Test authn-k8s on Conjur-OSS deployed via Helm chart on OpenShift

[doodlesbykumbi]

What does this PR do ?

1. Adds a logical branch for deploying Conjur OSS via Helm on OpenShift, instead of using kubernetes-conjur-deploy.
   TODO: it's probably better to move this functionality to kubernetes-conjur-deploy.
   TODO: there really needs to be a better way of passing along conjur config to kubernetes-conjur-demo (fortunately we're working on this). At present kubernetes-conjur-demo seems too tightly coupled with kubernetes-conjur-deploy and knows too much about it, this makes it more difficult to make updates to either.
2. Adds flows to Jenkinsfile for test authn-k8s on Conjur-OSS deployed via Helm chart on OpenShift (using both host-ID-based and annotation-based identity.)

Resolves #110

[rpothier]

Should this test be grouped with the other Annotation-based below?

[diverdane]

Same for the Host-ID-based Authn stage above this one?
Or, if these Conjur OSS tests can't be merged below, the comment on line 16 should be changed or moved.

[izgeri]

@doodlesbykumbi I've been talking with @BradleyBoutcher about adding quick start flows (draft content here) to conjurdemos/dap-intro - this way we'd have a single repo to clone to get a basic Conjur OSS or Enterprise up and running on Jenkins. Maybe what you're highlighting here is also an argument for adding a similar super simple flow for Conjur OSS on Kubernetes to dap-intro that we can also use on tests?

The end goal of centralizing all of this content is that we can start to provide super simple patterns for running different Conjur editions in test automation, so that new projects have an easy way to get started writing integration tests.

ETA: not for this PR, obviously - just wanted to raise this as a future-thinking option.

[diverdane]

Looks good so far!!! I have a little bit more to review.

[diverdane]

Same for the Host-ID-based Authn stage above this one?
Or, if these Conjur OSS tests can't be merged below, the comment on line 16 should be changed or moved.

[diverdane]

Should probably use a "$cli" here instead of kubectl to switch between oc and kubectl.

We can also consider adding a comment timeout since we're deleting a namespace. Namespace deletion can involve deleting many objectss, including some objects like LoadBalancers that use finalizers, and sometimes there are bugs whereby finalizers aren't getting cleared. Granted, this only came into play for OC 4.3 so far, but maybe good to add a timeout?

I don't know if it makes sense to go this deeply, but in the stop script, we're also describing residual objects in the namespace:

  "$cli" delete --timeout="$KUBE_CLI_DELETE_TIMEOUT" \
      namespace "$TEST_APP_NAMESPACE_NAME" || \
      (echo "ERROR: Delete of namespace $TEST_APP_NAMESPACE_NAME failed" && \
      echo "Showing residual resources in namespace:" && \
      "$cli" describe all -n "$TEST_APP_NAMESPACE_NAME")

Might be enough just to display an error, without the residual objects?

[doodlesbykumbi]

I think both are good ideas. The residual objects will be great for debugging.

[doodlesbykumbi]

I thought about the $cli and realised there's no loss in generality by using only kubectl, especially since all the changes in this PR are for testing only but also because

1. kubectl is available in the test container
2. Both OpenShift and Kubernetes respect the Kubernetes API

[diverdane]

Yes, I think this makes sense, and would keep things more KISS.

[diverdane]

Looks good, just a few minor questions/suggestions.

[diverdane]

Peripheral comment: It will be nice to have the Helm chart automatically generate a dataKey (cyberark/conjur-oss-helm-chart#136)

[doodlesbykumbi]

It would! I also realised that we tend to generate certain things (like the datakey) that can be static for the sake of testing.

[diverdane]

kubectl here should be oc? Same for other instances of kubectl below.

[diverdane]

LGTM! It's so great to get this in!

[rpothier]

LGTM