Update the Kubernetes demo to use cyberark/demo-app (#18)

* Update the Kubernetes demo to use cyberark/demo-app - Remove old test apps - Build/deploy a PostgreSQL instance when apps are built/deployed - Store DB username and URL in Conjur policy as well as password - Update naming to use "summon" instead of "api" - Update validation test to POST and GET to the API of the demo apps - Expose apps over port 8080 - Update app manifests to enable them to work with Summon * Add minishift to `is_minienv` check in utils * fix typo
conjurdemos · Aug 30, 2018 · 51eb365 · 51eb365
1 parent 1bd8045
commit 51eb365
Show file tree

Hide file tree

Showing 32 changed files with 297 additions and 245 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,3 @@
-policy/policy.yml
 policy/generated/*
 webapp/summon*.gz
+pg/schema.sql
diff --git a/2_load_conjur_policies.sh b/2_load_conjur_policies.sh
@@ -11,14 +11,10 @@ pushd policy
   sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/cluster-authn-svc-def.template.yml > ./generated/cluster-authn-svc.yml
 
   sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/project-authn-def.template.yml |
-    sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
-    sed -e "s#{{ TEST_APP_NAME }}#$TEST_APP_NAME#g" > ./generated/project-authn.yml
+    sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/project-authn.yml
 
   sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/app-identity-def.template.yml |
-    sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
-    sed -e "s#{{ TEST_APP_NAME }}#$TEST_APP_NAME#g" > ./generated/app-identity.yml
-
-  sed -e "s#{{ TEST_APP_NAME }}#$TEST_APP_NAME#g" ./templates/app-access-def.template.yml > ./generated/app-access.yml
+    sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/app-identity.yml
 popd
 
 
@@ -37,7 +33,7 @@ POLICY_FILE_LIST="policy/users.yml
 policy/generated/project-authn.yml
 policy/generated/cluster-authn-svc.yml
 policy/generated/app-identity.yml
-policy/generated/app-access.yml"
+policy/app-access.yml"
 
 for i in $POLICY_FILE_LIST; do
   echo "Loading policy $i..."
@@ -54,7 +50,14 @@ echo "Conjur policy loaded."
 
 password=$(openssl rand -hex 12)
 
-$cli exec $conjur_cli_pod -- conjur variable values add "secrets/db-password" $password
+$cli exec $conjur_cli_pod -- conjur variable values add "test-app-db/password" $password
+$cli exec $conjur_cli_pod -- conjur variable values add "test-app-db/url" "postgresql://test-app-backend.$TEST_APP_NAMESPACE_NAME.svc.cluster.local:5432/postgres"
+$cli exec $conjur_cli_pod -- conjur variable values add "test-app-db/username" "test_app"
+
+# Set DB password in DB schema
+pushd pg
+  sed -e "s#{{ TEST_APP_PG_PASSWORD }}#$password#g" ./schema.template.sql > ./schema.sql
+popd
 
 announce "Added DB password value: $password"
 

diff --git a/5_build_and_push_containers.sh b/5_build_and_push_containers.sh
@@ -7,14 +7,42 @@ if [ $PLATFORM = 'openshift' ]; then
     docker login -u _ -p $(oc whoami -t) $DOCKER_REGISTRY_PATH
 fi
 
-announce "Building and pushing test app image."
+announce "Building and pushing test app images."
 
