E2E Workflow scripts test against Enterprise follower in K8s #349
Conversation
john-odonnell
force-pushed
the
e2e-follower-in-k8s
branch
2 times, most recently
from
485cbbd to
d56db09
Compare
john-odonnell
force-pushed
the
e2e-follower-in-k8s
branch
5 times, most recently
from
a6a7127 to
b4da873
Compare
Jenkinsfile
Outdated
| @@ -47,6 +47,12 @@ pipeline { | |||
| } | |||
| } | |||
|
|
|||
| stage('E2E Workflow Tests') { | |||
There was a problem hiding this comment.
I think this should be moved to run after the "Scan images" test stage. The general idea is to scan them before using them.
Also, can we add a "GKE" to the name of the stage (or add a sub-stage with "GKE" init, since we'll eventually have an OpenShift test) to distinguish these from the GitHub actions / KinD E2E tests?
There was a problem hiding this comment.
Moved, and included a sub-stage.
| export TEST_PLATFORM | ||
|
|
||
| if [[ "${TEST_PLATFORM}" == "oc" ]]; then | ||
| PLATFORM="openshift" |
There was a problem hiding this comment.
Trying to figure out why we need PLATFORM in addtion to TEST_PLATFORM. Do you happen to know why both are needed?
There was a problem hiding this comment.
After a little investigation, the only practical use of the long-form PLATFORM was when referencing directories of manifests (i.e. bin/test-workflow/kubernetes and bin/test-workflow/openshift which I assume is soon to come). Both were being used to run commands conditionally for Openshift.
I changed the long-form PLATFORM to MANIFEST_DIR, and TEST_PLATFORM to PLATFORM.
PLATFORM is used in conditionals.
MANIFEST_DIR is only used where the long-form "kubernetes" or "openshift" is needed.
EDIT
Going to have to roll this back. Kubernetes Conjur Deploy requires the PLATFORM envvar to differentiate between kubernetes and openshift. In the context of these tests, PLATFORM will be used to differentiate general platforms (k8s v. oc) and TEST_PLATFORM (rename to CLUSTER_TYPE, for specificity?) will be used to differentiate between sub-platforms (kind v. gke).
There was a problem hiding this comment.
AH, thanks for the explanation. I was thinking that the distinction between these 2 would be something like this.
Either way, maybe we can add a comment just above this line, since I suspect other readers may wonder what the difference is here.
| @@ -37,6 +37,7 @@ $cli --namespace $TEST_APP_NAMESPACE_NAME \ | |||
| --from-file=server.key=./etc/ca-key.pem | |||
|
|
|||
| helm repo add bitnami https://charts.bitnami.com/bitnami | |||
| helm repo update | |||
|
@diverdane Thanks for the review(s)! Just wondering - a lot of comments for wrapping envvar references in quotes. What does this achieve that the bare envvar reference doesn't? |
@john-odonnell , In Bash, it's generally good practice to wrap any variables and command substitutions (e.g. The idea is that you want to make sure the shell interprets the variable value as a single entity regardless of whether it contains spaces, etc. If the variable is part of a larger string that's already quoted, then the quotes directly around the variable aren't needed. I think CodeClimate would flag these, if we had it running for this repository. I think you can run CodeClimate locally from a Docker container. |
john-odonnell
force-pushed
the
e2e-follower-in-k8s
branch
2 times, most recently
from
3283e88 to
4641b55
Compare
There was a problem hiding this comment.
Looks FANTASTIC! Thanks for taking care of the missing quotes in existing code, that will make it easier when we turn on CodeClimate for this repo!
I'm ready to approve as soon as the kubectl install is working (and we at least upgrade the default version of kubectl).
| export CONJUR_OSS_HELM_INSTALLED="${CONJUR_OSS_HELM_INSTALLED:-true}" | ||
|
|
||
| if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then | ||
| CLUSTER_TYPE="${CLUSTER_TYPE:-kind}" |
There was a problem hiding this comment.
Thanks for making this name change, it's MUCH clearer!
bin/test-workflow/Dockerfile
Outdated
|
|
||
| # Install kubectl CLI | ||
| ARG KUBECTL_CLI_URL | ||
| RUN wget -O /usr/local/bin/kubectl ${KUBECTL_CLI_URL:-https://storage.googleapis.com/kubernetes-release/release/v1.7.6/bin/linux/amd64/kubectl} && \ |
There was a problem hiding this comment.
We should at least update the default kubectl version to 1.20.9 or 1.21.3.
And maybe use the command from the latest kubectl install documentation (even if the new command gets redirected to storage.googleapis.com. That would look like this:
curl -LO "${KUBECTL_CLI_URL:-https://dl.k8s.io/release/v1.21.3/bin/linux/amd64/kubectl}" && \
chmod +x kubectl && \
mv kubectl /usr/local/bin/kubectl
Or, maybe even better, if we simplify things and just look for a Kubernetes version:
curl -LO https://dl.k8s.io/release/v"${KUBECTL_VERSION:-1.21.3}"/bin/linux/amd64/kubectl && \
chmod +x kubectl && \
mv kubectl /usr/local/bin/kubectl
There was a problem hiding this comment.
Updated to the second version, and updated secrets.yml to account for this.
john-odonnell
force-pushed
the
e2e-follower-in-k8s
branch
4 times, most recently
from
859dbc6 to
73a057c
Compare
Conjur Leader and Follower in K8s cluster.
Maintains style with TEST_APP_NAMESPACE_NAME, and agrees with kubernetes-conjur-deploy required env var
john-odonnell
force-pushed
the
e2e-follower-in-k8s
branch
from
73a057c to
d2d53e8
Compare
diverdane
dismissed
imheresamir’s stale review
@john-odonnell will address concerns in next PR. @samir is okay with this.
* Maintain shell on failure * Test E2E workflow against Conjur Enterprise in KinD Conjur Leader and Follower in K8s cluster. * Enterprise E2E workflow updated for GKE * E2E workflow: CONJUR_NAMESPACE to CONJUR_NAMESPACE_NAME Maintains style with TEST_APP_NAMESPACE_NAME, and agrees with kubernetes-conjur-deploy required env var * Add Jenkinsfile stage for Enterprise/GKE E2E workflow * Update CI GHA workflow * E2E Workflow README updates * PR Review updates
What does this PR do?
End-to-end workflow scripts can now test Conjur Kubernetes authentication against Conjur Enterprise
with follower in K8s. Uses
cyberark/kubernetes-conjur-deployto setup a Conjur leader, standbys and follower in a GKE cluster.
Open Source / Enterprise workflow can be toggled from
startscript with--open-sourceor--enterpriseflagsWhat ticket does this PR close?
Resolves #243
Checklists
Change log
Test coverage
Documentation
READMEs) were updated in this PR, and/or there is a follow-on issue to update docs, orManual tests
If you are preparing for a release, have you run the following manual tests to verify existing functionality continues to function as expected?