Secretless rotation XA environment is validated

[izgeri]

AC:

• [ ] Validate that you can deploy an app with Secretless to the rotation XA environment
• [ ] Set up namespaces for those running perf tests in the rotation XA environment

[izgeri]

@ismarc please provide @sgnn7 with the following info (there are definitions in the docs here):

• DB_POLICY_BRANCH (branch with pg address of the form url:port, mysql host/port, user/pass for both)
• DAP_SECRET_LAYER (layer/group with read/execute on secrets)
• DAP_FOLLOWER_NAMESPACE
• DAP_FOLLOWER_URL: https://[service name].[namespace].svc.cluster.local/api
• AUTHENTICATOR_NAME
• DAP_ACCOUNT
• conjur.pem

@sgnn7 I created a new namespace for you srdjan-secretless-rotation, but you will still need to:

• load policy to the conjur/authn-k8s/AUTHENTICATOR_NAME/apps branch to add your service account host ID to the right layer in policy

  - !host
  id: srdjan-secretless-rotation/service_account/secretless-rotation
  annotations:
    kubernetes/authentication-container-name: secretless
    openshift: "true"
  
  # grant membership to the conjur/authn-k8s/AUTHENTICATOR_NAME/apps layer
  - !grant
  role: !layer
  member: !host srdjan-secretless-rotation/service_account/secretless-rotation

• load policy to root to grant your hosts access to the secrets

  - !grant
  role: !group DAP_SECRET_LAYER
  member: !host conjur/authn-k8s/AUTHENTICATOR_NAME/apps/srdjan-secretless-rotation/service_account/secretless-rotation

• add a rolebinding to your space so the follower can inject the tokens

  ---
  kind: RoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
  name: test-app-conjur-authenticator-role-binding-FOLLOWER_NAMESPACE
  namespace: srdjan-secretless-rotation
  subjects:
  - kind: ServiceAccount
    name: conjur-cluster
    namespace: FOLLOWER_NAMESPACE
  roleRef:
  kind: ClusterRole
  name: conjur-authenticator-FOLLOWER_NAMESPACE
  apiGroup: rbac.authorization.k8s.io

[ismarc]

MySQL DB info: hostname: conjur/xa-secretless-dual-db/mysql/hostname port: conjur/xa-secretless-dual-db/mysql/port database: conjur/xa-secretless-dual-db/mysql/database admin username: ConjurSync/Dual/Secretless_Dual/Database-MySQL-xa-secretless-dual.cupksrq0shff.us-east-1.rds.amazonaws.com-myadmin/username admin password: ConjurSync/Dual/Secretless_Dual/Database-MySQL-xa-secretless-dual.cupksrq0shff.us-east-1.rds.amazonaws.com-myadmin/password rotated username: ConjurSync/Dual/Secretless_Dual/myadmin_rotate/username rotated password: ConjurSync/Dual/Secretless_Dual/myadmin_rotate/password

DAP_SECRET_LAYER: conjur/xa-secretless-dual-db DAP_FOLLOWER_NAMESPACE: xa-secretless-dual DAP_FOLLOWER_URL: https://conjur-follower.xa-secretless-dual.svc.cluster.local

