Demo supports Conjur OSS and annotation-based authn-k8s

[diverdane]

This change includes:

• Adds support for running demo scripts directly on a Conjur OSS cluster that has been
  deployed via Conjur OSS Helm chart.
• Adds support for creating a Conjur CLI pod for scripts to use if it doesn't exist (needed
  e.g. for running with Conjur OSS).
• Selectable operation for annotation-based authn-k8s vs. host-ID-based authn-k8s.
• Reorders and reorganizes scripts to separate the steps normally done by a security admin
  vs. steps that are done to deploy the application.
• Significant re-write of the README.md to differentiate security admin steps vs. app deploy
  steps to reconcile this documentation with our other community repos.
• CI for testing annotation-based authn-k8s on GKE.

Addresses Issue #106, Issue #92, and Issue #108

[izgeri]

We can't include this here - the DEPLOY_MASTER_CLUSTER flow is for dev only. Looking at your README updates I think there is a bit more reorganization we could do to make this extra-clear for this project - would you want to get on a call to chat about this today? Alternatively I could try to write up something based off of your branch to show what I am thinking.

[diverdane]

I'm all ears. Whichever way you think is most efficient.

[diverdane]

@izgeri - Thank you for the proposed changes! I incorporated your changes, but left out the command sequences for initializing the Conjur CA and loading policy since those commands are in the scripts (as optional parts of the script).

I took a stab at going a step further to reconcile this with our other repos and guides. I think we're getting closer to parity, but could maybe use a few more rounds of polishing.

I reordered, reorganized, and renamed the scripts to reconcile this workflow with our other repos. In the script names, I included either prep or admin or app to distinguish whether what's done in each script is usually preparation vs. tasks done by a security admin vs. tasks done to deploy the actual app without admin access. The scripts are now:

0_prep_check_dependencies.sh
1_prep_platform_login.sh
2_admin_load_conjur_policies.sh
3_admin_init_conjur_cert_authority.sh
4_app_create_namespace.sh
5_app_store_conjur_cert.sh
6_app_build_and_push_containers.sh
7_app_deploy.sh
8_app_verify_authentication.sh

In the README, I tried to explain the distinctions between the security admin and app deploy steps.

The CI is passing again, this is ready for re-review.

[izgeri]

Thanks @diverdane! I'm looking forward to reading this, but as I'm just seeing it now I won't get to it until Tuesday due to the long weekend. I really appreciate your thoughtful approach to the organization of the scripts in this project!

[doodlesbykumbi]

This is such a great and welcome body of work! The changes to the README are a massive improvement. I left only a couple comments but I think this looks great!

[doodlesbykumbi]

Nice!

[doodlesbykumbi]

I think we should really get rid of all the sed stuff, and confirm the manifests to x.yml.sh. I think that pattern is a lot easier to maintain and work with.

[diverdane]

That's a great idea! Or, we could use Helm charts for all of the Kubernetes YAML files, and Yaml.sh for the Conjur policy templating?

That said, I think this might be best handled as tech debt outside of the scope of our auth-k8s UX work.
I filed this issue for this cleanup: #113

[diverdane]

@kumbi, thanks for the review!

• I made the change that you suggested for using CONJUR_OSS_HELM_DEPLOYED directly.
• I also made an additional small change:
  • I moved the configure_conjur_cli function so that it's always run
  • I changed the name of this function to ensure_conjur_cli_initialized
    I did this to make things more robust. There were times when I had
    environment variables messed up, and the Conjur CLI pod got created
    but initialization failed at first. Fixing the env variable and re-running
    the script didn't work with the prior code, because the initialization was
    getting called conditionally: only when the Conjur CLI pod was created.
    Now it's always run, and it's okay if this gets called when the pod is already
    initialized.
• I filed and issue for replacing sed with either Yaml.sh or Helm charts
  (wherever that's possible):
  Replace use of sed for yaml templating with Yaml.sh or helm charts #113

[doodlesbykumbi]

This looks great! For some reason the build is currently failing, once that's resolve I hink we should be good to proceed. Before merging I also wanted to make sure that there aren't an other repos using this project that might break e.g. DEPLOY_MASTER_CLUSTER is no longer being used.

[doodlesbykumbi]

I think we can get rid of this now

[diverdane]

We still need to include this export because the scripts also clone and run the cyberark/kubernetes-conjur-deploy scripts, and those depend upon the DEPLOY_MASTER_CLUSTER environment variable.

To prevent possible breakage in the scenario where another repo is cloning & running this kubernetes-conjur-demo script repo, what I can do is this:

• In set_env_vars.sh, default the DEPLOY_MASTER_CLUSTER to false
• In set_env_vars.sh, default the CONFIGURE_CONJUR_MASTER to $DEPLOY_MASTER_CLUSTER

So the precedence for the value of CONFIGURE_CONJUR_MASTER would be:

1. CONFIGURE_CONJUR_MASTER env var, if that's set explicitly, otherwise...
2. DEPLOY_MASTER_CLUSTER env var, if that's set explicitly, otherwise...
3. false

That means for any existing workflow that depends upon DEPLOY_MASTER_CLUSTER and is unaware of the newer lingo CONFIGURE_CONJUR_MASTER, item 2 will cover them.

[doodlesbykumbi]

@diverdane Thank you I think this should work perfectly fine. I wonder if it's a good idea to invest (in the future) in finding all the things we care about that depend on this and overhauling them to the new.

[diverdane]

For some reason the build is currently failing...

For the life of me, I can't figure out why this failed. Just before the point of failure, the conjur-master-ext service is created:

[2020-10-20T19:49:01.750Z] ++++++++++++++++++++++++++++++++++++++
[2020-10-20T19:49:01.750Z] 
[2020-10-20T19:49:01.750Z] Creating load balancer for master and standbys.
[2020-10-20T19:49:01.750Z] 
[2020-10-20T19:49:01.750Z] ++++++++++++++++++++++++++++++++++++++
[2020-10-20T19:49:02.696Z] service/conjur-master-ext created

But then moments later, there's an error revolving around this service not existing:

[2020-10-20T19:49:03.723Z] ++++++++++++++++++++++++++++++++++++++
[2020-10-20T19:49:03.723Z] 
[2020-10-20T19:49:03.723Z] Configuring master pod.
[2020-10-20T19:49:03.723Z] 
[2020-10-20T19:49:03.723Z] ++++++++++++++++++++++++++++++++++++++
[2020-10-20T19:49:03.981Z] pod/conjur-cluster-569f787bdb-86kxd labeled
[2020-10-20T19:49:04.241Z] error: you need to provide a route port via --port when exposing a non-existent service

I looked to see that all of the parallel OpenShift CI tests that are happening are using their own projects (namespaces), and they definitely are, so it's not being caused by deletion of a project/namespace by another parallel test.

I'm going to re-run the tests.

[diverdane]

@kumbi, I made a stab at making sure that these scripts are backwards-compatible with other repos that use these scripts and make use of the DEPLOY_MASTER_CLUSTER env variable. Details are in my comments above. Please take a look and let me know if there's a better way.

[doodlesbykumbi]

LGTM. Once again, really great work! This is just such a comprehensively great update.

[doodlesbykumbi]

@diverdane Thank you I think this should work perfectly fine. I wonder if it's a good idea to invest (in the future) in finding all the things we care about that depend on this and overhauling them to the new.