PR Review updates

Jenkinsfile

@@ -47,12 +47,6 @@ pipeline {
       }
     }
 
-    stage('E2E Workflow Tests') {
-      steps {
-        sh 'cd bin/test-workflow && summon --environment gke ./start --enterprise --platform gke'
-      }
-    }
-
     stage("Scan images") {
       parallel {
         stage ("Scan main image for fixable vulns") {
@@ -88,6 +82,16 @@ pipeline {
       }
     }
 
+    stage('E2E Workflow Tests') {
+      parallel {
+        stage('Enterprise and test app deployed to GKE') {
+          steps {
+            sh 'cd bin/test-workflow && summon --environment gke ./start --enterprise --platform gke'
+          }
+        }
+      }
+    }
+
     stage('Publish client Docker images') {
       parallel {
         stage('On a master build') {

bin/test-workflow/0_prep_env.sh

@@ -5,15 +5,17 @@ set -o pipefail
 ### PLATFORM DETAILS
 export CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}"
 
+# PLATFORM is used to differentiate between general Kubernetes platforms (K8s vs. oc), while
+# CLUSTER_TYPE is used to differentiate between sub-platforms (for vanilla K8s, KinD vs. GKE)
 if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
-  TEST_PLATFORM="${TEST_PLATFORM:-kind}"
+  CLUSTER_TYPE="${CLUSTER_TYPE:-kind}"
 else
-  TEST_PLATFORM="${TEST_PLATFORM:-gke}"
+  CLUSTER_TYPE="${CLUSTER_TYPE:-gke}"
   export UNIQUE_TEST_ID="$(uuidgen | tr "[:upper:]" "[:lower:]" | head -c 10)"
 fi
-export TEST_PLATFORM
+export CLUSTER_TYPE
 
-if [[ "${TEST_PLATFORM}" == "oc" ]]; then
+if [[ "$CLUSTER_TYPE" == "oc" ]]; then
   PLATFORM="openshift"
 else
   PLATFORM="kubernetes"
@@ -46,10 +48,10 @@ else
 fi
 
 export CONJUR_APPLIANCE_URL=${CONJUR_APPLIANCE_URL:-https://$conjur_service.$CONJUR_NAMESPACE_NAME.svc.cluster.local}
-export SAMPLE_APP_BACKEND_DB_PASSWORD=$(openssl rand -hex 12)
+export SAMPLE_APP_BACKEND_DB_PASSWORD="$(openssl rand -hex 12)"
 
 ### PLATFORM SPECIFIC CONFIG
-if [[ "$TEST_PLATFORM" == "gke" ]]; then
+if [[ "$CLUSTER_TYPE" == "gke" ]]; then
     export CONJUR_FOLLOWER_URL="https://conjur-follower.$CONJUR_NAMESPACE_NAME.svc.cluster.local"
     export CONJUR_ADMIN_PASSWORD="MySecretP@ss1"
     export CONJUR_APPLIANCE_IMAGE="registry2.itci.conjur.net/conjur-appliance:5.0-stable"
@@ -60,8 +62,8 @@ if [[ "$TEST_PLATFORM" == "gke" ]]; then
     export CONFIGURE_CONJUR_MASTER=true
     export PLATFORM_CONTAINER="platform-container"
 
-    docker build --tag  $PLATFORM_CONTAINER:$CONJUR_NAMESPACE_NAME \
+    docker build --tag "$PLATFORM_CONTAINER:$CONJUR_NAMESPACE_NAME" \
         --file Dockerfile \
-        --build-arg KUBECTL_CLI_URL=$KUBECTL_CLI_URL \
+        --build-arg KUBECTL_VERSION="$KUBECTL_VERSION" \
         .
 fi

bin/test-workflow/1_deploy_conjur.sh

@@ -11,23 +11,21 @@ function setup_conjur_enterprise {
   check_env_var GCLOUD_CLUSTER_NAME
   check_env_var GCLOUD_SERVICE_KEY
 
-  docker pull $CONJUR_APPLIANCE_IMAGE
+  docker pull "$CONJUR_APPLIANCE_IMAGE"
 
