Add Milestone Job integration tests for Helm Chart

CONTRIBUTING.md

@@ -66,7 +66,9 @@ You can now deploy a local development environment for Kubernetes using [Docker
 
    1. Navigate to Docker preferences
 
-   1. Click on "Advanced" and slide the "Memory" bar to 6
+   1. Click on "Resources" and slide the "Memory" bar to 6
+
+1. If you intend to deploy the Secrets Provider via Helm, you will need to install the Helm CLI. See [here](https://helm.sh/docs/intro/install/) for instructions on how to do so.
 
 #### Deploy
 
@@ -80,9 +82,9 @@ Run ` kubectl config current-context` to verify which context you are currently
 
 Run `kubectl config use-context docker-desktop` to switch to a local context. This is the context you will need to run the development environment
 
-1. Navigate to `bootstrap.env` and uncomment the `Local DEV Env` section, ensuring that `DEV=true`
+1. Navigate to `bootstrap.env` and uncomment the `Local DEV Env` section, ensuring that `DEV=true`. Additionally, you can deploy the Secrets Provider locally using HELM. To do so, _also_ uncomment `DEV_HELM`
 
-1. Run `./bin/start --dev --gke`, appending `--oss` or `--dap` according to the environment that needs to be deployed
+1. Run `./bin/start --dev`, appending `--oss` or `--dap` according to the environment that needs to be deployed
 
 1. To view the pod(s) that were deployed and the Secrets Provider logs, run `kubectl get pods` and `kubectl logs <pod-name> -c cyberark-secrets-provider` respectively. 
 You can also view Conjur/DAP pod logs by running `kubectl get pods -n local-conjur` and `kubectl logs <conjur-pod-name> -n local-conjur`

Jenkinsfile

@@ -48,9 +48,9 @@ pipeline {
             tasks["Kubernetes GKE, oss"] = {
               sh "./bin/start --docker --oss --gke"
             }
-            tasks["Openshift v3.11, oss"] = {
-              sh "./bin/start --docker --oss --oc311"
-            }
+            // tasks["Openshift v3.11, oss"] = {
+            //  sh "./bin/start --docker --oss --oc311"
+            // }
             // skip oc310 tests until the environment will be ready to use
             // tasks["Openshift v3.10, oss"] = {
             //   sh "./bin/start --docker --oss --oc310"

bin/build_utils

@@ -8,21 +8,21 @@ set -euo pipefail
 
 readonly VERSION_GO_FILE="pkg/secrets/version.go"
 
-function short_version_tag() {
+short_version_tag() {
   grep -v '^//' "${VERSION_GO_FILE}" | grep 'var Version =' | awk -F'= ' '{print $2}' | tr -d '"'
 }
 
-function git_tag() {
+git_tag() {
   git rev-parse --short HEAD
 }
 
-function full_version_tag() {
+full_version_tag() {
   echo "$(short_version_tag)-$(git_tag)"
 }
 
 # generate less specific versions, eg. given 1.2.3 will print 1.2 and 1
 # (note: the argument itself is not printed, append it explicitly if needed)
-function gen_versions() {
+gen_versions() {
   local version=$1
   while [[ $version = *.* ]]; do
     version=${version%.*}

bin/start

@@ -1,6 +1,6 @@
 #!/bin/bash -ex
 
-function print_help() {
+print_help() {
   cat << EOF
 Test the secrets-provider-for-k8s image. This script sets up a Conjur cluster in k8s and deploys a k8s environment with an app
 container and a secrets-provider-for-k8s init container. Finally it tests that the outcome is as expected (for example,
@@ -29,7 +29,7 @@ EOF
   exit
 }
 
-function runScriptWithSummon() {
+runScriptWithSummon() {
     summon --environment $SUMMON_ENV -f ./summon/secrets.yml $1
 }
 

bootstrap.env

@@ -18,8 +18,10 @@ export APP_NAMESPACE_NAME=app-$UNIQUE_TEST_ID
 # export AUTHENTICATOR_ID=authn-dev-env
 # export APP_NAMESPACE_NAME=local-secrets-provider
 # export CONJUR_NAMESPACE_NAME=local-conjur
-# export DEV=true
 # export STOP_RUNNING_ENV=true
 # export CONJUR_ACCOUNT=cucumber
 # export CONJUR_LOG_LEVEL=debug
-
+# export CONJUR_AUTHENTICATORS=authn-k8s/${AUTHENTICATOR_ID}
+# export DEV=true
+# Uncomment to deploy the Secrets Provider using HELM
+# export DEV_HELM=true

deploy/2_create_app_namespace.sh

@@ -26,10 +26,7 @@ fi
 
 $cli_with_timeout delete --ignore-not-found rolebinding app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME
 
