Demo supports Conjur OSS and annotation-based authn-k8s
This change adds support for: - Running demo scripts directly on a Conjur OSS cluster that has been deployed via the Conjur OSS Helm chart. - Creation of a Conjur CLI pod if it doesn't exist. - Selectable operation for annotation-based authn-k8s vs. host-ID-based authn-k8s. - Running demo scripts on platforms that do not have a load balancer configured (e.g. for testing on KinD or Minikube without having to load MetalLB). - CI for both annotation-based and host-ID-based identity authentication for GKE and OpenShift. Addresses Issue #106
diverdane
committed
Oct 9, 2020
1 parent
d310cf5
commit 5b8e937
Showing
29 changed files
with
569 additions
and
347 deletions.
File renamed without changes.
@@ -0,0 +1,9 @@ | ||
#!/usr/bin/env bash | ||
set -euo pipefail | ||
|
||
. utils.sh | ||
|
||
if [[ $PLATFORM == openshift ]]; then | ||
oc login -u $OSHIFT_CLUSTER_ADMIN_USERNAME | ||
fi | ||
|
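Review bot: `oc login -u $OSHIFT_CLUSTER_ADMIN_USERNAME` supplies only a username, so it relies on whatever server the current kubeconfig context points at and, unless a session already exists, will prompt for a password on stdin — a non-interactive CI run (which this commit adds for OpenShift) would block or fail there. Logging in as the cluster admin also means every later demo step runs with that identity; if the scripts only need namespace-scoped rights, a dedicated lower-privileged account, or a token via `oc login --token=... --server=...`, would be the safer default. At minimum quote the expansion, `oc login -u "$OSHIFT_CLUSTER_ADMIN_USERNAME"`, and add a comment stating that an interactive password prompt (or a pre-existing login) is expected here.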
@@ -0,0 +1,138 @@ | ||
#!/usr/bin/env bash | ||
set -euo pipefail | ||
|
||
. utils.sh | ||
|
||
announce "Generating Conjur policy." | ||
|
||
prepare_conjur_cli_image() { | ||
announce "Pulling and pushing Conjur CLI image." | ||
|
||
docker pull cyberark/conjur-cli:$CONJUR_VERSION-latest | ||
|
||
cli_app_image=$(platform_image conjur-cli) | ||
docker tag cyberark/conjur-cli:$CONJUR_VERSION-latest $cli_app_image | ||
|
||
if ! is_minienv; then | ||
docker push $cli_app_image | ||
fi | ||
} | ||
|
||
deploy_conjur_cli() { | ||
announce "Deploying Conjur CLI pod." | ||
|
||
if is_minienv; then | ||
IMAGE_PULL_POLICY='Never' | ||
else | ||
IMAGE_PULL_POLICY='Always' | ||
fi | ||
if [ "$CONJUR_OSS_HELM_INSTALLED" = "true" ]; then | ||
service_account='conjur-oss' | ||
else | ||
service_account='conjur-cluster' | ||
fi | ||
|
||
cli_app_image=$(platform_image conjur-cli) | ||
sed -e "s#{{ CONJUR_SERVICE_ACCOUNT }}#$service_account#g" ./$PLATFORM/conjur-cli.yml | | ||
sed -e "s#{{ DOCKER_IMAGE }}#$cli_app_image#g" | | ||
sed -e "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" | | ||
$cli create -f - | ||
|
||
conjur_cli_pod=$(get_conjur_cli_pod_name) | ||
wait_for_it 300 "$cli get pod $conjur_cli_pod -o jsonpath='{.status.phase}'| grep -q Running" | ||
} | ||
|
||
configure_conjur_cli() { | ||
announce "Configuring Conjur CLI pod." | ||
|
||
if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then | ||
conjur_service='conjur-oss' | ||
else | ||
conjur_service='conjur-master' | ||
fi | ||
conjur_url=${CONJUR_APPLIANCE_URL:-https://$conjur_service.$CONJUR_NAMESPACE_NAME.svc.cluster.local} | ||
|
||
$cli exec $1 -- bash -c "yes yes | conjur init -a $CONJUR_ACCOUNT -u $conjur_url" | ||
$cli exec $1 -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD | ||
} | ||
|
||
pushd policy | ||
mkdir -p ./generated | ||
|
||
# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI | ||
|
||
if [[ "$PLATFORM" == "openshift" ]]; then | ||
is_openshift=true | ||
is_kubernetes=false | ||
else | ||
is_openshift=false | ||
is_kubernetes=true | ||
fi | ||
|
||
sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml > ./generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml | ||
|
||
sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml | | ||
sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" | | ||
sed "s#{{ IS_KUBERNETES }}#$is_kubernetes#g" | | ||
sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml | ||
|
||
sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/app-identity-def.template.yml | | ||
sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml | ||
|
||
sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/authn-any-policy-branch.template.yml | | ||
sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" | | ||
sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.authn-any-policy-branch.yml | ||
popd | ||
|
||
# Create the random database password | ||
password=$(openssl rand -hex 12) | ||
|
||
set_namespace "$CONJUR_NAMESPACE_NAME" | ||
|
||
|
||
announce "Finding or creating a Conjur CLI pod" | ||
conjur_cli_pod=$(get_conjur_cli_pod_name) | ||
if [ -z "$conjur_cli_pod" ]; then | ||
prepare_conjur_cli_image | ||
deploy_conjur_cli | ||
conjur_cli_pod=$(get_conjur_cli_pod_name) | ||
configure_conjur_cli $conjur_cli_pod | ||
fi | ||
|
||
announce "Loading Conjur policy." | ||
|
||
$cli exec $conjur_cli_pod -- rm -rf /policy | ||
$cli cp ./policy $conjur_cli_pod:/policy | ||
|
||
$cli exec $conjur_cli_pod -- \ | ||
bash -c " | ||
conjur_appliance_url=${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE_NAME.svc.cluster.local} | ||
CONJUR_ACCOUNT=${CONJUR_ACCOUNT} \ | ||
CONJUR_ADMIN_PASSWORD=${CONJUR_ADMIN_PASSWORD} \ | ||
DB_PASSWORD=${password} \ | ||
TEST_APP_NAMESPACE_NAME=${TEST_APP_NAMESPACE_NAME} \ | ||
TEST_APP_DATABASE=${TEST_APP_DATABASE} \ | ||
/policy/load_policies.sh | ||
" | ||
|
||
$cli exec $conjur_cli_pod -- rm -rf ./policy | ||
|
||
echo "Conjur policy loaded." | ||
|
||
set_namespace "$TEST_APP_NAMESPACE_NAME" | ||
|
||
# Set DB password in Kubernetes manifests | ||
# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI | ||
pushd kubernetes | ||
sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml | ||
sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml | ||
popd | ||
|
||
# Set DB password in OC manifests | ||
# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI | ||
pushd openshift | ||
sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml | ||
sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml | ||
popd | ||
|
||
announce "Added DB password value: $password" |
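Review bot: Both secrets this script handles end up where they should not: the admin password goes on the command line in `conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD`, and together with the generated DB password it is expanded client-side into the `bash -c "..."` string of the policy-load step, so both are visible in the CLI pod's process table and in the exec request recorded by the API server; the closing `announce "Added DB password value: $password"` then prints the DB password into the console/CI log. I would drop the value from the announcement (`announce "Added DB password to generated manifests."`), pass the passwords through the exec's stdin or an env file rather than argv, and document that the generated `tmp.*.postgres.yml` / `tmp.*.mysql.yml` files now hold the password in plaintext and need cleanup. Two smaller defects in the same run: `conjur_appliance_url=...` inside the remote shell is assigned but neither exported nor used, and the cleanup `rm -rf ./policy` removes a relative path while the files were copied to `/policy`, so it only matches if the exec's working directory happens to be `/`. `yes yes | conjur init` also accepts the server's TLS fingerprint without checking it — acceptable for a demo, but worth a `# NOTE: trusts the Conjur server cert on first use (demo only)` comment.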
This file was deleted.
@@ -0,0 +1,18 @@ | ||
#!/usr/bin/env bash | ||
set -euo pipefail | ||
|
||
. utils.sh | ||
|
||
announce "Initializing Conjur certificate authority." | ||
|
||
set_namespace $CONJUR_NAMESPACE_NAME | ||
|
||
conjur_master=$(get_master_pod_name) | ||
|
||
if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then | ||
$cli exec $conjur_master -c conjur-oss -- bash -c "CONJUR_ACCOUNT=$CONJUR_ACCOUNT rake authn_k8s:ca_init['conjur/authn-k8s/$AUTHENTICATOR_ID']" | ||
else | ||
$cli exec $conjur_master -- chpst -u conjur conjur-plugin-service possum rake authn_k8s:ca_init["conjur/authn-k8s/$AUTHENTICATOR_ID"] | ||
fi | ||
|
||
echo "Certificate authority initialized." |
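Review bot: `$AUTHENTICATOR_ID` is interpolated into a remote shell command on both branches — inside the double-quoted `bash -c "... rake authn_k8s:ca_init['conjur/authn-k8s/$AUTHENTICATOR_ID']"` for OSS and into the rake argument for the appliance — so a value containing `'`, `]` or `$` breaks the command or, since it comes from the caller's environment, lets whoever sets it run arbitrary commands in the Conjur pod. Validating it once before the exec, `[[ "$AUTHENTICATOR_ID" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "invalid AUTHENTICATOR_ID" >&2; exit 1; }`, closes that and also protects the `sed "s#{{ AUTHENTICATOR_ID }}#...#g"` substitutions elsewhere in this change, which use `#` as the delimiter. The rake task is also run unconditionally on every invocation; if re-running it regenerates the CA key pair (worth confirming against the task), a comment should say so, because client certificates already issued under the previous CA would stop validating.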
This file was deleted.
This file was deleted.
@@ -0,0 +1,35 @@ | ||
#!/usr/bin/env bash | ||
set -euo pipefail | ||
|
||
. utils.sh | ||
|
||
announce "Storing Conjur cert for test app configuration." | ||
|
||
set_namespace $CONJUR_NAMESPACE_NAME | ||
|
||
echo "Retrieving Conjur certificate." | ||
|
||
if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then | ||
master_pod_name=$(get_master_pod_name) | ||
ssl_cert=$($cli exec -c "conjur-oss-nginx" $master_pod_name -- cat /opt/conjur/etc/ssl/cert/tls.crt) | ||
else | ||
if $cli get pods --selector role=follower --no-headers; then | ||
follower_pod_name=$($cli get pods --selector role=follower --no-headers | awk '{ print $1 }' | head -1) | ||
ssl_cert=$($cli exec $follower_pod_name -- cat /opt/conjur/etc/ssl/conjur.pem) | ||
else | ||
echo "Regular follower not found. Trying to assume a decomposed follower..." | ||
follower_pod_name=$($cli get pods --selector role=decomposed-follower --no-headers | awk '{ print $1 }' | head -1) | ||
ssl_cert=$($cli exec -c "nginx" $follower_pod_name -- cat /opt/conjur/etc/ssl/cert/tls.crt) | ||
fi | ||
fi | ||
|
||
set_namespace $TEST_APP_NAMESPACE_NAME | ||
|
||
echo "Storing non-secret conjur cert as test app configuration data" | ||
|
||
$cli delete --ignore-not-found=true configmap $TEST_APP_NAMESPACE_NAME | ||
|
||
# Store the Conjur cert in a ConfigMap. | ||
$cli create configmap $TEST_APP_NAMESPACE_NAME --from-file=ssl-certificate=<(echo "$ssl_cert") | ||
|
||
echo "Conjur cert stored." |
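Review bot: The follower lookup `if $cli get pods --selector role=follower --no-headers; then` tests the exit status of kubectl/oc, which in my experience is 0 even when the selector matches nothing, so the first branch is taken with an empty `follower_pod_name` and the following `$cli exec` fails under `set -e` before the decomposed-follower fallback is ever reached. Test the result instead: `follower_pod_name=$($cli get pods --selector role=follower --no-headers | awk '{ print $1 }' | head -1)` followed by `if [[ -n "$follower_pod_name" ]]; then`, and apply the same non-empty check to the decomposed-follower name so a missing pod produces a clear error rather than an exec against an empty argument. The ConfigMap step would also benefit from a comment that what is stored appears to be the server's own certificate file (`tls.crt` / `conjur.pem`) rather than a CA, so the ConfigMap has to be refreshed whenever Conjur's certificate is rotated.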
File renamed without changes.