Add reusable workflow scripts

.gitignore

@@ -5,4 +5,9 @@ test
 
 temp
 
-helm/kubernetes-cluster-prep/files/conjur-cert.pem
+helm/conjur-config-cluster-prep/files/conjur-cert.pem
+
+bin/test-workflow/policy/generated/*
+tmp.*
+bin/test-workflow/output/
+bin/test-workflow/bash-lib/

.gitleaks.toml

@@ -0,0 +1,4 @@
+[allowlist]
+  files = [
+    "bin/test-workflow/etc/ca-key.pem" # test ssl certs
+  ]

bin/test-workflow/0_prep_conjur_in_kind.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -eo pipefail
+cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 )
+
+# Install Conjur in our cluster
+mkdir -p temp
+pushd temp > /dev/null
+    rm -rf conjur-oss-helm-chart
+    git clone https://github.com/cyberark/conjur-oss-helm-chart.git
+
+    pushd conjur-oss-helm-chart/examples/kubernetes-in-docker > /dev/null
+        source utils.sh
+
+        announce "Setting demo environment variable defaults"
+        source ./0_export_env_vars.sh
+
+        announce "Creating a Kubernetes-in-Docker cluster if necessary"
+        ./1_create_kind_cluster.sh
+
+        announce "Helm installing/upgrading Conjur OSS cluster"
+        ./2_helm_install_or_upgrade_conjur.sh
+
+        # Wait for Conjur pods to become ready (just in case there are old
+        # Conjur pods getting terminated as part of Helm upgrade)
+        announce "Waiting for Conjur to become ready"
+        wait_for_conjur_ready
+
+        announce "Enabling the Conjur Kubernetes authenticator if necessary"
+        ./4_ensure_authn_k8s_enabled.sh
+
+    popd > /dev/null
+popd > /dev/null

bin/test-workflow/1_prep_env.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eo pipefail
+
+export DOCKER_REGISTRY_URL="${DOCKER_REGISTRY_URL:-localhost:5000}"
+export DOCKER_REGISTRY_PATH="${DOCKER_REGISTRY_PATH:-localhost:5000}"
+export PULL_DOCKER_REGISTRY_URL="${PULL_DOCKER_REGISTRY_URL:-localhost:5000}"
+export PULL_DOCKER_REGISTRY_PATH="${PULL_DOCKER_REGISTRY_PATH:-localhost:5000}"
+export TEST_APP_NAMESPACE_NAME="${TEST_APP_NAMESPACE_NAME:-app-test}"
+export CONJUR_ACCOUNT="${CONJUR_ACCOUNT:-myConjurAccount}"
+export AUTHENTICATOR_ID="${AUTHENTICATOR_ID:-my-authenticator-id}"
+export TEST_APP_DATABASE="${TEST_APP_DATABASE:-postgres}"
+export CONJUR_AUTHN_LOGIN_RESOURCE="${CONJUR_AUTHN_LOGIN_RESOURCE:-service_account}"
+export CONJUR_AUTHN_LOGIN_PREFIX="${CONJUR_AUTHN_LOGIN_PREFIX:-host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps}"
+export CONJUR_VERSION="${CONJUR_VERSION:-5}"
+export PLATFORM="${PLATFORM:-kubernetes}"
+export CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}"
+export USE_DOCKER_LOCAL_REGISTRY="${USE_DOCKER_LOCAL_REGISTRY:-false}"
+
+if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
+    conjur_service='conjur-oss'
+else
+    conjur_service='conjur-master'
+fi
+
+export CONJUR_NAMESPACE="${CONJUR_NAMESPACE:-$conjur_service}"
+export CONJUR_APPLIANCE_URL=${CONJUR_APPLIANCE_URL:-https://$conjur_service.$CONJUR_NAMESPACE.svc.cluster.local}
+
+export CONJUR_ADMIN_PASSWORD="$(kubectl exec \
+            --namespace "$CONJUR_NAMESPACE" \
+            deploy/conjur-oss \
+            --container conjur-oss \
+            -- conjurctl role retrieve-key "$CONJUR_ACCOUNT":user:admin | tail -1)"
+
+# Create the random database password
+export SAMPLE_APP_BACKEND_DB_PASSWORD=$(openssl rand -hex 12)