-CONFIG_DIR="config/k8s"
-if [[ "$PLATFORM" = "openshift" ]]; then
-    CONFIG_DIR="config/openshift"
-fi
+set_config_directory_path
 
 wait_for_it 600  "./$CONFIG_DIR/app-conjur-authenticator-role-binding.sh.yml | $cli_without_timeout apply -f -"
 

deploy/dev/5_load_environment.sh

@@ -3,30 +3,40 @@ set -euxo pipefail
 
 . utils.sh
 
-function main() {
+main() {
+  export DEV_HELM=${DEV_HELM:-"false"}
   ./teardown_resources.sh
 
   set_namespace "$APP_NAMESPACE_NAME"
 
-  configure_secret
+  if [ "${DEV_HELM}" = "true" ]; then
+    setup_helm_environment
 
-  deploy_env
-}
+    create_k8s_secret
+    export IMAGE_PULL_POLICY="Never"
+    export IMAGE="secrets-provider-for-k8s"
+    export TAG="dev"
+    deploy_chart
+
+    deploy_helm_app
+  else
+    create_k8s_secret
 
-function configure_secret() {
-  announce "Configuring K8s Secret and access."
+    create_secret_access_role
 
-  export CONFIG_DIR="$PWD/config/k8s"
-  if [[ "$PLATFORM" = "openshift" ]]; then
-      export CONFIG_DIR="$PWD/config/openshift"
+    create_secret_access_role_binding
+
+    deploy_init_env
   fi
+}
 
-  echo "Create secret k8s-secret"
-  $cli_with_timeout create -f $CONFIG_DIR/k8s-secret.yml
+create_k8s_secret() {
+  announce "Creating K8s Secret."
 
-  create_secret_access_role
+  set_config_directory_path
 
-  create_secret_access_role_binding
+  echo "Create secret k8s-secret"
+  $cli_with_timeout create -f $CONFIG_DIR/k8s-secret.yml
 }
 
 main

deploy/dev/config/k8s/secrets-provider-init-container.sh.yml

@@ -7,17 +7,17 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    app: init-env
-  name: init-env
+    app: test-env
+  name: test-env
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: init-env
+      app: test-env
   template:
     metadata:
       labels:
-        app: init-env
+        app: test-env
     spec:
       serviceAccountName: ${APP_NAMESPACE_NAME}-sa
       containers:

deploy/dev/reload.sh

@@ -3,32 +3,49 @@ set -xeuo pipefail
 
 . utils.sh
 
-# Script for making it easy to make a change locally and redeploy
-pushd ..
-  ./bin/build
-popd
+main() {
+  export DEV_HELM=${DEV_HELM:-"false"}
 
-set_namespace $APP_NAMESPACE_NAME
+   # Clean-up previous run
+  if [ "$(helm ls -aq | wc -l | tr -d ' ')" != 0 ]; then
+    helm delete $(helm ls -aq)
+  fi
+  $cli_with_timeout "delete deployment test-env --ignore-not-found=true"
 
-docker tag "secrets-provider-for-k8s:dev" "${APP_NAMESPACE_NAME}/secrets-provider"
+  pushd ..
+    ./bin/build
+  popd
 
-selector="role=follower"
-cert_location="/opt/conjur/etc/ssl/conjur.pem"
-if [ "$CONJUR_DEPLOYMENT" = "oss" ]; then
-  selector="app=conjur-cli"
-  cert_location="/root/conjur-${CONJUR_ACCOUNT}.pem"
-fi
+  set_namespace $APP_NAMESPACE_NAME
 
-conjur_pod_name=$($cli_with_timeout get pods --selector=$selector --namespace $CONJUR_NAMESPACE_NAME --no-headers | awk '{ print $1 }' | head -1)
-ssl_cert=$($cli_with_timeout "exec ${conjur_pod_name} --namespace $CONJUR_NAMESPACE_NAME cat $cert_location")
+  if [ "${DEV_HELM}" = "true" ]; then
+    setup_helm_environment
 
