Create scripts for development environment and CI testing:
To generate and load authn-k8s-specific Conjur policy
To generate and load application-specific Conjur policy
To do Helm install for cluster prep and app Namespace prep
Use the Helm chart from #238 to deploy example application(s) with a selectable list of authenticator types to deploy
To verify secrets access for example application
Example Use Cases
The scripts described here can be used for:
Automated CI for testing Kubernetes authentication across various Conjur OSS/Enterprise configurations
A quick-start guide for Kubernetes authentication
Katacoda tutorials for Kubernetes authentication
Out of Scope
For purposes of splitting out tasks into more manageable chunks, a couple of other issues have been created to implement some aspects of this feature separately:
This issue does not include the addition of support for Secrets Provider init/app containers.
Support for Secrets Provider authenticators will be added incrementally using Issue #247.
This issue does not include testing the script workflow on the OpenShift platform. This testing will be done incrementally, using Issue #248.
Implementation details
This issue basically involves making a copy or fork of the conjurdemos/kubernetes-conjur-demo scripts and modifying them to use invocations of helm install ... with the following Helm charts, rather than using bash/sed/kubectl to do deployments:
Kubernetes cluster prep Helm chart (Issue #227)
Namespace prep Helm chart (Issue #236)
Sample application Helm chart (Issue #238)
The scripts for this workflow can be developed as follows:
Start with a clone/fork of the conjurdemos/kubernetes-conjur-demo script repository
The set_env_vars.sh script can probably be deleted, since most chart values for the above Helm charts will likely be required settings. (Remove its invocation from start.)
Modify the 0_prep_check_dependencies.sh file to require the existence of environment variable settings that correspond to every required chart value for all 3 Helm charts. For example, for the cluster prep Helm chart, add a check for an environment variable CONJUR_ACCOUNT corresponding to the conjur.account chart value. NOTE: These environment variable settings will be used on the helm install ... command line to set the corresponding chart value. For example, for conjur.account, the following command line setting will be included for helm install ...:
--set conjur.account="$CONJUR_ACCOUNT"
Passing in settings to these scripts as environment variables is more convenient
than creating a custom values.yaml file (and we can use Summon in CI).
Note that the checks for required environment variable settings are being added here, even though the charts will check for required values themselves, so that we fail quickly. For example, if we're missing an env variable setting for the application deployment, we won't have to wait for the helm install of the other Helm charts to run before discovering the missing setting.
Modify the 4_app_create_namespace.sh to:
Eliminate the creation of the RoleBinding
Add invocation of helm install ... for the cluster prep Helm chart (could be a separate bash script)
Add invocation of helm install ... for the Namespace prep Helm chart (could be a separate bash script)
Delete the 5_app_store_conjur_cert.sh script and remove its invocation from start
Modify the 7_app_deploy.sh to use new sample Application deploy Helm chart
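The fail-fast environment variable check and the env-var-to-chart-value mapping described for 0_prep_check_dependencies.sh, written out as an added example (not code from the conjur-authn-k8s-client project or the kubernetes-conjur-demo scripts). Only the CONJUR_ACCOUNT / conjur.account pair is named in this issue; the CONJUR_APPLIANCE_URL / conjur.applianceUrl pair and the release and chart names in the usage sketch are constructed placeholders.

```shell
#!/bin/sh
# Added example: fail-fast checks for the environment variables that back
# required Helm chart values, plus a helper that turns each variable into a
# "--set <chartValue>=<value>" argument for `helm install`.

# Mapping of ENV_VAR=chart.value, one pair per line (constructed example;
# only CONJUR_ACCOUNT/conjur.account comes from the issue text).
CLUSTER_PREP_REQUIRED_VARS="
CONJUR_ACCOUNT=conjur.account
CONJUR_APPLIANCE_URL=conjur.applianceUrl
"

# Verify every variable in the mapping is set and non-empty. Report ALL
# missing names before returning, so the operator can fix them in one pass
# instead of discovering them one helm install at a time.
check_required_env_vars() {
  mapping="$1"
  missing=0
  for entry in $mapping; do
    var="${entry%%=*}"
    # Indirect lookup in POSIX sh; $var only ever comes from our own mapping.
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
      echo "ERROR: required environment variable $var is not set" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Emit "--set" and "<chartValue>=<value>" on alternating lines for each
# mapping entry. Assumes check_required_env_vars has already passed.
helm_set_args() {
  mapping="$1"
  for entry in $mapping; do
    var="${entry%%=*}"
    key="${entry#*=}"
    eval "val=\${$var}"
    printf -- '--set\n%s=%s\n' "$key" "$val"
  done
}

# Usage sketch (bash; release and chart path are placeholders):
#   check_required_env_vars "$CLUSTER_PREP_REQUIRED_VARS" || exit 1
#   mapfile -t set_args < <(helm_set_args "$CLUSTER_PREP_REQUIRED_VARS")
#   helm install cluster-prep ./cluster-prep-chart "${set_args[@]}"
```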
DoD
[ ] The conjur-authn-k8s-client project includes utility scripts for policy loading to be used in the e2e tests and in the "quick start" demo
Note: in both cases (automated tests & demo), we are deploying Conjur so that we have access to the Conjur OSS server / Conjur Enterprise leader to load policy.
As a follow-up to this work, we may want to review the actual policies that are loaded here to make sure they are consistent with our current documented best practices and our own notes in dap-wiki (private)