bin/test-workflow/2_admin_load_conjur_policies.sh

@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 )
+
+PLATFORM="${PLATFORM:-kubernetes}"
+
+source utils.sh
+
+check_env_var TEST_APP_NAMESPACE_NAME
+check_env_var CONJUR_VERSION
+check_env_var CONJUR_ACCOUNT
+check_env_var CONJUR_APPLIANCE_URL
+check_env_var CONJUR_ADMIN_PASSWORD
+check_env_var AUTHENTICATOR_ID
+check_env_var CONJUR_NAMESPACE
+check_env_var TEST_APP_DATABASE
+check_env_var SAMPLE_APP_BACKEND_DB_PASSWORD
+
+announce "Generating Conjur policy."
+
+prepare_conjur_cli_image() {
+  announce "Pulling and pushing Conjur CLI image."
+
+  docker pull cyberark/conjur-cli:$CONJUR_VERSION-latest
+
+  cli_app_image=$(platform_image_for_push conjur-cli)
+  docker tag cyberark/conjur-cli:$CONJUR_VERSION-latest $cli_app_image
+
+  docker push $cli_app_image
+}
+
+deploy_conjur_cli() {
+  announce "Deploying Conjur CLI pod."
+
+  IMAGE_PULL_POLICY='Always'
+
+  cli_app_image=$(platform_image_for_pull conjur-cli)
+  sed -e "s#{{ CONJUR_SERVICE_ACCOUNT }}#$(conjur_service_account)#g" ./$PLATFORM/conjur-cli.yml |
+    sed -e "s#{{ DOCKER_IMAGE }}#$cli_app_image#g" |
+    sed -e "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" |
+    $cli create -f -
+
+  # Wait until pod appears otherwise $conjur_cli_pod could be empty and we would wait forever
+  wait_for_it 300 "has_resource 'app=conjur-cli'"
+  conjur_cli_pod=$(get_conjur_cli_pod_name)
+  wait_for_it 300 "$cli get pod $conjur_cli_pod -o jsonpath='{.status.phase}'| grep -q Running"
+}
+
+ensure_conjur_cli_initialized() {
+  announce "Ensure that Conjur CLI pod has a connection with Conjur initialized."
+
+  $cli exec $1 -- bash -c "yes yes | conjur init -a $CONJUR_ACCOUNT -u $CONJUR_APPLIANCE_URL"
+  # Flaky with 500 Internal Server Error, mitigate with retry
+  wait_for_it 300 "$cli exec $1 -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD"
+}
+
+pushd policy > /dev/null
+  mkdir -p ./generated > /dev/null
+
+  # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
+
+  if [[ "$PLATFORM" == "openshift" ]]; then
+    is_openshift=true
+    is_kubernetes=false
+  else
+    is_openshift=false
+    is_kubernetes=true
+  fi
+
+  sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml |
+    sed "s#{{ CONJUR_NAMESPACE }}#$CONJUR_NAMESPACE#g" > ./generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml
+
+  sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml |
+    sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" |
+    sed "s#{{ IS_KUBERNETES }}#$is_kubernetes#g" |
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml
+
+  sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/app-identity-def.template.yml |
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml
+
+  sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/authn-any-policy-branch.template.yml |
+    sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" |
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.authn-any-policy-branch.yml
+popd > /dev/null
+
+set_namespace "$CONJUR_NAMESPACE"
+
+announce "Finding or creating a Conjur CLI pod"
+conjur_cli_pod=$(get_conjur_cli_pod_name)
+if [ -z "$conjur_cli_pod" ]; then
+  prepare_conjur_cli_image
+  deploy_conjur_cli
+  conjur_cli_pod=$(get_conjur_cli_pod_name)
+fi
+ensure_conjur_cli_initialized $conjur_cli_pod
+
+announce "Loading Conjur policy."
+
+$cli exec $conjur_cli_pod -- rm -rf /policy
+$cli cp ./policy $conjur_cli_pod:/policy
+
+wait_for_it 300 "$cli exec $conjur_cli_pod -- \
+  bash -c \"
+  conjur_appliance_url=${CONJUR_APPLIANCE_URL}
+    CONJUR_ACCOUNT=${CONJUR_ACCOUNT} \
+    CONJUR_ADMIN_PASSWORD=${CONJUR_ADMIN_PASSWORD} \
+    DB_PASSWORD=${SAMPLE_APP_BACKEND_DB_PASSWORD} \
+    TEST_APP_NAMESPACE_NAME=${TEST_APP_NAMESPACE_NAME} \
+    TEST_APP_DATABASE=${TEST_APP_DATABASE} \
+    /policy/load_policies.sh
+  \"
+"
+
+$cli exec $conjur_cli_pod -- rm -rf ./policy
+
+echo "Conjur policy loaded."

