Skip to content

Commit

Permalink
WIP - Demo supports Conjur OSS and annotation-based authn-k8s
Browse files Browse the repository at this point in the history
Work-in-Progress: Needs testing on minikube/Kind, OpenShift,
and with DAP/appliance image.

This change adds support for:

- Running demo scripts directly on a Conjur OSS cluster that has been
  deployed via Conjur OSS Helm chart.
- Creation of a Conjur CLI pod if it doesn't exist.
- Selectable operation for annotation-based authn-k8s vs.
  host-ID-based authn-k8s.

Addresses Issue #106
  • Loading branch information
diverdane committed Sep 29, 2020
1 parent d310cf5 commit 483120b
Show file tree
Hide file tree
Showing 11 changed files with 185 additions and 24 deletions.
15 changes: 10 additions & 5 deletions 1_create_test_app_namespace.sh
Original file line number Diff line number Diff line change
Expand Up @@ -26,11 +26,16 @@ else
set_namespace $TEST_APP_NAMESPACE_NAME
fi

$cli delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME

sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./$PLATFORM/test-app-conjur-authenticator-role-binding.yml |
sed "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" |
$cli create -f -
# A Conjur cluster that was deployed via Conjur OSS Helm chart includes a
# ClusterRoleBinding, so there is no need to delete/recreate a namespaced
# RoleBinding.
if [[ $CONJUR_OSS_CLUSTER != true ]]; then
$cli delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME

sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./$PLATFORM/test-app-conjur-authenticator-role-binding.yml |
sed "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" |
$cli create -f -
fi

if [[ $PLATFORM == openshift ]]; then
# add permissions for Conjur admin user
Expand Down
65 changes: 62 additions & 3 deletions 2_load_conjur_policies.sh
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,56 @@ set -euo pipefail

announce "Generating Conjur policy."

prepare_conjur_cli_image() {
announce "Pulling and pushing Conjur CLI image."

docker pull cyberark/conjur-cli:$CONJUR_VERSION-latest

cli_app_image=$(platform_image conjur-cli)
docker tag cyberark/conjur-cli:$CONJUR_VERSION-latest $cli_app_image

if ! is_minienv; then
docker push $cli_app_image
fi
}

deploy_conjur_cli() {
announce "Deploying Conjur CLI pod."

if is_minienv; then
IMAGE_PULL_POLICY='Never'
else
IMAGE_PULL_POLICY='Always'
fi
if [ "$CONJUR_OSS_CLUSTER" = "true" ]; then
service_account='conjur-oss'
else
service_account='conjur-cluster'
fi

cli_app_image=$(platform_image conjur-cli)
sed -e "s#{{ CONJUR_SERVICE_ACCOUNT }}#$service_account#g" ./$PLATFORM/conjur-cli.yml |
sed -e "s#{{ DOCKER_IMAGE }}#$cli_app_image#g" |
sed -e "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" |
$cli create -f -

sleep 5
}

configure_conjur_cli() {
announce "Configuring Conjur CLI pod."

if [[ "$CONJUR_OSS_CLUSTER" == "true" ]]; then
conjur_master='conjur-oss'
else
conjur_master='conjur-master'
fi
conjur_url="${CONJUR_APPLIANCE_URL:-https://$conjur_master.$CONJUR_NAMESPACE_NAME.svc.cluster.local}"

$cli exec $1 -- bash -c "yes yes | conjur init -a $CONJUR_ACCOUNT -u $conjur_url"
$cli exec $1 -- conjur authn login -u admin -p "$CONJUR_ADMIN_PASSWORD"
}

pushd policy
mkdir -p ./generated

Expand Down Expand Up @@ -36,12 +86,21 @@ popd
# Create the random database password
password=$(openssl rand -hex 12)

if [[ "${DEPLOY_MASTER_CLUSTER}" == "true" ]]; then

announce "Loading Conjur policy."
if [[ "${DEPLOY_MASTER_CLUSTER}" == "true" || "${CONJUR_OSS_CLUSTER}" == "true" ]]; then

set_namespace "$CONJUR_NAMESPACE_NAME"


announce "Finding or creating a Conjur CLI pod"
conjur_cli_pod=$(get_conjur_cli_pod_name)
if [ -z "$conjur_cli_pod" ]; then
prepare_conjur_cli_image
deploy_conjur_cli
conjur_cli_pod=$(get_conjur_cli_pod_name)
configure_conjur_cli $conjur_cli_pod
fi

announce "Loading Conjur policy."