-export CONJUR_SSL_CERTIFICATE=$ssl_cert
+    export IMAGE_PULL_POLICY="Never"
+    export IMAGE="secrets-provider-for-k8s"
+    export TAG="dev"
+    deploy_chart
 
-export CONFIG_DIR="$PWD/config/k8s"
-if [[ "$PLATFORM" = "openshift" ]]; then
-  export CONFIG_DIR="$PWD/config/openshift"
-fi
+    deploy_helm_app
+  else
+    selector="role=follower"
+    cert_location="/opt/conjur/etc/ssl/conjur.pem"
+    if [ "$CONJUR_DEPLOYMENT" = "oss" ]; then
+      selector="app=conjur-cli"
+      cert_location="/root/conjur-${CONJUR_ACCOUNT}.pem"
+    fi
 
-$cli_with_timeout "delete deployment init-env --ignore-not-found=true"
+    conjur_pod_name=$($cli_with_timeout get pods --selector=$selector --namespace $CONJUR_NAMESPACE_NAME --no-headers | awk '{ print $1 }' | head -1)
+    ssl_cert=$($cli_with_timeout "exec ${conjur_pod_name} --namespace $CONJUR_NAMESPACE_NAME cat $cert_location")
 
-deploy_env
+    export CONJUR_SSL_CERTIFICATE=$ssl_cert
+
+    set_config_directory_path
+
+    $cli_with_timeout "delete deployment init-env --ignore-not-found=true"
+
+    deploy_init_env
+  fi
+}
+
+main

deploy/platform_login.sh

@@ -3,7 +3,7 @@
 set -euo pipefail
 IFS=$'\n\t'
 
-function main() {
+main() {
   # Log in to platform
   if [[ "$PLATFORM" = "kubernetes" ]]; then
     gcloud auth activate-service-account \

deploy/policy/templates/conjur-secrets.template.sh.yml

@@ -8,6 +8,7 @@ cat << EOL
   body:
     - &variables
       - !variable test_secret
+      - !variable another_test_secret
       - !variable var with spaces
       - !variable var+with+pluses
 

deploy/run.sh

@@ -4,12 +4,12 @@ set -xeuo pipefail
 . utils.sh
 printenv > /tmp/printenv_local.debug
 
-function main() {
+main() {
   deployConjur
   ./run_with_summon.sh
 }
 
-function deployConjur() {
+deployConjur() {
   pushd ..
     git clone [email protected]:cyberark/kubernetes-conjur-deploy kubernetes-conjur-deploy-$UNIQUE_TEST_ID
 

deploy/run_with_summon.sh

@@ -4,15 +4,18 @@ set -xeuo pipefail
 . utils.sh
 
 # Clean up when script completes and fails
-function finish {
+finish() {
   # There is a TRAP in test_in_docker.sh to account for Docker deployments so we do not need to add another one here
   # Stop the running processes
   if [[ $RUN_IN_DOCKER = false && $DEV = false ]]; then
     announce 'Wrapping up and removing environment'
-    ./stop
-    cd ./kubernetes-conjur-deploy-$UNIQUE_TEST_ID && ./stop
+    repo_root_path=$(git rev-parse --show-toplevel)
+    "$repo_root_path/deploy/stop"
+    pushd $repo_root_path/kubernetes-conjur-deploy-$UNIQUE_TEST_ID
+      ./stop
+    popd
     # Remove the deploy directory
-    rm -rf "../kubernetes-conjur-deploy-$UNIQUE_TEST_ID"
+    rm -rf "$repo_root_path/kubernetes-conjur-deploy-$UNIQUE_TEST_ID"
   fi
 }
 trap finish EXIT
@@ -59,7 +62,7 @@ ssl_cert=$($cli_with_timeout "exec ${conjur_pod_name} --namespace $CONJUR_NAMESP
 
 export CONJUR_SSL_CERTIFICATE=$ssl_cert
 
-if [ "${DEV}" = "false"  ]; then
+if [[ "${DEV}" = "false" ]]; then
   pushd ./test/test_cases > /dev/null
     ./run_tests.sh
   popd > /dev/null