conjur.pem: -----BEGIN CERTIFICATE----- MIID3DCCAsSgAwIBAgIJAPfjjAHaOxsXMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNV BAMMFXhhLWNsdXN0ZXItbWF0dHMtcm9vdDAgFw0xOTA2MTkyMTI2MzVaGA8yOTk5 MDgyMDIxMjYzNVowTzEbMBkGA1UECwwSeGEtc2VjcmV0bGVzcy1kdWFsMTAwLgYD VQQDDCd4YS1zZWNyZXRsZXNzLWR1YWwtbWFzdGVyLnFhLmNvbmp1ci5uZXQwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF9llY+ERA1g306HpO+LLK4Abl NCDWWWu2Dbv7gFrHBuwqloaw6L4cLn9NuFZr7/p5gyoRQfiS8pIHoRoqeOxp/1rH k5pnJvLsamyF1jdXPvVHnzOQSLAa6+epxgN4UsCuQeOYQHORqOv70L7cD/YUDptE Vp2x0TW1Z2p2x/SNVNoRxCM1bP30/fxcieXNWfh9fpY2/eNp1OBZYH/FoPJ1cDi5 m2DKtoRGSB6Uh7DLD8SJKeW3kScUK3ZJzvQU6SSul07Uxeojq5xO0C3wqRqeAtk1 TAYSIFJjOrQUGLimhfCTnHQC7m5hCoo5KhnyyHkY91NIJfGwLFdgDlNpwFy3AgMB AAGjgecwgeQwHwYDVR0jBBgwFoAUwYl2d6nJ7jnTDEZBqAxiKe6ljbMwCQYDVR0T BAIwADALBgNVHQ8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC MIGJBgNVHREEgYEwf4IoZWMyLTMtODMtMTkyLTE4MS5jb21wdXRlLTEuYW1hem9u YXdzLmNvbYIpZWMyLTMtMjE1LTE4My0xNTEuY29tcHV0ZS0xLmFtYXpvbmF3cy5j b22CKGVjMi0zLTg1LTI0NS0yNDYuY29tcHV0ZS0xLmFtYXpvbmF3cy5jb20wDQYJ KoZIhvcNAQELBQADggEBAHYSWnXVjOweARDOgo4nVHv+EB0f3bn+/nDwVTVCY7q+ QQVyw/rIE/bIuJW/47tax4NB5gNGdE/y4iKxrCD+v+fOvhwrhDaBB7hTf3x8f/9V ckvtHaOFmgLQ1Q85iE+JmchdwX6bzgNy1SYRdHKI2HX+pdKjsx6hmnsYfzFbmB37 juNv+j5cM98eR9sxzJBewghTqvELrcMYTOUNSSWi91+iR0fq/Wi+5gI1sRULoi31 rHogfQCsRk5qlQnjGOZVCSCZ0Dv6CT8Z0L0cmvYXakj80cFl3SjGHLG8NXN84njl zgKiSWK3R79nBSu8ktnkhBR8fFa7d4bOUWqoEGyd2Js= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDGDCCAgCgAwIBAgIJAI1WX4QpjEBBMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNV BAMMFXhhLWNsdXN0ZXItbWF0dHMtcm9vdDAgFw0xOTA0MjkxNTIxMjhaGA8yOTk5 MDYzMDE1MjEyOFowIDEeMBwGA1UEAwwVeGEtY2x1c3Rlci1tYXR0cy1yb290MIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn9uzg3BW5nsBtRiPpceeofND EmRhHgKEc+32e4LaROALgySMjIcI4rzLal7FNbDJzFlHEFfa9EtsSTL/GoPVQawd 22xO9XW8GVrlTF96hRUCz9AcphOMV3ZJ8mYUdirZ4ondvatBi+u2nHxNm0+p2uFB CAp9cRhyvrcubVylI3bEhQxwDh5AmQIIAmxnWGS13lQNZOKMaN6KTAly3UecAMmH Vy3qftRaVzAxsEVJy6I9yvU589qu+nGQvdYoQ5WQw0wLpQBRLBp1GQn310cEiSga PBmRHfTMbXqgkCBgYFdOX6biqhCuAI+ndEY79/2Hbv/G+MbTpw+r/PbEK9ACTwID AQABo1MwUTAdBgNVHQ4EFgQUwYl2d6nJ7jnTDEZBqAxiKe6ljbMwHwYDVR0jBBgw FoAUwYl2d6nJ7jnTDEZBqAxiKe6ljbMwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG 9w0BAQsFAAOCAQEAH8PJT8vwWr9ZNVUOeis1R2kL8ZKKmOt0jqSx8+LxiNEiO9eK 6vfakAVD7TaU0kOlw0rAcgrYIZ24TMNDjOZjehCgjdjIY0xRqSbvZRsCDYsCFlDT T/vANk1e2mywtHpTzrONQzhCUUjomF8OLOu9vAKw3oNtAd50KP2JNgbXoDOyQtJb GbLcstw1DGRkXRL0NB7muCEpDHVGvU68V69KLHa7AFNoERHSspnUtzwxv3NQ4A5N F3pXRn7WIc7b4KjzqGYDjWB1gW+lmDcX2iUMHObZiaU8DbWf/ZXxIGsVfj5xDeyu 2WltqnV2V8Y/UTDgvziPvA9FlfU0ijt6Xrwqvw== -----END CERTIFICATE-----

[ismarc]

Cluster info: ID of K8s authenticator: openshift/xa-secretless-dual Conjur account: xa

UI: https://xa-secretless-dual.qa.conjur.net Master LB: xa-secretless-dual.qa.conjur.net Follower LB: xa-secretless-dual-follower.qa.conjur.net Master: 3.83.192.181 Sync standby: 3.85.245.246 Async standby: 3.215.183.151 Follower: 18.207.241.184

[sgnn7]

• 4 day, 2 threads, recreate:true test is running. should be done on Tue at about 2:30 PM EST

https://<cluster>/console/project/srdjan-secretless-rotation/browse/pods/juxtaposer-mysql-84c9f49958-kfhcq?tab=logs

• 4 day, 2 threads, recreate:false test is running. should be done on Tue at about 2:45 PM EST

https://<cluster>/console/project/srdjan-secretless-rotation/browse/pods/juxtaposer-mysql2-7f4cc89fb4-58s55?tab=logs