diff --git a/1_create_test_app_namespace.sh b/1_create_test_app_namespace.sh
index e8a01ba..aa7dd84 100755
--- a/1_create_test_app_namespace.sh
+++ b/1_create_test_app_namespace.sh
@@ -39,6 +39,15 @@ if [[ $PLATFORM == openshift ]]; then
 oc adm policy add-role-to-user admin $OSHIFT_CONJUR_ADMIN_USERNAME -n default
 oc adm policy add-role-to-user admin $OSHIFT_CONJUR_ADMIN_USERNAME -n $TEST_APP_NAMESPACE_NAME
+ #oc adm policy add-role-to-user \
+ # conjur-authenticator-$CONJUR_NAMESPACE_NAME \
+ # system:serviceaccount:$CONJUR_NAMESPACE_NAME:conjur-cluster \
+ # --rolebinding-name=test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME \
+ # -n $TEST_APP_NAMESPACE_NAME
+ #oc adm policy add-role-to-user \
+ # conjur-authenticator-$CONJUR_NAMESPACE_NAME \
+ # system:serviceaccount:$CONJUR_NAMESPACE_NAME:conjur-cluster \
+ # --rolebinding-name=test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME
 echo "Logging in as Conjur Openshift admin. Provide password as needed."
 oc login -u $OSHIFT_CONJUR_ADMIN_USERNAME
 fi
diff --git a/4_store_conjur_cert.sh b/4_store_conjur_cert.sh
index aaf370a..fb8da29 100755
--- a/4_store_conjur_cert.sh
+++ b/4_store_conjur_cert.sh
@@ -11,6 +11,10 @@ echo "Retrieving Conjur certificate."
 if $cli get pods --selector role=follower --no-headers; then
 follower_pod_name=$($cli get pods --selector role=follower --no-headers | awk '{ print $1 }' | head -1)
+ $cli exec $follower_pod_name -- sed -i "s/:info/:debug/" /opt/conjur/possum/config/environments/appliance.rb
+ $cli exec $follower_pod_name -- sv restart conjur/possum
+ echo "****TEMP**** Sleep for 20 seconds to allow for possum restart"
+ sleep 20
 ssl_cert=$($cli exec $follower_pod_name -- cat /opt/conjur/etc/ssl/conjur.pem)
 else
 echo "Regular follower not found. Trying to assume a decomposed follower..."
diff --git a/7_verify_authentication.sh b/7_verify_authentication.sh
index 71bcbb7..90fb426 100755
--- a/7_verify_authentication.sh
+++ b/7_verify_authentication.sh
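Review bot: All nine added lines are commented-out `oc adm policy add-role-to-user` invocations, the second a copy of the first without the `-n $TEST_APP_NAMESPACE_NAME` flag, and nothing in the hunk says whether either is meant to return. Commented-out command text in a provisioning script tends to be re-enabled by the next person without re-checking its scope, and the flag-less variant would bind into whatever project the current `oc` session is in, so either delete both or keep one with its reason, e.g. `# Disabled: the authenticator role binding is applied from openshift/test-app-conjur-authenticator-role-binding.yml instead; see <issue>` (the matching `--rolebinding-name` is what suggests that relationship; confirm before writing it). The `if [[ $PLATFORM == openshift ]]` block these sit in is closed by the `fi` at the end of the hunk.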
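Review bot: The four added lines change what this script does: `sed -i "s/:info/:debug/"` rewrites `appliance.rb` inside the follower and `sv restart conjur/possum` restarts it, in a step that otherwise only reads `conjur.pem`, and the `****TEMP****` banner marks it as scaffolding. Two concrete problems if it stays: the unanchored pattern rewrites the first `:info` on every line of the file rather than a specific log-level setting, and the fixed `sleep 20` is a guess, not a readiness check — nothing in the hunk verifies possum came back before the script continues. The new `exec` calls also leave `$follower_pod_name` unquoted. Debug logging is already requested once in this commit via `CONJUR_LOG_LEVEL=debug` in `ci/test`, so the cleanest fix is to drop these lines; if they must remain, gate them behind an explicit opt-in variable and replace the sleep with a bounded `until $cli exec "$follower_pod_name" -- <readiness probe>; do sleep 2; done` loop with an iteration cap.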
@@ -32,9 +32,34 @@ announce "Validating that the deployments are functioning as expected."
 set_namespace "$TEST_APP_NAMESPACE_NAME"
+echo Conjur namespace: $CONJUR_NAMESPACE_NAME
+announce "Describing Service Accounts in Conjur Namespace"
+$cli describe sa -n $CONJUR_NAMESPACE_NAME
+announce "Get OC version"
+$cli version
+announce "Get users"
+$cli get users
+announce "Describing rolebinding.rbac test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME"
+$cli describe rolebinding.rbac test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME
+announce "Describing rolebinding test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME"
+$cli describe rolebinding test-app-conjur-authenticator-role-binding-$CONJUR_NAMESPACE_NAME
+announce "Describing DeploymentConfigs in test app namespace"
+$cli describe deploymentconfigs
+
 echo "Waiting for pods to become available"
+retry_count=0
 check_pods(){
+ let "retry_count++"
+ if [[ $retry_count -eq 20 ]]; then
+ follower_pod_name=$($cli get pods -n $CONJUR_NAMESPACE_NAME --selector role=follower --no-headers | awk '{ print $1 }' | head -1)
+ announce "Checking for RBAC errors in follower pod logs."
+ echo Follower pod: $follower_pod_name
+ echo ================================
+ $cli logs -n $CONJUR_NAMESPACE_NAME $follower_pod_name | grep RBAC
+ else
+ echo Retry count: $retry_count
+ fi
 pods_ready "test-app-summon-init" &&
 pods_ready "test-app-with-host-outside-apps-branch-summon-init" &&
 pods_ready "test-app-summon-sidecar" &&
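Review bot: `if [[ $retry_count -eq 20 ]]` hard-codes the attempt on which follower logs are inspected, while the loop that calls `check_pods` is budgeted by `${RETRIES}` (the `bl_retry_constant` call in the next hunk), so with a smaller `RETRIES` the RBAC log check is dead code and with a larger one it fires exactly once; compare against `$RETRIES` (or a fraction of it) so the two stay in step. `let "retry_count++"` also returns status 1 on the first call, because the post-increment expression evaluates to 0 — harmless unless this file runs under `set -e` or an `ERR` trap, which is not visible here; `retry_count=$((retry_count + 1))` sidesteps the question. The block of `describe`/`get users` calls above `echo "Waiting for pods to become available"` is debugging output rather than verification and enumerates every user in the cluster and every service account in the Conjur namespace into CI logs on each run; if it is kept, gate it behind a verbose flag. `check_pods` continues past the end of this hunk.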
@@ -42,17 +67,28 @@ check_pods(){
 }
 bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_pods
+
+$cli describe pod --selector "app=test-app-summon-init"
+$cli describe pod --selector "test-app-with-host-outside-apps-branch-summon-init"
+$cli describe pod --selector "test-app-summon-sidecar"
+$cli describe pod --selector "test-app-secretless"
+
 if [[ "$PLATFORM" == "openshift" ]]; then
 echo "Waiting for deployments to become available"
 check_deployment_status(){
- [[ "$(deployment_status "test-app-summon-init")" == "Complete" ]] &&
- [[ "$(deployment_status "test-app-with-host-outside-apps-branch-summon-init")" == "Complete" ]] &&
- [[ "$(deployment_status "test-app-summon-sidecar")" == "Complete" ]] &&
- [[ "$(deployment_status "test-app-secretless")" == "Complete" ]]
+ [[ "$(deployment_status "oc-test-app-summon-init")" == "Complete" ]] &&
+ [[ "$(deployment_status "oc-test-app-with-host-outside-apps-branch-summon-init")" == "Complete" ]] &&
+ [[ "$(deployment_status "oc-test-app-summon-sidecar")" == "Complete" ]] &&
+ [[ "$(deployment_status "oc-test-app-secretless")" == "Complete" ]]
 }
 bl_retry_constant "${RETRIES}" "${RETRY_WAIT}" check_deployment_status
+ echo Deployment Status oc-test-app-summon-init: $(deployment_status "oc-test-app-summon-init")
+ echo Deployment Status oc-test-app-with-host-outside: $(deployment_status "oc-test-app-with-host-outside-apps-branch-summon-init")
+ echo Deployment Status oc-test-app-summon-sidecar: $(deployment_status "oc-test-app-summon-sidecar")
+ echo Deployment Status oc-test-app-secretless: $(deployment_status "oc-test-app-secretless")
+
 sidecar_pod=$(get_pod_name test-app-summon-sidecar)
 init_pod=$(get_pod_name test-app-summon-init)
 init_pod_with_host_outside_apps=$(get_pod_name test-app-with-host-outside-apps-branch-summon-init)
diff --git a/Jenkinsfile b/Jenkinsfile
index 5747aca..9f7f8a3 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
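Review bot: Three of the four new `$cli describe pod --selector` calls pass a bare value (`"test-app-with-host-outside-apps-branch-summon-init"`, `"test-app-summon-sidecar"`, `"test-app-secretless"`) where the first passes `"app=test-app-summon-init"`; a selector with no `=` is an existence test on a label *key* of that name, and the DeploymentConfig manifests in this same commit label their pods `app: <name>`, so those three calls select nothing and print nothing useful. Fix: `$cli describe pod --selector "app=test-app-with-host-outside-apps-branch-summon-init"` and the same `app=` prefix for the other two. Separately, the four `echo Deployment Status ...` lines after `bl_retry_constant` re-query a status the check just established and leave the `$(deployment_status ...)` expansions unquoted; if they are kept as diagnostics they belong in a failure path rather than the success path. The `if [[ "$PLATFORM" == "openshift" ]]` block continues past the end of the hunk.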
@@ -16,60 +16,72 @@ pipeline { // Postgres Tests stage('Deploy Demos Postgres') { parallel { - stage('GKE, v5 Conjur, Postgres') { - steps { - sh 'cd ci && summon --environment gke ./test gke postgres' - } - } + //stage('GKE, v5 Conjur, Postgres') { + // steps { + // sh 'cd ci && summon --environment gke ./test gke postgres' + // } + //} - stage('OpenShift v3.9, v5 Conjur, Postgres') { - steps { - sh 'cd ci && summon --environment oc ./test oc postgres' - } - } + //stage('GKE, v5 Conjur, Postgres, Deployment Authn ID') { + // steps { + // sh 'cd ci && CONJUR_AUTHN_LOGIN_RESOURCE=deployment summon --environment gke ./test gke postgres' + // } + //} - stage('OpenShift v3.10, v5 Conjur, Postgres') { - steps { - sh 'cd ci && summon --environment oc310 ./test oc postgres' - } - } + //stage('OpenShift v3.9, v5 Conjur, Postgres') { + // steps { + // sh 'cd ci && summon --environment oc ./test oc postgres' + // } + //} - stage('OpenShift v3.11, v5 Conjur, Postgres') { - steps { - sh 'cd ci && summon --environment oc311 ./test oc postgres' - } - } - } - } + //stage('OpenShift v3.10, v5 Conjur, Postgres') { + // steps { + // sh 'cd ci && summon --environment oc310 ./test oc postgres' + // } + //} -// MySQL Tests - stage('Deploy Demos MySQL') { - parallel { - stage('GKE, v5 Conjur, MySQL') { - steps { - sh 'cd ci && summon --environment gke ./test gke mysql' - } - } - - stage('OpenShift v3.9, v5 Conjur, MySQL') { - steps { - sh 'cd ci && summon --environment oc ./test oc mysql' - } - } + //stage('OpenShift v3.11, v5 Conjur, Postgres') { + // steps { + // sh 'cd ci && summon --environment oc311 ./test oc postgres' + // } + //} - stage('OpenShift v3.10, v5 Conjur, MySQL') { + stage('OpenShift v3.11, v5 Conjur, Postgres, Deployment Authn ID') { steps { - sh 'cd ci && summon --environment oc310 ./test oc mysql' - } - } - - stage('OpenShift v3.11, v5 Conjur, MySQL') { - steps { - sh 'cd ci && summon --environment oc311 ./test oc mysql' + sh 'cd ci && 
CONJUR_AUTHN_LOGIN_RESOURCE=deployment_config summon --environment oc311 ./test oc postgres' } } } } + +// MySQL Tests +// stage('Deploy Demos MySQL') { +// parallel { +// stage('GKE, v5 Conjur, MySQL') { +// steps { +// sh 'cd ci && summon --environment gke ./test gke mysql' +// } +// } +// +// stage('OpenShift v3.9, v5 Conjur, MySQL') { +// steps { +// sh 'cd ci && summon --environment oc ./test oc mysql' +// } +// } +// +// stage('OpenShift v3.10, v5 Conjur, MySQL') { +// steps { +// sh 'cd ci && summon --environment oc310 ./test oc mysql' +// } +// } +// +// stage('OpenShift v3.11, v5 Conjur, MySQL') { +// steps { +// sh 'cd ci && summon --environment oc311 ./test oc mysql' +// } +// } +// } +// } } post {
diff --git a/ci/test b/ci/test
index 8f22ab6..28d8cb6 100755
--- a/ci/test
+++ b/ci/test
@@ -68,10 +68,11 @@ function main() {
 function deployConjur() {
 pushd ..
- git clone --single-branch --branch master git@github.com:cyberark/kubernetes-conjur-deploy kubernetes-conjur-deploy-$UNIQUE_TEST_ID
+ #git clone --single-branch --branch master git@github.com:cyberark/kubernetes-conjur-deploy kubernetes-conjur-deploy-$UNIQUE_TEST_ID
+ git clone --single-branch --branch openshift_deploy_configs git@github.com:cyberark/kubernetes-conjur-deploy kubernetes-conjur-deploy-$UNIQUE_TEST_ID
 popd
- runDockerCommand "cd kubernetes-conjur-deploy-$UNIQUE_TEST_ID && ./start"
+ runDockerCommand "cd kubernetes-conjur-deploy-$UNIQUE_TEST_ID && CONJUR_LOG_LEVEL=debug ./start"
 }
 function deployDemo() {
@@ -100,6 +101,8 @@ function prepareTestEnvironment() {
 export CONJUR_APPLIANCE_IMAGE=$registry:5.0-stable
+ export CONJUR_AUTHN_LOGIN_RESOURCE="${CONJUR_AUTHN_LOGIN_RESOURCE:-service_account}"
+
 # Prepare Docker images
 docker pull $CONJUR_APPLIANCE_IMAGE
 docker build --tag $CONJUR_DEMO_TEST_IMAGE:$CONJUR_NAMESPACE_NAME \
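Review bot: Every stage except `OpenShift v3.11, v5 Conjur, Postgres, Deployment Authn ID` is commented out rather than removed, so merging this drops GKE, OpenShift 3.9/3.10 and all MySQL coverage from CI with no stated reason and no restoration point; the only signal left for a reader is the commented block itself. If this is a temporary narrowing while `deployment_config` authentication is being debugged, say so once at the first disabled stage, e.g. `// TEMP: other matrix entries disabled while deployment_config authn is validated on oc311; restore before merge (<issue>)`, and plan to revert it before the branch lands. The surviving stage was spliced onto the old `OpenShift v3.11, v5 Conjur, MySQL` block's `steps {`, which reads correctly but is worth a second look since the stage label and the `./test oc postgres` argument now come from different edits. The enclosing `pipeline {` block begins and ends outside the hunk.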
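Review bot: `deployConjur` now clones `kubernetes-conjur-deploy` from the feature branch `openshift_deploy_configs`, with the `master` line left commented above it, so this repository's CI is pinned to a branch in another repository that will disappear when it merges, and the commented line is the only record of the intended default. Either restore `master` before merge or make the branch a parameter with `master` as the default, e.g. `git clone --single-branch --branch "${CONJUR_DEPLOY_BRANCH:-master}" git@github.com:cyberark/kubernetes-conjur-deploy kubernetes-conjur-deploy-$UNIQUE_TEST_ID` (variable name is illustrative), and delete the commented copy. `CONJUR_LOG_LEVEL=debug ./start` is likewise a debugging setting baked into every CI run; once the `4_store_conjur_cert.sh` workaround is removed this becomes the only place the appliance log level is raised, so it deserves a comment saying why, or an opt-in. `deployConjur` is fully within the hunk; the `function main()` named in the header is not.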
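Review bot: `export CONJUR_AUTHN_LOGIN_RESOURCE="${CONJUR_AUTHN_LOGIN_RESOURCE:-service_account}"` accepts any string, and the value presumably becomes the resource-type segment of the Conjur host id (the policy template hunks switch to `deployment_config`, the Jenkinsfile uses `deployment` and `deployment_config`), so a typo yields an authn host that exists nowhere in policy and surfaces only as an authentication failure late in the run. A guard at the point of export keeps the failure local: `[[ "$CONJUR_AUTHN_LOGIN_RESOURCE" =~ ^(service_account|deployment|deployment_config)$ ]] || { echo "Unsupported CONJUR_AUTHN_LOGIN_RESOURCE: $CONJUR_AUTHN_LOGIN_RESOURCE" >&2; exit 1; }`. The set of valid values is inferred from this diff and should be confirmed against the policy templates before hard-coding it. `prepareTestEnvironment` begins and ends outside the hunk.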
@@ -136,6 +139,7 @@ function runDockerCommand() {
 -e CONJUR_NAMESPACE_NAME \
 -e CONJUR_ACCOUNT \
 -e CONJUR_ADMIN_PASSWORD \
+ -e CONJUR_AUTHN_LOGIN_RESOURCE \
 -e AUTHENTICATOR_ID \
 -e TEST_APP_NAMESPACE_NAME \
 -e TEST_APP_DATABASE \
diff --git a/openshift/test-app-conjur-authenticator-role-binding.yml b/openshift/test-app-conjur-authenticator-role-binding.yml
index ebe0191..b81c607 100644
--- a/openshift/test-app-conjur-authenticator-role-binding.yml
+++ b/openshift/test-app-conjur-authenticator-role-binding.yml
@@ -8,6 +8,9 @@ subjects:
 - kind: ServiceAccount
 name: conjur-cluster
 namespace: {{ CONJUR_NAMESPACE_NAME }}
+ - kind: User
+ apiGroup: rbac.authorization.k8s.io
+ name: system:serviceaccount:{{ CONJUR_NAMESPACE_NAME }}:conjur-cluster
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
diff --git a/openshift/test-app-secretless.yml b/openshift/test-app-secretless.yml
index c6b0b3f..6d54fbb 100644
--- a/openshift/test-app-secretless.yml
+++ b/openshift/test-app-secretless.yml
@@ -24,7 +24,7 @@ kind: DeploymentConfig
 metadata:
 labels:
 app: test-app-secretless
- name: test-app-secretless
+ name: oc-test-app-secretless
 spec:
 replicas: 1
 selector:
diff --git a/openshift/test-app-summon-init.yml b/openshift/test-app-summon-init.yml
index e4d1ac2..9dd6445 100644
--- a/openshift/test-app-summon-init.yml
+++ b/openshift/test-app-summon-init.yml
@@ -24,7 +24,7 @@ kind: DeploymentConfig
 metadata:
 labels:
 app: test-app-summon-init
- name: test-app-summon-init
+ name: oc-test-app-summon-init
 spec:
 replicas: 1
 selector:
diff --git a/openshift/test-app-summon-sidecar.yml b/openshift/test-app-summon-sidecar.yml
index ded091b..55c5d20 100644
--- a/openshift/test-app-summon-sidecar.yml
+++ b/openshift/test-app-summon-sidecar.yml
@@ -24,7 +24,7 @@ kind: DeploymentConfig
 metadata:
 labels:
 app: test-app-summon-sidecar
- name: test-app-summon-sidecar
+ name: oc-test-app-summon-sidecar
 spec:
 replicas: 1
 selector:
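Review bot: The added `User` subject `system:serviceaccount:{{ CONJUR_NAMESPACE_NAME }}:conjur-cluster` names the same principal as the `ServiceAccount` subject directly above it — a service account token authenticates as exactly that user name — so the binding now grants the role to one identity twice. This does not widen privilege, but a duplicated subject in an RBAC binding usually means a binding that did not seem to take effect was patched by trial and error (the commented-out `oc adm policy add-role-to-user` lines for this same `system:serviceaccount:` user in `1_create_test_app_namespace.sh` point the same way), and the next reader cannot tell which form is load-bearing. Either remove the new subject, or keep exactly one form with a comment such as `# Bound as User rather than ServiceAccount because <reason>; see <issue>`. The `subjects:` list opens at the hunk header and `roleRef:` is completed outside the hunk.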
diff --git a/openshift/test-app-with-host-outside-apps-branch-summon-init.yml b/openshift/test-app-with-host-outside-apps-branch-summon-init.yml
index 8bf0049..93a187c 100644
--- a/openshift/test-app-with-host-outside-apps-branch-summon-init.yml
+++ b/openshift/test-app-with-host-outside-apps-branch-summon-init.yml
@@ -24,7 +24,7 @@ kind: DeploymentConfig
 metadata:
 labels:
 app: test-app-with-host-outside-apps-branch-summon-init
- name: test-app-with-host-outside-apps-branch-summon-init
+ name: oc-test-app-with-host-outside-apps-branch-summon-init
 spec:
 replicas: 1
 selector:
diff --git a/policy/templates/project-authn-def.template.yml b/policy/templates/project-authn-def.template.yml
index 9c37ed1..7c63e3f 100644
--- a/policy/templates/project-authn-def.template.yml
+++ b/policy/templates/project-authn-def.template.yml
@@ -53,7 +53,7 @@
 kubernetes/authentication-container-name: authenticator
 openshift: "{{ IS_OPENSHIFT }}"
 - !host
- id: {{ TEST_APP_NAMESPACE_NAME }}/deployment/oc-test-app-summon-sidecar
+ id: {{ TEST_APP_NAMESPACE_NAME }}/deployment_config/oc-test-app-summon-sidecar
 annotations:
 kubernetes/authentication-container-name: authenticator
 openshift: "{{ IS_OPENSHIFT }}"
@@ -63,7 +63,7 @@
 kubernetes/authentication-container-name: authenticator
 openshift: "{{ IS_OPENSHIFT }}"
 - !host
- id: {{ TEST_APP_NAMESPACE_NAME }}/deployment/oc-test-app-summon-init
+ id: {{ TEST_APP_NAMESPACE_NAME }}/deployment_config/oc-test-app-summon-init
 annotations:
 kubernetes/authentication-container-name: authenticator
 openshift: "{{ IS_OPENSHIFT }}"
@@ -73,7 +73,7 @@
 kubernetes/authentication-container-name: secretless
 openshift: "{{ IS_OPENSHIFT }}"
 - !host
- id: {{ TEST_APP_NAMESPACE_NAME }}/deployment/oc-test-app-secretless
+ id: {{ TEST_APP_NAMESPACE_NAME }}/deployment_config/oc-test-app-secretless
 annotations:
 kubernetes/authentication-container-name: secretless
 openshift: "{{ IS_OPENSHIFT }}"