$cli exec $conjur_cli_pod -- rm -rf /policy
$cli cp ./policy $conjur_cli_pod:/policy
Expand Down
6 changes: 5 additions & 1 deletion 3_init_conjur_cert_authority.sh
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ set_namespace $CONJUR_NAMESPACE_NAME

conjur_master=$(get_master_pod_name)

$cli exec $conjur_master -- chpst -u conjur conjur-plugin-service possum rake authn_k8s:ca_init["conjur/authn-k8s/$AUTHENTICATOR_ID"]
if [[ "$CONJUR_OSS_CLUSTER" == "true" ]]; then
$cli exec $conjur_master -c conjur-oss -- bash -c "CONJUR_ACCOUNT=$CONJUR_ACCOUNT rake authn_k8s:ca_init['conjur/authn-k8s/$AUTHENTICATOR_ID']"
else
$cli exec $conjur_master -- chpst -u conjur conjur-plugin-service possum rake authn_k8s:ca_init["conjur/authn-k8s/$AUTHENTICATOR_ID"]
fi

echo "Certificate authority initialized."
17 changes: 11 additions & 6 deletions 4_store_conjur_cert.sh
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,18 @@ set_namespace $CONJUR_NAMESPACE_NAME

echo "Retrieving Conjur certificate."

if $cli get pods --selector role=follower --no-headers; then
follower_pod_name=$($cli get pods --selector role=follower --no-headers | awk '{ print $1 }' | head -1)
ssl_cert=$($cli exec $follower_pod_name -- cat /opt/conjur/etc/ssl/conjur.pem)
if [[ "$CONJUR_OSS_CLUSTER" == "true" ]]; then
master_pod_name=$(get_master_pod_name)
ssl_cert=$($cli exec -c "conjur-oss-nginx" $master_pod_name -- cat /opt/conjur/etc/ssl/cert/tls.crt)
else
echo "Regular follower not found. Trying to assume a decomposed follower..."
follower_pod_name=$($cli get pods --selector role=decomposed-follower --no-headers | awk '{ print $1 }' | head -1)
ssl_cert=$($cli exec -c "nginx" $follower_pod_name -- cat /opt/conjur/etc/ssl/cert/tls.crt)
if $cli get pods --selector role=follower --no-headers; then
follower_pod_name=$($cli get pods --selector role=follower --no-headers | awk '{ print $1 }' | head -1)
ssl_cert=$($cli exec $follower_pod_name -- cat /opt/conjur/etc/ssl/conjur.pem)
else
echo "Regular follower not found. Trying to assume a decomposed follower..."
follower_pod_name=$($cli get pods --selector role=decomposed-follower --no-headers | awk '{ print $1 }' | head -1)
ssl_cert=$($cli exec -c "nginx" $follower_pod_name -- cat /opt/conjur/etc/ssl/cert/tls.crt)
fi
fi

set_namespace $TEST_APP_NAMESPACE_NAME
Expand Down
20 changes: 15 additions & 5 deletions 6_deploy_test_app.sh
Original file line number Diff line number Diff line change
Expand Up @@ -65,11 +65,21 @@ init_connection_specs() {
secretless_image="cyberark/secretless-broker"
fi

