diff --git a/Jenkinsfile b/Jenkinsfile index 54b68aaa..ff053ec4 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -82,6 +82,16 @@ pipeline { } } + stage('E2E Workflow Tests') { + parallel { + stage('Enterprise and test app deployed to GKE') { + steps { + sh 'cd bin/test-workflow && summon --environment gke ./start --enterprise --platform gke' + } + } + } + } + stage('Publish client Docker images') { parallel { stage('On a master build') { diff --git a/bin/test-workflow/0_prep_conjur_in_kind.sh b/bin/test-workflow/0_prep_conjur_in_kind.sh deleted file mode 100755 index 3a13c30d..00000000 --- a/bin/test-workflow/0_prep_conjur_in_kind.sh +++ /dev/null @@ -1,33 +0,0 @@ -#!/bin/bash - -set -eo pipefail -cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) - -# Install Conjur in our cluster -mkdir -p temp -pushd temp > /dev/null - rm -rf conjur-oss-helm-chart - git clone https://github.com/cyberark/conjur-oss-helm-chart.git - - pushd conjur-oss-helm-chart/examples/common > /dev/null - source ./utils.sh - - announce "Setting demo environment variable defaults" - source ../kubernetes-in-docker/0_export_env_vars.sh - - announce "Creating a Kubernetes-in-Docker cluster if necessary" - ./1_create_kind_cluster.sh - - announce "Helm installing/upgrading Conjur OSS cluster" - ./2_helm_install_or_upgrade_conjur.sh - - # Wait for Conjur pods to become ready (just in case there are old - # Conjur pods getting terminated as part of Helm upgrade) - announce "Waiting for Conjur to become ready" - wait_for_conjur_ready - - announce "Enabling the Conjur Kubernetes authenticator if necessary" - ./4_ensure_authn_k8s_enabled.sh - - popd > /dev/null -popd > /dev/null diff --git a/bin/test-workflow/0_prep_env.sh b/bin/test-workflow/0_prep_env.sh new file mode 100755 index 00000000..4ebc2b02 --- /dev/null +++ b/bin/test-workflow/0_prep_env.sh 
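Review bot: The new 'E2E Workflow Tests' stage wraps a single child stage in a `parallel` block, which adds nesting without running anything concurrently; if more platforms are meant to be added here later, a one-line comment such as `// parallel: one child per platform; GKE Enterprise is the first` would explain the shape, otherwise the wrapper can be dropped. The `sh 'cd bin/test-workflow && ...'` can also use the Jenkins `dir('bin/test-workflow') { sh 'summon --environment gke ./start --enterprise --platform gke' }` step, which the rest of this pipeline presumably already uses for directory changes and which keeps the working directory change out of the shell string. The rest of the `pipeline` block is outside this hunk.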
@@ -0,0 +1,69 @@ +#!/bin/bash + +set -o pipefail + +### PLATFORM DETAILS +export CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}" + +# PLATFORM is used to differentiate between general Kubernetes platforms (K8s vs. oc), while +# CLUSTER_TYPE is used to differentiate between sub-platforms (for vanilla K8s, KinD vs. GKE) +if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then + CLUSTER_TYPE="${CLUSTER_TYPE:-kind}" +else + CLUSTER_TYPE="${CLUSTER_TYPE:-gke}" + export UNIQUE_TEST_ID="$(uuidgen | tr "[:upper:]" "[:lower:]" | head -c 10)" +fi +export CLUSTER_TYPE + +if [[ "$CLUSTER_TYPE" == "oc" ]]; then + PLATFORM="openshift" +else + PLATFORM="kubernetes" +fi +export PLATFORM + +### DOCKER CONFIG +export USE_DOCKER_LOCAL_REGISTRY="${USE_DOCKER_LOCAL_REGISTRY:-true}" +export DOCKER_REGISTRY_URL="${DOCKER_REGISTRY_URL:-localhost:5000}" +export DOCKER_REGISTRY_PATH="${DOCKER_REGISTRY_PATH:-localhost:5000}" +export PULL_DOCKER_REGISTRY_URL="${PULL_DOCKER_REGISTRY_URL:-${DOCKER_REGISTRY_URL}}" +export PULL_DOCKER_REGISTRY_PATH="${PULL_DOCKER_REGISTRY_PATH:-${DOCKER_REGISTRY_PATH}}" + +### CONJUR AND TEST APP CONFIG +export CONJUR_ACCOUNT="${CONJUR_ACCOUNT:-myConjurAccount}" +export AUTHENTICATOR_ID="${AUTHENTICATOR_ID:-my-authenticator-id}" +export CONJUR_AUTHN_LOGIN_RESOURCE="${CONJUR_AUTHN_LOGIN_RESOURCE:-service_account}" +export CONJUR_AUTHN_LOGIN_PREFIX="${CONJUR_AUTHN_LOGIN_PREFIX:-host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps}" +export CONJUR_VERSION="${CONJUR_VERSION:-5}" +export TEST_APP_NAMESPACE_NAME="${TEST_APP_NAMESPACE_NAME:-app-test}" +export TEST_APP_DATABASE="${TEST_APP_DATABASE:-postgres}" + +if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then + conjur_service="conjur-oss" + export CONJUR_NAMESPACE_NAME="${CONJUR_NAMESPACE_NAME:-$conjur_service}" +else + conjur_service="conjur-master" + export CONJUR_NAMESPACE_NAME="${CONJUR_NAMESPACE_NAME:-$conjur_service-${UNIQUE_TEST_ID}}" + export 
TEST_APP_NAMESPACE_NAME="$TEST_APP_NAMESPACE_NAME-$UNIQUE_TEST_ID" +fi + +export CONJUR_APPLIANCE_URL=${CONJUR_APPLIANCE_URL:-https://$conjur_service.$CONJUR_NAMESPACE_NAME.svc.cluster.local} +export SAMPLE_APP_BACKEND_DB_PASSWORD="$(openssl rand -hex 12)" + +### PLATFORM SPECIFIC CONFIG +if [[ "$CLUSTER_TYPE" == "gke" ]]; then + export CONJUR_FOLLOWER_URL="https://conjur-follower.$CONJUR_NAMESPACE_NAME.svc.cluster.local" + export CONJUR_ADMIN_PASSWORD="MySecretP@ss1" + export CONJUR_APPLIANCE_IMAGE="registry2.itci.conjur.net/conjur-appliance:5.0-stable" + export CONJUR_FOLLOWER_COUNT=1 + export CONJUR_AUTHN_LOGIN="host/conjur/authn-k8s/${AUTHENTICATOR_ID}/apps/$CONJUR_NAMESPACE_NAME/service_account/conjur-cluster" + export STOP_RUNNING_ENV=true + export DEPLOY_MASTER_CLUSTER=true + export CONFIGURE_CONJUR_MASTER=true + export PLATFORM_CONTAINER="platform-container" + + docker build --tag "$PLATFORM_CONTAINER:$CONJUR_NAMESPACE_NAME" \ + --file Dockerfile \ + --build-arg KUBECTL_VERSION="$KUBECTL_VERSION" \ + . +fi diff --git a/bin/test-workflow/1_deploy_conjur.sh b/bin/test-workflow/1_deploy_conjur.sh new file mode 100755 index 00000000..98eb15d7 --- /dev/null +++ b/bin/test-workflow/1_deploy_conjur.sh 
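Review bot: `export CONJUR_ADMIN_PASSWORD="MySecretP@ss1"` in the gke branch hard-codes the admin password of a Conjur Enterprise master that is deployed to a real GKE cluster, and the same literal is committed again in bin/test-workflow/secrets.yml, where every other GKE value is fetched with `!var`. This script already generates `SAMPLE_APP_BACKEND_DB_PASSWORD="$(openssl rand -hex 12)"` per run, so the admin password can follow the same pattern — `export CONJUR_ADMIN_PASSWORD="${CONJUR_ADMIN_PASSWORD:-$(openssl rand -hex 12)}"` — or be sourced from the secrets store via `!var`, with the literal removed from both files; if kubernetes-conjur-deploy imposes a complexity rule on this value, that would need confirming before switching to a generated one. Separately, `export UNIQUE_TEST_ID="$(uuidgen | ...)"` hides the pipeline's exit status behind `export` (SC2155), and because this file is meant to be sourced, its `set -o pipefail` also changes the caller's shell; a comment stating that the script is source-only would make the latter intentional.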
@@ -0,0 +1,61 @@ +#!/bin/bash + +set -eo pipefail +cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) + +source utils.sh + +function setup_conjur_enterprise { + check_env_var GCLOUD_PROJECT_NAME + check_env_var GCLOUD_ZONE + check_env_var GCLOUD_CLUSTER_NAME + check_env_var GCLOUD_SERVICE_KEY + + docker pull "$CONJUR_APPLIANCE_IMAGE" + + pushd temp > /dev/null + git clone --single-branch --branch master git@github.com:cyberark/kubernetes-conjur-deploy "kubernetes-conjur-deploy-$UNIQUE_TEST_ID" + popd > /dev/null + + announce "Deploying Conjur Enterprise" + + if [[ "${CLUSTER_TYPE}" == "gke" ]]; then + run_command_with_platform "cd temp/kubernetes-conjur-deploy-$UNIQUE_TEST_ID && ./start" + fi +} + +function setup_conjur_open_source { + pushd temp > /dev/null + git clone https://github.com/cyberark/conjur-oss-helm-chart.git + + pushd conjur-oss-helm-chart/examples/common > /dev/null + source ./utils.sh + + announce "Setting demo environment variable defaults" + source ../kubernetes-in-docker/0_export_env_vars.sh + + announce "Creating a Kubernetes-in-Docker cluster if necessary" + ./1_create_kind_cluster.sh + + announce "Helm installing/upgrading Conjur OSS cluster" + ./2_helm_install_or_upgrade_conjur.sh + + # Wait for Conjur pods to become ready (just in case there are old + # Conjur pods getting terminated as part of Helm upgrade) + announce "Waiting for Conjur to become ready" + wait_for_conjur_ready + + announce "Enabling the Conjur Kubernetes authenticator if necessary" + ./4_ensure_authn_k8s_enabled.sh + popd > /dev/null + + rm -rf conjur-oss-helm-chart + popd > /dev/null +} + +mkdir -p temp +if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then + setup_conjur_open_source +else + setup_conjur_enterprise +fi diff --git a/bin/test-workflow/1_prep_env.sh b/bin/test-workflow/1_prep_env.sh deleted file mode 100755 index e1d1e017..00000000 --- a/bin/test-workflow/1_prep_env.sh +++ /dev/null 
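Review bot: `git clone --single-branch --branch master git@github.com:cyberark/kubernetes-conjur-deploy ...` in setup_conjur_enterprise fetches an unpinned branch and then runs its `./start` through run_command_with_platform in an environment that holds `GCLOUD_SERVICE_KEY`, so any change landing on that repo's master executes here with cluster credentials; pin it to a release tag or a known commit the way `CONJUR_VERSION` pins the CLI image, e.g. `--branch <pinned-tag>` followed by a checkout of the expected SHA. The SSH clone URL also presumes a deploy key on the agent that nothing in this change provides, while the Open Source path clones over HTTPS — worth a comment or aligning the two. In setup_conjur_open_source the `rm -rf conjur-oss-helm-chart` now runs after the clone rather than before it as the deleted 0_prep_conjur_in_kind.sh did, so under `set -e` a re-run after a failed attempt aborts at `git clone` because the directory already exists; move `rm -rf conjur-oss-helm-chart` ahead of the clone. The enterprise clone `kubernetes-conjur-deploy-$UNIQUE_TEST_ID` is never removed, which presumably is left to `./stop`; a comment saying so would help.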
@@ -1,36 +0,0 @@ -#!/bin/bash - -set -eo pipefail - -export DOCKER_REGISTRY_URL="${DOCKER_REGISTRY_URL:-localhost:5000}" -export DOCKER_REGISTRY_PATH="${DOCKER_REGISTRY_PATH:-localhost:5000}" -export PULL_DOCKER_REGISTRY_URL="${PULL_DOCKER_REGISTRY_URL:-localhost:5000}" -export PULL_DOCKER_REGISTRY_PATH="${PULL_DOCKER_REGISTRY_PATH:-localhost:5000}" -export TEST_APP_NAMESPACE_NAME="${TEST_APP_NAMESPACE_NAME:-app-test}" -export CONJUR_ACCOUNT="${CONJUR_ACCOUNT:-myConjurAccount}" -export AUTHENTICATOR_ID="${AUTHENTICATOR_ID:-my-authenticator-id}" -export TEST_APP_DATABASE="${TEST_APP_DATABASE:-postgres}" -export CONJUR_AUTHN_LOGIN_RESOURCE="${CONJUR_AUTHN_LOGIN_RESOURCE:-service_account}" -export CONJUR_AUTHN_LOGIN_PREFIX="${CONJUR_AUTHN_LOGIN_PREFIX:-host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps}" -export CONJUR_VERSION="${CONJUR_VERSION:-5}" -export PLATFORM="${PLATFORM:-kubernetes}" -export CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}" -export USE_DOCKER_LOCAL_REGISTRY="${USE_DOCKER_LOCAL_REGISTRY:-false}" - -if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then - conjur_service='conjur-oss' -else - conjur_service='conjur-master' -fi - -export CONJUR_NAMESPACE="${CONJUR_NAMESPACE:-$conjur_service}" -export CONJUR_APPLIANCE_URL=${CONJUR_APPLIANCE_URL:-https://$conjur_service.$CONJUR_NAMESPACE.svc.cluster.local} - -export CONJUR_ADMIN_PASSWORD="$(kubectl exec \ - --namespace "$CONJUR_NAMESPACE" \ - deploy/conjur-oss \ - --container conjur-oss \ - -- conjurctl role retrieve-key "$CONJUR_ACCOUNT":user:admin | tail -1)" - -# Create the random database password -export SAMPLE_APP_BACKEND_DB_PASSWORD=$(openssl rand -hex 12) diff --git a/bin/test-workflow/2_admin_load_conjur_policies.sh b/bin/test-workflow/2_admin_load_conjur_policies.sh index 97a6e144..5c6e52cf 100755 --- a/bin/test-workflow/2_admin_load_conjur_policies.sh +++ b/bin/test-workflow/2_admin_load_conjur_policies.sh 
@@ -7,13 +7,17 @@ PLATFORM="${PLATFORM:-kubernetes}" source utils.sh +if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then + export CONJUR_ADMIN_PASSWORD="$(get_admin_password)" +fi + check_env_var TEST_APP_NAMESPACE_NAME check_env_var CONJUR_VERSION check_env_var CONJUR_ACCOUNT check_env_var CONJUR_APPLIANCE_URL check_env_var CONJUR_ADMIN_PASSWORD check_env_var AUTHENTICATOR_ID -check_env_var CONJUR_NAMESPACE +check_env_var CONJUR_NAMESPACE_NAME check_env_var TEST_APP_DATABASE check_env_var SAMPLE_APP_BACKEND_DB_PASSWORD @@ -22,12 +26,12 @@ announce "Generating Conjur policy." prepare_conjur_cli_image() { announce "Pulling and pushing Conjur CLI image." - docker pull cyberark/conjur-cli:$CONJUR_VERSION-latest + docker pull cyberark/conjur-cli:"$CONJUR_VERSION"-latest - cli_app_image=$(platform_image_for_push conjur-cli) - docker tag cyberark/conjur-cli:$CONJUR_VERSION-latest $cli_app_image + cli_app_image="$(platform_image_for_push conjur-cli)" + docker tag cyberark/conjur-cli:"$CONJUR_VERSION"-latest "$cli_app_image" - docker push $cli_app_image + docker push "$cli_app_image" } deploy_conjur_cli() { 
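Review bot: `export CONJUR_ADMIN_PASSWORD="$(get_admin_password)"` masks the exit status of get_admin_password (SC2155): `export` returns 0 even when the substitution fails, so if this script runs under `set -e` like its siblings the failure is not caught there, and the `check_env_var CONJUR_ADMIN_PASSWORD` below only catches an empty result, not an error message captured as the password. Split the assignment from the export: `CONJUR_ADMIN_PASSWORD="$(get_admin_password)"` followed by `export CONJUR_ADMIN_PASSWORD`. The top of the script, including whichever `set` options are active, is outside this hunk.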
@@ -69,36 +73,39 @@ pushd policy > /dev/null fi sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml | - sed "s#{{ CONJUR_NAMESPACE }}#$CONJUR_NAMESPACE#g" > ./generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml + sed "s#{{ CONJUR_NAMESPACE }}#$CONJUR_NAMESPACE_NAME#g" > ./generated/"$TEST_APP_NAMESPACE_NAME".cluster-authn-svc.yml sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml | sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" | sed "s#{{ IS_KUBERNETES }}#$is_kubernetes#g" | - sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/"$TEST_APP_NAMESPACE_NAME".project-authn.yml sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/app-identity-def.template.yml | - sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/"$TEST_APP_NAMESPACE_NAME".app-identity.yml sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/authn-any-policy-branch.template.yml | sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" | - sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.authn-any-policy-branch.yml + sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/"$TEST_APP_NAMESPACE_NAME".authn-any-policy-branch.yml popd > /dev/null -set_namespace "$CONJUR_NAMESPACE" +set_namespace "$CONJUR_NAMESPACE_NAME" announce "Finding or creating a Conjur CLI pod" -conjur_cli_pod=$(get_conjur_cli_pod_name) +conjur_cli_pod="$(get_conjur_cli_pod_name)" if [ -z "$conjur_cli_pod" ]; then prepare_conjur_cli_image deploy_conjur_cli - conjur_cli_pod=$(get_conjur_cli_pod_name) + conjur_cli_pod="$(get_conjur_cli_pod_name)" +fi + +if [[ 
"$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then + ensure_conjur_cli_initialized "$conjur_cli_pod" fi -ensure_conjur_cli_initialized $conjur_cli_pod announce "Loading Conjur policy." -$cli exec $conjur_cli_pod -- rm -rf /policy -$cli cp ./policy $conjur_cli_pod:/policy +$cli exec "$conjur_cli_pod" -- rm -rf /policy +$cli cp ./policy "$conjur_cli_pod:/policy" wait_for_it 300 "$cli exec $conjur_cli_pod -- \ bash -c \" @@ -112,6 +119,6 @@ wait_for_it 300 "$cli exec $conjur_cli_pod -- \ \" " -$cli exec $conjur_cli_pod -- rm -rf ./policy +$cli exec "$conjur_cli_pod" -- rm -rf ./policy echo "Conjur policy loaded." diff --git a/bin/test-workflow/3_admin_init_conjur_cert_authority.sh b/bin/test-workflow/3_admin_init_conjur_cert_authority.sh index 954cdb72..ab5601d5 100755 --- a/bin/test-workflow/3_admin_init_conjur_cert_authority.sh +++ b/bin/test-workflow/3_admin_init_conjur_cert_authority.sh 
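Review bot: `ensure_conjur_cli_initialized "$conjur_cli_pod"` is now gated on `CONJUR_OSS_HELM_INSTALLED == "true"`, but prepare_conjur_cli_image and deploy_conjur_cli still run for both workflows, so in the Enterprise path a freshly deployed CLI pod reaches the `conjur` commands inside the `wait_for_it 300 ...` block without this script initializing it; presumably some other step handles that, but nothing in the hunk says so. Either add a comment above the `if`, e.g. `# Enterprise: the CLI pod is initialized by <step that does it — confirm>`, or give the conditional an `else` branch that initializes against `$CONJUR_APPLIANCE_URL`. The `wait_for_it` command string continues past the end of this hunk.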
@@ -3,25 +3,23 @@ set -euo pipefail cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) -PLATFORM="${PLATFORM:-kubernetes}" - source utils.sh -check_env_var CONJUR_NAMESPACE +check_env_var CONJUR_NAMESPACE_NAME check_env_var CONJUR_OSS_HELM_INSTALLED check_env_var CONJUR_ACCOUNT check_env_var AUTHENTICATOR_ID announce "Initializing Conjur certificate authority." -set_namespace $CONJUR_NAMESPACE +set_namespace $CONJUR_NAMESPACE_NAME -conjur_master=$(get_master_pod_name) +conjur_master="$(get_master_pod_name)" if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then - $cli exec $conjur_master -c conjur-oss -- bash -c "CONJUR_ACCOUNT=$CONJUR_ACCOUNT rake authn_k8s:ca_init['conjur/authn-k8s/$AUTHENTICATOR_ID']" + $cli exec "$conjur_master" -c conjur-oss -- bash -c "CONJUR_ACCOUNT=$CONJUR_ACCOUNT rake authn_k8s:ca_init['conjur/authn-k8s/$AUTHENTICATOR_ID']" else - $cli exec $conjur_master -- chpst -u conjur conjur-plugin-service possum rake authn_k8s:ca_init["conjur/authn-k8s/$AUTHENTICATOR_ID"] + $cli exec "$conjur_master" -- chpst -u conjur conjur-plugin-service possum rake authn_k8s:ca_init["conjur/authn-k8s/$AUTHENTICATOR_ID"] fi echo "Certificate authority initialized." diff --git a/bin/test-workflow/4_admin_cluster_prep.sh b/bin/test-workflow/4_admin_cluster_prep.sh index a1d02044..a56ad9d0 100755 --- a/bin/test-workflow/4_admin_cluster_prep.sh +++ b/bin/test-workflow/4_admin_cluster_prep.sh 
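Review bot: `set_namespace $CONJUR_NAMESPACE_NAME` is the one expansion in this hunk left unquoted while the neighbouring `$conjur_master` uses were quoted; make it `set_namespace "$CONJUR_NAMESPACE_NAME"` for consistency. The removal of `PLATFORM="${PLATFORM:-kubernetes}"` here (and in 4_admin_cluster_prep.sh, 5_app_namespace_prep.sh, 7_app_deploy_backend.sh and 8_app_deploy.sh) means these scripts now depend on 0_prep_env.sh having been sourced; with `set -euo pipefail` active, running one of them on its own would abort with a bare unbound-variable error wherever utils.sh or set_namespace expands `$PLATFORM`, so a `check_env_var PLATFORM` next to the other checks would give a clear message instead.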
@@ -3,27 +3,40 @@ set -euo pipefail cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) -PLATFORM="${PLATFORM:-kubernetes}" TIMEOUT="${TIMEOUT:-5m0s}" source utils.sh check_env_var CONJUR_APPLIANCE_URL -check_env_var CONJUR_NAMESPACE +check_env_var CONJUR_NAMESPACE_NAME check_env_var CONJUR_ACCOUNT check_env_var AUTHENTICATOR_ID +if [[ "$CONJUR_OSS_HELM_INSTALLED" == "false" ]]; then + check_env_var CONJUR_FOLLOWER_URL +fi set_namespace default # Prepare our cluster with conjur and authnK8s credentials in a golden configmap announce "Installing cluster prep chart" pushd ../../helm/conjur-config-cluster-prep > /dev/null + if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then ./bin/get-conjur-cert.sh -v -i -s -u "$CONJUR_APPLIANCE_URL" - helm upgrade --install cluster-prep . -n "$CONJUR_NAMESPACE" --debug --wait --timeout $TIMEOUT \ + helm upgrade --install cluster-prep . -n "$CONJUR_NAMESPACE_NAME" --debug --wait --timeout "$TIMEOUT" \ --set conjur.account="$CONJUR_ACCOUNT" \ --set conjur.applianceUrl="$CONJUR_APPLIANCE_URL" \ --set conjur.certificateFilePath="files/conjur-cert.pem" \ --set authnK8s.authenticatorID="$AUTHENTICATOR_ID" - + else + ./bin/get-conjur-cert.sh -v -i -s -u "$CONJUR_FOLLOWER_URL" + + helm upgrade --install cluster-prep . -n "$CONJUR_NAMESPACE_NAME" --debug --wait --timeout "$TIMEOUT" \ + --set conjur.account="$CONJUR_ACCOUNT" \ + --set conjur.applianceUrl="$CONJUR_FOLLOWER_URL" \ + --set conjur.certificateFilePath="files/conjur-cert.pem" \ + --set authnK8s.authenticatorID="$AUTHENTICATOR_ID" \ + --set authnK8s.serviceAccount.create=false \ + --set authnK8s.serviceAccount.name="conjur-cluster" + fi popd > /dev/null diff --git a/bin/test-workflow/5_app_namespace_prep.sh b/bin/test-workflow/5_app_namespace_prep.sh index 169de976..4d8639c7 100755 --- a/bin/test-workflow/5_app_namespace_prep.sh +++ b/bin/test-workflow/5_app_namespace_prep.sh 
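Review bot: The new guard `if [[ "$CONJUR_OSS_HELM_INSTALLED" == "false" ]]; then check_env_var CONJUR_FOLLOWER_URL` does not match the branch below it, which takes the Enterprise path for any value other than `"true"`; a value like `False` or `no` skips the check and then reaches `./bin/get-conjur-cert.sh ... -u "$CONJUR_FOLLOWER_URL"` with an empty URL. Use the same test in both places: `if [[ "$CONJUR_OSS_HELM_INSTALLED" != "true" ]]; then`. The two `helm upgrade --install cluster-prep ...` invocations differ only in the URL and the two serviceAccount settings, so selecting `conjur_url` in the conditional and appending the extra `--set` flags via an array would remove the duplicated flag list.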
@@ -3,13 +3,12 @@ set -euo pipefail cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) -PLATFORM="${PLATFORM:-kubernetes}" TIMEOUT="${TIMEOUT:-5m0s}" source utils.sh check_env_var TEST_APP_NAMESPACE_NAME -check_env_var CONJUR_NAMESPACE +check_env_var CONJUR_NAMESPACE_NAME set_namespace default @@ -17,9 +16,9 @@ set_namespace default announce "Installing namespace prep chart" pushd ../../helm/conjur-config-namespace-prep > /dev/null # Namespace $TEST_APP_NAMESPACE_NAME will be created if it does not exist - helm upgrade --install namespace-prep . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait --timeout $TIMEOUT \ + helm upgrade --install namespace-prep . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait --timeout "$TIMEOUT" \ --create-namespace \ --set authnK8s.goldenConfigMap="conjur-configmap" \ - --set authnK8s.namespace="$CONJUR_NAMESPACE" + --set authnK8s.namespace="$CONJUR_NAMESPACE_NAME" popd > /dev/null diff --git a/bin/test-workflow/6_app_build_and_push_containers.sh b/bin/test-workflow/6_app_build_and_push_containers.sh index de0b83ef..0dfbaf3d 100755 --- a/bin/test-workflow/6_app_build_and_push_containers.sh +++ b/bin/test-workflow/6_app_build_and_push_containers.sh @@ -12,7 +12,7 @@ CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}" source utils.sh if [[ "$PLATFORM" == "openshift" ]]; then - docker login -u _ -p $(oc whoami -t) $DOCKER_REGISTRY_PATH + docker login -u _ -p $(oc whoami -t) "$DOCKER_REGISTRY_PATH" fi announce "Building and pushing test app images." 
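Review bot: `docker login -u _ -p $(oc whoami -t) "$DOCKER_REGISTRY_PATH"` still passes the OpenShift token on the command line, where it is visible in `ps` output and in any `set -x` trace, and the substitution remains unquoted although the rest of this change quotes expansions. Pipe it instead: `oc whoami -t | docker login -u _ --password-stdin "$DOCKER_REGISTRY_PATH"`. The same `-p "$(...)"` pattern appears twice in the new bin/test-workflow/platform_login.sh (the gcloud access token and the oc token) and can take the same fix.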
@@ -28,10 +28,10 @@ pushd test_app_summon docker build -t test-app-builder -f Dockerfile.builder . # retrieve the summon binaries - id=$(docker create test-app-builder) - docker cp $id:/usr/local/lib/summon/summon-conjur ./tmp.summon-conjur - docker cp $id:/usr/local/bin/summon ./tmp.summon - docker rm --volumes $id + id="$(docker create test-app-builder)" + docker cp "$id":/usr/local/lib/summon/summon-conjur ./tmp.summon-conjur + docker cp "$id":/usr/local/bin/summon ./tmp.summon + docker rm --volumes "$id" fi @@ -47,13 +47,13 @@ pushd test_app_summon echo "Building test app image" docker build \ - --build-arg namespace=$TEST_APP_NAMESPACE_NAME \ - --tag test-app:$CONJUR_NAMESPACE \ - --file $dockerfile . + --build-arg namespace="$TEST_APP_NAMESPACE_NAME" \ + --tag test-app:"$CONJUR_NAMESPACE_NAME" \ + --file "$dockerfile" . test_app_image=$(platform_image_for_push "test-$app_type-app") - docker tag test-app:$CONJUR_NAMESPACE $test_app_image + docker tag "test-app:$CONJUR_NAMESPACE_NAME" "$test_app_image" - docker push $test_app_image + docker push "$test_app_image" done popd diff --git a/bin/test-workflow/7_app_deploy_backend.sh b/bin/test-workflow/7_app_deploy_backend.sh index 60397fc3..1326adef 100755 --- a/bin/test-workflow/7_app_deploy_backend.sh +++ b/bin/test-workflow/7_app_deploy_backend.sh @@ -3,7 +3,6 @@ set -euo pipefail cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) -PLATFORM="${PLATFORM:-kubernetes}" TIMEOUT="${TIMEOUT:-5m0s}" source utils.sh 
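Review bot: `test_app_image=$(platform_image_for_push "test-$app_type-app")` is the only assignment in this hunk whose command substitution was not quoted, while `id="$(docker create test-app-builder)"` just above was; for consistency write `test_app_image="$(platform_image_for_push "test-$app_type-app")"`. The `for` loop that contains these lines starts before this hunk.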
@@ -13,32 +12,33 @@ check_env_var SAMPLE_APP_BACKEND_DB_PASSWORD announce "Deploying test app postgres backend for $TEST_APP_NAMESPACE_NAME." -set_namespace $TEST_APP_NAMESPACE_NAME +set_namespace "$TEST_APP_NAMESPACE_NAME" app_name="app-backend-pg" # Uninstall backend if it exists so any PVCs can be deleted if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^$app_name$")" = "$app_name" ]; then - helm uninstall $app_name -n "$TEST_APP_NAMESPACE_NAME" + helm uninstall "$app_name" -n "$TEST_APP_NAMESPACE_NAME" fi # Delete any created PVCs -$cli delete --namespace $TEST_APP_NAMESPACE_NAME --ignore-not-found \ - pvc -l app.kubernetes.io/instance=$app_name +$cli delete --namespace "$TEST_APP_NAMESPACE_NAME" --ignore-not-found \ + pvc -l app.kubernetes.io/instance="$app_name" echo "Create secrets for test app backend" -$cli delete --namespace $TEST_APP_NAMESPACE_NAME --ignore-not-found \ +$cli delete --namespace "$TEST_APP_NAMESPACE_NAME" --ignore-not-found \ secret test-app-backend-certs -$cli --namespace $TEST_APP_NAMESPACE_NAME \ +$cli --namespace "$TEST_APP_NAMESPACE_NAME" \ create secret generic \ test-app-backend-certs \ --from-file=server.crt=./etc/ca.pem \ --from-file=server.key=./etc/ca-key.pem helm repo add bitnami https://charts.bitnami.com/bitnami +helm repo update -helm install $app_name bitnami/postgresql -n $TEST_APP_NAMESPACE_NAME --debug --wait --timeout $TIMEOUT \ +helm install "$app_name" bitnami/postgresql -n "$TEST_APP_NAMESPACE_NAME" --debug --wait --timeout "$TIMEOUT" \ --set image.repository="postgres" \ --set image.tag="9.6" \ --set postgresqlDataDir="/data/pgdata" \ @@ -52,5 +52,5 @@ helm install $app_name bitnami/postgresql -n $TEST_APP_NAMESPACE_NAME --debug -- --set securityContext.fsGroup="999" \ --set postgresqlDatabase="test_app" \ --set postgresqlUsername="test_app" \ - --set postgresqlPassword=$SAMPLE_APP_BACKEND_DB_PASSWORD + --set postgresqlPassword="$SAMPLE_APP_BACKEND_DB_PASSWORD" 
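Review bot: The new `helm repo update` followed by `helm install "$app_name" bitnami/postgresql ...` without `--version` means every run installs whatever chart version is current, so the pinned `image.tag="9.6"` and value names such as `postgresqlPassword` can silently stop matching when the chart publishes a new major; add `--version <pinned-chart-version>` so the workflow is reproducible. Because the install runs with `--debug`, helm's output includes the user-supplied values, so `--set postgresqlPassword="$SAMPLE_APP_BACKEND_DB_PASSWORD"` in the next hunk ends up in the CI console log; drop `--debug` here or pass the password through a values file rather than `--set`. `helm list -q -n $TEST_APP_NAMESPACE_NAME` in the uninstall check is still unquoted.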
diff --git a/bin/test-workflow/8_app_deploy.sh b/bin/test-workflow/8_app_deploy.sh index 31038696..ae7364db 100755 --- a/bin/test-workflow/8_app_deploy.sh +++ b/bin/test-workflow/8_app_deploy.sh @@ -3,7 +3,6 @@ set -euo pipefail cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) -PLATFORM="${PLATFORM:-kubernetes}" TIMEOUT="${TIMEOUT:-5m0s}" source utils.sh @@ -13,7 +12,7 @@ check_env_var CONJUR_AUTHN_LOGIN_PREFIX announce "Deploying summon-sidecar test app in $TEST_APP_NAMESPACE_NAME." -set_namespace $TEST_APP_NAMESPACE_NAME +set_namespace "$TEST_APP_NAMESPACE_NAME" # Uninstall sample app if it exists if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^app-summon-sidecar$")" = "app-summon-sidecar" ]; then @@ -21,10 +20,12 @@ if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^app-summon-sidecar$")" fi pushd ../../helm/conjur-app-deploy > /dev/null - helm install app-summon-sidecar . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait --timeout $TIMEOUT \ + helm install app-summon-sidecar . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait --timeout "$TIMEOUT" \ --set global.conjur.conjurConnConfigMap="conjur-connect" \ --set app-summon-sidecar.enabled=true \ - --set app-summon-sidecar.conjur.authnLogin="$CONJUR_AUTHN_LOGIN_PREFIX/test-app-summon-sidecar" + --set app-summon-sidecar.conjur.authnLogin="$CONJUR_AUTHN_LOGIN_PREFIX/test-app-summon-sidecar" \ + --set app-summon-sidecar.app.image.tag="$CONJUR_NAMESPACE_NAME" \ + --set app-summon-sidecar.app.image.repository="$DOCKER_REGISTRY_PATH/test-sidecar-app" popd > /dev/null diff --git a/bin/test-workflow/9_app_verify_authentication.sh b/bin/test-workflow/9_app_verify_authentication.sh index ca4d0ac2..a44b55db 100755 --- a/bin/test-workflow/9_app_verify_authentication.sh +++ b/bin/test-workflow/9_app_verify_authentication.sh 
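Review bot: `--set app-summon-sidecar.app.image.repository="$DOCKER_REGISTRY_PATH/test-sidecar-app"` builds the in-cluster image reference from the push-side registry path, whereas 0_prep_env.sh introduces `PULL_DOCKER_REGISTRY_PATH` (defaulting to `DOCKER_REGISTRY_PATH`) presumably for exactly this case, and 6_app_build_and_push_containers.sh derives its push name via platform_image_for_push rather than this fixed string; if the two can differ on some platform the pod will fail to pull. Use `--set app-summon-sidecar.app.image.repository="$PULL_DOCKER_REGISTRY_PATH/test-sidecar-app"`, or a helper mirroring platform_image_for_push, and add a comment tying the tag `$CONJUR_NAMESPACE_NAME` to the `--tag test-app:"$CONJUR_NAMESPACE_NAME"` used when the image is built. `helm list -q -n $TEST_APP_NAMESPACE_NAME` in the preceding hunk remains unquoted.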
@@ -53,7 +53,7 @@ set_namespace "$TEST_APP_NAMESPACE_NAME" deploy_test_curl() { $cli delete --ignore-not-found pod/test-curl - $cli create -f ./$PLATFORM/test-curl.yml + $cli create -f ./"$PLATFORM"/test-curl.yml } check_test_curl() { diff --git a/bin/test-workflow/Dockerfile b/bin/test-workflow/Dockerfile new file mode 100644 index 00000000..e9af1899 --- /dev/null +++ b/bin/test-workflow/Dockerfile @@ -0,0 +1,25 @@ +FROM google/cloud-sdk + +RUN mkdir -p /src +WORKDIR /src + +# Install Docker client +RUN apt-get update -y && \ + apt-get install -y apt-transport-https ca-certificates curl gnupg2 software-properties-common wget && \ + curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | apt-key add - && \ + add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") $(lsb_release -cs) stable" && \ + apt-get update && \ + apt-get install -y docker-ce && \ + rm -rf /var/lib/apt/lists/* + +# Install kubectl CLI +ARG KUBECTL_VERSION +RUN curl -LO https://dl.k8s.io/release/v"${KUBECTL_VERSION:-1.21.3}"/bin/linux/amd64/kubectl && \ + mv kubectl /usr/local/bin/kubectl && \ + chmod +x /usr/local/bin/kubectl + +# Install Helm CLI +ARG HELM_CLI_VERSION +RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 +RUN chmod 700 get_helm.sh +RUN ./get_helm.sh --no-sudo --version ${HELM_CLI_VERSION:-v3.5.2} diff --git a/bin/test-workflow/README.md b/bin/test-workflow/README.md index 78a62787..d294059a 100644 --- a/bin/test-workflow/README.md +++ b/bin/test-workflow/README.md 
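Review bot: In the new bin/test-workflow/Dockerfile the kubectl binary is downloaded with `curl -LO https://dl.k8s.io/release/v"${KUBECTL_VERSION:-1.21.3}"/bin/linux/amd64/kubectl` and installed with no integrity check; the release site publishes a sibling checksum, so add `curl -LO https://dl.k8s.io/release/v"${KUBECTL_VERSION:-1.21.3}"/bin/linux/amd64/kubectl.sha256` and `echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check` before the `mv`. The Helm installer is fetched from the `master` branch of the helm repo and executed as root, and `FROM google/cloud-sdk` carries no tag, so two more inputs of this image float from build to build; pinning the installer to a tagged ref and the base image to a tag or digest would make the CI image reproducible. `curl ... | apt-key add -` is deprecated in current Debian/Ubuntu; writing the key to `/etc/apt/keyrings/` and referencing it with `signed-by=` in the repo line is the supported form.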
@@ -10,15 +10,24 @@ ## Overview -The scripts within this folder encompass an end-to-end workflow for testing Conjur Kubernetes authentication by deploying a PetStore demo application to a Kubernetes-in-Docker (KinD) cluster. The authenticator and cluster configuration is validated at a high level via basic POST and GET requests to the PetStore app; implicitly verifying communication with the app's backend database (with credentials provided by a particular Conjur Kubernetes authenticator). +The scripts within this folder encompass an end-to-end workflow for testing Conjur Kubernetes authentication by deploying a PetStore demo application to a Kubernetes cluster. The authenticator and cluster configuration is validated at a high level via basic POST and GET requests to the PetStore app; implicitly verifying communication with the app's backend database (with credentials provided by a particular Conjur Kubernetes authenticator). The workflow: -* Deploys Conjur Open Source to a KinD cluster +* Deploys Conjur to a Kubernetes cluster * Prepares the cluster with Conjur Config Cluster Prep Helm chart * Prepares and enables the Kubernetes authenticator in Conjur * Prepares PetStore app namespace with Conjur NameSpace Prep Helm chart * Deploys and verifies the PetStore demo application with authenticator sidecar +The workflow currently supports testing Kubernetes authentication against Conjur Open Source or Enterprise. Each can be run from the `start` script: + +```bash +# run Open Source workflow +./start +# run Enterprise workflow on GKE +./start --enterprise --platform gke +``` + ## Ongoing Improvements * Demo app can be published to DockerHub instead of local builds 
@@ -27,38 +36,55 @@ The workflow: ([#322](https://github.com/cyberark/conjur-authn-k8s-client/issues/322) & [#323](https://github.com/cyberark/conjur-authn-k8s-client/issues/323)) -## Quick Start Guide +## Prerequisites -### Prerequisites +#### Common +* [git](https://git-scm.com/downloads) +* [Docker](https://docs.docker.com/get-docker/) -* [Docker](https://docs.docker.com/get-docker/) and [KinD](https://github.com/kubernetes-sigs/kind#installation-and-usage) +#### Conjur Open Source Workflow +* [Kubernetes in Docker (KinD)](https://github.com/kubernetes-sigs/kind#installation-and-usage) * [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) * [Helm](https://helm.sh/docs/intro/install/) -* [git](https://git-scm.com/downloads) + +#### Conjur Enterprise Workflow +* Google Kubernetes Engine (GKE) cluster access, which requires the following environment variables to be set: + * `GCLOUD_PROJECT_NAME` + * `GCLOUD_ZONE` + * `GCLOUD_CLUSTER_NAME` + * `GCLOUD_SERVICE_KEY` + +## Quick Start Guide ### Steps -1) Prepare a Cluster and Deploy Conjur Open Source +1) Prepare Environment - - Start a KinD cluster with local Docker registry - - Create a new namespace for Conjur, `conjur-oss` - - Deploy Conjur Open Source with Helm - - The Conjur Open Source Helm Chart is published on [GitHub](https://github.com/cyberark/conjur-oss-helm-chart). + - The following scripts use environment variables to persist information regarding the workflow's configuration. Each is set to a default value, and can be changed by setting the envvar before invoking the script. - - The Conjur Open Source Helm Chart repository contains an [example](https://github.com/cyberark/conjur-oss-helm-chart/tree/main/examples/kubernetes-in-docker) folder with scripts and instructions for deploying the Conjur Open Source Helm Chart on KinD. 
The scripts from the example folder are used to accomplish this step by git cloning the Conjur Open Source Helm Chart repository and using them to carry out the tasks mentioned above. - - Enable the Kubernetes Authenticator in Conjur - - To perform these steps, run: + - Prepare the environment by running: ```bash - ./0_prep_conjur_in_kind.sh + source ./0_prep_env.sh ``` -2) Prepare Environment +2) Deploy Conjur to Kubernetes Cluster - - The following scripts use environment variables to persist information regarding the workflow's configuration. Each is set to a default value, and can be changed by setting the envvar before invoking the script. + - The workflow can either deploy Conjur Open Source or Conjur Enterprise, and decides based on the `CONJUR_OSS_HELM_INSTALLED` environment variable + - Deploy Conjur Open Source to KinD + - Start a KinD cluster with local Docker registry + - Create a new namespace for Conjur + - Deploy Conjur Open Source with Helm + - The Conjur Open Source Helm Chart is published on [GitHub](https://github.com/cyberark/conjur-oss-helm-chart). - - Prepare the environment by running: + - The Conjur Open Source Helm Chart repository contains an [example](https://github.com/cyberark/conjur-oss-helm-chart/tree/main/examples/kubernetes-in-docker) folder with scripts and instructions for deploying the Conjur Open Source Helm Chart on KinD. The scripts from the example folder are used to accomplish this step by git cloning the Conjur Open Source Helm Chart repository and using them to carry out the tasks mentioned above. + - Deploy Conjur Enterprise to GKE + - Create a new namespace for Conjur + - Deploy Conjur Enterprise + - Conjur Enterprise is deployed with scripts in the [Kubernetes Conjur Deploy GitHub repo](https://github.com/cyberark/kubernetes-conjur-deploy). + - Enable the Kubernetes Authenticator in Conjur + - To perform these steps, run: ```bash - source ./1_prep_env.sh + ./1_deploy_conjur.sh ``` 3) Load Conjur Policy 
@@ -95,7 +121,7 @@ The workflow: 5) Cluster Preparation - - In this step, the KinD cluster is prepared to enable applications to authenticate with Conjur Open Source using: + - In this step, the Kubernetes cluster is prepared to enable applications to authenticate with Conjur Open Source using: - a "Golden" ConfigMap - an authenticator ClusterRole @@ -123,7 +149,7 @@ The workflow: 6) App Namespace Preparation - - In this step, a new namespace is created in the KinD cluster for the PetStore test app deployment, and it is prepared to authenticate with Conjur Open Source using: + - In this step, a new namespace is created in the Kubernetes cluster for the PetStore test app deployment, and it is prepared to authenticate with Conjur Open Source using: - a Conjur connection ConfigMap - an authenticator RoleBinding diff --git a/bin/test-workflow/platform_login.sh b/bin/test-workflow/platform_login.sh new file mode 100755 index 00000000..a7c8015a --- /dev/null +++ b/bin/test-workflow/platform_login.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env bash + +set -euo pipefail +IFS=$'\n\t' + +function main { + if [[ "$CLUSTER_TYPE" == "gke" ]]; then + gcloud auth activate-service-account \ + --key-file "$GCLOUD_SERVICE_KEY" + gcloud container clusters get-credentials "$GCLOUD_CLUSTER_NAME" \ + --zone "$GCLOUD_ZONE" \ + --project "$GCLOUD_PROJECT_NAME" + docker login "$DOCKER_REGISTRY_URL" \ + -u oauth2accesstoken \ + -p "$(gcloud auth print-access-token)" + elif [[ "$CLUSTER_TYPE" == "oc" ]]; then + oc login "$OPENSHIFT_URL" \ + --username="$OPENSHIFT_USERNAME" \ + --password="$OPENSHIFT_PASSWORD" \ + --insecure-skip-tls-verify=true + docker login \ + -u _ -p "$(oc whoami -t)" \ + "$DOCKER_REGISTRY_PATH" + fi +} + +main diff --git a/bin/test-workflow/secrets.yml b/bin/test-workflow/secrets.yml new file mode 100644 index 00000000..f5c07fe2 --- /dev/null +++ b/bin/test-workflow/secrets.yml 
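Review bot: In platform_login.sh, `oc login "$OPENSHIFT_URL" --username=... --password="$OPENSHIFT_PASSWORD" --insecure-skip-tls-verify=true` sends the OpenShift credentials to whatever answers at `$OPENSHIFT_URL` without verifying its certificate, so a CI job pointed at a spoofed or intercepted endpoint would hand the password over. Prefer `--certificate-authority=<path-to-cluster-ca-bundle>` with the bundle supplied the same way `GCLOUD_SERVICE_KEY` is, or at least gate the flag behind an explicit opt-in variable with a comment, e.g. `# oc: TLS verification disabled only for the self-signed test cluster — confirm`. The `oc` branch also reads `OPENSHIFT_URL`, `OPENSHIFT_USERNAME` and `OPENSHIFT_PASSWORD`, none of which 0_prep_env.sh or secrets.yml in this change define, so a short header comment listing the variables `main` expects per `CLUSTER_TYPE` would help.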
@@ -0,0 +1,22 @@
+common:
+ CONJUR_ACCOUNT: myConjurAccount
+ CONJUR_ADMIN_PASSWORD: "MySecretP@ss1"
+
+ KUBECTL_VERSION: "1.21.3"
+
+ GCLOUD_CLUSTER_NAME: ""
+ GCLOUD_ZONE: ""
+ GCLOUD_PROJECT_NAME: ""
+ GCLOUD_SERVICE_KEY: ""
+
+gke:
+ GCLOUD_CLUSTER_NAME: !var ci/google-container-engine-testbed/gcloud-cluster-name
+ GCLOUD_ZONE: !var ci/google-container-engine-testbed/gcloud-zone
+ GCLOUD_PROJECT_NAME: !var ci/google-container-engine-testbed/gcloud-project-name
+ GCLOUD_SERVICE_KEY: !var:file ci/google-container-engine-testbed/gcloud-service-key
+
+ PLATFORM: kubernetes
+ TEST_PLATFORM: gke
+ USE_DOCKER_LOCAL_REGISTRY: false
+ DOCKER_REGISTRY_URL: us.gcr.io
+ DOCKER_REGISTRY_PATH: us.gcr.io/conjur-gke-dev
diff --git a/bin/test-workflow/start b/bin/test-workflow/start
index b5fd7fc8..d1ca6e0d 100755
--- a/bin/test-workflow/start
+++ b/bin/test-workflow/start
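Review bot: `CONJUR_ADMIN_PASSWORD: "MySecretP@ss1"` under `common:` is a plaintext credential committed to the repository, and because the `gke:` environment does not override it, the Conjur Enterprise deployment on GKE would be provisioned with this repository-visible admin password. Source it from Conjur the same way the gcloud values are, e.g. `CONJUR_ADMIN_PASSWORD: !var ci/<PLACEHOLDER-path>/conjur-admin-password`, or generate a per-run value in `0_prep_env.sh` and leave it out of this file. A short comment that the empty `GCLOUD_*: ""` entries in `common:` are deliberate placeholders for the non-GKE environment would also clarify intent.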
@@ -3,16 +3,96 @@ set -eo pipefail cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 ) -./0_prep_conjur_in_kind.sh +function print_help { + cat << EOF +Runs the end-to-end workflow for testing Conjur Kubernetes authentication. +By default, the workflow is run against Conjur Open Source, but can be run +against Conjur Enterprise. -source ./1_prep_env.sh +Usage: ./start [options]: -./2_admin_load_conjur_policies.sh -./3_admin_init_conjur_cert_authority.sh + -e, --enterprise Run the E2E workflow against Conjur Enterprise + -p, --platform Platform on which to deploy Conjur + For Open Source workflow: + - Defaults to 'kind' + For Enterprise workflow: + - Defaults to 'gke' + All other selections are rejected + -h, --help Show the help message +EOF + exit +} -./4_admin_cluster_prep.sh -./5_app_namespace_prep.sh -./6_app_build_and_push_containers.sh -./7_app_deploy_backend.sh -./8_app_deploy.sh +function cleanup { + announce "Removing test environment" + ./stop +} + +while true; do + case "$1" in + -e|--enterprise ) + CONJUR_OSS_HELM_INSTALLED="false" + shift + ;; + -p|--platform ) + CLUSTER_TYPE="$2" + shift + shift + ;; + -h|--help ) + print_help + shift + ;; + * ) + if [ -z "$1" ]; then + break + else + echo "$1 is not a valid option" + exit 1 + fi + ;; + esac +done + +export CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}" +if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then + if [[ -z "$CLUSTER_TYPE" ]]; then + CLUSTER_TYPE="kind" + elif [[ "$CLUSTER_TYPE" != "kind" ]]; then + echo "Conjur Open Source workflow not compatible with platform \"$CLUSTER_TYPE\"" + echo "Workflow currently only compatible with \"kind\"" + exit + fi +else + if [[ -z "$CLUSTER_TYPE" ]]; then + CLUSTER_TYPE="gke" + elif [[ "$CLUSTER_TYPE" != "gke" ]]; then + echo "Conjur Enterprise workflow not compatible with platform \"$CLUSTER_TYPE\"" + echo "Workflow currently only compatible with \"gke\"" + exit + fi +fi +export CLUSTER_TYPE + +trap cleanup EXIT +source 
./utils.sh + +source ./0_prep_env.sh +./1_deploy_conjur.sh + +workflow=" +./2_admin_load_conjur_policies.sh && +./3_admin_init_conjur_cert_authority.sh && +./4_admin_cluster_prep.sh && +./5_app_namespace_prep.sh && +./6_app_build_and_push_containers.sh && +./7_app_deploy_backend.sh && +./8_app_deploy.sh && ./9_app_verify_authentication.sh +" + +if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then + eval "$workflow" +else + run_command_with_platform "$workflow" +fi diff --git a/bin/test-workflow/stop b/bin/test-workflow/stop new file mode 100755 index 00000000..22c179cf --- /dev/null +++ b/bin/test-workflow/stop @@ -0,0 +1,17 @@ +#!/usr/bin/env bash +set -uo pipefail + +source utils.sh + +if [[ "${CONJUR_OSS_HELM_INSTALLED}" == "true" ]]; then + $cli delete namespace "$CONJUR_NAMESPACE_NAME" + $cli delete namespace "$TEST_APP_NAMESPACE_NAME" +else + run_command_with_platform " + cd temp/kubernetes-conjur-deploy-$UNIQUE_TEST_ID && + ./stop && + $cli delete namespace $TEST_APP_NAMESPACE_NAME && + $cli delete clusterrole conjur-clusterrole + " + rm -rf temp/kubernetes-conjur-deploy-"$UNIQUE_TEST_ID" +fi diff --git a/bin/test-workflow/utils.sh b/bin/test-workflow/utils.sh index 2b33fb4e..d5ace653 100755 --- a/bin/test-workflow/utils.sh +++ b/bin/test-workflow/utils.sh @@ -33,9 +33,9 @@ platform_image_for_pull() { if [[ ${PLATFORM} = "openshift" ]]; then echo "${PULL_DOCKER_REGISTRY_PATH}/$TEST_APP_NAMESPACE_NAME/$1:$TEST_APP_NAMESPACE_NAME" elif [[ "$USE_DOCKER_LOCAL_REGISTRY" = "true" ]]; then - echo "${PULL_DOCKER_REGISTRY_URL}/$1:$CONJUR_NAMESPACE" + echo "${PULL_DOCKER_REGISTRY_URL}/$1:$CONJUR_NAMESPACE_NAME" else - echo "${PULL_DOCKER_REGISTRY_PATH}/$1:$CONJUR_NAMESPACE" + echo "${PULL_DOCKER_REGISTRY_PATH}/$1:$CONJUR_NAMESPACE_NAME" fi } 
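Review bot: The two platform-incompatibility branches in `start` end with a bare `exit`, which returns status 0, so a misconfigured invocation such as `--enterprise --platform kind` reports success to Jenkins and to any wrapper; use `exit 1` in both places. In the `-p|--platform` arm, `CLUSTER_TYPE="$2"` followed by two `shift`s aborts with an opaque error under `set -e` when `-p` is the last argument; a guard like `[[ -n "${2:-}" ]] || { echo "--platform requires a value" >&2; exit 1; }` gives a usable message. `trap cleanup EXIT` is installed before `source ./utils.sh`, so if the source fails, `cleanup` runs with `announce` undefined; moving the trap below the source line avoids that. The `eval "$workflow"` operates on a fixed literal and is not an injection point, but a one-line comment saying so would preempt the question for reviewers.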
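Review bot: In `stop`, the string handed to `run_command_with_platform` is re-parsed by the container's `bash -c`, and `$TEST_APP_NAMESPACE_NAME` and `$UNIQUE_TEST_ID` are expanded into it unquoted, so a value containing whitespace or glob characters would split at the second parse; quote them inside the string, e.g. `$cli delete namespace \"$TEST_APP_NAMESPACE_NAME\" &&`. `source utils.sh` is resolved against the caller's working directory rather than the script's own (unlike `start`, which does `cd "$(dirname "$0")"`), so running `./stop` from another directory fails; a `cd "$(dirname "$0")"` before the source would match. With `set -u` but no `-e`, an unset `CONJUR_OSS_HELM_INSTALLED` (stop run without `0_prep_env.sh` having been sourced) aborts on the first `if` with an unbound-variable message; `: "${CONJUR_OSS_HELM_INSTALLED:?source 0_prep_env.sh first}"` up front would explain it.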
@@ -43,9 +43,9 @@ platform_image_for_push() { if [[ ${PLATFORM} = "openshift" ]]; then echo "${DOCKER_REGISTRY_PATH}/$TEST_APP_NAMESPACE_NAME/$1:$TEST_APP_NAMESPACE_NAME" elif [[ "$USE_DOCKER_LOCAL_REGISTRY" = "true" ]]; then - echo "${DOCKER_REGISTRY_URL}/$1:$CONJUR_NAMESPACE" + echo "${DOCKER_REGISTRY_URL}/$1:$CONJUR_NAMESPACE_NAME" else - echo "${DOCKER_REGISTRY_PATH}/$1:$CONJUR_NAMESPACE" + echo "${DOCKER_REGISTRY_PATH}/$1:$CONJUR_NAMESPACE_NAME" fi } @@ -59,7 +59,7 @@ has_namespace() { has_resource() { local selector=$1 - local num_matching_resources=$($cli get pods -n "$CONJUR_NAMESPACE" --selector $selector --no-headers 2>/dev/null | wc -l) + local num_matching_resources=$($cli get pods -n "$CONJUR_NAMESPACE_NAME" --selector $selector --no-headers 2>/dev/null | wc -l) if [ $num_matching_resources -gt 0 ]; then return 0 else @@ -85,11 +85,11 @@ get_master_pod_name() { else pod_list=$(get_pods "app=conjur-node,role=master") fi - echo $pod_list | awk '{print $1}' + echo "$pod_list" | awk '{print $1}' } get_conjur_cli_pod_name() { - pod_list=$($cli get pods -n "$CONJUR_NAMESPACE" --selector app=conjur-cli --no-headers | awk '{ print $1 }') + pod_list=$($cli get pods -n "$CONJUR_NAMESPACE_NAME" --selector app=conjur-cli --no-headers | awk '{ print $1 }') echo $pod_list | awk '{print $1}' } 
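Review bot: In `has_resource` the changed line still combines `local` with the command substitution, so a failing `$cli get pods` is masked (`local` returns 0) and, with `2>/dev/null`, the function silently reports "no resources"; split it into `local num_matching_resources` followed by `num_matching_resources=$($cli get pods -n "$CONJUR_NAMESPACE_NAME" --selector "$selector" --no-headers 2>/dev/null | wc -l)`. `--selector $selector` is unquoted, which only works while selectors never contain spaces; quoting it costs nothing. In the `@@ -85` hunk, `get_conjur_cli_pod_name` keeps `echo $pod_list` unquoted while `get_master_pod_name` just above was quoted in this same commit — apply the same fix for consistency.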
@@ -234,3 +234,63 @@ function dump_authentication_policy { announce "Authentication policy:" cat policy/generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml } + +function get_admin_password { + echo "$(kubectl exec \ + --namespace "$CONJUR_NAMESPACE_NAME" \ + deploy/conjur-oss \ + --container conjur-oss \ + -- conjurctl role retrieve-key "$CONJUR_ACCOUNT":user:admin | tail -1)" +} + +function run_command_with_platform { + GCLOUD_INCLUDES="" + if [[ ! -z "${GCLOUD_SERVICE_KEY}" ]]; then + GCLOUD_INCLUDES="-v$GCLOUD_SERVICE_KEY:/tmp$GCLOUD_SERVICE_KEY" + fi + docker run --rm \ + -i \ + -e CONJUR_OSS_HELM_INSTALLED \ + -e PLATFORM \ + -e CLUSTER_TYPE \ + -e USE_DOCKER_LOCAL_REGISTRY \ + -e DOCKER_REGISTRY_URL \ + -e DOCKER_REGISTRY_PATH \ + -e PULL_DOCKER_REGISTRY_URL \ + -e PULL_DOCKER_REGISTRY_PATH \ + -e CONJUR_ACCOUNT \ + -e CONJUR_ADMIN_PASSWORD \ + -e CONJUR_APPLIANCE_URL \ + -e CONJUR_AUTHN_LOGIN_PREFIX \ + -e AUTHENTICATOR_ID \ + -e CONJUR_NAMESPACE_NAME \ + -e CONJUR_VERSION \ + -e SAMPLE_APP_BACKEND_DB_PASSWORD \ + -e TEST_APP_DATABASE \ + -e TEST_APP_NAMESPACE_NAME \ + -e CONJUR_APPLIANCE_IMAGE \ + -e CONJUR_FOLLOWER_URL \ + -e DEPLOY_MASTER_CLUSTER \ + -e GCLOUD_CLUSTER_NAME \ + -e GCLOUD_ZONE \ + -e GCLOUD_PROJECT_NAME \ + -e OPENSHIFT_VERSION \ + -e OPENSHIFT_URL \ + -e OPENSHIFT_USERNAME \ + -e OPENSHIFT_PASSWORD \ + -e OSHIFT_CONJUR_ADMIN_USERNAME \ + -e OSHIFT_CLUSTER_ADMIN_USERNAME \ + -e CONJUR_LOG_LEVEL \ + -e TEST_APP_LOADBALANCER_SVCS \ + -e GCLOUD_SERVICE_KEY=/tmp"$GCLOUD_SERVICE_KEY" \ + "$GCLOUD_INCLUDES" \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v ~/.config:/root/.config \ + -v "$PWD/../..":/src \ + -w /src/bin/test-workflow \ + "$PLATFORM_CONTAINER:$CONJUR_NAMESPACE_NAME" \ + bash -c " + ./platform_login.sh + $* + " +} diff --git a/bin/validate-helm b/bin/validate-helm index 015b7225..a0190eaa 100755 --- a/bin/validate-helm +++ b/bin/validate-helm 
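Review bot: `run_command_with_platform` passes `"$GCLOUD_INCLUDES"` as a quoted argument, so when `GCLOUD_SERVICE_KEY` is empty (the OpenShift path) `docker run` receives a literal empty-string argument where the image name is expected and fails; an array that expands to nothing when empty fixes this, see below (`${gcloud_includes[@]+"${gcloud_includes[@]}"}` keeps the expansion safe under `set -u`, which `stop` enables). Mounting `/var/run/docker.sock` and `~/.config` into the container hands it full control of the host Docker daemon and the host's gcloud credentials; that is a common CI-helper pattern, but a comment stating the trust requirement would stop someone reusing the function for commands built from less trusted input. `get_admin_password` hardcodes `kubectl` where the rest of the file uses `$cli`, and its outer `echo "$(...)"` is redundant. `GCLOUD_INCLUDES` is also not declared `local`.

```shell
function run_command_with_platform {
  local -a gcloud_includes=()
  if [[ -n "${GCLOUD_SERVICE_KEY}" ]]; then
    gcloud_includes=(-v "$GCLOUD_SERVICE_KEY:/tmp$GCLOUD_SERVICE_KEY")
  fi
  # … unchanged: docker run --rm -i and the -e pass-through list …
    -e GCLOUD_SERVICE_KEY=/tmp"$GCLOUD_SERVICE_KEY" \
    ${gcloud_includes[@]+"${gcloud_includes[@]}"} \
  # … unchanged: volume mounts, working dir, image and bash -c invocation …
}
```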
@@ -33,8 +33,8 @@ function popd() { function create_cluster() { # Create kind cluster - ./0_prep_conjur_in_kind.sh - . ./1_prep_env.sh + . ./0_prep_env.sh + ./1_deploy_conjur.sh ./2_admin_load_conjur_policies.sh ./3_admin_init_conjur_cert_authority.sh }
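Review bot: The comment `# Create kind cluster` in `create_cluster` now sits above `. ./0_prep_env.sh`, which the README hunk earlier on this page describes as preparing the environment, while the cluster work moved to `./1_deploy_conjur.sh`; either move the comment down a line or reword it to `# Export workflow env vars, then deploy Conjur (creates the KinD cluster if needed)`. Because `0_prep_env.sh` is sourced rather than executed, any `set` options or `export`s it performs now take effect in `validate-helm`'s own shell; if that is intended, a short comment saying so would spare the next reader a check. The `create_cluster` body is fully visible in the hunk.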