-  # rm -rf kubernetes-conjur-deploy
   pushd temp > /dev/null
-    git clone --single-branch --branch master [email protected]:cyberark/kubernetes-conjur-deploy kubernetes-conjur-deploy-$UNIQUE_TEST_ID
+    git clone --single-branch --branch master [email protected]:cyberark/kubernetes-conjur-deploy "kubernetes-conjur-deploy-$UNIQUE_TEST_ID"
   popd > /dev/null
 
   announce "Deploying Conjur Enterprise"
 
-  if [[ "${TEST_PLATFORM}" == "gke" ]]; then
+  if [[ "${CLUSTER_TYPE}" == "gke" ]]; then
     run_command_with_platform "cd temp/kubernetes-conjur-deploy-$UNIQUE_TEST_ID && ./start"
   fi
 }
 
 function setup_conjur_open_source {
   pushd temp > /dev/null
-    rm -rf temp/conjur-oss-helm-chart
     git clone https://github.com/cyberark/conjur-oss-helm-chart.git
 
     pushd conjur-oss-helm-chart/examples/common > /dev/null
@@ -50,6 +48,8 @@ function setup_conjur_open_source {
       announce "Enabling the Conjur Kubernetes authenticator if necessary"
       ./4_ensure_authn_k8s_enabled.sh
     popd > /dev/null
+
+    rm -rf conjur-oss-helm-chart
   popd > /dev/null
 }
 

bin/test-workflow/2_admin_load_conjur_policies.sh

@@ -7,7 +7,9 @@ PLATFORM="${PLATFORM:-kubernetes}"
 
 source utils.sh
 
-export CONJUR_ADMIN_PASSWORD="$(get_admin_password)"
+if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
+  export CONJUR_ADMIN_PASSWORD="$(get_admin_password)"
+fi
 
 check_env_var TEST_APP_NAMESPACE_NAME
 check_env_var CONJUR_VERSION
@@ -24,12 +26,12 @@ announce "Generating Conjur policy."
 prepare_conjur_cli_image() {
   announce "Pulling and pushing Conjur CLI image."
 
-  docker pull cyberark/conjur-cli:$CONJUR_VERSION-latest
+  docker pull cyberark/conjur-cli:"$CONJUR_VERSION"-latest
 
-  cli_app_image=$(platform_image_for_push conjur-cli)
-  docker tag cyberark/conjur-cli:$CONJUR_VERSION-latest $cli_app_image
+  cli_app_image="$(platform_image_for_push conjur-cli)"
+  docker tag cyberark/conjur-cli:"$CONJUR_VERSION"-latest "$cli_app_image"
 
-  docker push $cli_app_image
+  docker push "$cli_app_image"
 }
 
 deploy_conjur_cli() {
@@ -71,39 +73,39 @@ pushd policy > /dev/null
   fi
 
   sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml |
-    sed "s#{{ CONJUR_NAMESPACE }}#$CONJUR_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml
+    sed "s#{{ CONJUR_NAMESPACE }}#$CONJUR_NAMESPACE_NAME#g" > ./generated/"$TEST_APP_NAMESPACE_NAME".cluster-authn-svc.yml
 
   sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml |
     sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" |
     sed "s#{{ IS_KUBERNETES }}#$is_kubernetes#g" |
-    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/"$TEST_APP_NAMESPACE_NAME".project-authn.yml
 
   sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/app-identity-def.template.yml |
-    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/"$TEST_APP_NAMESPACE_NAME".app-identity.yml
 
   sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/authn-any-policy-branch.template.yml |
     sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" |
-    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.authn-any-policy-branch.yml
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/"$TEST_APP_NAMESPACE_NAME".authn-any-policy-branch.yml
 popd > /dev/null
 
 set_namespace "$CONJUR_NAMESPACE_NAME"
 
 announce "Finding or creating a Conjur CLI pod"
-conjur_cli_pod=$(get_conjur_cli_pod_name)
+conjur_cli_pod="$(get_conjur_cli_pod_name)"
 if [ -z "$conjur_cli_pod" ]; then
   prepare_conjur_cli_image
   deploy_conjur_cli
-  conjur_cli_pod=$(get_conjur_cli_pod_name)
+  conjur_cli_pod="$(get_conjur_cli_pod_name)"
 fi
 
 if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
-  ensure_conjur_cli_initialized $conjur_cli_pod
+  ensure_conjur_cli_initialized "$conjur_cli_pod"
 fi
 
 announce "Loading Conjur policy."
 