conjur_follower_name=${CONJUR_FOLLOWER_NAME:-conjur-follower}
conjur_appliance_url=https://$conjur_follower_name.$CONJUR_NAMESPACE_NAME.svc.cluster.local/api
conjur_authenticator_url=https://$conjur_follower_name.$CONJUR_NAMESPACE_NAME.svc.cluster.local/api/authn-k8s/$URLENCODED_AUTHN_ID
service_domain="$CONJUR_NAMESPACE_NAME.svc.cluster.local"
if [[ "$CONJUR_OSS_CLUSTER" == "true" ]]; then
conjur_appliance_url="${CONJUR_APPLIANCE_URL:-https://conjur-oss.$service_domain}"
else
conjur_follower_name="${CONJUR_FOLLOWER_NAME:-conjur-follower}"
conjur_appliance_url="https://$conjur_follower_name.$service_domain/api"
fi
conjur_authenticator_url="$conjur_appliance_url/authn-k8s/$URLENCODED_AUTHN_ID"

conjur_authn_login_prefix=host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps/$TEST_APP_NAMESPACE_NAME/$CONJUR_AUTHN_LOGIN_RESOURCE
prefix_common="host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps"
if [[ "$ANNOTATION_BASED_AUTHN" == "true" ]]; then
conjur_authn_login_prefix="$prefix_common"
else
conjur_authn_login_prefix="$prefix_common/$TEST_APP_NAMESPACE_NAME/$CONJUR_AUTHN_LOGIN_RESOURCE"
fi
}

###########################
Expand All @@ -90,7 +100,7 @@ deploy_app_backend() {
case "${TEST_APP_DATABASE}" in
postgres)
echo "Create secrets for test app backend"
$cli --namespace $TEST_APP_NAMESPACE_NAME \
$cli --namespace "$TEST_APP_NAMESPACE_NAME" \
create secret generic \
test-app-backend-certs \
--from-file=server.crt=./etc/ca.pem \
Expand Down
1 change: 1 addition & 0 deletions 7_verify_authentication.sh
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ set -euo pipefail

. utils.sh

init_bash_lib

RETRIES=150
# Seconds
Expand Down
14 changes: 14 additions & 0 deletions bootstrap.env
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,17 @@ export TEST_APP_NAMESPACE_NAME=[choose the namespace to deploy your apps to]
export TEST_APP_DATABASE=[choose the database to deploy your apps with (mysql|postgres) ]
export CONJUR_ACCOUNT=[Conjur account]
export CONJUR_ADMIN_PASSWORD=[password of Conjur admin user]
export ANNOTATION_BASED_AUTHN=[true or false, defaults to false]
export CONJUR_OSS_CLUSTER=[true or false, defaults to false]

# Set these explicitly if not using the kubernetes-conjur-deploy scripts.
export CONJUR_NAMESPACE_NAME=[namespace where Conjur is deployed]
export AUTHENTICATOR_ID=[authenticator ID]
export DOCKER_REGISTRY_URL=[set to Docker registry domain]
export DOCKER_REGISTRY_PATH=[set to Docker organization]

# Set these if using a private Dockerhub account
export DOCKER_USERNAME=[Docker username]
export DOCKER_PASSWORD=[Docker password]
export DOCKER_EMAIL=[Docker email]

54 changes: 54 additions & 0 deletions policy/templates/project-authn-def.template.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,60 @@
annotations:
description: Layer of authenticator identities permitted to call authn svc
- &hosts
# Annotation-based authentication (host ID is an application name, and
# permitted application identities are listed as annotations)
- !host
id: test-app-summon-sidecar
annotations:
authn-k8s/namespace: {{ TEST_APP_NAMESPACE_NAME }}
authn-k8s/service-account: test-app-summon-sidecar
authn-k8s/deployment: test-app-summon-sidecar
authn-k8s/authentication-container-name: authenticator
kubernetes: "{{ IS_KUBERNETES }}"
- !host
id: test-app-summon-init
annotations:
authn-k8s/namespace: {{ TEST_APP_NAMESPACE_NAME }}
authn-k8s/service-account: test-app-summon-init
authn-k8s/deployment: test-app-summon-init
authn-k8s/authentication-container-name: authenticator
kubernetes: "{{ IS_KUBERNETES }}"
- !host
id: test-app-secretless
annotations:
authn-k8s/namespace: {{ TEST_APP_NAMESPACE_NAME }}
authn-k8s/service-account: test-app-secretless
authn-k8s/deployment: test-app-secretless
authn-k8s/authentication-container-name: secretless
kubernetes: "{{ IS_KUBERNETES }}"

