienv; then + docker push $cli_app_image + fi +} + +deploy_conjur_cli() { + announce "Deploying Conjur CLI pod." + + if is_minienv; then + IMAGE_PULL_POLICY='Never' + else + IMAGE_PULL_POLICY='Always' + fi + + cli_app_image=$(platform_image_for_pull conjur-cli) + sed -e "s#{{ CONJUR_SERVICE_ACCOUNT }}#$(conjur_service_account)#g" ./$PLATFORM/conjur-cli.yml | + sed -e "s#{{ DOCKER_IMAGE }}#$cli_app_image#g" | + sed -e "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | + $cli create -f - + + conjur_cli_pod=$(get_conjur_cli_pod_name) + wait_for_it 300 "$cli get pod $conjur_cli_pod -o jsonpath='{.status.phase}'| grep -q Running" +} + +ensure_conjur_cli_initialized() { + announce "Ensure that Conjur CLI pod has a connection with Conjur initialized." 
+ + if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then + conjur_service='conjur-oss' + else + conjur_service='conjur-master' + fi + conjur_url=${CONJUR_APPLIANCE_URL:-https://$conjur_service.$CONJUR_NAMESPACE_NAME.svc.cluster.local} + + $cli exec $1 -- bash -c "yes yes | conjur init -a $CONJUR_ACCOUNT -u $conjur_url" + $cli exec $1 -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD +} + +pushd policy + mkdir -p ./generated + + # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI + + if [[ "$PLATFORM" == "openshift" ]]; then + is_openshift=true + is_kubernetes=false + else + is_openshift=false + is_kubernetes=true + fi + + sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml | + sed "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml + + sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml | + sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" | + sed "s#{{ IS_KUBERNETES }}#$is_kubernetes#g" | + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml + + sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/app-identity-def.template.yml | + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml + + sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/authn-any-policy-branch.template.yml | + sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" | + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.authn-any-policy-branch.yml +popd + +# Create the random database password +password=$(openssl rand -hex 12) + +set_namespace "$CONJUR_NAMESPACE_NAME" + + +announce "Finding or creating a Conjur CLI pod" +conjur_cli_pod=$(get_conjur_cli_pod_name) +if [ -z "$conjur_cli_pod" ]; then + 
prepare_conjur_cli_image + deploy_conjur_cli + conjur_cli_pod=$(get_conjur_cli_pod_name) +fi +ensure_conjur_cli_initialized $conjur_cli_pod + +announce "Loading Conjur policy." + +$cli exec $conjur_cli_pod -- rm -rf /policy +$cli cp ./policy $conjur_cli_pod:/policy + +$cli exec $conjur_cli_pod -- \ + bash -c " + conjur_appliance_url=${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE_NAME.svc.cluster.local} + CONJUR_ACCOUNT=${CONJUR_ACCOUNT} \ + CONJUR_ADMIN_PASSWORD=${CONJUR_ADMIN_PASSWORD} \ + DB_PASSWORD=${password} \ + TEST_APP_NAMESPACE_NAME=${TEST_APP_NAMESPACE_NAME} \ + TEST_APP_DATABASE=${TEST_APP_DATABASE} \ + /policy/load_policies.sh + " + +$cli exec $conjur_cli_pod -- rm -rf ./policy + +echo "Conjur policy loaded." + +set_namespace "$TEST_APP_NAMESPACE_NAME" + +# Set DB password in Kubernetes manifests +# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI +pushd kubernetes + sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml + sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml +popd + +# Set DB password in OC manifests +# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI +pushd openshift + sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml + sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml +popd + +announce "Added DB password value: $password" diff --git a/bin/test-workflow/3_admin_init_conjur_cert_authority.sh b/bin/test-workflow/3_admin_init_conjur_cert_authority.sh new file mode 100755 index 00000000..a168e3b8 --- /dev/null +++ b/bin/test-workflow/3_admin_init_conjur_cert_authority.sh 
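Review bot: `announce "Added DB password value: $password"` writes the freshly generated database password to stdout, so it ends up in CI logs readable by anyone with access to the job; report only the fact, `announce "Added DB password value."`. The cleanup is also inconsistent with the copy: the policy tree is copied to `$conjur_cli_pod:/policy` after a `rm -rf /policy`, but afterwards `$cli exec $conjur_cli_pod -- rm -rf ./policy` removes a path relative to the pod's working directory, so the generated policy files (and whatever load_policies.sh left beside them) likely remain in the CLI pod; use `rm -rf /policy` in both places. The `conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD` exec puts the admin password on a command line inside the pod as well, the same exposure class noted for 1_prep_platform_login.sh.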
@@ -0,0 +1,18 @@ +#!/usr/bin/env bash +set -euo pipefail + +. utils.sh + +announce "Initializing Conjur certificate authority." + +set_namespace $CONJUR_NAMESPACE_NAME + +conjur_master=$(get_master_pod_name) + +if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then + $cli exec $conjur_master -c conjur-oss -- bash -c "CONJUR_ACCOUNT=$CONJUR_ACCOUNT rake authn_k8s:ca_init['conjur/authn-k8s/$AUTHENTICATOR_ID']" +else + $cli exec $conjur_master -- chpst -u conjur conjur-plugin-service possum rake authn_k8s:ca_init["conjur/authn-k8s/$AUTHENTICATOR_ID"] +fi + +echo "Certificate authority initialized." diff --git a/bin/test-workflow/4_app_create_namespace.sh b/bin/test-workflow/4_app_create_namespace.sh new file mode 100755 index 00000000..ab54c9b6 --- /dev/null +++ b/bin/test-workflow/4_app_create_namespace.sh 
@@ -0,0 +1,47 @@ +#!/usr/bin/env bash +set -euo pipefail + +. utils.sh + +announce "Creating Test App namespace." + +set_namespace default + +if has_namespace "$TEST_APP_NAMESPACE_NAME"; then + echo "Namespace '$TEST_APP_NAMESPACE_NAME' exists, not going to create it." + set_namespace $TEST_APP_NAMESPACE_NAME +else + echo "Creating '$TEST_APP_NAMESPACE_NAME' namespace." + + if [ $PLATFORM = 'kubernetes' ]; then + $cli create namespace $TEST_APP_NAMESPACE_NAME + elif [ $PLATFORM = 'openshift' ]; then + $cli new-project $TEST_APP_NAMESPACE_NAME + fi + + set_namespace $TEST_APP_NAMESPACE_NAME +fi + +$cli delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME + +if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then + conjur_authn_cluster_role="$HELM_RELEASE-conjur-authenticator" +else + conjur_authn_cluster_role="conjur-authenticator-$CONJUR_NAMESPACE_NAME" +fi +sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./$PLATFORM/test-app-conjur-authenticator-role-binding.yml | + sed "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" | + sed "s#{{ CONJUR_AUTHN_CLUSTER_ROLE }}#$conjur_authn_cluster_role#g" | + sed "s#{{ CONJUR_SERVICE_ACCOUNT }}#$(conjur_service_account)#g" | + $cli create -f - + +if [[ $PLATFORM == openshift ]]; then + # add permissions for Conjur admin user + oc adm policy add-role-to-user system:registry $OSHIFT_CONJUR_ADMIN_USERNAME + oc adm policy add-role-to-user system:image-builder $OSHIFT_CONJUR_ADMIN_USERNAME + + oc adm policy add-role-to-user admin $OSHIFT_CONJUR_ADMIN_USERNAME -n default + oc adm policy add-role-to-user admin $OSHIFT_CONJUR_ADMIN_USERNAME -n $TEST_APP_NAMESPACE_NAME + echo "Logging in as Conjur Openshift admin. Provide password as needed." + oc login -u $OSHIFT_CONJUR_ADMIN_USERNAME -p $OPENSHIFT_PASSWORD +fi diff --git a/bin/test-workflow/5_app_store_conjur_cert.sh b/bin/test-workflow/5_app_store_conjur_cert.sh new file mode 100755 index 00000000..f3b7f029 
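Review bot: The message `echo "Logging in as Conjur Openshift admin. Provide password as needed."` tells the operator to expect a prompt, but the next line supplies the password with `-p $OPENSHIFT_PASSWORD`, so the text is misleading; either shorten it to `echo "Logging in as Conjur Openshift admin."` or drop `-p` and let `oc login` prompt. Just above, `oc adm policy add-role-to-user admin $OSHIFT_CONJUR_ADMIN_USERNAME -n default` grants the Conjur admin user the `admin` role in the `default` project in addition to the test namespace; if the test flow really needs that, a one-line comment saying why `default` is included lets a later reviewer judge whether it can be narrowed. `[ $PLATFORM = 'kubernetes' ]` and its `elif` should quote `"$PLATFORM"` so an empty value does not break the test syntax.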
--- /dev/null +++ b/bin/test-workflow/5_app_store_conjur_cert.sh @@ -0,0 +1,35 @@ +#!/usr/bin/env bash +set -euo pipefail + +. utils.sh + +announce "Storing Conjur cert for test app configuration." + +set_namespace $CONJUR_NAMESPACE_NAME + +echo "Retrieving Conjur certificate." + +if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then + master_pod_name=$(get_master_pod_name) + ssl_cert=$($cli exec -c "${HELM_RELEASE}-nginx" $master_pod_name -- cat /opt/conjur/etc/ssl/cert/tls.crt) +else + if $cli get pods --selector role=follower --no-headers; then + follower_pod_name=$($cli get pods --selector role=follower --no-headers | awk '{ print $1 }' | head -1) + ssl_cert=$($cli exec $follower_pod_name -- cat /opt/conjur/etc/ssl/conjur.pem) + else + echo "Regular follower not found. Trying to assume a decomposed follower..." + follower_pod_name=$($cli get pods --selector role=decomposed-follower --no-headers | awk '{ print $1 }' | head -1) + ssl_cert=$($cli exec -c "nginx" $follower_pod_name -- cat /opt/conjur/etc/ssl/cert/tls.crt) + fi +fi + +set_namespace $TEST_APP_NAMESPACE_NAME + +echo "Storing non-secret conjur cert as test app configuration data" + +$cli delete --ignore-not-found=true configmap $TEST_APP_NAMESPACE_NAME + +# Store the Conjur cert in a ConfigMap. +$cli create configmap $TEST_APP_NAMESPACE_NAME --from-file=ssl-certificate=<(echo "$ssl_cert") + +echo "Conjur cert stored." diff --git a/bin/test-workflow/6_app_build_and_push_containers.sh b/bin/test-workflow/6_app_build_and_push_containers.sh new file mode 100755 index 00000000..37349fae --- /dev/null +++ b/bin/test-workflow/6_app_build_and_push_containers.sh 
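Review bot: `if $cli get pods --selector role=follower --no-headers; then` never reaches the decomposed-follower branch: `kubectl get` and `oc get` exit 0 when the selector matches nothing (they only print "No resources found" to stderr), so with a decomposed follower `follower_pod_name` is empty and the following `$cli exec` aborts the script under `set -e`. Test the output rather than the exit status, e.g. `follower_pod_name=$($cli get pods --selector role=follower --no-headers 2>/dev/null | awk '{ print $1 }' | head -1)` and then `if [[ -n "$follower_pod_name" ]]; then`, which also removes the duplicated `get pods` call in the success branch. A short comment that `ssl_cert` holds only the public certificate would back up the "non-secret" claim in the echo before the ConfigMap is created.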
@@ -0,0 +1,81 @@ +#!/usr/bin/env bash +set -euo pipefail + +. utils.sh + +if [[ "$PLATFORM" == "openshift" ]]; then + docker login -u _ -p $(oc whoami -t) $DOCKER_REGISTRY_PATH +fi + +announce "Building and pushing test app images." + +readonly APPS=( + "init" + "sidecar" +) + +pushd test_app_summon + if [[ "$PLATFORM" == "openshift" ]]; then + echo "Building Summon binaries to include in app image" + docker build -t test-app-builder -f Dockerfile.builder . + + # retrieve the summon binaries + id=$(docker create test-app-builder) + docker cp $id:/usr/local/lib/summon/summon-conjur ./tmp.summon-conjur + docker cp $id:/usr/local/bin/summon ./tmp.summon + docker rm --volumes $id + fi + + + for app_type in "${APPS[@]}"; do + # prep secrets.yml + # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI + sed "s#{{ TEST_APP_NAME }}#test-summon-$app_type-app#g" ./secrets.template.yml > "tmp.$TEST_APP_NAMESPACE_NAME.secrets.yml" + + dockerfile="Dockerfile" + if [[ "$PLATFORM" == "openshift" ]]; then + dockerfile="Dockerfile.oc" + fi + + echo "Building test app image" + docker build \ + --build-arg namespace=$TEST_APP_NAMESPACE_NAME \ + --tag test-app:$CONJUR_NAMESPACE_NAME \ + --file $dockerfile . + + test_app_image=$(platform_image_for_push "test-$app_type-app") + docker tag test-app:$CONJUR_NAMESPACE_NAME $test_app_image + + if ! is_minienv; then + docker push $test_app_image + fi + done +popd + +# If in Kubernetes, build custom pg image +if [[ "$PLATFORM" != "openshift" ]]; then + pushd pg + docker build -t test-app-pg:$CONJUR_NAMESPACE_NAME . + test_app_pg_image=$(platform_image_for_push test-app-pg) + docker tag test-app-pg:$CONJUR_NAMESPACE_NAME $test_app_pg_image + + if ! 
is_minienv; then + docker push $test_app_pg_image + fi + popd +fi + +if [[ "$LOCAL_AUTHENTICATOR" == "true" ]]; then + # Re-tag the locally-built conjur-authn-k8s-client:dev image + authn_image=$(platform_image_for_push conjur-authn-k8s-client) + docker tag conjur-authn-k8s-client:dev $authn_image + + # Re-tag the locally-built secretless-broker:latest image + secretless_image=$(platform_image_for_push secretless-broker) + docker tag secretless-broker:latest $secretless_image + + if ! is_minienv; then + docker push $authn_image + docker push $secretless_image + fi +fi diff --git a/bin/test-workflow/7_app_deploy.sh b/bin/test-workflow/7_app_deploy.sh new file mode 100755 index 00000000..efd20060 --- /dev/null +++ b/bin/test-workflow/7_app_deploy.sh 
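Review bot: `docker login -u _ -p $(oc whoami -t) $DOCKER_REGISTRY_PATH` places the OpenShift session token on the docker command line, where it is visible in process listings and in `set -x` traces; docker itself warns against `-p` for this reason. Feed it on stdin instead: `oc whoami -t | docker login -u _ --password-stdin "$DOCKER_REGISTRY_PATH"`. The `id=$(docker create test-app-builder)` / `docker rm --volumes $id` pair leaks the container if either `docker cp` fails in between under `set -e`; a `trap 'docker rm --volumes "$id" >/dev/null 2>&1' EXIT` (or a comment accepting the leak) belongs next to the create.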
@@ -0,0 +1,296 @@ +#!/usr/bin/env bash +set -eo pipefail + +. utils.sh + +main() { + announce "Deploying test apps for $TEST_APP_NAMESPACE_NAME." + + URLENCODED_AUTHN_ID=$(urlencode $AUTHENTICATOR_ID) + + set_namespace $TEST_APP_NAMESPACE_NAME + init_registry_creds + init_connection_specs + + if is_minienv; then + IMAGE_PULL_POLICY='Never' + else + IMAGE_PULL_POLICY='Always' + fi + + deploy_app_backend + deploy_secretless_app + deploy_sidecar_app + deploy_init_container_app + deploy_init_container_app_with_host_outside_apps +} + +########################### +init_registry_creds() { + if [[ "${PLATFORM}" == "kubernetes" ]] && [[ -n "${DOCKER_EMAIL}" ]]; then + announce "Creating image pull secret." + + kubectl delete --ignore-not-found secret dockerpullsecret + + kubectl create secret docker-registry dockerpullsecret \ + --docker-server=${PULL_DOCKER_REGISTRY_URL} \ + --docker-username=$DOCKER_USERNAME \ + --docker-password=$DOCKER_PASSWORD \ + --docker-email=$DOCKER_EMAIL + elif [[ "$PLATFORM" == "openshift" ]]; then + announce "Creating image pull secret." 
+ + $cli delete --ignore-not-found secrets dockerpullsecret + + $cli secrets new-dockercfg dockerpullsecret \ + --docker-server=${PULL_DOCKER_REGISTRY_URL} \ + --docker-username=_ \ + --docker-password=$($cli whoami -t) \ + --docker-email=_ + + $cli secrets add serviceaccount/default secrets/dockerpullsecret --for=pull + fi +} + +########################### +init_connection_specs() { + test_sidecar_app_docker_image=$(platform_image_for_pull test-sidecar-app) + test_init_app_docker_image=$(platform_image_for_pull test-init-app) + + if [[ "$LOCAL_AUTHENTICATOR" == "true" ]]; then + authenticator_client_image=$(platform_image_for_pull conjur-authn-k8s-client) + secretless_image=$(platform_image_for_pull secretless-broker) + else + authenticator_client_image="cyberark/conjur-authn-k8s-client" + secretless_image="cyberark/secretless-broker" + fi + + if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then + conjur_appliance_url=${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE_NAME.svc.cluster.local} + else + conjur_follower_name=${CONJUR_FOLLOWER_NAME:-conjur-follower} + conjur_appliance_url=https://$conjur_follower_name.$CONJUR_NAMESPACE_NAME.svc.cluster.local/api + fi + conjur_authenticator_url="$conjur_appliance_url/authn-k8s/$URLENCODED_AUTHN_ID" + + if [[ "$ANNOTATION_BASED_AUTHN" == "true" ]]; then + # For annotation-based Kubernetes authentication, the host ID to be used + # for authenticating is an application name. 
+ conjur_authn_login_prefix=host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps + else + # For host-ID-based Kubernetes authentication, the host ID to be used + # for authenticating is in the form: + # // + conjur_authn_login_prefix=host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps/$TEST_APP_NAMESPACE_NAME/$CONJUR_AUTHN_LOGIN_RESOURCE + fi +} + +########################### +deploy_app_backend() { + $cli delete --ignore-not-found \ + service/test-summon-init-app-backend \ + service/test-summon-sidecar-app-backend \ + service/test-secretless-app-backend \ + statefulset/summon-init-pg \ + statefulset/summon-sidecar-pg \ + statefulset/secretless-pg \ + statefulset/summon-init-mysql \ + statefulset/summon-sidecar-mysql \ + statefulset/secretless-mysql \ + secret/test-app-backend-certs + + ensure_env_database + case "${TEST_APP_DATABASE}" in + postgres) + echo "Create secrets for test app backend" + $cli --namespace $TEST_APP_NAMESPACE_NAME \ + create secret generic \ + test-app-backend-certs \ + --from-file=server.crt=./etc/ca.pem \ + --from-file=server.key=./etc/ca-key.pem + + echo "Deploying test app backend" + + test_app_pg_docker_image=$(platform_image_for_pull test-app-pg) + + sed "s#{{ TEST_APP_PG_DOCKER_IMAGE }}#$test_app_pg_docker_image#g" ./$PLATFORM/tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml | + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | + $cli create -f - + ;; + mysql) + echo "Deploying test app backend" + + test_app_mysql_docker_image="mysql/mysql-server:5.7" + + sed "s#{{ TEST_APP_DATABASE_DOCKER_IMAGE }}#$test_app_mysql_docker_image#g" ./$PLATFORM/tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml | + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | + $cli create -f - + ;; + esac + +} + +########################### +deploy_sidecar_app() { + $cli delete --ignore-not-found \ + deployment/test-app-summon-sidecar \ + 
service/test-app-summon-sidecar \ + serviceaccount/test-app-summon-sidecar \ + serviceaccount/oc-test-app-summon-sidecar + + if [[ "$PLATFORM" == "openshift" ]]; then + oc delete --ignore-not-found \ + deploymentconfig/test-app-summon-sidecar \ + route/test-app-summon-sidecar + fi + + sleep 5 + + sed "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_sidecar_app_docker_image#g" ./$PLATFORM/test-app-summon-sidecar.yml | + sed "s#{{ AUTHENTICATOR_CLIENT_IMAGE }}#$authenticator_client_image#g" | + sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | + sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | + sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" | + sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | + sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" | + sed "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + sed "s#{{ SERVICE_TYPE }}#$(app_service_type)#g" | + $cli create -f - + + if [[ "$PLATFORM" == "openshift" ]]; then + oc expose service test-app-summon-sidecar + fi + + echo "Test app/sidecar deployed." 
+} + +########################### +deploy_init_container_app() { + $cli delete --ignore-not-found \ + deployment/test-app-summon-init \ + service/test-app-summon-init \ + serviceaccount/test-app-summon-init \ + serviceaccount/oc-test-app-summon-init + + if [[ "$PLATFORM" == "openshift" ]]; then + oc delete --ignore-not-found \ + deploymentconfig/test-app-summon-init \ + route/test-app-summon-init + fi + + sleep 5 + + sed "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_init_app_docker_image#g" ./$PLATFORM/test-app-summon-init.yml | + sed "s#{{ AUTHENTICATOR_CLIENT_IMAGE }}#$authenticator_client_image#g" | + sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | + sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | + sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" | + sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | + sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" | + sed "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + sed "s#{{ SERVICE_TYPE }}#$(app_service_type)#g" | + $cli create -f - + + if [[ "$PLATFORM" == "openshift" ]]; then + oc expose service test-app-summon-init + fi + + echo "Test app/init-container deployed." 
+} + +########################### +deploy_init_container_app_with_host_outside_apps() { + $cli delete --ignore-not-found \ + deployment/test-app-with-host-outside-apps-branch-summon-init \ + service/test-app-with-host-outside-apps-branch-summon-init \ + serviceaccount/test-app-with-host-outside-apps-branch-summon-init \ + serviceaccount/oc-test-app-with-host-outside-apps-branch-summon-init + + if [[ "$PLATFORM" == "openshift" ]]; then + oc delete --ignore-not-found \ + deploymentconfig/test-app-with-host-outside-apps-branch-summon-init \ + route/test-app-with-host-outside-apps-branch-summon-init + fi + + sleep 5 + + conjur_authn_login="host/some-apps/$TEST_APP_NAMESPACE_NAME/*/*" + + sed "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_init_app_docker_image#g" ./$PLATFORM/test-app-with-host-outside-apps-branch-summon-init.yml | + sed "s#{{ AUTHENTICATOR_CLIENT_IMAGE }}#$authenticator_client_image#g" | + sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | + sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | + sed "s#{{ CONJUR_AUTHN_LOGIN }}#$conjur_authn_login#g" | + sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | + sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" | + sed "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + sed "s#{{ SERVICE_TYPE }}#$(app_service_type)#g" | + $cli create -f - + + if [[ "$PLATFORM" == "openshift" ]]; then + oc expose service test-app-with-host-outside-apps-branch-summon-init + fi + + echo "Test app/init-container deployed." 
+} + +########################### +deploy_secretless_app() { + $cli delete --ignore-not-found \ + deployment/test-app-secretless \ + service/test-app-secretless \ + serviceaccount/test-app-secretless \ + serviceaccount/oc-test-app-secretless \ + configmap/test-app-secretless-config + + if [[ "$PLATFORM" == "openshift" ]]; then + oc delete --ignore-not-found \ + deploymentconfig/test-app-secretless \ + route/test-app-secretless + fi + + $cli create configmap test-app-secretless-config \ + --from-file=etc/secretless.yml + + sleep 5 + + ensure_env_database + case "${TEST_APP_DATABASE}" in + postgres) + PORT=5432 + PROTOCOL=postgresql + ;; + mysql) + PORT=3306 + PROTOCOL=mysql + ;; + esac + secretless_db_url="$PROTOCOL://localhost:$PORT/test_app" + + sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" ./$PLATFORM/test-app-secretless.yml | + sed "s#{{ SECRETLESS_IMAGE }}#$secretless_image#g" | + sed "s#{{ SECRETLESS_DB_URL }}#$secretless_db_url#g" | + sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | + sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" | + sed "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | + sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | + sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | + sed "s#{{ SERVICE_TYPE }}#$(app_service_type)#g" | + $cli create -f - + + if [[ "$PLATFORM" == "openshift" ]]; then + oc expose service test-app-secretless + fi + + echo "Secretless test app deployed." +} + +main $@ diff --git a/bin/test-workflow/8_app_verify_authentication.sh b/bin/test-workflow/8_app_verify_authentication.sh new file mode 100755 index 00000000..802e6361 --- /dev/null +++ b/bin/test-workflow/8_app_verify_authentication.sh 
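Review bot: `main $@` on the last line should be `main "$@"` so arguments containing spaces are passed through intact; the script also runs with `set -eo pipefail` but without `-u`, unlike most of its siblings, so a mistyped variable in one of the many `sed "s#{{ ... }}#$VAR#g"` pipelines expands to an empty string and is silently written into the manifest rather than failing fast. The comment in `init_connection_specs` reading `# for authenticating is in the form:` followed by `# //` appears to have lost its placeholders (angle-bracketed tokens dropped somewhere in the port); restore them in plain words, e.g. `# namespace / resource-type / resource-name`, so the host-ID layout is actually documented. In `deploy_app_backend` the Postgres backend's TLS secret is assembled from `./etc/ca.pem` and `./etc/ca-key.pem`, the same key exempted from gitleaks earlier in this series; a comment beside that `create secret generic` call stating that this is a throwaway test CA, not to be reused outside the workflow, keeps that decision visible where the key is consumed.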
@@ -0,0 +1,183 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+init_bash_lib
+
+RETRIES=150
+# Seconds
+RETRY_WAIT=2
+
+# Dump some kubernetes resources and Conjur authentication policy if this
+# script exits prematurely
+DETAILED_DUMP_ON_EXIT=true
+
+function finish {
+ readonly PIDS=(
+ "SIDECAR_PORT_FORWARD_PID"
+ "INIT_PORT_FORWARD_PID"
+ "INIT_WITH_HOST_OUTSIDE_APPS_PORT_FORWARD_PID"
+ "SECRETLESS_PORT_FORWARD_PID"
+ )
+
+ if [[ "$DETAILED_DUMP_ON_EXIT" == "true" ]]; then
+ dump_kubernetes_resources
+ dump_authentication_policy
+ fi
+
+ set +u
+
+ echo -e "\n\nStopping all port-forwarding"
+ for pid in "${PIDS[@]}"; do
+ if [ -n "${!pid}" ]; then
+ # Kill process, and swallow any errors
+ kill "${!pid}" > /dev/null 2>&1
+ fi
+ done
+}
+trap finish EXIT
+
+announce "Validating that the deployments are functioning as expected."
+
+set_namespace "$TEST_APP_NAMESPACE_NAME"
+
+deploy_test_curl() {
+ $cli delete --ignore-not-found pod/test-curl
+ $cli create -f ./$PLATFORM/test-curl.yml
+}
+
+check_test_curl() {
+ pods_ready "test-curl"
+}
+
+pod_curl() {
+ kubectl exec test-curl -- curl "$@"
+}
+
+if [[ "$TEST_APP_LOADBALANCER_SVCS" == "false" ]]; then
+ echo "Deploying a test curl pod"
+ deploy_test_curl
+ echo "Waiting for test curl pod to become available"
+ bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_test_curl
+fi
+
+echo "Waiting for pods to become available"
+
+check_pods(){
+ pods_ready "test-app-summon-init" &&
+ pods_ready "test-app-with-host-outside-apps-branch-summon-init" &&
+ pods_ready "test-app-summon-sidecar" &&
+ pods_ready "test-app-secretless"
+}
+bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_pods
+
+if [[ "$PLATFORM" == "openshift" ]]; then
+ echo "Waiting for deployments to become available"
+
+ check_deployment_status(){
+ [[ "$(deployment_status "test-app-summon-init")" == "Complete" ]] &&
+ [[ "$(deployment_status "test-app-with-host-outside-apps-branch-summon-init")" == "Complete" ]] &&
+ [[ "$(deployment_status "test-app-summon-sidecar")" == "Complete" ]] &&
+ [[ "$(deployment_status "test-app-secretless")" == "Complete" ]]
+ }
+ bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_deployment_status
+
+ sidecar_pod=$(get_pod_name test-app-summon-sidecar)
+ init_pod=$(get_pod_name test-app-summon-init)
+ init_pod_with_host_outside_apps=$(get_pod_name test-app-with-host-outside-apps-branch-summon-init)
+ secretless_pod=$(get_pod_name test-app-secretless)
+
+ # Routes are defined, but we need to do port-mapping to access them
+ oc port-forward "$sidecar_pod" 8081:8080 > /dev/null 2>&1 &
+ SIDECAR_PORT_FORWARD_PID=$!
+ oc port-forward "$init_pod" 8082:8080 > /dev/null 2>&1 &
+ INIT_PORT_FORWARD_PID=$!
+ oc port-forward "$secretless_pod" 8083:8080 > /dev/null 2>&1 &
+ SECRETLESS_PORT_FORWARD_PID=$!
+ oc port-forward "$init_pod_with_host_outside_apps" 8084:8080 > /dev/null 2>&1 &
+ INIT_WITH_HOST_OUTSIDE_APPS_PORT_FORWARD_PID=$!
+
+ curl_cmd=curl
+ sidecar_url="localhost:8081"
+ init_url="localhost:8082"
+ secretless_url="localhost:8083"
+ init_url_with_host_outside_apps="localhost:8084"
+else
+ if [[ "$TEST_APP_LOADBALANCER_SVCS" == "true" ]]; then
+ echo "Waiting for external IPs to become available"
+ check_services(){
+ [[ -n "$(external_ip "test-app-summon-init")" ]] &&
+ [[ -n "$(external_ip "test-app-with-host-outside-apps-branch-summon-init")" ]] &&
+ [[ -n "$(external_ip "test-app-summon-sidecar")" ]] &&
+ [[ -n "$(external_ip "test-app-secretless")" ]]
+ }
+ bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_services
+
+ curl_cmd=curl
+ init_url=$(external_ip test-app-summon-init):8080
+ init_url_with_host_outside_apps=$(external_ip test-app-with-host-outside-apps-branch-summon-init):8080
+ sidecar_url=$(external_ip test-app-summon-sidecar):8080
+ secretless_url=$(external_ip test-app-secretless):8080
+
+ else
+ # Apps don't have loadbalancer services, so test by curling from
+ # a pod that is inside the KinD cluster.
+ curl_cmd=pod_curl
+ init_url="test-app-summon-init.$TEST_APP_NAMESPACE_NAME.svc.cluster.local:8080"
+ init_url_with_host_outside_apps="test-app-with-host-outside-apps-branch-summon-init.$TEST_APP_NAMESPACE_NAME.svc.cluster.local:8080"
+ sidecar_url="test-app-summon-sidecar.$TEST_APP_NAMESPACE_NAME.svc.cluster.local:8080"
+ secretless_url="test-app-secretless.$TEST_APP_NAMESPACE_NAME.svc.cluster.local:8080"
+ fi
+fi
+
+echo "Waiting for urls to be ready"
+
+check_urls(){
+ (
+ $curl_cmd -sS --connect-timeout 3 "$init_url" &&
+ $curl_cmd -sS --connect-timeout 3 "$init_url_with_host_outside_apps" &&
+ $curl_cmd -sS --connect-timeout 3 "$sidecar_url" &&
+ $curl_cmd -sS --connect-timeout 3 "$secretless_url"
+ ) > /dev/null
+}
+
+bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_urls
+
+echo -e "\nAdding entry to the init app\n"
+$curl_cmd \
+ -d '{"name": "Mr. Init"}' \
+ -H "Content-Type: application/json" \
+ "$init_url"/pet
+
+echo -e "Adding entry to the init app with host outside apps\n"
+$curl_cmd \
+ -d '{"name": "Mr. Init"}' \
+ -H "Content-Type: application/json" \
+ "$init_url_with_host_outside_apps"/pet
+
+echo -e "Adding entry to the sidecar app\n"
+$curl_cmd \
+ -d '{"name": "Mr. Sidecar"}' \
+ -H "Content-Type: application/json" \
+ "$sidecar_url"/pet
+
+echo -e "Adding entry to the secretless app\n"
+$curl_cmd \
+ -d '{"name": "Mr. Secretless"}' \
+ -H "Content-Type: application/json" \
+ "$secretless_url"/pet
+
+echo -e "Querying init app\n"
+$curl_cmd "$init_url"/pets
+
+echo -e "\n\nQuerying init app with hosts outside apps\n"
+$curl_cmd "$init_url_with_host_outside_apps"/pets
+
+echo -e "\n\nQuerying sidecar app\n"
+$curl_cmd "$sidecar_url"/pets
+
+echo -e "\n\nQuerying secretless app\n"
+$curl_cmd "$secretless_url"/pets
+
+DETAILED_DUMP_ON_EXIT=false
diff --git a/bin/test-workflow/etc/ca-key.pem b/bin/test-workflow/etc/ca-key.pem
new file mode 100644
index 00000000..3145d827
--- /dev/null
+++ b/bin/test-workflow/etc/ca-key.pem
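Review bot: The POST and GET calls from `echo -e "\nAdding entry to the init app\n"` onward run `$curl_cmd` without `--fail`, so an HTTP 4xx/5xx from an app whose credentials did not resolve still exits 0, `set -e` never trips, and the script prints the error body and then reports success. Adding `--fail -sS` to each of those invocations, e.g. `$curl_cmd --fail -sS -d '{"name": "Mr. Init"}' -H "Content-Type: application/json" "$init_url"/pet`, makes a non-2xx abort the verification; through `pod_curl` the status propagates because `kubectl exec` returns the command's exit code. `pod_curl` also calls `kubectl` directly while the rest of the script goes through `$cli`; that path is only reached on the non-OpenShift branch as written, but `$cli exec test-curl -- curl "$@"` keeps it consistent.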
@@ -0,0 +1,30 @@ +// File generated cfssl +// DO NOT EDIT + +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAoFlYxgbah0wd53UjA4F0xImtCcGBpppNB5md/0tX2WHC1muV +seJrgCvdEDFT4efrDPTTJqxHHizVWhp9JK2gs6Y3sl+CNNcdvbi1jWwZ6LvYP+RZ +BPX9ZLEmL0UfJOxOH1mIucRPt67fZ469iv4yNIxGIfx0vapy3R/m5VOv1ZXCh+2s +wKGTh3VLg6p4Hcwrr0B2uuPRNq0/JUFDBx33sAcaIsDreY91Gv5ZZPagrP6YWMVZ +xYEf4qdoOyf/amg+xMxRm2W4z8FpXFdA+tSbhLD1sQJYVzPCMIaBT8SUmTwjlWzu +RWMxGMtwbQK8xjtH7Plff2nw/d0my+Ogg3AHawIDAQABAoIBAQCIgOco1YbNLQg8 +FST0hA1Sjt2m83uax7qRoL23Kn2jyiyier3ZzCW13CF5+nQtWVBpHDZwsrJsRsBt +zyT/x2uJ5BOAHvxqXUKtUwQDW6aG0PrcEVmS9pJ7WK9oCFDmDuDGoWLaufsfJJh8 +wTAslg9JWq0Nm6wKFoNoKRNX4LFMgbMPKZqg8fNen1Ytj/b6oUq5h5zY1I+shbIz +d/RegAdVjpX3eydTzBl3Uep7Oby9/+UbcCvjeQf+5rWZlbcvaNNsfr5TwcZBNMnH ++acPPuzeGiL44NIKo4v31mjDseuMrjknQ+dMYEJqsXaVFNqMXevgdetLBB7Q4JRB +Mn8nv2IZAoGBANFcfHp/ASNLwVbi6Frg2hnnkKJlv9cuFPG9fQ6BlRgtR4nqA5no +7V5rhxs7C2UIXFVxH9lzaHrW09d1xLn50JgJGoGSqypPMybZttmj7BAg1Gvd6Iq4 +BCG8Ys5aoiSQN2wIrvyNfMiPSVN/Cg0bhcllz7Nkfu76aXbc7qS36A9HAoGBAMQR +xn1DTtyVrmZWXjNXzkSXA7YHGeOEZHUjCdGghKN8NJQIz8BwPGs36fLKoJwG4Yqm +ZDIJeT2kuRUpydlzxIKAIA2vAPHsJd2dF2Oo8U7gSODdZNS9u+MLq4yynZ7unMJt +T2O88LcWvD1SgAN2RNENJkTKIUlhF+IpJ5yv3UC9AoGAZ0oWy6SPHifIyiIGepeG +YtNhAw3p+LJueNmAskByG0xzh/IhNrS5LyUjseaOd5kJXMoD6ZdLi5cjSqB6nzpF +lEyhfB2tPqF2Xgt5b6S02TwpMNJ5YL7qou47XQ1QA3P3M+CQ3F69moE+ruf1QIQ8 +nCETuLCzAxoeIBtdzXxCDA8CgYEAnYJKGkcAC2STfdLUShq3sZI/gPOjcIriyNcl +BCoXY95bvrB1dPq1Ds0UO99btvwwI9oXk7rYkxTJOp8fcHj33H5hQZzc/Xvfz3Br +YbxOXjb/VOWGIwFo9rRhU94JkavOcsKtjEo0dmDlR74G6MER937Ax3I522EMdrro +/46oB2ECgYAVJ66trKhHn9DsqP56mSVkbUZZcHvfnNCiNK4oOJdwG6kSv4E2KLWT +AZpL/KNyTPTlOeejXxBstKRDasylVpHCmX6hGCzlKOG407prIwP1wiMx11WyMN8n +DotRi5Kn0cR5Brt0wXk/fCTvSF/CQSl2eCpwwkttxkjziW7txNHt/Q== +-----END RSA PRIVATE KEY----- diff --git a/bin/test-workflow/etc/ca.pem b/bin/test-workflow/etc/ca.pem new file mode 100644 index 00000000..e2fde072 --- /dev/null +++ b/bin/test-workflow/etc/ca.pem 
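Review bot: This checks a CA private key into the repository in clear under `bin/test-workflow/etc/`, and nothing in the file says it is a throwaway test CA; anyone who can read the repository can issue certificates that the paired `ca.pem` will validate, so the pair must never be trusted outside the test workflow. The header says only `// File generated cfssl` and `// DO NOT EDIT`; a third header line such as `// Test-only CA for bin/test-workflow; never trust or reuse outside the test cluster` would make that scope explicit to the next reader. Generating the pair with cfssl at workflow start, instead of committing the key, would keep a long-lived signing key out of the history altogether.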
@@ -0,0 +1,24 @@ +// File generated cfssl +// DO NOT EDIT + +-----BEGIN CERTIFICATE----- +MIIDYDCCAkigAwIBAgIUaeVOQkQ3j7uff0Rl29dt2lmmcuUwDQYJKoZIhvcNAQEL +BQAwSDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh +bmNpc2NvMRQwEgYDVQQDEwt0ZXN0LXNlcnZlcjAeFw0xOTAxMDQxNzI2MDBaFw0y +NDAxMDMxNzI2MDBaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzEUMBIGA1UEAxMLdGVzdC1zZXJ2ZXIwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgWVjGBtqHTB3ndSMDgXTEia0JwYGmmk0H +mZ3/S1fZYcLWa5Wx4muAK90QMVPh5+sM9NMmrEceLNVaGn0kraCzpjeyX4I01x29 +uLWNbBnou9g/5FkE9f1ksSYvRR8k7E4fWYi5xE+3rt9njr2K/jI0jEYh/HS9qnLd +H+blU6/VlcKH7azAoZOHdUuDqngdzCuvQHa649E2rT8lQUMHHfewBxoiwOt5j3Ua +/llk9qCs/phYxVnFgR/ip2g7J/9qaD7EzFGbZbjPwWlcV0D61JuEsPWxAlhXM8Iw +hoFPxJSZPCOVbO5FYzEYy3BtArzGO0fs+V9/afD93SbL46CDcAdrAgMBAAGjQjBA +MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSRuefr +vBvZHTvUOUVVnY/FIrTJATANBgkqhkiG9w0BAQsFAAOCAQEAe4L/D65XD6oNzwbv +SD7iHsU2igi76FnOhCLSCqAuCk6anGnKGhsuHDoVqdMP1fsSbbxnn1yr8AtBhr/A +Q2xLQ6nPuVkIwJqZ/Ya95rIPNUkyQfxW3diqkNeMLkJSlILbVQ7PN/HOsGPNq6FU +6PG1PU8GQJ7qnRdSD1OceV++TDbaJBUe36+BT+Q3YnfsrzmW7QL0ZDfMvRw3jehW +Ngv6QT4o9HWDkiOrzGRtVku7qKXA9C6if+lE0U6EmLhQPlTlLeFj/6+h5FW6sVH5 +tiOT7wBcaj3nf4uhkEKj2NKAFWTYvLW6pqYhZuA5yXprDifZjmoolBaHSvam4qpK +QcGRVA== +-----END CERTIFICATE----- diff --git a/bin/test-workflow/etc/secretless.yml b/bin/test-workflow/etc/secretless.yml new file mode 100644 index 00000000..6a630cbf --- /dev/null +++ b/bin/test-workflow/etc/secretless.yml 
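Review bot: The certificate carries a fixed validity window baked into the checked-in fixture; decoding the DER, the two UTCTime fields appear to be `190104172600Z` and `240103172600Z`, i.e. a notAfter around 2024-01-03, which should be confirmed with `openssl x509 -in bin/test-workflow/etc/ca.pem -noout -dates`. Once it lapses, every TLS handshake in the workflow fails with a certificate error far from this file. A header comment next to `// File generated cfssl` recording the expiry and how to regenerate the pair, or regenerating the CA during the prep step, avoids that surprise.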
@@ -0,0 +1,34 @@
+version: "2"
+services:
+ test-app-pg:
+ protocol: pg
+ listenOn: tcp://0.0.0.0:5432
+ credentials:
+ address:
+ from: conjur
+ get: test-secretless-app-db/url
+ username:
+ from: conjur
+ get: test-secretless-app-db/username
+ password:
+ from: conjur
+ get: test-secretless-app-db/password
+ sslmode: require
+
+ test-app-mysql:
+ protocol: mysql
+ listenOn: tcp://0.0.0.0:3306
+ credentials:
+ host:
+ from: conjur
+ get: test-secretless-app-db/host
+ port:
+ from: conjur
+ get: test-secretless-app-db/port
+ username:
+ from: conjur
+ get: test-secretless-app-db/username
+ password:
+ from: conjur
+ get: test-secretless-app-db/password
+ sslmode: require
diff --git a/bin/test-workflow/kubernetes/conjur-cli.yml b/bin/test-workflow/kubernetes/conjur-cli.yml
new file mode 100644
index 00000000..891f1079
--- /dev/null
+++ b/bin/test-workflow/kubernetes/conjur-cli.yml
@@ -0,0 +1,27 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: conjur-cli
+ labels:
+ app: conjur-cli
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: conjur-cli
+ template:
+ metadata:
+ name: conjur-cli
+ labels:
+ app: conjur-cli
+ spec:
+ serviceAccountName: {{ CONJUR_SERVICE_ACCOUNT }}
+ containers:
+ - name: conjur-cli
+ image: {{ DOCKER_IMAGE }}
+ imagePullPolicy: {{ IMAGE_PULL_POLICY }}
+ command: ["sleep"]
+ args: ["infinity"]
+ imagePullSecrets:
+ - name: dockerpullsecret
diff --git a/bin/test-workflow/kubernetes/mysql.template.yml b/bin/test-workflow/kubernetes/mysql.template.yml
new file mode 100644
index 00000000..b3207127
--- /dev/null
+++ b/bin/test-workflow/kubernetes/mysql.template.yml
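Review bot: Both services set `sslmode: require`, which encrypts the backend connection but does not verify the server's certificate, so the `test-app-backend-certs` secret that the postgres templates mount is never actually checked against anything. For `test-app-pg`, `sslmode: verify-ca` (or `verify-full`) together with the connector's `sslrootcert` credential would exercise that trust chain end to end; for `test-app-mysql` the mysql templates in this patch configure no server certificate at all, so whether `require` succeeds there depends on the image's defaults and should be confirmed. A one-line comment above each `sslmode:` stating the intended trust model (encrypt-only vs. verified) would help either way.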
@@ -0,0 +1,137 @@
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: test-summon-init-app-backend
+ namespace: {{ TEST_APP_NAMESPACE_NAME }}
+spec:
+ selector:
+ app: test-summon-init-app-backend
+ ports:
+ - port: 3306
+ targetPort: 3306
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: summon-init-mysql
+ labels:
+ app: test-summon-init-app-backend
+spec:
+ serviceName: test-summon-init-app-backend
+ selector:
+ matchLabels:
+ app: test-summon-init-app-backend
+ template:
+ metadata:
+ labels:
+ app: test-summon-init-app-backend
+ spec:
+ containers:
+ - name: test-summon-init-app-backend
+ image: {{ TEST_APP_DATABASE_DOCKER_IMAGE }}
+ imagePullPolicy: {{ IMAGE_PULL_POLICY }}
+ ports:
+ - containerPort: 3306
+ env:
+ - name: MYSQL_RANDOM_ROOT_PASSWORD
+ value: "yes"
+ - name: MYSQL_USER
+ value: test_app
+ - name: MYSQL_PASSWORD
+ value: {{ TEST_APP_DB_PASSWORD }}
+ - name: MYSQL_DATABASE
+ value: test_app
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: test-summon-sidecar-app-backend
+ namespace: {{ TEST_APP_NAMESPACE_NAME }}
+spec:
+ selector:
+ app: test-summon-sidecar-app-backend
+ ports:
+ - port: 3306
+ targetPort: 3306
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: summon-sidecar-mysql
+ labels:
+ app: test-summon-sidecar-app-backend
+spec:
+ serviceName: test-summon-sidecar-app-backend
+ selector:
+ matchLabels:
+ app: test-summon-sidecar-app-backend
+ template:
+ metadata:
+ labels:
+ app: test-summon-sidecar-app-backend
+ spec:
+ containers:
+ - name: test-summon-sidecar-app-backend
+ image: {{ TEST_APP_DATABASE_DOCKER_IMAGE }}
+ imagePullPolicy: {{ IMAGE_PULL_POLICY }}
+ ports:
+ - containerPort: 3306
+ env:
+ - name: MYSQL_RANDOM_ROOT_PASSWORD
+ value: "yes"
+ - name: MYSQL_USER
+ value: test_app
+ - name: MYSQL_PASSWORD
+ value: {{ TEST_APP_DB_PASSWORD }}
+ - name: MYSQL_DATABASE
+ value: test_app
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: test-secretless-app-backend
+ namespace: {{ TEST_APP_NAMESPACE_NAME }}
+spec:
+ selector:
+ app: test-secretless-app-backend
+ ports:
+ - port: 3306
+ targetPort: 3306
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: secretless-mysql
+ labels:
+ app: test-secretless-app-backend
+spec:
+ serviceName: test-secretless-app-backend
+ selector:
+ matchLabels:
+ app: test-secretless-app-backend
+ template:
+ metadata:
+ labels:
+ app: test-secretless-app-backend
+ spec:
+ containers:
+ - name: test-secretless-app-backend
+ image: {{ TEST_APP_DATABASE_DOCKER_IMAGE }}
+ imagePullPolicy: {{ IMAGE_PULL_POLICY }}
+ ports:
+ - containerPort: 3306
+ env:
+ - name: MYSQL_RANDOM_ROOT_PASSWORD
+ value: "yes"
+ - name: MYSQL_USER
+ value: test_app
+ - name: MYSQL_PASSWORD
+ value: {{ TEST_APP_DB_PASSWORD }}
+ - name: MYSQL_DATABASE
+ value: test_app
diff --git a/bin/test-workflow/kubernetes/postgres.template.yml b/bin/test-workflow/kubernetes/postgres.template.yml
new file mode 100644
index 00000000..231e6101
--- /dev/null
+++ b/bin/test-workflow/kubernetes/postgres.template.yml
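Review bot: `value: {{ TEST_APP_DB_PASSWORD }}` is an unquoted plain scalar, presumably filled by the same `sed` templating as the other `{{ }}` placeholders, so a password that is purely numeric, spells `true`/`yes`/`null`, or contains `: ` or `#` is either rejected (env values must be strings) or silently altered — the author already quotes `value: "yes"` two lines above for exactly this reason. Writing `value: "{{ TEST_APP_DB_PASSWORD }}"` in all three StatefulSets fixes the parse; moving the password to a Secret referenced via `valueFrom.secretKeyRef` would additionally keep it out of the rendered manifest and out of `get pod -o yaml` for anyone with pod read access. The same unquoted pattern appears in `kubernetes/postgres.template.yml` and in both OpenShift templates in this patch.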
@@ -0,0 +1,166 @@
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: test-summon-init-app-backend
+ namespace: {{ TEST_APP_NAMESPACE_NAME }}
+spec:
+ selector:
+ app: test-summon-init-app-backend
+ ports:
+ - port: 5432
+ targetPort: 5432
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: summon-init-pg
+ labels:
+ app: test-summon-init-app-backend
+spec:
+ serviceName: test-summon-init-app-backend
+ selector:
+ matchLabels:
+ app: test-summon-init-app-backend
+ template:
+ metadata:
+ labels:
+ app: test-summon-init-app-backend
+ spec:
+ securityContext:
+ fsGroup: 999
+ containers:
+ - name: test-summon-init-app-backend
+ image: {{ TEST_APP_PG_DOCKER_IMAGE }}
+ imagePullPolicy: {{ IMAGE_PULL_POLICY }}
+ ports:
+ - containerPort: 5432
+ volumeMounts:
+ - name: backend-certs
+ mountPath: "/etc/certs/"
+ readOnly: true
+ args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/server.crt", "-c", "ssl_key_file=/etc/certs/server.key"]
+ env:
+ - name: POSTGRES_USER
+ value: test_app
+ - name: POSTGRES_PASSWORD
+ value: {{ TEST_APP_DB_PASSWORD }}
+ - name: POSTGRES_DB
+ value: test_app
+ volumes:
+ - name: backend-certs
+ secret:
+ secretName: test-app-backend-certs
+ defaultMode: 384
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: test-summon-sidecar-app-backend
+ namespace: {{ TEST_APP_NAMESPACE_NAME }}
+spec:
+ selector:
+ app: test-summon-sidecar-app-backend
+ ports:
+ - port: 5432
+ targetPort: 5432
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: summon-sidecar-pg
+ labels:
+ app: test-summon-sidecar-app-backend
+spec:
+ serviceName: test-summon-sidecar-app-backend
+ selector:
+ matchLabels:
+ app: test-summon-sidecar-app-backend
+ template:
+ metadata:
+ labels:
+ app: test-summon-sidecar-app-backend
+ spec:
+ securityContext:
+ fsGroup: 999
+ containers:
+ - name: test-summon-sidecar-app-backend
+ image: {{ TEST_APP_PG_DOCKER_IMAGE }}
+ imagePullPolicy: {{ IMAGE_PULL_POLICY }}
+ ports:
+ - containerPort: 5432
+ volumeMounts:
+ - name: backend-certs
+ mountPath: "/etc/certs/"
+ readOnly: true
+ args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/server.crt", "-c", "ssl_key_file=/etc/certs/server.key"]
+ env:
+ - name: POSTGRES_USER
+ value: test_app
+ - name: POSTGRES_PASSWORD
+ value: {{ TEST_APP_DB_PASSWORD }}
+ - name: POSTGRES_DB
+ value: test_app
+ volumes:
+ - name: backend-certs
+ secret:
+ secretName: test-app-backend-certs
+ defaultMode: 384
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: test-secretless-app-backend
+ namespace: {{ TEST_APP_NAMESPACE_NAME }}
+spec:
+ selector:
+ app: test-secretless-app-backend
+ ports:
+ - port: 5432
+ targetPort: 5432
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: secretless-pg
+ labels:
+ app: test-secretless-app-backend
+spec:
+ serviceName: test-secretless-app-backend
+ selector:
+ matchLabels:
+ app: test-secretless-app-backend
+ template:
+ metadata:
+ labels:
+ app: test-secretless-app-backend
+ spec:
+ securityContext:
+ fsGroup: 999
+ containers:
+ - name: test-secretless-app-backend
+ image: {{ TEST_APP_PG_DOCKER_IMAGE }}
+ imagePullPolicy: {{ IMAGE_PULL_POLICY }}
+ ports:
+ - containerPort: 5432
+ volumeMounts:
+ - name: backend-certs
+ mountPath: "/etc/certs/"
+ readOnly: true
+ args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/server.crt", "-c", "ssl_key_file=/etc/certs/server.key"]
+ env:
+ - name: POSTGRES_USER
+ value: test_app
+ - name: POSTGRES_PASSWORD
+ value: {{ TEST_APP_DB_PASSWORD }}
+ - name: POSTGRES_DB
+ value: test_app
+ volumes:
+ - name: backend-certs
+ secret:
+ secretName: test-app-backend-certs
+ defaultMode: 384
diff --git a/bin/test-workflow/kubernetes/test-app-conjur-authenticator-role-binding.yml b/bin/test-workflow/kubernetes/test-app-conjur-authenticator-role-binding.yml
new file mode 100644
index 00000000..5ed17893
--- /dev/null
+++ b/bin/test-workflow/kubernetes/test-app-conjur-authenticator-role-binding.yml
@@ -0,0 +1,14 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: test-app-conjur-authenticator-role-binding-{{ CONJUR_NAMESPACE_NAME }}
+ namespace: {{ TEST_APP_NAMESPACE_NAME }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ CONJUR_SERVICE_ACCOUNT }}
+ namespace: {{ CONJUR_NAMESPACE_NAME }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ CONJUR_AUTHN_CLUSTER_ROLE }}
diff --git a/bin/test-workflow/kubernetes/test-app-secretless.yml b/bin/test-workflow/kubernetes/test-app-secretless.yml
new file mode 100644
index 00000000..5f4bcdd8
--- /dev/null
+++ b/bin/test-workflow/kubernetes/test-app-secretless.yml
@@ -0,0 +1,95 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: test-app-secretless
+ labels:
+ app: test-app-secretless
+spec:
+ ports:
+ - protocol: TCP
+ port: 8080
+ targetPort: 8080
+ selector:
+ app: test-app-secretless
+ type: {{ SERVICE_TYPE }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: test-app-secretless
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: test-app-secretless
+ name: test-app-secretless
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: test-app-secretless
+ template:
+ metadata:
+ labels:
+ app: test-app-secretless
+ spec:
+ serviceAccountName: test-app-secretless
+ containers:
+ - image: cyberark/demo-app
+ imagePullPolicy: Always
+ name: test-app-secretless
+ ports:
+ - name: http
+ containerPort: 8080
+ readinessProbe:
+ httpGet:
+ path: /pets
+ port: http
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ env:
+ - name: DB_URL
+ value: {{ SECRETLESS_DB_URL }}
+ - image: {{ SECRETLESS_IMAGE }}
+ imagePullPolicy: Always
+ name: secretless
+ args: ["-f", "/etc/secretless/secretless.yml"]
+ ports:
+ - containerPort: 5432
+ env:
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MY_POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: CONJUR_AUTHN_URL
+ value: "{{ CONJUR_AUTHN_URL }}"
+ - name: CONJUR_APPLIANCE_URL
+ value: "{{ CONJUR_APPLIANCE_URL }}"
+ - name: CONJUR_ACCOUNT
+ value: {{ CONJUR_ACCOUNT }}
+ - name: CONJUR_AUTHN_LOGIN
+ value: "{{ CONJUR_AUTHN_LOGIN_PREFIX }}/test-app-secretless"
+ - name: CONJUR_SSL_CERTIFICATE
+ valueFrom:
+ configMapKeyRef:
+ name: {{ CONFIG_MAP_NAME }}
+ key: ssl-certificate
+ volumeMounts:
+ - name: config
+ mountPath: "/etc/secretless"
+ readOnly: true
+ imagePullSecrets:
+ - name: dockerpullsecret
+ volumes:
+ - name: config
+ configMap:
+ name: test-app-secretless-config
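Review bot: `image: cyberark/demo-app` carries no tag, so with `imagePullPolicy: Always` every rollout pulls whatever `latest` currently resolves to, while the other app templates in this patch take the image from `{{ TEST_APP_DOCKER_IMAGE }}`. Pinning a tag or digest, or using the same placeholder, keeps the test reproducible and the pulled image auditable. The `secretless` container also advertises only `containerPort: 5432`, although `etc/secretless.yml` listens on 3306 as well; the field is informational, but listing both (or neither) avoids suggesting that the mysql path is unreachable.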
diff --git a/bin/test-workflow/kubernetes/test-app-summon-init.yml b/bin/test-workflow/kubernetes/test-app-summon-init.yml
new file mode 100644
index 00000000..bdb02209
--- /dev/null
+++ b/bin/test-workflow/kubernetes/test-app-summon-init.yml
@@ -0,0 +1,105 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: test-app-summon-init
+ labels:
+ app: test-app-summon-init
+spec:
+ ports:
+ - protocol: TCP
+ port: 8080
+ targetPort: 8080
+ selector:
+ app: test-app-summon-init
+ type: {{ SERVICE_TYPE }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: test-app-summon-init
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: test-app-summon-init
+ name: test-app-summon-init
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: test-app-summon-init
+ template:
+ metadata:
+ labels:
+ app: test-app-summon-init
+ spec:
+ serviceAccountName: test-app-summon-init
+ containers:
+ - image: {{ TEST_APP_DOCKER_IMAGE }}
+ imagePullPolicy: {{ IMAGE_PULL_POLICY }}
+ name: test-app
+ ports:
+ - name: http
+ containerPort: 8080
+ readinessProbe:
+ httpGet:
+ path: /pets
+ port: http
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ env:
+ - name: CONJUR_APPLIANCE_URL
+ value: "{{ CONJUR_APPLIANCE_URL }}"
+ - name: CONJUR_ACCOUNT
+ value: {{ CONJUR_ACCOUNT }}
+ - name: CONJUR_AUTHN_TOKEN_FILE
+ value: /run/conjur/access-token
+ - name: CONJUR_SSL_CERTIFICATE
+ valueFrom:
+ configMapKeyRef:
+ name: {{ CONFIG_MAP_NAME }}
+ key: ssl-certificate
+ volumeMounts:
+ - mountPath: /run/conjur
+ name: conjur-access-token
+ readOnly: true
+ initContainers:
+ - image: {{ AUTHENTICATOR_CLIENT_IMAGE }}
+ imagePullPolicy: Always
+ name: authenticator
+ env:
+ - name: CONTAINER_MODE
+ value: init
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MY_POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: CONJUR_AUTHN_URL
+ value: "{{ CONJUR_AUTHN_URL }}"
+ - name: CONJUR_ACCOUNT
+ value: {{ CONJUR_ACCOUNT }}
+ - name: CONJUR_AUTHN_LOGIN
+ value: "{{ CONJUR_AUTHN_LOGIN_PREFIX }}/test-app-summon-init"
+ - name: CONJUR_SSL_CERTIFICATE
+ valueFrom:
+ configMapKeyRef:
+ name: {{ CONFIG_MAP_NAME }}
+ key: ssl-certificate
+ volumeMounts:
+ - mountPath: /run/conjur
+ name: conjur-access-token
+ imagePullSecrets:
+ - name: dockerpullsecret
+ volumes:
+ - name: conjur-access-token
+ emptyDir:
+ medium: Memory
diff --git a/bin/test-workflow/kubernetes/test-app-summon-sidecar.yml b/bin/test-workflow/kubernetes/test-app-summon-sidecar.yml
new file mode 100644
index 00000000..6940198b
--- /dev/null
+++ b/bin/test-workflow/kubernetes/test-app-summon-sidecar.yml
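Review bot: The `authenticator` init container hardcodes `imagePullPolicy: Always` while the `test-app` container in the same pod takes `{{ IMAGE_PULL_POLICY }}`; if `{{ AUTHENTICATOR_CLIENT_IMAGE }}` is ever a locally loaded build (which is what a pull-policy placeholder usually exists for), `Always` forces a registry pull and the pod sits in ImagePullBackOff. `imagePullPolicy: {{ IMAGE_PULL_POLICY }}` keeps the two containers consistent. The same hardcoded `Always` appears on the authenticator container in `test-app-summon-sidecar.yml` and `test-app-with-host-outside-apps-branch-summon-init.yml` in this patch.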
@@ -0,0 +1,104 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: test-app-summon-sidecar
+ labels:
+ app: test-app-summon-sidecar
+spec:
+ ports:
+ - protocol: TCP
+ port: 8080
+ targetPort: 8080
+ selector:
+ app: test-app-summon-sidecar
+ type: {{ SERVICE_TYPE }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: test-app-summon-sidecar
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: test-app-summon-sidecar
+ name: test-app-summon-sidecar
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: test-app-summon-sidecar
+ template:
+ metadata:
+ labels:
+ app: test-app-summon-sidecar
+ spec:
+ serviceAccountName: test-app-summon-sidecar
+ containers:
+ - image: {{ TEST_APP_DOCKER_IMAGE }}
+ imagePullPolicy: {{ IMAGE_PULL_POLICY }}
+ name: test-app
+ ports:
+ - name: http
+ containerPort: 8080
+ readinessProbe:
+ httpGet:
+ path: /pets
+ port: http
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ env:
+ - name: CONJUR_APPLIANCE_URL
+ value: "{{ CONJUR_APPLIANCE_URL }}"
+ - name: CONJUR_ACCOUNT
+ value: {{ CONJUR_ACCOUNT }}
+ - name: CONJUR_AUTHN_TOKEN_FILE
+ value: /run/conjur/access-token
+ - name: CONJUR_SSL_CERTIFICATE
+ valueFrom:
+ configMapKeyRef:
+ name: {{ CONFIG_MAP_NAME }}
+ key: ssl-certificate
+ volumeMounts:
+ - mountPath: /run/conjur
+ name: conjur-access-token
+ readOnly: true
+ - image: {{ AUTHENTICATOR_CLIENT_IMAGE }}
+ imagePullPolicy: Always
+ name: authenticator
+ env:
+ - name: CONTAINER_MODE
+ value: sidecar
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MY_POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: CONJUR_AUTHN_URL
+ value: "{{ CONJUR_AUTHN_URL }}"
+ - name: CONJUR_ACCOUNT
+ value: {{ CONJUR_ACCOUNT }}
+ - name: CONJUR_AUTHN_LOGIN
+ value: "{{ CONJUR_AUTHN_LOGIN_PREFIX }}/test-app-summon-sidecar"
+ - name: CONJUR_SSL_CERTIFICATE
+ valueFrom:
+ configMapKeyRef:
+ name: {{ CONFIG_MAP_NAME }}
+ key: ssl-certificate
+ volumeMounts:
+ - mountPath: /run/conjur
+ name: conjur-access-token
+ imagePullSecrets:
+ - name: dockerpullsecret
+ volumes:
+ - name: conjur-access-token
+ emptyDir:
+ medium: Memory
diff --git a/bin/test-workflow/kubernetes/test-app-with-host-outside-apps-branch-summon-init.yml b/bin/test-workflow/kubernetes/test-app-with-host-outside-apps-branch-summon-init.yml
new file mode 100644
index 00000000..681a7098
--- /dev/null
+++ b/bin/test-workflow/kubernetes/test-app-with-host-outside-apps-branch-summon-init.yml
@@ -0,0 +1,106 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: test-app-with-host-outside-apps-branch-summon-init
+ labels:
+ app: test-app-with-host-outside-apps-branch-summon-init
+spec:
+ ports:
+ - protocol: TCP
+ port: 8080
+ targetPort: 8080
+ selector:
+ app: test-app-with-host-outside-apps-branch-summon-init
+ type: {{ SERVICE_TYPE }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: test-app-with-host-outside-apps-branch-summon-init
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: test-app-with-host-outside-apps-branch-summon-init
+ name: test-app-with-host-outside-apps-branch-summon-init
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: test-app-with-host-outside-apps-branch-summon-init
+ template:
+ metadata:
+ labels:
+ app: test-app-with-host-outside-apps-branch-summon-init
+ spec:
+ serviceAccountName: test-app-with-host-outside-apps-branch-summon-init
+ containers:
+ - image: {{ TEST_APP_DOCKER_IMAGE }}
+ imagePullPolicy: {{ IMAGE_PULL_POLICY }}
+ name: test-app
+ ports:
+ - name: http
+ containerPort: 8080
+ readinessProbe:
+ httpGet:
+ path: /pets
+ port: http
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ env:
+ - name: CONJUR_APPLIANCE_URL
+ value: "{{ CONJUR_APPLIANCE_URL }}"
+ - name: CONJUR_ACCOUNT
+ value: {{ CONJUR_ACCOUNT }}
+ - name: CONJUR_AUTHN_TOKEN_FILE
+ value: /run/conjur/access-token
+ - name: CONJUR_SSL_CERTIFICATE
+ valueFrom:
+ configMapKeyRef:
+ name: {{ CONFIG_MAP_NAME }}
+ key: ssl-certificate
+ volumeMounts:
+ - mountPath: /run/conjur
+ name: conjur-access-token
+ readOnly: true
+ initContainers:
+ - image: {{ AUTHENTICATOR_CLIENT_IMAGE }}
+ imagePullPolicy: Always
+ name: authenticator
+ env:
+ - name: CONTAINER_MODE
+ value: init
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MY_POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: CONJUR_AUTHN_URL
+ value: "{{ CONJUR_AUTHN_URL }}"
+ - name: CONJUR_ACCOUNT
+ value: {{ CONJUR_ACCOUNT }}
+ - name: CONJUR_AUTHN_LOGIN
+ value: "{{ CONJUR_AUTHN_LOGIN }}"
+ - name: CONJUR_SSL_CERTIFICATE
+ valueFrom:
+ configMapKeyRef:
+ name: {{ CONFIG_MAP_NAME }}
+ key: ssl-certificate
+ volumeMounts:
+ - mountPath: /run/conjur
+ name: conjur-access-token
+ imagePullSecrets:
+ - name: dockerpullsecret
+ volumes:
+ - name: conjur-access-token
+ emptyDir:
+ medium: Memory
diff --git a/bin/test-workflow/kubernetes/test-curl.yml b/bin/test-workflow/kubernetes/test-curl.yml
new file mode 100644
index 00000000..c3af6420
--- /dev/null
+++ b/bin/test-workflow/kubernetes/test-curl.yml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-curl
+ labels:
+ name: test-curl
+spec:
+ containers:
+ - name: busyboxplus
+ image: radial/busyboxplus:curl
+ imagePullPolicy: Always
+ command: ["sh", "-c", "tail -f /dev/null"]
diff --git a/bin/test-workflow/openshift/conjur-cli.yml b/bin/test-workflow/openshift/conjur-cli.yml
new file mode 100644
index 00000000..b6f610d2
--- /dev/null
+++ b/bin/test-workflow/openshift/conjur-cli.yml
@@ -0,0 +1,26 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: conjur-cli
+ labels:
+ app: conjur-cli
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: conjur-cli
+ template:
+ metadata:
+ name: conjur-cli
+ labels:
+ app: conjur-cli
+ spec:
+ serviceAccountName: {{ CONJUR_SERVICE_ACCOUNT }}
+ containers:
+ - name: conjur-cli
+ image: {{ DOCKER_IMAGE }}
+ imagePullPolicy: {{ IMAGE_PULL_POLICY }}
+ command: ["sleep"]
+ args: ["infinity"]
+ imagePullSecrets:
diff --git a/bin/test-workflow/openshift/mysql.template.yml b/bin/test-workflow/openshift/mysql.template.yml
new file mode 100644
index 00000000..94e5fe13
--- /dev/null
+++ b/bin/test-workflow/openshift/mysql.template.yml
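Review bot: `openshift/conjur-cli.yml` ends on a bare `imagePullSecrets:` with no entries, whereas the Kubernetes variant in this patch lists `- name: dockerpullsecret`; as written the key parses to null, which reads like a truncated copy rather than intent. Either add `- name: dockerpullsecret` beneath it, or drop the line if the OpenShift service account is expected to carry its own linked pull secret, and leave a one-line comment saying which.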
@@ -0,0 +1,131 @@
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: test-summon-init-app-backend
+ namespace: {{ TEST_APP_NAMESPACE_NAME }}
+spec:
+ selector:
+ app: test-summon-init-app-backend
+ ports:
+ - port: 3306
+ targetPort: 3306
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: summon-init-mysql
+ labels:
+ app: test-summon-init-app-backend
+spec:
+ serviceName: test-summon-init-app-backend
+ selector:
+ matchLabels:
+ app: test-summon-init-app-backend
+ template:
+ metadata:
+ labels:
+ app: test-summon-init-app-backend
+ spec:
+ containers:
+ - name: test-summon-init-app-backend
+ image: centos/mysql-57-centos7
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 3306
+ env:
+ - name: MYSQL_USER
+ value: test_app
+ - name: MYSQL_PASSWORD
+ value: {{ TEST_APP_DB_PASSWORD }}
+ - name: MYSQL_DATABASE
+ value: test_app
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: test-summon-sidecar-app-backend
+ namespace: {{ TEST_APP_NAMESPACE_NAME }}
+spec:
+ selector:
+ app: test-summon-sidecar-app-backend
+ ports:
+ - port: 3306
+ targetPort: 3306
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: summon-sidecar-mysql
+ labels:
+ app: test-summon-sidecar-app-backend
+spec:
+ serviceName: test-summon-sidecar-app-backend
+ selector:
+ matchLabels:
+ app: test-summon-sidecar-app-backend
+ template:
+ metadata:
+ labels:
+ app: test-summon-sidecar-app-backend
+ spec:
+ containers:
+ - name: test-summon-sidecar-app-backend
+ image: centos/mysql-57-centos7
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 3306
+ env:
+ - name: MYSQL_USER
+ value: test_app
+ - name: MYSQL_PASSWORD
+ value: {{ TEST_APP_DB_PASSWORD }}
+ - name: MYSQL_DATABASE
+ value: test_app
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: test-secretless-app-backend
+ namespace: {{ TEST_APP_NAMESPACE_NAME }}
+spec:
+ selector:
+ app: test-secretless-app-backend
+ ports:
+ - port: 3306
+ targetPort: 3306
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: secretless-mysql
+ labels:
+ app: test-secretless-app-backend
+spec:
+ serviceName: test-secretless-app-backend
+ selector:
+ matchLabels:
+ app: test-secretless-app-backend
+ template:
+ metadata:
+ labels:
+ app: test-secretless-app-backend
+ spec:
+ containers:
+ - name: test-secretless-app-backend
+ image: centos/mysql-57-centos7
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 3306
+ env:
+ - name: MYSQL_USER
+ value: test_app
+ - name: MYSQL_PASSWORD
+ value: {{ TEST_APP_DB_PASSWORD }}
+ - name: MYSQL_DATABASE
+ value: test_app
diff --git a/bin/test-workflow/openshift/postgres.template.yml b/bin/test-workflow/openshift/postgres.template.yml
new file mode 100644
index 00000000..4c6f0c9c
--- /dev/null
+++ b/bin/test-workflow/openshift/postgres.template.yml
@@ -0,0 +1,170 @@ +--- +kind: Service +apiVersion: v1 +metadata: + name: test-summon-init-app-backend + namespace: {{ TEST_APP_NAMESPACE_NAME }} +spec: + selector: + app: test-summon-init-app-backend + ports: + - port: 5432 + targetPort: 5432 + +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: summon-init-pg + labels: + app: test-summon-init-app-backend +spec: + serviceName: test-summon-init-app-backend + selector: + matchLabels: + app: test-summon-init-app-backend + template: + metadata: + labels: + app: test-summon-init-app-backend + spec: + containers: + - name: test-summon-init-app-backend + image: centos/postgresql-95-centos7 + imagePullPolicy: Always + ports: + - containerPort: 5432 + env: + - name: POSTGRESQL_USER + value: test_app + - name: POSTGRESQL_PASSWORD + value: {{ TEST_APP_DB_PASSWORD }} + - name: POSTGRESQL_DATABASE + value: test_app + volumeMounts: + - name: backend-certs + mountPath: "/etc/certs/" + readOnly: true + command: ["/bin/sh", "-c"] + args: + - mkdir -p /opt/app-root/certs/; + install -m 0600 /etc/certs/* /opt/app-root/certs; + run-postgresql -c ssl=on -c ssl_cert_file=/opt/app-root/certs/server.crt -c ssl_key_file=/opt/app-root/certs/server.key + volumes: + - name: backend-certs + secret: + secretName: test-app-backend-certs + +--- +kind: Service +apiVersion: v1 +metadata: + name: test-summon-sidecar-app-backend + namespace: {{ TEST_APP_NAMESPACE_NAME }} +spec: + selector: + app: test-summon-sidecar-app-backend + ports: + - port: 5432 + targetPort: 5432 + +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: summon-sidecar-pg + labels: + app: test-summon-sidecar-app-backend +spec: + serviceName: test-summon-sidecar-app-backend + selector: + matchLabels: + app: test-summon-sidecar-app-backend + template: + metadata: + labels: + app: test-summon-sidecar-app-backend + spec: + containers: + - name: test-summon-sidecar-app-backend + image: centos/postgresql-95-centos7 + imagePullPolicy: Always + ports: + - 
containerPort: 5432 + env: + - name: POSTGRESQL_USER + value: test_app + - name: POSTGRESQL_PASSWORD + value: {{ TEST_APP_DB_PASSWORD }} + - name: POSTGRESQL_DATABASE + value: test_app + volumeMounts: + - name: backend-certs + mountPath: "/etc/certs/" + readOnly: true + command: ["/bin/sh", "-c"] + args: + - mkdir -p /opt/app-root/certs/; + install -m 0600 /etc/certs/* /opt/app-root/certs; + run-postgresql -c ssl=on -c ssl_cert_file=/opt/app-root/certs/server.crt -c ssl_key_file=/opt/app-root/certs/server.key + volumes: + - name: backend-certs + secret: + secretName: test-app-backend-certs + +--- +kind: Service +apiVersion: v1 +metadata: + name: test-secretless-app-backend + namespace: {{ TEST_APP_NAMESPACE_NAME }} +spec: + selector: + app: test-secretless-app-backend + ports: + - port: 5432 + targetPort: 5432 + +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: secretless-pg + labels: + app: test-secretless-app-backend +spec: + serviceName: test-secretless-app-backend + selector: + matchLabels: + app: test-secretless-app-backend + template: + metadata: + labels: + app: test-secretless-app-backend + spec: + containers: + - name: test-secretless-app-backend + image: centos/postgresql-95-centos7 + imagePullPolicy: Always + ports: + - containerPort: 5432 + env: + - name: POSTGRESQL_USER + value: test_app + - name: POSTGRESQL_PASSWORD + value: {{ TEST_APP_DB_PASSWORD }} + - name: POSTGRESQL_DATABASE + value: test_app + volumeMounts: + - name: backend-certs + mountPath: "/etc/certs/" + readOnly: true + command: ["/bin/sh", "-c"] + args: + - mkdir -p /opt/app-root/certs/; + install -m 0600 /etc/certs/* /opt/app-root/certs; + run-postgresql -c ssl=on -c ssl_cert_file=/opt/app-root/certs/server.crt -c ssl_key_file=/opt/app-root/certs/server.key + volumes: + - name: backend-certs + secret: + secretName: test-app-backend-certs 
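Review bot: The `args` shell string chains `mkdir -p`, `install -m 0600 /etc/certs/*` and `run-postgresql` with `;`, so a failed copy of the TLS key (secret `test-app-backend-certs` absent or empty) still starts the server with `ssl=on` pointing at files that do not exist, and the failure surfaces only as a later PostgreSQL startup error. Joining the steps with `&&` (or starting the string with `set -e;`) makes the copy failure the reported error. The key is installed with mode 0600 from a read-only mount, which looks right; the secret itself is not defined in this hunk, so presumably a separate step creates it.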
diff --git a/bin/test-workflow/openshift/test-app-conjur-authenticator-role-binding.yml b/bin/test-workflow/openshift/test-app-conjur-authenticator-role-binding.yml
new file mode 100644
index 00000000..5ed17893
--- /dev/null
+++ b/bin/test-workflow/openshift/test-app-conjur-authenticator-role-binding.yml
@@ -0,0 +1,14 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: test-app-conjur-authenticator-role-binding-{{ CONJUR_NAMESPACE_NAME }}
+ namespace: {{ TEST_APP_NAMESPACE_NAME }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ CONJUR_SERVICE_ACCOUNT }}
+ namespace: {{ CONJUR_NAMESPACE_NAME }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ CONJUR_AUTHN_CLUSTER_ROLE }}
diff --git a/bin/test-workflow/openshift/test-app-secretless.yml b/bin/test-workflow/openshift/test-app-secretless.yml
new file mode 100644
index 00000000..140d0164
--- /dev/null
+++ b/bin/test-workflow/openshift/test-app-secretless.yml
@@ -0,0 +1,95 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: test-app-secretless + labels: + app: test-app-secretless +spec: + ports: + - protocol: TCP + port: 8080 + targetPort: 8080 + selector: + app: test-app-secretless + type: {{ SERVICE_TYPE }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: oc-test-app-secretless +--- +apiVersion: v1 +kind: DeploymentConfig +metadata: + labels: + app: test-app-secretless + name: test-app-secretless +spec: + replicas: 1 + selector: + app: test-app-secretless + template: + metadata: + labels: + app: test-app-secretless + spec: + serviceAccountName: oc-test-app-secretless + containers: + - image: cyberark/demo-app + imagePullPolicy: Always + name: test-app-secretless + ports: + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /pets + port: http + initialDelaySeconds: 15 + timeoutSeconds: 5 + env: + - name: DB_URL + value: {{ SECRETLESS_DB_URL }} + - image: {{ SECRETLESS_IMAGE }} + imagePullPolicy: Always + name: secretless + args: ["-f", "/etc/secretless/secretless.yml"] + ports: + - containerPort: 5432 + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONJUR_AUTHN_URL + value: "{{ CONJUR_AUTHN_URL }}" + - name: CONJUR_APPLIANCE_URL + value: "{{ CONJUR_APPLIANCE_URL }}" + - name: CONJUR_ACCOUNT + value: "{{ CONJUR_ACCOUNT }}" + - name: CONJUR_AUTHN_LOGIN + value: "{{ CONJUR_AUTHN_LOGIN_PREFIX }}/oc-test-app-secretless" + - name: CONJUR_SSL_CERTIFICATE + valueFrom: + configMapKeyRef: + name: "{{ CONFIG_MAP_NAME }}" + key: ssl-certificate + volumeMounts: + - name: config + mountPath: "/etc/secretless" + readOnly: true + imagePullSecrets: + - name: dockerpullsecret + volumes: + - name: config + configMap: + name: test-app-secretless-config 
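Review bot: The DeploymentConfig is declared with `apiVersion: v1`, the legacy un-grouped form; current OpenShift releases serve it as `apps.openshift.io/v1`, so confirm the target clusters still accept the legacy version (the summon-init, summon-sidecar and with-host-outside-apps-branch manifests in this commit use the same form). The app container also hard-codes `image: cyberark/demo-app` with no tag and `imagePullPolicy: Always`, whereas the sibling manifests take the image from `{{ TEST_APP_DOCKER_IMAGE }}`; an untagged image pulled on every restart makes the test non-reproducible when the upstream tag moves.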
diff --git a/bin/test-workflow/openshift/test-app-summon-init.yml b/bin/test-workflow/openshift/test-app-summon-init.yml
new file mode 100644
index 00000000..dbe30e69
--- /dev/null
+++ b/bin/test-workflow/openshift/test-app-summon-init.yml
@@ -0,0 +1,105 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: test-app-summon-init + labels: + app: test-app-summon-init +spec: + ports: + - protocol: TCP + port: 8080 + targetPort: 8080 + selector: + app: test-app-summon-init + type: {{ SERVICE_TYPE }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: oc-test-app-summon-init +--- +apiVersion: v1 +kind: DeploymentConfig +metadata: + labels: + app: test-app-summon-init + name: test-app-summon-init +spec: + replicas: 1 + selector: + app: test-app-summon-init + template: + metadata: + labels: + app: test-app-summon-init + spec: + serviceAccountName: oc-test-app-summon-init + containers: + - image: {{ TEST_APP_DOCKER_IMAGE }} + imagePullPolicy: Always + name: test-app + ports: + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /pets + port: http + initialDelaySeconds: 15 + timeoutSeconds: 5 + env: + - name: CONJUR_APPLIANCE_URL + value: "{{ CONJUR_APPLIANCE_URL }}" + - name: CONJUR_ACCOUNT + value: {{ CONJUR_ACCOUNT }} + - name: CONJUR_AUTHN_TOKEN_FILE + value: /run/conjur/access-token + - name: CONJUR_SSL_CERTIFICATE + valueFrom: + configMapKeyRef: + name: {{ CONFIG_MAP_NAME }} + key: ssl-certificate + volumeMounts: + - mountPath: /run/conjur + name: conjur-access-token + readOnly: true + initContainers: + - image: {{ AUTHENTICATOR_CLIENT_IMAGE }} + imagePullPolicy: Always + name: authenticator + env: + - name: CONTAINER_MODE + value: init + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONJUR_AUTHN_URL + value: "{{ CONJUR_AUTHN_URL }}" + - name: CONJUR_ACCOUNT + value: {{ CONJUR_ACCOUNT }} + - name: CONJUR_AUTHN_LOGIN + value: "{{ CONJUR_AUTHN_LOGIN_PREFIX }}/oc-test-app-summon-init" + - name: CONJUR_SSL_CERTIFICATE + valueFrom: + configMapKeyRef: + name: {{ CONFIG_MAP_NAME }} + key: 
ssl-certificate + volumeMounts: + - mountPath: /run/conjur + name: conjur-access-token + imagePullSecrets: + - name: dockerpullsecret + volumes: + - name: conjur-access-token + emptyDir: + medium: Memory diff --git a/bin/test-workflow/openshift/test-app-summon-sidecar.yml b/bin/test-workflow/openshift/test-app-summon-sidecar.yml new file mode 100644 index 00000000..a9647c11 --- /dev/null +++ b/bin/test-workflow/openshift/test-app-summon-sidecar.yml 
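Review bot: `CONJUR_ACCOUNT` is rendered unquoted (`value: {{ CONJUR_ACCOUNT }}`) in both the app container and the init container, and so is `configMapKeyRef.name: {{ CONFIG_MAP_NAME }}`, while the neighbouring `CONJUR_APPLIANCE_URL` and `CONJUR_AUTHN_URL` are quoted; an account or config map name that YAML reads as a number or boolean, or that contains `: `, fails API validation because env values and object names must be strings. Quote them as the other values are: `value: "{{ CONJUR_ACCOUNT }}"` and `name: "{{ CONFIG_MAP_NAME }}"`. The same unquoted substitutions appear in test-app-summon-sidecar.yml and test-app-with-host-outside-apps-branch-summon-init.yml.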
@@ -0,0 +1,102 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: test-app-summon-sidecar + labels: + app: test-app-summon-sidecar +spec: + ports: + - protocol: TCP + port: 8080 + targetPort: 8080 + selector: + app: test-app-summon-sidecar + type: {{ SERVICE_TYPE }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: oc-test-app-summon-sidecar +--- +apiVersion: v1 +kind: DeploymentConfig +metadata: + labels: + app: test-app-summon-sidecar + name: test-app-summon-sidecar +spec: + replicas: 1 + selector: + app: test-app-summon-sidecar + template: + metadata: + labels: + app: test-app-summon-sidecar + spec: + serviceAccountName: oc-test-app-summon-sidecar + containers: + - image: {{ TEST_APP_DOCKER_IMAGE }} + imagePullPolicy: Always + name: test-app + ports: + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /pets + port: http + initialDelaySeconds: 15 + timeoutSeconds: 5 + env: + - name: CONJUR_APPLIANCE_URL + value: "{{ CONJUR_APPLIANCE_URL }}" + - name: CONJUR_ACCOUNT + value: {{ CONJUR_ACCOUNT }} + - name: CONJUR_AUTHN_TOKEN_FILE + value: /run/conjur/access-token + - name: CONJUR_SSL_CERTIFICATE + valueFrom: + configMapKeyRef: + name: {{ CONFIG_MAP_NAME }} + key: ssl-certificate + volumeMounts: + - mountPath: /run/conjur + name: conjur-access-token + readOnly: true + - image: {{ AUTHENTICATOR_CLIENT_IMAGE }} + imagePullPolicy: Always + name: authenticator + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONJUR_AUTHN_URL + value: "{{ CONJUR_AUTHN_URL }}" + - name: CONJUR_ACCOUNT + value: {{ CONJUR_ACCOUNT }} + - name: CONJUR_AUTHN_LOGIN + value: "{{ CONJUR_AUTHN_LOGIN_PREFIX }}/oc-test-app-summon-sidecar" + - name: CONJUR_SSL_CERTIFICATE + valueFrom: + configMapKeyRef: + name: {{ CONFIG_MAP_NAME }} + key: ssl-certificate + 
volumeMounts: + - mountPath: /run/conjur + name: conjur-access-token + imagePullSecrets: + - name: dockerpullsecret + volumes: + - name: conjur-access-token + emptyDir: + medium: Memory diff --git a/bin/test-workflow/openshift/test-app-with-host-outside-apps-branch-summon-init.yml b/bin/test-workflow/openshift/test-app-with-host-outside-apps-branch-summon-init.yml new file mode 100644 index 00000000..fd0800c1 --- /dev/null +++ b/bin/test-workflow/openshift/test-app-with-host-outside-apps-branch-summon-init.yml 
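Review bot: Nothing in this pod orders the `authenticator` sidecar ahead of `test-app`; Kubernetes starts regular containers concurrently, so the app's summon entrypoint can run before `/run/conjur/access-token` exists and then depends on a container restart to recover. If that restart is the accepted behaviour for the test, a comment on the `authenticator` container saying so (and that the token is written into the in-memory `conjur-access-token` volume) would save the next reader from chasing the first CrashLoopBackOff; otherwise the app container needs a startup wait for the token file. I cannot see summon's retry behaviour from here, so treat the race as something to confirm.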
@@ -0,0 +1,105 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: test-app-with-host-outside-apps-branch-summon-init + labels: + app: test-app-with-host-outside-apps-branch-summon-init +spec: + ports: + - protocol: TCP + port: 8080 + targetPort: 8080 + selector: + app: test-app-with-host-outside-apps-branch-summon-init + type: {{ SERVICE_TYPE }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: oc-test-app-with-host-outside-apps-branch-summon-init +--- +apiVersion: v1 +kind: DeploymentConfig +metadata: + labels: + app: test-app-with-host-outside-apps-branch-summon-init + name: test-app-with-host-outside-apps-branch-summon-init +spec: + replicas: 1 + selector: + app: test-app-with-host-outside-apps-branch-summon-init + template: + metadata: + labels: + app: test-app-with-host-outside-apps-branch-summon-init + spec: + serviceAccountName: oc-test-app-with-host-outside-apps-branch-summon-init + containers: + - image: {{ TEST_APP_DOCKER_IMAGE }} + imagePullPolicy: Always + name: test-app + ports: + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /pets + port: http + initialDelaySeconds: 15 + timeoutSeconds: 5 + env: + - name: CONJUR_APPLIANCE_URL + value: "{{ CONJUR_APPLIANCE_URL }}" + - name: CONJUR_ACCOUNT + value: {{ CONJUR_ACCOUNT }} + - name: CONJUR_AUTHN_TOKEN_FILE + value: /run/conjur/access-token + - name: CONJUR_SSL_CERTIFICATE + valueFrom: + configMapKeyRef: + name: {{ CONFIG_MAP_NAME }} + key: ssl-certificate + volumeMounts: + - mountPath: /run/conjur + name: conjur-access-token + readOnly: true + initContainers: + - image: {{ AUTHENTICATOR_CLIENT_IMAGE }} + imagePullPolicy: Always + name: authenticator + env: + - name: CONTAINER_MODE + value: init + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONJUR_AUTHN_URL + value: "{{ 
CONJUR_AUTHN_URL }}"
+ - name: CONJUR_ACCOUNT
+ value: {{ CONJUR_ACCOUNT }}
+ - name: CONJUR_AUTHN_LOGIN
+ value: "{{ CONJUR_AUTHN_LOGIN }}"
+ - name: CONJUR_SSL_CERTIFICATE
+ valueFrom:
+ configMapKeyRef:
+ name: {{ CONFIG_MAP_NAME }}
+ key: ssl-certificate
+ volumeMounts:
+ - mountPath: /run/conjur
+ name: conjur-access-token
+ imagePullSecrets:
+ - name: dockerpullsecret
+ volumes:
+ - name: conjur-access-token
+ emptyDir:
+ medium: Memory
diff --git a/bin/test-workflow/openshift/test-curl.yml b/bin/test-workflow/openshift/test-curl.yml
new file mode 100644
index 00000000..c3af6420
--- /dev/null
+++ b/bin/test-workflow/openshift/test-curl.yml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-curl
+ labels:
+ name: test-curl
+spec:
+ containers:
+ - name: busyboxplus
+ image: radial/busyboxplus:curl
+ imagePullPolicy: Always
+ command: ["sh", "-c", "tail -f /dev/null"]
diff --git a/bin/test-workflow/pg/Dockerfile b/bin/test-workflow/pg/Dockerfile
new file mode 100644
index 00000000..3b7ee97f
--- /dev/null
+++ b/bin/test-workflow/pg/Dockerfile
@@ -0,0 +1,5 @@
+FROM postgres:9.6
+
+RUN mkdir -p /docker-entrypoint-initdb.d
+
+COPY rotate_password /usr/local/bin/
diff --git a/bin/test-workflow/pg/rotate_password b/bin/test-workflow/pg/rotate_password
new file mode 100755
index 00000000..6f5384a1
--- /dev/null
+++ b/bin/test-workflow/pg/rotate_password
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+new_password="$1"
+if [[ -z $new_password ]]; then
+ echo "usage: $0 "
+ exit 1
+fi
+
+# Set the new password.
+echo "ALTER ROLE test_app WITH PASSWORD '$new_password'" | psql -U postgres
+
+# Close all the connections, forcing them to reconnect.
+cat < pg_backend_pid()
+AND
+ usename='test_app';
+KILL_CONNECTIONS
diff --git a/bin/test-workflow/policy/app-access.yml b/bin/test-workflow/policy/app-access.yml
new file mode 100644
index 00000000..d7db27be
--- /dev/null
+++ b/bin/test-workflow/policy/app-access.yml
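Review bot: The image is built `FROM postgres:9.6`, a major version that is past upstream end-of-life, and the tag floats across minor releases, so the test backend drifts and stops receiving fixes; pinning a supported major with an explicit minor (or a digest) keeps the fixture reproducible. The `RUN mkdir -p /docker-entrypoint-initdb.d` line is presumably a no-op, since the official image already ships that directory; a comment saying why it is there would help if it is intentional. `rotate_password` keeps its executable bit from git (mode 100755), so no `chmod` is needed after the `COPY`.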
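Review bot: `ALTER ROLE test_app WITH PASSWORD '$new_password'` is built by string interpolation, so a password containing a single quote breaks the statement or changes its meaning; pass it as a psql variable and let psql quote it: `psql -U postgres -v pw="$new_password" -c "ALTER ROLE test_app WITH PASSWORD :'pw'"`. The script has no `set -euo pipefail` and psql runs without `-v ON_ERROR_STOP=1`, so a failed ALTER still goes on to terminate the connections and the script exits 0. The password also arrives as `$1`, which is visible in the container's process list while the script runs. The heredoc body of the second psql call appears truncated in this rendering, so I cannot review its SQL.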
@@ -0,0 +1,52 @@
+- !policy
+ id: test-summon-init-app-db
+ owner: !group secrets_admin
+ annotations:
+ description: This policy contains the creds to access the summon init app DB
+
+ body:
+ - &init-variables
+ - !variable password
+ - !variable url
+ - !variable username
+
+ - !permit
+ role: !layer /test-app
+ privileges: [ read, execute ]
+ resources: *init-variables
+
+- !policy
+ id: test-summon-sidecar-app-db
+ owner: !group secrets_admin
+ annotations:
+ description: This policy contains the creds to access the summon sidecar app DB
+
+ body:
+ - &sidecar-variables
+ - !variable password
+ - !variable url
+ - !variable username
+
+ - !permit
+ role: !layer /test-app
+ privileges: [ read, execute ]
+ resources: *sidecar-variables
+
+- !policy
+ id: test-secretless-app-db
+ owner: !group secrets_admin
+ annotations:
+ description: This policy contains the creds to access the secretless app DB
+
+ body:
+ - &secretless-variables
+ - !variable password
+ - !variable url
+ - !variable port
+ - !variable host
+ - !variable username
+
+ - !permit
+ role: !layer /test-app
+ privileges: [ read, execute ]
+ resources: *secretless-variables
diff --git a/bin/test-workflow/policy/load_policies.sh b/bin/test-workflow/policy/load_policies.sh
new file mode 100755
index 00000000..2137128b
--- /dev/null
+++ b/bin/test-workflow/policy/load_policies.sh
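Review bot: All three DB policies `!permit` the same `!layer /test-app`, so every identity in that layer can read the credentials of all three backends, and the split into `test-summon-init-app-db`, `test-summon-sidecar-app-db` and `test-secretless-app-db` gives no isolation between the apps. If that is deliberate for a shared test layer, a comment above the first `!permit` stating it (`# all test apps share one layer; each app can read every backend's creds`) makes the intent explicit; if not, each policy should permit a per-app layer instead. `privileges: [ read, execute ]` without `update` is the right minimum for a consumer.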
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+if [ "$CONJUR_APPLIANCE_URL" != "" ]; then
+ conjur init -u $CONJUR_APPLIANCE_URL -a $CONJUR_ACCOUNT
+fi
+
+# check for unset vars after checking for appliance url
+set -u
+
+conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD
+
+readonly POLICY_DIR="/policy"
+
+# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
+readonly POLICY_FILES=(
+ "$POLICY_DIR/users.yml"
+ "$POLICY_DIR/generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml"
+ "$POLICY_DIR/generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml"
+ "$POLICY_DIR/generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml"
+ "$POLICY_DIR/generated/$TEST_APP_NAMESPACE_NAME.authn-any-policy-branch.yml"
+ "$POLICY_DIR/app-access.yml"
+)
+
+for policy_file in "${POLICY_FILES[@]}"; do
+ echo "Loading policy $policy_file..."
+ conjur policy load root $policy_file
+done
+
+# load secret values for each app
+readonly APPS=(
+ "test-summon-init-app"
+ "test-summon-sidecar-app"
+ "test-secretless-app"
+)
+
+for app_name in "${APPS[@]}"; do
+ echo "Loading secret values for $app_name"
+ conjur variable values add "$app_name-db/password" $DB_PASSWORD
+ conjur variable values add "$app_name-db/username" "test_app"
+
+ case "${TEST_APP_DATABASE}" in
+ postgres)
+ PORT=5432
+ PROTOCOL=postgresql
+ ;;
+ mysql)
+ PORT=3306
+ PROTOCOL=mysql
+ ;;
+ *)
+ echo "Expected TEST_APP_DATABASE to be 'mysql' or 'postgres', got '${TEST_APP_DATABASE}'"
+ exit 1
+ ;;
+ esac
+ db_host="$app_name-backend.$TEST_APP_NAMESPACE_NAME.svc.cluster.local"
+ db_address="$db_host:$PORT"
+
+ if [[ "$app_name" = "test-secretless-app" ]]; then
+ # Secretless doesn't require the full connection URL, just the host/port
+ conjur variable values add "$app_name-db/url" "$db_address"
+ conjur variable values add "$app_name-db/port" "$PORT"
+ conjur variable values add "$app_name-db/host" "$db_host"
+ else
+ # The authenticator sidecar injects the full pg connection string into the
+ # app environment using Summon
+ conjur variable values add "$app_name-db/url" "$PROTOCOL://$db_address/test_app"
+ fi
+done
+
+conjur authn logout
diff --git a/bin/test-workflow/policy/templates/app-identity-def.template.yml b/bin/test-workflow/policy/templates/app-identity-def.template.yml
new file mode 100644
index 00000000..08dbb300
--- /dev/null
+++ b/bin/test-workflow/policy/templates/app-identity-def.template.yml
@@ -0,0 +1,14 @@
+---
+- !policy
+ id: test-app
+ owner: !group devops
+ annotations:
+ description: This policy connects authn identities to an application identity. It defines a layer named for an application that contains the whitelisted identities that can authenticate to the authn-k8s endpoint. Any permissions granted to the application layer will be inherited by the whitelisted authn identities, thereby granting access to the authenticated identity.
+ body:
+ - !layer
+
+ # add authn identities to application layer so authn roles inherit app's permissions
+ - !grant
+ role: !layer
+ members:
+ - !layer /conjur/authn-k8s/{{ AUTHENTICATOR_ID }}/apps
diff --git a/bin/test-workflow/policy/templates/authn-any-policy-branch.template.yml b/bin/test-workflow/policy/templates/authn-any-policy-branch.template.yml
new file mode 100755
index 00000000..e499059e
--- /dev/null
+++ b/bin/test-workflow/policy/templates/authn-any-policy-branch.template.yml
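Review bot: `$CONJUR_ADMIN_PASSWORD`, `$DB_PASSWORD`, `$CONJUR_APPLIANCE_URL`, `$CONJUR_ACCOUNT` and `$policy_file` are all expanded unquoted, so a password containing spaces or glob characters is split into several arguments or expanded against the working directory before it reaches the CLI; quote them, e.g. `conjur authn login -u admin -p "$CONJUR_ADMIN_PASSWORD"` and `conjur variable values add "$app_name-db/password" "$DB_PASSWORD"`. Passing the admin password with `-p` also exposes it in the process list for the duration of the login; if the CLI prompts when `-p` is omitted, that is preferable wherever the script runs interactively. The `case "${TEST_APP_DATABASE}"` block does not depend on `app_name` and could move above the `for app_name` loop so an invalid value fails before any secret is written.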
@@ -0,0 +1,33 @@
+### This policy is defined to verify that hosts can authenticate with Conjur
+### from anywhere in the policy branch, to retrieve secrets for k8s
+
+# Define a policy and add a host to it
+- !policy
+ id: some-apps
+ owner: !group devops
+ annotations:
+ description: Identities permitted to authenticate
+ body:
+ - !layer
+ annotations:
+ description: Layer of authenticator identities permitted to call authn svc
+ - &hosts
+ - !host
+ id: {{ TEST_APP_NAMESPACE_NAME }}/*/*
+ annotations:
+ kubernetes/authentication-container-name: authenticator
+ openshift: "{{ IS_OPENSHIFT }}"
+
+ - !grant
+ role: !layer
+ members: *hosts
+
+# Inherit test-app's permissions
+- !grant
+ role: !layer test-app
+ members: !layer some-apps
+
+# Allow the host to authenticate with the authn-k8s authenticator
+- !grant
+ role: !layer conjur/authn-k8s/{{ AUTHENTICATOR_ID }}/users
+ members: !layer some-apps
diff --git a/bin/test-workflow/policy/templates/cluster-authn-svc-def.template.yml b/bin/test-workflow/policy/templates/cluster-authn-svc-def.template.yml
new file mode 100644
index 00000000..ed0aca91
--- /dev/null
+++ b/bin/test-workflow/policy/templates/cluster-authn-svc-def.template.yml
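Review bot: The `!host` with `id: {{ TEST_APP_NAMESPACE_NAME }}/*/*` is a namespace-wide wildcard identity that is then granted the `test-app` layer's permissions and membership in the authn-k8s `users` layer, so any pod in the namespace whose authenticator container is named `authenticator` can authenticate and read the test apps' database credentials. The header comment says the file exists to verify authentication from anywhere in the policy branch, so this looks intentional, but the blast radius deserves a sentence in that comment (`# NOTE: the wildcard host admits every pod in the namespace; test-only`). The same wildcard host is also declared in project-authn-def.template.yml, so the two policies overlap; confirm both are meant to be loaded together.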
@@ -0,0 +1,43 @@
+---
+# This policy defines an authn-k8s endpoint, CA creds and a layer for whitelisted identities permitted to authenticate to it
+- !policy
+ id: conjur/authn-k8s/{{ AUTHENTICATOR_ID }}
+ owner: !group cluster_admin
+ annotations:
+ description: Namespace defs for the Conjur cluster in dev
+ body:
+ - !webservice
+ annotations:
+ description: authn service for cluster
+
+ - !host
+ id: validator
+ annotations:
+ description: Validation host used when configuring a cluster
+ authn-k8s/namespace: {{ CONJUR_NAMESPACE_NAME }}
+
+ - !policy
+ id: ca
+ body:
+ - !variable
+ id: cert
+ annotations:
+ description: CA cert for Kubernetes Pods.
+ - !variable
+ id: key
+ annotations:
+ description: CA key for Kubernetes Pods.
+
+ # define layer of whitelisted authn ids permitted to call authn service
+ - !layer users
+
+ - !permit
+ resource: !webservice
+ privilege: [ read, authenticate ]
+ role: !layer users
+
+- !grant
+ role: !layer conjur/authn-k8s/{{ AUTHENTICATOR_ID }}/users
+ members:
+ - !layer conjur/authn-k8s/{{ AUTHENTICATOR_ID }}/apps
+ - !host conjur/authn-k8s/{{ AUTHENTICATOR_ID }}/validator
diff --git a/bin/test-workflow/policy/templates/project-authn-def.template.yml b/bin/test-workflow/policy/templates/project-authn-def.template.yml
new file mode 100644
index 00000000..42c4fcb9
--- /dev/null
+++ b/bin/test-workflow/policy/templates/project-authn-def.template.yml
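Review bot: The policy's `description: Namespace defs for the Conjur cluster in dev` does not describe what the policy creates (an authn-k8s webservice, a `validator` host, the `ca/cert` and `ca/key` variables and the `users` layer), while the `# This policy defines ...` comment above it already says that correctly; aligning the annotation with the comment, e.g. `description: authn-k8s endpoint, CA credentials and users layer for {{ AUTHENTICATOR_ID }}`, keeps resource listings meaningful. The `ca` sub-policy holds the CA private key as a variable with no `!permit` of its own, so only the owner chain (`cluster_admin`) can read it, which is the right default; a one-line comment stating that would stop a reader from looking for a missing permit.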
@@ -0,0 +1,133 @@ +--- +# This policy defines a layer of whitelisted identities permitted to authenticate to the authn-k8s endpoint. +- !policy + id: conjur/authn-k8s/{{ AUTHENTICATOR_ID }}/apps + owner: !group devops + annotations: + description: Identities permitted to authenticate + body: + - !layer + annotations: + description: Layer of authenticator identities permitted to call authn svc + - &hosts + # Annotation-based authentication (host ID is an application name, and + # permitted application identities are listed as annotations) + - !host + id: test-app-summon-sidecar + annotations: + authn-k8s/namespace: {{ TEST_APP_NAMESPACE_NAME }} + authn-k8s/service-account: test-app-summon-sidecar + authn-k8s/deployment: test-app-summon-sidecar + authn-k8s/authentication-container-name: authenticator + kubernetes: "{{ IS_KUBERNETES }}" + - !host + id: test-app-summon-init + annotations: + authn-k8s/namespace: {{ TEST_APP_NAMESPACE_NAME }} + authn-k8s/service-account: test-app-summon-init + authn-k8s/deployment: test-app-summon-init + authn-k8s/authentication-container-name: authenticator + kubernetes: "{{ IS_KUBERNETES }}" + - !host + id: test-app-secretless + annotations: + authn-k8s/namespace: {{ TEST_APP_NAMESPACE_NAME }} + authn-k8s/service-account: test-app-secretless + authn-k8s/deployment: test-app-secretless + authn-k8s/authentication-container-name: secretless + kubernetes: "{{ IS_KUBERNETES }}" + + - !host + id: oc-test-app-summon-sidecar + annotations: + authn-k8s/namespace: {{ TEST_APP_NAMESPACE_NAME }} + authn-k8s/service-account: oc-test-app-summon-sidecar + authn-k8s/authentication-container-name: authenticator + openshift: "{{ IS_OPENSHIFT }}" + - !host + id: oc-test-app-summon-init + annotations: + authn-k8s/namespace: {{ TEST_APP_NAMESPACE_NAME }} + authn-k8s/service-account: oc-test-app-summon-init + authn-k8s/authentication-container-name: authenticator + openshift: "{{ IS_OPENSHIFT }}" + - !host + id: oc-test-app-secretless + annotations: + 
authn-k8s/namespace: {{ TEST_APP_NAMESPACE_NAME }} + authn-k8s/service-account: oc-test-app-secretless + authn-k8s/authentication-container-name: secretless + openshift: "{{ IS_OPENSHIFT }}" + + # Host-ID based authentication (application identity in the host itself) + - !host + id: {{ TEST_APP_NAMESPACE_NAME }}/*/* + annotations: + kubernetes/authentication-container-name: authenticator + openshift: "{{ IS_OPENSHIFT }}" + + - !host + id: {{ TEST_APP_NAMESPACE_NAME }}/service_account/test-app-summon-sidecar + annotations: + kubernetes/authentication-container-name: authenticator + kubernetes: "{{ IS_KUBERNETES }}" + - !host + id: {{ TEST_APP_NAMESPACE_NAME }}/deployment/test-app-summon-sidecar + annotations: + kubernetes/authentication-container-name: authenticator + kubernetes: "{{ IS_KUBERNETES }}" + - !host + id: {{ TEST_APP_NAMESPACE_NAME }}/service_account/test-app-summon-init + annotations: + kubernetes/authentication-container-name: authenticator + kubernetes: "{{ IS_KUBERNETES }}" + - !host + id: {{ TEST_APP_NAMESPACE_NAME }}/deployment/test-app-summon-init + annotations: + kubernetes/authentication-container-name: authenticator + kubernetes: "{{ IS_KUBERNETES }}" + - !host + id: {{ TEST_APP_NAMESPACE_NAME }}/service_account/test-app-secretless + annotations: + kubernetes/authentication-container-name: secretless + kubernetes: "{{ IS_KUBERNETES }}" + - !host + id: {{ TEST_APP_NAMESPACE_NAME }}/deployment/test-app-secretless + annotations: + kubernetes/authentication-container-name: secretless + kubernetes: "{{ IS_KUBERNETES }}" + + - !host + id: {{ TEST_APP_NAMESPACE_NAME }}/service_account/oc-test-app-summon-sidecar + annotations: + kubernetes/authentication-container-name: authenticator + openshift: "{{ IS_OPENSHIFT }}" + - !host + id: {{ TEST_APP_NAMESPACE_NAME }}/deployment/oc-test-app-summon-sidecar + annotations: + kubernetes/authentication-container-name: authenticator + openshift: "{{ IS_OPENSHIFT }}" + - !host + id: {{ TEST_APP_NAMESPACE_NAME 
}}/service_account/oc-test-app-summon-init + annotations: + kubernetes/authentication-container-name: authenticator + openshift: "{{ IS_OPENSHIFT }}" + - !host + id: {{ TEST_APP_NAMESPACE_NAME }}/deployment/oc-test-app-summon-init + annotations: + kubernetes/authentication-container-name: authenticator + openshift: "{{ IS_OPENSHIFT }}" + - !host + id: {{ TEST_APP_NAMESPACE_NAME }}/service_account/oc-test-app-secretless + annotations: + kubernetes/authentication-container-name: secretless + openshift: "{{ IS_OPENSHIFT }}" + - !host + id: {{ TEST_APP_NAMESPACE_NAME }}/deployment/oc-test-app-secretless + annotations: + kubernetes/authentication-container-name: secretless + openshift: "{{ IS_OPENSHIFT }}" + + - !grant + role: !layer + members: *hosts diff --git a/bin/test-workflow/policy/users.yml b/bin/test-workflow/policy/users.yml new file mode 100755 index 00000000..d75eb164 --- /dev/null +++ b/bin/test-workflow/policy/users.yml @@ -0,0 +1,40 @@ +--- +# initializes users for openshift/kubernetes demo +# ted - cluster admin +# bob - devops admin +# alice - secrets admin +# carol - developer + +- !group operations +- !group cluster_admin +- !group devops +- !group secrets_admin +- !group developer + +# cluster_admin, security_admin and devops admin groups are members of the operations group +- !grant + role: !group operations + members: + - !group cluster_admin + - !group secrets_admin + - !group devops + +- !user ted +- !grant + role: !group cluster_admin + member: !user ted + +- !user bob +- !grant + role: !group devops + member: !user bob + +- !user alice +- !grant + role: !group secrets_admin + member: !user alice + +- !user carol +- !grant + role: !group developer + member: !user carol diff --git a/bin/test-workflow/set_env_vars.sh b/bin/test-workflow/set_env_vars.sh new file mode 100755 index 00000000..7c1a936b --- /dev/null +++ b/bin/test-workflow/set_env_vars.sh 
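Review bot: The OpenShift annotation-based hosts (`oc-test-app-summon-sidecar`, `oc-test-app-summon-init`, `oc-test-app-secretless`) restrict only `authn-k8s/namespace` and `authn-k8s/service-account`, while their Kubernetes counterparts also pin `authn-k8s/deployment`; the OpenShift apps are DeploymentConfigs, so the deployment annotation would not match, but leaving the controller unconstrained lets any pod under that service account in the namespace take the identity. If the target Conjur version supports the `authn-k8s/deployment_config` restriction, adding it to the three OpenShift hosts closes the gap; if the omission is deliberate, a comment above that block should say so. The wildcard `{{ TEST_APP_NAMESPACE_NAME }}/*/*` host duplicates the one in authn-any-policy-branch.template.yml.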
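Review bot: The comment `# cluster_admin, security_admin and devops admin groups are members of the operations group` names a `security_admin` group that the file never defines; the grant below adds `secrets_admin`, so the comment should read `# cluster_admin, secrets_admin and devops groups are members of the operations group`. The `developer` group is created and carol is added to it, but nothing in this file grants it any role; that is fine for a demo, but a line in the header comment saying so would stop the next reader from assuming a grant is missing.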
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+# Set the default values of environment variables used by the scripts
+export PULL_DOCKER_REGISTRY_URL=${PULL_DOCKER_REGISTRY_URL:-${DOCKER_REGISTRY_URL}}
+export PULL_DOCKER_REGISTRY_PATH=${PULL_DOCKER_REGISTRY_PATH:-${DOCKER_REGISTRY_PATH}}
+
+PLATFORM="${PLATFORM:-kubernetes}" # default to kubernetes if env var not set
+CONJUR_AUTHN_LOGIN_RESOURCE="${CONJUR_AUTHN_LOGIN_RESOURCE:-service_account}" # default to service_account
+
+CONJUR_VERSION="${CONJUR_VERSION:-5}"
+
+MINIKUBE="${MINIKUBE:-false}"
+MINISHIFT="${MINISHIFT:-false}"
+
+LOCAL_AUTHENTICATOR="${LOCAL_AUTHENTICATOR:-false}"
+
+# Some older workflows that use this script repo may depend upon
+# the the use of 'DEPLOY_MASTER_CLUSTER' environment variable rather than
+# the newer (and more accurately named) 'CONFIGURE_CONJUR_MASTER'.
+DEPLOY_MASTER_CLUSTER="${DEPLOY_MASTER_CLUSTER:-false}"
+CONFIGURE_CONJUR_MASTER="${CONFIGURE_CONJUR_MASTER:-$DEPLOY_MASTER_CLUSTER}"
+
+ANNOTATION_BASED_AUTHN="${ANNOTATION_BASED_AUTHN:-false}"
+CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-false}"
+TEST_APP_LOADBALANCER_SVCS="${TEST_APP_LOADBALANCER_SVCS:-true}"
+HELM_RELEASE="${HELM_RELEASE:-conjur-oss}"
+
+USE_DOCKER_LOCAL_REGISTRY="${USE_DOCKER_LOCAL_REGISTRY:-false}"
+DOCKER_EMAIL="${DOCKER_EMAIL:-}"
diff --git a/bin/test-workflow/start b/bin/test-workflow/start
new file mode 100755
index 00000000..d96b547b
--- /dev/null
+++ b/bin/test-workflow/start
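Review bot: Only the two `PULL_DOCKER_REGISTRY_*` variables are `export`ed; `PLATFORM`, `CONJUR_VERSION`, `CONFIGURE_CONJUR_MASTER` and the rest are plain shell assignments, so when `start` sources this file and then executes `./1_prep_platform_login.sh` and the other step scripts as child processes, those defaults are not inherited, and a child sees `PLATFORM` only if it was already set in the caller's environment (unless utils.sh re-sources this file, which I cannot see). Exporting each default, e.g. `export PLATFORM="${PLATFORM:-kubernetes}"`, makes the defaults reach every step. The comment above `DEPLOY_MASTER_CLUSTER` has a doubled word: `the the use of`.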
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -xeuo pipefail
+
+. set_env_vars.sh
+. utils.sh
+init_bash_lib
+
+./0_prep_check_dependencies.sh
+
+./stop
+
+./1_prep_platform_login.sh
+
+if [[ "${CONFIGURE_CONJUR_MASTER}" == "true" || "${CONJUR_OSS_HELM_INSTALLED}" == "true" ]]; then
+ # Only automatically run these scripts for dev/demo envs deploying a master
+ # cluster directly to k8s/oc
+ ./2_admin_load_conjur_policies.sh
+ ./3_admin_init_conjur_cert_authority.sh
+fi
+
+./4_app_create_namespace.sh
+./5_app_store_conjur_cert.sh
+./6_app_build_and_push_containers.sh
+./7_app_deploy.sh
+./8_app_verify_authentication.sh
+
diff --git a/bin/test-workflow/stop b/bin/test-workflow/stop
new file mode 100755
index 00000000..014341bd
--- /dev/null
+++ b/bin/test-workflow/stop
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+KUBE_CLI_DELETE_TIMEOUT="10m"
+
+set_namespace "$TEST_APP_NAMESPACE_NAME"
+"$cli" get pods
+
+set_namespace default
+
+if [[ "$PLATFORM" == "openshift" ]]; then
+ oc login -u "$OSHIFT_CLUSTER_ADMIN_USERNAME" -p "$OPENSHIFT_PASSWORD"
+fi
+
+if has_namespace "$TEST_APP_NAMESPACE_NAME"; then
+ "$cli" delete --timeout="$KUBE_CLI_DELETE_TIMEOUT" \
+ namespace "$TEST_APP_NAMESPACE_NAME" || \
+ (echo "ERROR: Delete of namespace $TEST_APP_NAMESPACE_NAME failed" && \
+ echo "Showing residual resources in namespace:" && \
+ "$cli" describe all -n "$TEST_APP_NAMESPACE_NAME")
+
+ printf "Waiting for $TEST_APP_NAMESPACE_NAME namespace deletion to complete"
+
+ while : ; do
+ printf "."
+
+ if has_namespace "$TEST_APP_NAMESPACE_NAME"; then
+ sleep 5
+ else
+ break
+ fi
+ done
+
+ echo ""
+fi
+
+echo "Test app environment purged."
diff --git a/bin/test-workflow/test_app_summon/Dockerfile b/bin/test-workflow/test_app_summon/Dockerfile
new file mode 100644
index 00000000..82eb1e4a
--- /dev/null
+++ b/bin/test-workflow/test_app_summon/Dockerfile
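Review bot: `set -xeuo pipefail` turns on xtrace for everything this shell sources afterwards (`set_env_vars.sh`, `utils.sh`, `init_bash_lib`), so every variable expansion in those files, including any credential a caller has placed in the environment, is echoed to stderr and ends up in CI logs. Dropping `-x` here, or enabling it only around the step-script calls, keeps the trace without that exposure. `./stop` runs before `./1_prep_platform_login.sh`, which works only because `stop` performs its own `oc login` on OpenShift; a comment on the `./stop` line saying so would stop someone from reordering them.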
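Review bot: When the namespace delete fails, the `|| (...)` group prints the error and residual resources but then falls through to the `while : ; do` loop, which polls `has_namespace` every 5 s forever because the namespace never disappears, so the script hangs instead of failing. Making the group end with a non-zero status, e.g. `"$cli" describe all -n "$TEST_APP_NAMESPACE_NAME"; exit 1)` as its last line (the subshell's status then stops the script under `set -e`), or bounding the loop with a retry count, turns the hang into a reported failure. `oc login -p "$OPENSHIFT_PASSWORD"` also puts the password on the command line; `oc login` reads it from a prompt when `-p` is omitted, which is preferable where a TTY is available.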
@@ -0,0 +1,32 @@
+FROM ruby:2.4 as test-app-builder
+MAINTAINER CyberArk
+LABEL builder="test-app-builder"
+
+#---some useful tools for interactive usage---#
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends curl
+
+#---install summon and summon-conjur---#
+RUN curl -sSL https://raw.githubusercontent.com/cyberark/summon/master/install.sh \
+ | env TMPDIR=$(mktemp -d) bash && \
+ curl -sSL https://raw.githubusercontent.com/cyberark/summon-conjur/master/install.sh \
+ | env TMPDIR=$(mktemp -d) bash
+# as per https://github.com/cyberark/summon#linux
+# and https://github.com/cyberark/summon-conjur#install
+ENV PATH="/usr/local/lib/summon:${PATH}"
+
+# ============= MAIN CONTAINER ============== #
+
+FROM cyberark/demo-app
+ARG namespace
+MAINTAINER CyberArk
+
+#---copy summon into image---#
+COPY --from=test-app-builder /usr/local/lib/summon /usr/local/lib/summon
+COPY --from=test-app-builder /usr/local/bin/summon /usr/local/bin/summon
+
+#---copy secrets.yml into image---#
+COPY tmp.$namespace.secrets.yml /etc/secrets.yml
+
+#---override entrypoint to wrap command with summon---#
+ENTRYPOINT [ "summon", "--provider", "summon-conjur", "-f", "/etc/secrets.yml", "java", "-jar", "/app.jar"]
diff --git a/bin/test-workflow/test_app_summon/Dockerfile.builder b/bin/test-workflow/test_app_summon/Dockerfile.builder
new file mode 100644
index 00000000..46cb3e93
--- /dev/null
+++ b/bin/test-workflow/test_app_summon/Dockerfile.builder
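Review bot: The `RUN curl -sSL https://raw.githubusercontent.com/cyberark/summon/master/install.sh | ... bash` line and its summon-conjur twin execute whatever is on the `master` branch at build time, with no version pin and no checksum, so the image is not reproducible and any change to either upstream install script reaches the test image unreviewed; the identical lines appear in Dockerfile.builder in the next hunk. Pinning the URL to a release tag and the installed tools to a fixed version (e.g. `ARG SUMMON_VERSION=<VERSION_PLACEHOLDER>`), then verifying the downloaded archive against its published checksum before installing, makes the build deterministic and reviewable. `MAINTAINER` is deprecated in favour of `LABEL maintainer="CyberArk"`, and `ruby:2.4` is an end-of-life base that is only used here as a curl download stage, so a minimal current image would shrink the builder's exposure.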
@@ -0,0 +1,15 @@
+FROM ruby:2.4
+MAINTAINER CyberArk
+
+#---some useful tools for interactive usage---#
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends curl
+
+#---install summon and summon-conjur---#
+RUN curl -sSL https://raw.githubusercontent.com/cyberark/summon/master/install.sh \
+ | env TMPDIR=$(mktemp -d) bash && \
+ curl -sSL https://raw.githubusercontent.com/cyberark/summon-conjur/master/install.sh \
+ | env TMPDIR=$(mktemp -d) bash
+# as per https://github.com/cyberark/summon#linux
+# and https://github.com/cyberark/summon-conjur#install
+ENV PATH="/usr/local/lib/summon:${PATH}"
diff --git a/bin/test-workflow/test_app_summon/Dockerfile.oc b/bin/test-workflow/test_app_summon/Dockerfile.oc
new file mode 100644
index 00000000..03e8e7a0
--- /dev/null
+++ b/bin/test-workflow/test_app_summon/Dockerfile.oc
@@ -0,0 +1,13 @@
+FROM cyberark/demo-app
+ARG namespace
+MAINTAINER CyberArk
+
+#---copy summon into image---#
+COPY tmp.summon-conjur /usr/local/lib/summon/summon-conjur
+COPY tmp.summon /usr/local/bin/summon
+
+#---copy secrets.yml into image---#
+COPY tmp.$namespace.secrets.yml /etc/secrets.yml
+
+#---override entrypoint to wrap command with summon---#
+ENTRYPOINT [ "summon", "--provider", "summon-conjur", "-f", "/etc/secrets.yml", "java", "-jar", "/app.jar"]
diff --git a/bin/test-workflow/test_app_summon/secrets.template.yml b/bin/test-workflow/test_app_summon/secrets.template.yml
new file mode 100644
index 00000000..2b6876e7
--- /dev/null
+++ b/bin/test-workflow/test_app_summon/secrets.template.yml
@@ -0,0 +1,3 @@
+DB_URL: !var {{ TEST_APP_NAME }}-db/url
+DB_USERNAME: !var {{ TEST_APP_NAME }}-db/username
+DB_PASSWORD: !var {{ TEST_APP_NAME }}-db/password
diff --git a/bin/test-workflow/utils.sh b/bin/test-workflow/utils.sh
new file mode 100755
index 00000000..a784d0e7
--- /dev/null
+++ b/bin/test-workflow/utils.sh
@@ -0,0 +1,278 @@ +#!/usr/bin/env bash + +. set_env_vars.sh + +if [ $PLATFORM = 'kubernetes' ]; then + cli=kubectl +elif [ $PLATFORM = 'openshift' ]; then + cli=oc +fi + +init_bash_lib() { + git submodule update --init --recursive + bash_lib="$(dirname "${BASH_SOURCE[0]}")/bash-lib" + . "${bash_lib}/init" +} + +check_env_var() { + if [[ -z "${!1+x}" ]]; then +# where ${var+x} is a parameter expansion which evaluates to nothing if var is unset, and substitutes the string x otherwise. +# https://stackoverflow.com/questions/3601515/how-to-check-if-a-variable-is-set-in-bash/13864829#13864829 + echo "You must set $1 before running these scripts." + exit 1 + fi +} + +ensure_env_database() { + local valid_dbs=( + 'postgres' + 'mysql' + ) + + if ! echo "${valid_dbs[@]}" | grep -Eq "\b${TEST_APP_DATABASE}\b"; then + printf "TEST_APP_DATABASE value not found in valid_dbs: '%s'\n" "${TEST_APP_DATABASE}" + printf "valid_dbs:\n" + printf "'%s'\n" "${valid_dbs[@]}" + exit 1 + fi +} + +announce() { + echo "++++++++++++++++++++++++++++++++++++++" + echo "" + echo "$@" + echo "" + echo "++++++++++++++++++++++++++++++++++++++" +} + +platform_image_for_pull() { + if [[ ${PLATFORM} = "openshift" ]]; then + echo "${PULL_DOCKER_REGISTRY_PATH}/$TEST_APP_NAMESPACE_NAME/$1:$TEST_APP_NAMESPACE_NAME" + elif is_minienv; then + echo "$1:$CONJUR_NAMESPACE_NAME" + elif [[ "$USE_DOCKER_LOCAL_REGISTRY" = "true" ]]; then + echo "${PULL_DOCKER_REGISTRY_URL}/$1:$CONJUR_NAMESPACE_NAME" + else + echo "${PULL_DOCKER_REGISTRY_PATH}/$1:$CONJUR_NAMESPACE_NAME" + fi +} + +platform_image_for_push() { + if [[ ${PLATFORM} = "openshift" ]]; then + echo "${DOCKER_REGISTRY_PATH}/$TEST_APP_NAMESPACE_NAME/$1:$TEST_APP_NAMESPACE_NAME" + elif is_minienv; then + echo "$1:$CONJUR_NAMESPACE_NAME" + elif [[ "$USE_DOCKER_LOCAL_REGISTRY" = "true" ]]; then + echo "${DOCKER_REGISTRY_URL}/$1:$CONJUR_NAMESPACE_NAME" + else + echo "${DOCKER_REGISTRY_PATH}/$1:$CONJUR_NAMESPACE_NAME" + fi +} + +has_namespace() { + if $cli get 
namespace "$1" &>/dev/null; then + true + else + false + fi +} + +get_pod_name() { + local pod_identifier=$1 + + # Query to get the pod name, ignoring temp "deploy" pods + pod_name=$($cli get pods | grep "$pod_identifier" | grep -v "deploy" | awk '{ print $1 }') + echo "$pod_name" +} + +get_pods() { + $cli get pods --selector "$1" --no-headers | awk '{ print $1 }' +} + +get_nodeport(){ + svc_name="$1" + echo "$(kubectl get svc $svc_name -o jsonpath='{.spec.ports[0].nodePort}')" +} + +app_service_type() { + if [[ "$TEST_APP_LOADBALANCER_SVCS" == "true" ]]; then + echo "LoadBalancer" + else + echo "NodePort" + fi +} + +get_master_pod_name() { + if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then + pod_list=$(get_pods "app=conjur-oss") + else + pod_list=$(get_pods "app=conjur-node,role=master") + fi + echo $pod_list | awk '{print $1}' +} + +get_conjur_cli_pod_name() { + pod_list=$($cli get pods -n "$CONJUR_NAMESPACE_NAME" --selector app=conjur-cli --no-headers | awk '{ print $1 }') + echo $pod_list | awk '{print $1}' +} + +run_conjur_cmd_as_admin() { + local command=$(cat $@) + + conjur authn logout > /dev/null + conjur authn login -u admin -p "$CONJUR_ADMIN_PASSWORD" > /dev/null + + local output=$(eval "$command") + + conjur authn logout > /dev/null + echo "$output" +} + +conjur_service_account() { + if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then + echo "conjur-oss" + else + echo "conjur-cluster" + fi +} + +set_namespace() { + if [[ $# != 1 ]]; then + printf "Error in %s/%s - expecting 1 arg.\n" $(pwd) $0 + exit -1 + fi + + $cli config set-context $($cli config current-context) --namespace="$1" > /dev/null +} + +load_policy() { + local POLICY_FILE=$1 + + run_conjur_cmd_as_admin < /dev/null && echo 'Success!' && return 0 + echo -n . + sleep $spacer + done + + # Last run evaluated. If this fails we return an error exit code to caller + eval $@ + else + echo "Waiting for '$@' forever" + + while ! eval $@ > /dev/null; do + echo -n . 
+ sleep $spacer + done + echo 'Success!' + fi +} + +function is_minienv() { + MINI_ENV="${MINI_ENV:-false}" + + if hash minishift 2>/dev/null; then + # Check if Minishift is running too + if [[ "$MINI_ENV" == "false" ]] && [[ "$(minishift status | grep Running)" = "" ]]; then + false + else + true + fi + else + if [[ "$MINI_ENV" == "false" ]]; then + false + else + true + fi + fi +} + +function external_ip() { + local service=$1 + + echo "$($cli get svc $service -o jsonpath='{.status.loadBalancer.ingress[0].ip}')" +} + +function deployment_status() { + local deployment=$1 + + echo "$($cli describe deploymentconfig $deployment | awk '/^\tStatus:/' | + awk '{ print $2 }')" +} + +function pods_ready() { + local app_label=$1 + + $cli describe pod --selector "app=$app_label" | awk '/Ready/{if ($2 != "True") exit 1}' +} + +function urlencode() { + # urlencode + + # Run as a subshell so that we can indiscriminately set LC_COLLATE + ( + LC_COLLATE=C + + local length="${#1}" + for (( i = 0; i < length; i++ )); do + local c="${1:i:1}" + case $c in + [a-zA-Z0-9.~_-]) printf "$c" ;; + *) printf '%%%02X' "'$c" ;; + esac + done + ) +} + +function dump_kubernetes_resources() { + echo "Status of pods in namespace $TEST_APP_NAMESPACE_NAME:" + $cli get -n $TEST_APP_NAMESPACE_NAME pods + echo "Display pods in namespace $TEST_APP_NAMESPACE_NAME:" + $cli get -n $TEST_APP_NAMESPACE_NAME pods -o yaml + echo "Describe pods in namespace $TEST_APP_NAMESPACE_NAME:" + $cli describe -n $TEST_APP_NAMESPACE_NAME pods + echo "Services:in namespace $TEST_APP_NAMESPACE_NAME:" + $cli get -n $TEST_APP_NAMESPACE_NAME svc + echo "ServiceAccounts:in namespace $TEST_APP_NAMESPACE_NAME:" + $cli get -n $TEST_APP_NAMESPACE_NAME serviceaccounts + echo "Deployments in namespace $TEST_APP_NAMESPACE_NAME:" + $cli get -n $TEST_APP_NAMESPACE_NAME deployments + if [[ "$PLATFORM" == "openshift" ]]; then + echo "DeploymentConfigs in namespace $TEST_APP_NAMESPACE_NAME:" + $cli get -n $TEST_APP_NAMESPACE_NAME 
deploymentconfigs + fi + echo "Roles in namespace $TEST_APP_NAMESPACE_NAME:" + $cli get -n $TEST_APP_NAMESPACE_NAME roles + echo "RoleBindings in namespace $TEST_APP_NAMESPACE_NAME:" + $cli get -n $TEST_APP_NAMESPACE_NAME rolebindings + echo "ClusterRoles in the cluster:" + $cli get clusterroles + echo "ClusterRoleBindings in the cluster:" + $cli get clusterrolebindings +} + +function dump_authentication_policy { + announce "Authentication policy:" + cat policy/generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml +} From 4cff56844a3526a13727e8e87a5ccceb8859f6ed Mon Sep 17 00:00:00 2001 
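Review bot: The `if [ $PLATFORM = 'kubernetes' ] ... elif [ $PLATFORM = 'openshift' ]` block at the top of utils.sh leaves `cli` unset for any other `PLATFORM` value, so every later `$cli get ...` either runs a bare `get ...` or trips `set -u` in the calling script with an unrelated-looking "cli: unbound variable". Adding `else echo "Unsupported PLATFORM: '$PLATFORM'" >&2; exit 1; fi` and quoting `"$PLATFORM"` in both tests fails fast with the real cause. `get_nodeport` calls `kubectl` directly instead of `$cli`, unlike every other helper in the file, so it silently breaks on OpenShift. The region around `load_policy` and `wait_for_it` appears truncated in this rendering (the heredoc feeding `run_conjur_cmd_as_admin` is missing), so those two functions could not be reviewed from here.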
From: Samir Shetty Date: Tue, 18 May 2021 06:06:07 -0700 Subject: [PATCH 03/18] Implement changes to workflow scripts --- bin/test-workflow/0_prep_conjur_in_kind.sh | 38 ++++ ...encies.sh => 1_prep_check_dependencies.sh} | 17 +- bin/test-workflow/1_prep_platform_login.sh | 9 - .../2_admin_load_conjur_policies.sh | 43 ++--- .../3_admin_init_conjur_cert_authority.sh | 2 +- bin/test-workflow/4_app_create_namespace.sh | 47 ----- .../4_kubernetes_cluster_prep.sh | 22 +++ bin/test-workflow/5_app_namespace_prep.sh | 20 +++ bin/test-workflow/5_app_store_conjur_cert.sh | 35 ---- .../6_app_build_and_push_containers.sh | 17 +- bin/test-workflow/7_app_deploy.sh | 101 +++++------ .../8_app_verify_authentication.sh | 74 ++++---- .../kubernetes/postgres.template.yml | 166 ------------------ ...-app-conjur-authenticator-role-binding.yml | 4 +- .../kubernetes/test-app-summon-sidecar.yml | 104 ----------- ...-app-conjur-authenticator-role-binding.yml | 4 +- bin/test-workflow/pg/Dockerfile | 5 - bin/test-workflow/pg/rotate_password | 22 --- .../cluster-authn-svc-def.template.yml | 2 +- .../templates/project-authn-def.template.yml | 69 -------- bin/test-workflow/set_env_vars.sh | 4 +- bin/test-workflow/start | 26 +-- .../test_app_summon/tmp.app-test.secrets.yml | 3 + bin/test-workflow/utils.sh | 24 ++- 24 files changed, 227 insertions(+), 631 deletions(-) create mode 100755 bin/test-workflow/0_prep_conjur_in_kind.sh rename bin/test-workflow/{0_prep_check_dependencies.sh => 1_prep_check_dependencies.sh} (62%) delete mode 100755 bin/test-workflow/1_prep_platform_login.sh delete mode 100755 bin/test-workflow/4_app_create_namespace.sh create mode 100755 bin/test-workflow/4_kubernetes_cluster_prep.sh create mode 100755 bin/test-workflow/5_app_namespace_prep.sh delete mode 100755 bin/test-workflow/5_app_store_conjur_cert.sh delete mode 100644 bin/test-workflow/kubernetes/postgres.template.yml delete mode 100644 bin/test-workflow/kubernetes/test-app-summon-sidecar.yml delete mode 100644 
bin/test-workflow/pg/Dockerfile delete mode 100755 bin/test-workflow/pg/rotate_password create mode 100644 bin/test-workflow/test_app_summon/tmp.app-test.secrets.yml
diff --git a/bin/test-workflow/0_prep_conjur_in_kind.sh b/bin/test-workflow/0_prep_conjur_in_kind.sh
new file mode 100755
index 00000000..df72295a
--- /dev/null
+++ b/bin/test-workflow/0_prep_conjur_in_kind.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -eo pipefail
+
+rm -rf bash-lib
+git clone https://github.com/cyberark/bash-lib.git
+
+# Install Conjur in our cluster
+mkdir -p temp
+pushd temp > /dev/null
+ rm -rf conjur-oss-helm-chart
+ git clone https://github.com/cyberark/conjur-oss-helm-chart.git
+
+ pushd conjur-oss-helm-chart/examples/kubernetes-in-docker > /dev/null
+ . utils.sh
+
+ announce "Setting demo environment variable defaults"
+ . ./0_export_env_vars.sh
+
+ announce "Creating a Kubernetes-in-Docker cluster if necessary"
+ ./1_create_kind_cluster.sh
+
+ announce "Helm installing/upgrading Conjur OSS cluster"
+ ./2_helm_install_or_upgrade_conjur.sh
+
+ # Wait for Conjur pods to become ready (just in case there are old
+ # Conjur pods getting terminated as part of Helm upgrade)
+ announce "Waiting for Conjur to become ready"
+ wait_for_conjur_ready
+
+ announce "Retrieving the Conjur admin password"
+ export CONJUR_ADMIN_PASSWORD="$(./3_retrieve_admin_password.sh)"
+
+ announce "Enabling the Conjur Kubernetes authenticator if necessary"
+ ./4_ensure_authn_k8s_enabled.sh
+
+ popd > /dev/null
+popd > /dev/null
diff --git a/bin/test-workflow/0_prep_check_dependencies.sh b/bin/test-workflow/1_prep_check_dependencies.sh
similarity index 62%
rename from bin/test-workflow/0_prep_check_dependencies.sh
rename to bin/test-workflow/1_prep_check_dependencies.sh
index 0812c937..75503d09 100755
--- a/bin/test-workflow/0_prep_check_dependencies.sh
+++ b/bin/test-workflow/1_prep_check_dependencies.sh
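Review bot: `git clone https://github.com/cyberark/bash-lib.git` and `git clone https://github.com/cyberark/conjur-oss-helm-chart.git` fetch the default branch at whatever commit exists at run time, and the scripts this file then sources and executes from that checkout (`. utils.sh`, `. ./0_export_env_vars.sh`, `./1_create_kind_cluster.sh` and the rest) are therefore unpinned code pulled into every test run, so an upstream change alters or breaks this workflow with no change here to review. Cloning a tag or checking out a recorded commit, e.g. `git clone --depth 1 --branch <TAG_PLACEHOLDER> https://github.com/cyberark/conjur-oss-helm-chart.git`, keeps the dependency reviewable; the same applies to bash-lib, which `init_bash_lib` in utils.sh still expects to arrive as a git submodule, so one of the two mechanisms should go. `export CONJUR_ADMIN_PASSWORD="$(./3_retrieve_admin_password.sh)"` only reaches the sibling scripts if this file is sourced rather than executed; the `start` changes are not in this chunk, so if it is run as `./0_prep_conjur_in_kind.sh` the later `check_env_var "CONJUR_ADMIN_PASSWORD"` fails, and a comment stating the intended invocation (`# Source this file: it exports CONJUR_ADMIN_PASSWORD for the following steps`) would prevent that.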
@@ -1,10 +1,9 @@ -#!/usr/bin/env bash +#!/bin/bash + set -eo pipefail . utils.sh -check_env_var "CONJUR_NAMESPACE_NAME" -check_env_var "TEST_APP_NAMESPACE_NAME" if [[ "$PLATFORM" == "kubernetes" ]] && ! is_minienv; then check_env_var "DOCKER_REGISTRY_URL" fi @@ -16,6 +15,8 @@ if ! (( [[ "$PLATFORM" == "kubernetes" ]] && is_minienv ) \ check_env_var "DOCKER_REGISTRY_PATH" fi +check_env_var "CONJUR_NAMESPACE" +check_env_var "TEST_APP_NAMESPACE_NAME" check_env_var "CONJUR_ACCOUNT" check_env_var "CONJUR_ADMIN_PASSWORD" check_env_var "AUTHENTICATOR_ID" @@ -23,4 +24,14 @@ check_env_var "TEST_APP_DATABASE" check_env_var "CONJUR_AUTHN_LOGIN_RESOURCE" check_env_var "PULL_DOCKER_REGISTRY_URL" check_env_var "PULL_DOCKER_REGISTRY_PATH" + +export CONJUR_APPLIANCE_URL="${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE.svc.cluster.local}" + +# For annotation-based Kubernetes authentication, the host ID to be used +# for authenticating is an application name. +export CONJUR_AUTHN_LOGIN_PREFIX="host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps" + +# Create the random database password +export SAMPLE_APP_BACKEND_DB_PASSWORD=$(openssl rand -hex 12) + ensure_env_database diff --git a/bin/test-workflow/1_prep_platform_login.sh b/bin/test-workflow/1_prep_platform_login.sh deleted file mode 100755 index d9a389bf..00000000 --- a/bin/test-workflow/1_prep_platform_login.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -. utils.sh - -if [[ $PLATFORM == openshift ]]; then - oc login -u $OSHIFT_CLUSTER_ADMIN_USERNAME -p $OPENSHIFT_PASSWORD -fi - diff --git a/bin/test-workflow/2_admin_load_conjur_policies.sh b/bin/test-workflow/2_admin_load_conjur_policies.sh index 3c4bc6ff..a511da3f 100755 --- a/bin/test-workflow/2_admin_load_conjur_policies.sh +++ b/bin/test-workflow/2_admin_load_conjur_policies.sh 
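Review bot: `export SAMPLE_APP_BACKEND_DB_PASSWORD=$(openssl rand -hex 12)` in the third hunk generates a fresh password on every run of the dependency check, so the value given to `load_policies.sh` and to the postgresql chart only agree if this script is sourced exactly once by the caller; if it is executed as a separate process or run twice, the secret stored in Conjur and the one set on the database diverge (the `start` changes are not in this chunk, so this is inferred). `export SAMPLE_APP_BACKEND_DB_PASSWORD="${SAMPLE_APP_BACKEND_DB_PASSWORD:-$(openssl rand -hex 12)}"` keeps an already-chosen value, and a comment above it saying the file must be sourced makes the contract explicit. The first hunk also drops `check_env_var "CONJUR_NAMESPACE_NAME"` while utils.sh helpers such as `platform_image_for_pull` still read `CONJUR_NAMESPACE_NAME` as of the previous commit; unless those are renamed elsewhere in this series, the variable is now unchecked but still required.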
@@ -33,6 +33,8 @@ deploy_conjur_cli() { sed -e "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | $cli create -f - + # Wait until pod appears otherwise $conjur_cli_pod could be empty and we would wait forever + wait_for_it 300 "has_resource 'app=conjur-cli'" conjur_cli_pod=$(get_conjur_cli_pod_name) wait_for_it 300 "$cli get pod $conjur_cli_pod -o jsonpath='{.status.phase}'| grep -q Running" } @@ -45,14 +47,15 @@ ensure_conjur_cli_initialized() { else conjur_service='conjur-master' fi - conjur_url=${CONJUR_APPLIANCE_URL:-https://$conjur_service.$CONJUR_NAMESPACE_NAME.svc.cluster.local} + conjur_url=${CONJUR_APPLIANCE_URL:-https://$conjur_service.$CONJUR_NAMESPACE.svc.cluster.local} $cli exec $1 -- bash -c "yes yes | conjur init -a $CONJUR_ACCOUNT -u $conjur_url" - $cli exec $1 -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD + # Flaky with 500 Internal Server Error, mitigate with retry + wait_for_it 300 "$cli exec $1 2>/dev/null -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD" } -pushd policy - mkdir -p ./generated +pushd policy > /dev/null + mkdir -p ./generated > /dev/null # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI @@ -65,7 +68,7 @@ pushd policy fi sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml | - sed "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml + sed "s#{{ CONJUR_NAMESPACE }}#$CONJUR_NAMESPACE#g" > ./generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml | sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" | 
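Review bot: The retry added in `ensure_conjur_cli_initialized`, `wait_for_it 300 "$cli exec $1 2>/dev/null -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD"`, passes the admin password inside the command string that `wait_for_it` both `eval`s and echoes (`echo "Waiting for '$@' ..."` in the branch of utils.sh visible in the previous commit; the timed branch is truncated in this rendering but presumably does the same), so the credential now lands in CI output on every run. Wrapping the login in a function and retrying the function name keeps the secret out of the echoed string: `cli_admin_login() { $cli exec "$1" -- conjur authn login -u admin -p "$CONJUR_ADMIN_PASSWORD"; }` and `wait_for_it 300 "cli_admin_login $1"`. The `2>/dev/null` placed before `--` also discards the reason for each failed attempt, which makes the flaky 500s mentioned in the comment harder to diagnose; capturing stderr to a file that is printed only on final failure would preserve it. The added `wait_for_it 300 "has_resource 'app=conjur-cli'"` in the first hunk relies on a `has_resource` helper that is not in the utils.sh shown in the previous commit; if it is added in this commit's utils.sh hunk (not in this chunk) that is fine, otherwise the wait fails immediately.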
@@ -78,13 +81,9 @@ pushd policy sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/authn-any-policy-branch.template.yml | sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" | sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.authn-any-policy-branch.yml -popd - -# Create the random database password -password=$(openssl rand -hex 12) - -set_namespace "$CONJUR_NAMESPACE_NAME" +popd > /dev/null +set_namespace "$CONJUR_NAMESPACE" announce "Finding or creating a Conjur CLI pod" conjur_cli_pod=$(get_conjur_cli_pod_name) @@ -102,10 +101,10 @@ $cli cp ./policy $conjur_cli_pod:/policy $cli exec $conjur_cli_pod -- \ bash -c " - conjur_appliance_url=${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE_NAME.svc.cluster.local} + conjur_appliance_url=${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE.svc.cluster.local} CONJUR_ACCOUNT=${CONJUR_ACCOUNT} \ CONJUR_ADMIN_PASSWORD=${CONJUR_ADMIN_PASSWORD} \ - DB_PASSWORD=${password} \ + DB_PASSWORD=${SAMPLE_APP_BACKEND_DB_PASSWORD} \ TEST_APP_NAMESPACE_NAME=${TEST_APP_NAMESPACE_NAME} \ TEST_APP_DATABASE=${TEST_APP_DATABASE} \ /policy/load_policies.sh 
@@ -114,21 +113,3 @@ $cli exec $conjur_cli_pod -- \ $cli exec $conjur_cli_pod -- rm -rf ./policy echo "Conjur policy loaded." - -set_namespace "$TEST_APP_NAMESPACE_NAME" - -# Set DB password in Kubernetes manifests -# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI -pushd kubernetes - sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml - sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml -popd - -# Set DB password in OC manifests -# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI -pushd openshift - sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml - sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml -popd - -announce "Added DB password value: $password" diff --git a/bin/test-workflow/3_admin_init_conjur_cert_authority.sh b/bin/test-workflow/3_admin_init_conjur_cert_authority.sh index a168e3b8..86c4b935 100755 --- a/bin/test-workflow/3_admin_init_conjur_cert_authority.sh +++ b/bin/test-workflow/3_admin_init_conjur_cert_authority.sh @@ -5,7 +5,7 @@ set -euo pipefail announce "Initializing Conjur certificate authority." -set_namespace $CONJUR_NAMESPACE_NAME +set_namespace $CONJUR_NAMESPACE conjur_master=$(get_master_pod_name) diff --git a/bin/test-workflow/4_app_create_namespace.sh b/bin/test-workflow/4_app_create_namespace.sh deleted file mode 100755 index ab54c9b6..00000000 --- a/bin/test-workflow/4_app_create_namespace.sh +++ /dev/null 
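Review bot: This hunk removes the generation of `./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml` for both the kubernetes and openshift directories while the diffstat deletes only `postgres.template.yml`, and the `mysql)` case of `deploy_app_backend` in 7_app_deploy.sh continues outside its hunk, so if that case still substitutes into the tmp mysql manifest it now fails on a missing file under `set -euo pipefail` (inferred; the mysql branch is not visible here). Either the mysql backend needs the same helm-based treatment as postgres, or `ensure_env_database` in utils.sh should stop accepting `mysql` and a comment should say `TEST_APP_DATABASE=mysql` is no longer supported by this workflow. The `set_namespace $CONJUR_NAMESPACE` line in the 3_admin_init hunk is unquoted while the same call in 2_admin_load_conjur_policies.sh quotes it; `set_namespace "$CONJUR_NAMESPACE"` keeps the two consistent.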
@@ -1,47 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -. utils.sh - -announce "Creating Test App namespace." - -set_namespace default - -if has_namespace "$TEST_APP_NAMESPACE_NAME"; then - echo "Namespace '$TEST_APP_NAMESPACE_NAME' exists, not going to create it." - set_namespace $TEST_APP_NAMESPACE_NAME -else - echo "Creating '$TEST_APP_NAMESPACE_NAME' namespace." - - if [ $PLATFORM = 'kubernetes' ]; then - $cli create namespace $TEST_APP_NAMESPACE_NAME - elif [ $PLATFORM = 'openshift' ]; then - $cli new-project $TEST_APP_NAMESPACE_NAME - fi - - set_namespace $TEST_APP_NAMESPACE_NAME -fi - -$cli delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME - -if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then - conjur_authn_cluster_role="$HELM_RELEASE-conjur-authenticator" -else - conjur_authn_cluster_role="conjur-authenticator-$CONJUR_NAMESPACE_NAME" -fi -sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./$PLATFORM/test-app-conjur-authenticator-role-binding.yml | - sed "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" | - sed "s#{{ CONJUR_AUTHN_CLUSTER_ROLE }}#$conjur_authn_cluster_role#g" | - sed "s#{{ CONJUR_SERVICE_ACCOUNT }}#$(conjur_service_account)#g" | - $cli create -f - - -if [[ $PLATFORM == openshift ]]; then - # add permissions for Conjur admin user - oc adm policy add-role-to-user system:registry $OSHIFT_CONJUR_ADMIN_USERNAME - oc adm policy add-role-to-user system:image-builder $OSHIFT_CONJUR_ADMIN_USERNAME - - oc adm policy add-role-to-user admin $OSHIFT_CONJUR_ADMIN_USERNAME -n default - oc adm policy add-role-to-user admin $OSHIFT_CONJUR_ADMIN_USERNAME -n $TEST_APP_NAMESPACE_NAME - echo "Logging in as Conjur Openshift admin. Provide password as needed." - oc login -u $OSHIFT_CONJUR_ADMIN_USERNAME -p $OPENSHIFT_PASSWORD -fi diff --git a/bin/test-workflow/4_kubernetes_cluster_prep.sh b/bin/test-workflow/4_kubernetes_cluster_prep.sh new file mode 100755 index 00000000..f53a4110 
--- /dev/null
+++ b/bin/test-workflow/4_kubernetes_cluster_prep.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+set_namespace default
+
+# Prepare our cluster with conjur and authnK8s credentials in a golden configmap
+announce "Installing cluster prep chart"
+pushd $(dirname "$0")/../../helm/kubernetes-cluster-prep > /dev/null
+ if [ "$(helm list -q -n $CONJUR_NAMESPACE | grep "^cluster-prep$")" = "cluster-prep" ]; then
+ helm uninstall cluster-prep -n "$CONJUR_NAMESPACE"
+ fi
+
+ ./bin/get-conjur-cert.sh -v -i -u "$CONJUR_APPLIANCE_URL"
+
+ helm install cluster-prep . -n "$CONJUR_NAMESPACE" --debug --wait \
+ --set conjur.account="$CONJUR_ACCOUNT" \
+ --set conjur.applianceUrl="$CONJUR_APPLIANCE_URL" \
+ --set conjur.certificateFilePath="files/conjur-cert.pem" \
+ --set authnK8s.authenticatorID="$AUTHENTICATOR_ID"
+popd > /dev/null
diff --git a/bin/test-workflow/5_app_namespace_prep.sh b/bin/test-workflow/5_app_namespace_prep.sh
new file mode 100755
index 00000000..f4a8d08c
--- /dev/null
+++ b/bin/test-workflow/5_app_namespace_prep.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+set_namespace default
+
+# Prepare a given namespace with a subset of credentials from the golden configmap
+announce "Installing application namespace prep chart"
+pushd $(dirname "$0")/../../helm/application-namespace-prep > /dev/null
+ if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^namespace-prep$")" = "namespace-prep" ]; then
+ helm uninstall namespace-prep -n "$TEST_APP_NAMESPACE_NAME"
+ fi
+
+ # Namespace $TEST_APP_NAMESPACE_NAME will be created if it does not exist
+ helm install namespace-prep . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait \
+ --create-namespace \
+ --set authnK8s.goldenConfigMap="authn-k8s-configmap" \
+ --set authnK8s.namespace="$CONJUR_NAMESPACE"
+popd > /dev/null
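Review bot: The `if [ "$(helm list -q -n $CONJUR_NAMESPACE | grep "^cluster-prep$")" = "cluster-prep" ]; then helm uninstall ...` block in 4_kubernetes_cluster_prep.sh tears the release down and recreates it on every run, so whatever the chart manages (the golden ConfigMap, per the comment above it) disappears for the duration of the reinstall instead of being upgraded in place; `helm upgrade --install cluster-prep . -n "$CONJUR_NAMESPACE" --wait ...` with the same `--set` flags is idempotent and removes the list/grep test entirely. The same uninstall-then-install pattern appears in 5_app_namespace_prep.sh in the next hunk and in `deploy_sidecar_app` in 7_app_deploy.sh later in this commit. `pushd $(dirname "$0")/../../helm/kubernetes-cluster-prep` is unquoted in both scripts, so a checkout path containing spaces word-splits; `pushd "$(dirname "$0")/../../helm/kubernetes-cluster-prep" > /dev/null` fixes it. `--debug` on `helm install` prints every computed value to the log; nothing secret is set in these two scripts, but the flag is copied into 7_app_deploy.sh where a password is, so it is worth dropping here to avoid establishing the habit.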
diff --git a/bin/test-workflow/5_app_store_conjur_cert.sh b/bin/test-workflow/5_app_store_conjur_cert.sh deleted file mode 100755 index f3b7f029..00000000 --- a/bin/test-workflow/5_app_store_conjur_cert.sh +++ /dev/null @@ -1,35 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -. utils.sh - -announce "Storing Conjur cert for test app configuration." - -set_namespace $CONJUR_NAMESPACE_NAME - -echo "Retrieving Conjur certificate." - -if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then - master_pod_name=$(get_master_pod_name) - ssl_cert=$($cli exec -c "${HELM_RELEASE}-nginx" $master_pod_name -- cat /opt/conjur/etc/ssl/cert/tls.crt) -else - if $cli get pods --selector role=follower --no-headers; then - follower_pod_name=$($cli get pods --selector role=follower --no-headers | awk '{ print $1 }' | head -1) - ssl_cert=$($cli exec $follower_pod_name -- cat /opt/conjur/etc/ssl/conjur.pem) - else - echo "Regular follower not found. Trying to assume a decomposed follower..." - follower_pod_name=$($cli get pods --selector role=decomposed-follower --no-headers | awk '{ print $1 }' | head -1) - ssl_cert=$($cli exec -c "nginx" $follower_pod_name -- cat /opt/conjur/etc/ssl/cert/tls.crt) - fi -fi - -set_namespace $TEST_APP_NAMESPACE_NAME - -echo "Storing non-secret conjur cert as test app configuration data" - -$cli delete --ignore-not-found=true configmap $TEST_APP_NAMESPACE_NAME - -# Store the Conjur cert in a ConfigMap. -$cli create configmap $TEST_APP_NAMESPACE_NAME --from-file=ssl-certificate=<(echo "$ssl_cert") - -echo "Conjur cert stored." diff --git a/bin/test-workflow/6_app_build_and_push_containers.sh b/bin/test-workflow/6_app_build_and_push_containers.sh index 37349fae..622ff873 100755 --- a/bin/test-workflow/6_app_build_and_push_containers.sh +++ b/bin/test-workflow/6_app_build_and_push_containers.sh 
@@ -40,11 +40,11 @@ pushd test_app_summon echo "Building test app image" docker build \ --build-arg namespace=$TEST_APP_NAMESPACE_NAME \ - --tag test-app:$CONJUR_NAMESPACE_NAME \ + --tag test-app:$CONJUR_NAMESPACE \ --file $dockerfile . test_app_image=$(platform_image_for_push "test-$app_type-app") - docker tag test-app:$CONJUR_NAMESPACE_NAME $test_app_image + docker tag test-app:$CONJUR_NAMESPACE $test_app_image if ! is_minienv; then docker push $test_app_image @@ -52,19 +52,6 @@ pushd test_app_summon done popd -# If in Kubernetes, build custom pg image -if [[ "$PLATFORM" != "openshift" ]]; then - pushd pg - docker build -t test-app-pg:$CONJUR_NAMESPACE_NAME . - test_app_pg_image=$(platform_image_for_push test-app-pg) - docker tag test-app-pg:$CONJUR_NAMESPACE_NAME $test_app_pg_image - - if ! is_minienv; then - docker push $test_app_pg_image - fi - popd -fi - if [[ "$LOCAL_AUTHENTICATOR" == "true" ]]; then # Re-tag the locally-built conjur-authn-k8s-client:dev image authn_image=$(platform_image_for_push conjur-authn-k8s-client) diff --git a/bin/test-workflow/7_app_deploy.sh b/bin/test-workflow/7_app_deploy.sh index efd20060..141fb22b 100755 --- a/bin/test-workflow/7_app_deploy.sh +++ b/bin/test-workflow/7_app_deploy.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash -set -eo pipefail +set -euo pipefail . utils.sh @@ -19,10 +19,10 @@ main() { fi deploy_app_backend - deploy_secretless_app + # deploy_secretless_app deploy_sidecar_app - deploy_init_container_app - deploy_init_container_app_with_host_outside_apps + # deploy_init_container_app + # deploy_init_container_app_with_host_outside_apps } ########################### 
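Review bot: `main()` in 7_app_deploy.sh now comments out `deploy_secretless_app`, `deploy_init_container_app` and `deploy_init_container_app_with_host_outside_apps` with no explanation, while the bodies of those functions are still maintained in later hunks, so a reader cannot tell whether this is a temporary toggle during the helm migration or dead code; a one-line comment above the block giving the reason and what re-enables them is needed, e.g. `# TODO(<TICKET_PLACEHOLDER>): re-enable once these apps are deployed via the app-deploy chart`. If 8_app_verify_authentication.sh still exercises those apps (its hunk is outside this chunk) the verification step will fail, so the two files need to be changed together. The switch to `set -euo pipefail` in the same file is a good change, but it also means any variable read on the still-active path that was only assigned by the removed `init_connection_specs` lines now aborts the script; the `CONJUR_AUTHN_LOGIN_PREFIX` references were updated in the later hunks, which looks complete from here.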
@@ -66,23 +66,12 @@ init_connection_specs() { fi if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then - conjur_appliance_url=${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE_NAME.svc.cluster.local} + conjur_appliance_url=${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE.svc.cluster.local} else conjur_follower_name=${CONJUR_FOLLOWER_NAME:-conjur-follower} - conjur_appliance_url=https://$conjur_follower_name.$CONJUR_NAMESPACE_NAME.svc.cluster.local/api + conjur_appliance_url=https://$conjur_follower_name.$CONJUR_NAMESPACE.svc.cluster.local/api fi conjur_authenticator_url="$conjur_appliance_url/authn-k8s/$URLENCODED_AUTHN_ID" - - if [[ "$ANNOTATION_BASED_AUTHN" == "true" ]]; then - # For annotation-based Kubernetes authentication, the host ID to be used - # for authenticating is an application name. - conjur_authn_login_prefix=host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps - else - # For host-ID-based Kubernetes authentication, the host ID to be used - # for authenticating is in the form: - # // - conjur_authn_login_prefix=host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps/$TEST_APP_NAMESPACE_NAME/$CONJUR_AUTHN_LOGIN_RESOURCE - fi } ########################### @@ -92,7 +81,6 @@ deploy_app_backend() { service/test-summon-sidecar-app-backend \ service/test-secretless-app-backend \ statefulset/summon-init-pg \ - statefulset/summon-sidecar-pg \ statefulset/secretless-pg \ statefulset/summon-init-mysql \ statefulset/summon-sidecar-mysql \ 
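Review bot: Removing the `if [[ "$ANNOTATION_BASED_AUTHN" == "true" ]]` branch from `init_connection_specs` means the host-ID form `host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps/$TEST_APP_NAMESPACE_NAME/$CONJUR_AUTHN_LOGIN_RESOURCE` is no longer produced anywhere, yet `ANNOTATION_BASED_AUTHN` still defaults to `false` in set_env_vars.sh as of the previous commit and `CONJUR_AUTHN_LOGIN_RESOURCE` is still required by `check_env_var` in 1_prep_check_dependencies.sh, so a user who sets either variable now silently gets annotation-based login. Either keep the branch where `CONJUR_AUTHN_LOGIN_PREFIX` is now exported (1_prep_check_dependencies.sh), or retire the two variables and fail fast when the unsupported mode is requested, e.g. `[[ "$ANNOTATION_BASED_AUTHN" == "true" ]] || { echo "Only annotation-based authn is supported by this workflow" >&2; exit 1; }`. `init_connection_specs` begins outside this hunk. The second hunk drops `statefulset/summon-sidecar-pg` from the cleanup list, which is consistent with the helm-managed backend introduced in the next hunk.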
@@ -111,12 +99,30 @@ deploy_app_backend() { echo "Deploying test app backend" - test_app_pg_docker_image=$(platform_image_for_pull test-app-pg) - - sed "s#{{ TEST_APP_PG_DOCKER_IMAGE }}#$test_app_pg_docker_image#g" ./$PLATFORM/tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml | - sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | - $cli create -f - + # Install postgresql helm chart + if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^summon-sidecar-app-backend-pg$")" = "summon-sidecar-app-backend-pg" ]; then + helm uninstall summon-sidecar-app-backend-pg -n "$TEST_APP_NAMESPACE_NAME" + fi + + kubectl delete --ignore-not-found pvc -l app.kubernetes.io/instance=summon-sidecar-app-backend-pg + + helm repo add bitnami https://charts.bitnami.com/bitnami + + helm install summon-sidecar-app-backend-pg bitnami/postgresql -n $TEST_APP_NAMESPACE_NAME --debug --wait \ + --set image.repository="postgres" \ + --set image.tag="9.6" \ + --set postgresqlDataDir="/data/pgdata" \ + --set persistence.mountPath="/data/" \ + --set fullnameOverride="test-summon-sidecar-app-backend" \ + --set tls.enabled=true \ + --set volumePermissions.enabled=true \ + --set tls.certificatesSecret="test-app-backend-certs" \ + --set tls.certFilename="server.crt" \ + --set tls.certKeyFilename="server.key" \ + --set securityContext.fsGroup="999" \ + --set postgresqlDatabase="test_app" \ + --set postgresqlUsername="test_app" \ + --set postgresqlPassword=$SAMPLE_APP_BACKEND_DB_PASSWORD ;; mysql) echo "Deploying test app backend" 
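Review bot: `--set postgresqlPassword=$SAMPLE_APP_BACKEND_DB_PASSWORD` combined with `--debug` on the same `helm install` makes helm print the computed values, password included, to stdout and therefore to the CI log, and the unquoted expansion also places the password in the process arguments for the run; creating a Secret beforehand and pointing the chart at it through its `existingSecret` value, and dropping `--debug` (or enabling it only on failure), keeps the password out of the log. `bitnami/postgresql` is installed without `--version`, so `helm repo add` plus an unpinned chart pulls whatever major is current; the `postgresqlUsername`/`postgresqlDatabase`/`postgresqlPassword` keys used here belong to the older value schema, and newer majors of that chart moved them under `auth.*`, so pin with `--version <CHART_VERSION_PLACEHOLDER>` to keep the flags valid. `kubectl delete --ignore-not-found pvc -l app.kubernetes.io/instance=summon-sidecar-app-backend-pg` bypasses `$cli`, which the rest of the file uses to support OpenShift. `tls.certificatesSecret="test-app-backend-certs"` must already exist in the namespace; nothing visible in this chunk creates it, so a comment naming where it comes from (or a creation step) is needed. `deploy_app_backend` begins outside this hunk.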
@@ -134,36 +140,19 @@ deploy_app_backend() { ########################### deploy_sidecar_app() { - $cli delete --ignore-not-found \ - deployment/test-app-summon-sidecar \ - service/test-app-summon-sidecar \ - serviceaccount/test-app-summon-sidecar \ - serviceaccount/oc-test-app-summon-sidecar - - if [[ "$PLATFORM" == "openshift" ]]; then - oc delete --ignore-not-found \ - deploymentconfig/test-app-summon-sidecar \ - route/test-app-summon-sidecar - fi - - sleep 5 - - sed "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_sidecar_app_docker_image#g" ./$PLATFORM/test-app-summon-sidecar.yml | - sed "s#{{ AUTHENTICATOR_CLIENT_IMAGE }}#$authenticator_client_image#g" | - sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | - sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | - sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" | - sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | - sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | - sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" | - sed "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - sed "s#{{ SERVICE_TYPE }}#$(app_service_type)#g" | - $cli create -f - - - if [[ "$PLATFORM" == "openshift" ]]; then - oc expose service test-app-summon-sidecar - fi + pushd $(dirname "$0")/../../helm/app-deploy > /dev/null + # Deploy a given app with yet another subset of the subset of our golden configmap, allowing + # connection to Conjur + announce "Installing sidecar application chart" + if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^sidecar-app$")" = "sidecar-app" ]; then + helm uninstall sidecar-app -n "$TEST_APP_NAMESPACE_NAME" + fi + + helm install sidecar-app . 
-n "$TEST_APP_NAMESPACE_NAME" --debug --wait \ + --set authn-k8s.enabled=true \ + --set global.conjur.conjurConnConfigMap="conjur-connect-configmap" \ + --set app-summon-sidecar.conjur.authnLogin="$CONJUR_AUTHN_LOGIN_PREFIX/test-app-summon-sidecar" + popd > /dev/null echo "Test app/sidecar deployed." } @@ -188,7 +177,7 @@ deploy_init_container_app() { sed "s#{{ AUTHENTICATOR_CLIENT_IMAGE }}#$authenticator_client_image#g" | sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | - sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" | + sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$CONJUR_AUTHN_LOGIN_PREFIX#g" | sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | @@ -279,7 +268,7 @@ deploy_secretless_app() { sed "s#{{ SECRETLESS_IMAGE }}#$secretless_image#g" | sed "s#{{ SECRETLESS_DB_URL }}#$secretless_db_url#g" | sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | - sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" | + sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$CONJUR_AUTHN_LOGIN_PREFIX#g" | sed "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | diff --git a/bin/test-workflow/8_app_verify_authentication.sh b/bin/test-workflow/8_app_verify_authentication.sh index 802e6361..6623dc14 100755 --- a/bin/test-workflow/8_app_verify_authentication.sh +++ b/bin/test-workflow/8_app_verify_authentication.sh 
@@ -65,10 +65,10 @@ fi echo "Waiting for pods to become available" check_pods(){ - pods_ready "test-app-summon-init" && - pods_ready "test-app-with-host-outside-apps-branch-summon-init" && - pods_ready "test-app-summon-sidecar" && - pods_ready "test-app-secretless" + # pods_ready "test-app-summon-init" && + # pods_ready "test-app-with-host-outside-apps-branch-summon-init" && + pods_ready "test-app-summon-sidecar" # && + # pods_ready "test-app-secretless" } bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_pods @@ -76,10 +76,10 @@ if [[ "$PLATFORM" == "openshift" ]]; then echo "Waiting for deployments to become available" check_deployment_status(){ - [[ "$(deployment_status "test-app-summon-init")" == "Complete" ]] && - [[ "$(deployment_status "test-app-with-host-outside-apps-branch-summon-init")" == "Complete" ]] && - [[ "$(deployment_status "test-app-summon-sidecar")" == "Complete" ]] && - [[ "$(deployment_status "test-app-secretless")" == "Complete" ]] + # [[ "$(deployment_status "test-app-summon-init")" == "Complete" ]] && + # [[ "$(deployment_status "test-app-with-host-outside-apps-branch-summon-init")" == "Complete" ]] && + [[ "$(deployment_status "test-app-summon-sidecar")" == "Complete" ]] # && + # [[ "$(deployment_status "test-app-secretless")" == "Complete" ]] } bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_deployment_status 
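Review bot: Commenting out the init and secretless checks in `check_pods` (and likewise in `check_deployment_status`, in `check_services` on L85, and in `check_urls` plus the curl calls on L86-L87) leaves the verification script reporting success while exercising only the sidecar app, with no marker saying why or when the others come back. Prefer one comment above `check_pods` such as `# TODO(ISSUE-ID): only the summon-sidecar app is deployed by 7_app_deploy.sh in this flow; re-enable the init/secretless checks once those apps are ported to the helm chart`, or gate the disabled checks on a variable instead of leaving dead code. The trailing `# &&` on each surviving line is harmless but reads as a half-finished edit.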
@@ -107,10 +107,10 @@ else if [[ "$TEST_APP_LOADBALANCER_SVCS" == "true" ]]; then echo "Waiting for external IPs to become available" check_services(){ - [[ -n "$(external_ip "test-app-summon-init")" ]] && - [[ -n "$(external_ip "test-app-with-host-outside-apps-branch-summon-init")" ]] && - [[ -n "$(external_ip "test-app-summon-sidecar")" ]] && - [[ -n "$(external_ip "test-app-secretless")" ]] + # [[ -n "$(external_ip "test-app-summon-init")" ]] && + # [[ -n "$(external_ip "test-app-with-host-outside-apps-branch-summon-init")" ]] && + [[ -n "$(external_ip "test-app-summon-sidecar")" ]] # && + # [[ -n "$(external_ip "test-app-secretless")" ]] } bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_services 
@@ -135,26 +135,26 @@ echo "Waiting for urls to be ready" check_urls(){ ( - $curl_cmd -sS --connect-timeout 3 "$init_url" && - $curl_cmd -sS --connect-timeout 3 "$init_url_with_host_outside_apps" && - $curl_cmd -sS --connect-timeout 3 "$sidecar_url" && - $curl_cmd -sS --connect-timeout 3 "$secretless_url" + # $curl_cmd -sS --connect-timeout 3 "$init_url" && + # $curl_cmd -sS --connect-timeout 3 "$init_url_with_host_outside_apps" && + $curl_cmd -sS --connect-timeout 3 "$sidecar_url" # && + # $curl_cmd -sS --connect-timeout 3 "$secretless_url" ) > /dev/null } bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_urls -echo -e "\nAdding entry to the init app\n" -$curl_cmd \ - -d '{"name": "Mr. Init"}' \ - -H "Content-Type: application/json" \ - "$init_url"/pet +# echo -e "\nAdding entry to the init app\n" +# $curl_cmd \ +# -d '{"name": "Mr. Init"}' \ +# -H "Content-Type: application/json" \ +# "$init_url"/pet -echo -e "Adding entry to the init app with host outside apps\n" -$curl_cmd \ - -d '{"name": "Mr. Init"}' \ - -H "Content-Type: application/json" \ - "$init_url_with_host_outside_apps"/pet +# echo -e "Adding entry to the init app with host outside apps\n" +# $curl_cmd \ +# -d '{"name": "Mr. Init"}' \ +# -H "Content-Type: application/json" \ +# "$init_url_with_host_outside_apps"/pet echo -e "Adding entry to the sidecar app\n" $curl_cmd \ 
@@ -162,22 +162,22 @@ $curl_cmd \ -H "Content-Type: application/json" \ "$sidecar_url"/pet -echo -e "Adding entry to the secretless app\n" -$curl_cmd \ - -d '{"name": "Mr. Secretless"}' \ - -H "Content-Type: application/json" \ - "$secretless_url"/pet +# echo -e "Adding entry to the secretless app\n" +# $curl_cmd \ +# -d '{"name": "Mr. Secretless"}' \ +# -H "Content-Type: application/json" \ +# "$secretless_url"/pet -echo -e "Querying init app\n" -$curl_cmd "$init_url"/pets +# echo -e "Querying init app\n" +# $curl_cmd "$init_url"/pets -echo -e "\n\nQuerying init app with hosts outside apps\n" -$curl_cmd "$init_url_with_host_outside_apps"/pets +# echo -e "\n\nQuerying init app with hosts outside apps\n" +# $curl_cmd "$init_url_with_host_outside_apps"/pets echo -e "\n\nQuerying sidecar app\n" $curl_cmd "$sidecar_url"/pets -echo -e "\n\nQuerying secretless app\n" -$curl_cmd "$secretless_url"/pets +# echo -e "\n\nQuerying secretless app\n" +# $curl_cmd "$secretless_url"/pets DETAILED_DUMP_ON_EXIT=false diff --git a/bin/test-workflow/kubernetes/postgres.template.yml b/bin/test-workflow/kubernetes/postgres.template.yml deleted file mode 100644 index 231e6101..00000000 --- a/bin/test-workflow/kubernetes/postgres.template.yml +++ /dev/null 
@@ -1,166 +0,0 @@ ---- -kind: Service -apiVersion: v1 -metadata: - name: test-summon-init-app-backend - namespace: {{ TEST_APP_NAMESPACE_NAME }} -spec: - selector: - app: test-summon-init-app-backend - ports: - - port: 5432 - targetPort: 5432 - ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: summon-init-pg - labels: - app: test-summon-init-app-backend -spec: - serviceName: test-summon-init-app-backend - selector: - matchLabels: - app: test-summon-init-app-backend - template: - metadata: - labels: - app: test-summon-init-app-backend - spec: - securityContext: - fsGroup: 999 - containers: - - name: test-summon-init-app-backend - image: {{ TEST_APP_PG_DOCKER_IMAGE }} - imagePullPolicy: {{ IMAGE_PULL_POLICY }} - ports: - - containerPort: 5432 - volumeMounts: - - name: backend-certs - mountPath: "/etc/certs/" - readOnly: true - args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/server.crt", "-c", "ssl_key_file=/etc/certs/server.key"] - env: - - name: POSTGRES_USER - value: test_app - - name: POSTGRES_PASSWORD - value: {{ TEST_APP_DB_PASSWORD }} - - name: POSTGRES_DB - value: test_app - volumes: - - name: backend-certs - secret: - secretName: test-app-backend-certs - defaultMode: 384 ---- -kind: Service -apiVersion: v1 -metadata: - name: test-summon-sidecar-app-backend - namespace: {{ TEST_APP_NAMESPACE_NAME }} -spec: - selector: - app: test-summon-sidecar-app-backend - ports: - - port: 5432 - targetPort: 5432 - ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: summon-sidecar-pg - labels: - app: test-summon-sidecar-app-backend -spec: - serviceName: test-summon-sidecar-app-backend - selector: - matchLabels: - app: test-summon-sidecar-app-backend - template: - metadata: - labels: - app: test-summon-sidecar-app-backend - spec: - securityContext: - fsGroup: 999 - containers: - - name: test-summon-sidecar-app-backend - image: {{ TEST_APP_PG_DOCKER_IMAGE }} - imagePullPolicy: {{ IMAGE_PULL_POLICY }} - ports: - - containerPort: 5432 - 
volumeMounts: - - name: backend-certs - mountPath: "/etc/certs/" - readOnly: true - args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/server.crt", "-c", "ssl_key_file=/etc/certs/server.key"] - env: - - name: POSTGRES_USER - value: test_app - - name: POSTGRES_PASSWORD - value: {{ TEST_APP_DB_PASSWORD }} - - name: POSTGRES_DB - value: test_app - volumes: - - name: backend-certs - secret: - secretName: test-app-backend-certs - defaultMode: 384 - ---- -kind: Service -apiVersion: v1 -metadata: - name: test-secretless-app-backend - namespace: {{ TEST_APP_NAMESPACE_NAME }} -spec: - selector: - app: test-secretless-app-backend - ports: - - port: 5432 - targetPort: 5432 - ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: secretless-pg - labels: - app: test-secretless-app-backend -spec: - serviceName: test-secretless-app-backend - selector: - matchLabels: - app: test-secretless-app-backend - template: - metadata: - labels: - app: test-secretless-app-backend - spec: - securityContext: - fsGroup: 999 - containers: - - name: test-secretless-app-backend - image: {{ TEST_APP_PG_DOCKER_IMAGE }} - imagePullPolicy: {{ IMAGE_PULL_POLICY }} - ports: - - containerPort: 5432 - volumeMounts: - - name: backend-certs - mountPath: "/etc/certs/" - readOnly: true - args: ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/certs/server.crt", "-c", "ssl_key_file=/etc/certs/server.key"] - env: - - name: POSTGRES_USER - value: test_app - - name: POSTGRES_PASSWORD - value: {{ TEST_APP_DB_PASSWORD }} - - name: POSTGRES_DB - value: test_app - volumes: - - name: backend-certs - secret: - secretName: test-app-backend-certs - defaultMode: 384 diff --git a/bin/test-workflow/kubernetes/test-app-conjur-authenticator-role-binding.yml b/bin/test-workflow/kubernetes/test-app-conjur-authenticator-role-binding.yml index 5ed17893..1b3c9fc3 100644 --- a/bin/test-workflow/kubernetes/test-app-conjur-authenticator-role-binding.yml 
+++ b/bin/test-workflow/kubernetes/test-app-conjur-authenticator-role-binding.yml @@ -2,12 +2,12 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: test-app-conjur-authenticator-role-binding-{{ CONJUR_NAMESPACE_NAME }} + name: test-app-conjur-authenticator-role-binding-{{ CONJUR_NAMESPACE }} namespace: {{ TEST_APP_NAMESPACE_NAME }} subjects: - kind: ServiceAccount name: {{ CONJUR_SERVICE_ACCOUNT }} - namespace: {{ CONJUR_NAMESPACE_NAME }} + namespace: {{ CONJUR_NAMESPACE }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/bin/test-workflow/kubernetes/test-app-summon-sidecar.yml b/bin/test-workflow/kubernetes/test-app-summon-sidecar.yml deleted file mode 100644 index 6940198b..00000000 --- a/bin/test-workflow/kubernetes/test-app-summon-sidecar.yml +++ /dev/null 
@@ -1,104 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: test-app-summon-sidecar - labels: - app: test-app-summon-sidecar -spec: - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 - selector: - app: test-app-summon-sidecar - type: {{ SERVICE_TYPE }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: test-app-summon-sidecar ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: test-app-summon-sidecar - name: test-app-summon-sidecar -spec: - replicas: 1 - selector: - matchLabels: - app: test-app-summon-sidecar - template: - metadata: - labels: - app: test-app-summon-sidecar - spec: - serviceAccountName: test-app-summon-sidecar - containers: - - image: {{ TEST_APP_DOCKER_IMAGE }} - imagePullPolicy: {{ IMAGE_PULL_POLICY }} - name: test-app - ports: - - name: http - containerPort: 8080 - readinessProbe: - httpGet: - path: /pets - port: http - initialDelaySeconds: 15 - timeoutSeconds: 5 - env: - - name: CONJUR_APPLIANCE_URL - value: "{{ CONJUR_APPLIANCE_URL }}" - - name: CONJUR_ACCOUNT - value: {{ CONJUR_ACCOUNT }} - - name: CONJUR_AUTHN_TOKEN_FILE - value: /run/conjur/access-token - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - name: {{ CONFIG_MAP_NAME }} - key: ssl-certificate - volumeMounts: - - mountPath: /run/conjur - name: conjur-access-token - readOnly: true - - image: {{ AUTHENTICATOR_CLIENT_IMAGE }} - imagePullPolicy: Always - name: authenticator - env: - - name: CONTAINER_MODE - value: sidecar - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: CONJUR_AUTHN_URL - value: "{{ CONJUR_AUTHN_URL }}" - - name: CONJUR_ACCOUNT - value: {{ CONJUR_ACCOUNT }} - - name: CONJUR_AUTHN_LOGIN - value: "{{ CONJUR_AUTHN_LOGIN_PREFIX }}/test-app-summon-sidecar" - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - 
name: {{ CONFIG_MAP_NAME }} - key: ssl-certificate - volumeMounts: - - mountPath: /run/conjur - name: conjur-access-token - imagePullSecrets: - - name: dockerpullsecret - volumes: - - name: conjur-access-token - emptyDir: - medium: Memory diff --git a/bin/test-workflow/openshift/test-app-conjur-authenticator-role-binding.yml b/bin/test-workflow/openshift/test-app-conjur-authenticator-role-binding.yml index 5ed17893..1b3c9fc3 100644 --- a/bin/test-workflow/openshift/test-app-conjur-authenticator-role-binding.yml +++ b/bin/test-workflow/openshift/test-app-conjur-authenticator-role-binding.yml @@ -2,12 +2,12 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: test-app-conjur-authenticator-role-binding-{{ CONJUR_NAMESPACE_NAME }} + name: test-app-conjur-authenticator-role-binding-{{ CONJUR_NAMESPACE }} namespace: {{ TEST_APP_NAMESPACE_NAME }} subjects: - kind: ServiceAccount name: {{ CONJUR_SERVICE_ACCOUNT }} - namespace: {{ CONJUR_NAMESPACE_NAME }} + namespace: {{ CONJUR_NAMESPACE }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/bin/test-workflow/pg/Dockerfile b/bin/test-workflow/pg/Dockerfile deleted file mode 100644 index 3b7ee97f..00000000 --- a/bin/test-workflow/pg/Dockerfile +++ /dev/null @@ -1,5 +0,0 @@ -FROM postgres:9.6 - -RUN mkdir -p /docker-entrypoint-initdb.d - -COPY rotate_password /usr/local/bin/ diff --git a/bin/test-workflow/pg/rotate_password b/bin/test-workflow/pg/rotate_password deleted file mode 100755 index 6f5384a1..00000000 --- a/bin/test-workflow/pg/rotate_password +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/env bash - -new_password="$1" -if [[ -z $new_password ]]; then - echo "usage: $0 " - exit 1 -fi - -# Set the new password. -echo "ALTER ROLE test_app WITH PASSWORD '$new_password'" | psql -U postgres - -# Close all the connections, forcing them to reconnect. -cat < pg_backend_pid() -AND - usename='test_app'; -KILL_CONNECTIONS 
diff --git a/bin/test-workflow/policy/templates/cluster-authn-svc-def.template.yml b/bin/test-workflow/policy/templates/cluster-authn-svc-def.template.yml
index ed0aca91..ce122936 100644
--- a/bin/test-workflow/policy/templates/cluster-authn-svc-def.template.yml
+++ b/bin/test-workflow/policy/templates/cluster-authn-svc-def.template.yml
@@ -14,7 +14,7 @@ id: validator annotations: description: Validation host used when configuring a cluster
- authn-k8s/namespace: {{ CONJUR_NAMESPACE_NAME }}
+ authn-k8s/namespace: {{ CONJUR_NAMESPACE }}
- !policy id: ca
diff --git a/bin/test-workflow/policy/templates/project-authn-def.template.yml b/bin/test-workflow/policy/templates/project-authn-def.template.yml
index 42c4fcb9..76e2c752 100644
--- a/bin/test-workflow/policy/templates/project-authn-def.template.yml
+++ b/bin/test-workflow/policy/templates/project-authn-def.template.yml
@@ -59,75 +59,6 @@ authn-k8s/authentication-container-name: secretless openshift: "{{ IS_OPENSHIFT }}" - # Host-ID based authentication (application identity in the host itself) - - !host - id: {{ TEST_APP_NAMESPACE_NAME }}/*/* - annotations: - kubernetes/authentication-container-name: authenticator - openshift: "{{ IS_OPENSHIFT }}" - - - !host - id: {{ TEST_APP_NAMESPACE_NAME }}/service_account/test-app-summon-sidecar - annotations: - kubernetes/authentication-container-name: authenticator - kubernetes: "{{ IS_KUBERNETES }}" - - !host - id: {{ TEST_APP_NAMESPACE_NAME }}/deployment/test-app-summon-sidecar - annotations: - kubernetes/authentication-container-name: authenticator - kubernetes: "{{ IS_KUBERNETES }}" - - !host - id: {{ TEST_APP_NAMESPACE_NAME }}/service_account/test-app-summon-init - annotations: - kubernetes/authentication-container-name: authenticator - kubernetes: "{{ IS_KUBERNETES }}" - - !host - id: {{ TEST_APP_NAMESPACE_NAME }}/deployment/test-app-summon-init - annotations: - kubernetes/authentication-container-name: authenticator - kubernetes: "{{ IS_KUBERNETES }}" - - !host - id: {{ TEST_APP_NAMESPACE_NAME }}/service_account/test-app-secretless - annotations: - kubernetes/authentication-container-name: secretless - kubernetes: "{{ IS_KUBERNETES }}" - - !host - id: {{ TEST_APP_NAMESPACE_NAME }}/deployment/test-app-secretless - annotations: - kubernetes/authentication-container-name: secretless - kubernetes: "{{ IS_KUBERNETES }}" - - - !host - id: {{ TEST_APP_NAMESPACE_NAME }}/service_account/oc-test-app-summon-sidecar - annotations: - kubernetes/authentication-container-name: authenticator - openshift: "{{ IS_OPENSHIFT }}" - - !host - id: {{ TEST_APP_NAMESPACE_NAME }}/deployment/oc-test-app-summon-sidecar - annotations: - kubernetes/authentication-container-name: authenticator - openshift: "{{ IS_OPENSHIFT }}" - - !host - id: {{ TEST_APP_NAMESPACE_NAME }}/service_account/oc-test-app-summon-init - annotations: - 
kubernetes/authentication-container-name: authenticator - openshift: "{{ IS_OPENSHIFT }}" - - !host - id: {{ TEST_APP_NAMESPACE_NAME }}/deployment/oc-test-app-summon-init - annotations: - kubernetes/authentication-container-name: authenticator - openshift: "{{ IS_OPENSHIFT }}" - - !host - id: {{ TEST_APP_NAMESPACE_NAME }}/service_account/oc-test-app-secretless - annotations: - kubernetes/authentication-container-name: secretless - openshift: "{{ IS_OPENSHIFT }}" - - !host - id: {{ TEST_APP_NAMESPACE_NAME }}/deployment/oc-test-app-secretless - annotations: - kubernetes/authentication-container-name: secretless - openshift: "{{ IS_OPENSHIFT }}" - - !grant role: !layer members: *hosts diff --git a/bin/test-workflow/set_env_vars.sh b/bin/test-workflow/set_env_vars.sh index 7c1a936b..76e710a0 100755 --- a/bin/test-workflow/set_env_vars.sh +++ b/bin/test-workflow/set_env_vars.sh @@ -20,8 +20,8 @@ LOCAL_AUTHENTICATOR="${LOCAL_AUTHENTICATOR:-false}" DEPLOY_MASTER_CLUSTER="${DEPLOY_MASTER_CLUSTER:-false}" CONFIGURE_CONJUR_MASTER="${CONFIGURE_CONJUR_MASTER:-$DEPLOY_MASTER_CLUSTER}" -ANNOTATION_BASED_AUTHN="${ANNOTATION_BASED_AUTHN:-false}" -CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-false}" +ANNOTATION_BASED_AUTHN="${ANNOTATION_BASED_AUTHN:-true}" +CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}" TEST_APP_LOADBALANCER_SVCS="${TEST_APP_LOADBALANCER_SVCS:-true}" HELM_RELEASE="${HELM_RELEASE:-conjur-oss}" diff --git a/bin/test-workflow/start b/bin/test-workflow/start index d96b547b..82f01bf1 100755 --- a/bin/test-workflow/start +++ b/bin/test-workflow/start 
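Review bot: Flipping `ANNOTATION_BASED_AUTHN` to default `true` lands in the same series as the hunk on L80 that removes the only visible branch reading it and the hunk on L94-L95 that deletes the host-ID-based `!host` entries from the policy template, so a user who exports `ANNOTATION_BASED_AUTHN=false` now gets neither the old login prefix nor the policy that made it work. If nothing else reads the variable, remove it; otherwise add a comment above it, `# Host-ID based authn is no longer exercised by this workflow; only annotation-based authn is supported`. The new `CONJUR_OSS_HELM_INSTALLED` default deserves the same one-line note, since it changes which appliance URL init_connection_specs builds.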
@@ -1,26 +1,18 @@ -#!/usr/bin/env bash -set -xeuo pipefail +#!/bin/bash -. set_env_vars.sh -. utils.sh -init_bash_lib +set -eo pipefail -./0_prep_check_dependencies.sh +cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) -./stop +. ./0_prep_conjur_in_kind.sh -./1_prep_platform_login.sh +. ./1_prep_check_dependencies.sh -if [[ "${CONFIGURE_CONJUR_MASTER}" == "true" || "${CONJUR_OSS_HELM_INSTALLED}" == "true" ]]; then - # Only automatically run these scripts for dev/demo envs deploying a master - # cluster directly to k8s/oc - ./2_admin_load_conjur_policies.sh - ./3_admin_init_conjur_cert_authority.sh -fi +./2_admin_load_conjur_policies.sh +./3_admin_init_conjur_cert_authority.sh -./4_app_create_namespace.sh -./5_app_store_conjur_cert.sh +./4_kubernetes_cluster_prep.sh +./5_app_namespace_prep.sh ./6_app_build_and_push_containers.sh ./7_app_deploy.sh ./8_app_verify_authentication.sh - diff --git a/bin/test-workflow/test_app_summon/tmp.app-test.secrets.yml b/bin/test-workflow/test_app_summon/tmp.app-test.secrets.yml new file mode 100644 index 00000000..b0ff47fd --- /dev/null +++ b/bin/test-workflow/test_app_summon/tmp.app-test.secrets.yml @@ -0,0 +1,3 @@ +DB_URL: !var test-summon-sidecar-app-db/url +DB_USERNAME: !var test-summon-sidecar-app-db/username +DB_PASSWORD: !var test-summon-sidecar-app-db/password diff --git a/bin/test-workflow/utils.sh b/bin/test-workflow/utils.sh index a784d0e7..e6fab673 100755 --- a/bin/test-workflow/utils.sh +++ b/bin/test-workflow/utils.sh 
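Review bot: `set -eo pipefail` drops the `-u` that the old `set -xeuo pipefail` carried, at the same moment the workflow starts depending on environment variables such as `CONJUR_AUTHN_LOGIN_PREFIX` (L80, L83) and `CONJUR_NAMESPACE` (L97) — an unset one now expands to empty and only surfaces later as a confusing kubectl or helm error. Restore it with `set -euo pipefail`. The `|| ( echo "cannot cd into dir" && exit 1 )` only stops the script because `set -e` trips on the subshell's status (the `exit` itself runs in the subshell); `|| { echo "cannot cd into dir" >&2; exit 1; }` says what it means. Dropping `./stop` also means a previous run is no longer torn down before deploying; if `0_prep_conjur_in_kind.sh` now handles that, a comment here would save the reader a lookup.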
@@ -49,11 +49,11 @@ platform_image_for_pull() { if [[ ${PLATFORM} = "openshift" ]]; then echo "${PULL_DOCKER_REGISTRY_PATH}/$TEST_APP_NAMESPACE_NAME/$1:$TEST_APP_NAMESPACE_NAME" elif is_minienv; then - echo "$1:$CONJUR_NAMESPACE_NAME" + echo "$1:$CONJUR_NAMESPACE" elif [[ "$USE_DOCKER_LOCAL_REGISTRY" = "true" ]]; then - echo "${PULL_DOCKER_REGISTRY_URL}/$1:$CONJUR_NAMESPACE_NAME" + echo "${PULL_DOCKER_REGISTRY_URL}/$1:$CONJUR_NAMESPACE" else - echo "${PULL_DOCKER_REGISTRY_PATH}/$1:$CONJUR_NAMESPACE_NAME" + echo "${PULL_DOCKER_REGISTRY_PATH}/$1:$CONJUR_NAMESPACE" fi } @@ -61,11 +61,11 @@ platform_image_for_push() { if [[ ${PLATFORM} = "openshift" ]]; then echo "${DOCKER_REGISTRY_PATH}/$TEST_APP_NAMESPACE_NAME/$1:$TEST_APP_NAMESPACE_NAME" elif is_minienv; then - echo "$1:$CONJUR_NAMESPACE_NAME" + echo "$1:$CONJUR_NAMESPACE" elif [[ "$USE_DOCKER_LOCAL_REGISTRY" = "true" ]]; then - echo "${DOCKER_REGISTRY_URL}/$1:$CONJUR_NAMESPACE_NAME" + echo "${DOCKER_REGISTRY_URL}/$1:$CONJUR_NAMESPACE" else - echo "${DOCKER_REGISTRY_PATH}/$1:$CONJUR_NAMESPACE_NAME" + echo "${DOCKER_REGISTRY_PATH}/$1:$CONJUR_NAMESPACE" fi } @@ -77,6 +77,16 @@ has_namespace() { fi } +has_resource() { + local selector=$1 + local num_matching_resources=$($cli get pods -n "$CONJUR_NAMESPACE" --selector $selector --no-headers 2>/dev/null | wc -l) + if [ $num_matching_resources -gt 0 ]; then + return 0 + else + return 1 + fi +} + get_pod_name() { local pod_identifier=$1 @@ -112,7 +122,7 @@ get_master_pod_name() { } get_conjur_cli_pod_name() { - pod_list=$($cli get pods -n "$CONJUR_NAMESPACE_NAME" --selector app=conjur-cli --no-headers | awk '{ print $1 }') + pod_list=$($cli get pods -n "$CONJUR_NAMESPACE" --selector app=conjur-cli --no-headers | awk '{ print $1 }') echo $pod_list | awk '{print $1}' } From 686b908db650b80fcc27b54ea15c914b06efe6a8 Mon Sep 17 00:00:00 2001 
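Review bot: `has_resource` only queries pods, so its name overstates what it checks, and the `2>/dev/null` on the `$cli get pods` line makes an RBAC denial or an unreachable API server indistinguishable from "no matching pods" — both produce zero lines and a `return 1`, which is the wrong signal for a readiness check. Rename it `has_pods` or document the scope with `# true if at least one pod in $CONJUR_NAMESPACE matches the given label selector`, quote `"$selector"`, and consider letting stderr through or testing `${PIPESTATUS[0]}` so callers can tell a failed query from an empty result.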
From: Samir Shetty Date: Tue, 18 May 2021 06:19:23 -0700 Subject: [PATCH 04/18] Sample app helm chart changes for selecting subchart --- helm/conjur-app-deploy/Chart.yaml | 1 + .../templates/conjur_authn_configmap.yaml | 2 -- ...decar.yml => test-app-summon-sidecar.yaml} | 2 -- helm/conjur-app-deploy/values.yaml | 18 ++++++++--------- .../bin/get-conjur-cert.sh | 20 +++++++++---------- 5 files changed, 18 insertions(+), 25 deletions(-) rename helm/conjur-app-deploy/charts/app-summon-sidecar/templates/{test-app-summon-sidecar.yml => test-app-summon-sidecar.yaml} (98%) diff --git a/helm/conjur-app-deploy/Chart.yaml b/helm/conjur-app-deploy/Chart.yaml index 6fadfaa0..8051f64b 100644 --- a/helm/conjur-app-deploy/Chart.yaml +++ b/helm/conjur-app-deploy/Chart.yaml @@ -19,3 +19,4 @@ dependencies: - name: app-summon-sidecar repository: "file://charts/app-summon-sidecar" version: ">= 0.0.1" + condition: authn-k8s.enabled diff --git a/helm/conjur-app-deploy/charts/app-summon-sidecar/templates/conjur_authn_configmap.yaml b/helm/conjur-app-deploy/charts/app-summon-sidecar/templates/conjur_authn_configmap.yaml index dae05ce8..2316ec49 100644 --- a/helm/conjur-app-deploy/charts/app-summon-sidecar/templates/conjur_authn_configmap.yaml +++ b/helm/conjur-app-deploy/charts/app-summon-sidecar/templates/conjur_authn_configmap.yaml @@ -1,4 +1,3 @@ -{{- if .Values.conjur.authnConfigMap.create -}} apiVersion: v1 kind: ConfigMap metadata: @@ -14,4 +13,3 @@ metadata: data: # authn-k8s Configuration conjurAuthnLogin: {{ required "A valid conjur.authnLogin is required!" .Values.conjur.authnLogin }} -{{- end }} 
diff --git a/helm/conjur-app-deploy/charts/app-summon-sidecar/templates/test-app-summon-sidecar.yml b/helm/conjur-app-deploy/charts/app-summon-sidecar/templates/test-app-summon-sidecar.yaml similarity index 98% rename from helm/conjur-app-deploy/charts/app-summon-sidecar/templates/test-app-summon-sidecar.yml rename to helm/conjur-app-deploy/charts/app-summon-sidecar/templates/test-app-summon-sidecar.yaml index b0e786d7..650e9669 100644 --- a/helm/conjur-app-deploy/charts/app-summon-sidecar/templates/test-app-summon-sidecar.yml +++ b/helm/conjur-app-deploy/charts/app-summon-sidecar/templates/test-app-summon-sidecar.yaml @@ -1,4 +1,3 @@ -{{- if .Values.create -}} apiVersion: v1 kind: Service metadata: @@ -94,4 +93,3 @@ spec: - name: conjur-access-token emptyDir: medium: Memory -{{ end -}} diff --git a/helm/conjur-app-deploy/values.yaml b/helm/conjur-app-deploy/values.yaml index 5f23027a..98bf91ec 100644 --- a/helm/conjur-app-deploy/values.yaml +++ b/helm/conjur-app-deploy/values.yaml @@ -13,16 +13,14 @@ global: # associated sample application container) will be deployed to the # same application Namespace. The default (app-summon-sidecar) is to enable only an authn-k8s # sidecar container. Uncomment authenticator types as desired. -app-summon-sidecar: - create: true - conjur: - authnLogin: +authn-k8s: + enabled: true -# secretless-broker: -# create: true +secretless-broker: + enabled: false -# secrets-provider-init: -# create: true +secrets-provider-init: + enabled: false -# secrets-provider-standalone: -# create: true +secrets-provider-standalone: + enabled: false diff --git a/helm/conjur-config-cluster-prep/bin/get-conjur-cert.sh b/helm/conjur-config-cluster-prep/bin/get-conjur-cert.sh index e2a224bb..6698143f 100755 --- a/helm/conjur-config-cluster-prep/bin/get-conjur-cert.sh +++ b/helm/conjur-config-cluster-prep/bin/get-conjur-cert.sh 
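Review bot: The comment kept above these keys still says "Uncomment authenticator types as desired", but the hunk replaces the commented-out blocks with live `enabled: false` keys, so the instruction no longer matches the file; change it to `# Set enabled: true for each authenticator type you want deployed.` Only `app-summon-sidecar` has a matching `condition:` in Chart.yaml within this series (L98, L103), so the `secretless-broker`, `secrets-provider-init` and `secrets-provider-standalone` toggles appear to have no effect yet; a short note marking them as placeholders would stop someone from expecting them to work.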
@@ -208,12 +208,6 @@ function get_domain_name() { echo "$1" | sed -e 's|^[^/]*//||' -e 's|/.*$||' } -function get_openssl_deployment() { - openssl_deployment="$1" - - kubectl get pod -l "app=$openssl_deployment" -o jsonpath='{.items[*].metadata.name}' -} - function get_openssl_pod() { openssl_deployment="$1" @@ -224,15 +218,19 @@ function ensure_openssl_pod_created() { openssl_deployment="$1" # Create a test deployment if it hasn't been created already - existing_deployment="$(get_openssl_pod $openssl_deployment)" - if [ -z "$existing_deployment" ]; then - echo "Creating SSL deployment $openssl_deployment" + openssl_pod="$(get_openssl_pod $openssl_deployment)" + if [ -z "$openssl_pod" ]; then kubectl create deployment "$openssl_deployment" \ - --image cyberark/conjur-k8s-cluster-test:edge + --image cyberark/conjur-cli:5 \ + -- sleep infinity # Remember that we need to clean up the deployment that we just created deployment_was_created=true + + # Some flakiness here - wait currently will fail if the resource doesn't exist yet + # See https://github.com/kubernetes/kubernetes/issues/83242 + # TODO: Remove sleep after this is fixed in kubectl + sleep 5 # Wait for Pod to be ready - echo "Waiting for OpenSSL test pod to be ready" kubectl wait --for=condition=ready pod -l "app=$openssl_deployment" fi } From 92db9e032443c589187d2fa366143a8f16a1bd63 Mon Sep 17 00:00:00 2001 From: Samir Shetty Date: Tue, 18 May 2021 06:50:31 -0700 Subject: [PATCH 05/18] Squash some newly observed flakiness --- bin/test-workflow/2_admin_load_conjur_policies.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bin/test-workflow/2_admin_load_conjur_policies.sh b/bin/test-workflow/2_admin_load_conjur_policies.sh index a511da3f..ccf88bb1 100755 --- a/bin/test-workflow/2_admin_load_conjur_policies.sh +++ b/bin/test-workflow/2_admin_load_conjur_policies.sh 
@@ -51,7 +51,8 @@ ensure_conjur_cli_initialized() { $cli exec $1 -- bash -c "yes yes | conjur init -a $CONJUR_ACCOUNT -u $conjur_url" # Flaky with 500 Internal Server Error, mitigate with retry - wait_for_it 300 "$cli exec $1 2>/dev/null -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD" + wait_for_it 300 "$cli exec $1 -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD" + sleep 5 } pushd policy > /dev/null From 2c8624182ee4aa816cfb5f8b3249c2527a61db80 Mon Sep 17 00:00:00 2001 From: Samir Shetty Date: Tue, 18 May 2021 08:18:48 -0700 Subject: [PATCH 06/18] Revert inadvertant changes to get-conjur-cert.sh --- .../test_app_summon/tmp.app-test.secrets.yml | 3 --- .../bin/get-conjur-cert.sh | 17 ++++++++++++----- 2 files changed, 12 insertions(+), 8 deletions(-) delete mode 100644 bin/test-workflow/test_app_summon/tmp.app-test.secrets.yml diff --git a/bin/test-workflow/test_app_summon/tmp.app-test.secrets.yml b/bin/test-workflow/test_app_summon/tmp.app-test.secrets.yml deleted file mode 100644 index b0ff47fd..00000000 --- a/bin/test-workflow/test_app_summon/tmp.app-test.secrets.yml +++ /dev/null @@ -1,3 +0,0 @@ -DB_URL: !var test-summon-sidecar-app-db/url -DB_USERNAME: !var test-summon-sidecar-app-db/username -DB_PASSWORD: !var test-summon-sidecar-app-db/password diff --git a/helm/conjur-config-cluster-prep/bin/get-conjur-cert.sh b/helm/conjur-config-cluster-prep/bin/get-conjur-cert.sh index 6698143f..d070a780 100755 --- a/helm/conjur-config-cluster-prep/bin/get-conjur-cert.sh +++ b/helm/conjur-config-cluster-prep/bin/get-conjur-cert.sh @@ -208,6 +208,12 @@ function get_domain_name() { echo "$1" | sed -e 's|^[^/]*//||' -e 's|/.*$||' } +function get_openssl_deployment() { + openssl_deployment="$1" + + kubectl get pod -l "app=$openssl_deployment" -o jsonpath='{.items[*].metadata.name}' +} + function get_openssl_pod() { openssl_deployment="$1" 
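Review bot: Dropping `2>/dev/null` from the `conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD` retry means each failed attempt's stderr now reaches the job log, and because the whole command string is handed to `wait_for_it`, any tracing or failure echo in that helper would print the admin password in clear; at minimum quote the value and keep it out of error output, and preferably supply the password through stdin or an environment variable if the CLI supports that rather than a `-p` argument visible in the pod's process list. The new `sleep 5` has no explanation — add `# TODO(ISSUE-ID): fresh CLI sessions intermittently fail the first policy load; replace this pause with a readiness check` or fold the wait into `wait_for_it` with a condition that actually tests readiness. `$1` on both lines should be quoted. ensure_conjur_cli_initialized starts outside the hunk.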
@@ -218,14 +224,15 @@ function ensure_openssl_pod_created() { openssl_deployment="$1" # Create a test deployment if it hasn't been created already - openssl_pod="$(get_openssl_pod $openssl_deployment)" - if [ -z "$openssl_pod" ]; then + existing_deployment="$(get_openssl_pod $openssl_deployment)" + if [ -z "$existing_deployment" ]; then + echo "Creating SSL deployment $openssl_deployment" kubectl create deployment "$openssl_deployment" \ - --image cyberark/conjur-cli:5 \ - -- sleep infinity + --image cyberark/conjur-k8s-cluster-test:edge # Remember that we need to clean up the deployment that we just created deployment_was_created=true - + # Wait for Pod to be ready + echo "Waiting for OpenSSL test pod to be ready" # Some flakiness here - wait currently will fail if the resource doesn't exist yet # See https://github.com/kubernetes/kubernetes/issues/83242 # TODO: Remove sleep after this is fixed in kubectl From b4a57416b6e2236361a10a1e3b7f80c98f22a99a Mon Sep 17 00:00:00 2001 From: Samir Shetty Date: Wed, 19 May 2021 10:48:29 -0700 Subject: [PATCH 07/18] Change name of summon-sidecar sample app enable flag --- bin/test-workflow/7_app_deploy.sh | 2 +- helm/conjur-app-deploy/Chart.yaml | 2 +- helm/conjur-app-deploy/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bin/test-workflow/7_app_deploy.sh b/bin/test-workflow/7_app_deploy.sh index 141fb22b..963e20f7 100755 --- a/bin/test-workflow/7_app_deploy.sh +++ b/bin/test-workflow/7_app_deploy.sh @@ -149,7 +149,7 @@ deploy_sidecar_app() { fi helm install sidecar-app . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait \ - --set authn-k8s.enabled=true \ + --set app-summon-sidecar.enabled=true \ --set global.conjur.conjurConnConfigMap="conjur-connect-configmap" \ --set app-summon-sidecar.conjur.authnLogin="$CONJUR_AUTHN_LOGIN_PREFIX/test-app-summon-sidecar" popd > /dev/null diff --git a/helm/conjur-app-deploy/Chart.yaml b/helm/conjur-app-deploy/Chart.yaml index 8051f64b..593ed489 100644 
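Review bot: The restored `--image cyberark/conjur-k8s-cluster-test:edge` puts the test deployment on a floating tag, so each run pulls whatever `edge` resolves to at that moment and the certificate-retrieval step is neither reproducible nor auditable; pin a released tag or a digest, e.g. `--image cyberark/conjur-k8s-cluster-test@sha256:<digest-placeholder>`. Separately, the re-added `# Wait for Pod to be ready` and its `echo` now sit above the `# Some flakiness here … # TODO` block, ahead of the `sleep`, while the `kubectl wait` they describe lies outside the hunk, where an earlier hunk on this page shows another `# Wait for Pod to be ready` comment still preceding it; moving the two re-added lines below the TODO would keep the comment next to the call it explains and avoid the duplicate. ensure_openssl_pod_created continues past the end of this hunk.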
--- a/helm/conjur-app-deploy/Chart.yaml +++ b/helm/conjur-app-deploy/Chart.yaml @@ -19,4 +19,4 @@ dependencies: - name: app-summon-sidecar repository: "file://charts/app-summon-sidecar" version: ">= 0.0.1" - condition: authn-k8s.enabled + condition: app-summon-sidecar.enabled diff --git a/helm/conjur-app-deploy/values.yaml b/helm/conjur-app-deploy/values.yaml index 98bf91ec..695717d6 100644 --- a/helm/conjur-app-deploy/values.yaml +++ b/helm/conjur-app-deploy/values.yaml @@ -13,7 +13,7 @@ global: # associated sample application container) will be deployed to the # same application Namespace. The default (app-summon-sidecar) is to enable only an authn-k8s # sidecar container. Uncomment authenticator types as desired. -authn-k8s: +app-summon-sidecar: enabled: true secretless-broker: From fb0ce19453ec8217b669033157889e0cba2f8e40 Mon Sep 17 00:00:00 2001 
From: Samir Shetty Date: Wed, 26 May 2021 15:10:49 -0700 Subject: [PATCH 08/18] Prune unnecessary yaml files --- bin/test-workflow/etc/secretless.yml | 34 ---- .../kubernetes/mysql.template.yml | 137 -------------- ...-app-conjur-authenticator-role-binding.yml | 14 -- .../kubernetes/test-app-secretless.yml | 95 ---------- .../kubernetes/test-app-summon-init.yml | 105 ----------- ...h-host-outside-apps-branch-summon-init.yml | 106 ----------- bin/test-workflow/openshift/conjur-cli.yml | 26 --- .../openshift/mysql.template.yml | 131 -------------- .../openshift/postgres.template.yml | 170 ------------------ ...-app-conjur-authenticator-role-binding.yml | 14 -- .../openshift/test-app-secretless.yml | 95 ---------- .../openshift/test-app-summon-init.yml | 105 ----------- .../openshift/test-app-summon-sidecar.yml | 102 ----------- ...h-host-outside-apps-branch-summon-init.yml | 105 ----------- bin/test-workflow/openshift/test-curl.yml | 13 -- bin/test-workflow/stop | 39 ---- 16 files changed, 1291 deletions(-) delete mode 100644 bin/test-workflow/etc/secretless.yml delete mode 100644 bin/test-workflow/kubernetes/mysql.template.yml delete mode 100644 bin/test-workflow/kubernetes/test-app-conjur-authenticator-role-binding.yml delete mode 100644 bin/test-workflow/kubernetes/test-app-secretless.yml delete mode 100644 bin/test-workflow/kubernetes/test-app-summon-init.yml delete mode 100644 bin/test-workflow/kubernetes/test-app-with-host-outside-apps-branch-summon-init.yml delete mode 100644 bin/test-workflow/openshift/conjur-cli.yml delete mode 100644 bin/test-workflow/openshift/mysql.template.yml delete mode 100644 bin/test-workflow/openshift/postgres.template.yml delete mode 100644 bin/test-workflow/openshift/test-app-conjur-authenticator-role-binding.yml delete mode 100644 bin/test-workflow/openshift/test-app-secretless.yml delete mode 100644 bin/test-workflow/openshift/test-app-summon-init.yml delete mode 100644 bin/test-workflow/openshift/test-app-summon-sidecar.yml 
delete mode 100644 bin/test-workflow/openshift/test-app-with-host-outside-apps-branch-summon-init.yml delete mode 100644 bin/test-workflow/openshift/test-curl.yml delete mode 100755 bin/test-workflow/stop diff --git a/bin/test-workflow/etc/secretless.yml b/bin/test-workflow/etc/secretless.yml deleted file mode 100644 index 6a630cbf..00000000 --- a/bin/test-workflow/etc/secretless.yml +++ /dev/null @@ -1,34 +0,0 @@ -version: "2" -services: - test-app-pg: - protocol: pg - listenOn: tcp://0.0.0.0:5432 - credentials: - address: - from: conjur - get: test-secretless-app-db/url - username: - from: conjur - get: test-secretless-app-db/username - password: - from: conjur - get: test-secretless-app-db/password - sslmode: require - - test-app-mysql: - protocol: mysql - listenOn: tcp://0.0.0.0:3306 - credentials: - host: - from: conjur - get: test-secretless-app-db/host - port: - from: conjur - get: test-secretless-app-db/port - username: - from: conjur - get: test-secretless-app-db/username - password: - from: conjur - get: test-secretless-app-db/password - sslmode: require diff --git a/bin/test-workflow/kubernetes/mysql.template.yml b/bin/test-workflow/kubernetes/mysql.template.yml deleted file mode 100644 index b3207127..00000000 --- a/bin/test-workflow/kubernetes/mysql.template.yml +++ /dev/null 
@@ -1,137 +0,0 @@ ---- -kind: Service -apiVersion: v1 -metadata: - name: test-summon-init-app-backend - namespace: {{ TEST_APP_NAMESPACE_NAME }} -spec: - selector: - app: test-summon-init-app-backend - ports: - - port: 3306 - targetPort: 3306 - ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: summon-init-mysql - labels: - app: test-summon-init-app-backend -spec: - serviceName: test-summon-init-app-backend - selector: - matchLabels: - app: test-summon-init-app-backend - template: - metadata: - labels: - app: test-summon-init-app-backend - spec: - containers: - - name: test-summon-init-app-backend - image: {{ TEST_APP_DATABASE_DOCKER_IMAGE }} - imagePullPolicy: {{ IMAGE_PULL_POLICY }} - ports: - - containerPort: 3306 - env: - - name: MYSQL_RANDOM_ROOT_PASSWORD - value: "yes" - - name: MYSQL_USER - value: test_app - - name: MYSQL_PASSWORD - value: {{ TEST_APP_DB_PASSWORD }} - - name: MYSQL_DATABASE - value: test_app - ---- -kind: Service -apiVersion: v1 -metadata: - name: test-summon-sidecar-app-backend - namespace: {{ TEST_APP_NAMESPACE_NAME }} -spec: - selector: - app: test-summon-sidecar-app-backend - ports: - - port: 3306 - targetPort: 3306 - ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: summon-sidecar-mysql - labels: - app: test-summon-sidecar-app-backend -spec: - serviceName: test-summon-sidecar-app-backend - selector: - matchLabels: - app: test-summon-sidecar-app-backend - template: - metadata: - labels: - app: test-summon-sidecar-app-backend - spec: - containers: - - name: test-summon-sidecar-app-backend - image: {{ TEST_APP_DATABASE_DOCKER_IMAGE }} - imagePullPolicy: {{ IMAGE_PULL_POLICY }} - ports: - - containerPort: 3306 - env: - - name: MYSQL_RANDOM_ROOT_PASSWORD - value: "yes" - - name: MYSQL_USER - value: test_app - - name: MYSQL_PASSWORD - value: {{ TEST_APP_DB_PASSWORD }} - - name: MYSQL_DATABASE - value: test_app - ---- -kind: Service -apiVersion: v1 -metadata: - name: test-secretless-app-backend - namespace: {{ 
TEST_APP_NAMESPACE_NAME }} -spec: - selector: - app: test-secretless-app-backend - ports: - - port: 3306 - targetPort: 3306 - ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: secretless-mysql - labels: - app: test-secretless-app-backend -spec: - serviceName: test-secretless-app-backend - selector: - matchLabels: - app: test-secretless-app-backend - template: - metadata: - labels: - app: test-secretless-app-backend - spec: - containers: - - name: test-secretless-app-backend - image: {{ TEST_APP_DATABASE_DOCKER_IMAGE }} - imagePullPolicy: {{ IMAGE_PULL_POLICY }} - ports: - - containerPort: 3306 - env: - - name: MYSQL_RANDOM_ROOT_PASSWORD - value: "yes" - - name: MYSQL_USER - value: test_app - - name: MYSQL_PASSWORD - value: {{ TEST_APP_DB_PASSWORD }} - - name: MYSQL_DATABASE - value: test_app diff --git a/bin/test-workflow/kubernetes/test-app-conjur-authenticator-role-binding.yml b/bin/test-workflow/kubernetes/test-app-conjur-authenticator-role-binding.yml deleted file mode 100644 index 1b3c9fc3..00000000 --- a/bin/test-workflow/kubernetes/test-app-conjur-authenticator-role-binding.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: test-app-conjur-authenticator-role-binding-{{ CONJUR_NAMESPACE }} - namespace: {{ TEST_APP_NAMESPACE_NAME }} -subjects: - - kind: ServiceAccount - name: {{ CONJUR_SERVICE_ACCOUNT }} - namespace: {{ CONJUR_NAMESPACE }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ CONJUR_AUTHN_CLUSTER_ROLE }} diff --git a/bin/test-workflow/kubernetes/test-app-secretless.yml b/bin/test-workflow/kubernetes/test-app-secretless.yml deleted file mode 100644 index 5f4bcdd8..00000000 --- a/bin/test-workflow/kubernetes/test-app-secretless.yml +++ /dev/null 
@@ -1,95 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: test-app-secretless - labels: - app: test-app-secretless -spec: - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 - selector: - app: test-app-secretless - type: {{ SERVICE_TYPE }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: test-app-secretless ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: test-app-secretless - name: test-app-secretless -spec: - replicas: 1 - selector: - matchLabels: - app: test-app-secretless - template: - metadata: - labels: - app: test-app-secretless - spec: - serviceAccountName: test-app-secretless - containers: - - image: cyberark/demo-app - imagePullPolicy: Always - name: test-app-secretless - ports: - - name: http - containerPort: 8080 - readinessProbe: - httpGet: - path: /pets - port: http - initialDelaySeconds: 15 - timeoutSeconds: 5 - env: - - name: DB_URL - value: {{ SECRETLESS_DB_URL }} - - image: {{ SECRETLESS_IMAGE }} - imagePullPolicy: Always - name: secretless - args: ["-f", "/etc/secretless/secretless.yml"] - ports: - - containerPort: 5432 - env: - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: CONJUR_AUTHN_URL - value: "{{ CONJUR_AUTHN_URL }}" - - name: CONJUR_APPLIANCE_URL - value: "{{ CONJUR_APPLIANCE_URL }}" - - name: CONJUR_ACCOUNT - value: {{ CONJUR_ACCOUNT }} - - name: CONJUR_AUTHN_LOGIN - value: "{{ CONJUR_AUTHN_LOGIN_PREFIX }}/test-app-secretless" - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - name: {{ CONFIG_MAP_NAME }} - key: ssl-certificate - volumeMounts: - - name: config - mountPath: "/etc/secretless" - readOnly: true - imagePullSecrets: - - name: dockerpullsecret - volumes: - - name: config - configMap: - name: test-app-secretless-config 
diff --git a/bin/test-workflow/kubernetes/test-app-summon-init.yml b/bin/test-workflow/kubernetes/test-app-summon-init.yml deleted file mode 100644 index bdb02209..00000000 --- a/bin/test-workflow/kubernetes/test-app-summon-init.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: test-app-summon-init - labels: - app: test-app-summon-init -spec: - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 - selector: - app: test-app-summon-init - type: {{ SERVICE_TYPE }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: test-app-summon-init ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: test-app-summon-init - name: test-app-summon-init -spec: - replicas: 1 - selector: - matchLabels: - app: test-app-summon-init - template: - metadata: - labels: - app: test-app-summon-init - spec: - serviceAccountName: test-app-summon-init - containers: - - image: {{ TEST_APP_DOCKER_IMAGE }} - imagePullPolicy: {{ IMAGE_PULL_POLICY }} - name: test-app - ports: - - name: http - containerPort: 8080 - readinessProbe: - httpGet: - path: /pets - port: http - initialDelaySeconds: 15 - timeoutSeconds: 5 - env: - - name: CONJUR_APPLIANCE_URL - value: "{{ CONJUR_APPLIANCE_URL }}" - - name: CONJUR_ACCOUNT - value: {{ CONJUR_ACCOUNT }} - - name: CONJUR_AUTHN_TOKEN_FILE - value: /run/conjur/access-token - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - name: {{ CONFIG_MAP_NAME }} - key: ssl-certificate - volumeMounts: - - mountPath: /run/conjur - name: conjur-access-token - readOnly: true - initContainers: - - image: {{ AUTHENTICATOR_CLIENT_IMAGE }} - imagePullPolicy: Always - name: authenticator - env: - - name: CONTAINER_MODE - value: init - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: CONJUR_AUTHN_URL - value: "{{ CONJUR_AUTHN_URL }}" - - name: CONJUR_ACCOUNT - value: {{ CONJUR_ACCOUNT }} - - name: CONJUR_AUTHN_LOGIN - value: "{{ CONJUR_AUTHN_LOGIN_PREFIX }}/test-app-summon-init" - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - name: {{ 
CONFIG_MAP_NAME }} - key: ssl-certificate - volumeMounts: - - mountPath: /run/conjur - name: conjur-access-token - imagePullSecrets: - - name: dockerpullsecret - volumes: - - name: conjur-access-token - emptyDir: - medium: Memory diff --git a/bin/test-workflow/kubernetes/test-app-with-host-outside-apps-branch-summon-init.yml b/bin/test-workflow/kubernetes/test-app-with-host-outside-apps-branch-summon-init.yml deleted file mode 100644 index 681a7098..00000000 --- a/bin/test-workflow/kubernetes/test-app-with-host-outside-apps-branch-summon-init.yml +++ /dev/null 
@@ -1,106 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: test-app-with-host-outside-apps-branch-summon-init - labels: - app: test-app-with-host-outside-apps-branch-summon-init -spec: - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 - selector: - app: test-app-with-host-outside-apps-branch-summon-init - type: {{ SERVICE_TYPE }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: test-app-with-host-outside-apps-branch-summon-init ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: test-app-with-host-outside-apps-branch-summon-init - name: test-app-with-host-outside-apps-branch-summon-init -spec: - replicas: 1 - selector: - matchLabels: - app: test-app-with-host-outside-apps-branch-summon-init - template: - metadata: - labels: - app: test-app-with-host-outside-apps-branch-summon-init - spec: - serviceAccountName: test-app-with-host-outside-apps-branch-summon-init - containers: - - image: {{ TEST_APP_DOCKER_IMAGE }} - imagePullPolicy: {{ IMAGE_PULL_POLICY }} - name: test-app - ports: - - name: http - containerPort: 8080 - readinessProbe: - httpGet: - path: /pets - port: http - initialDelaySeconds: 15 - timeoutSeconds: 5 - env: - - name: CONJUR_APPLIANCE_URL - value: "{{ CONJUR_APPLIANCE_URL }}" - - name: CONJUR_ACCOUNT - value: {{ CONJUR_ACCOUNT }} - - name: CONJUR_AUTHN_TOKEN_FILE - value: /run/conjur/access-token - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - name: {{ CONFIG_MAP_NAME }} - key: ssl-certificate - volumeMounts: - - mountPath: /run/conjur - name: conjur-access-token - readOnly: true - initContainers: - - image: {{ AUTHENTICATOR_CLIENT_IMAGE }} - imagePullPolicy: Always - name: authenticator - env: - - name: CONTAINER_MODE - value: init - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: 
CONJUR_AUTHN_URL - value: "{{ CONJUR_AUTHN_URL }}" - - name: CONJUR_ACCOUNT - value: {{ CONJUR_ACCOUNT }} - - name: CONJUR_AUTHN_LOGIN - value: "{{ CONJUR_AUTHN_LOGIN }}" - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - name: {{ CONFIG_MAP_NAME }} - key: ssl-certificate - volumeMounts: - - mountPath: /run/conjur - name: conjur-access-token - imagePullSecrets: - - name: dockerpullsecret - volumes: - - name: conjur-access-token - emptyDir: - medium: Memory diff --git a/bin/test-workflow/openshift/conjur-cli.yml b/bin/test-workflow/openshift/conjur-cli.yml deleted file mode 100644 index b6f610d2..00000000 --- a/bin/test-workflow/openshift/conjur-cli.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: conjur-cli - labels: - app: conjur-cli -spec: - replicas: 1 - selector: - matchLabels: - app: conjur-cli - template: - metadata: - name: conjur-cli - labels: - app: conjur-cli - spec: - serviceAccountName: {{ CONJUR_SERVICE_ACCOUNT }} - containers: - - name: conjur-cli - image: {{ DOCKER_IMAGE }} - imagePullPolicy: {{ IMAGE_PULL_POLICY }} - command: ["sleep"] - args: ["infinity"] - imagePullSecrets: diff --git a/bin/test-workflow/openshift/mysql.template.yml b/bin/test-workflow/openshift/mysql.template.yml deleted file mode 100644 index 94e5fe13..00000000 --- a/bin/test-workflow/openshift/mysql.template.yml +++ /dev/null 
@@ -1,131 +0,0 @@ ---- -kind: Service -apiVersion: v1 -metadata: - name: test-summon-init-app-backend - namespace: {{ TEST_APP_NAMESPACE_NAME }} -spec: - selector: - app: test-summon-init-app-backend - ports: - - port: 3306 - targetPort: 3306 - ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: summon-init-mysql - labels: - app: test-summon-init-app-backend -spec: - serviceName: test-summon-init-app-backend - selector: - matchLabels: - app: test-summon-init-app-backend - template: - metadata: - labels: - app: test-summon-init-app-backend - spec: - containers: - - name: test-summon-init-app-backend - image: centos/mysql-57-centos7 - imagePullPolicy: Always - ports: - - containerPort: 3306 - env: - - name: MYSQL_USER - value: test_app - - name: MYSQL_PASSWORD - value: {{ TEST_APP_DB_PASSWORD }} - - name: MYSQL_DATABASE - value: test_app - ---- -kind: Service -apiVersion: v1 -metadata: - name: test-summon-sidecar-app-backend - namespace: {{ TEST_APP_NAMESPACE_NAME }} -spec: - selector: - app: test-summon-sidecar-app-backend - ports: - - port: 3306 - targetPort: 3306 - ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: summon-sidecar-mysql - labels: - app: test-summon-sidecar-app-backend -spec: - serviceName: test-summon-sidecar-app-backend - selector: - matchLabels: - app: test-summon-sidecar-app-backend - template: - metadata: - labels: - app: test-summon-sidecar-app-backend - spec: - containers: - - name: test-summon-sidecar-app-backend - image: centos/mysql-57-centos7 - imagePullPolicy: Always - ports: - - containerPort: 3306 - env: - - name: MYSQL_USER - value: test_app - - name: MYSQL_PASSWORD - value: {{ TEST_APP_DB_PASSWORD }} - - name: MYSQL_DATABASE - value: test_app - ---- -kind: Service -apiVersion: v1 -metadata: - name: test-secretless-app-backend - namespace: {{ TEST_APP_NAMESPACE_NAME }} -spec: - selector: - app: test-secretless-app-backend - ports: - - port: 3306 - targetPort: 3306 - ---- -apiVersion: apps/v1 -kind: StatefulSet 
-metadata: - name: secretless-mysql - labels: - app: test-secretless-app-backend -spec: - serviceName: test-secretless-app-backend - selector: - matchLabels: - app: test-secretless-app-backend - template: - metadata: - labels: - app: test-secretless-app-backend - spec: - containers: - - name: test-secretless-app-backend - image: centos/mysql-57-centos7 - imagePullPolicy: Always - ports: - - containerPort: 3306 - env: - - name: MYSQL_USER - value: test_app - - name: MYSQL_PASSWORD - value: {{ TEST_APP_DB_PASSWORD }} - - name: MYSQL_DATABASE - value: test_app diff --git a/bin/test-workflow/openshift/postgres.template.yml b/bin/test-workflow/openshift/postgres.template.yml deleted file mode 100644 index 4c6f0c9c..00000000 --- a/bin/test-workflow/openshift/postgres.template.yml +++ /dev/null 
@@ -1,170 +0,0 @@ ---- -kind: Service -apiVersion: v1 -metadata: - name: test-summon-init-app-backend - namespace: {{ TEST_APP_NAMESPACE_NAME }} -spec: - selector: - app: test-summon-init-app-backend - ports: - - port: 5432 - targetPort: 5432 - ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: summon-init-pg - labels: - app: test-summon-init-app-backend -spec: - serviceName: test-summon-init-app-backend - selector: - matchLabels: - app: test-summon-init-app-backend - template: - metadata: - labels: - app: test-summon-init-app-backend - spec: - containers: - - name: test-summon-init-app-backend - image: centos/postgresql-95-centos7 - imagePullPolicy: Always - ports: - - containerPort: 5432 - env: - - name: POSTGRESQL_USER - value: test_app - - name: POSTGRESQL_PASSWORD - value: {{ TEST_APP_DB_PASSWORD }} - - name: POSTGRESQL_DATABASE - value: test_app - volumeMounts: - - name: backend-certs - mountPath: "/etc/certs/" - readOnly: true - command: ["/bin/sh", "-c"] - args: - - mkdir -p /opt/app-root/certs/; - install -m 0600 /etc/certs/* /opt/app-root/certs; - run-postgresql -c ssl=on -c ssl_cert_file=/opt/app-root/certs/server.crt -c ssl_key_file=/opt/app-root/certs/server.key - volumes: - - name: backend-certs - secret: - secretName: test-app-backend-certs - ---- -kind: Service -apiVersion: v1 -metadata: - name: test-summon-sidecar-app-backend - namespace: {{ TEST_APP_NAMESPACE_NAME }} -spec: - selector: - app: test-summon-sidecar-app-backend - ports: - - port: 5432 - targetPort: 5432 - ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: summon-sidecar-pg - labels: - app: test-summon-sidecar-app-backend -spec: - serviceName: test-summon-sidecar-app-backend - selector: - matchLabels: - app: test-summon-sidecar-app-backend - template: - metadata: - labels: - app: test-summon-sidecar-app-backend - spec: - containers: - - name: test-summon-sidecar-app-backend - image: centos/postgresql-95-centos7 - imagePullPolicy: Always - ports: - - 
containerPort: 5432 - env: - - name: POSTGRESQL_USER - value: test_app - - name: POSTGRESQL_PASSWORD - value: {{ TEST_APP_DB_PASSWORD }} - - name: POSTGRESQL_DATABASE - value: test_app - volumeMounts: - - name: backend-certs - mountPath: "/etc/certs/" - readOnly: true - command: ["/bin/sh", "-c"] - args: - - mkdir -p /opt/app-root/certs/; - install -m 0600 /etc/certs/* /opt/app-root/certs; - run-postgresql -c ssl=on -c ssl_cert_file=/opt/app-root/certs/server.crt -c ssl_key_file=/opt/app-root/certs/server.key - volumes: - - name: backend-certs - secret: - secretName: test-app-backend-certs - ---- -kind: Service -apiVersion: v1 -metadata: - name: test-secretless-app-backend - namespace: {{ TEST_APP_NAMESPACE_NAME }} -spec: - selector: - app: test-secretless-app-backend - ports: - - port: 5432 - targetPort: 5432 - ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: secretless-pg - labels: - app: test-secretless-app-backend -spec: - serviceName: test-secretless-app-backend - selector: - matchLabels: - app: test-secretless-app-backend - template: - metadata: - labels: - app: test-secretless-app-backend - spec: - containers: - - name: test-secretless-app-backend - image: centos/postgresql-95-centos7 - imagePullPolicy: Always - ports: - - containerPort: 5432 - env: - - name: POSTGRESQL_USER - value: test_app - - name: POSTGRESQL_PASSWORD - value: {{ TEST_APP_DB_PASSWORD }} - - name: POSTGRESQL_DATABASE - value: test_app - volumeMounts: - - name: backend-certs - mountPath: "/etc/certs/" - readOnly: true - command: ["/bin/sh", "-c"] - args: - - mkdir -p /opt/app-root/certs/; - install -m 0600 /etc/certs/* /opt/app-root/certs; - run-postgresql -c ssl=on -c ssl_cert_file=/opt/app-root/certs/server.crt -c ssl_key_file=/opt/app-root/certs/server.key - volumes: - - name: backend-certs - secret: - secretName: test-app-backend-certs 
diff --git a/bin/test-workflow/openshift/test-app-conjur-authenticator-role-binding.yml b/bin/test-workflow/openshift/test-app-conjur-authenticator-role-binding.yml deleted file mode 100644 index 1b3c9fc3..00000000 --- a/bin/test-workflow/openshift/test-app-conjur-authenticator-role-binding.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: test-app-conjur-authenticator-role-binding-{{ CONJUR_NAMESPACE }} - namespace: {{ TEST_APP_NAMESPACE_NAME }} -subjects: - - kind: ServiceAccount - name: {{ CONJUR_SERVICE_ACCOUNT }} - namespace: {{ CONJUR_NAMESPACE }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ CONJUR_AUTHN_CLUSTER_ROLE }} diff --git a/bin/test-workflow/openshift/test-app-secretless.yml b/bin/test-workflow/openshift/test-app-secretless.yml deleted file mode 100644 index 140d0164..00000000 --- a/bin/test-workflow/openshift/test-app-secretless.yml +++ /dev/null 
@@ -1,95 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: test-app-secretless - labels: - app: test-app-secretless -spec: - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 - selector: - app: test-app-secretless - type: {{ SERVICE_TYPE }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: oc-test-app-secretless ---- -apiVersion: v1 -kind: DeploymentConfig -metadata: - labels: - app: test-app-secretless - name: test-app-secretless -spec: - replicas: 1 - selector: - app: test-app-secretless - template: - metadata: - labels: - app: test-app-secretless - spec: - serviceAccountName: oc-test-app-secretless - containers: - - image: cyberark/demo-app - imagePullPolicy: Always - name: test-app-secretless - ports: - - name: http - containerPort: 8080 - readinessProbe: - httpGet: - path: /pets - port: http - initialDelaySeconds: 15 - timeoutSeconds: 5 - env: - - name: DB_URL - value: {{ SECRETLESS_DB_URL }} - - image: {{ SECRETLESS_IMAGE }} - imagePullPolicy: Always - name: secretless - args: ["-f", "/etc/secretless/secretless.yml"] - ports: - - containerPort: 5432 - env: - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: CONJUR_AUTHN_URL - value: "{{ CONJUR_AUTHN_URL }}" - - name: CONJUR_APPLIANCE_URL - value: "{{ CONJUR_APPLIANCE_URL }}" - - name: CONJUR_ACCOUNT - value: "{{ CONJUR_ACCOUNT }}" - - name: CONJUR_AUTHN_LOGIN - value: "{{ CONJUR_AUTHN_LOGIN_PREFIX }}/oc-test-app-secretless" - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - name: "{{ CONFIG_MAP_NAME }}" - key: ssl-certificate - volumeMounts: - - name: config - mountPath: "/etc/secretless" - readOnly: true - imagePullSecrets: - - name: dockerpullsecret - volumes: - - name: config - configMap: - name: test-app-secretless-config 
diff --git a/bin/test-workflow/openshift/test-app-summon-init.yml b/bin/test-workflow/openshift/test-app-summon-init.yml deleted file mode 100644 index dbe30e69..00000000 --- a/bin/test-workflow/openshift/test-app-summon-init.yml +++ /dev/null 
@@ -1,105 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: test-app-summon-init - labels: - app: test-app-summon-init -spec: - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 - selector: - app: test-app-summon-init - type: {{ SERVICE_TYPE }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: oc-test-app-summon-init ---- -apiVersion: v1 -kind: DeploymentConfig -metadata: - labels: - app: test-app-summon-init - name: test-app-summon-init -spec: - replicas: 1 - selector: - app: test-app-summon-init - template: - metadata: - labels: - app: test-app-summon-init - spec: - serviceAccountName: oc-test-app-summon-init - containers: - - image: {{ TEST_APP_DOCKER_IMAGE }} - imagePullPolicy: Always - name: test-app - ports: - - name: http - containerPort: 8080 - readinessProbe: - httpGet: - path: /pets - port: http - initialDelaySeconds: 15 - timeoutSeconds: 5 - env: - - name: CONJUR_APPLIANCE_URL - value: "{{ CONJUR_APPLIANCE_URL }}" - - name: CONJUR_ACCOUNT - value: {{ CONJUR_ACCOUNT }} - - name: CONJUR_AUTHN_TOKEN_FILE - value: /run/conjur/access-token - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - name: {{ CONFIG_MAP_NAME }} - key: ssl-certificate - volumeMounts: - - mountPath: /run/conjur - name: conjur-access-token - readOnly: true - initContainers: - - image: {{ AUTHENTICATOR_CLIENT_IMAGE }} - imagePullPolicy: Always - name: authenticator - env: - - name: CONTAINER_MODE - value: init - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: CONJUR_AUTHN_URL - value: "{{ CONJUR_AUTHN_URL }}" - - name: CONJUR_ACCOUNT - value: {{ CONJUR_ACCOUNT }} - - name: CONJUR_AUTHN_LOGIN - value: "{{ CONJUR_AUTHN_LOGIN_PREFIX }}/oc-test-app-summon-init" - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - name: {{ CONFIG_MAP_NAME }} - key: 
ssl-certificate - volumeMounts: - - mountPath: /run/conjur - name: conjur-access-token - imagePullSecrets: - - name: dockerpullsecret - volumes: - - name: conjur-access-token - emptyDir: - medium: Memory diff --git a/bin/test-workflow/openshift/test-app-summon-sidecar.yml b/bin/test-workflow/openshift/test-app-summon-sidecar.yml deleted file mode 100644 index a9647c11..00000000 --- a/bin/test-workflow/openshift/test-app-summon-sidecar.yml +++ /dev/null 
@@ -1,102 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: test-app-summon-sidecar - labels: - app: test-app-summon-sidecar -spec: - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 - selector: - app: test-app-summon-sidecar - type: {{ SERVICE_TYPE }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: oc-test-app-summon-sidecar ---- -apiVersion: v1 -kind: DeploymentConfig -metadata: - labels: - app: test-app-summon-sidecar - name: test-app-summon-sidecar -spec: - replicas: 1 - selector: - app: test-app-summon-sidecar - template: - metadata: - labels: - app: test-app-summon-sidecar - spec: - serviceAccountName: oc-test-app-summon-sidecar - containers: - - image: {{ TEST_APP_DOCKER_IMAGE }} - imagePullPolicy: Always - name: test-app - ports: - - name: http - containerPort: 8080 - readinessProbe: - httpGet: - path: /pets - port: http - initialDelaySeconds: 15 - timeoutSeconds: 5 - env: - - name: CONJUR_APPLIANCE_URL - value: "{{ CONJUR_APPLIANCE_URL }}" - - name: CONJUR_ACCOUNT - value: {{ CONJUR_ACCOUNT }} - - name: CONJUR_AUTHN_TOKEN_FILE - value: /run/conjur/access-token - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - name: {{ CONFIG_MAP_NAME }} - key: ssl-certificate - volumeMounts: - - mountPath: /run/conjur - name: conjur-access-token - readOnly: true - - image: {{ AUTHENTICATOR_CLIENT_IMAGE }} - imagePullPolicy: Always - name: authenticator - env: - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: CONJUR_AUTHN_URL - value: "{{ CONJUR_AUTHN_URL }}" - - name: CONJUR_ACCOUNT - value: {{ CONJUR_ACCOUNT }} - - name: CONJUR_AUTHN_LOGIN - value: "{{ CONJUR_AUTHN_LOGIN_PREFIX }}/oc-test-app-summon-sidecar" - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - name: {{ CONFIG_MAP_NAME }} - key: ssl-certificate - 
volumeMounts: - - mountPath: /run/conjur - name: conjur-access-token - imagePullSecrets: - - name: dockerpullsecret - volumes: - - name: conjur-access-token - emptyDir: - medium: Memory diff --git a/bin/test-workflow/openshift/test-app-with-host-outside-apps-branch-summon-init.yml b/bin/test-workflow/openshift/test-app-with-host-outside-apps-branch-summon-init.yml deleted file mode 100644 index fd0800c1..00000000 --- a/bin/test-workflow/openshift/test-app-with-host-outside-apps-branch-summon-init.yml +++ /dev/null 
@@ -1,105 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: test-app-with-host-outside-apps-branch-summon-init - labels: - app: test-app-with-host-outside-apps-branch-summon-init -spec: - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 - selector: - app: test-app-with-host-outside-apps-branch-summon-init - type: {{ SERVICE_TYPE }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: oc-test-app-with-host-outside-apps-branch-summon-init ---- -apiVersion: v1 -kind: DeploymentConfig -metadata: - labels: - app: test-app-with-host-outside-apps-branch-summon-init - name: test-app-with-host-outside-apps-branch-summon-init -spec: - replicas: 1 - selector: - app: test-app-with-host-outside-apps-branch-summon-init - template: - metadata: - labels: - app: test-app-with-host-outside-apps-branch-summon-init - spec: - serviceAccountName: oc-test-app-with-host-outside-apps-branch-summon-init - containers: - - image: {{ TEST_APP_DOCKER_IMAGE }} - imagePullPolicy: Always - name: test-app - ports: - - name: http - containerPort: 8080 - readinessProbe: - httpGet: - path: /pets - port: http - initialDelaySeconds: 15 - timeoutSeconds: 5 - env: - - name: CONJUR_APPLIANCE_URL - value: "{{ CONJUR_APPLIANCE_URL }}" - - name: CONJUR_ACCOUNT - value: {{ CONJUR_ACCOUNT }} - - name: CONJUR_AUTHN_TOKEN_FILE - value: /run/conjur/access-token - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - name: {{ CONFIG_MAP_NAME }} - key: ssl-certificate - volumeMounts: - - mountPath: /run/conjur - name: conjur-access-token - readOnly: true - initContainers: - - image: {{ AUTHENTICATOR_CLIENT_IMAGE }} - imagePullPolicy: Always - name: authenticator - env: - - name: CONTAINER_MODE - value: init - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: CONJUR_AUTHN_URL - value: "{{ 
CONJUR_AUTHN_URL }}" - - name: CONJUR_ACCOUNT - value: {{ CONJUR_ACCOUNT }} - - name: CONJUR_AUTHN_LOGIN - value: "{{ CONJUR_AUTHN_LOGIN }}" - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - name: {{ CONFIG_MAP_NAME }} - key: ssl-certificate - volumeMounts: - - mountPath: /run/conjur - name: conjur-access-token - imagePullSecrets: - - name: dockerpullsecret - volumes: - - name: conjur-access-token - emptyDir: - medium: Memory diff --git a/bin/test-workflow/openshift/test-curl.yml b/bin/test-workflow/openshift/test-curl.yml deleted file mode 100644 index c3af6420..00000000 --- a/bin/test-workflow/openshift/test-curl.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: test-curl - labels: - name: test-curl -spec: - containers: - - name: busyboxplus - image: radial/busyboxplus:curl - imagePullPolicy: Always - command: ["sh", "-c", "tail -f /dev/null"] diff --git a/bin/test-workflow/stop b/bin/test-workflow/stop deleted file mode 100755 index 014341bd..00000000 --- a/bin/test-workflow/stop +++ /dev/null @@ -1,39 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -. utils.sh - -KUBE_CLI_DELETE_TIMEOUT="10m" - -set_namespace "$TEST_APP_NAMESPACE_NAME" -"$cli" get pods - -set_namespace default - -if [[ "$PLATFORM" == "openshift" ]]; then - oc login -u "$OSHIFT_CLUSTER_ADMIN_USERNAME" -p "$OPENSHIFT_PASSWORD" -fi - -if has_namespace "$TEST_APP_NAMESPACE_NAME"; then - "$cli" delete --timeout="$KUBE_CLI_DELETE_TIMEOUT" \ - namespace "$TEST_APP_NAMESPACE_NAME" || \ - (echo "ERROR: Delete of namespace $TEST_APP_NAMESPACE_NAME failed" && \ - echo "Showing residual resources in namespace:" && \ - "$cli" describe all -n "$TEST_APP_NAMESPACE_NAME") - - printf "Waiting for $TEST_APP_NAMESPACE_NAME namespace deletion to complete" - - while : ; do - printf "." - - if has_namespace "$TEST_APP_NAMESPACE_NAME"; then - sleep 5 - else - break - fi - done - - echo "" -fi - -echo "Test app environment purged." 
From 9e36071962df50b471bf426de90d63498f807f58 Mon Sep 17 00:00:00 2001 From: Samir Shetty Date: Wed, 26 May 2021 18:03:59 -0700 Subject: [PATCH 09/18] Clean up app deploy script --- bin/test-workflow/0_prep_conjur_in_kind.sh | 1 + .../2_admin_load_conjur_policies.sh | 8 +- bin/test-workflow/7_app_deploy.sh | 285 ------------------ bin/test-workflow/7_app_deploy_backend.sh | 46 +++ .../8_app_deploy_summon_sidecar.sh | 21 ++ ...tion.sh => 9_app_verify_authentication.sh} | 0 bin/test-workflow/start | 5 +- 7 files changed, 75 insertions(+), 291 deletions(-) delete mode 100755 bin/test-workflow/7_app_deploy.sh create mode 100755 bin/test-workflow/7_app_deploy_backend.sh create mode 100755 bin/test-workflow/8_app_deploy_summon_sidecar.sh rename bin/test-workflow/{8_app_verify_authentication.sh => 9_app_verify_authentication.sh} (100%) diff --git a/bin/test-workflow/0_prep_conjur_in_kind.sh b/bin/test-workflow/0_prep_conjur_in_kind.sh index df72295a..253d4b04 100755 --- a/bin/test-workflow/0_prep_conjur_in_kind.sh +++ b/bin/test-workflow/0_prep_conjur_in_kind.sh @@ -30,6 +30,7 @@ pushd temp > /dev/null announce "Retrieving the Conjur admin password" export CONJUR_ADMIN_PASSWORD="$(./3_retrieve_admin_password.sh)" + echo "CONJUR_ADMIN_PASSWORD=$CONJUR_ADMIN_PASSWORD" announce "Enabling the Conjur Kubernetes authenticator if necessary" ./4_ensure_authn_k8s_enabled.sh diff --git a/bin/test-workflow/2_admin_load_conjur_policies.sh b/bin/test-workflow/2_admin_load_conjur_policies.sh index ccf88bb1..48a13963 100755 --- a/bin/test-workflow/2_admin_load_conjur_policies.sh +++ b/bin/test-workflow/2_admin_load_conjur_policies.sh @@ -52,7 +52,6 @@ ensure_conjur_cli_initialized() { $cli exec $1 -- bash -c "yes yes | conjur init -a $CONJUR_ACCOUNT -u $conjur_url" # Flaky with 500 Internal Server Error, mitigate with retry wait_for_it 300 "$cli exec $1 -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD" - sleep 5 } pushd policy > /dev/null 
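Review bot: The added `echo "CONJUR_ADMIN_PASSWORD=$CONJUR_ADMIN_PASSWORD"` in `0_prep_conjur_in_kind.sh` prints the Conjur admin password to stdout, so it ends up in CI logs and in any captured output of the script; the variable is already exported on the preceding line, so later steps can read it without it being echoed, and if a human needs it a file with restricted permissions would be the safer hand-off. Patch 13/18 later in this series removes this line again, but the secret is still written to logs by every run of this commit. The enclosing `pushd temp` block starts outside the hunk.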
@@ -100,8 +99,8 @@ announce "Loading Conjur policy." $cli exec $conjur_cli_pod -- rm -rf /policy $cli cp ./policy $conjur_cli_pod:/policy -$cli exec $conjur_cli_pod -- \ - bash -c " +wait_for_it 300 "$cli exec $conjur_cli_pod -- \ + bash -c \" conjur_appliance_url=${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE.svc.cluster.local} CONJUR_ACCOUNT=${CONJUR_ACCOUNT} \ CONJUR_ADMIN_PASSWORD=${CONJUR_ADMIN_PASSWORD} \ @@ -109,7 +108,8 @@ $cli exec $conjur_cli_pod -- \ TEST_APP_NAMESPACE_NAME=${TEST_APP_NAMESPACE_NAME} \ TEST_APP_DATABASE=${TEST_APP_DATABASE} \ /policy/load_policies.sh - " + \" +" $cli exec $conjur_cli_pod -- rm -rf ./policy diff --git a/bin/test-workflow/7_app_deploy.sh b/bin/test-workflow/7_app_deploy.sh deleted file mode 100755 index 963e20f7..00000000 --- a/bin/test-workflow/7_app_deploy.sh +++ /dev/null 
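Review bot: Wrapping the policy load in `wait_for_it 300 "…"` turns `${CONJUR_ADMIN_PASSWORD}` and the other variables into text inside a single double-quoted string that is re-parsed on every retry, so a password containing `"`, `$` or a backtick now changes the meaning of the inner `bash -c \"…\"` command, and if `wait_for_it` prints the command it is retrying (its definition is outside this hunk) the admin password is printed with it. If `wait_for_it` evaluates its argument in the current shell, a named function that runs the `$cli exec … /policy/load_policies.sh` pipeline and passes the secrets through `env CONJUR_ADMIN_PASSWORD="$CONJUR_ADMIN_PASSWORD" …` avoids the nested quoting; otherwise a small retry loop around the original `$cli exec` call keeps the password out of a re-evaluated string. The second hunk (`@@ -109,7 +108,8 @@`) is the closing quote of the same string and needs no separate change.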
@@ -1,285 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -. utils.sh - -main() { - announce "Deploying test apps for $TEST_APP_NAMESPACE_NAME." - - URLENCODED_AUTHN_ID=$(urlencode $AUTHENTICATOR_ID) - - set_namespace $TEST_APP_NAMESPACE_NAME - init_registry_creds - init_connection_specs - - if is_minienv; then - IMAGE_PULL_POLICY='Never' - else - IMAGE_PULL_POLICY='Always' - fi - - deploy_app_backend - # deploy_secretless_app - deploy_sidecar_app - # deploy_init_container_app - # deploy_init_container_app_with_host_outside_apps -} - -########################### -init_registry_creds() { - if [[ "${PLATFORM}" == "kubernetes" ]] && [[ -n "${DOCKER_EMAIL}" ]]; then - announce "Creating image pull secret." - - kubectl delete --ignore-not-found secret dockerpullsecret - - kubectl create secret docker-registry dockerpullsecret \ - --docker-server=${PULL_DOCKER_REGISTRY_URL} \ - --docker-username=$DOCKER_USERNAME \ - --docker-password=$DOCKER_PASSWORD \ - --docker-email=$DOCKER_EMAIL - elif [[ "$PLATFORM" == "openshift" ]]; then - announce "Creating image pull secret." 
- - $cli delete --ignore-not-found secrets dockerpullsecret - - $cli secrets new-dockercfg dockerpullsecret \ - --docker-server=${PULL_DOCKER_REGISTRY_URL} \ - --docker-username=_ \ - --docker-password=$($cli whoami -t) \ - --docker-email=_ - - $cli secrets add serviceaccount/default secrets/dockerpullsecret --for=pull - fi -} - -########################### -init_connection_specs() { - test_sidecar_app_docker_image=$(platform_image_for_pull test-sidecar-app) - test_init_app_docker_image=$(platform_image_for_pull test-init-app) - - if [[ "$LOCAL_AUTHENTICATOR" == "true" ]]; then - authenticator_client_image=$(platform_image_for_pull conjur-authn-k8s-client) - secretless_image=$(platform_image_for_pull secretless-broker) - else - authenticator_client_image="cyberark/conjur-authn-k8s-client" - secretless_image="cyberark/secretless-broker" - fi - - if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then - conjur_appliance_url=${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE.svc.cluster.local} - else - conjur_follower_name=${CONJUR_FOLLOWER_NAME:-conjur-follower} - conjur_appliance_url=https://$conjur_follower_name.$CONJUR_NAMESPACE.svc.cluster.local/api - fi - conjur_authenticator_url="$conjur_appliance_url/authn-k8s/$URLENCODED_AUTHN_ID" -} - -########################### -deploy_app_backend() { - $cli delete --ignore-not-found \ - service/test-summon-init-app-backend \ - service/test-summon-sidecar-app-backend \ - service/test-secretless-app-backend \ - statefulset/summon-init-pg \ - statefulset/secretless-pg \ - statefulset/summon-init-mysql \ - statefulset/summon-sidecar-mysql \ - statefulset/secretless-mysql \ - secret/test-app-backend-certs - - ensure_env_database - case "${TEST_APP_DATABASE}" in - postgres) - echo "Create secrets for test app backend" - $cli --namespace $TEST_APP_NAMESPACE_NAME \ - create secret generic \ - test-app-backend-certs \ - --from-file=server.crt=./etc/ca.pem \ - --from-file=server.key=./etc/ca-key.pem - - echo "Deploying test 
app backend" - - # Install postgresql helm chart - if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^summon-sidecar-app-backend-pg$")" = "summon-sidecar-app-backend-pg" ]; then - helm uninstall summon-sidecar-app-backend-pg -n "$TEST_APP_NAMESPACE_NAME" - fi - - kubectl delete --ignore-not-found pvc -l app.kubernetes.io/instance=summon-sidecar-app-backend-pg - - helm repo add bitnami https://charts.bitnami.com/bitnami - - helm install summon-sidecar-app-backend-pg bitnami/postgresql -n $TEST_APP_NAMESPACE_NAME --debug --wait \ - --set image.repository="postgres" \ - --set image.tag="9.6" \ - --set postgresqlDataDir="/data/pgdata" \ - --set persistence.mountPath="/data/" \ - --set fullnameOverride="test-summon-sidecar-app-backend" \ - --set tls.enabled=true \ - --set volumePermissions.enabled=true \ - --set tls.certificatesSecret="test-app-backend-certs" \ - --set tls.certFilename="server.crt" \ - --set tls.certKeyFilename="server.key" \ - --set securityContext.fsGroup="999" \ - --set postgresqlDatabase="test_app" \ - --set postgresqlUsername="test_app" \ - --set postgresqlPassword=$SAMPLE_APP_BACKEND_DB_PASSWORD - ;; - mysql) - echo "Deploying test app backend" - - test_app_mysql_docker_image="mysql/mysql-server:5.7" - - sed "s#{{ TEST_APP_DATABASE_DOCKER_IMAGE }}#$test_app_mysql_docker_image#g" ./$PLATFORM/tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml | - sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | - $cli create -f - - ;; - esac - -} - -########################### -deploy_sidecar_app() { - pushd $(dirname "$0")/../../helm/app-deploy > /dev/null - # Deploy a given app with yet another subset of the subset of our golden configmap, allowing - # connection to Conjur - announce "Installing sidecar application chart" - if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^sidecar-app$")" = "sidecar-app" ]; then - helm uninstall sidecar-app -n "$TEST_APP_NAMESPACE_NAME" - fi - - helm 
install sidecar-app . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait \ - --set app-summon-sidecar.enabled=true \ - --set global.conjur.conjurConnConfigMap="conjur-connect-configmap" \ - --set app-summon-sidecar.conjur.authnLogin="$CONJUR_AUTHN_LOGIN_PREFIX/test-app-summon-sidecar" - popd > /dev/null - - echo "Test app/sidecar deployed." -} - -########################### -deploy_init_container_app() { - $cli delete --ignore-not-found \ - deployment/test-app-summon-init \ - service/test-app-summon-init \ - serviceaccount/test-app-summon-init \ - serviceaccount/oc-test-app-summon-init - - if [[ "$PLATFORM" == "openshift" ]]; then - oc delete --ignore-not-found \ - deploymentconfig/test-app-summon-init \ - route/test-app-summon-init - fi - - sleep 5 - - sed "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_init_app_docker_image#g" ./$PLATFORM/test-app-summon-init.yml | - sed "s#{{ AUTHENTICATOR_CLIENT_IMAGE }}#$authenticator_client_image#g" | - sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | - sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | - sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$CONJUR_AUTHN_LOGIN_PREFIX#g" | - sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | - sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | - sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" | - sed "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - sed "s#{{ SERVICE_TYPE }}#$(app_service_type)#g" | - $cli create -f - - - if [[ "$PLATFORM" == "openshift" ]]; then - oc expose service test-app-summon-init - fi - - echo "Test app/init-container deployed." 
-} - -########################### -deploy_init_container_app_with_host_outside_apps() { - $cli delete --ignore-not-found \ - deployment/test-app-with-host-outside-apps-branch-summon-init \ - service/test-app-with-host-outside-apps-branch-summon-init \ - serviceaccount/test-app-with-host-outside-apps-branch-summon-init \ - serviceaccount/oc-test-app-with-host-outside-apps-branch-summon-init - - if [[ "$PLATFORM" == "openshift" ]]; then - oc delete --ignore-not-found \ - deploymentconfig/test-app-with-host-outside-apps-branch-summon-init \ - route/test-app-with-host-outside-apps-branch-summon-init - fi - - sleep 5 - - conjur_authn_login="host/some-apps/$TEST_APP_NAMESPACE_NAME/*/*" - - sed "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_init_app_docker_image#g" ./$PLATFORM/test-app-with-host-outside-apps-branch-summon-init.yml | - sed "s#{{ AUTHENTICATOR_CLIENT_IMAGE }}#$authenticator_client_image#g" | - sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | - sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | - sed "s#{{ CONJUR_AUTHN_LOGIN }}#$conjur_authn_login#g" | - sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | - sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | - sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" | - sed "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - sed "s#{{ SERVICE_TYPE }}#$(app_service_type)#g" | - $cli create -f - - - if [[ "$PLATFORM" == "openshift" ]]; then - oc expose service test-app-with-host-outside-apps-branch-summon-init - fi - - echo "Test app/init-container deployed." 
-} - -########################### -deploy_secretless_app() { - $cli delete --ignore-not-found \ - deployment/test-app-secretless \ - service/test-app-secretless \ - serviceaccount/test-app-secretless \ - serviceaccount/oc-test-app-secretless \ - configmap/test-app-secretless-config - - if [[ "$PLATFORM" == "openshift" ]]; then - oc delete --ignore-not-found \ - deploymentconfig/test-app-secretless \ - route/test-app-secretless - fi - - $cli create configmap test-app-secretless-config \ - --from-file=etc/secretless.yml - - sleep 5 - - ensure_env_database - case "${TEST_APP_DATABASE}" in - postgres) - PORT=5432 - PROTOCOL=postgresql - ;; - mysql) - PORT=3306 - PROTOCOL=mysql - ;; - esac - secretless_db_url="$PROTOCOL://localhost:$PORT/test_app" - - sed "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" ./$PLATFORM/test-app-secretless.yml | - sed "s#{{ SECRETLESS_IMAGE }}#$secretless_image#g" | - sed "s#{{ SECRETLESS_DB_URL }}#$secretless_db_url#g" | - sed "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" | - sed "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$CONJUR_AUTHN_LOGIN_PREFIX#g" | - sed "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - sed "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | - sed "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" | - sed "s#{{ SERVICE_TYPE }}#$(app_service_type)#g" | - $cli create -f - - - if [[ "$PLATFORM" == "openshift" ]]; then - oc expose service test-app-secretless - fi - - echo "Secretless test app deployed." -} - -main $@ diff --git a/bin/test-workflow/7_app_deploy_backend.sh b/bin/test-workflow/7_app_deploy_backend.sh new file mode 100755 index 00000000..f3d91a47 --- /dev/null +++ b/bin/test-workflow/7_app_deploy_backend.sh 
@@ -0,0 +1,46 @@ +#!/usr/bin/env bash +set -euo pipefail + +. utils.sh + +announce "Deploying summon-sidecar test app postgres backend for $TEST_APP_NAMESPACE_NAME." + +set_namespace $TEST_APP_NAMESPACE_NAME + +echo "Create secrets for test app backend" +$cli delete --namespace $TEST_APP_NAMESPACE_NAME --ignore-not-found \ + secret test-app-backend-certs + +$cli --namespace $TEST_APP_NAMESPACE_NAME \ + create secret generic \ + test-app-backend-certs \ + --from-file=server.crt=./etc/ca.pem \ + --from-file=server.key=./etc/ca-key.pem + +echo "Deploying test app backend" + +# Install postgresql helm chart +if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^app-summon-sidecar-backend-pg$")" = "app-summon-sidecar-backend-pg" ]; then + helm uninstall app-summon-sidecar-backend-pg -n "$TEST_APP_NAMESPACE_NAME" +fi + +$cli delete --namespace $TEST_APP_NAMESPACE_NAME --ignore-not-found \ + pvc -l app.kubernetes.io/instance=app-summon-sidecar-backend-pg + +helm repo add bitnami https://charts.bitnami.com/bitnami + +helm install app-summon-sidecar-backend-pg bitnami/postgresql -n $TEST_APP_NAMESPACE_NAME --debug --wait \ + --set image.repository="postgres" \ + --set image.tag="9.6" \ + --set postgresqlDataDir="/data/pgdata" \ + --set persistence.mountPath="/data/" \ + --set fullnameOverride="test-summon-sidecar-app-backend" \ + --set tls.enabled=true \ + --set volumePermissions.enabled=true \ + --set tls.certificatesSecret="test-app-backend-certs" \ + --set tls.certFilename="server.crt" \ + --set tls.certKeyFilename="server.key" \ + --set securityContext.fsGroup="999" \ + --set postgresqlDatabase="test_app" \ + --set postgresqlUsername="test_app" \ + --set postgresqlPassword=$SAMPLE_APP_BACKEND_DB_PASSWORD diff --git a/bin/test-workflow/8_app_deploy_summon_sidecar.sh b/bin/test-workflow/8_app_deploy_summon_sidecar.sh new file mode 100755 index 00000000..f155f0e3 --- /dev/null +++ b/bin/test-workflow/8_app_deploy_summon_sidecar.sh 
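Review bot: `--set postgresqlPassword=$SAMPLE_APP_BACKEND_DB_PASSWORD` on the last line is passed on the helm command line while the install runs with `--debug`, whose verbose output normally includes the user-supplied values, so the backend password is printed to stdout on every run; dropping `--debug` here, or supplying the password via `--set-file postgresqlPassword=<path-to-file>` so it is not part of the argument list, keeps it out of logs and `ps` output. The value is also unquoted — today it is `openssl rand -hex 12` output (see the deleted `1_prep_check_dependencies.sh` later on this page) so word-splitting is not an issue, but `--set postgresqlPassword="$SAMPLE_APP_BACKEND_DB_PASSWORD"` is the safe form if that ever changes. Note that `./etc/ca-key.pem` is the repository's committed test CA key being reused as the server TLS key; a comment such as `# Test-only backend: server.key is the committed test CA key, never reuse outside the test workflow` above the secret creation would make that explicit.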
@@ -0,0 +1,21 @@ +#!/usr/bin/env bash +set -euo pipefail + +. utils.sh + +announce "Deploying summon-sidecar test app for $TEST_APP_NAMESPACE_NAME." + +set_namespace $TEST_APP_NAMESPACE_NAME + +if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^app-summon-sidecar$")" = "app-summon-sidecar" ]; then + helm uninstall app-summon-sidecar -n "$TEST_APP_NAMESPACE_NAME" +fi + +pushd $(dirname "$0")/../../helm/app-deploy > /dev/null + helm install app-summon-sidecar . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait \ + --set app-summon-sidecar.enabled=true \ + --set global.conjur.conjurConnConfigMap="conjur-connect-configmap" \ + --set app-summon-sidecar.conjur.authnLogin="$CONJUR_AUTHN_LOGIN_PREFIX/test-app-summon-sidecar" +popd > /dev/null + +echo "Test app/sidecar deployed." diff --git a/bin/test-workflow/8_app_verify_authentication.sh b/bin/test-workflow/9_app_verify_authentication.sh similarity index 100% rename from bin/test-workflow/8_app_verify_authentication.sh rename to bin/test-workflow/9_app_verify_authentication.sh diff --git a/bin/test-workflow/start b/bin/test-workflow/start index 82f01bf1..78eb9aed 100755 --- a/bin/test-workflow/start +++ b/bin/test-workflow/start @@ -14,5 +14,6 @@ cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) ./4_kubernetes_cluster_prep.sh ./5_app_namespace_prep.sh ./6_app_build_and_push_containers.sh -./7_app_deploy.sh -./8_app_verify_authentication.sh +./7_app_deploy_backend.sh +./8_app_deploy_summon_sidecar.sh +./9_app_verify_authentication.sh From fb60ba8ed1683659e3d31947757cb72279c9d480 Mon Sep 17 00:00:00 2001 
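Review bot: The `helm list … | grep "^app-summon-sidecar$"` guard followed by `helm uninstall` and a fresh `helm install` could be a single `helm upgrade --install app-summon-sidecar . -n "$TEST_APP_NAMESPACE_NAME" --wait \`, which is the form patch 11/18 in this series adopts for the cluster-prep and namespace-prep scripts; uninstall-then-install also tears the sidecar pod down on every run, so if a clean reinstall is the intent a comment saying so would help the next reader. `pushd $(dirname "$0")/../../helm/app-deploy` should quote the substitution, `pushd "$(dirname "$0")/../../helm/app-deploy" > /dev/null`, since `set -u` does not protect against a path containing spaces. The `--debug` flag on `helm install` prints the supplied values; nothing secret is passed here, but it is worth keeping consistent with whatever is decided for `7_app_deploy_backend.sh`.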
From: Samir Shetty Date: Wed, 26 May 2021 18:46:30 -0700 Subject: [PATCH 10/18] Modify app-ns-prep chart to create secret containing backend cert --- bin/test-workflow/5_app_namespace_prep.sh | 3 ++- bin/test-workflow/7_app_deploy_backend.sh | 10 ---------- .../files}/ca-key.pem | 0 .../conjur-config-namespace-prep/files}/ca.pem | 0 .../templates/app_backend_secret.yaml | 16 ++++++++++++++++ .../values.schema.json | 6 +++++- helm/conjur-config-namespace-prep/values.yaml | 1 + 7 files changed, 24 insertions(+), 12 deletions(-) rename {bin/test-workflow/etc => helm/conjur-config-namespace-prep/files}/ca-key.pem (100%) rename {bin/test-workflow/etc => helm/conjur-config-namespace-prep/files}/ca.pem (100%) create mode 100644 helm/conjur-config-namespace-prep/templates/app_backend_secret.yaml diff --git a/bin/test-workflow/5_app_namespace_prep.sh b/bin/test-workflow/5_app_namespace_prep.sh index f4a8d08c..d97629bf 100755 --- a/bin/test-workflow/5_app_namespace_prep.sh +++ b/bin/test-workflow/5_app_namespace_prep.sh @@ -16,5 +16,6 @@ pushd $(dirname "$0")/../../helm/application-namespace-prep > /dev/null helm install namespace-prep . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait \ --create-namespace \ --set authnK8s.goldenConfigMap="authn-k8s-configmap" \ - --set authnK8s.namespace="$CONJUR_NAMESPACE" + --set authnK8s.namespace="$CONJUR_NAMESPACE" \ + --set authnK8s.backendSecret="test-app-backend-certs" popd > /dev/null diff --git a/bin/test-workflow/7_app_deploy_backend.sh b/bin/test-workflow/7_app_deploy_backend.sh index f3d91a47..de85022c 100755 --- a/bin/test-workflow/7_app_deploy_backend.sh +++ b/bin/test-workflow/7_app_deploy_backend.sh 
@@ -7,16 +7,6 @@ announce "Deploying summon-sidecar test app postgres backend for $TEST_APP_NAMES set_namespace $TEST_APP_NAMESPACE_NAME -echo "Create secrets for test app backend" -$cli delete --namespace $TEST_APP_NAMESPACE_NAME --ignore-not-found \ - secret test-app-backend-certs - -$cli --namespace $TEST_APP_NAMESPACE_NAME \ - create secret generic \ - test-app-backend-certs \ - --from-file=server.crt=./etc/ca.pem \ - --from-file=server.key=./etc/ca-key.pem - echo "Deploying test app backend" # Install postgresql helm chart diff --git a/bin/test-workflow/etc/ca-key.pem b/helm/conjur-config-namespace-prep/files/ca-key.pem similarity index 100% rename from bin/test-workflow/etc/ca-key.pem rename to helm/conjur-config-namespace-prep/files/ca-key.pem diff --git a/bin/test-workflow/etc/ca.pem b/helm/conjur-config-namespace-prep/files/ca.pem similarity index 100% rename from bin/test-workflow/etc/ca.pem rename to helm/conjur-config-namespace-prep/files/ca.pem diff --git a/helm/conjur-config-namespace-prep/templates/app_backend_secret.yaml b/helm/conjur-config-namespace-prep/templates/app_backend_secret.yaml new file mode 100644 index 00000000..5a7edfbd --- /dev/null +++ b/helm/conjur-config-namespace-prep/templates/app_backend_secret.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ .Values.authnK8s.backendSecret }} + labels: + app.kubernetes.io/name: {{ .Values.authnK8s.backendSecret }} + app.kubernetes.io/component: authn-k8s-{{ .Values.authnK8s.backendSecret }} + app.kubernetes.io/instance: {{ .Release.Namespace }} + app.kubernetes.io/part-of: authn-k8s-namespace-config + app.kubernetes.io/managed-by: Helm + meta.helm.sh/release-name: {{ .Release.Name }} + meta.helm.sh/release-namespace: {{ .Release.Namespace }} +data: + server.crt: {{ .Files.Get "files/ca.pem" | b64enc }} + server.key: {{ .Files.Get "files/ca-key.pem" | b64enc }} 
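Review bot: `.Files.Get` returns an empty string when the file is absent, so if `files/ca.pem` or `files/ca-key.pem` is missing from a packaged chart this template renders a Secret with empty `server.crt`/`server.key` instead of failing; `server.key: {{ .Files.Get "files/ca-key.pem" | required "files/ca-key.pem is missing" | b64enc }}` (and the same for `server.crt`) makes the install fail fast. The key moved here is the repository's committed test CA key (allowlisted in `.gitleaks.toml` by patch 01), and with `backendSecret` now a required chart value every namespace prepared with this chart receives it as a backend TLS key, so a header comment in the template stating that the Secret exists for the test workflow's backend only would keep it from being taken as a production default. `meta.helm.sh/release-name` and `meta.helm.sh/release-namespace` are the annotations Helm uses to track release ownership; under `labels` they are harmless but not recognised, so they probably belong in an `annotations:` block, unless the chart's other templates deliberately put them under labels (not visible here).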
diff --git a/helm/conjur-config-namespace-prep/values.schema.json b/helm/conjur-config-namespace-prep/values.schema.json index deeb5411..661d34fe 100644 --- a/helm/conjur-config-namespace-prep/values.schema.json +++ b/helm/conjur-config-namespace-prep/values.schema.json @@ -4,7 +4,8 @@ "authnK8s": { "required": [ "goldenConfigMap", - "namespace" + "namespace", + "backendSecret" ], "properties": { "goldenConfigMap": { @@ -12,6 +13,9 @@ }, "namespace": { "type": "string" + }, + "backendSecret": { + "type": "string" } } }, diff --git a/helm/conjur-config-namespace-prep/values.yaml b/helm/conjur-config-namespace-prep/values.yaml index 11920125..6e4d64e7 100644 --- a/helm/conjur-config-namespace-prep/values.yaml +++ b/helm/conjur-config-namespace-prep/values.yaml @@ -2,6 +2,7 @@ authnK8s: # These are required values # goldenConfigMap: # namespace: + # backendSecret: authnRoleBinding: create: true From 66531f2a462d8d27631591adf0ad86a76db44814 Mon Sep 17 00:00:00 2001 From: Samir Shetty Date: Wed, 26 May 2021 18:50:40 -0700 Subject: [PATCH 11/18] Remove helm uninstalls where possible --- bin/test-workflow/4_kubernetes_cluster_prep.sh | 6 +----- bin/test-workflow/5_app_namespace_prep.sh | 6 +----- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/bin/test-workflow/4_kubernetes_cluster_prep.sh b/bin/test-workflow/4_kubernetes_cluster_prep.sh index f53a4110..618e9b36 100755 --- a/bin/test-workflow/4_kubernetes_cluster_prep.sh +++ b/bin/test-workflow/4_kubernetes_cluster_prep.sh 
@@ -8,13 +8,9 @@ set_namespace default # Prepare our cluster with conjur and authnK8s credentials in a golden configmap announce "Installing cluster prep chart" pushd $(dirname "$0")/../../helm/kubernetes-cluster-prep > /dev/null - if [ "$(helm list -q -n $CONJUR_NAMESPACE | grep "^cluster-prep$")" = "cluster-prep" ]; then - helm uninstall cluster-prep -n "$CONJUR_NAMESPACE" - fi - ./bin/get-conjur-cert.sh -v -i -u "$CONJUR_APPLIANCE_URL" - helm install cluster-prep . -n "$CONJUR_NAMESPACE" --debug --wait \ + helm upgrade --install cluster-prep . -n "$CONJUR_NAMESPACE" --debug --wait \ --set conjur.account="$CONJUR_ACCOUNT" \ --set conjur.applianceUrl="$CONJUR_APPLIANCE_URL" \ --set conjur.certificateFilePath="files/conjur-cert.pem" \ diff --git a/bin/test-workflow/5_app_namespace_prep.sh b/bin/test-workflow/5_app_namespace_prep.sh index d97629bf..5bcb016f 100755 --- a/bin/test-workflow/5_app_namespace_prep.sh +++ b/bin/test-workflow/5_app_namespace_prep.sh @@ -8,12 +8,8 @@ set_namespace default # Prepare a given namespace with a subset of credentials from the golden configmap announce "Installing application namespace prep chart" pushd $(dirname "$0")/../../helm/application-namespace-prep > /dev/null - if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^namespace-prep$")" = "namespace-prep" ]; then - helm uninstall namespace-prep -n "$TEST_APP_NAMESPACE_NAME" - fi - # Namespace $TEST_APP_NAMESPACE_NAME will be created if it does not exist - helm install namespace-prep . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait \ + helm upgrade --install namespace-prep . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait \ --create-namespace \ --set authnK8s.goldenConfigMap="authn-k8s-configmap" \ --set authnK8s.namespace="$CONJUR_NAMESPACE" \ From 447380cfd7b90c22618de3d35e496af86fd50947 Mon Sep 17 00:00:00 2001 
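Review bot: In the `5_app_namespace_prep.sh` hunk the removed comment `# Namespace $TEST_APP_NAMESPACE_NAME will be created if it does not exist` documented the `--create-namespace` flag that is still passed on the next line; keeping that comment above the new `helm upgrade --install namespace-prep …` line preserves the explanation. Since the release is now upgraded in place rather than uninstalled first, the Secret and ConfigMap it owns persist between runs, which is a behaviour change from the previous clean slate and is worth one sentence in the script header (outside this hunk) for anyone debugging stale namespace state.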
From: Samir Shetty Date: Wed, 26 May 2021 18:56:31 -0700 Subject: [PATCH 12/18] Update app-ns-prep lint test --- helm/conjur-config-namespace-prep/test-lint | 1 + helm/conjur-config-namespace-prep/test-schema | 3 ++- .../tests/authenticator_rolebinding_test.yaml | 1 + .../tests/conjur_connect_configmap_test.yaml | 1 + 4 files changed, 5 insertions(+), 1 deletion(-) diff --git a/helm/conjur-config-namespace-prep/test-lint b/helm/conjur-config-namespace-prep/test-lint index 20d5fcaf..2d93e6b4 100755 --- a/helm/conjur-config-namespace-prep/test-lint +++ b/helm/conjur-config-namespace-prep/test-lint @@ -6,4 +6,5 @@ banner $BOLD "Running Helm lint for chart \"conjur-config-namespace-prep\"" helm lint . \ --set authnK8s.goldenConfigMap="authn-k8s-configmap" \ --set authnK8s.namespace="app-test" \ + --set authnK8s.backendSecret="test-backend-secret" \ --set test.mock.enable=true diff --git a/helm/conjur-config-namespace-prep/test-schema b/helm/conjur-config-namespace-prep/test-schema index afbd5a6d..24641de9 100755 --- a/helm/conjur-config-namespace-prep/test-schema +++ b/helm/conjur-config-namespace-prep/test-schema @@ -18,7 +18,8 @@ test_failed=false function authenticator_variable_test() { helm lint . --strict \ --set "authnK8s.goldenConfigMap=authn-k8s-configmap"\ - --set "authnK8s.namespace=golden" + --set "authnK8s.namespace=golden" \ + --set "authnK8s.backendSecret=test-backend-secret" } function authenticator_missing_configmap_test() { diff --git a/helm/conjur-config-namespace-prep/tests/authenticator_rolebinding_test.yaml b/helm/conjur-config-namespace-prep/tests/authenticator_rolebinding_test.yaml index da3ef3b8..08c22b77 100644 --- a/helm/conjur-config-namespace-prep/tests/authenticator_rolebinding_test.yaml +++ b/helm/conjur-config-namespace-prep/tests/authenticator_rolebinding_test.yaml 
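Review bot: In the `test-schema` hunk, `authenticator_variable_test` now supplies `authnK8s.backendSecret`, but the schema change in patch 10 made that key required and no negative test covers its absence, whereas the adjacent `authenticator_missing_configmap_test` covers the missing-configmap case; an `authenticator_missing_backend_secret_test` that runs `helm lint . --strict` with only `goldenConfigMap` and `namespace` set and expects a failure would exercise the new `required` entry. The body of `authenticator_missing_configmap_test` is outside the hunk, so the expected-failure convention it uses should be mirrored rather than guessed at.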
@@ -6,6 +6,7 @@ templates: defaults: &defaultRequired authnK8s.goldenConfigMap: authn-k8s-configmap authnK8s.namespace: golden + authnK8s.backendSecret: test-backend-secret tests: #======================================================================= diff --git a/helm/conjur-config-namespace-prep/tests/conjur_connect_configmap_test.yaml b/helm/conjur-config-namespace-prep/tests/conjur_connect_configmap_test.yaml index 2efbbe5e..7efc380f 100644 --- a/helm/conjur-config-namespace-prep/tests/conjur_connect_configmap_test.yaml +++ b/helm/conjur-config-namespace-prep/tests/conjur_connect_configmap_test.yaml @@ -6,6 +6,7 @@ templates: defaults: &defaultRequired authnK8s.goldenConfigMap: authn-k8s-configmap authnK8s.namespace: golden + authnK8s.backendSecret: test-backend-secret tests: From 3ebb40651ba15f54661cacec70d3c84f4c181767 Mon Sep 17 00:00:00 2001 From: Samir Shetty Date: Wed, 26 May 2021 20:43:11 -0700 Subject: [PATCH 13/18] Decouple conjur deploy and cleanup --- bin/test-workflow/0_prep_conjur_in_kind.sh | 4 -- .../1_prep_check_dependencies.sh | 37 ------------- bin/test-workflow/1_prep_env.sh | 29 +++++++++++ .../2_admin_load_conjur_policies.sh | 10 +--- ...luster_prep.sh => 4_admin_cluster_prep.sh} | 0 .../6_app_build_and_push_containers.sh | 19 +------ .../9_app_verify_authentication.sh | 41 ++++----------- bin/test-workflow/set_env_vars.sh | 29 ----------- bin/test-workflow/start | 6 +-- bin/test-workflow/utils.sh | 52 ------------------- 10 files changed, 45 insertions(+), 182 deletions(-) delete mode 100755 bin/test-workflow/1_prep_check_dependencies.sh create mode 100755 bin/test-workflow/1_prep_env.sh rename bin/test-workflow/{4_kubernetes_cluster_prep.sh => 4_admin_cluster_prep.sh} (100%) delete mode 100755 bin/test-workflow/set_env_vars.sh diff --git a/bin/test-workflow/0_prep_conjur_in_kind.sh b/bin/test-workflow/0_prep_conjur_in_kind.sh index 253d4b04..ec0209ea 100755 --- a/bin/test-workflow/0_prep_conjur_in_kind.sh 
+++ b/bin/test-workflow/0_prep_conjur_in_kind.sh @@ -28,10 +28,6 @@ pushd temp > /dev/null announce "Waiting for Conjur to become ready" wait_for_conjur_ready - announce "Retrieving the Conjur admin password" - export CONJUR_ADMIN_PASSWORD="$(./3_retrieve_admin_password.sh)" - echo "CONJUR_ADMIN_PASSWORD=$CONJUR_ADMIN_PASSWORD" - announce "Enabling the Conjur Kubernetes authenticator if necessary" ./4_ensure_authn_k8s_enabled.sh diff --git a/bin/test-workflow/1_prep_check_dependencies.sh b/bin/test-workflow/1_prep_check_dependencies.sh deleted file mode 100755 index 75503d09..00000000 --- a/bin/test-workflow/1_prep_check_dependencies.sh +++ /dev/null @@ -1,37 +0,0 @@ -#!/bin/bash - -set -eo pipefail - -. utils.sh - -if [[ "$PLATFORM" == "kubernetes" ]] && ! is_minienv; then - check_env_var "DOCKER_REGISTRY_URL" -fi - -# TODO: consider getting rid of USE_DOCKER_LOCAL_REGISTRY in favour of always using -# DOCKER_REGISTRY_PATH which when empty would default to DOCKER_REGISTRY_URL. -if ! (( [[ "$PLATFORM" == "kubernetes" ]] && is_minienv ) \ - || [[ "$USE_DOCKER_LOCAL_REGISTRY" == "true" ]]); then - check_env_var "DOCKER_REGISTRY_PATH" -fi - -check_env_var "CONJUR_NAMESPACE" -check_env_var "TEST_APP_NAMESPACE_NAME" -check_env_var "CONJUR_ACCOUNT" -check_env_var "CONJUR_ADMIN_PASSWORD" -check_env_var "AUTHENTICATOR_ID" -check_env_var "TEST_APP_DATABASE" -check_env_var "CONJUR_AUTHN_LOGIN_RESOURCE" -check_env_var "PULL_DOCKER_REGISTRY_URL" -check_env_var "PULL_DOCKER_REGISTRY_PATH" - -export CONJUR_APPLIANCE_URL="${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE.svc.cluster.local}" - -# For annotation-based Kubernetes authentication, the host ID to be used -# for authenticating is an application name. -export CONJUR_AUTHN_LOGIN_PREFIX="host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps" - -# Create the random database password -export SAMPLE_APP_BACKEND_DB_PASSWORD=$(openssl rand -hex 12) - -ensure_env_database 
diff --git a/bin/test-workflow/1_prep_env.sh b/bin/test-workflow/1_prep_env.sh new file mode 100755 index 00000000..6a184ea2 --- /dev/null +++ b/bin/test-workflow/1_prep_env.sh @@ -0,0 +1,29 @@ +#!/bin/bash + +set -eo pipefail + +export DOCKER_REGISTRY_URL="${DOCKER_REGISTRY_URL:-localhost:5000}" +export DOCKER_REGISTRY_PATH="${DOCKER_REGISTRY_PATH:-localhost:5000}" +export PULL_DOCKER_REGISTRY_URL="${PULL_DOCKER_REGISTRY_URL:-localhost:5000}" +export PULL_DOCKER_REGISTRY_PATH="${PULL_DOCKER_REGISTRY_PATH:-localhost:5000}" +export CONJUR_NAMESPACE="${CONJUR_NAMESPACE:-conjur-oss}" +export TEST_APP_NAMESPACE_NAME="${TEST_APP_NAMESPACE_NAME:-app-test}" +export CONJUR_ACCOUNT="${CONJUR_ACCOUNT:-myConjurAccount}" +export AUTHENTICATOR_ID="${AUTHENTICATOR_ID:-my-authenticator-id}" +export TEST_APP_DATABASE="${TEST_APP_DATABASE:-postgres}" +export CONJUR_AUTHN_LOGIN_RESOURCE="${CONJUR_AUTHN_LOGIN_RESOURCE:-service_account}" +export CONJUR_APPLIANCE_URL="${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE.svc.cluster.local}" +export CONJUR_AUTHN_LOGIN_PREFIX="${CONJUR_AUTHN_LOGIN_PREFIX:-host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps}" +export CONJUR_VERSION="${CONJUR_VERSION:-5}" +export PLATFORM="${PLATFORM:-kubernetes}" # default to kubernetes if env var not set +export CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}" +export USE_DOCKER_LOCAL_REGISTRY="${USE_DOCKER_LOCAL_REGISTRY:-false}" + +export CONJUR_ADMIN_PASSWORD="$(kubectl exec \ + --namespace "$CONJUR_NAMESPACE" \ + deploy/conjur-oss \ + --container conjur-oss \ + -- conjurctl role retrieve-key "$CONJUR_ACCOUNT":user:admin | tail -1)" + +# Create the random database password +export SAMPLE_APP_BACKEND_DB_PASSWORD=$(openssl rand -hex 12) diff --git a/bin/test-workflow/2_admin_load_conjur_policies.sh b/bin/test-workflow/2_admin_load_conjur_policies.sh index 48a13963..d5f9d46f 100755 --- a/bin/test-workflow/2_admin_load_conjur_policies.sh 
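Review bot: `export CONJUR_ADMIN_PASSWORD="$(kubectl exec ... | tail -1)"` masks a failed retrieval: `set -e` sees the exit status of `export`, which is 0, so if `kubectl exec` or `conjurctl role retrieve-key` fails the script carries on with an empty string (or `tail -1` of an error message) as the admin API key and only breaks later with an unrelated-looking login error. Split assignment from export so the status is checked — `CONJUR_ADMIN_PASSWORD="$(kubectl exec ... | tail -1)"` followed by `export CONJUR_ADMIN_PASSWORD` — and do the same for `SAMPLE_APP_BACKEND_DB_PASSWORD`, whose substitution is also unquoted. This file is sourced rather than executed (the `start` hunk later in the series does `. ./1_prep_env.sh`), so its `set -eo pipefail` changes the caller's shell options; a one-line header comment saying it is meant to be sourced and listing what it exports would prevent surprises. Because the value is a Conjur API key inherited by every child process, add a note where it is set, e.g. `# admin API key read from the Conjur pod; treat as a secret and never echo it`.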
+++ b/bin/test-workflow/2_admin_load_conjur_policies.sh @@ -13,19 +13,13 @@ prepare_conjur_cli_image() { cli_app_image=$(platform_image_for_push conjur-cli) docker tag cyberark/conjur-cli:$CONJUR_VERSION-latest $cli_app_image - if ! is_minienv; then - docker push $cli_app_image - fi + docker push $cli_app_image } deploy_conjur_cli() { announce "Deploying Conjur CLI pod." - if is_minienv; then - IMAGE_PULL_POLICY='Never' - else - IMAGE_PULL_POLICY='Always' - fi + IMAGE_PULL_POLICY='Always' cli_app_image=$(platform_image_for_pull conjur-cli) sed -e "s#{{ CONJUR_SERVICE_ACCOUNT }}#$(conjur_service_account)#g" ./$PLATFORM/conjur-cli.yml | diff --git a/bin/test-workflow/4_kubernetes_cluster_prep.sh b/bin/test-workflow/4_admin_cluster_prep.sh similarity index 100% rename from bin/test-workflow/4_kubernetes_cluster_prep.sh rename to bin/test-workflow/4_admin_cluster_prep.sh diff --git a/bin/test-workflow/6_app_build_and_push_containers.sh b/bin/test-workflow/6_app_build_and_push_containers.sh index 622ff873..1e4c25ab 100755 --- a/bin/test-workflow/6_app_build_and_push_containers.sh +++ b/bin/test-workflow/6_app_build_and_push_containers.sh @@ -46,23 +46,6 @@ pushd test_app_summon test_app_image=$(platform_image_for_push "test-$app_type-app") docker tag test-app:$CONJUR_NAMESPACE $test_app_image - if ! is_minienv; then - docker push $test_app_image - fi + docker push $test_app_image done popd - -if [[ "$LOCAL_AUTHENTICATOR" == "true" ]]; then - # Re-tag the locally-built conjur-authn-k8s-client:dev image - authn_image=$(platform_image_for_push conjur-authn-k8s-client) - docker tag conjur-authn-k8s-client:dev $authn_image - - # Re-tag the locally-built secretless-broker:latest image - secretless_image=$(platform_image_for_push secretless-broker) - docker tag secretless-broker:latest $secretless_image - - if ! is_minienv; then - docker push $authn_image - docker push $secretless_image - fi -fi 
diff --git a/bin/test-workflow/9_app_verify_authentication.sh b/bin/test-workflow/9_app_verify_authentication.sh index 6623dc14..4d7cbd7d 100755 --- a/bin/test-workflow/9_app_verify_authentication.sh +++ b/bin/test-workflow/9_app_verify_authentication.sh @@ -55,12 +55,10 @@ pod_curl() { kubectl exec test-curl -- curl "$@" } -if [[ "$TEST_APP_LOADBALANCER_SVCS" == "false" ]]; then - echo "Deploying a test curl pod" - deploy_test_curl - echo "Waiting for test curl pod to become available" - bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_test_curl -fi +echo "Deploying a test curl pod" +deploy_test_curl +echo "Waiting for test curl pod to become available" +bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_test_curl echo "Waiting for pods to become available" 
@@ -104,31 +102,12 @@ if [[ "$PLATFORM" == "openshift" ]]; then secretless_url="localhost:8083" init_url_with_host_outside_apps="localhost:8084" else - if [[ "$TEST_APP_LOADBALANCER_SVCS" == "true" ]]; then - echo "Waiting for external IPs to become available" - check_services(){ - # [[ -n "$(external_ip "test-app-summon-init")" ]] && - # [[ -n "$(external_ip "test-app-with-host-outside-apps-branch-summon-init")" ]] && - [[ -n "$(external_ip "test-app-summon-sidecar")" ]] # && - # [[ -n "$(external_ip "test-app-secretless")" ]] - } - bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_services - - curl_cmd=curl - init_url=$(external_ip test-app-summon-init):8080 - init_url_with_host_outside_apps=$(external_ip test-app-with-host-outside-apps-branch-summon-init):8080 - sidecar_url=$(external_ip test-app-summon-sidecar):8080 - secretless_url=$(external_ip test-app-secretless):8080 - - else - # Apps don't have loadbalancer services, so test by curling from - # a pod that is inside the KinD cluster. - curl_cmd=pod_curl - init_url="test-app-summon-init.$TEST_APP_NAMESPACE_NAME.svc.cluster.local:8080" - init_url_with_host_outside_apps="test-app-with-host-outside-apps-branch-summon-init.$TEST_APP_NAMESPACE_NAME.svc.cluster.local:8080" - sidecar_url="test-app-summon-sidecar.$TEST_APP_NAMESPACE_NAME.svc.cluster.local:8080" - secretless_url="test-app-secretless.$TEST_APP_NAMESPACE_NAME.svc.cluster.local:8080" - fi + # Test by curling from a pod that is inside the KinD cluster. + curl_cmd=pod_curl + init_url="test-app-summon-init.$TEST_APP_NAMESPACE_NAME.svc.cluster.local:8080" + init_url_with_host_outside_apps="test-app-with-host-outside-apps-branch-summon-init.$TEST_APP_NAMESPACE_NAME.svc.cluster.local:8080" + sidecar_url="test-app-summon-sidecar.$TEST_APP_NAMESPACE_NAME.svc.cluster.local:8080" + secretless_url="test-app-secretless.$TEST_APP_NAMESPACE_NAME.svc.cluster.local:8080" fi echo "Waiting for urls to be ready" 
diff --git a/bin/test-workflow/set_env_vars.sh b/bin/test-workflow/set_env_vars.sh deleted file mode 100755 index 76e710a0..00000000 --- a/bin/test-workflow/set_env_vars.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/env bash - -# Set the default values of environment variables used by the scripts -export PULL_DOCKER_REGISTRY_URL=${PULL_DOCKER_REGISTRY_URL:-${DOCKER_REGISTRY_URL}} -export PULL_DOCKER_REGISTRY_PATH=${PULL_DOCKER_REGISTRY_PATH:-${DOCKER_REGISTRY_PATH}} - -PLATFORM="${PLATFORM:-kubernetes}" # default to kubernetes if env var not set -CONJUR_AUTHN_LOGIN_RESOURCE="${CONJUR_AUTHN_LOGIN_RESOURCE:-service_account}" # default to service_account - -CONJUR_VERSION="${CONJUR_VERSION:-5}" - -MINIKUBE="${MINIKUBE:-false}" -MINISHIFT="${MINISHIFT:-false}" - -LOCAL_AUTHENTICATOR="${LOCAL_AUTHENTICATOR:-false}" - -# Some older workflows that use this script repo may depend upon -# the the use of 'DEPLOY_MASTER_CLUSTER' environment variable rather than -# the newer (and more accurately named) 'CONFIGURE_CONJUR_MASTER'. -DEPLOY_MASTER_CLUSTER="${DEPLOY_MASTER_CLUSTER:-false}" -CONFIGURE_CONJUR_MASTER="${CONFIGURE_CONJUR_MASTER:-$DEPLOY_MASTER_CLUSTER}" - -ANNOTATION_BASED_AUTHN="${ANNOTATION_BASED_AUTHN:-true}" -CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}" -TEST_APP_LOADBALANCER_SVCS="${TEST_APP_LOADBALANCER_SVCS:-true}" -HELM_RELEASE="${HELM_RELEASE:-conjur-oss}" - -USE_DOCKER_LOCAL_REGISTRY="${USE_DOCKER_LOCAL_REGISTRY:-false}" -DOCKER_EMAIL="${DOCKER_EMAIL:-}" diff --git a/bin/test-workflow/start b/bin/test-workflow/start index 78eb9aed..d68596a4 100755 --- a/bin/test-workflow/start +++ b/bin/test-workflow/start 
@@ -4,14 +4,14 @@ set -eo pipefail cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) -. ./0_prep_conjur_in_kind.sh +./0_prep_conjur_in_kind.sh -. ./1_prep_check_dependencies.sh +. ./1_prep_env.sh ./2_admin_load_conjur_policies.sh ./3_admin_init_conjur_cert_authority.sh -./4_kubernetes_cluster_prep.sh +./4_admin_cluster_prep.sh ./5_app_namespace_prep.sh ./6_app_build_and_push_containers.sh ./7_app_deploy_backend.sh diff --git a/bin/test-workflow/utils.sh b/bin/test-workflow/utils.sh index e6fab673..2b33fb4e 100755 --- a/bin/test-workflow/utils.sh +++ b/bin/test-workflow/utils.sh @@ -1,7 +1,5 @@ #!/usr/bin/env bash -. set_env_vars.sh - if [ $PLATFORM = 'kubernetes' ]; then cli=kubectl elif [ $PLATFORM = 'openshift' ]; then @@ -23,20 +21,6 @@ check_env_var() { fi } -ensure_env_database() { - local valid_dbs=( - 'postgres' - 'mysql' - ) - - if ! echo "${valid_dbs[@]}" | grep -Eq "\b${TEST_APP_DATABASE}\b"; then - printf "TEST_APP_DATABASE value not found in valid_dbs: '%s'\n" "${TEST_APP_DATABASE}" - printf "valid_dbs:\n" - printf "'%s'\n" "${valid_dbs[@]}" - exit 1 - fi -} - announce() { echo "++++++++++++++++++++++++++++++++++++++" echo "" @@ -48,8 +32,6 @@ announce() { platform_image_for_pull() { if [[ ${PLATFORM} = "openshift" ]]; then echo "${PULL_DOCKER_REGISTRY_PATH}/$TEST_APP_NAMESPACE_NAME/$1:$TEST_APP_NAMESPACE_NAME" - elif is_minienv; then - echo "$1:$CONJUR_NAMESPACE" elif [[ "$USE_DOCKER_LOCAL_REGISTRY" = "true" ]]; then echo "${PULL_DOCKER_REGISTRY_URL}/$1:$CONJUR_NAMESPACE" else @@ -60,8 +42,6 @@ platform_image_for_pull() { platform_image_for_push() { if [[ ${PLATFORM} = "openshift" ]]; then echo "${DOCKER_REGISTRY_PATH}/$TEST_APP_NAMESPACE_NAME/$1:$TEST_APP_NAMESPACE_NAME" - elif is_minienv; then - echo "$1:$CONJUR_NAMESPACE" elif [[ "$USE_DOCKER_LOCAL_REGISTRY" = "true" ]]; then echo "${DOCKER_REGISTRY_URL}/$1:$CONJUR_NAMESPACE" else 
@@ -99,19 +79,6 @@ get_pods() { $cli get pods --selector "$1" --no-headers | awk '{ print $1 }' } -get_nodeport(){ - svc_name="$1" - echo "$(kubectl get svc $svc_name -o jsonpath='{.spec.ports[0].nodePort}')" -} - -app_service_type() { - if [[ "$TEST_APP_LOADBALANCER_SVCS" == "true" ]]; then - echo "LoadBalancer" - else - echo "NodePort" - fi -} - get_master_pod_name() { if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then pod_list=$(get_pods "app=conjur-oss") @@ -199,25 +166,6 @@ function wait_for_it() { fi } -function is_minienv() { - MINI_ENV="${MINI_ENV:-false}" - - if hash minishift 2>/dev/null; then - # Check if Minishift is running too - if [[ "$MINI_ENV" == "false" ]] && [[ "$(minishift status | grep Running)" = "" ]]; then - false - else - true - fi - else - if [[ "$MINI_ENV" == "false" ]]; then - false - else - true - fi - fi -} - function external_ip() { local service=$1 From 408962b103257f3f0a348cf7d2f15651a2f83bcf Mon Sep 17 00:00:00 2001 From: Samir Shetty Date: Wed, 26 May 2021 21:24:42 -0700 Subject: [PATCH 14/18] Add env var checks scripts for reusability --- bin/test-workflow/1_prep_env.sh | 2 +- bin/test-workflow/4_admin_cluster_prep.sh | 7 +++++++ bin/test-workflow/5_app_namespace_prep.sh | 5 +++++ bin/test-workflow/7_app_deploy_backend.sh | 5 +++++ .../8_app_deploy_summon_sidecar.sh | 5 +++++ .../9_app_verify_authentication.sh | 18 ------------------ 6 files changed, 23 insertions(+), 19 deletions(-) diff --git a/bin/test-workflow/1_prep_env.sh b/bin/test-workflow/1_prep_env.sh index 6a184ea2..8ac1ed06 100755 --- a/bin/test-workflow/1_prep_env.sh +++ b/bin/test-workflow/1_prep_env.sh 
@@ -15,7 +15,7 @@ export CONJUR_AUTHN_LOGIN_RESOURCE="${CONJUR_AUTHN_LOGIN_RESOURCE:-service_accou export CONJUR_APPLIANCE_URL="${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE.svc.cluster.local}" export CONJUR_AUTHN_LOGIN_PREFIX="${CONJUR_AUTHN_LOGIN_PREFIX:-host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps}" export CONJUR_VERSION="${CONJUR_VERSION:-5}" -export PLATFORM="${PLATFORM:-kubernetes}" # default to kubernetes if env var not set +export PLATFORM="${PLATFORM:-kubernetes}" export CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}" export USE_DOCKER_LOCAL_REGISTRY="${USE_DOCKER_LOCAL_REGISTRY:-false}" diff --git a/bin/test-workflow/4_admin_cluster_prep.sh b/bin/test-workflow/4_admin_cluster_prep.sh index 618e9b36..112dea07 100755 --- a/bin/test-workflow/4_admin_cluster_prep.sh +++ b/bin/test-workflow/4_admin_cluster_prep.sh @@ -1,8 +1,15 @@ #!/usr/bin/env bash set -euo pipefail +export PLATFORM="${PLATFORM:-kubernetes}" + . utils.sh +check_env_var CONJUR_APPLIANCE_URL +check_env_var CONJUR_NAMESPACE +check_env_var CONJUR_ACCOUNT +check_env_var AUTHENTICATOR_ID + set_namespace default # Prepare our cluster with conjur and authnK8s credentials in a golden configmap diff --git a/bin/test-workflow/5_app_namespace_prep.sh b/bin/test-workflow/5_app_namespace_prep.sh index 5bcb016f..1f2b44ab 100755 --- a/bin/test-workflow/5_app_namespace_prep.sh +++ b/bin/test-workflow/5_app_namespace_prep.sh @@ -1,8 +1,13 @@ #!/usr/bin/env bash set -euo pipefail +export PLATFORM="${PLATFORM:-kubernetes}" + . utils.sh +check_env_var TEST_APP_NAMESPACE_NAME +check_env_var CONJUR_NAMESPACE + set_namespace default # Prepare a given namespace with a subset of credentials from the golden configmap diff --git a/bin/test-workflow/7_app_deploy_backend.sh b/bin/test-workflow/7_app_deploy_backend.sh index de85022c..e429109c 100755 --- a/bin/test-workflow/7_app_deploy_backend.sh +++ b/bin/test-workflow/7_app_deploy_backend.sh 
@@ -1,8 +1,13 @@ #!/usr/bin/env bash set -euo pipefail +export PLATFORM="${PLATFORM:-kubernetes}" + . utils.sh +check_env_var TEST_APP_NAMESPACE_NAME +check_env_var SAMPLE_APP_BACKEND_DB_PASSWORD + announce "Deploying summon-sidecar test app postgres backend for $TEST_APP_NAMESPACE_NAME." set_namespace $TEST_APP_NAMESPACE_NAME diff --git a/bin/test-workflow/8_app_deploy_summon_sidecar.sh b/bin/test-workflow/8_app_deploy_summon_sidecar.sh index f155f0e3..3dc7e216 100755 --- a/bin/test-workflow/8_app_deploy_summon_sidecar.sh +++ b/bin/test-workflow/8_app_deploy_summon_sidecar.sh @@ -1,8 +1,13 @@ #!/usr/bin/env bash set -euo pipefail +export PLATFORM="${PLATFORM:-kubernetes}" + . utils.sh +check_env_var TEST_APP_NAMESPACE_NAME +check_env_var CONJUR_AUTHN_LOGIN_PREFIX + announce "Deploying summon-sidecar test app for $TEST_APP_NAMESPACE_NAME." set_namespace $TEST_APP_NAMESPACE_NAME diff --git a/bin/test-workflow/9_app_verify_authentication.sh b/bin/test-workflow/9_app_verify_authentication.sh index 4d7cbd7d..70331aa0 100755 --- a/bin/test-workflow/9_app_verify_authentication.sh +++ b/bin/test-workflow/9_app_verify_authentication.sh 
@@ -62,25 +62,7 @@ bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_test_curl echo "Waiting for pods to become available" -check_pods(){ - # pods_ready "test-app-summon-init" && - # pods_ready "test-app-with-host-outside-apps-branch-summon-init" && - pods_ready "test-app-summon-sidecar" # && - # pods_ready "test-app-secretless" -} -bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_pods - if [[ "$PLATFORM" == "openshift" ]]; then - echo "Waiting for deployments to become available" - - check_deployment_status(){ - # [[ "$(deployment_status "test-app-summon-init")" == "Complete" ]] && - # [[ "$(deployment_status "test-app-with-host-outside-apps-branch-summon-init")" == "Complete" ]] && - [[ "$(deployment_status "test-app-summon-sidecar")" == "Complete" ]] # && - # [[ "$(deployment_status "test-app-secretless")" == "Complete" ]] - } - bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_deployment_status - sidecar_pod=$(get_pod_name test-app-summon-sidecar) init_pod=$(get_pod_name test-app-summon-init) init_pod_with_host_outside_apps=$(get_pod_name test-app-with-host-outside-apps-branch-summon-init) From 4a127f4cf9f7f413d6591757407c43ee458d6a18 Mon Sep 17 00:00:00 2001 From: Samir Shetty Date: Wed, 26 May 2021 21:34:57 -0700 Subject: [PATCH 15/18] Add timeout env var to helm --- bin/test-workflow/4_admin_cluster_prep.sh | 4 +++- bin/test-workflow/5_app_namespace_prep.sh | 4 +++- bin/test-workflow/7_app_deploy_backend.sh | 4 +++- bin/test-workflow/8_app_deploy_summon_sidecar.sh | 4 +++- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/bin/test-workflow/4_admin_cluster_prep.sh b/bin/test-workflow/4_admin_cluster_prep.sh index 112dea07..f87ae887 100755 --- a/bin/test-workflow/4_admin_cluster_prep.sh +++ b/bin/test-workflow/4_admin_cluster_prep.sh @@ -2,6 +2,7 @@ set -euo pipefail export PLATFORM="${PLATFORM:-kubernetes}" +export TIMEOUT="${TIMEOUT:-5m0s}" . utils.sh 
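Review bot: Removing `check_pods` and its `bl_retry_constant` call leaves the context line `echo "Waiting for pods to become available"` announcing a wait that no longer exists, and on the OpenShift branch `get_pod_name test-app-summon-sidecar` now runs straight after the curl-pod check. If the intent is that the later URL retry loop absorbs pod start-up, delete the stale echo; otherwise keep a readiness gate in its place, such as `bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" pods_ready "test-app-summon-sidecar"`. Either way the log line should describe what the script actually does. The script continues on both sides of this hunk.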
@@ -21,5 +22,6 @@ pushd $(dirname "$0")/../../helm/kubernetes-cluster-prep > /dev/null --set conjur.account="$CONJUR_ACCOUNT" \ --set conjur.applianceUrl="$CONJUR_APPLIANCE_URL" \ --set conjur.certificateFilePath="files/conjur-cert.pem" \ - --set authnK8s.authenticatorID="$AUTHENTICATOR_ID" + --set authnK8s.authenticatorID="$AUTHENTICATOR_ID" \ + --timeout $TIMEOUT popd > /dev/null diff --git a/bin/test-workflow/5_app_namespace_prep.sh b/bin/test-workflow/5_app_namespace_prep.sh index 1f2b44ab..e2933ad1 100755 --- a/bin/test-workflow/5_app_namespace_prep.sh +++ b/bin/test-workflow/5_app_namespace_prep.sh @@ -2,6 +2,7 @@ set -euo pipefail export PLATFORM="${PLATFORM:-kubernetes}" +export TIMEOUT="${TIMEOUT:-5m0s}" . utils.sh @@ -18,5 +19,6 @@ pushd $(dirname "$0")/../../helm/application-namespace-prep > /dev/null --create-namespace \ --set authnK8s.goldenConfigMap="authn-k8s-configmap" \ --set authnK8s.namespace="$CONJUR_NAMESPACE" \ - --set authnK8s.backendSecret="test-app-backend-certs" + --set authnK8s.backendSecret="test-app-backend-certs" \ + --timeout $TIMEOUT popd > /dev/null diff --git a/bin/test-workflow/7_app_deploy_backend.sh b/bin/test-workflow/7_app_deploy_backend.sh index e429109c..6fba0219 100755 --- a/bin/test-workflow/7_app_deploy_backend.sh +++ b/bin/test-workflow/7_app_deploy_backend.sh @@ -2,6 +2,7 @@ set -euo pipefail export PLATFORM="${PLATFORM:-kubernetes}" +export TIMEOUT="${TIMEOUT:-5m0s}" . utils.sh @@ -38,4 +39,5 @@ helm install app-summon-sidecar-backend-pg bitnami/postgresql -n $TEST_APP_NAMES --set securityContext.fsGroup="999" \ --set postgresqlDatabase="test_app" \ --set postgresqlUsername="test_app" \ - --set postgresqlPassword=$SAMPLE_APP_BACKEND_DB_PASSWORD + --set postgresqlPassword=$SAMPLE_APP_BACKEND_DB_PASSWORD \ + --timeout $TIMEOUT diff --git a/bin/test-workflow/8_app_deploy_summon_sidecar.sh b/bin/test-workflow/8_app_deploy_summon_sidecar.sh index 3dc7e216..d9078cb2 100755 
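Review bot: In 7_app_deploy_backend.sh the backend password is still supplied as `--set postgresqlPassword=$SAMPLE_APP_BACKEND_DB_PASSWORD`, unquoted and on the helm command line, where it is visible in `ps` and persisted in the release's stored values (`helm get values`) in addition to whatever Secret the chart creates. Quote it at minimum — `--set postgresqlPassword="$SAMPLE_APP_BACKEND_DB_PASSWORD" \` — since `openssl rand -hex` happens to be shell-safe today but a user-supplied override would not be. A tighter shape is to create the Kubernetes Secret yourself and reference it from the chart, if the bitnami/postgresql version in use supports an existing-secret value; I cannot confirm that version from here. The `--timeout $TIMEOUT` additions in the other three scripts of this patch share the unquoted-expansion nit but carry no secret.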
--- a/bin/test-workflow/8_app_deploy_summon_sidecar.sh +++ b/bin/test-workflow/8_app_deploy_summon_sidecar.sh @@ -2,6 +2,7 @@ set -euo pipefail export PLATFORM="${PLATFORM:-kubernetes}" +export TIMEOUT="${TIMEOUT:-5m0s}" . utils.sh @@ -20,7 +21,8 @@ pushd $(dirname "$0")/../../helm/app-deploy > /dev/null helm install app-summon-sidecar . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait \ --set app-summon-sidecar.enabled=true \ --set global.conjur.conjurConnConfigMap="conjur-connect-configmap" \ - --set app-summon-sidecar.conjur.authnLogin="$CONJUR_AUTHN_LOGIN_PREFIX/test-app-summon-sidecar" + --set app-summon-sidecar.conjur.authnLogin="$CONJUR_AUTHN_LOGIN_PREFIX/test-app-summon-sidecar" \ + --timeout $TIMEOUT popd > /dev/null echo "Test app/sidecar deployed." From 75690a588cd879495dd2731da6d7d8c70841d0c3 Mon Sep 17 00:00:00 2001 From: Samir Shetty Date: Wed, 26 May 2021 22:20:25 -0700 Subject: [PATCH 16/18] Fixups after rebasing onto current master --- .gitignore | 2 +- bin/test-workflow/4_admin_cluster_prep.sh | 4 ++-- bin/test-workflow/5_app_namespace_prep.sh | 4 ++-- bin/test-workflow/8_app_deploy_summon_sidecar.sh | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 26d85dc9..328b4d39 100644 --- a/.gitignore +++ b/.gitignore @@ -5,7 +5,7 @@ test temp -helm/kubernetes-cluster-prep/files/conjur-cert.pem +helm/conjur-config-cluster-prep/files/conjur-cert.pem bin/test-workflow/policy/generated/* tmp.* diff --git a/bin/test-workflow/4_admin_cluster_prep.sh b/bin/test-workflow/4_admin_cluster_prep.sh index f87ae887..7597408c 100755 --- a/bin/test-workflow/4_admin_cluster_prep.sh +++ b/bin/test-workflow/4_admin_cluster_prep.sh 
@@ -15,8 +15,8 @@ set_namespace default # Prepare our cluster with conjur and authnK8s credentials in a golden configmap announce "Installing cluster prep chart" -pushd $(dirname "$0")/../../helm/kubernetes-cluster-prep > /dev/null - ./bin/get-conjur-cert.sh -v -i -u "$CONJUR_APPLIANCE_URL" +pushd $(dirname "$0")/../../helm/conjur-config-cluster-prep > /dev/null + ./bin/get-conjur-cert.sh -v -i -s -u "$CONJUR_APPLIANCE_URL" helm upgrade --install cluster-prep . -n "$CONJUR_NAMESPACE" --debug --wait \ --set conjur.account="$CONJUR_ACCOUNT" \ diff --git a/bin/test-workflow/5_app_namespace_prep.sh b/bin/test-workflow/5_app_namespace_prep.sh index e2933ad1..48508057 100755 --- a/bin/test-workflow/5_app_namespace_prep.sh +++ b/bin/test-workflow/5_app_namespace_prep.sh @@ -12,8 +12,8 @@ check_env_var CONJUR_NAMESPACE set_namespace default # Prepare a given namespace with a subset of credentials from the golden configmap -announce "Installing application namespace prep chart" -pushd $(dirname "$0")/../../helm/application-namespace-prep > /dev/null +announce "Installing namespace prep chart" +pushd $(dirname "$0")/../../helm/conjur-config-namespace-prep > /dev/null # Namespace $TEST_APP_NAMESPACE_NAME will be created if it does not exist helm upgrade --install namespace-prep . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait \ --create-namespace \ diff --git a/bin/test-workflow/8_app_deploy_summon_sidecar.sh b/bin/test-workflow/8_app_deploy_summon_sidecar.sh index d9078cb2..6e344761 100755 --- a/bin/test-workflow/8_app_deploy_summon_sidecar.sh +++ b/bin/test-workflow/8_app_deploy_summon_sidecar.sh 
@@ -17,7 +17,7 @@ if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^app-summon-sidecar$")" helm uninstall app-summon-sidecar -n "$TEST_APP_NAMESPACE_NAME" fi -pushd $(dirname "$0")/../../helm/app-deploy > /dev/null +pushd $(dirname "$0")/../../helm/conjur-app-deploy > /dev/null helm install app-summon-sidecar . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait \ --set app-summon-sidecar.enabled=true \ --set global.conjur.conjurConnConfigMap="conjur-connect-configmap" \ From 1f49f518d49c2ef334e7b645e897186b07cbbb25 Mon Sep 17 00:00:00 2001 From: Samir Shetty Date: Thu, 27 May 2021 14:39:14 -0700 Subject: [PATCH 17/18] Make scripts more reusable --- bin/test-workflow/0_prep_conjur_in_kind.sh | 8 +++--- bin/test-workflow/1_prep_env.sh | 11 ++++++-- .../2_admin_load_conjur_policies.sh | 27 ++++++++++++------- .../3_admin_init_conjur_cert_authority.sh | 11 +++++++- bin/test-workflow/4_admin_cluster_prep.sh | 16 ++++++----- bin/test-workflow/5_app_namespace_prep.sh | 18 ++++++++----- .../6_app_build_and_push_containers.sh | 10 ++++++- bin/test-workflow/7_app_deploy_backend.sh | 19 ++++++------- .../8_app_deploy_summon_sidecar.sh | 19 +++++++------ .../9_app_verify_authentication.sh | 11 +++++++- bin/test-workflow/start | 3 +-- helm/conjur-app-deploy/values.yaml | 8 +++--- .../templates/NOTES.txt | 1 + .../templates/app_backend_secret.yaml | 10 +++---- helm/conjur-config-namespace-prep/test-lint | 4 ++- helm/conjur-config-namespace-prep/test-schema | 4 ++- .../tests/authenticator_rolebinding_test.yaml | 4 ++- .../tests/conjur_connect_configmap_test.yaml | 5 ++-- .../values.schema.json | 12 +++++++-- helm/conjur-config-namespace-prep/values.yaml | 4 ++- 20 files changed, 135 insertions(+), 70 deletions(-) diff --git a/bin/test-workflow/0_prep_conjur_in_kind.sh b/bin/test-workflow/0_prep_conjur_in_kind.sh index ec0209ea..19ded397 100755 --- a/bin/test-workflow/0_prep_conjur_in_kind.sh +++ b/bin/test-workflow/0_prep_conjur_in_kind.sh 
@@ -1,9 +1,7 @@ #!/bin/bash set -eo pipefail - -rm -rf bash-lib -git clone https://github.com/cyberark/bash-lib.git +cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) # Install Conjur in our cluster mkdir -p temp @@ -12,10 +10,10 @@ pushd temp > /dev/null git clone https://github.com/cyberark/conjur-oss-helm-chart.git pushd conjur-oss-helm-chart/examples/kubernetes-in-docker > /dev/null - . utils.sh + source utils.sh announce "Setting demo environment variable defaults" - . ./0_export_env_vars.sh + source ./0_export_env_vars.sh announce "Creating a Kubernetes-in-Docker cluster if necessary" ./1_create_kind_cluster.sh diff --git a/bin/test-workflow/1_prep_env.sh b/bin/test-workflow/1_prep_env.sh index 8ac1ed06..e1d1e017 100755 --- a/bin/test-workflow/1_prep_env.sh +++ b/bin/test-workflow/1_prep_env.sh 
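Review bot: After the `cd "$(dirname "$0")"` added here the script still runs `git clone https://github.com/cyberark/conjur-oss-helm-chart.git` into `temp` and then `source utils.sh` and `source ./0_export_env_vars.sh` from that checkout, so every run executes whatever is on the remote default branch at that moment, with no ref pinned and nothing verified. That is a supply-chain exposure and a reproducibility problem at once: an upstream change can silently alter what `0_export_env_vars.sh` exports into this shell. Pin a tag or commit (`git clone --depth 1 --branch <pinned-tag> https://github.com/cyberark/conjur-oss-helm-chart.git`) and record in a comment which ref the workflow was validated against; the removed bash-lib clone had the same issue and is presumably vendored now, though that is not visible here. Note also that `git clone` into an existing `temp/conjur-oss-helm-chart` fails, so unless `temp` is cleaned elsewhere a second run will error at that line.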
@@ -6,19 +6,26 @@ export DOCKER_REGISTRY_URL="${DOCKER_REGISTRY_URL:-localhost:5000}" export DOCKER_REGISTRY_PATH="${DOCKER_REGISTRY_PATH:-localhost:5000}" export PULL_DOCKER_REGISTRY_URL="${PULL_DOCKER_REGISTRY_URL:-localhost:5000}" export PULL_DOCKER_REGISTRY_PATH="${PULL_DOCKER_REGISTRY_PATH:-localhost:5000}" -export CONJUR_NAMESPACE="${CONJUR_NAMESPACE:-conjur-oss}" export TEST_APP_NAMESPACE_NAME="${TEST_APP_NAMESPACE_NAME:-app-test}" export CONJUR_ACCOUNT="${CONJUR_ACCOUNT:-myConjurAccount}" export AUTHENTICATOR_ID="${AUTHENTICATOR_ID:-my-authenticator-id}" export TEST_APP_DATABASE="${TEST_APP_DATABASE:-postgres}" export CONJUR_AUTHN_LOGIN_RESOURCE="${CONJUR_AUTHN_LOGIN_RESOURCE:-service_account}" -export CONJUR_APPLIANCE_URL="${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE.svc.cluster.local}" export CONJUR_AUTHN_LOGIN_PREFIX="${CONJUR_AUTHN_LOGIN_PREFIX:-host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps}" export CONJUR_VERSION="${CONJUR_VERSION:-5}" export PLATFORM="${PLATFORM:-kubernetes}" export CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}" export USE_DOCKER_LOCAL_REGISTRY="${USE_DOCKER_LOCAL_REGISTRY:-false}" +if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then + conjur_service='conjur-oss' +else + conjur_service='conjur-master' +fi + +export CONJUR_NAMESPACE="${CONJUR_NAMESPACE:-$conjur_service}" +export CONJUR_APPLIANCE_URL=${CONJUR_APPLIANCE_URL:-https://$conjur_service.$CONJUR_NAMESPACE.svc.cluster.local} + export CONJUR_ADMIN_PASSWORD="$(kubectl exec \ --namespace "$CONJUR_NAMESPACE" \ deploy/conjur-oss \ diff --git a/bin/test-workflow/2_admin_load_conjur_policies.sh b/bin/test-workflow/2_admin_load_conjur_policies.sh index d5f9d46f..97a6e144 100755 --- a/bin/test-workflow/2_admin_load_conjur_policies.sh +++ b/bin/test-workflow/2_admin_load_conjur_policies.sh 
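Review bot: The new `conjur_service` switch makes `CONJUR_NAMESPACE` and `CONJUR_APPLIANCE_URL` follow `CONJUR_OSS_HELM_INSTALLED`, but the admin-key retrieval directly below is still hard-wired to `deploy/conjur-oss` and `--container conjur-oss`, so with `CONJUR_OSS_HELM_INSTALLED=false` the URL targets `conjur-master` while `kubectl exec` looks for a deployment that, by this script's own naming, is not there. Either derive the exec target from the same variable — `deploy/$conjur_service` and `--container $conjur_service` — if the non-OSS deployment and container really carry that name (I cannot confirm from here), or reject the non-OSS path up front with a clear error instead of failing inside the substitution. Also quote the URL default to match the other exports: `export CONJUR_APPLIANCE_URL="${CONJUR_APPLIANCE_URL:-https://$conjur_service.$CONJUR_NAMESPACE.svc.cluster.local}"`.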
@@ -1,7 +1,21 @@ #!/usr/bin/env bash + set -euo pipefail +cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) + +PLATFORM="${PLATFORM:-kubernetes}" + +source utils.sh -. utils.sh +check_env_var TEST_APP_NAMESPACE_NAME +check_env_var CONJUR_VERSION +check_env_var CONJUR_ACCOUNT +check_env_var CONJUR_APPLIANCE_URL +check_env_var CONJUR_ADMIN_PASSWORD +check_env_var AUTHENTICATOR_ID +check_env_var CONJUR_NAMESPACE +check_env_var TEST_APP_DATABASE +check_env_var SAMPLE_APP_BACKEND_DB_PASSWORD announce "Generating Conjur policy." @@ -36,14 +50,7 @@ deploy_conjur_cli() { ensure_conjur_cli_initialized() { announce "Ensure that Conjur CLI pod has a connection with Conjur initialized." - if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then - conjur_service='conjur-oss' - else - conjur_service='conjur-master' - fi - conjur_url=${CONJUR_APPLIANCE_URL:-https://$conjur_service.$CONJUR_NAMESPACE.svc.cluster.local} - - $cli exec $1 -- bash -c "yes yes | conjur init -a $CONJUR_ACCOUNT -u $conjur_url" + $cli exec $1 -- bash -c "yes yes | conjur init -a $CONJUR_ACCOUNT -u $CONJUR_APPLIANCE_URL" # Flaky with 500 Internal Server Error, mitigate with retry wait_for_it 300 "$cli exec $1 -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD" } @@ -95,7 +102,7 @@ $cli cp ./policy $conjur_cli_pod:/policy wait_for_it 300 "$cli exec $conjur_cli_pod -- \ bash -c \" - conjur_appliance_url=${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE.svc.cluster.local} + conjur_appliance_url=${CONJUR_APPLIANCE_URL} CONJUR_ACCOUNT=${CONJUR_ACCOUNT} \ CONJUR_ADMIN_PASSWORD=${CONJUR_ADMIN_PASSWORD} \ DB_PASSWORD=${SAMPLE_APP_BACKEND_DB_PASSWORD} \ diff --git a/bin/test-workflow/3_admin_init_conjur_cert_authority.sh b/bin/test-workflow/3_admin_init_conjur_cert_authority.sh index 86c4b935..954cdb72 100755 --- a/bin/test-workflow/3_admin_init_conjur_cert_authority.sh +++ b/bin/test-workflow/3_admin_init_conjur_cert_authority.sh 
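Review bot: The admin API key still travels as a command-line argument through `kubectl exec` — in the context line `wait_for_it 300 "$cli exec $1 -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD"` just below the changed `conjur init`, and again inside the `bash -c` string in the third hunk (`CONJUR_ADMIN_PASSWORD=${CONJUR_ADMIN_PASSWORD}`). Exec commands are sent to the API server as request parameters and are visible in `ps` inside the pod, so the key can land in API audit logs and process listings, and the retry wrapper re-sends it on every attempt. Prefer stdin or an environment variable set inside the pod, e.g. `printf '%s' "$CONJUR_ADMIN_PASSWORD" | $cli exec -i $1 -- conjur authn login -u admin`, if the CLI version in use reads the password interactively — I cannot confirm that from here. Separately, `yes yes | conjur init -a $CONJUR_ACCOUNT -u $CONJUR_APPLIANCE_URL` auto-accepts the server's TLS fingerprint; a comment marking that as deliberate trust-on-first-use for the test cluster would help the next reader.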
@@ -1,7 +1,16 @@ #!/usr/bin/env bash + set -euo pipefail +cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) + +PLATFORM="${PLATFORM:-kubernetes}" + +source utils.sh -. utils.sh +check_env_var CONJUR_NAMESPACE +check_env_var CONJUR_OSS_HELM_INSTALLED +check_env_var CONJUR_ACCOUNT +check_env_var AUTHENTICATOR_ID announce "Initializing Conjur certificate authority." diff --git a/bin/test-workflow/4_admin_cluster_prep.sh b/bin/test-workflow/4_admin_cluster_prep.sh index 7597408c..a1d02044 100755 --- a/bin/test-workflow/4_admin_cluster_prep.sh +++ b/bin/test-workflow/4_admin_cluster_prep.sh @@ -1,10 +1,12 @@ #!/usr/bin/env bash + set -euo pipefail +cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) -export PLATFORM="${PLATFORM:-kubernetes}" -export TIMEOUT="${TIMEOUT:-5m0s}" +PLATFORM="${PLATFORM:-kubernetes}" +TIMEOUT="${TIMEOUT:-5m0s}" -. utils.sh +source utils.sh check_env_var CONJUR_APPLIANCE_URL check_env_var CONJUR_NAMESPACE @@ -15,13 +17,13 @@ set_namespace default # Prepare our cluster with conjur and authnK8s credentials in a golden configmap announce "Installing cluster prep chart" -pushd $(dirname "$0")/../../helm/conjur-config-cluster-prep > /dev/null +pushd ../../helm/conjur-config-cluster-prep > /dev/null ./bin/get-conjur-cert.sh -v -i -s -u "$CONJUR_APPLIANCE_URL" - helm upgrade --install cluster-prep . -n "$CONJUR_NAMESPACE" --debug --wait \ + helm upgrade --install cluster-prep . -n "$CONJUR_NAMESPACE" --debug --wait --timeout $TIMEOUT \ --set conjur.account="$CONJUR_ACCOUNT" \ --set conjur.applianceUrl="$CONJUR_APPLIANCE_URL" \ --set conjur.certificateFilePath="files/conjur-cert.pem" \ - --set authnK8s.authenticatorID="$AUTHENTICATOR_ID" \ - --timeout $TIMEOUT + --set authnK8s.authenticatorID="$AUTHENTICATOR_ID" + popd > /dev/null diff --git a/bin/test-workflow/5_app_namespace_prep.sh b/bin/test-workflow/5_app_namespace_prep.sh index 48508057..b72e7a28 100755 --- a/bin/test-workflow/5_app_namespace_prep.sh 
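Review bot: `PLATFORM` and `TIMEOUT` lose their `export` in the new `4_admin_cluster_prep.sh` lines, so they are shell variables only and no longer reach the child processes this script starts (`./bin/get-conjur-cert.sh` and `helm` in the second hunk); if `get-conjur-cert.sh`, or anything the sourced `utils.sh` forks, reads `PLATFORM` from the environment it now sees the caller's value or nothing. If dropping the export is deliberate, a one-line comment such as `# consumed only by the sourced utils.sh; not exported to child processes` would spare the next reader the question. The same change appears in the 5_, 7_ and 8_ scripts below.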
+++ b/bin/test-workflow/5_app_namespace_prep.sh @@ -1,10 +1,12 @@ #!/usr/bin/env bash + set -euo pipefail +cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) -export PLATFORM="${PLATFORM:-kubernetes}" -export TIMEOUT="${TIMEOUT:-5m0s}" +PLATFORM="${PLATFORM:-kubernetes}" +TIMEOUT="${TIMEOUT:-5m0s}" -. utils.sh +source utils.sh check_env_var TEST_APP_NAMESPACE_NAME check_env_var CONJUR_NAMESPACE @@ -13,12 +15,14 @@ set_namespace default # Prepare a given namespace with a subset of credentials from the golden configmap announce "Installing namespace prep chart" -pushd $(dirname "$0")/../../helm/conjur-config-namespace-prep > /dev/null +pushd ../../helm/conjur-config-namespace-prep > /dev/null # Namespace $TEST_APP_NAMESPACE_NAME will be created if it does not exist - helm upgrade --install namespace-prep . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait \ + helm upgrade --install namespace-prep . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait --timeout $TIMEOUT \ --create-namespace \ --set authnK8s.goldenConfigMap="authn-k8s-configmap" \ --set authnK8s.namespace="$CONJUR_NAMESPACE" \ - --set authnK8s.backendSecret="test-app-backend-certs" \ - --timeout $TIMEOUT + --set authnK8s.backendSecretToCreate="test-app-backend-certs" \ + --set authnK8s.backendCertificateFilePath="files/ca.pem" \ + --set authnK8s.backendKeyFilePath="files/ca-key.pem" + popd > /dev/null diff --git a/bin/test-workflow/6_app_build_and_push_containers.sh b/bin/test-workflow/6_app_build_and_push_containers.sh index 1e4c25ab..de0b83ef 100755 --- a/bin/test-workflow/6_app_build_and_push_containers.sh +++ b/bin/test-workflow/6_app_build_and_push_containers.sh 
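Review bot: The new `--set authnK8s.backendKeyFilePath="files/ca-key.pem"` hands the chart a path that the template resolves with `.Files.Get`, so the private key has to be packaged inside `helm/conjur-config-namespace-prep/files/` and its contents become part of the rendered release, readable through `helm get manifest` by anyone who can read that release's data in the namespace. That is tolerable for the throw-away test CA, but the value names read like a general feature; a comment above the `helm upgrade` stating that these are test-only fixtures, or creating the Secret out of band with `kubectl create secret tls` and passing only its name, keeps real keys out of chart packages. The `pushd`/`popd` pair is inside the hunk, the rest of the script is not.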
@@ -1,7 +1,15 @@ #!/usr/bin/env bash + set -euo pipefail +cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) + +PLATFORM="${PLATFORM:-kubernetes}" +USE_DOCKER_LOCAL_REGISTRY="${USE_DOCKER_LOCAL_REGISTRY:-true}" +DOCKER_REGISTRY_URL="${DOCKER_REGISTRY_URL:-localhost:5000}" +PULL_DOCKER_REGISTRY_URL="${PULL_DOCKER_REGISTRY_URL:-localhost:5000}" +CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}" -. utils.sh +source utils.sh if [[ "$PLATFORM" == "openshift" ]]; then docker login -u _ -p $(oc whoami -t) $DOCKER_REGISTRY_PATH diff --git a/bin/test-workflow/7_app_deploy_backend.sh b/bin/test-workflow/7_app_deploy_backend.sh index 6fba0219..f93e2b7d 100755 --- a/bin/test-workflow/7_app_deploy_backend.sh +++ b/bin/test-workflow/7_app_deploy_backend.sh @@ -1,10 +1,12 @@ #!/usr/bin/env bash + set -euo pipefail +cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) -export PLATFORM="${PLATFORM:-kubernetes}" -export TIMEOUT="${TIMEOUT:-5m0s}" +PLATFORM="${PLATFORM:-kubernetes}" +TIMEOUT="${TIMEOUT:-5m0s}" -. utils.sh +source utils.sh check_env_var TEST_APP_NAMESPACE_NAME check_env_var SAMPLE_APP_BACKEND_DB_PASSWORD 
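Review bot: The new default block in `6_app_build_and_push_containers.sh` sets `USE_DOCKER_LOCAL_REGISTRY` to `true`, while `1_prep_env.sh` in the first hunk of this diff defaults the same variable to `false`, so the script behaves differently when run through `start` than when run on its own. The block also defaults `DOCKER_REGISTRY_URL` and `PULL_DOCKER_REGISTRY_URL` but not `DOCKER_REGISTRY_PATH`, which the `docker login` line two lines later expands under `set -u`, so a standalone OpenShift run aborts with an unbound-variable error. While touching that line, `oc whoami -t | docker login -u _ --password-stdin "$DOCKER_REGISTRY_PATH"` keeps the registry token out of the process list.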
@@ -13,19 +15,18 @@ announce "Deploying summon-sidecar test app postgres backend for $TEST_APP_NAMES set_namespace $TEST_APP_NAMESPACE_NAME -echo "Deploying test app backend" - -# Install postgresql helm chart +# Uninstall backend if it exists so any PVCs can be deleted if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^app-summon-sidecar-backend-pg$")" = "app-summon-sidecar-backend-pg" ]; then helm uninstall app-summon-sidecar-backend-pg -n "$TEST_APP_NAMESPACE_NAME" fi +# Delete any created PVCs $cli delete --namespace $TEST_APP_NAMESPACE_NAME --ignore-not-found \ pvc -l app.kubernetes.io/instance=app-summon-sidecar-backend-pg helm repo add bitnami https://charts.bitnami.com/bitnami -helm install app-summon-sidecar-backend-pg bitnami/postgresql -n $TEST_APP_NAMESPACE_NAME --debug --wait \ +helm install app-summon-sidecar-backend-pg bitnami/postgresql -n $TEST_APP_NAMESPACE_NAME --debug --wait --timeout $TIMEOUT \ --set image.repository="postgres" \ --set image.tag="9.6" \ --set postgresqlDataDir="/data/pgdata" \ @@ -39,5 +40,5 @@ helm install app-summon-sidecar-backend-pg bitnami/postgresql -n $TEST_APP_NAMES --set securityContext.fsGroup="999" \ --set postgresqlDatabase="test_app" \ --set postgresqlUsername="test_app" \ - --set postgresqlPassword=$SAMPLE_APP_BACKEND_DB_PASSWORD \ - --timeout $TIMEOUT + --set postgresqlPassword=$SAMPLE_APP_BACKEND_DB_PASSWORD + diff --git a/bin/test-workflow/8_app_deploy_summon_sidecar.sh b/bin/test-workflow/8_app_deploy_summon_sidecar.sh index 6e344761..bd0de7d5 100755 --- a/bin/test-workflow/8_app_deploy_summon_sidecar.sh +++ b/bin/test-workflow/8_app_deploy_summon_sidecar.sh 
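Review bot: The `helm install` command now ends with `--set postgresqlPassword=$SAMPLE_APP_BACKEND_DB_PASSWORD` while keeping `--debug`, and Helm's debug output includes the user-supplied values, so the backend database password is written to the CI log on every run. Quote the expansion, `--set postgresqlPassword="$SAMPLE_APP_BACKEND_DB_PASSWORD"`, so a password containing spaces or commas is not split by the shell or by `--set` parsing, and either drop `--debug` or move the secret into a `--values` file that is not echoed. The command starts in the first of these two hunks; the `--set` lines between them are outside the view.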
@@ -1,10 +1,12 @@ #!/usr/bin/env bash + set -euo pipefail +cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) -export PLATFORM="${PLATFORM:-kubernetes}" -export TIMEOUT="${TIMEOUT:-5m0s}" +PLATFORM="${PLATFORM:-kubernetes}" +TIMEOUT="${TIMEOUT:-5m0s}" -. utils.sh +source utils.sh check_env_var TEST_APP_NAMESPACE_NAME check_env_var CONJUR_AUTHN_LOGIN_PREFIX @@ -13,16 +15,17 @@ announce "Deploying summon-sidecar test app for $TEST_APP_NAMESPACE_NAME." set_namespace $TEST_APP_NAMESPACE_NAME +# Uninstall sample app if it exists if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^app-summon-sidecar$")" = "app-summon-sidecar" ]; then helm uninstall app-summon-sidecar -n "$TEST_APP_NAMESPACE_NAME" fi -pushd $(dirname "$0")/../../helm/conjur-app-deploy > /dev/null - helm install app-summon-sidecar . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait \ - --set app-summon-sidecar.enabled=true \ +pushd ../../helm/conjur-app-deploy > /dev/null + helm install app-summon-sidecar . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait --timeout $TIMEOUT \ --set global.conjur.conjurConnConfigMap="conjur-connect-configmap" \ - --set app-summon-sidecar.conjur.authnLogin="$CONJUR_AUTHN_LOGIN_PREFIX/test-app-summon-sidecar" \ - --timeout $TIMEOUT + --set app-summon-sidecar.enabled=true \ + --set app-summon-sidecar.conjur.authnLogin="$CONJUR_AUTHN_LOGIN_PREFIX/test-app-summon-sidecar" + popd > /dev/null echo "Test app/sidecar deployed." diff --git a/bin/test-workflow/9_app_verify_authentication.sh b/bin/test-workflow/9_app_verify_authentication.sh index 70331aa0..ca4d0ac2 100755 --- a/bin/test-workflow/9_app_verify_authentication.sh +++ b/bin/test-workflow/9_app_verify_authentication.sh 
@@ -1,7 +1,16 @@ #!/usr/bin/env bash + set -euo pipefail +cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) + +PLATFORM="${PLATFORM:-kubernetes}" + +source utils.sh + +check_env_var TEST_APP_NAMESPACE_NAME -. utils.sh +rm -rf bash-lib +git clone https://github.com/cyberark/bash-lib.git init_bash_lib diff --git a/bin/test-workflow/start b/bin/test-workflow/start index d68596a4..9d4afb98 100755 --- a/bin/test-workflow/start +++ b/bin/test-workflow/start @@ -1,12 +1,11 @@ #!/bin/bash set -eo pipefail - cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) ./0_prep_conjur_in_kind.sh -. ./1_prep_env.sh +source ./1_prep_env.sh ./2_admin_load_conjur_policies.sh ./3_admin_init_conjur_cert_authority.sh diff --git a/helm/conjur-app-deploy/values.yaml b/helm/conjur-app-deploy/values.yaml index 695717d6..0cc01a1a 100644 --- a/helm/conjur-app-deploy/values.yaml +++ b/helm/conjur-app-deploy/values.yaml @@ -12,15 +12,15 @@ global: # can be selected. All enabled authenticator types (along with their # associated sample application container) will be deployed to the # same application Namespace. The default (app-summon-sidecar) is to enable only an authn-k8s -# sidecar container. Uncomment authenticator types as desired. +# sidecar container. Enable authenticator types as desired. app-summon-sidecar: enabled: true -secretless-broker: +app-summon-init: enabled: false -secrets-provider-init: +app-secretless-broker: enabled: false -secrets-provider-standalone: +app-secrets-provider: enabled: false diff --git a/helm/conjur-config-namespace-prep/templates/NOTES.txt b/helm/conjur-config-namespace-prep/templates/NOTES.txt index afbc3f5b..444344af 100644 --- a/helm/conjur-config-namespace-prep/templates/NOTES.txt +++ b/helm/conjur-config-namespace-prep/templates/NOTES.txt 
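Review bot: `git clone https://github.com/cyberark/bash-lib.git` in the new lines fetches whatever is on that repository's default branch at run time, and the `init_bash_lib` that follows presumably loads it, so each test run executes code that can change between runs without any review here. Pinning it, e.g. `git clone --depth 1 --branch <pinned tag> https://github.com/cyberark/bash-lib.git` (placeholder tag) or vendoring it as a submodule, makes the run reproducible. The preceding `rm -rf bash-lib` is a relative delete that is only safe because of the `cd "$(dirname "$0")"` added at the top of the same hunk; a comment such as `# bash-lib is cloned next to this script; cwd was set above` ties the two together for future edits.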
@@ -5,4 +5,5 @@ A Conjur Connection Configmap
 {{- end }}
 {{- if .Values.authnRoleBinding.create }}
 An authenticator Rolebinding
+A Secret containing the sample app backend TLS certificate and key
 {{- end }}
diff --git a/helm/conjur-config-namespace-prep/templates/app_backend_secret.yaml b/helm/conjur-config-namespace-prep/templates/app_backend_secret.yaml
index 5a7edfbd..4160b197 100644
--- a/helm/conjur-config-namespace-prep/templates/app_backend_secret.yaml
+++ b/helm/conjur-config-namespace-prep/templates/app_backend_secret.yaml
@@ -2,15 +2,15 @@ apiVersion: v1
 kind: Secret
 type: Opaque
 metadata:
- name: {{ .Values.authnK8s.backendSecret }}
+ name: {{ .Values.authnK8s.backendSecretToCreate }}
 labels:
- app.kubernetes.io/name: {{ .Values.authnK8s.backendSecret }}
- app.kubernetes.io/component: authn-k8s-{{ .Values.authnK8s.backendSecret }}
+ app.kubernetes.io/name: {{ .Values.authnK8s.backendSecretToCreate }}
+ app.kubernetes.io/component: authn-k8s-{{ .Values.authnK8s.backendSecretToCreate }}
 app.kubernetes.io/instance: {{ .Release.Namespace }}
 app.kubernetes.io/part-of: authn-k8s-namespace-config
 app.kubernetes.io/managed-by: Helm
 meta.helm.sh/release-name: {{ .Release.Name }}
 meta.helm.sh/release-namespace: {{ .Release.Namespace }}
 data:
- server.crt: {{ .Files.Get "files/ca.pem" | b64enc }}
- server.key: {{ .Files.Get "files/ca-key.pem" | b64enc }}
+ server.crt: {{ .Files.Get .Values.authnK8s.backendCertificateFilePath | b64enc | quote }}
+ server.key: {{ .Files.Get .Values.authnK8s.backendKeyFilePath | b64enc | quote }}
diff --git a/helm/conjur-config-namespace-prep/test-lint b/helm/conjur-config-namespace-prep/test-lint
index 2d93e6b4..59458200 100755
--- a/helm/conjur-config-namespace-prep/test-lint
+++ b/helm/conjur-config-namespace-prep/test-lint
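Review bot: The added `A Secret containing the sample app backend TLS certificate and key` line sits inside `{{- if .Values.authnRoleBinding.create }}`, but the Secret template changed in the next hunk carries no such condition, so with `authnRoleBinding.create=false` the Secret is still created while the notes stay silent about it. Move the line after that block's `{{- end }}`, or gate `app_backend_secret.yaml` on the same value so the notes and the rendered objects agree.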
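Review bot: `.Files.Get .Values.authnK8s.backendKeyFilePath` returns an empty string when the path is wrong or the file was not packaged with the chart, so the new `server.key` line silently renders a Secret whose key is empty and the failure only surfaces when the backend tries to serve TLS. `{{ required "backendKeyFilePath not found in chart files" (.Files.Get .Values.authnK8s.backendKeyFilePath) | b64enc | quote }}`, with the same wrapper on `server.crt`, fails the install at render time instead. A comment noting that `.Files.Get` paths are chart-relative, so the key must ship inside the chart package, would also help whoever sets `backendKeyFilePath`.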
@@ -6,5 +6,7 @@ banner $BOLD "Running Helm lint for chart \"conjur-config-namespace-prep\""
 helm lint . \
 --set authnK8s.goldenConfigMap="authn-k8s-configmap" \
 --set authnK8s.namespace="app-test" \
- --set authnK8s.backendSecret="test-backend-secret" \
+ --set authnK8s.backendSecretToCreate="test-backend-secret" \
+ --set authnK8s.backendCertificateFilePath="files/ca.pem"
+ --set authnK8s.backendKeyFilePath="files/ca-key.pem"
 --set test.mock.enable=true
diff --git a/helm/conjur-config-namespace-prep/test-schema b/helm/conjur-config-namespace-prep/test-schema
index 24641de9..0ad5670a 100755
--- a/helm/conjur-config-namespace-prep/test-schema
+++ b/helm/conjur-config-namespace-prep/test-schema
@@ -19,7 +19,9 @@ function authenticator_variable_test() {
 helm lint . --strict \
 --set "authnK8s.goldenConfigMap=authn-k8s-configmap"\
 --set "authnK8s.namespace=golden" \
- --set "authnK8s.backendSecret=test-backend-secret"
+ --set "authnK8s.backendSecretToCreate=test-backend-secret"
+ --set "authnK8s.backendCertificateFilePath=files/ca.pem"
+ --set "authnK8s.backendKeyFilePath=files/ca-key.pem"
 }
 
 function authenticator_missing_configmap_test() {
diff --git a/helm/conjur-config-namespace-prep/tests/authenticator_rolebinding_test.yaml b/helm/conjur-config-namespace-prep/tests/authenticator_rolebinding_test.yaml
index 08c22b77..77294251 100644
--- a/helm/conjur-config-namespace-prep/tests/authenticator_rolebinding_test.yaml
+++ b/helm/conjur-config-namespace-prep/tests/authenticator_rolebinding_test.yaml
@@ -6,7 +6,9 @@ templates:
 defaults: &defaultRequired
 authnK8s.goldenConfigMap: authn-k8s-configmap
 authnK8s.namespace: golden
- authnK8s.backendSecret: test-backend-secret
+ authnK8s.backendSecretToCreate: test-backend-secret
+ authnK8s.backendCertificateFilePath: files/ca.pem
+ authnK8s.backendKeyFilePath: files/ca-key.pem
 
 tests:
 #=======================================================================
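Review bot: In `test-lint` the new `--set authnK8s.backendCertificateFilePath="files/ca.pem"` line has no trailing `\`, so the following `--set authnK8s.backendKeyFilePath=…` and the existing `--set test.mock.enable=true` are no longer arguments to `helm lint` but a separate command beginning with `--set`, which bash rejects, and the lint runs without those values. The `test-schema` hunk has the same defect: none of the three new `--set "authnK8s.backend…"` lines ends in `\`, so `helm lint . --strict` is invoked without them and the next lines fail as commands. Add ` \` to every line but the last in both commands.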
diff --git a/helm/conjur-config-namespace-prep/tests/conjur_connect_configmap_test.yaml b/helm/conjur-config-namespace-prep/tests/conjur_connect_configmap_test.yaml
index 7efc380f..875aacd4 100644
--- a/helm/conjur-config-namespace-prep/tests/conjur_connect_configmap_test.yaml
+++ b/helm/conjur-config-namespace-prep/tests/conjur_connect_configmap_test.yaml
@@ -6,8 +6,9 @@ templates:
 defaults: &defaultRequired
 authnK8s.goldenConfigMap: authn-k8s-configmap
 authnK8s.namespace: golden
- authnK8s.backendSecret: test-backend-secret
-
+ authnK8s.backendSecretToCreate: test-backend-secret
+ authnK8s.backendCertificateFilePath: files/ca.pem
+ authnK8s.backendKeyFilePath: files/ca-key.pem
 
 tests:
 #=======================================================================
diff --git a/helm/conjur-config-namespace-prep/values.schema.json b/helm/conjur-config-namespace-prep/values.schema.json
index 661d34fe..786745f4 100644
--- a/helm/conjur-config-namespace-prep/values.schema.json
+++ b/helm/conjur-config-namespace-prep/values.schema.json
@@ -5,7 +5,9 @@
 "required": [
 "goldenConfigMap",
 "namespace",
- "backendSecret"
+ "backendSecretToCreate",
+ "backendCertificateFilePath",
+ "backendKeyFilePath"
 ],
 "properties": {
 "goldenConfigMap": {
@@ -14,7 +16,13 @@
 "namespace": {
 "type": "string"
 },
- "backendSecret": {
+ "backendSecretToCreate": {
+ "type": "string"
+ },
+ "backendCertificateFilePath": {
+ "type": "string"
+ },
+ "backendKeyFilePath": {
 "type": "string"
 }
 }
diff --git a/helm/conjur-config-namespace-prep/values.yaml b/helm/conjur-config-namespace-prep/values.yaml
index 6e4d64e7..5fa67ac5 100644
--- a/helm/conjur-config-namespace-prep/values.yaml
+++ b/helm/conjur-config-namespace-prep/values.yaml
@@ -2,7 +2,9 @@ authnK8s:
 # These are required values
 # goldenConfigMap:
 # namespace:
- # backendSecret:
+ # backendSecretToCreate:
+ # backendCertificateFilePath
+ # backendKeyFilePath
 
 authnRoleBinding:
 create: true
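Review bot: The two new commented placeholders in `values.yaml`, `# backendCertificateFilePath` and `# backendKeyFilePath`, lack the trailing `:` that `# goldenConfigMap:` and `# namespace:` carry, so uncommenting them as the header invites produces invalid YAML; write them as `# backendCertificateFilePath:` and `# backendKeyFilePath:`. A short note that both paths are resolved relative to the chart root (the template reads them with `.Files.Get`) would also help, since the `values.schema.json` hunk above only checks that they are strings.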
From 1385ed11c04ff4d71157ea906edf9059f9b7bfba Mon Sep 17 00:00:00 2001 From: Samir Shetty Date: Tue, 1 Jun 2021 07:33:03 -0700 Subject: [PATCH 18/18] Revert Secret creation in namespace-prep --- bin/test-workflow/5_app_namespace_prep.sh | 5 +---- bin/test-workflow/7_app_deploy_backend.sh | 20 +++++++++++++++---- ...ploy_summon_sidecar.sh => 8_app_deploy.sh} | 2 +- bin/test-workflow/start | 2 +- .../templates/app_backend_secret.yaml | 16 --------------- helm/conjur-config-namespace-prep/test-lint | 3 --- helm/conjur-config-namespace-prep/test-schema | 5 +---- .../tests/authenticator_rolebinding_test.yaml | 3 --- .../tests/conjur_connect_configmap_test.yaml | 3 --- .../values.schema.json | 14 +------------ helm/conjur-config-namespace-prep/values.yaml | 3 --- 11 files changed, 21 insertions(+), 55 deletions(-) rename bin/test-workflow/{8_app_deploy_summon_sidecar.sh => 8_app_deploy.sh} (92%) delete mode 100644 helm/conjur-config-namespace-prep/templates/app_backend_secret.yaml diff --git a/bin/test-workflow/5_app_namespace_prep.sh b/bin/test-workflow/5_app_namespace_prep.sh index b72e7a28..8a67fb09 100755 --- a/bin/test-workflow/5_app_namespace_prep.sh +++ b/bin/test-workflow/5_app_namespace_prep.sh @@ -20,9 +20,6 @@ pushd ../../helm/conjur-config-namespace-prep > /dev/null helm upgrade --install namespace-prep . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait --timeout $TIMEOUT \ --create-namespace \ --set authnK8s.goldenConfigMap="authn-k8s-configmap" \ - --set authnK8s.namespace="$CONJUR_NAMESPACE" \ - --set authnK8s.backendSecretToCreate="test-app-backend-certs" \ - --set authnK8s.backendCertificateFilePath="files/ca.pem" \ - --set authnK8s.backendKeyFilePath="files/ca-key.pem" + --set authnK8s.namespace="$CONJUR_NAMESPACE" popd > /dev/null diff --git a/bin/test-workflow/7_app_deploy_backend.sh b/bin/test-workflow/7_app_deploy_backend.sh index f93e2b7d..0d5d425b 100755 --- a/bin/test-workflow/7_app_deploy_backend.sh +++ b/bin/test-workflow/7_app_deploy_backend.sh 
@@ -15,18 +15,30 @@ announce "Deploying summon-sidecar test app postgres backend for $TEST_APP_NAMES set_namespace $TEST_APP_NAMESPACE_NAME +app_name="app-summon-sidecar-backend-pg" + # Uninstall backend if it exists so any PVCs can be deleted -if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^app-summon-sidecar-backend-pg$")" = "app-summon-sidecar-backend-pg" ]; then - helm uninstall app-summon-sidecar-backend-pg -n "$TEST_APP_NAMESPACE_NAME" +if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^$app_name$")" = "$app_name" ]; then + helm uninstall $app_name -n "$TEST_APP_NAMESPACE_NAME" fi # Delete any created PVCs $cli delete --namespace $TEST_APP_NAMESPACE_NAME --ignore-not-found \ - pvc -l app.kubernetes.io/instance=app-summon-sidecar-backend-pg + pvc -l app.kubernetes.io/instance=$app_name + +echo "Create secrets for test app backend" +$cli delete --namespace $TEST_APP_NAMESPACE_NAME --ignore-not-found \ + secret test-app-backend-certs + +$cli --namespace $TEST_APP_NAMESPACE_NAME \ + create secret generic \ + test-app-backend-certs \ + --from-file=server.crt=./etc/ca.pem \ + --from-file=server.key=./etc/ca-key.pem helm repo add bitnami https://charts.bitnami.com/bitnami -helm install app-summon-sidecar-backend-pg bitnami/postgresql -n $TEST_APP_NAMESPACE_NAME --debug --wait --timeout $TIMEOUT \ +helm install $app_name bitnami/postgresql -n $TEST_APP_NAMESPACE_NAME --debug --wait --timeout $TIMEOUT \ --set image.repository="postgres" \ --set image.tag="9.6" \ --set postgresqlDataDir="/data/pgdata" \ diff --git a/bin/test-workflow/8_app_deploy_summon_sidecar.sh b/bin/test-workflow/8_app_deploy.sh similarity index 92% rename from bin/test-workflow/8_app_deploy_summon_sidecar.sh rename to bin/test-workflow/8_app_deploy.sh index bd0de7d5..286b377b 100755 --- a/bin/test-workflow/8_app_deploy_summon_sidecar.sh +++ b/bin/test-workflow/8_app_deploy.sh 
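Review bot: The new secret handling deletes `test-app-backend-certs` and then recreates it, so a failure between the two `$cli` calls leaves the namespace without the Secret and anything already running against the backend sees it vanish; `$cli --namespace "$TEST_APP_NAMESPACE_NAME" create secret generic test-app-backend-certs --from-file=server.crt=./etc/ca.pem --from-file=server.key=./etc/ca-key.pem --dry-run=client -o yaml | $cli apply -f -` does it in one idempotent step. The `./etc/…` paths depend on the `cd "$(dirname "$0")"` at the top of the script, which is outside the hunk, so a comment such as `# paths are relative to this script's directory (cd above)` is worth adding. `echo "Create secrets for test app backend"` also breaks with the `announce` style used for the other steps in this file.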
@@ -11,7 +11,7 @@ source utils.sh
 check_env_var TEST_APP_NAMESPACE_NAME
 check_env_var CONJUR_AUTHN_LOGIN_PREFIX
 
-announce "Deploying summon-sidecar test app for $TEST_APP_NAMESPACE_NAME."
+announce "Deploying summon-sidecar test app in $TEST_APP_NAMESPACE_NAME."
 
 set_namespace $TEST_APP_NAMESPACE_NAME
 
diff --git a/bin/test-workflow/start b/bin/test-workflow/start
index 9d4afb98..b5fd7fc8 100755
--- a/bin/test-workflow/start
+++ b/bin/test-workflow/start
@@ -14,5 +14,5 @@ source ./1_prep_env.sh
 ./5_app_namespace_prep.sh
 ./6_app_build_and_push_containers.sh
 ./7_app_deploy_backend.sh
-./8_app_deploy_summon_sidecar.sh
+./8_app_deploy.sh
 ./9_app_verify_authentication.sh
diff --git a/helm/conjur-config-namespace-prep/templates/app_backend_secret.yaml b/helm/conjur-config-namespace-prep/templates/app_backend_secret.yaml
deleted file mode 100644
index 4160b197..00000000
--- a/helm/conjur-config-namespace-prep/templates/app_backend_secret.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
- name: {{ .Values.authnK8s.backendSecretToCreate }}
- labels:
- app.kubernetes.io/name: {{ .Values.authnK8s.backendSecretToCreate }}
- app.kubernetes.io/component: authn-k8s-{{ .Values.authnK8s.backendSecretToCreate }}
- app.kubernetes.io/instance: {{ .Release.Namespace }}
- app.kubernetes.io/part-of: authn-k8s-namespace-config
- app.kubernetes.io/managed-by: Helm
- meta.helm.sh/release-name: {{ .Release.Name }}
- meta.helm.sh/release-namespace: {{ .Release.Namespace }}
-data:
- server.crt: {{ .Files.Get .Values.authnK8s.backendCertificateFilePath | b64enc | quote }}
- server.key: {{ .Files.Get .Values.authnK8s.backendKeyFilePath | b64enc | quote }}
diff --git a/helm/conjur-config-namespace-prep/test-lint b/helm/conjur-config-namespace-prep/test-lint
index 59458200..20d5fcaf 100755
--- a/helm/conjur-config-namespace-prep/test-lint
+++ b/helm/conjur-config-namespace-prep/test-lint
@@ -6,7 +6,4 @@ banner $BOLD "Running Helm lint for chart \"conjur-config-namespace-prep\""
 helm lint . \
 --set authnK8s.goldenConfigMap="authn-k8s-configmap" \
 --set authnK8s.namespace="app-test" \
- --set authnK8s.backendSecretToCreate="test-backend-secret" \
- --set authnK8s.backendCertificateFilePath="files/ca.pem"
- --set authnK8s.backendKeyFilePath="files/ca-key.pem"
 --set test.mock.enable=true
diff --git a/helm/conjur-config-namespace-prep/test-schema b/helm/conjur-config-namespace-prep/test-schema
index 0ad5670a..afbd5a6d 100755
--- a/helm/conjur-config-namespace-prep/test-schema
+++ b/helm/conjur-config-namespace-prep/test-schema
@@ -18,10 +18,7 @@ test_failed=false
 function authenticator_variable_test() {
 helm lint . --strict \
 --set "authnK8s.goldenConfigMap=authn-k8s-configmap"\
- --set "authnK8s.namespace=golden" \
- --set "authnK8s.backendSecretToCreate=test-backend-secret"
- --set "authnK8s.backendCertificateFilePath=files/ca.pem"
- --set "authnK8s.backendKeyFilePath=files/ca-key.pem"
+ --set "authnK8s.namespace=golden"
 }
 
 function authenticator_missing_configmap_test() {
diff --git a/helm/conjur-config-namespace-prep/tests/authenticator_rolebinding_test.yaml b/helm/conjur-config-namespace-prep/tests/authenticator_rolebinding_test.yaml
index 77294251..da3ef3b8 100644
--- a/helm/conjur-config-namespace-prep/tests/authenticator_rolebinding_test.yaml
+++ b/helm/conjur-config-namespace-prep/tests/authenticator_rolebinding_test.yaml
@@ -6,9 +6,6 @@ templates:
 defaults: &defaultRequired
 authnK8s.goldenConfigMap: authn-k8s-configmap
 authnK8s.namespace: golden
- authnK8s.backendSecretToCreate: test-backend-secret
- authnK8s.backendCertificateFilePath: files/ca.pem
- authnK8s.backendKeyFilePath: files/ca-key.pem
 
 tests:
 #=======================================================================
diff --git a/helm/conjur-config-namespace-prep/tests/conjur_connect_configmap_test.yaml b/helm/conjur-config-namespace-prep/tests/conjur_connect_configmap_test.yaml
index 875aacd4..060e2007 100644
--- a/helm/conjur-config-namespace-prep/tests/conjur_connect_configmap_test.yaml
+++ b/helm/conjur-config-namespace-prep/tests/conjur_connect_configmap_test.yaml
@@ -6,9 +6,6 @@ templates:
 defaults: &defaultRequired
 authnK8s.goldenConfigMap: authn-k8s-configmap
 authnK8s.namespace: golden
- authnK8s.backendSecretToCreate: test-backend-secret
- authnK8s.backendCertificateFilePath: files/ca.pem
- authnK8s.backendKeyFilePath: files/ca-key.pem
 
 tests:
 #=======================================================================
diff --git a/helm/conjur-config-namespace-prep/values.schema.json b/helm/conjur-config-namespace-prep/values.schema.json
index 786745f4..deeb5411 100644
--- a/helm/conjur-config-namespace-prep/values.schema.json
+++ b/helm/conjur-config-namespace-prep/values.schema.json
@@ -4,10 +4,7 @@
 "authnK8s": {
 "required": [
 "goldenConfigMap",
- "namespace",
- "backendSecretToCreate",
- "backendCertificateFilePath",
- "backendKeyFilePath"
+ "namespace"
 ],
 "properties": {
 "goldenConfigMap": {
@@ -15,15 +12,6 @@
 },
 "namespace": {
 "type": "string"
- },
- "backendSecretToCreate": {
- "type": "string"
- },
- "backendCertificateFilePath": {
- "type": "string"
- },
- "backendKeyFilePath": {
- "type": "string"
 }
 }
 },
diff --git a/helm/conjur-config-namespace-prep/values.yaml b/helm/conjur-config-namespace-prep/values.yaml
index 5fa67ac5..11920125 100644
--- a/helm/conjur-config-namespace-prep/values.yaml
+++ b/helm/conjur-config-namespace-prep/values.yaml
@@ -2,9 +2,6 @@ authnK8s:
 # These are required values
 # goldenConfigMap:
 # namespace:
- # backendSecretToCreate:
- # backendCertificateFilePath
- # backendKeyFilePath
 
 authnRoleBinding:
 create: true