-$cli exec $conjur_cli_pod -- rm -rf /policy
-$cli cp ./policy $conjur_cli_pod:/policy
+$cli exec "$conjur_cli_pod" -- rm -rf /policy
+$cli cp ./policy "$conjur_cli_pod:/policy"
 
 wait_for_it 300 "$cli exec $conjur_cli_pod -- \
   bash -c \"
@@ -117,6 +119,6 @@ wait_for_it 300 "$cli exec $conjur_cli_pod -- \
   \"
 "
 
-$cli exec $conjur_cli_pod -- rm -rf ./policy
+$cli exec "$conjur_cli_pod" -- rm -rf ./policy
 
 echo "Conjur policy loaded."

bin/test-workflow/3_admin_init_conjur_cert_authority.sh

@@ -3,8 +3,6 @@
 set -euo pipefail
 cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 )
 
-PLATFORM="${PLATFORM:-kubernetes}"
-
 source utils.sh
 
 check_env_var CONJUR_NAMESPACE_NAME
@@ -16,12 +14,12 @@ announce "Initializing Conjur certificate authority."
 
 set_namespace $CONJUR_NAMESPACE_NAME
 
-conjur_master=$(get_master_pod_name)
+conjur_master="$(get_master_pod_name)"
 
 if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
-    $cli exec $conjur_master -c conjur-oss -- bash -c "CONJUR_ACCOUNT=$CONJUR_ACCOUNT rake authn_k8s:ca_init['conjur/authn-k8s/$AUTHENTICATOR_ID']"
+    $cli exec "$conjur_master" -c conjur-oss -- bash -c "CONJUR_ACCOUNT=$CONJUR_ACCOUNT rake authn_k8s:ca_init['conjur/authn-k8s/$AUTHENTICATOR_ID']"
 else
-    $cli exec $conjur_master -- chpst -u conjur conjur-plugin-service possum rake authn_k8s:ca_init["conjur/authn-k8s/$AUTHENTICATOR_ID"]
+    $cli exec "$conjur_master" -- chpst -u conjur conjur-plugin-service possum rake authn_k8s:ca_init["conjur/authn-k8s/$AUTHENTICATOR_ID"]
 fi
 
 echo "Certificate authority initialized."

bin/test-workflow/4_admin_cluster_prep.sh

@@ -3,7 +3,6 @@
 set -euo pipefail
 cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 )
 
-PLATFORM="${PLATFORM:-kubernetes}"
 TIMEOUT="${TIMEOUT:-5m0s}"
 
 source utils.sh
@@ -24,15 +23,15 @@ pushd ../../helm/conjur-config-cluster-prep > /dev/null
   if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
     ./bin/get-conjur-cert.sh -v -i -s -u "$CONJUR_APPLIANCE_URL"
 
-    helm upgrade --install cluster-prep . -n "$CONJUR_NAMESPACE_NAME" --debug --wait --timeout $TIMEOUT \
+    helm upgrade --install cluster-prep . -n "$CONJUR_NAMESPACE_NAME" --debug --wait --timeout "$TIMEOUT" \
         --set conjur.account="$CONJUR_ACCOUNT" \
         --set conjur.applianceUrl="$CONJUR_APPLIANCE_URL" \
         --set conjur.certificateFilePath="files/conjur-cert.pem" \
         --set authnK8s.authenticatorID="$AUTHENTICATOR_ID"
   else
     ./bin/get-conjur-cert.sh -v -i -s -u "$CONJUR_FOLLOWER_URL"
 
