TEST of Conjur authn-k8s based on DeploymentConfigs on OpenShift

This is just a test commit to test the functionality of Conjur authn-k8s authentication using DeploymentConfigs on an OpenShift platform.
conjurdemos · Oct 14, 2020 · 3d3caea · 3d3caea
1 parent adf9017
commit 3d3caea
Show file tree

Hide file tree

Showing 5 changed files with 92 additions and 80 deletions.
diff --git a/8_app_verify_authentication.sh b/8_app_verify_authentication.sh
@@ -24,6 +24,7 @@ function finish {
   if [[ "$DETAILED_DUMP_ON_EXIT" == "true" ]]; then
     dump_kubernetes_resources
     dump_authentication_policy
+    dump_conjur_logs
   fi
 
   set +u

diff --git a/Jenkinsfile b/Jenkinsfile
@@ -14,54 +14,54 @@ pipeline {
 
   stages {
     // Postgres Tests with Host-ID-based Authn
-    stage('Deploy Demos Postgres with Host-ID-based Authn') {
-      parallel {
-        stage('GKE, v5 Conjur, Postgres, Host-ID-based Authn') {
-          steps {
-            sh 'cd ci && summon --environment gke ./test gke postgres host-id-based'
-          }
-        }
-
-        stage('OpenShift v3.9, v5 Conjur, Postgres, Host-ID-based Authn') {
-          steps {
-            sh 'cd ci && summon --environment oc ./test oc postgres host-id-based'
-          }
-        }
-
-        stage('OpenShift v3.10, v5 Conjur, Postgres, Host-ID-based Authn') {
-          steps {
-            sh 'cd ci && summon --environment oc310 ./test oc postgres host-id-based'
-          }
-        }
-
-        stage('OpenShift v3.11, v5 Conjur, Postgres, Host-ID-based Authn') {
-          steps {
-            sh 'cd ci && summon --environment oc311 ./test oc postgres host-id-based'
-          }
-        }
-      }
-    }
+    //stage('Deploy Demos Postgres with Host-ID-based Authn') {
+    //  parallel {
+    //    stage('GKE, v5 Conjur, Postgres, Host-ID-based Authn') {
+    //      steps {
+    //        sh 'cd ci && summon --environment gke ./test gke postgres host-id-based'
+    //      }
+    //    }
+
+    //    stage('OpenShift v3.9, v5 Conjur, Postgres, Host-ID-based Authn') {
+    //      steps {
+    //        sh 'cd ci && summon --environment oc ./test oc postgres host-id-based'
+    //      }
+    //    }
+
+    //    stage('OpenShift v3.10, v5 Conjur, Postgres, Host-ID-based Authn') {
+    //      steps {
+    //        sh 'cd ci && summon --environment oc310 ./test oc postgres host-id-based'
+    //      }
+    //    }
+
+    //    stage('OpenShift v3.11, v5 Conjur, Postgres, Host-ID-based Authn') {
+    //      steps {
+    //        sh 'cd ci && summon --environment oc311 ./test oc postgres host-id-based'
+    //      }
+    //    }
+    //  }
+    //}
 
     // Postgres Tests with Annotation-based Authn
     stage('Deploy Demos Postgres with Annotation-based Authn') {
       parallel {
-        stage('GKE, v5 Conjur, Postgres, Annotation-based Authn') {
-          steps {
-            sh 'cd ci && summon --environment gke ./test gke postgres annotation-based'
-          }
-        }
-
-        stage('OpenShift v3.9, v5 Conjur, Postgres, Annotation-based Authn') {
-          steps {
-            sh 'cd ci && summon --environment oc ./test oc postgres annotation-based'
-          }
-        }
-
-        stage('OpenShift v3.10, v5 Conjur, Postgres, Annotation-based Authn') {
-          steps {
-            sh 'cd ci && summon --environment oc310 ./test oc postgres annotation-based'
-          }
-        }
+        //stage('GKE, v5 Conjur, Postgres, Annotation-based Authn') {
+        //  steps {
+        //    sh 'cd ci && summon --environment gke ./test gke postgres annotation-based'
+        //  }
+        //}
+
+        //stage('OpenShift v3.9, v5 Conjur, Postgres, Annotation-based Authn') {
+        //  steps {
+        //    sh 'cd ci && summon --environment oc ./test oc postgres annotation-based'
+        //  }
+        //}
+
+        //stage('OpenShift v3.10, v5 Conjur, Postgres, Annotation-based Authn') {
+        //  steps {
+        //    sh 'cd ci && summon --environment oc310 ./test oc postgres annotation-based'
+        //  }
+        //}
 
         stage('OpenShift v3.11, v5 Conjur, Postgres, Annotation-based Authn') {
           steps {
@@ -72,34 +72,34 @@ pipeline {
     }
 
