WIP - Demo supports Conjur OSS and annotation-based authn-k8s
Work-in-Progress: Needs testing on minikube/Kind, OpenShift,
and with DAP/appliance image.

This change adds support for:

- Running demo scripts directly on a Conjur OSS cluster that has been
  deployed via Conjur OSS Helm chart.
- Creation of a Conjur CLI pod if it doesn't exist.
- Selectable operation for annotation-based authn-k8s vs.
  host-ID-based authn-k8s.
- Running demo scripts on platforms that do not have a load balancer
  configured (e.g. for testing on KinD or Minikube without having to
  load MetalLB).
- CI for both annotation-based and host-ID based identity authentication
  for GKE and OpenShift.

Addresses Issue #106
diverdane committed Oct 9, 2020
1 parent d310cf5 commit eeef8af
Showing 29 changed files with 566 additions and 347 deletions.
File renamed without changes.
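--- a/1_prep_platform_login.sh
+++ b/1_prep_platform_login.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+if [[ $PLATFORM == openshift ]]; then
+oc login -u $OSHIFT_CLUSTER_ADMIN_USERNAME
+fi
+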
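Review bot: `oc login -u $OSHIFT_CLUSTER_ADMIN_USERNAME` on the seventh line relies on `set -u` to catch a missing username, which aborts with a bare unbound-variable message and gives no hint that OSHIFT_CLUSTER_ADMIN_USERNAME has to be exported before the demo is run; an explicit guard reads better, `: "${OSHIFT_CLUSTER_ADMIN_USERNAME:?set to the OpenShift cluster-admin user}"`, and the expansion itself should be quoted, `oc login -u "$OSHIFT_CLUSTER_ADMIN_USERNAME"`. Since no password is passed, `oc login` presumably prompts interactively, which will hang a non-interactive CI run; a header comment saying this script expects an interactive terminal (or an already-established login) would save the next person a timeout.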
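--- a/2_admin_load_conjur_policies.sh
+++ b/2_admin_load_conjur_policies.sh
@@ -0,0 +1,138 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+announce "Generating Conjur policy."
+
+prepare_conjur_cli_image() {
+announce "Pulling and pushing Conjur CLI image."
+
+docker pull cyberark/conjur-cli:$CONJUR_VERSION-latest
+
+cli_app_image=$(platform_image conjur-cli)
+docker tag cyberark/conjur-cli:$CONJUR_VERSION-latest $cli_app_image
+
+if ! is_minienv; then
+docker push $cli_app_image
+fi
+}
+
+deploy_conjur_cli() {
+announce "Deploying Conjur CLI pod."
+
+if is_minienv; then
+IMAGE_PULL_POLICY='Never'
+else
+IMAGE_PULL_POLICY='Always'
+fi
+if [ "$CONJUR_OSS_HELM_INSTALLED" = "true" ]; then
+service_account='conjur-oss'
+else
+service_account='conjur-cluster'
+fi
+
+cli_app_image=$(platform_image conjur-cli)
+sed -e "s#{{ CONJUR_SERVICE_ACCOUNT }}#$service_account#g" ./$PLATFORM/conjur-cli.yml |
+sed -e "s#{{ DOCKER_IMAGE }}#$cli_app_image#g" |
+sed -e "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" |
+$cli create -f -
+
+conjur_cli_pod=$(get_conjur_cli_pod_name)
+wait_for_it 300 "$cli get pod $conjur_cli_pod -o jsonpath='{.status.phase}'| grep -q Running"
+}
+
+configure_conjur_cli() {
+announce "Configuring Conjur CLI pod."
+
+if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
+conjur_service='conjur-oss'
+else
+conjur_service='conjur-master'
+fi
+conjur_url=${CONJUR_APPLIANCE_URL:-https://$conjur_service.$CONJUR_NAMESPACE_NAME.svc.cluster.local}
+
+$cli exec $1 -- bash -c "yes yes | conjur init -a $CONJUR_ACCOUNT -u $conjur_url"
+$cli exec $1 -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD
+}
+
+pushd policy
+mkdir -p ./generated
+
+# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
+
+if [[ "$PLATFORM" == "openshift" ]]; then
+is_openshift=true
+is_kubernetes=false
+else
+is_openshift=false
+is_kubernetes=true
+fi
+
+sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml > ./generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml
+
+sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml |
+sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" |
+sed "s#{{ IS_KUBERNETES }}#$is_kubernetes#g" |
+sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml
+
+sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/app-identity-def.template.yml |
+sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml
+
+sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/authn-any-policy-branch.template.yml |
+sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" |
+sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.authn-any-policy-branch.yml
+popd
+
+# Create the random database password
+password=$(openssl rand -hex 12)
+
+set_namespace "$CONJUR_NAMESPACE_NAME"
+
+
+announce "Finding or creating a Conjur CLI pod"
+conjur_cli_pod=$(get_conjur_cli_pod_name)
+if [ -z "$conjur_cli_pod" ]; then
+prepare_conjur_cli_image
+deploy_conjur_cli
+conjur_cli_pod=$(get_conjur_cli_pod_name)
+configure_conjur_cli $conjur_cli_pod
+fi
+
+announce "Loading Conjur policy."
+
+$cli exec $conjur_cli_pod -- rm -rf /policy
+$cli cp ./policy $conjur_cli_pod:/policy
+
+$cli exec $conjur_cli_pod -- \
+bash -c "
+conjur_appliance_url=${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE_NAME.svc.cluster.local}
+CONJUR_ACCOUNT=${CONJUR_ACCOUNT} \
+CONJUR_ADMIN_PASSWORD=${CONJUR_ADMIN_PASSWORD} \
+DB_PASSWORD=${password} \
+TEST_APP_NAMESPACE_NAME=${TEST_APP_NAMESPACE_NAME} \
+TEST_APP_DATABASE=${TEST_APP_DATABASE} \
+/policy/load_policies.sh
+"
+
+$cli exec $conjur_cli_pod -- rm -rf ./policy
+
+echo "Conjur policy loaded."
+
+set_namespace "$TEST_APP_NAMESPACE_NAME"
+
+# Set DB password in Kubernetes manifests
+# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
+pushd kubernetes
+sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml
+sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml
+popd
+
+# Set DB password in OC manifests
+# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
+pushd openshift
+sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml
+sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml
+popd
+
+announce "Added DB password value: $password"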
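Review bot: `$cli exec $1 -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD` in configure_conjur_cli and the `bash -c "…"` block that runs /policy/load_policies.sh both place CONJUR_ADMIN_PASSWORD (and, in the second case, DB_PASSWORD) in the argument list of the exec'd process, where they are readable in the pod's process list and in any `set -x` trace or CI command log; feeding the script to `bash -s` over stdin keeps the values out of argv, as in the heredoc below, and the same shape suits the login step (check whether the CLI reads the password from stdin when `-p` is omitted). Inside that same block `conjur_appliance_url=…` is assigned but never used, and its default is hard-wired to `conjur-oss.` although configure_conjur_cli chooses conjur-oss vs conjur-master by CONJUR_OSS_HELM_INSTALLED — drop it or derive it the same way. The final `announce "Added DB password value: $password"` writes the freshly generated database password to stdout and so into CI logs; announce that it was generated without echoing it, e.g. `announce "Generated DB password and wrote it into the tmp.* manifests."`. `yes yes | conjur init` auto-accepts whatever certificate the endpoint presents, which is fine for a demo but deserves a one-line comment saying so.
```shell
# … unchanged: rm -rf /policy and cp of ./policy into the pod …
# Values are expanded locally (unquoted EOF) but travel over stdin, not argv,
# so the admin and DB passwords do not appear in the pod's process list.
$cli exec -i "$conjur_cli_pod" -- bash -s <<EOF
CONJUR_ACCOUNT=${CONJUR_ACCOUNT} \
CONJUR_ADMIN_PASSWORD=${CONJUR_ADMIN_PASSWORD} \
DB_PASSWORD=${password} \
TEST_APP_NAMESPACE_NAME=${TEST_APP_NAMESPACE_NAME} \
TEST_APP_DATABASE=${TEST_APP_DATABASE} \
/policy/load_policies.sh
EOF
# … unchanged: cleanup, manifest generation …
```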
79 changes: 0 additions & 79 deletions 2_load_conjur_policies.sh

This file was deleted.

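--- a/3_admin_init_conjur_cert_authority.sh
+++ b/3_admin_init_conjur_cert_authority.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+announce "Initializing Conjur certificate authority."
+
+set_namespace $CONJUR_NAMESPACE_NAME
+
+conjur_master=$(get_master_pod_name)
+
+announce "CONJUR_NAMESPACE_NAMEnamespace: $CONJUR_NAMESPACE_NAME"
+announce "conjur_master: $conjur_master"
+announce "AUTHENTICATOR_ID: $AUTHENTICATOR_ID"
+announce "CONJUR_OSS_HELM_INSTALLED: $CONJUR_OSS_HELM_INSTALLED"
+
+if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
+$cli exec $conjur_master -c conjur-oss -- bash -c "CONJUR_ACCOUNT=$CONJUR_ACCOUNT rake authn_k8s:ca_init['conjur/authn-k8s/$AUTHENTICATOR_ID']"
+else
+$cli exec $conjur_master -- chpst -u conjur conjur-plugin-service possum rake authn_k8s:ca_init["conjur/authn-k8s/$AUTHENTICATOR_ID"]
+fi
+
+echo "Certificate authority initialized."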
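Review bot: The first of the four announce lines prints `CONJUR_NAMESPACE_NAMEnamespace:` — the variable name and the word "namespace" have run together; it should read `announce "CONJUR_NAMESPACE_NAME: $CONJUR_NAMESPACE_NAME"` to match the three labels after it. `set_namespace $CONJUR_NAMESPACE_NAME` and both `$cli exec $conjur_master …` lines leave the expansions unquoted, unlike `set_namespace "$CONJUR_NAMESPACE_NAME"` in 2_admin_load_conjur_policies.sh from this same commit; quoting them is cheap and keeps the scripts consistent. In the non-Helm branch the rake argument `authn_k8s:ca_init["conjur/authn-k8s/$AUTHENTICATOR_ID"]` sits outside any enclosing quotes, so the local shell strips the inner double quotes and the bracketed word is subject to pathname expansion before it reaches the pod; it only works because nothing in the working directory matches, and `"authn_k8s:ca_init[conjur/authn-k8s/$AUTHENTICATOR_ID]"` removes that dependency.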
14 changes: 0 additions & 14 deletions 3_init_conjur_cert_authority.sh

This file was deleted.

17 changes: 9 additions & 8 deletions 1_create_test_app_namespace.sh → 4_app_create_namespace.sh
Expand Up @@ -5,10 +5,6 @@ set -euo pipefail

announce "Creating Test App namespace."

if [[ $PLATFORM == openshift ]]; then
oc login -u $OSHIFT_CLUSTER_ADMIN_USERNAME
fi

set_namespace default

if has_namespace "$TEST_APP_NAMESPACE_NAME"; then
Expand All @@ -26,11 +22,16 @@ else
set_namespace $TEST_APP_NAMESPACE_NAME
fi

$cli delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME
# A Conjur OSS cluster that was deployed via cyberark/conjur-oss-helm-chart
# includes a ClusterRoleBinding (that has cluster-wide scope), so there is no
# need to create a RoleBinding for this namespace.
if [[ $CONJUR_OSS_HELM_INSTALLED != true ]]; then
$cli delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME

sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./$PLATFORM/test-app-conjur-authenticator-role-binding.yml |
sed "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" |
$cli create -f -
sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./$PLATFORM/test-app-conjur-authenticator-role-binding.yml |
sed "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" |
$cli create -f -
fi

if [[ $PLATFORM == openshift ]]; then
# add permissions for Conjur admin user
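Review bot: `if [[ $CONJUR_OSS_HELM_INSTALLED != true ]]; then` in the second hunk tests the flag differently from every other script in this commit (`[[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]` in 2_admin_load_conjur_policies.sh, 3_admin_init_conjur_cert_authority.sh and 5_app_store_conjur_cert.sh); writing it as `if [[ "$CONJUR_OSS_HELM_INSTALLED" != "true" ]]; then` keeps one recognisable idiom for readers grepping for the flag. The `$cli delete` line and the sed chain inside the new `if` also pass `$CONJUR_NAMESPACE_NAME` and `$TEST_APP_NAMESPACE_NAME` unquoted, while the comment above the block is a good example of explaining why a step is skipped rather than what it does. The script continues past the end of this hunk.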
30 changes: 0 additions & 30 deletions 4_store_conjur_cert.sh

This file was deleted.

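--- a/5_app_store_conjur_cert.sh
+++ b/5_app_store_conjur_cert.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+announce "Storing Conjur cert for test app configuration."
+
+set_namespace $CONJUR_NAMESPACE_NAME
+
+echo "Retrieving Conjur certificate."
+
+if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
+master_pod_name=$(get_master_pod_name)
+ssl_cert=$($cli exec -c "conjur-oss-nginx" $master_pod_name -- cat /opt/conjur/etc/ssl/cert/tls.crt)
+else
+if $cli get pods --selector role=follower --no-headers; then
+follower_pod_name=$($cli get pods --selector role=follower --no-headers | awk '{ print $1 }' | head -1)
+ssl_cert=$($cli exec $follower_pod_name -- cat /opt/conjur/etc/ssl/conjur.pem)
+else
+echo "Regular follower not found. Trying to assume a decomposed follower..."
+follower_pod_name=$($cli get pods --selector role=decomposed-follower --no-headers | awk '{ print $1 }' | head -1)
+ssl_cert=$($cli exec -c "nginx" $follower_pod_name -- cat /opt/conjur/etc/ssl/cert/tls.crt)
+fi
+fi
+
+set_namespace $TEST_APP_NAMESPACE_NAME
+
+echo "Storing non-secret conjur cert as test app configuration data"
+
+$cli delete --ignore-not-found=true configmap $TEST_APP_NAMESPACE_NAME
+
+# Store the Conjur cert in a ConfigMap.
+$cli create configmap $TEST_APP_NAMESPACE_NAME --from-file=ssl-certificate=<(echo "$ssl_cert")
+
+echo "Conjur cert stored."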
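Review bot: `if $cli get pods --selector role=follower --no-headers; then` branches on the exit status of `kubectl get`, which as far as I know is 0 even when the selector matches nothing (it only prints "No resources found" to stderr), so the decomposed-follower fallback would never be taken and `follower_pod_name` would be empty when the following `$cli exec` runs. Testing for output instead fixes that: `if [[ -n "$($cli get pods --selector role=follower --no-headers 2>/dev/null)" ]]; then`. The two `awk … | head -1` pipelines also pick the first listed pod regardless of phase, so a Pending or Terminating follower can be chosen; adding `--field-selector status.phase=Running` to those `get pods` calls is the usual guard. `$master_pod_name` and `$follower_pod_name` should be quoted where they are passed to `$cli exec`, and the header comment on this new file should say it stores the server's public TLS certificate (not a secret), which is why a ConfigMap is the right home.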
File renamed without changes.