-pushd $TEST_APP_NAME
-  ./build.sh
-popd
+# Kubernetes and OpenShift currently run different apps in the demo
+if [[ "$PLATFORM" = "kubernetes" ]]; then
+
+  pushd test_app
+    docker build -t test-app:$CONJUR_NAMESPACE_NAME .
+
+    test_app_image=$(platform_image test-app)
+    docker tag test-app:$CONJUR_NAMESPACE_NAME $test_app_image
+
+    if [[ is_minienv != true ]]; then
+      docker push $test_app_image
+    fi
+  popd
+
+  pushd pg
+    docker build -t test-app-pg:$CONJUR_NAMESPACE_NAME .
+
+    test_app_pg_image=$(platform_image test-app-pg)
+    docker tag test-app-pg:$CONJUR_NAMESPACE_NAME $test_app_pg_image
+
+    if [[ is_minienv != true ]]; then
+      docker push $test_app_pg_image
+    fi
+  popd
+
+else
+
+  pushd webapp
+    ./build.sh
+    test_app_image=$(platform_image test-app)
+    docker tag test-app:$CONJUR_NAMESPACE_NAME $test_app_image
+    if [[ is_minienv != true ]]; then
+      docker push $test_app_image
+    fi
+  popd
 
-test_app_image=$(platform_image $TEST_APP_NAME)
-docker tag $TEST_APP_NAME:$TEST_APP_NAMESPACE_NAME $test_app_image
-if [[ $MINIKUBE != true ]]; then
-  docker push $test_app_image
 fi
diff --git a/6_deploy_test_app.sh b/6_deploy_test_app.sh
@@ -15,7 +15,12 @@ main() {
   else
     IMAGE_PULL_POLICY='Always'
   fi
-
+
+  # The Kubernetes app has a PG backend that also needs to be deployed
+  if [[ "$PLATFORM" = "kubernetes" ]]; then
+    deploy_app_backend
+  fi
+
   deploy_sidecar_app
   deploy_init_container_app
   sleep 10  # allow time for containers to initialize
@@ -52,7 +57,7 @@ init_registry_creds() {
 
 ###########################
 init_connection_specs() {
-  test_app_docker_image=$(platform_image $TEST_APP_NAME)
+  test_app_docker_image=$(platform_image test-app)
 
   conjur_appliance_url=https://conjur-follower.$CONJUR_NAMESPACE_NAME.svc.cluster.local/api
   conjur_authenticator_url=https://conjur-follower.$CONJUR_NAMESPACE_NAME.svc.cluster.local/api/authn-k8s/$AUTHENTICATOR_ID
@@ -67,27 +72,38 @@ init_connection_specs() {
   fi
 }
 
+###########################
+deploy_app_backend() {
+  $cli delete --ignore-not-found \
+     service/test-app-backend \
+     statefulset/pg
+
+  echo "Deploying test app backend"
+  test_app_pg_docker_image=$(platform_image test-app-pg)
+  sed -e "s#{{ TEST_APP_PG_DOCKER_IMAGE }}#$test_app_pg_docker_image#g" ./$PLATFORM/postgres.yml |
+    $cli create -f -
+}
+
 ###########################
 deploy_sidecar_app() {
   $cli delete --ignore-not-found \
-    deployment/test-app-api-sidecar \
-    service/test-app-api-sidecar \
-    serviceaccount/test-app-api-sidecar
+    deployment/test-app-summon-sidecar \
+    service/test-app-summon-sidecar \
+    serviceaccount/test-app-summon-sidecar
 
   if [ $PLATFORM = 'openshift' ]; then
-    oc delete --ignore-not-found deploymentconfig/test-app-api-sidecar
+    oc delete --ignore-not-found deploymentconfig/test-app-summon-sidecar
   fi
 
   sleep 5
 
-  sed -e "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_app_docker_image#g" ./$PLATFORM/test-app-api-sidecar.yml |
+  sed -e "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_app_docker_image#g" ./$PLATFORM/test-app-summon-sidecar.yml |
     sed -e "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" |
     sed -e "s#{{ CONJUR_VERSION }}#$CONJUR_VERSION#g" |
     sed -e "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" |
     sed -e "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" |
     sed -e "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" |
     sed -e "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" |
-    sed -e "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" |
     sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
     sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" |
     sed -e "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
@@ -100,24 +116,23 @@ deploy_sidecar_app() {
 ###########################
 deploy_init_container_app() {
   $cli delete --ignore-not-found \
-    deployment/test-app-api-init \
-    service/test-app-api-init \
-    serviceaccount/test-app-api-init
+    deployment/test-app-summon-init \
+    service/test-app-summon-init \
+    serviceaccount/test-app-summon-init
 
