conjurdemos · diverdane · Oct 22, 2020 · Sep 29, 2020
diff --git a/0_check_dependencies.sh → 0_prep_check_dependencies.sh b/0_check_dependencies.sh → 0_prep_check_dependencies.sh
diff --git a/1_prep_platform_login.sh b/1_prep_platform_login.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+if [[ $PLATFORM == openshift ]]; then
+  oc login -u $OSHIFT_CLUSTER_ADMIN_USERNAME
+fi
+
diff --git a/2_admin_load_conjur_policies.sh b/2_admin_load_conjur_policies.sh
@@ -0,0 +1,138 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+announce "Generating Conjur policy."
+
+prepare_conjur_cli_image() {
+  announce "Pulling and pushing Conjur CLI image."
+
+  docker pull cyberark/conjur-cli:$CONJUR_VERSION-latest
+
+  cli_app_image=$(platform_image conjur-cli)
+  docker tag cyberark/conjur-cli:$CONJUR_VERSION-latest $cli_app_image
+
+  if ! is_minienv; then
+    docker push $cli_app_image
+  fi
+}
+
+deploy_conjur_cli() {
+  announce "Deploying Conjur CLI pod."
+
+  if is_minienv; then
+    IMAGE_PULL_POLICY='Never'
+  else
+    IMAGE_PULL_POLICY='Always'
+  fi
+  if [ "$CONJUR_OSS_HELM_INSTALLED" = "true" ]; then
+    service_account='conjur-oss'
+  else
+    service_account='conjur-cluster'
+  fi
+
+  cli_app_image=$(platform_image conjur-cli)
+  sed -e "s#{{ CONJUR_SERVICE_ACCOUNT }}#$service_account#g" ./$PLATFORM/conjur-cli.yml |
+    sed -e "s#{{ DOCKER_IMAGE }}#$cli_app_image#g" |
+    sed -e "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" |
+    $cli create -f -
+
+  conjur_cli_pod=$(get_conjur_cli_pod_name)
+  wait_for_it 300 "$cli get pod $conjur_cli_pod -o jsonpath='{.status.phase}'| grep -q Running"
+}
+
+ensure_conjur_cli_initialized() {
+  announce "Ensure that Conjur CLI pod has a connection with Conjur initialized."
+
+  if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
+    conjur_service='conjur-oss'
+  else
+    conjur_service='conjur-master'
+  fi
+  conjur_url=${CONJUR_APPLIANCE_URL:-https://$conjur_service.$CONJUR_NAMESPACE_NAME.svc.cluster.local}
+
+  $cli exec $1 -- bash -c "yes yes | conjur init -a $CONJUR_ACCOUNT -u $conjur_url"
+  $cli exec $1 -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD
+}
+
+pushd policy
+  mkdir -p ./generated
+
+  # NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
+
+  if [[ "$PLATFORM" == "openshift" ]]; then
+    is_openshift=true
+    is_kubernetes=false
+  else
+    is_openshift=false
+    is_kubernetes=true
+  fi
+
+  sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml > ./generated/$TEST_APP_NAMESPACE_NAME.cluster-authn-svc.yml
+
+  sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml |
+    sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" |
+    sed "s#{{ IS_KUBERNETES }}#$is_kubernetes#g" |
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml
+
+  sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/app-identity-def.template.yml |
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.app-identity.yml
+
+  sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/authn-any-policy-branch.template.yml |
+    sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" |
+    sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/$TEST_APP_NAMESPACE_NAME.authn-any-policy-branch.yml
+popd
+
+# Create the random database password
+password=$(openssl rand -hex 12)
+
+set_namespace "$CONJUR_NAMESPACE_NAME"
+
+
+announce "Finding or creating a Conjur CLI pod"
+conjur_cli_pod=$(get_conjur_cli_pod_name)
+if [ -z "$conjur_cli_pod" ]; then
+  prepare_conjur_cli_image
+  deploy_conjur_cli
+  conjur_cli_pod=$(get_conjur_cli_pod_name)
+fi
+ensure_conjur_cli_initialized $conjur_cli_pod
+
+announce "Loading Conjur policy."
+
+$cli exec $conjur_cli_pod -- rm -rf /policy
+$cli cp ./policy $conjur_cli_pod:/policy
+
+$cli exec $conjur_cli_pod -- \
+  bash -c "
+  conjur_appliance_url=${CONJUR_APPLIANCE_URL:-https://conjur-oss.$CONJUR_NAMESPACE_NAME.svc.cluster.local}
+    CONJUR_ACCOUNT=${CONJUR_ACCOUNT} \
+    CONJUR_ADMIN_PASSWORD=${CONJUR_ADMIN_PASSWORD} \
+    DB_PASSWORD=${password} \
+    TEST_APP_NAMESPACE_NAME=${TEST_APP_NAMESPACE_NAME} \
+    TEST_APP_DATABASE=${TEST_APP_DATABASE} \
+    /policy/load_policies.sh
+  "
+
+$cli exec $conjur_cli_pod -- rm -rf ./policy
+
+echo "Conjur policy loaded."
+
+set_namespace "$TEST_APP_NAMESPACE_NAME"
+
+# Set DB password in Kubernetes manifests
+# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
+pushd kubernetes
+  sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml
+  sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml
+popd
+
+# Set DB password in OC manifests
+# NOTE: generated files are prefixed with the test app namespace to allow for parallel CI
+pushd openshift
+  sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./postgres.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.postgres.yml
+  sed "s#{{ TEST_APP_DB_PASSWORD }}#$password#g" ./mysql.template.yml > ./tmp.${TEST_APP_NAMESPACE_NAME}.mysql.yml
+popd
+
+announce "Added DB password value: $password"
diff --git a/2_load_conjur_policies.sh b/2_load_conjur_policies.sh
diff --git a/3_admin_init_conjur_cert_authority.sh b/3_admin_init_conjur_cert_authority.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+announce "Initializing Conjur certificate authority."
+
+set_namespace $CONJUR_NAMESPACE_NAME
+
+conjur_master=$(get_master_pod_name)
+
+if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
+    $cli exec $conjur_master -c conjur-oss -- bash -c "CONJUR_ACCOUNT=$CONJUR_ACCOUNT rake authn_k8s:ca_init['conjur/authn-k8s/$AUTHENTICATOR_ID']"
+else
+    $cli exec $conjur_master -- chpst -u conjur conjur-plugin-service possum rake authn_k8s:ca_init["conjur/authn-k8s/$AUTHENTICATOR_ID"]
+fi
+
+echo "Certificate authority initialized."
diff --git a/3_init_conjur_cert_authority.sh b/3_init_conjur_cert_authority.sh
diff --git a/1_create_test_app_namespace.sh → 4_app_create_namespace.sh b/1_create_test_app_namespace.sh → 4_app_create_namespace.sh
@@ -5,10 +5,6 @@ set -euo pipefail
 
