There are reusable scripts for development environments and automated testing #239

@izgeri


Summary

Create scripts for development environment and CI testing:

  • To generate and load authn-k8s-specific Conjur policy
  • To generate and load application-specific Conjur policy
  • To do Helm install for cluster prep and app Namespace prep
  • Use the Helm chart from #238 ("There is a helm chart for deploying a sample app with a Conjur sidecar") to deploy example application(s) with a selectable list of authenticator types
  • To verify secrets access for example application

Example Use Cases

The scripts described here can be used for:

  • Automated CI for testing Kubernetes authentication for various Conjur OSS/Enterprise configurations
  • A quick-start guide for Kubernetes authentication
  • Katacoda tutorials for Kubernetes authentication

Out of Scope

For purposes of splitting out tasks into more manageable chunks, a couple of other issues have been created to implement some aspects of this feature separately:

Implementation details

This issue involves basically making a copy or fork of the conjurdemos/kubernetes-conjur-demo scripts and modifying these scripts to use invocations of helm install ... with the following Helm charts, rather than using bash/sed/kubectl to do deployments:

The scripts for this workflow can be developed as follows:

  • Start with a clone/fork of the conjurdemos/kubernetes-conjur-demo script repository

  • The set_env_vars.sh script can probably be deleted. Most chart values for the
    above Helm charts will likely be required settings. (Remove its invocation from start).

  • Modify the 0_prep_check_dependencies.sh file to require the existence of environment variable
    settings that correspond to every required chart value for all 3 Helm charts. For example,
    for the cluster prep Helm chart, add a check for an environment variable CONJUR_ACCOUNT
    corresponding to the conjur.account chart value. NOTE: These environment variable settings will
    be used on the helm install ... command line to set the corresponding chart value. For
    example, for conjur.account, the following command line setting will be included for
    helm install ...:

              --set conjur.account="$CONJUR_ACCOUNT"
    

    Passing in settings to these scripts as environment variables is more convenient
    than creating a custom values.yaml file (and we can use Summon in CI).

    Note that the checks for required environment variable settings are being added here,
    even though the charts will check for required values settings themselves, so that we fail
    quickly. For example, if we're missing an environment variable setting for the application
    deployment, we won't have to wait to run helm install of the other Helm charts before
    discovering the missing setting.

  • Modify the 4_app_create_namespace.sh to:

    • Eliminate the creation of the RoleBinding
    • Add invocation of helm install ... for cluster prep helm chart (could be a separate bash script)
    • Add invocation of helm install ... for Namespace prep helm chart (could be a separate bash script)
  • Delete the 5_app_store_conjur_cert.sh script and remove its invocation from start

  • Modify the 7_app_deploy.sh to use the new sample application deploy Helm chart

DoD

  • The conjur-authn-k8s-client project includes utility scripts for policy loading to be used in the e2e tests and in the "quick start" demo

Note: in both cases (automated tests & demo), we are deploying Conjur so that we have access to the Conjur OSS server / Conjur Enterprise leader to load policy.
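
The fail-fast check and the environment-variable-to-`--set` mapping described above for 0_prep_check_dependencies.sh, shown as an added example (not code from the conjur-authn-k8s-client or kubernetes-conjur-demo repositories). Only CONJUR_ACCOUNT and conjur.account come from the issue; the EXAMPLE_AUTHN_ID pair, the function names and the HELM override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Environment variable -> chart value pairs. Only CONJUR_ACCOUNT/conjur.account
# comes from the issue; the EXAMPLE_* pair is a hypothetical placeholder.
REQUIRED_SETTINGS='CONJUR_ACCOUNT=conjur.account
EXAMPLE_AUTHN_ID=example.authenticatorID'

# Print the value of the variable named $1. The name is validated first so
# the eval can only ever perform a plain parameter expansion.
env_value() {
  case $1 in
    ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 2 ;;
  esac
  eval "printf '%s' \"\${$1-}\""
}

# Print the names (never the values, which may be sensitive in CI logs) of
# required variables that are unset or empty. Returns 1 if any are missing.
missing_settings() {
  missing=''
  for pair in $REQUIRED_SETTINGS; do
    name=${pair%%=*}
    [ -n "$(env_value "$name")" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    printf '%s\n' "${missing# }"
    return 1
  fi
}

# Run `helm install RELEASE CHART` with one --set per required setting.
# Arguments are built with `set --` so each value stays a single argv entry
# (no re-splitting, no eval of values). Commas are escaped because helm's
# --set treats an unescaped comma as a separator between assignments.
install_chart() {
  release=$1 chart=$2
  missing=$(missing_settings) || {
    echo "missing required settings: $missing" >&2
    return 1
  }
  set -- install "$release" "$chart"
  for pair in $REQUIRED_SETTINGS; do
    value=$(env_value "${pair%%=*}" | sed 's/,/\\,/g')
    set -- "$@" --set "${pair#*=}=$value"
  done
  # HELM can be pointed at a stub for dry runs in CI (assumption).
  "${HELM:-helm}" "$@"
}
```

Because the check runs before the first `helm install`, a setting needed only by the last chart is still reported before any chart is deployed.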