deploy/teardown_resources.sh

@@ -7,31 +7,62 @@ set -euxo pipefail
 set_namespace $CONJUR_NAMESPACE_NAME
 
 configure_cli_pod
-if [ "${DEV}" = "false" ]; then
-  $cli_with_timeout "exec $(get_conjur_cli_pod_name) -- conjur variable values add secrets/test_secret \"supersecret\""
+
+## Helm Chart clean-up
+#rm -f conjur.pem
+
+helm_ci_path="../helm/secrets-provider/ci"
+if [[ "${DEV}" = "false" || "${RUN_IN_DOCKER}" = "true" ]]; then
+  helm_ci_path="../../../helm/secrets-provider/ci"
+fi
+pushd $helm_ci_path
+  find . -type f ! -name '*template.yaml' -delete
+popd
+
+# Delete Helm Chart if already exists
+set_namespace $APP_NAMESPACE_NAME
+if [ "$(helm ls -aq | wc -l | tr -d ' ')" != 0 ]; then
+  helm delete $(helm ls -aq)
 fi
 
+set_namespace $CONJUR_NAMESPACE_NAME
+
+$cli_with_timeout "exec $(get_conjur_cli_pod_name) -- conjur variable values add secrets/test_secret \"supersecret\""
+
 set_namespace $APP_NAMESPACE_NAME
 
 $cli_with_timeout "delete secret dockerpullsecret --ignore-not-found=true"
 
 $cli_with_timeout "delete clusterrole secrets-access-${UNIQUE_TEST_ID} --ignore-not-found=true"
 
+$cli_with_timeout "delete role another-secrets-provider-role --ignore-not-found=true"
+
 $cli_with_timeout "delete secret test-k8s-secret --ignore-not-found=true"
 
+$cli_with_timeout "delete secret another-test-k8s-secret --ignore-not-found=true"
+
 $cli_with_timeout "delete serviceaccount ${APP_NAMESPACE_NAME}-sa --ignore-not-found=true"
 
+$cli_with_timeout "delete serviceaccount another-secrets-provider-service-account --ignore-not-found=true"
+
 $cli_with_timeout "delete rolebinding secrets-access-role-binding --ignore-not-found=true"
 
+$cli_with_timeout "delete rolebinding another-secrets-provider-role-binding --ignore-not-found=true"
+
 if [ "${PLATFORM}" = "kubernetes" ]; then
   $cli_with_timeout "delete deployment test-env --ignore-not-found=true"
+  $cli_with_timeout "delete deployment another-test-env --ignore-not-found=true"
 elif [ "${PLATFORM}" = "openshift" ]; then
   $cli_with_timeout "delete deploymentconfig test-env --ignore-not-found=true"
+  $cli_with_timeout "delete deploymentconfig another-test-env --ignore-not-found=true"
 fi
 
 $cli_with_timeout "delete configmap conjur-master-ca-env --ignore-not-found=true"
 
-if [ "${DEV}" = "false" ]; then
-  echo "Verifying there are no (terminating) pods of type test-env"
-  $cli_with_timeout "get pods --namespace=$APP_NAMESPACE_NAME --selector app=test-env --no-headers | wc -l | tr -d ' ' | grep '^0$'"
-fi
+echo "Verifying there are no (terminating) pods of type test-env"
+$cli_with_timeout "get pods --namespace=$APP_NAMESPACE_NAME --selector app=test-env --no-headers | wc -l | tr -d ' ' | grep '^0$'"
+
+$cli_with_timeout "get pods --namespace=$APP_NAMESPACE_NAME --selector app=another-test-env --no-headers | wc -l | tr -d ' ' | grep '^0$'"
+
+echo "Verifying there are no (terminating) pods for Secrets Provider deployed with Helm"
+$cli_with_timeout "get pods --namespace=$APP_NAMESPACE_NAME --selector app=test-helm --no-headers | wc -l | tr -d ' ' | grep '^0$'"

deploy/test/Dockerfile

@@ -24,3 +24,13 @@ RUN mkdir -p ocbin && \
     tar xvf oc.tar.gz --strip-components=1 -C ocbin && \
     mv ocbin/oc /usr/local/bin/oc && \
     rm -rf ocbin oc.tar.gz
+
+# Install Helm
+RUN curl https://baltocdn.com/helm/signing.asc | apt-key add - && \
+    apt-get install apt-transport-https --yes && \
+    echo "deb https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list && \
+    apt-get update && \
+    apt-get install helm=3.2.*
+
+# Adds ability to perform mathematical operations with floats for testing
+RUN apt-get install -y bc