-    helm upgrade --install cluster-prep . -n "$CONJUR_NAMESPACE_NAME" --debug --wait --timeout $TIMEOUT \
+    helm upgrade --install cluster-prep . -n "$CONJUR_NAMESPACE_NAME" --debug --wait --timeout "$TIMEOUT" \
         --set conjur.account="$CONJUR_ACCOUNT" \
         --set conjur.applianceUrl="$CONJUR_FOLLOWER_URL" \
         --set conjur.certificateFilePath="files/conjur-cert.pem" \

bin/test-workflow/5_app_namespace_prep.sh

@@ -3,7 +3,6 @@
 set -euo pipefail
 cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 )
 
-PLATFORM="${PLATFORM:-kubernetes}"
 TIMEOUT="${TIMEOUT:-5m0s}"
 
 source utils.sh
@@ -17,7 +16,7 @@ set_namespace default
 announce "Installing namespace prep chart"
 pushd ../../helm/conjur-config-namespace-prep > /dev/null
     # Namespace $TEST_APP_NAMESPACE_NAME will be created if it does not exist
-    helm upgrade --install namespace-prep . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait --timeout $TIMEOUT \
+    helm upgrade --install namespace-prep . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait --timeout "$TIMEOUT" \
         --create-namespace \
         --set authnK8s.goldenConfigMap="conjur-configmap" \
         --set authnK8s.namespace="$CONJUR_NAMESPACE_NAME"

bin/test-workflow/6_app_build_and_push_containers.sh

@@ -12,7 +12,7 @@ CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}"
 source utils.sh
 
 if [[ "$PLATFORM" == "openshift" ]]; then
-    docker login -u _ -p $(oc whoami -t) $DOCKER_REGISTRY_PATH
+    docker login -u _ -p $(oc whoami -t) "$DOCKER_REGISTRY_PATH"
 fi
 
 announce "Building and pushing test app images."
@@ -28,10 +28,10 @@ pushd test_app_summon
     docker build -t test-app-builder -f Dockerfile.builder .
 
     # retrieve the summon binaries
-    id=$(docker create test-app-builder)
-    docker cp $id:/usr/local/lib/summon/summon-conjur ./tmp.summon-conjur
-    docker cp $id:/usr/local/bin/summon ./tmp.summon
-    docker rm --volumes $id
+    id="$(docker create test-app-builder)"
+    docker cp "$id":/usr/local/lib/summon/summon-conjur ./tmp.summon-conjur
+    docker cp "$id":/usr/local/bin/summon ./tmp.summon
+    docker rm --volumes "$id"
   fi
 
 
@@ -47,13 +47,13 @@ pushd test_app_summon
 
     echo "Building test app image"
     docker build \
-      --build-arg namespace=$TEST_APP_NAMESPACE_NAME \
-      --tag test-app:$CONJUR_NAMESPACE_NAME \
-      --file $dockerfile .
+      --build-arg namespace="$TEST_APP_NAMESPACE_NAME" \
+      --tag test-app:"$CONJUR_NAMESPACE_NAME" \
+      --file "$dockerfile" .
 
     test_app_image=$(platform_image_for_push "test-$app_type-app")
-    docker tag test-app:$CONJUR_NAMESPACE_NAME $test_app_image
+    docker tag "test-app:$CONJUR_NAMESPACE_NAME" "$test_app_image"
 
-    docker push $test_app_image
+    docker push "$test_app_image"
   done
 popd

bin/test-workflow/7_app_deploy_backend.sh

@@ -3,7 +3,6 @@
 set -euo pipefail
 cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 )
 
-PLATFORM="${PLATFORM:-kubernetes}"
 TIMEOUT="${TIMEOUT:-5m0s}"
 
 source utils.sh
@@ -13,24 +12,24 @@ check_env_var SAMPLE_APP_BACKEND_DB_PASSWORD
 
 announce "Deploying test app postgres backend for $TEST_APP_NAMESPACE_NAME."
 
