diverdane
commented
3 years ago Prerequisites / Assumptions / Separate Work
Required Helm charts
The E2E scripts that are being developed as described in Issue #2062 depend upon the availability of three Helm charts that are being developed in separate issues:
- Cluster prep Helm chart (https://github.com/cyberark/conjur-authn-k8s-client/issues/227)
- Namespace prep Helm chart (https://github.com/cyberark/conjur-authn-k8s-client/issues/236)
Conjur deployments are assumed available
For the E2E workflow described below, it's assumed that a Conjur instance has been deployed and is available at the time that the E2E workflow scripts / Helm deployments are invoked. The "front end" work of deploying Conjur instances will be developed in these CI-centric issues:
- Conjur OSS CI (https://github.com/cyberark/conjur-authn-k8s-client/issues/242)
- Conjur Enterprise with follower inside Kubernetes (https://github.com/cyberark/conjur-authn-k8s-client/issues/243)
- Conjur Enterprise with follower outside Kubernetes (https://github.com/cyberark/conjur-authn-k8s-client/issues/244)
- Conjur Enterprise with follower outside OpenShift (https://github.com/cyberark/conjur-authn-k8s-client/issues/245)
Required Workflow
The test setup should support the following workflow:
- Kubernetes cluster prep using new Cluster Prep helm chart
- Deployment of a Conjur CLI pod if one is not present
- Loading of authenticator Conjur policy using Conjur CLI pod
- Application namespace prep using new Application Namespace prep Helm chart
- Loading of application Conjur policy using Conjur CLI pod
- Deployment of a Pod that contains one of the following authenticator containers and an application (e.g. debian or Pet Store)
- Secrets Provider init container
- Secrets Provider standalone app container
- Secretless Broker
- authn-k8s sidecar
- Validation that the application can access Conjur secrets
Issues Which will Accomplish the Creation of an E2E framework
=========================================================
- https://github.com/cyberark/conjur-authn-k8s-client/issues/238: There is a helm chart for deploying a sample app with a Conjur sidecar
=========================================================
-
https://github.com/cyberark/conjur-authn-k8s-client/issues/239: There are reusable scripts for development environments and automated testing
NOTE: These scripts skip the addition of support for Secrets Provider init/app containers. This support will be added incrementally and separately (see Issue #xxxxxx)
This issue involves basically making a copy or fork of conjurdemos/kubernetes-conjur-demo scripts and modifying these scripts to use Helm chart installs (for cluster prep, Namespace prep, and application deploy), rather than using bash/sed/kubectl to do deployments.
The scripts for Issue https://github.com/cyberark/conjur-authn-k8s-client/issues/239 can be developed as follows:
- Start with a clone/fork of the conjurdemos/kubernetes-conjur-demo script repository
- Modify the
set_env_vars.shscript to define & set environment variables that will be used as--set <key>=<value>command line settings for all chart values in each Helm chart (cluster prep, Namespace prep, and application deploy). (See thevalues.yamlfiles in each Helm chart to see what values are needed). - Delete the
0_prep_check_dependencies.shfile, and remove its invocation from thestartscript. The Helm charts should now provide the required checking for required settings. - Modify the
4_app_create_namespace.shto:- Eliminate the creation of the RoleBinding
- Add invocation of
helm install ...for cluster prep helm chart (could be a separate bash script) - Add invocation of
helm install ...for Namespace prep helm chart (could be a separate bash script)
- Delete the
5_app_store_conjur_cert.shscript and remove its invocation fromstart - Modify the
7_app_deploy.shto use new sample Application deploy Helm chart
=========================================================
- https://github.com/cyberark/conjur-authn-k8s-client/issues/247:
Add support for Secrets Provider init/app container to reusable scripts
- Modify the policy templates in the
policysubdirectory to include application policies for Secrets Provider init container and Secrets Provider standalone "app" container. - Modify the
7_app_deploy.shto include Helm install of applications that use Secrets Provider init container and Secrets Provider standalone "app" container. - Modify
8_app_verify_authenticationto add verification that applications using Secrets Provider can access Conjur secrets.
- Modify the policy templates in the
=========================================================
- https://github.com/cyberark/conjur-authn-k8s-client/issues/248:
Deployment scripts include support for OpenShift
- In the policy subdirectory, add Conjur policy host definitions for sample applications that will be run on OpenShift.
- Using the conjurdemos/kubernetes-conjur-demo scripts as a reference, make sure that the
calls to the
ocCLI that appear in the kubernetes-conjur-demo scripts are also included in the scripts created by Issue #239: - Modify the
7_app_deploy.shto include deployment of applications using the Secrets Provider init and app container authenticators (i.e. by passing the necessary chart values to the application deployment Helm chart.
=========================================================
There is an initial draft in #2062.
The goal of this spike is to complete the draft in #2062 that describes the test plan we'll use for the improved Conjur configuration management project. The outcome of the spike is a thorough draft described in #2062 and broken out into small (1-3 day) issues.
Once written, the test plan will be reviewed by the quality architect.