The cluster helm test queries the /info endpoint for validation

[izgeri]

Overview

This issue builds on the framework created in Issue #229. For an overview of the cluster prep Helm chart Helm test framework, refer to Issue #229.

This issue adds a validation of the following Conjur configuration fields in the Golden ConfigMap:

• conjurAccount
• authnK8sAuthenticatorID using the /info Conjur API endpoint. Since this endpoint is currently only available for Conjur Enterprise, this feature will only work with Conjur Enterprise instances.

Addition of conjur.type (can be "oss" or "enterprise") to chart values

A conjur.type field should be added to the chart's values.yaml file. The default setting for this value will be "oss".

Expecting /info access vs. "best effort"

• When conjur.type is explicitly set to "enterprise", this will signify that the /info endpoint is expected to work, and a lack of response is a failure.
• When conjur.type is not explicitly set to "enterprise", then access to /info endpoint will be "best effort". That is, an attempt will be made to to access the /info endpoint. Failure to access this endpoint will not be considered a test failure.

Parsing /info endpoint data and validating

When access to the /info endpoint is successful, the returned data will be parsed for:

• Conjur account
• Enabled authn-k8s authenticator IDs

If the actual Conjur account does not match the conjurAccount value in the Golden ConfigMap, then a test failure is declared.

If the enabled authn-k8s authenticator IDs do not contain the authnK8sAuthenticatorID value in the Golden ConfigMap, then a test failure is declared.

Test results

Test failures must appear in the command line output of the helm test ... command. The output should be clear about which value has been misconfigured.

Test environments

Testing must be done both with Conjur OSS instance and a Conjur Enterprise instance.

DoD

• conjur.type added to chart values, defaulting to "oss"
• A JSON schema validation is added to values.schema.json for this new field
• Test cases added to cluster prep Helm chart test
• Testing performed on both Conjur OSS and Conjur Enterprise setup
• Helm test passes for "happy path" valid values
• Helm test fails for incorrect conjurAccount, and failure is clear on command line output
• Helm test fails for incorrect authnK8sAuthenticatorID, and failure is clear on command line output

[izgeri]

I wonder if conjur.type should be conjur.edition? We've started talking about how it's "One product, multiple editions", which is what gave me this idea :)