-set_namespace $TEST_APP_NAMESPACE_NAME
+set_namespace "$TEST_APP_NAMESPACE_NAME"
 
 app_name="app-backend-pg"
 
 # Uninstall backend if it exists so any PVCs can be deleted
 if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^$app_name$")" = "$app_name" ]; then
-    helm uninstall $app_name -n "$TEST_APP_NAMESPACE_NAME"
+    helm uninstall "$app_name" -n "$TEST_APP_NAMESPACE_NAME"
 fi
 
 # Delete any created PVCs
-$cli delete --namespace $TEST_APP_NAMESPACE_NAME --ignore-not-found \
-  pvc -l app.kubernetes.io/instance=$app_name
+$cli delete --namespace "$TEST_APP_NAMESPACE_NAME" --ignore-not-found \
+  pvc -l app.kubernetes.io/instance="$app_name"
 
 echo "Create secrets for test app backend"
-$cli delete --namespace $TEST_APP_NAMESPACE_NAME --ignore-not-found \
+$cli delete --namespace "$TEST_APP_NAMESPACE_NAME" --ignore-not-found \
   secret test-app-backend-certs
 
-$cli --namespace $TEST_APP_NAMESPACE_NAME \
+$cli --namespace "$TEST_APP_NAMESPACE_NAME" \
   create secret generic \
   test-app-backend-certs \
   --from-file=server.crt=./etc/ca.pem \
@@ -39,7 +38,7 @@ $cli --namespace $TEST_APP_NAMESPACE_NAME \
 helm repo add bitnami https://charts.bitnami.com/bitnami
 helm repo update
 
-helm install $app_name bitnami/postgresql -n $TEST_APP_NAMESPACE_NAME --debug --wait --timeout $TIMEOUT \
+helm install "$app_name" bitnami/postgresql -n "$TEST_APP_NAMESPACE_NAME" --debug --wait --timeout "$TIMEOUT" \
     --set image.repository="postgres" \
     --set image.tag="9.6" \
     --set postgresqlDataDir="/data/pgdata" \
@@ -53,5 +52,5 @@ helm install $app_name bitnami/postgresql -n $TEST_APP_NAMESPACE_NAME --debug --
     --set securityContext.fsGroup="999" \
     --set postgresqlDatabase="test_app" \
     --set postgresqlUsername="test_app" \
-    --set postgresqlPassword=$SAMPLE_APP_BACKEND_DB_PASSWORD
+    --set postgresqlPassword="$SAMPLE_APP_BACKEND_DB_PASSWORD"
 

bin/test-workflow/8_app_deploy.sh

@@ -3,7 +3,6 @@
 set -euo pipefail
 cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 )
 
-PLATFORM="${PLATFORM:-kubernetes}"
 TIMEOUT="${TIMEOUT:-5m0s}"
 
 source utils.sh
@@ -13,15 +12,15 @@ check_env_var CONJUR_AUTHN_LOGIN_PREFIX
 
 announce "Deploying summon-sidecar test app in $TEST_APP_NAMESPACE_NAME."
 
-set_namespace $TEST_APP_NAMESPACE_NAME
+set_namespace "$TEST_APP_NAMESPACE_NAME"
 
 # Uninstall sample app if it exists
 if [ "$(helm list -q -n $TEST_APP_NAMESPACE_NAME | grep "^app-summon-sidecar$")" = "app-summon-sidecar" ]; then
     helm uninstall app-summon-sidecar -n "$TEST_APP_NAMESPACE_NAME"
 fi
 
 pushd ../../helm/conjur-app-deploy > /dev/null
-  helm install app-summon-sidecar . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait --timeout $TIMEOUT \
+  helm install app-summon-sidecar . -n "$TEST_APP_NAMESPACE_NAME" --debug --wait --timeout "$TIMEOUT" \
       --set global.conjur.conjurConnConfigMap="conjur-connect" \
       --set app-summon-sidecar.enabled=true \
       --set app-summon-sidecar.conjur.authnLogin="$CONJUR_AUTHN_LOGIN_PREFIX/test-app-summon-sidecar" \

bin/test-workflow/9_app_verify_authentication.sh

@@ -53,7 +53,7 @@ set_namespace "$TEST_APP_NAMESPACE_NAME"
 
 deploy_test_curl() {
   $cli delete --ignore-not-found pod/test-curl
-  $cli create -f ./$PLATFORM/test-curl.yml
+  $cli create -f ./"$PLATFORM"/test-curl.yml
 }
 
 check_test_curl() {