 announce "Creating Test App namespace."
 
-if [[ $PLATFORM == openshift ]]; then
-  oc login -u $OSHIFT_CLUSTER_ADMIN_USERNAME
-fi
-
 set_namespace default
 
 if has_namespace "$TEST_APP_NAMESPACE_NAME"; then
@@ -26,11 +22,16 @@ else
   set_namespace $TEST_APP_NAMESPACE_NAME
 fi
 
-$cli delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME
+# A Conjur OSS cluster that was deployed via cyberark/conjur-oss-helm-chart
+# includes a ClusterRoleBinding (that has cluster-wide scope), so there is no
+# need to create a RoleBinding for this namespace.
+if [[ $CONJUR_OSS_HELM_INSTALLED != true ]]; then
+  $cli delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME
 
-sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./$PLATFORM/test-app-conjur-authenticator-role-binding.yml |
-  sed "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" |
-  $cli create -f -
+  sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./$PLATFORM/test-app-conjur-authenticator-role-binding.yml |
+    sed "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" |
+    $cli create -f -
+fi
 
 if [[ $PLATFORM == openshift ]]; then
   # add permissions for Conjur admin user

diff --git a/4_store_conjur_cert.sh b/4_store_conjur_cert.sh
diff --git a/5_app_store_conjur_cert.sh b/5_app_store_conjur_cert.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+. utils.sh
+
+announce "Storing Conjur cert for test app configuration."
+
+set_namespace $CONJUR_NAMESPACE_NAME
+
+echo "Retrieving Conjur certificate."
+
+if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
+  master_pod_name=$(get_master_pod_name)
+  ssl_cert=$($cli exec -c "conjur-oss-nginx" $master_pod_name -- cat /opt/conjur/etc/ssl/cert/tls.crt)
+else
+  if $cli get pods --selector role=follower --no-headers; then
+    follower_pod_name=$($cli get pods --selector role=follower --no-headers | awk '{ print $1 }' | head -1)
+    ssl_cert=$($cli exec $follower_pod_name -- cat /opt/conjur/etc/ssl/conjur.pem)
+  else
+    echo "Regular follower not found. Trying to assume a decomposed follower..."
+    follower_pod_name=$($cli get pods --selector role=decomposed-follower --no-headers | awk '{ print $1 }' | head -1)
+    ssl_cert=$($cli exec -c "nginx" $follower_pod_name -- cat /opt/conjur/etc/ssl/cert/tls.crt)
+  fi
+fi
+
+set_namespace $TEST_APP_NAMESPACE_NAME
+
+echo "Storing non-secret conjur cert as test app configuration data"
+
+$cli delete --ignore-not-found=true configmap $TEST_APP_NAMESPACE_NAME
+
+# Store the Conjur cert in a ConfigMap.
+$cli create configmap $TEST_APP_NAMESPACE_NAME --from-file=ssl-certificate=<(echo "$ssl_cert")
+
+echo "Conjur cert stored."
diff --git a/5_build_and_push_containers.sh → 6_app_build_and_push_containers.sh b/5_build_and_push_containers.sh → 6_app_build_and_push_containers.sh