   if [ $PLATFORM = 'openshift' ]; then
-    oc delete --ignore-not-found deploymentconfig/test-app-api-init
+    oc delete --ignore-not-found deploymentconfig/test-app-summon-init
   fi
 
   sleep 5
 
-  sed -e "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_app_docker_image#g" ./$PLATFORM/test-app-api-init.yml |
+  sed -e "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_app_docker_image#g" ./$PLATFORM/test-app-summon-init.yml |
     sed -e "s#{{ IMAGE_PULL_POLICY }}#$IMAGE_PULL_POLICY#g" |
     sed -e "s#{{ CONJUR_VERSION }}#$CONJUR_VERSION#g" |
     sed -e "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" |
     sed -e "s#{{ CONJUR_AUTHN_LOGIN_PREFIX }}#$conjur_authn_login_prefix#g" |
     sed -e "s#{{ CONJUR_APPLIANCE_URL }}#$conjur_appliance_url#g" |
     sed -e "s#{{ CONJUR_AUTHN_URL }}#$conjur_authenticator_url#g" |
-    sed -e "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" |
     sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
     sed -e "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" |
     sed -e "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |

diff --git a/7_retrieve_secret.sh b/7_retrieve_secret.sh
diff --git a/7_verify_authentication.sh b/7_verify_authentication.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+set -euo pipefail
+
+. utils.sh
+
+announce "Validating that the deployments are functioning as expected."
+
+set_namespace $TEST_APP_NAMESPACE_NAME
+
+# Kubernetes and OpenShift currently deploy different apps; verify differently
+if [[ "$PLATFORM" = "kubernetes" ]]; then
+
+  init_url=$($cli describe service test-app-summon-init |
+    grep 'LoadBalancer Ingress' | awk '{ print $3 }'):8080
+  sidecar_url=$($cli describe service test-app-summon-sidecar |
+    grep 'LoadBalancer Ingress' | awk '{ print $3 }'):8080
+
+  echo -e "Adding entry to the init app\n"
+  curl \
+    -d '{"name": "Mr. Init"}' \
+    -H "Content-Type: application/json" \
+    $init_url/pet
+
+  echo -e "Adding entry to the sidecar app\n"
+  curl \
+    -d '{"name": "Mr. Sidecar"}' \
+    -H "Content-Type: application/json" \
+    $sidecar_url/pet
+
+  echo -e "Remember that they are both using the same DB backend...\n"
+
+  echo -e "Querying init app\n"
+  curl $init_url/pets
+
+  echo -e "\n\nQuerying sidecar app\n"
+  curl $sidecar_url/pets
+
+else
+
+  sidecar_api_pod=$($cli get pods --no-headers -l app=test-app-summon-sidecar | awk '{ print $1 }')
+  if [[ "$sidecar_api_pod" != "" ]]; then
+    echo "Sidecar + REST API: $($cli exec -c $TEST_APP_NAMESPACE_NAME-app $sidecar_api_pod -- /webapp_v$CONJUR_VERSION.sh)"
+    echo "Sidecar + Summon: $($cli exec -c $TEST_APP_NAMESPACE_NAME-app $sidecar_api_pod -- summon /webapp_summon.sh)"
+  fi
+
+  init_api_pod=$($cli get pods --no-headers -l app=test-app-summon-init | awk '{ print $1 }')
+  if [[ "$init_api_pod" != "" ]]; then
+    echo "Init Container + REST API: $($cli exec -c $TEST_APP_NAMESPACE_NAME-app $init_api_pod -- /webapp_v$CONJUR_VERSION.sh)"
+    echo "Init Container + Summon: $($cli exec -c $TEST_APP_NAMESPACE_NAME-app $init_api_pod -- summon /webapp_summon.sh)"
+  fi
+
+fi
diff --git a/bootstrap.env b/bootstrap.env
@@ -1,4 +1,2 @@
 # These values augment those set in ...-deploy bootstrap.env
 export TEST_APP_NAMESPACE_NAME=amex
