In recent CI runs, the stage running end-to-end tests against Conjur Enterprise in GKE succeed without installing the Namespace Prep Helm chart or deploying the test apps.
++++++++++++++++++++++++++++++++++++++
Installing cluster prep chart
++++++++++++++++++++++++++++++++++++++
. . .
The Conjur/Authenticator Namespace preparation is complete.
The following have been deployed:
- Golden ConfigMap
- Authenticator ClusterRole
++++++++++++++++++++++++++++++++++++++
Removing test environment
++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++
Installing namespace prep chart
++++++++++++++++++++++++++++++++++++++
Release "namespace-prep-7bc09deb-9" does not exist. Installing it now.
Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: ValidationError(RoleBinding.subjects[0]): missing required field "name" in io.k8s.api.rbac.v1.Subject
The authnK8sServiceAccount field in the Golden ConfigMap template is wrapped in a conditional, and is only created if the Cluster Prep Helm chart was told to create a serviceAccount. The chart's values.yml file states:
# If 'authnK8s.serviceAccount.create` is set to `true`, then this defaults
# to "conjur-serviceaccount". If 'authnK8s.serviceAccount.create` is set
# to `false`, then this is a required value.
# name: conjur-serviceaccount
# name:
In cases where authnK8s.serviceAccount.create is set to false, the provided name was not being used for the authnK8sServiceAccount field in the Golden ConfigMap.
Implemented Changes
End-to-end test stage for Enterprise-in-GKE now installs Namespace prep Helm chart and deploys test apps
When authnK8s.serviceAccount.create is set to false, the Golden ConfigMap template uses authnK8s.serviceAccount.name to fill its authnK8sServiceAccount field.
Connected Issue/Story
Resolves #[relevant GitHub issue(s), e.g. 76]
CyberArk internal issue link: [insert issue ID]()
Definition of Done
At least 1 todo must be completed in the sections below for the PR to be
merged.
Changelog
[ ] The CHANGELOG has been updated, or
[x] This PR does not include user-facing changes and doesn't require a
CHANGELOG update
Test coverage
[ ] This PR includes new unit and integration tests to go with the code
changes, or
[x] The changes in this PR do not require tests
Documentation
[ ] Docs (e.g. READMEs) were updated in this PR
[ ] A follow-up issue to update official docs has been filed here: [insert issue ID]()
[x] This PR does not require updating any documentation
Behavior
[ ] This PR changes product behavior and has been reviewed by a PO, or
[ ] These changes are part of a larger initiative that will be reviewed later, or
[x] No behavior was changed with this PR
Security
[ ] Security architect has reviewed the changes in this PR,
[ ] These changes are part of a larger initiative with a separate security review, or
[x] There are no security aspects to these changes
Desired Outcome
In recent CI runs, the stage running end-to-end tests against Conjur Enterprise in GKE succeed without installing the Namespace Prep Helm chart or deploying the test apps.
From a passing Jenkins run:
Updating this led to another bug: Jenkins logs:
The
authnK8sServiceAccountfield in the Golden ConfigMap template is wrapped in a conditional, and is only created if the Cluster Prep Helm chart was told to create a serviceAccount. The chart'svalues.ymlfile states:In cases where
authnK8s.serviceAccount.createis set tofalse, the providednamewas not being used for theauthnK8sServiceAccountfield in the Golden ConfigMap.Implemented Changes
authnK8s.serviceAccount.createis set tofalse, the Golden ConfigMap template usesauthnK8s.serviceAccount.nameto fill itsauthnK8sServiceAccountfield.Connected Issue/Story
Resolves #[relevant GitHub issue(s), e.g. 76]
CyberArk internal issue link: [insert issue ID]()
Definition of Done
At least 1 todo must be completed in the sections below for the PR to be merged.
Changelog
Test coverage
Documentation
READMEs) were updated in this PRBehavior
Security