- !host
id: oc-test-app-summon-sidecar
annotations:
authn-k8s/namespace: {{ TEST_APP_NAMESPACE_NAME }}
authn-k8s/service-account: oc-test-app-summon-sidecar
authn-k8s/deployment: oc-test-app-summon-sidecar
authn-k8s/authentication-container-name: authenticator
openshift: "{{ IS_OPENSHIFT }}"
- !host
id: oc-test-app-summon-init
annotations:
authn-k8s/namespace: {{ TEST_APP_NAMESPACE_NAME }}
authn-k8s/service-account: oc-test-app-summon-init
authn-k8s/deployment: oc-test-app-summon-init
authn-k8s/authentication-container-name: authenticator
openshift: "{{ IS_OPENSHIFT }}"
- !host
id: oc-test-app-secretless
annotations:
authn-k8s/namespace: {{ TEST_APP_NAMESPACE_NAME }}
authn-k8s/service-account: oc-test-app-secretless
authn-k8s/deployment: oc-test-app-secretless
authn-k8s/authentication-container-name: secretless
openshift: "{{ IS_OPENSHIFT }}"

# Host-ID based authentication (the host ID includes the application
# identity directly)
- !host
id: {{ TEST_APP_NAMESPACE_NAME }}/*/*
annotations:
Expand Down
6 changes: 4 additions & 2 deletions set_env_vars.sh
Original file line number Diff line number Diff line change
@@ -1,15 +1,17 @@
#!/usr/bin/env bash

set -euo pipefail

# Set the default values of environment variables used by the scripts
PLATFORM="${PLATFORM:-kubernetes}" # default to kubernetes if env var not set
CONJUR_AUTHN_LOGIN_RESOURCE="${CONJUR_AUTHN_LOGIN_RESOURCE:-service_account}" # default to service_account

CONJUR_VERSION="${CONJUR_VERSION:-5}"

MINIKUBE="${MINIKUBE:-false}"
MINISHIFT="${MINISHIFT:-false}"

LOCAL_AUTHENTICATOR="${LOCAL_AUTHENTICATOR:-false}"
DEPLOY_MASTER_CLUSTER="${DEPLOY_MASTER_CLUSTER:-false}"
CONJUR_OSS_CLUSTER="${CONJUR_OSS_CLUSTER:-false}"
ANNOTATION_BASED_AUTHN="${ANNOTATION_BASED_AUTHN:-false}"

DOCKER_EMAIL="${DOCKER_EMAIL:-}"
2 changes: 1 addition & 1 deletion start
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ init_bash_lib

./1_create_test_app_namespace.sh

if [[ "${DEPLOY_MASTER_CLUSTER}" = "true" ]]; then
if [[ "${DEPLOY_MASTER_CLUSTER}" == "true" || "${CONJUR_OSS_CLUSTER}" == "true" ]]; then
# Only automatically run these scripts for dev/demo envs deploying a master
# cluster directly to k8s/oc
./2_load_conjur_policies.sh
Expand Down
9 changes: 8 additions & 1 deletion utils.sh
Original file line number Diff line number Diff line change
Expand Up @@ -82,8 +82,15 @@ get_pod_name() {
echo "$pod_name"
}

get_pods() {
$cli get pods --selector "$1" --no-headers | awk '{ print $1 }'
}

get_master_pod_name() {
pod_list=$($cli get pods --selector app=conjur-node,role=master --no-headers | awk '{ print $1 }')
pod_list=$(get_pods "app=conjur-node,role=master")
if [ -z "$pod_list" ]; then
pod_list=$(get_pods "app=conjur-oss")
fi
echo $pod_list | awk '{print $1}'
}

Expand Down

0 comments on commit 483120b

Please sign in to comment.