From 3fc2e631d196fd46c8620e2ad11bb9580d4aed34 Mon Sep 17 00:00:00 2001 From: Shlomo Heigh Date: Mon, 13 Mar 2023 15:54:01 -0400 Subject: [PATCH] Use Conjur CLI v8.0 --- deploy/3_load_conjur_policies.sh | 2 +- deploy/dev/reload.sh | 2 +- deploy/policy/load_policies.sh | 40 +++++++++---------- deploy/run.sh | 4 +- deploy/run_with_summon.sh | 2 +- deploy/teardown_resources.sh | 2 +- ...EST_ID_17_helm_job_deploys_successfully.sh | 2 +- ...helm_multiple_provider_multiple_secrets.sh | 4 +- ...D_19_helm_multiple_provider_same_secret.sh | 4 +- ...m_multiple_provider_same_serviceaccount.sh | 4 +- ...2_helm_rbac_defaults_taken_successfully.sh | 2 +- .../TEST_ID_23_helm_service_account_exists.sh | 2 +- ...ate_K8S_SECRETS_env_var_incorrect_value.sh | 2 +- ...EST_ID_25_helm_default_retry_successful.sh | 2 +- ..._helm_override_default_retry_successful.sh | 2 +- deploy/test/test_in_docker.sh | 3 +- deploy/utils.sh | 18 ++++----- 17 files changed, 49 insertions(+), 48 deletions(-) diff --git a/deploy/3_load_conjur_policies.sh b/deploy/3_load_conjur_policies.sh index 02e94706..7b2b7dbe 100755 --- a/deploy/3_load_conjur_policies.sh +++ b/deploy/3_load_conjur_policies.sh @@ -33,7 +33,7 @@ if [[ "${DEPLOY_MASTER_CLUSTER}" == "true" ]]; then $cli_with_timeout "cp ./policy $conjur_cli_pod:/policy" $cli_with_timeout "exec $conjur_cli_pod -- \ - bash -c \" + sh -c \" CONJUR_ADMIN_PASSWORD=${CONJUR_ADMIN_PASSWORD} \ APP_NAMESPACE_NAME=${APP_NAMESPACE_NAME} \ /policy/load_policies.sh diff --git a/deploy/dev/reload.sh b/deploy/dev/reload.sh index 865320da..4122fca9 100755 --- a/deploy/dev/reload.sh +++ b/deploy/dev/reload.sh @@ -32,7 +32,7 @@ main() { cert_location="/opt/conjur/etc/ssl/conjur.pem" if [ "$CONJUR_DEPLOYMENT" = "oss" ]; then selector="app=conjur-cli" - cert_location="/root/conjur-${CONJUR_ACCOUNT}.pem" + cert_location="/root/conjur-server.pem" fi conjur_pod_name="$(get_pod_name "$CONJUR_NAMESPACE_NAME" "$selector")" 
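Review bot: The inline script handed to the new `sh -c \"` line still receives `CONJUR_ADMIN_PASSWORD=${CONJUR_ADMIN_PASSWORD}` expanded on the caller side, so the admin password travels in the argument list of the local `$cli_with_timeout` process and of the pod's `sh`, where it is visible to process listings and to any command tracing on either side. Switching from `bash -c` to `sh -c` does not change that. If `$cli_with_timeout` wraps `kubectl exec`, the secret could instead be fed over stdin, e.g. `printf '%s' "$CONJUR_ADMIN_PASSWORD" | $cli_with_timeout exec -i $conjur_cli_pod -- sh -c 'CONJUR_ADMIN_PASSWORD=$(cat) APP_NAMESPACE_NAME=... /policy/load_policies.sh'`; how the wrapper parses its argument is not visible here, so the exact form needs checking against it. The enclosing `if` block continues outside the hunk.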
diff --git a/deploy/policy/load_policies.sh b/deploy/policy/load_policies.sh
index f6715c7b..a49d139b 100755
--- a/deploy/policy/load_policies.sh
+++ b/deploy/policy/load_policies.sh
@@ -1,43 +1,41 @@ -#!/bin/bash +#!/bin/sh set -eo pipefail if [ "$CONJUR_APPLIANCE_URL" != "" ]; then echo "Running conjur init with $CONJUR_APPLIANCE_URL" - conjur init -u $CONJUR_APPLIANCE_URL -a $CONJUR_ACCOUNT + conjur init -u $CONJUR_APPLIANCE_URL -a $CONJUR_ACCOUNT --self-signed --force fi # check for unset vars after checking for appliance url set -u echo "Login to Conjur with the conjur-cli" -conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD +conjur login -i admin -p $CONJUR_ADMIN_PASSWORD readonly POLICY_DIR="/policy" # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI -readonly POLICY_FILES=( - "$POLICY_DIR/users.yml" - "$POLICY_DIR/generated/$APP_NAMESPACE_NAME.project-authn.yml" - "$POLICY_DIR/generated/$APP_NAMESPACE_NAME.cluster-authn-svc.yml" - "$POLICY_DIR/generated/$APP_NAMESPACE_NAME.app-identity.yml" - "$POLICY_DIR/generated/$APP_NAMESPACE_NAME.conjur-secrets.yml" +set -- "$POLICY_DIR/users.yml" \ + "$POLICY_DIR/generated/$APP_NAMESPACE_NAME.project-authn.yml" \ + "$POLICY_DIR/generated/$APP_NAMESPACE_NAME.cluster-authn-svc.yml" \ + "$POLICY_DIR/generated/$APP_NAMESPACE_NAME.app-identity.yml" \ + "$POLICY_DIR/generated/$APP_NAMESPACE_NAME.conjur-secrets.yml" \ "$POLICY_DIR/generated/$APP_NAMESPACE_NAME.authn-any-policy-branch.yml" -) -for policy_file in "${POLICY_FILES[@]}"; do +for policy_file in "$@"; do echo "Loading policy $policy_file..." - conjur policy load root "$policy_file" + conjur policy load -b root -f "$policy_file" done # the values of these secrets aren't important as we populate the secret that we # are testing in each test. 
We need them to have some value as both are required # in the pod -conjur variable values add secrets/test_secret "some-secret" -conjur variable values add "secrets/var with spaces" "some-secret" -conjur variable values add "secrets/var+with+pluses" "some-secret" -conjur variable values add "secrets/umlaut" "some-secret" -conjur variable values add secrets/url "postgresql://test-app-backend.app-test.svc.cluster.local:5432" -conjur variable values add secrets/username "some-user" -conjur variable values add secrets/password "7H1SiSmYp@5Sw0rd" - -conjur authn logout +conjur variable set -i secrets/test_secret -v "some-secret" +conjur variable set -i "secrets/var with spaces" -v "some-secret" +conjur variable set -i "secrets/var+with+pluses" -v "some-secret" +conjur variable set -i "secrets/umlaut" -v "some-secret" +conjur variable set -i secrets/url -v "postgresql://test-app-backend.app-test.svc.cluster.local:5432" +conjur variable set -i secrets/username -v "some-user" +conjur variable set -i secrets/password -v "7H1SiSmYp@5Sw0rd" + +conjur logout diff --git a/deploy/run.sh b/deploy/run.sh index 43cfac9f..7aa95406 100755 --- a/deploy/run.sh +++ b/deploy/run.sh @@ -11,7 +11,9 @@ main() { deployConjur() { pushd .. - git clone git@github.com:cyberark/kubernetes-conjur-deploy kubernetes-conjur-deploy-$UNIQUE_TEST_ID + git clone --single-branch --branch master \ + git@github.com:cyberark/kubernetes-conjur-deploy \ + kubernetes-conjur-deploy-$UNIQUE_TEST_ID cmd="./start" if [ $CONJUR_DEPLOYMENT = "oss" ]; then diff --git a/deploy/run_with_summon.sh b/deploy/run_with_summon.sh index 6dff8dee..eb5d5f77 100755 --- a/deploy/run_with_summon.sh +++ b/deploy/run_with_summon.sh 
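Review bot: With the shebang changed to `#!/bin/sh`, the unchanged `set -eo pipefail` right after it is no longer portable: `pipefail` is a bash/ksh/zsh option that many `/bin/sh` implementations (dash before recent releases, for instance) reject, and since `set` is a special builtin that rejection terminates the script before `conjur init` ever runs. Which shell `/bin/sh` resolves to inside the CLI v8 image is not visible here, so this may work on one image and fail on the next. Nothing in the file pipes commands, so `set -e` alone preserves the intent, with the deliberately delayed `set -u` left as it is. While here, the unquoted `$CONJUR_APPLIANCE_URL`, `$CONJUR_ACCOUNT` and `$CONJUR_ADMIN_PASSWORD` on the `conjur init` and `conjur login` lines are split on whitespace; `-p "$CONJUR_ADMIN_PASSWORD"` and the same quoting on the other two avoids that.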
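Review bot: `--single-branch --branch master` narrows the clone but still pins it to a branch name, which remains a moving target for a deployment dependency: every run fetches whatever cyberark/kubernetes-conjur-deploy's master holds at that moment, so a change in that repository can alter or break this harness with no change here. Pinning a tag or commit, for example through a variable the CI runner can override that defaults to master, would make runs reproducible and reviewable; the identical clone in deploy/test/test_in_docker.sh has the same issue. The destination `kubernetes-conjur-deploy-$UNIQUE_TEST_ID` on the new line is also unquoted. deployConjur continues outside the hunk.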
@@ -64,7 +64,7 @@ selector="role=follower" cert_location="/opt/conjur/etc/ssl/conjur.pem" if [ "$CONJUR_DEPLOYMENT" = "oss" ]; then selector="app=conjur-cli" - cert_location="/root/conjur-${CONJUR_ACCOUNT}.pem" + cert_location="/root/conjur-server.pem" fi conjur_pod_name="$(get_pod_name "$CONJUR_NAMESPACE_NAME" "$selector")" ssl_cert=$($cli_with_timeout "exec ${conjur_pod_name} --namespace $CONJUR_NAMESPACE_NAME -- cat $cert_location") diff --git a/deploy/teardown_resources.sh b/deploy/teardown_resources.sh index 2ef0c62b..a742958d 100755 --- a/deploy/teardown_resources.sh +++ b/deploy/teardown_resources.sh @@ -25,7 +25,7 @@ fi set_namespace $CONJUR_NAMESPACE_NAME -$cli_with_timeout "exec $(get_conjur_cli_pod_name) -- conjur variable values add secrets/test_secret \"supersecret\"" +$cli_with_timeout "exec $(get_conjur_cli_pod_name) -- conjur variable set -i secrets/test_secret -v \"supersecret\"" set_namespace $APP_NAMESPACE_NAME diff --git a/deploy/test/test_cases/TEST_ID_17_helm_job_deploys_successfully.sh b/deploy/test/test_cases/TEST_ID_17_helm_job_deploys_successfully.sh index 7fdb08a9..5e894f46 100755 --- a/deploy/test/test_cases/TEST_ID_17_helm_job_deploys_successfully.sh +++ b/deploy/test/test_cases/TEST_ID_17_helm_job_deploys_successfully.sh @@ -8,7 +8,7 @@ pushd ../../ fill_helm_chart helm install -f "../helm/secrets-provider/ci/test-values-$UNIQUE_TEST_ID.yaml" \ secrets-provider ../helm/secrets-provider \ - --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-$UNIQUE_TEST_ID.pem" + --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-server.pem" popd # Deploy app to test against diff --git a/deploy/test/test_cases/TEST_ID_18_helm_multiple_provider_multiple_secrets.sh b/deploy/test/test_cases/TEST_ID_18_helm_multiple_provider_multiple_secrets.sh index 873517a7..117f6c97 100755 --- a/deploy/test/test_cases/TEST_ID_18_helm_multiple_provider_multiple_secrets.sh 
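Review bot: Replacing `conjur-$UNIQUE_TEST_ID.pem` with the fixed `test/test_cases/conjur-server.pem` drops the per-run suffix that kept concurrent runs apart, and utils.sh's setup_helm_environment now writes the fetched certificate to that same `conjur-server.pem` (or `../conjur-server.pem`) path for every run. If CI executes several runs from one working tree in parallel, which the `# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI` comment in load_policies.sh suggests it does, two runs would overwrite each other's certificate file and one of them could install a certificate that does not match its own Conjur instance. The same replacement appears in TEST_ID_18, 19, 20, 22, 23, 24, 25 and 26 and in utils.sh deploy_chart. Keeping the suffix, e.g. `ssl_location="conjur-server-$UNIQUE_TEST_ID.pem"` in setup_helm_environment and `--set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-server-$UNIQUE_TEST_ID.pem"` here and in the other test cases, preserves the isolation.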
+++ b/deploy/test/test_cases/TEST_ID_18_helm_multiple_provider_multiple_secrets.sh @@ -13,7 +13,7 @@ pushd ../../ fill_helm_chart helm install -f "../helm/secrets-provider/ci/test-values-$UNIQUE_TEST_ID.yaml" \ secrets-provider ../helm/secrets-provider \ - --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-$UNIQUE_TEST_ID.pem" + --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-server.pem" popd helm_chart_name="secrets-provider" @@ -33,7 +33,7 @@ pushd ../../ fill_helm_chart "another-" helm install -f "../helm/secrets-provider/ci/another-test-values-$UNIQUE_TEST_ID.yaml" \ another-secrets-provider ../helm/secrets-provider \ - --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-$UNIQUE_TEST_ID.pem" + --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-server.pem" popd # Wait for Job completion diff --git a/deploy/test/test_cases/TEST_ID_19_helm_multiple_provider_same_secret.sh b/deploy/test/test_cases/TEST_ID_19_helm_multiple_provider_same_secret.sh index 0c98b0b3..93bd846f 100755 --- a/deploy/test/test_cases/TEST_ID_19_helm_multiple_provider_same_secret.sh +++ b/deploy/test/test_cases/TEST_ID_19_helm_multiple_provider_same_secret.sh @@ -8,7 +8,7 @@ pushd ../../ fill_helm_chart helm install -f "../helm/secrets-provider/ci/test-values-$UNIQUE_TEST_ID.yaml" \ secrets-provider ../helm/secrets-provider \ - --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-$UNIQUE_TEST_ID.pem" + --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-server.pem" popd # Check for Job completion 
@@ -24,7 +24,7 @@ pushd ../../ fill_helm_chart "another-" helm install -f "../helm/secrets-provider/ci/another-test-values-$UNIQUE_TEST_ID.yaml" \ another-secrets-provider ../helm/secrets-provider \ - --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-$UNIQUE_TEST_ID.pem" + --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-server.pem" popd helm_chart_name="another-secrets-provider" diff --git a/deploy/test/test_cases/TEST_ID_20_helm_multiple_provider_same_serviceaccount.sh b/deploy/test/test_cases/TEST_ID_20_helm_multiple_provider_same_serviceaccount.sh index 19ffd2d6..d84306d4 100755 --- a/deploy/test/test_cases/TEST_ID_20_helm_multiple_provider_same_serviceaccount.sh +++ b/deploy/test/test_cases/TEST_ID_20_helm_multiple_provider_same_serviceaccount.sh @@ -8,7 +8,7 @@ pushd ../../ fill_helm_chart helm install -f "../helm/secrets-provider/ci/test-values-$UNIQUE_TEST_ID.yaml" \ secrets-provider ../helm/secrets-provider \ - --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-$UNIQUE_TEST_ID.pem" + --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-server.pem" popd # Check for Job completion @@ -26,7 +26,7 @@ pushd ../../ fill_helm_chart "another-" helm install -f "../helm/secrets-provider/ci/another-test-values-$UNIQUE_TEST_ID.yaml" \ another-secrets-provider ../helm/secrets-provider \ - --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-$UNIQUE_TEST_ID.pem" + --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-server.pem" popd helm_chart_name="another-secrets-provider" diff --git a/deploy/test/test_cases/TEST_ID_22_helm_rbac_defaults_taken_successfully.sh b/deploy/test/test_cases/TEST_ID_22_helm_rbac_defaults_taken_successfully.sh index 5cf46d65..54f99cad 100755 --- a/deploy/test/test_cases/TEST_ID_22_helm_rbac_defaults_taken_successfully.sh +++ b/deploy/test/test_cases/TEST_ID_22_helm_rbac_defaults_taken_successfully.sh 
@@ -16,7 +16,7 @@ pushd ../../ fill_helm_chart_no_override_defaults helm install -f "../helm/secrets-provider/ci/take-default-test-values-$UNIQUE_TEST_ID.yaml" \ secrets-provider ../helm/secrets-provider \ - --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-$UNIQUE_TEST_ID.pem" + --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-server.pem" popd # Validate that known defaults were taken if not supplied diff --git a/deploy/test/test_cases/TEST_ID_23_helm_service_account_exists.sh b/deploy/test/test_cases/TEST_ID_23_helm_service_account_exists.sh index d50e39a4..5a20acd5 100755 --- a/deploy/test/test_cases/TEST_ID_23_helm_service_account_exists.sh +++ b/deploy/test/test_cases/TEST_ID_23_helm_service_account_exists.sh @@ -17,7 +17,7 @@ pushd ../../ fill_helm_chart helm install -f "../helm/secrets-provider/ci/test-values-$UNIQUE_TEST_ID.yaml" \ secrets-provider ../helm/secrets-provider \ - --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-$UNIQUE_TEST_ID.pem" + --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-server.pem" popd ## Validate that resources were not created diff --git a/deploy/test/test_cases/TEST_ID_24_helm_validate_K8S_SECRETS_env_var_incorrect_value.sh b/deploy/test/test_cases/TEST_ID_24_helm_validate_K8S_SECRETS_env_var_incorrect_value.sh index 282c26c9..475cc60f 100755 --- a/deploy/test/test_cases/TEST_ID_24_helm_validate_K8S_SECRETS_env_var_incorrect_value.sh +++ b/deploy/test/test_cases/TEST_ID_24_helm_validate_K8S_SECRETS_env_var_incorrect_value.sh 
@@ -13,7 +13,7 @@ pushd ../../ fill_helm_chart helm install -f "../helm/secrets-provider/ci/test-values-$UNIQUE_TEST_ID.yaml" \ secrets-provider ../helm/secrets-provider \ - --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-$UNIQUE_TEST_ID.pem" + --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-server.pem" popd echo "Expecting Secrets Provider to fail with debug message 'CSPFK004D Failed to retrieve k8s secret. Reason: secrets K8S_SECRET-non-existent-secret not found'" diff --git a/deploy/test/test_cases/TEST_ID_25_helm_default_retry_successful.sh b/deploy/test/test_cases/TEST_ID_25_helm_default_retry_successful.sh index 9d2ab4dc..e9ac3214 100755 --- a/deploy/test/test_cases/TEST_ID_25_helm_default_retry_successful.sh +++ b/deploy/test/test_cases/TEST_ID_25_helm_default_retry_successful.sh @@ -31,7 +31,7 @@ pushd ../../ helm install -f "../helm/secrets-provider/ci/take-default-test-values-$UNIQUE_TEST_ID.yaml" \ -f "../helm/secrets-provider/ci/take-image-values-$UNIQUE_TEST_ID.yaml" \ secrets-provider ../helm/secrets-provider \ - --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-$UNIQUE_TEST_ID.pem" + --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-server.pem" popd pod_name="$(get_pod_name "$APP_NAMESPACE_NAME" 'app=test-helm')" diff --git a/deploy/test/test_cases/TEST_ID_26_helm_override_default_retry_successful.sh b/deploy/test/test_cases/TEST_ID_26_helm_override_default_retry_successful.sh index fd98c0e7..7e51d61e 100755 --- a/deploy/test/test_cases/TEST_ID_26_helm_override_default_retry_successful.sh +++ b/deploy/test/test_cases/TEST_ID_26_helm_override_default_retry_successful.sh 
@@ -14,7 +14,7 @@ pushd ../../ fill_helm_chart helm install -f "../helm/secrets-provider/ci/test-values-$UNIQUE_TEST_ID.yaml" \ secrets-provider ../helm/secrets-provider \ - --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-$UNIQUE_TEST_ID.pem" + --set-file environment.conjur.sslCertificate.value="test/test_cases/conjur-server.pem" popd pod_name="$(get_pod_name "$APP_NAMESPACE_NAME" 'app=test-helm')" diff --git a/deploy/test/test_in_docker.sh b/deploy/test/test_in_docker.sh index c3ceab42..197836cf 100755 --- a/deploy/test/test_in_docker.sh +++ b/deploy/test/test_in_docker.sh @@ -37,7 +37,8 @@ deployConjur() { # from inside the container docker pull $CONJUR_APPLIANCE_IMAGE - git clone git@github.com:cyberark/kubernetes-conjur-deploy \ + git clone --single-branch --branch master \ + git@github.com:cyberark/kubernetes-conjur-deploy \ kubernetes-conjur-deploy-$UNIQUE_TEST_ID cmd="./start" diff --git a/deploy/utils.sh b/deploy/utils.sh index ba04f7d0..c718c234 100644 --- a/deploy/utils.sh +++ b/deploy/utils.sh @@ -191,9 +191,9 @@ configure_cli_pod() { conjur_cli_pod=$(get_conjur_cli_pod_name) - $cli_with_timeout "exec $conjur_cli_pod -- bash -c \"yes yes | conjur init -a $CONJUR_ACCOUNT -u $conjur_url\"" + $cli_with_timeout "exec $conjur_cli_pod -- sh -c \"echo y | conjur init -a $CONJUR_ACCOUNT -u $conjur_url --self-signed --force\"" - $cli_with_timeout exec $conjur_cli_pod -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD + $cli_with_timeout exec $conjur_cli_pod -- conjur login -i admin -p $CONJUR_ADMIN_PASSWORD } configure_conjur_url() { @@ -216,7 +216,7 @@ fetch_ssl_from_conjur() { cert_location="/opt/conjur/etc/ssl/conjur.pem" if [ "$CONJUR_DEPLOYMENT" = "oss" ]; then selector="app=conjur-cli" - export cert_location="/root/conjur-${CONJUR_ACCOUNT}.pem" + export cert_location="/root/conjur-server.pem" fi export conjur_pod_name="$(get_pod_name "$CONJUR_NAMESPACE_NAME" "$selector")" 
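Review bot: `echo y | conjur init -a $CONJUR_ACCOUNT -u $conjur_url --self-signed --force` accepts whatever certificate the server presents, presumably by answering the trust prompt and skipping chain validation via `--self-signed`; that is acceptable for a throwaway CI cluster, but the line gives no hint that it is harness-only, so a comment such as `# CI harness only: trust the test server's self-signed cert on first contact` above it would keep it from being copied into other scripts. If `--force` already suppresses the confirmation prompt, the `echo y |` may be a leftover of the v7 `yes yes |` form and could be dropped; worth confirming against the v8 CLI. The `conjur login -i admin -p $CONJUR_ADMIN_PASSWORD` line below still passes the password unquoted in the exec command's argv. configure_cli_pod starts outside the hunk.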
@@ -227,9 +227,9 @@ setup_helm_environment() { configure_conjur_url - ssl_location="conjur-$UNIQUE_TEST_ID.pem" + ssl_location="conjur-server.pem" if [ "${DEV}" = "true" ]; then - ssl_location="../conjur-$UNIQUE_TEST_ID.pem" + ssl_location="../conjur-server.pem" fi fetch_ssl_from_conjur @@ -327,7 +327,7 @@ deploy_chart() { fill_helm_chart helm install -f "helm/secrets-provider/ci/test-values-$UNIQUE_TEST_ID.yaml" \ secrets-provider ./helm/secrets-provider \ - --set-file environment.conjur.sslCertificate.value="conjur-$UNIQUE_TEST_ID.pem" + --set-file environment.conjur.sslCertificate.value="conjur-server.pem" popd } @@ -444,7 +444,7 @@ set_conjur_secret() { echo "Set secret '$SECRET_NAME' to '$SECRET_VALUE'" set_namespace "$CONJUR_NAMESPACE_NAME" configure_cli_pod - $cli_with_timeout "exec $(get_conjur_cli_pod_name) -- conjur variable values add $SECRET_NAME $SECRET_VALUE" + $cli_with_timeout "exec $(get_conjur_cli_pod_name) -- conjur variable set -i $SECRET_NAME -v $SECRET_VALUE" set_namespace $APP_NAMESPACE_NAME } @@ -471,7 +471,7 @@ load_policy() { $cli_with_timeout "cp ../../policy $conjur_cli_pod:/policy" $cli_with_timeout "exec $(get_conjur_cli_pod_name) -- \ - conjur policy load --delete root \"/policy/generated/$APP_NAMESPACE_NAME.$filename.yml\"" + conjur policy update -b root -f \"/policy/generated/$APP_NAMESPACE_NAME.$filename.yml\"" $cli_with_timeout "exec $conjur_cli_pod -- rm -rf ./policy" @@ -504,7 +504,7 @@ test_secret_is_provided() { set_namespace "$CONJUR_NAMESPACE_NAME" conjur_cli_pod=$(get_conjur_cli_pod_name) - $cli_with_timeout "exec $conjur_cli_pod -- conjur variable values add \"$variable_name\" $secret_value" + $cli_with_timeout "exec $conjur_cli_pod -- conjur variable set -i \"$variable_name\" -v $secret_value" set_namespace "$APP_NAMESPACE_NAME" deploy_init_env
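Review bot: In the set_conjur_secret hunk the new line interpolates `-i $SECRET_NAME -v $SECRET_VALUE` unquoted into the single string handed to `$cli_with_timeout`, and the test_secret_is_provided hunk does the same for `-v $secret_value` while quoting `\"$variable_name\"` on the same line; a value containing whitespace or shell metacharacters would be split or interpreted when that string is re-parsed, so the Conjur variable would hold something other than what the caller passed (load_policies.sh's `secrets/var with spaces` shows such inputs are expected). Quoting both, `-i \"$SECRET_NAME\" -v \"$SECRET_VALUE\"` and `-v \"$secret_value\"`, matches the style already used for `$variable_name`. How `$cli_with_timeout` re-parses its argument is not visible here, and both functions start outside their hunks.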