     // MySQL Tests
-    stage('Deploy Demos MySQL') {
-      parallel {
-        stage('GKE, v5 Conjur, MySQL, Host-ID-based Authn') {
-          steps {
-            sh 'cd ci && summon --environment gke ./test gke mysql host-id-based'
-          }
-        }
-
-        stage('OpenShift v3.9, v5 Conjur, MySQL, Host-ID-based Authn') {
-          steps {
-            sh 'cd ci && summon --environment oc ./test oc mysql host-id-based'
-          }
-        }
-
-        stage('OpenShift v3.10, v5 Conjur, MySQL, Host-ID-based Authn') {
-          steps {
-            sh 'cd ci && summon --environment oc310 ./test oc mysql host-id-based'
-          }
-        }
-
-        stage('OpenShift v3.11, v5 Conjur, MySQL, Host-ID-based Authn') {
-          steps {
-            sh 'cd ci && summon --environment oc311 ./test oc mysql host-id-based'
-          }
-        }
-
-      }
-    }
+    //stage('Deploy Demos MySQL') {
+    //  parallel {
+    //    stage('GKE, v5 Conjur, MySQL, Host-ID-based Authn') {
+    //      steps {
+    //        sh 'cd ci && summon --environment gke ./test gke mysql host-id-based'
+    //      }
+    //    }
+
+    //    stage('OpenShift v3.9, v5 Conjur, MySQL, Host-ID-based Authn') {
+    //      steps {
+    //        sh 'cd ci && summon --environment oc ./test oc mysql host-id-based'
+    //      }
+    //    }
+
+    //    stage('OpenShift v3.10, v5 Conjur, MySQL, Host-ID-based Authn') {
+    //      steps {
+    //        sh 'cd ci && summon --environment oc310 ./test oc mysql host-id-based'
+    //      }
+    //    }
+
+    //    stage('OpenShift v3.11, v5 Conjur, MySQL, Host-ID-based Authn') {
+    //      steps {
+    //        sh 'cd ci && summon --environment oc311 ./test oc mysql host-id-based'
+    //      }
+    //    }
+
+    //  }
+    //}
   }
 
   post {

diff --git a/ci/test b/ci/test
@@ -70,10 +70,11 @@ function main() {
 
 function deployConjur() {
   pushd ..
-    git clone --single-branch --branch master [email protected]:cyberark/kubernetes-conjur-deploy kubernetes-conjur-deploy-$UNIQUE_TEST_ID
+    #git clone --single-branch --branch master [email protected]:cyberark/kubernetes-conjur-deploy kubernetes-conjur-deploy-$UNIQUE_TEST_ID
+    git clone --single-branch --branch add_oc_deploy_configs [email protected]:cyberark/kubernetes-conjur-deploy kubernetes-conjur-deploy-$UNIQUE_TEST_ID
   popd
 
-  runDockerCommand "cd kubernetes-conjur-deploy-$UNIQUE_TEST_ID && ./start"
+  runDockerCommand "cd kubernetes-conjur-deploy-$UNIQUE_TEST_ID && CONJUR_LOG_LEVEL=debug ./start"
 }
 
 function deployDemo() {

diff --git a/policy/templates/project-authn-def.template.yml b/policy/templates/project-authn-def.template.yml
@@ -45,7 +45,7 @@
         # TODO: Add deployment-config annotation after the ClusterRole
         # for Kubernetes authentication in cyberark/kubernetes-conjur-deploy
         # add get permissions for DeploymentConfig resources.
-        #authn-k8s/deployment-config: test-app-summon-sidecar
+        authn-k8s/deployment-config: test-app-summon-sidecar
         authn-k8s/authentication-container-name: authenticator
         openshift: "{{ IS_OPENSHIFT }}"
     - !host
@@ -56,7 +56,7 @@
         # TODO: Add deployment-config annotation after the ClusterRole
         # for Kubernetes authentication in cyberark/kubernetes-conjur-deploy
         # add get permissions for DeploymentConfig resources.
-        #authn-k8s/deployment-config: test-app-summon-init
+        authn-k8s/deployment-config: test-app-summon-init
         authn-k8s/authentication-container-name: authenticator
         openshift: "{{ IS_OPENSHIFT }}"
     - !host
@@ -67,7 +67,7 @@
         # TODO: Add deployment-config annotation after the ClusterRole
         # for Kubernetes authentication in cyberark/kubernetes-conjur-deploy
         # add get permissions for DeploymentConfig resources.
-        #authn-k8s/deployment-config: test-app-secretless
+        authn-k8s/deployment-config: test-app-secretless
         authn-k8s/authentication-container-name: secretless
         openshift: "{{ IS_OPENSHIFT }}"
 

diff --git a/utils.sh b/utils.sh
@@ -83,7 +83,8 @@ get_pod_name() {
 }
 
 get_pods() {
-  $cli get pods --selector "$1" --no-headers | awk '{ print $1 }'
+  # get_pods <namespace> <list-of-selectors>
+  $cli get pods -n "$1" --selector "$2" --no-headers | awk '{ print $1 }'
 }
 
 get_nodeport(){
@@ -100,9 +101,9 @@ app_service_type() {
 }
 
 get_master_pod_name() {
-  pod_list=$(get_pods "app=conjur-node,role=master")
+  pod_list=$(get_pods "$CONJUR_NAMESPACE_NAME" "app=conjur-node,role=master")
   if [ -z "$pod_list" ]; then
-      pod_list=$(get_pods "app=conjur-oss")
+      pod_list=$(get_pods "$CONJUR_NAMESPACE_NAME" "app=conjur-oss")
   fi
   echo $pod_list | awk '{print $1}'
 }
@@ -270,3 +271,12 @@ function dump_authentication_policy {
   announce "Authentication policy:"
   cat policy/generated/$TEST_APP_NAMESPACE_NAME.project-authn.yml
 }
+
+function dump_conjur_logs {
+  conjur_master=$(get_master_pod_name)
+  if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
+    $cli logs -n $CONJUR_NAMESPACE_NAME $conjur_master conjur-oss
+  else
+    $cli logs -n $CONJUR_NAMESPACE_NAME $conjur_master
+  fi
+}