bin/test-workflow/3_admin_init_conjur_cert_authority.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 )
+
+PLATFORM="${PLATFORM:-kubernetes}"
+
+source utils.sh
+
+check_env_var CONJUR_NAMESPACE
+check_env_var CONJUR_OSS_HELM_INSTALLED
+check_env_var CONJUR_ACCOUNT
+check_env_var AUTHENTICATOR_ID
+
+announce "Initializing Conjur certificate authority."
+
+set_namespace $CONJUR_NAMESPACE
+
+conjur_master=$(get_master_pod_name)
+
+if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
+    $cli exec $conjur_master -c conjur-oss -- bash -c "CONJUR_ACCOUNT=$CONJUR_ACCOUNT rake authn_k8s:ca_init['conjur/authn-k8s/$AUTHENTICATOR_ID']"
+else
+    $cli exec $conjur_master -- chpst -u conjur conjur-plugin-service possum rake authn_k8s:ca_init["conjur/authn-k8s/$AUTHENTICATOR_ID"]
+fi
+
+echo "Certificate authority initialized."

bin/test-workflow/4_admin_cluster_prep.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 )
+
+PLATFORM="${PLATFORM:-kubernetes}"
+TIMEOUT="${TIMEOUT:-5m0s}"
+
+source utils.sh
+
+check_env_var CONJUR_APPLIANCE_URL
+check_env_var CONJUR_NAMESPACE
+check_env_var CONJUR_ACCOUNT
+check_env_var AUTHENTICATOR_ID
+
+set_namespace default
+
+# Prepare our cluster with conjur and authnK8s credentials in a golden configmap
+announce "Installing cluster prep chart"
+pushd ../../helm/conjur-config-cluster-prep > /dev/null
+    ./bin/get-conjur-cert.sh -v -i -s -u "$CONJUR_APPLIANCE_URL"
+
+    helm upgrade --install cluster-prep . -n "$CONJUR_NAMESPACE" --debug --wait --timeout $TIMEOUT \
+        --set conjur.account="$CONJUR_ACCOUNT" \
+        --set conjur.applianceUrl="$CONJUR_APPLIANCE_URL" \
+        --set conjur.certificateFilePath="files/conjur-cert.pem" \
+        --set authnK8s.authenticatorID="$AUTHENTICATOR_ID"
+
+popd > /dev/null

bin/test-workflow/5_app_namespace_prep.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 )
+
+PLATFORM="${PLATFORM:-kubernetes}"
+TIMEOUT="${TIMEOUT:-5m0s}"
+
+source utils.sh
+
+check_env_var TEST_APP_NAMESPACE_NAME
+check_env_var CONJUR_NAMESPACE
+
+set_namespace default
+
+# Prepare a given namespace with a subset of credentials from the golden configmap
+announce "Installing namespace prep chart"
+pushd ../../helm/conjur-config-namespace-prep > /dev/null
+    # Namespace $TEST_APP_NAMESPACE_NAME will be created if it does not exist
+    helm upgrade --install namespace-prep . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait --timeout $TIMEOUT \
+        --create-namespace \
+        --set authnK8s.goldenConfigMap="authn-k8s-configmap" \
+        --set authnK8s.namespace="$CONJUR_NAMESPACE"
+
+popd > /dev/null