-# TEST_APP_NAME must be the same as the application build directory name
-export TEST_APP_NAME=webapp
diff --git a/kubernetes/postgres.yml b/kubernetes/postgres.yml
@@ -0,0 +1,35 @@
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: test-app-backend
+spec:
+  selector:
+    app: test-app-backend
+  ports:
+    - port: 5432
+      targetPort: 5432
+
+---
+apiVersion: apps/v1beta1
+kind: StatefulSet
+metadata:
+  name: pg
+  labels:
+    app: test-app-backend
+spec:
+  serviceName: test-app-backend
+  selector:
+    matchLabels:
+      app: test-app-backend
+  template:
+    metadata:
+      labels:
+        app: test-app-backend
+    spec:
+      containers:
+      - name: test-app-backend
+        image: {{ TEST_APP_PG_DOCKER_IMAGE }}
+        imagePullPolicy: Always
+        ports:
+          - containerPort: 5432
diff --git a/kubernetes/test-app-api-init.yml → kubernetes/test-app-summon-init.yml b/kubernetes/test-app-api-init.yml → kubernetes/test-app-summon-init.yml
@@ -1,57 +1,60 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: test-app-api-init
+  name: test-app-summon-init
   labels:
-    app: test-app-api-init
+    app: test-app-summon-init
 spec:
   ports:
   - protocol: TCP
-    port: 80
+    port: 8080
+    targetPort: 8080
   selector:
-    app: test-app-api-init
+    app: test-app-summon-init
   type: LoadBalancer
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: test-app-api-init
+  name: test-app-summon-init
 ---
 apiVersion: apps/v1beta1
 kind: Deployment
 metadata:
   labels:
-    app: test-app-api-init
-  name: test-app-api-init
+    app: test-app-summon-init
+  name: test-app-summon-init
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: test-app-api-init
+      app: test-app-summon-init
   template:
     metadata:
       labels:
-        app: test-app-api-init
+        app: test-app-summon-init
     spec:
-      serviceAccountName: test-app-api-init
+      serviceAccountName: test-app-summon-init
       containers:
       - image: {{ TEST_APP_DOCKER_IMAGE }}
         imagePullPolicy: {{ IMAGE_PULL_POLICY }}
-        name: {{ TEST_APP_NAMESPACE_NAME }}-app
+        name: test-app
+        ports:
+        - containerPort: 8080
         env:
+          - name: CONJUR_VERSION
+            value: '{{ CONJUR_VERSION }}'
           - name: CONJUR_APPLIANCE_URL
             value: "{{ CONJUR_APPLIANCE_URL }}"
           - name: CONJUR_ACCOUNT
             value: {{ CONJUR_ACCOUNT }}
+          - name: CONJUR_AUTHN_TOKEN_FILE
+            value: /run/conjur/access-token
           - name: CONJUR_SSL_CERTIFICATE
             valueFrom:
               configMapKeyRef:
                 name: {{ CONFIG_MAP_NAME }}
                 key: ssl-certificate
-          - name: CONJUR_AUTHN_TOKEN_FILE
-            value: /run/conjur/access-token
-          - name: CONJUR_VERSION
-            value: "{{ CONJUR_VERSION }}"
         volumeMounts:
           - mountPath: /run/conjur
             name: conjur-access-token
@@ -82,7 +85,7 @@ spec:
           - name: CONJUR_ACCOUNT
             value: {{ CONJUR_ACCOUNT }}
           - name: CONJUR_AUTHN_LOGIN
-            value: "{{ CONJUR_AUTHN_LOGIN_PREFIX }}/test-app-api-init"
+            value: "{{ CONJUR_AUTHN_LOGIN_PREFIX }}/test-app-summon-init"
           - name: CONJUR_SSL_CERTIFICATE
             valueFrom:
               configMapKeyRef: