From fd288d79677984487f9e98aefc7606d3334b2d55 Mon Sep 17 00:00:00 2001 
From: Kumbirai Tanekha Date: Wed, 11 Apr 2018 23:22:05 +0100 Subject: [PATCH 01/21] initial attempt working end to end in GKE --- demo/.gitignore | 2 + demo/0_check_dependencies.sh | 40 +++++++ demo/1_initialize_conjur.sh | 18 +++ demo/2_load_conjur_policies.sh | 39 +++++++ demo/3_init_conjur_cert_authority.sh | 14 +++ demo/4_create_test_app_project.sh | 23 ++++ demo/5_store_conjur_cert.sh | 24 ++++ demo/6_build_and_push_containers.sh | 14 +++ demo/7_deploy_test_app.sh | 48 ++++++++ demo/8_retrieve_secret.sh | 12 ++ demo/README.md | 46 ++++++++ ...app-conjur-authenticator-role-binding.yaml | 14 +++ demo/policy/apps.template.yml | 17 +++ demo/policy/authn-k8s.template.yml | 65 +++++++++++ demo/policy/conjur.yml | 3 + demo/policy/users.yml | 17 +++ demo/rotate | 17 +++ demo/start | 15 +++ demo/stop | 26 +++++ demo/test_app/build/Dockerfile | 10 ++ demo/test_app/build/build.sh | 4 + demo/test_app/build/secrets.yml | 1 + demo/test_app/build/test_app.rb | 36 ++++++ demo/test_app/test_app.yaml | 84 ++++++++++++++ demo/utils.sh | 67 +++++++++++ deploy/.gitignore | 2 + deploy/0_check_dependencies.sh | 50 ++++++++ deploy/1_create_kubernetes_project.sh | 28 +++++ deploy/2_build_and_push_containers.sh | 16 +++ deploy/3_deploy_conjur_cluster.sh | 30 +++++ deploy/4_configure_master.sh | 25 ++++ deploy/5_create_load_balancer.sh | 22 ++++ deploy/6_configure_standbys.sh | 39 +++++++ deploy/7_configure_followers.sh | 32 ++++++ deploy/8_print_config.sh | 23 ++++ deploy/README.md | 95 +++++++++++++++ deploy/build/conjur_server/Dockerfile | 4 + deploy/build/conjur_server/build.sh | 5 + deploy/build/conjur_server/conjur.json | 5 + deploy/build/haproxy/Dockerfile | 12 ++ deploy/build/haproxy/build.sh | 4 + deploy/build/haproxy/conjur-health-check.sh | 8 ++ deploy/build/haproxy/start.sh | 10 ++ deploy/haproxy/haproxy.template.cfg | 23 ++++ deploy/haproxy/update_haproxy.sh | 95 +++++++++++++++ .../manifests/conjur-authenticator-role.yaml | 12 ++ deploy/manifests/conjur-cluster.yaml | 34 
++++++ deploy/manifests/conjur-follower.yaml | 48 ++++++++ deploy/manifests/haproxy-conjur-master.yaml | 40 +++++++ deploy/start | 15 +++ deploy/stop | 26 +++++ deploy/utils.sh | 108 ++++++++++++++++++ 52 files changed, 1467 insertions(+) create mode 100644 demo/.gitignore create mode 100755 demo/0_check_dependencies.sh create mode 100755 demo/1_initialize_conjur.sh create mode 100755 demo/2_load_conjur_policies.sh create mode 100755 demo/3_init_conjur_cert_authority.sh create mode 100755 demo/4_create_test_app_project.sh create mode 100755 demo/5_store_conjur_cert.sh create mode 100755 demo/6_build_and_push_containers.sh create mode 100755 demo/7_deploy_test_app.sh create mode 100755 demo/8_retrieve_secret.sh create mode 100644 demo/README.md create mode 100644 demo/manifests/test-app-conjur-authenticator-role-binding.yaml create mode 100644 demo/policy/apps.template.yml create mode 100644 demo/policy/authn-k8s.template.yml create mode 100644 demo/policy/conjur.yml create mode 100644 demo/policy/users.yml create mode 100755 demo/rotate create mode 100755 demo/start create mode 100755 demo/stop create mode 100644 demo/test_app/build/Dockerfile create mode 100755 demo/test_app/build/build.sh create mode 100644 demo/test_app/build/secrets.yml create mode 100644 demo/test_app/build/test_app.rb create mode 100644 demo/test_app/test_app.yaml create mode 100755 demo/utils.sh create mode 100644 deploy/.gitignore create mode 100755 deploy/0_check_dependencies.sh create mode 100755 deploy/1_create_kubernetes_project.sh create mode 100755 deploy/2_build_and_push_containers.sh create mode 100755 deploy/3_deploy_conjur_cluster.sh create mode 100755 deploy/4_configure_master.sh create mode 100755 deploy/5_create_load_balancer.sh create mode 100755 deploy/6_configure_standbys.sh create mode 100755 deploy/7_configure_followers.sh create mode 100755 deploy/8_print_config.sh create mode 100644 deploy/README.md create mode 100644 deploy/build/conjur_server/Dockerfile create mode 
100755 deploy/build/conjur_server/build.sh create mode 100644 deploy/build/conjur_server/conjur.json create mode 100644 deploy/build/haproxy/Dockerfile create mode 100755 deploy/build/haproxy/build.sh create mode 100755 deploy/build/haproxy/conjur-health-check.sh create mode 100755 deploy/build/haproxy/start.sh create mode 100644 deploy/haproxy/haproxy.template.cfg create mode 100755 deploy/haproxy/update_haproxy.sh create mode 100644 deploy/manifests/conjur-authenticator-role.yaml create mode 100644 deploy/manifests/conjur-cluster.yaml create mode 100644 deploy/manifests/conjur-follower.yaml create mode 100644 deploy/manifests/haproxy-conjur-master.yaml create mode 100755 deploy/start create mode 100755 deploy/stop create mode 100755 deploy/utils.sh diff --git a/demo/.gitignore b/demo/.gitignore new file mode 100644 index 0000000..6bdcbdd --- /dev/null +++ b/demo/.gitignore @@ -0,0 +1,2 @@ +policy/authn-k8s.yml +policy/apps.yml diff --git a/demo/0_check_dependencies.sh b/demo/0_check_dependencies.sh new file mode 100755 index 0000000..d725312 --- /dev/null +++ b/demo/0_check_dependencies.sh 
@@ -0,0 +1,40 @@
+#!/bin/bash
+set -eo pipefail
+
+# Confirm logged into Kubernetes.
+read -p "Before we proceed...
+Are you logged in to a Kubernetes cluster (yes/no)? " choice
+case "$choice" in
+ yes ) echo "Great! Let's go.";;
+ * ) echo "You must login to a Kubernetes cluster before running this demo." && exit 1;;
+esac
+
+# Confirm Conjur project name is configured.
+if [ "$CONJUR_PROJECT_NAME" = "" ]; then
+ echo "You must set CONJUR_PROJECT_NAME before running this script."
+ exit 1
+fi
+
+# Confirm docker registry is configured.
+if [ "$DOCKER_REGISTRY_PATH" = "" ]; then
+ echo "You must set DOCKER_REGISTRY_PATH before running this script."
+ exit 1
+fi
+
+# Confirm Conjur account is configured.
+if [ "$CONJUR_ACCOUNT" = "" ]; then
+ echo "You must set CONJUR_ACCOUNT before running this script."
+ exit 1
+fi
+
+# Confirm Conjur admin password is configured.
+if [ "$CONJUR_ADMIN_PASSWORD" = "" ]; then
+ echo "You must set CONJUR_ADMIN_PASSWORD before running this script."
+ exit 1
+fi
+
+# Confirm test app project name is configured.
+if [ "$TEST_APP_PROJECT_NAME" = "" ]; then
+ echo "You must set TEST_APP_PROJECT_NAME before running this script."
+ exit 1
+fi
diff --git a/demo/1_initialize_conjur.sh b/demo/1_initialize_conjur.sh new file mode 100755
index 0000000..339d968
--- /dev/null
+++ b/demo/1_initialize_conjur.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+announce "Initializing Conjur."
+
+set_project $CONJUR_PROJECT_NAME
+
+conjur_master=$(get_master_pod_name)
+
+kubectl exec $conjur_master -- rm -f ./conjurrc "./conjur-${CONJUR_ACCOUNT}.pem"
+kubectl exec $conjur_master -- bash -c 'yes yes | conjur init -h localhost'
+kubectl exec $conjur_master -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD
+kubectl exec $conjur_master -- conjur bootstrap
+kubectl exec $conjur_master -- conjur authn logout
+
+echo "Conjur initialized."
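Review bot: The dependency check never validates `AUTHENTICATOR_SERVICE_ID` or `DOCKER_REGISTRY_URL`, yet `2_load_conjur_policies.sh`, `3_init_conjur_cert_authority.sh` and `6_build_and_push_containers.sh` read them under `set -u`, so a missing value only surfaces mid-run, after Conjur has already been partly initialized. Add two more guards in the same shape, `if [ "$AUTHENTICATOR_SERVICE_ID" = "" ]; then echo "You must set AUTHENTICATOR_SERVICE_ID before running this script."; exit 1; fi` and the same for `DOCKER_REGISTRY_URL`; the `: "${VAR:?message}"` idiom would express all of these checks in one line each. Note also that this script uses `set -eo pipefail` while every other script in the commit uses `set -eou pipefail`, so the empty-string tests here depend on unset variables expanding to empty rather than aborting.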
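Review bot: `conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD` passes the admin password as a `kubectl exec` argument, which leaves it visible in the pod's process list, in the API server's exec request, and in any `set -x` trace (`2_load_conjur_policies.sh` enables `-x`); the same pattern appears in `2_load_conjur_policies.sh`, `rotate` and `deploy/4_configure_master.sh`. If the CLI offers an interactive prompt or a stdin/environment path for the password, prefer that; at minimum quote the expansion, `-p "$CONJUR_ADMIN_PASSWORD"`, since `set -u` does not protect against word-splitting. `yes yes | conjur init -h localhost` accepts whatever certificate fingerprint the server presents; that is tolerable only because the call runs inside the master pod against localhost, and a comment such as `# auto-accepting the fingerprint is acceptable only because this runs inside the pod against localhost` would stop it being copied elsewhere.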
diff --git a/demo/2_load_conjur_policies.sh b/demo/2_load_conjur_policies.sh new file mode 100755
index 0000000..a1cf047
--- /dev/null
+++ b/demo/2_load_conjur_policies.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+set -xeou pipefail
+
+. utils.sh
+
+announce "Loading Conjur policy."
+
+set_project $CONJUR_PROJECT_NAME
+
+conjur_master=$(get_master_pod_name)
+
+# (re)install Conjur policy plugin
+kubectl exec $conjur_master -- touch /opt/conjur/etc/plugins.yml
+kubectl exec $conjur_master -- conjur plugin uninstall policy
+kubectl exec $conjur_master -- conjur plugin install policy
+
+pushd policy
+ sed -e "s#{{ SERVICE_ID }}#$AUTHENTICATOR_SERVICE_ID#g" ./authn-k8s.template.yml |
+ sed -e "s#{{ TEST_APP_PROJECT_NAME }}#$TEST_APP_PROJECT_NAME#g" > ./authn-k8s.yml
+
+ sed -e "s#{{ TEST_APP_PROJECT_NAME }}#$TEST_APP_PROJECT_NAME#g" ./apps.template.yml > ./apps.yml
+popd
+
+kubectl cp ./policy conjur-cluster-1396572337-c7265:/policy
+
+kubectl exec $conjur_master -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD
+kubectl exec $conjur_master -- conjur policy load --as-group security_admin "policy/conjur.yml"
+
+kubectl exec $conjur_master -- rm -rf ./policy
+
+echo "Conjur policy loaded."
+
+password=$(openssl rand -hex 12)
+
+kubectl exec $conjur_master -- conjur variable values add test-app-db/password $password
+
+announce "Added DB password value: $password"
+
+kubectl exec $conjur_master -- conjur authn logout
diff --git a/demo/3_init_conjur_cert_authority.sh b/demo/3_init_conjur_cert_authority.sh new file mode 100755
index 0000000..4c47525
--- /dev/null
+++ b/demo/3_init_conjur_cert_authority.sh
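Review bot: `kubectl cp ./policy conjur-cluster-1396572337-c7265:/policy` copies the policy into a hard-coded pod name instead of the `$conjur_master` obtained two lines earlier from `get_master_pod_name`, so this step can only succeed in the author's own cluster; change it to `kubectl cp ./policy "$conjur_master:/policy"`. The `set -xeou pipefail` on the second line also traces every command, including the `conjur authn login ... -p $CONJUR_ADMIN_PASSWORD` line and the generated `$password`, to stderr and into any CI log; drop `-x`, which no other script in the commit uses. Printing the new DB password through `announce` defeats the point of `8_retrieve_secret.sh`, which exists to show the value being fetched through the authenticator, so consider logging only that the value was set.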
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+announce "Initializing Conjur certificate authority."
+
+set_project $CONJUR_PROJECT_NAME
+
+conjur_master=$(get_master_pod_name)
+
+kubectl exec $conjur_master -- conjur-plugin-service authn-k8s rake ca:initialize["conjur/authn-k8s/$AUTHENTICATOR_SERVICE_ID"] > /dev/null
+
+echo "Certificate authority initialized."
diff --git a/demo/4_create_test_app_project.sh b/demo/4_create_test_app_project.sh new file mode 100755
index 0000000..e280235
--- /dev/null
+++ b/demo/4_create_test_app_project.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+announce "Creating Test App project."
+
+set_project default
+
+if has_project "$TEST_APP_PROJECT_NAME"; then
+ echo "Project '$TEST_APP_PROJECT_NAME' exists, not going to create it."
+ set_project $TEST_APP_PROJECT_NAME
+else
+ echo "Creating '$TEST_APP_PROJECT_NAME' project."
+ kubectl create namespace $TEST_APP_PROJECT_NAME
+ set_project $TEST_APP_PROJECT_NAME
+fi
+
+kubectl delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding
+
+sed -e "s#{{ TEST_APP_PROJECT_NAME }}#$TEST_APP_PROJECT_NAME#g" ./manifests/test-app-conjur-authenticator-role-binding.yaml |
+ sed -e "s#{{ CONJUR_PROJECT_NAME }}#$CONJUR_PROJECT_NAME#g" |
+ kubectl create -f -
diff --git a/demo/5_store_conjur_cert.sh b/demo/5_store_conjur_cert.sh new file mode 100755
index 0000000..a6d8803
--- /dev/null
+++ b/demo/5_store_conjur_cert.sh
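Review bot: The `rake ca:initialize[...]` argument is only partly quoted, so after quote removal the shell sees the unquoted `[` and `]` as a glob bracket expression; it reaches rake intact today only because no file matches the pattern. Quote the whole word, `"ca:initialize[conjur/authn-k8s/$AUTHENTICATOR_SERVICE_ID]"`. The `> /dev/null` also discards the rake output that would explain a failure — `set -e` still stops the script on a non-zero exit, but without the reason — so either keep the output or add `# rake output suppressed; rerun without the redirect to debug`.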
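Review bot: Quoting is inconsistent inside the same `if`: `has_project "$TEST_APP_PROJECT_NAME"` is quoted, but the `set_project $TEST_APP_PROJECT_NAME` and `kubectl create namespace $TEST_APP_PROJECT_NAME` lines below it are not, so a value with whitespace is split into several arguments and `set_project` exits with its "expecting 1 arg" error. Quote every expansion, e.g. `kubectl create namespace "$TEST_APP_PROJECT_NAME"` as `deploy/1_create_kubernetes_project.sh` already does. The `sed` substitutions use `#` as the delimiter, so a project name containing `#` or `&` would corrupt the rendered manifest; a one-line comment stating that assumption would help.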
@@ -0,0 +1,24 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+announce "Storing Conjur cert for test app configuration."
+
+set_project $CONJUR_PROJECT_NAME
+
+echo "Retrieving Conjur certificate."
+
+follower_pod_name=$(kubectl get pods -l role=follower --no-headers | awk '{ print $1 }' | head -1)
+ssl_cert=$(kubectl exec $follower_pod_name -- cat /opt/conjur/etc/ssl/conjur.pem)
+
+set_project $TEST_APP_PROJECT_NAME
+
+echo "Storing non-secret conjur cert as test app configuration data"
+
+kubectl delete --ignore-not-found=true configmap $TEST_APP_PROJECT_NAME
+
+# Store the Conjur cert in a ConfigMap.
+kubectl create configmap $TEST_APP_PROJECT_NAME --from-file=ssl-certificate=<(echo "$ssl_cert")
+
+echo "Conjur cert stored."
diff --git a/demo/6_build_and_push_containers.sh b/demo/6_build_and_push_containers.sh new file mode 100755
index 0000000..7679bad
--- /dev/null
+++ b/demo/6_build_and_push_containers.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+announce "Building and pushing test app image."
+
+docker login -u oauth2accesstoken -p "$(gcloud auth application-default print-access-token)" $DOCKER_REGISTRY_URL
+
+pushd test_app/build
+ ./build.sh
+popd
+
+docker_tag_and_push test-app
diff --git a/demo/7_deploy_test_app.sh b/demo/7_deploy_test_app.sh new file mode 100755
index 0000000..8816659
--- /dev/null
+++ b/demo/7_deploy_test_app.sh
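Review bot: `follower_pod_name` is taken from the first `role=follower` pod regardless of its phase, and nothing checks that the lookup returned anything, so an empty result turns the next line into `kubectl exec -- cat ...` with an unhelpful error long after the cause. Add `[[ -n "$follower_pod_name" ]] || { echo "No follower pod found" >&2; exit 1; }` before the exec and quote `"$follower_pod_name"`. `--from-literal=ssl-certificate="$ssl_cert"` should also replace the `--from-file=...=<(echo "$ssl_cert")` form, which relies on kubectl being able to read a `/dev/fd` process substitution as a regular file.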
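Review bot: `docker login -p "$(gcloud auth application-default print-access-token)"` puts the registry access token on the docker command line, where every local process can read it via `ps` and where shell history and `set -x` traces capture it; `deploy/2_build_and_push_containers.sh` has the identical line. Use the stdin form: `gcloud auth application-default print-access-token | docker login -u oauth2accesstoken --password-stdin "$DOCKER_REGISTRY_URL"`. The login is also GKE-specific while the README presents the demo as working against any Kubernetes cluster; the TODO in `7_deploy_test_app.sh` acknowledges this, but a comment here, `# GKE/GCR only: other registries need their own login step`, would save the next user a failed run.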
@@ -0,0 +1,48 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+announce "Deploying test app."
+
+set_project $TEST_APP_PROJECT_NAME
+
+# TODO Set credentials for Docker registry that isn't GKE.
+
+kubectl delete --ignore-not-found deployment test-app
+kubectl delete --ignore-not-found service test-app
+
+sleep 5
+
+test_app_docker_image=$DOCKER_REGISTRY_PATH/test-app:$CONJUR_PROJECT_NAME
+
+sed -e "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_app_docker_image#g" ./test_app/test_app.yaml |
+ sed -e "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" |
+ sed -e "s#{{ CONJUR_PROJECT_NAME }}#$CONJUR_PROJECT_NAME#g" |
+ sed -e "s#{{ TEST_APP_PROJECT_NAME }}#$TEST_APP_PROJECT_NAME#g" |
+ sed -e "s#{{ SERVICE_ID }}#$AUTHENTICATOR_SERVICE_ID#g" |
+ sed -e "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_PROJECT_NAME#g" |
+ kubectl create -f -
+
+sleep 20
+
+echo "Test app deployed."
+
+announce "
+Test app is ready.
+
+Addresses for the Test App service:
+
+ Inside the cluster:
+ test-app.$CONJUR_PROJECT_NAME.svc.cluster.local
+
+ Outside the cluster:
+ For now you have to port forward the service using kubectl, because HTTPS :)
+ Run:
+
+ kubectl port-forward svc/test-app 1234:80
+
+ Then head over to:
+
+ http://127.0.0.1:1234
+"
diff --git a/demo/8_retrieve_secret.sh b/demo/8_retrieve_secret.sh new file mode 100755
index 0000000..c89104a
--- /dev/null
+++ b/demo/8_retrieve_secret.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+announce "Retrieving secret using Conjur access token."
+
+set_project $TEST_APP_PROJECT_NAME
+
+test_app_pod=$(kubectl get pods --no-headers | awk '{ print $1 }')
+
+kubectl exec -c test-app $test_app_pod -- curl -s localhost
diff --git a/demo/README.md b/demo/README.md new file mode 100644
index 0000000..2a4aa5d
--- /dev/null
+++ b/demo/README.md
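Review bot: The closing `announce` tells the user the in-cluster address is `test-app.$CONJUR_PROJECT_NAME.svc.cluster.local`, but the Service is created in the namespace selected by `set_project $TEST_APP_PROJECT_NAME` at the top of the script, so the printed name resolves to nothing; change it to `test-app.$TEST_APP_PROJECT_NAME.svc.cluster.local`. The fixed `sleep 5` and `sleep 20` waits are a race rather than a readiness check: `kubectl rollout status deployment/test-app` after the `kubectl create` would wait exactly as long as needed and fail loudly if the authenticator sidecar never becomes ready, which is the failure mode this demo is most likely to hit.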
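Review bot: `test_app_pod=$(kubectl get pods --no-headers | awk '{ print $1 }')` collects every pod in the namespace, so as soon as a second pod exists (a terminating replica after a redeploy, or anything else the user adds) `kubectl exec` receives several names and fails. Select by label and take one name, `test_app_pod=$(kubectl get pods -l app=test-app -o jsonpath='{.items[0].metadata.name}')`, and quote `"$test_app_pod"` on the exec line; `app=test-app` is the label the Deployment in `test_app.yaml` sets.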
@@ -0,0 +1,46 @@ +# kubernetes-conjur-demo + +This repo demonstrates an app retrieving secrets from a Conjur cluster using the +[Kubernetes authenticator](https://github.com/conjurinc/authn-k8s). The numbered +scripts perform the same setps that a user will have to go through when setting +up their own applications. + +# Setup + +### Deploying Conjur + +Before running this demo you will need to [set up a Conjur cluster](https://github.com/conjurinc/kubernetes-conjur-deploy) +in your kubernetes environment. It is recommended that you **set up a separate +Conjur cluster** purely for the purpose of running this demo as it loads Conjur +policy that you would not want to be present in your production environment. + +### Script Configuration + +You will need to provide a name for the kubernetes project in which your test app +will be deployed: + +``` +export TEST_APP_PROJECT_NAME=test-app +``` + +You will also need to set several environment variables to match the values used +when configuring your Conjur deployment. Note that if you may already have these +variables set if you're using the same shell to run the demo: + +``` +export CONJUR_PROJECT_NAME= +export DOCKER_REGISTRY_PATH=docker-registry-. +export CONJUR_ACCOUNT= +export CONJUR_ADMIN_PASSWORD= +export AUTHENTICATOR_SERVICE_ID= +``` + +# Usage + +Run `./start` to execute the numbered scripts, which will step through the +process of configuring Conjur and deploying a test app. The test app uses the +Conjur Ruby API, configured with the access token provided by the authenticator +sidecar, to retrieve a secret value from Conjur. + +You can run the `./rotate` script to rotate the secret value and then run the +final numbered script again to retrieve and print the new value. \ No newline at end of file diff --git a/demo/manifests/test-app-conjur-authenticator-role-binding.yaml b/demo/manifests/test-app-conjur-authenticator-role-binding.yaml new file mode 100644 index 0000000..984f867 --- /dev/null 
+++ b/demo/manifests/test-app-conjur-authenticator-role-binding.yaml @@ -0,0 +1,14 @@ +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 # TODO: change this to match your k8s version +metadata: + name: test-app-conjur-authenticator-role-binding + namespace: {{ TEST_APP_PROJECT_NAME }} +subjects: + - kind: ServiceAccount + name: default + namespace: {{ CONJUR_PROJECT_NAME }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: conjur-authenticator diff --git a/demo/policy/apps.template.yml b/demo/policy/apps.template.yml new file mode 100644 index 0000000..2523f8a --- /dev/null +++ b/demo/policy/apps.template.yml @@ -0,0 +1,17 @@ +- !policy + id: test-app + owner: !group developers + body: + - !layer + +- !policy + id: test-app-db + owner: !group operations + body: + - &variables + - !variable password + + - !permit + resources: *variables + privilege: [ read, execute ] + role: !layer /test-app diff --git a/demo/policy/authn-k8s.template.yml b/demo/policy/authn-k8s.template.yml new file mode 100644 index 0000000..46e197c --- /dev/null +++ b/demo/policy/authn-k8s.template.yml 
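Review bot: The RoleBinding grants the `conjur-authenticator` ClusterRole to the `default` ServiceAccount of the Conjur namespace, and the comment in `deploy/1_create_kubernetes_project.sh` says that role includes `create` on `pods/exec` (the role manifest itself is not in this chunk). Every pod in the Conjur namespace that does not set `serviceAccountName` — the HAProxy pod, any debugging pod — therefore inherits the ability to exec into test-app pods; binding a dedicated ServiceAccount used only by the Conjur followers would keep that privilege with the component that needs it. At minimum record the intent on the subject, `# TODO: bind a dedicated Conjur service account instead of the namespace default`.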
@@ -0,0 +1,65 @@ +- !policy + id: conjur/authn-k8s/{{ SERVICE_ID }} + body: + - !webservice + annotations: + description: Authentication service for the Conjur OpenShift demo. + + - !policy + id: ca + body: + - !variable + id: cert + annotations: + description: CA cert for Kubernetes Pods. + + - !variable + id: key + annotations: + description: CA key for Kubernetes Pods. + + - !group + id: clients + annotations: + description: > + Members of this group can use the authn-k8s service. This group + typically has one member, which is a layer containing the enrolled + applications. + + - !permit + resource: !webservice + privilege: [ read, authenticate ] + role: !group clients + + - !policy + id: apps + annotations: + description: Apps and services in the OpenShift cluster. + body: + - !layer + + - &hosts + - !host + id: {{ TEST_APP_PROJECT_NAME }}/*/* + annotations: + kubernetes/authentication-container-name: authenticator + kubernetes: "true" + - !host + id: {{ TEST_APP_PROJECT_NAME }}/serviceaccount/default + annotations: + kubernetes/authentication-container-name: authenticator + kubernetes: "true" + + - !grant + role: !layer /test-app + members: + - !host {{ TEST_APP_PROJECT_NAME }}/*/* + - !host {{ TEST_APP_PROJECT_NAME }}/serviceaccount/default + + - !grant + role: !layer + members: *hosts + + - !grant + role: !group clients + member: !layer apps diff --git a/demo/policy/conjur.yml b/demo/policy/conjur.yml new file mode 100644 index 0000000..36d571a --- /dev/null +++ b/demo/policy/conjur.yml @@ -0,0 +1,3 @@ +- !include users.yml +- !include apps.yml +- !include authn-k8s.yml diff --git a/demo/policy/users.yml b/demo/policy/users.yml new file mode 100644 index 0000000..e00a81f --- /dev/null +++ b/demo/policy/users.yml @@ -0,0 +1,17 @@ +- !group developers + +- !group operations + +- !user dan + +- !user otto + +- !grant + role: !group developers + members: + - !user dan + - !group operations + +- !grant + role: !group operations + member: !user otto 
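Review bot: The host `{{ TEST_APP_PROJECT_NAME }}/*/*` is granted membership of `!layer /test-app`, which `apps.template.yml` permits to `read` and `execute` `test-app-db/password`, so any pod in the test-app namespace — whatever its ServiceAccount or owning controller — can obtain the password as long as its authenticating container is named `authenticator` (the `kubernetes/authentication-container-name` annotation). The `serviceaccount/default` host declared just below is the narrower identity, and `test_app.yaml` could use it for `CONJUR_AUTHN_LOGIN` instead of the wildcard; if the wildcard is kept for the demo, annotate it, e.g. `# demo only: the */* host lets every pod in the namespace authenticate as test-app`. The webservice description still reads `Authentication service for the Conjur OpenShift demo` although this commit targets GKE.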
diff --git a/demo/rotate b/demo/rotate new file mode 100755
index 0000000..1dc5ba4
--- /dev/null
+++ b/demo/rotate
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+announce "Rotating password."
+
+set_project $CONJUR_PROJECT_NAME
+
+conjur_master=$(get_master_pod_name)
+new_pwd=$(openssl rand -hex 12)
+
+kubectl exec $conjur_master -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD
+kubectl exec $conjur_master -- conjur variable values add test-app-db/password $new_pwd
+kubectl exec $conjur_master -- conjur authn logout
+
+echo "New db password is:" $new_pwd
diff --git a/demo/start b/demo/start new file mode 100755
index 0000000..c09638f
--- /dev/null
+++ b/demo/start
@@ -0,0 +1,15 @@
+#!/bin/bash
+set -eou pipefail
+
+0_check_dependencies.sh
+
+stop
+
+1_initialize_conjur.sh
+2_load_conjur_policies.sh
+3_init_conjur_cert_authority.sh
+4_create_test_app_project.sh
+5_store_conjur_cert.sh
+6_build_and_push_containers.sh
+7_deploy_test_app.sh
+8_retrieve_secret.sh
diff --git a/demo/stop b/demo/stop new file mode 100755
index 0000000..03fce07
--- /dev/null
+++ b/demo/stop
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+set_project default
+
+if has_project $TEST_APP_PROJECT_NAME; then
+ kubectl delete namespace $TEST_APP_PROJECT_NAME
+
+ printf "Waiting for $TEST_APP_PROJECT_NAME project deletion to complete"
+
+ while : ; do
+ printf "..."
+
+ if has_project "$TEST_APP_PROJECT_NAME"; then
+ sleep 5
+ else
+ break
+ fi
+ done
+
+ echo ""
+fi
+
+echo "Test app environment purged."
diff --git a/demo/test_app/build/Dockerfile b/demo/test_app/build/Dockerfile new file mode 100644
index 0000000..11c2279
--- /dev/null
+++ b/demo/test_app/build/Dockerfile
@@ -0,0 +1,10 @@
+FROM ruby:2.3
+
+RUN gem install -N activesupport --version 4.2.7.1
+RUN gem install -N conjur-api:"< 5.0" conjur-cli:"< 6.0" sinatra
+
+COPY test_app.rb usr/src/test_app.rb
+
+env PORT 80
+
+CMD [ "ruby", "/usr/src/test_app.rb" ] \ No newline at end of file
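Review bot: `start` invokes `0_check_dependencies.sh`, `stop` and the numbered scripts by bare name, which only resolves if the current directory is on `PATH`; with a normal PATH the first line fails with "command not found" and `set -e` stops there (or, worse, `stop` resolves to some unrelated binary). Prefix each with `./`, e.g. `./0_check_dependencies.sh` and `./stop`, and since every script sources `. utils.sh` relative to the working directory, a `cd "$(dirname "$0")"` at the top of `start` would make it runnable from anywhere. `deploy/start` presumably has the same shape, but its hunk is not in this chunk.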
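Review bot: `printf "Waiting for $TEST_APP_PROJECT_NAME project deletion to complete"` interpolates the project name into the printf format string, so a name containing `%` is interpreted as a conversion; write `printf 'Waiting for %s project deletion to complete' "$TEST_APP_PROJECT_NAME"`. The `has_project $TEST_APP_PROJECT_NAME` on the `if` line and `kubectl delete namespace $TEST_APP_PROJECT_NAME` are unquoted while the `has_project "$TEST_APP_PROJECT_NAME"` inside the loop is quoted; quote all three so a malformed value is rejected once rather than split into extra arguments.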
diff --git a/demo/test_app/build/build.sh b/demo/test_app/build/build.sh new file mode 100755 index 0000000..2c5ad1c --- /dev/null +++ b/demo/test_app/build/build.sh @@ -0,0 +1,4 @@ +#!/bin/bash -e +set -eou pipefail + +docker build -t test-app:$CONJUR_PROJECT_NAME . diff --git a/demo/test_app/build/secrets.yml b/demo/test_app/build/secrets.yml new file mode 100644 index 0000000..127ec69 --- /dev/null +++ b/demo/test_app/build/secrets.yml @@ -0,0 +1 @@ +DB_PASSWORD: !var db/password diff --git a/demo/test_app/build/test_app.rb b/demo/test_app/build/test_app.rb new file mode 100644 index 0000000..ae1cc6f --- /dev/null +++ b/demo/test_app/build/test_app.rb @@ -0,0 +1,36 @@ +#!/usr/bin/env ruby + +require 'sinatra' +require 'conjur-api' +require 'cgi' +require 'json' + +enable :logging + +helpers do + def username + raise "Expecting CONJUR_AUTHN_API_KEY to be blank" if ENV['CONJUR_AUTHN_API_KEY'] + ENV['CONJUR_AUTHN_LOGIN'] or raise "No CONJUR_AUTHN_LOGIN" + end + + def conjur_api + # Ideally this would be done only once. + # But for testing, it means that if the login fails, the pod is stuck in a bad state + # and the tests can't be performed. + Conjur.configuration.apply_cert_config! + + token = JSON.parse(File.read("/run/conjur/access-token")) + Conjur::API.new_from_token(token) + end +end + +get '/' do + begin + password = conjur_api.variable("test-app-db/password").value + "test-app-db password: #{password}" + rescue + $stderr.puts $! + $stderr.puts $!.backtrace.join("\n") + halt 500, "Error: #{$!}" + end +end diff --git a/demo/test_app/test_app.yaml b/demo/test_app/test_app.yaml new file mode 100644 index 0000000..6f3b168 --- /dev/null +++ b/demo/test_app/test_app.yaml 
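Review bot: `DB_PASSWORD: !var db/password` names a variable `db/password` that no policy in this commit defines — `apps.template.yml` creates `test-app-db/password`, which is also what `test_app.rb` fetches directly — and the Dockerfile never copies `secrets.yml` into the image, so the file is both unused and inconsistent. Either drop it or correct it to `DB_PASSWORD: !var test-app-db/password` and add a comment naming the tool that is expected to consume it, so the next reader does not assume the app reads it.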
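Review bot: The bare `rescue` in the `/` handler returns `halt 500, "Error: #{$!}"`, which sends the exception message — appliance URL, variable id, whatever the Conjur API reported — to the HTTP client; keep the `$stderr.puts` logging that is already there and return a generic body, `halt 500, "Error retrieving secret"`. The handler also returns the DB password in the response body to any caller; that is the demo's purpose, but a comment such as `# demo only: a real application would use the secret, never echo it` would keep the pattern from being copied. The `username` helper is never called, and `require 'cgi'` is unused.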
@@ -0,0 +1,84 @@ +apiVersion: v1 +kind: Service +metadata: + name: test-app + labels: + app: test-app +spec: + ports: + - protocol: TCP + port: 80 + selector: + app: test-app + type: LoadBalancer +--- +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + labels: + app: test-app + name: test-app +spec: + replicas: 1 + selector: + matchLabels: + app: test-app + template: + metadata: + labels: + app: test-app + spec: + containers: + - image: {{ TEST_APP_DOCKER_IMAGE }} + imagePullPolicy: Always + name: test-app + env: + - name: CONJUR_APPLIANCE_URL + value: https://conjur-follower.{{ CONJUR_PROJECT_NAME }}.svc.cluster.local/api + - name: CONJUR_ACCOUNT + value: {{ CONJUR_ACCOUNT }} + - name: CONJUR_SSL_CERTIFICATE + valueFrom: + configMapKeyRef: + name: {{ CONFIG_MAP_NAME }} + key: ssl-certificate + volumeMounts: + - mountPath: /run/conjur + name: conjur-access-token + readOnly: true + - image: cyberark/conjur-openshift-authenticator + imagePullPolicy: Always + name: authenticator + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONJUR_APPLIANCE_URL + value: https://conjur-follower.{{ CONJUR_PROJECT_NAME }}.svc.cluster.local/api + - name: CONJUR_AUTHN_URL + value: https://conjur-follower.{{ CONJUR_PROJECT_NAME }}.svc.cluster.local/api/authn-k8s/{{ SERVICE_ID }} + - name: CONJUR_ACCOUNT + value: {{ CONJUR_ACCOUNT }} + - name: CONJUR_AUTHN_LOGIN + value: {{ TEST_APP_PROJECT_NAME }}/*/* + - name: CONJUR_SSL_CERTIFICATE + valueFrom: + configMapKeyRef: + name: {{ CONFIG_MAP_NAME }} + key: ssl-certificate + volumeMounts: + - mountPath: /run/conjur + name: conjur-access-token + volumes: + - name: conjur-access-token + emptyDir: + medium: Memory diff --git a/demo/utils.sh b/demo/utils.sh new file mode 100755 index 0000000..dbbb627 --- /dev/null +++ b/demo/utils.sh 
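Review bot: The Service is `type: LoadBalancer`, which on GKE provisions an externally reachable IP for a plain-HTTP endpoint whose only route returns the database password, while the message in `7_deploy_test_app.sh` tells the user to reach the app through `kubectl port-forward`. Change it to `type: ClusterIP` (or drop the `type` line, which defaults to ClusterIP) so the demo is reachable only via port-forward or from inside the cluster. The `conjur-access-token` mount in the `test-app` container is correctly `readOnly: true` while the `authenticator` container's mount is writable, which matches the sidecar writing the token; a short comment on the `emptyDir` saying `medium: Memory` keeps the token off disk would explain that choice.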
@@ -0,0 +1,67 @@ +#!/bin/bash + +announce() { + echo "++++++++++++++++++++++++++++++++++++++" + echo "" + echo "$@" + echo "" + echo "++++++++++++++++++++++++++++++++++++++" +} + +has_project() { + if kubectl get namespace "$1" 2> /dev/null; then + true + else + false + fi +} + +docker_tag_and_push() { + docker_tag="${DOCKER_REGISTRY_PATH}/$1:$CONJUR_PROJECT_NAME" + docker tag $1:$CONJUR_PROJECT_NAME $docker_tag + docker push $docker_tag +} + +get_master_pod_name() { + pod_list=$(kubectl get pods -l app=conjur-node,role=master --no-headers | awk '{ print $1 }') + echo $pod_list | awk '{print $1}' +} + +run_conjur_cmd_as_admin() { + local command=$(cat $@) + + conjur authn logout > /dev/null + conjur authn login -u admin -p "$CONJUR_ADMIN_PASSWORD" > /dev/null + + local output=$(eval "$command") + + conjur authn logout > /dev/null + echo "$output" +} + +set_project() { + # general utility for switching projects/namespaces/contexts in kubernetes + # expects exactly 1 argument, a project name. + if [[ $# != 1 ]]; then + printf "Error in %s/%s - expecting 1 arg.\n" $(pwd) $0 + exit -1 + fi + + kubectl config set-context $(kubectl config current-context) --namespace="$1" > /dev/null +} + +load_policy() { + local POLICY_FILE=$1 + + run_conjur_cmd_as_admin < /dev/null)" == "" ]]; then + echo "You must have the Conjur v4 Appliance tagged as $conjur_appliance_image in your Docker engine to run this script." + exit 1 +fi diff --git a/deploy/1_create_kubernetes_project.sh b/deploy/1_create_kubernetes_project.sh new file mode 100755 index 0000000..4c370b7 --- /dev/null +++ b/deploy/1_create_kubernetes_project.sh 
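Review bot: `run_conjur_cmd_as_admin` slurps its input with `local command=$(cat $@)` and then runs it through `eval "$command"` while logged in as admin, so whatever text reaches it is executed as shell rather than passed as data; its only visible caller is `load_policy`, whose heredoc appears to have been lost in this rendering (the hunk runs straight into the `conjur_appliance_image` check that belongs to `deploy/0_check_dependencies.sh`), so the exact text fed to `eval` cannot be reviewed here. A safer shape is to take the conjur arguments as positional parameters and run them directly, `conjur "$@"`, bracketed by the same login/logout, instead of evaluating a string. Elsewhere in the file `docker_tag_and_push` assigns `docker_tag` without `local`, `get_master_pod_name` passes `$pod_list` unquoted, and `set_project` uses `exit -1`, which bash reports as status 255.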
@@ -0,0 +1,28 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+announce "Creating Conjur project."
+
+set_project default
+
+if has_project "$CONJUR_PROJECT_NAME"; then
+ echo "Project '$CONJUR_PROJECT_NAME' exists, not going to create it."
+ set_project $CONJUR_PROJECT_NAME
+else
+ echo "Creating '$CONJUR_PROJECT_NAME' project."
+ kubectl create namespace "$CONJUR_PROJECT_NAME"
+ set_project $CONJUR_PROJECT_NAME
+fi
+
+# Must run as root to unpack Conjur seed files on standbys for high availability.
+# TODO: replace this overprivileging with a service account + role + role binding
+
+# TODO: perhaps clusterroles should be defined independent of these scripts. for one this could delete an important clusterrole for user, unwittingly
+kubectl delete --ignore-not-found clusterrole conjur-authenticator
+
+# Grant default service account permissions it needs for authn-k8s to:
+# 1) get + list pods (to verify pod names)
+# 2) create + get pods/exec (to inject cert into app sidecar)
+kubectl create -f ./manifests/conjur-authenticator-role.yaml
diff --git a/deploy/2_build_and_push_containers.sh b/deploy/2_build_and_push_containers.sh new file mode 100755
index 0000000..7b3883f
--- /dev/null
+++ b/deploy/2_build_and_push_containers.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+docker login -u oauth2accesstoken -p "$(gcloud auth application-default print-access-token)" $DOCKER_REGISTRY_URL
+
+announce "Building and pushing haproxy image."
+
+pushd build/haproxy
+ ./build.sh
+popd
+
+docker_tag_and_push "haproxy"
+
+echo "Docker images pushed."
diff --git a/deploy/3_deploy_conjur_cluster.sh b/deploy/3_deploy_conjur_cluster.sh new file mode 100755
index 0000000..d3a4dc4
--- /dev/null
+++ b/deploy/3_deploy_conjur_cluster.sh
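Review bot: `kubectl delete --ignore-not-found clusterrole conjur-authenticator` followed by `kubectl create -f` removes a cluster-scoped role and leaves a window in which any existing RoleBinding (the demo's `test-app-conjur-authenticator-role-binding`) points at nothing; the TODO directly above already flags that this could delete a role someone else owns. `kubectl apply -f ./manifests/conjur-authenticator-role.yaml` is idempotent and avoids both the deletion and the gap. The comment `# Must run as root to unpack Conjur seed files ... TODO: replace this overprivileging` sits above no code at all — if the root/anyuid grant the README mentions was dropped for GKE, the comment should say what currently provides that privilege, or be removed.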
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+announce "Creating Conjur cluster."
+
+set_project $CONJUR_PROJECT_NAME
+
+kubectl delete --ignore-not-found secrets conjurregcred
+# Set credentials for Docker registry.
+kubectl create secret docker-registry conjurregcred --docker-server="registry2.itci.conjur.net" --docker-username="kumbirai.tanekha" --docker-password=$(conjur user rotate_api_key) --docker-email="kumbirai.tanekha@gmail.com"
+
+conjur_appliance_image=registry2.itci.conjur.net/conjur-appliance:4.9-stable
+
+echo "deploying main cluster"
+sed -e "s#{{ CONJUR_APPLIANCE_IMAGE }}#$conjur_appliance_image#g" ./manifests/conjur-cluster.yaml |
+ kubectl create -f -
+
+echo "deploying followers"
+sed -e "s#{{ CONJUR_APPLIANCE_IMAGE }}#$conjur_appliance_image#g" ./manifests/conjur-follower.yaml |
+ sed -e "s#{{ AUTHENTICATOR_SERVICE_ID }}#$AUTHENTICATOR_SERVICE_ID#g" |
+ kubectl create -f -
+
+sleep 10
+
+echo "Waiting for Conjur pods to launch..."
+wait_for_node $(get_master_pod_name)
+
+echo "Cluster created."
diff --git a/deploy/4_configure_master.sh b/deploy/4_configure_master.sh new file mode 100755
index 0000000..5b7b052
--- /dev/null
+++ b/deploy/4_configure_master.sh
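Review bot: The `kubectl create secret docker-registry conjurregcred` line hard-codes a personal registry identity (`--docker-username="kumbirai.tanekha"`, the matching e-mail and `registry2.itci.conjur.net`) and fills the password from `$(conjur user rotate_api_key)`, which rotates the invoking developer's own Conjur API key on every run and exposes it unquoted on the command line. Read the registry, user and credential from environment variables validated in `0_check_dependencies.sh` and pass them quoted, `--docker-password="$CONJUR_REGISTRY_PASSWORD"` (placeholder name), or create the pull secret outside these scripts. `conjur_appliance_image` also points straight at the remote registry, so the `build/conjur_server` image that bakes in `conjur.json` is never deployed and `4_configure_master.sh` has to `kubectl cp` the file instead; the README's instruction to tag the appliance locally as `conjur-appliance:4.9-stable` does not describe what this script runs.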
@@ -0,0 +1,25 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+announce "Configuring master pod."
+
+set_project $CONJUR_PROJECT_NAME
+
+master_pod_name=$(get_master_pod_name)
+
+kubectl label --overwrite pod $master_pod_name role=master
+
+# Configure Conjur master server using evoke.
+# TODO: do we need to add some environment url to the master altnames ?
+kubectl cp build/conjur_server/conjur.json $master_pod_name:/etc/conjur.json
+kubectl exec $master_pod_name -- evoke configure master \
+ -j /etc/conjur.json \
+ -h conjur-master \
+ --master-altnames localhost,conjur-master.$CONJUR_PROJECT_NAME.svc.cluster.local \
+ --follower-altnames conjur-follower,conjur-follower.$CONJUR_PROJECT_NAME.svc.cluster.local \
+ -p $CONJUR_ADMIN_PASSWORD \
+ $CONJUR_ACCOUNT
+
+echo "Master pod configured."
diff --git a/deploy/5_create_load_balancer.sh b/deploy/5_create_load_balancer.sh new file mode 100755
index 0000000..5dee806
--- /dev/null
+++ b/deploy/5_create_load_balancer.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+announce "Creating load balancer for master and standbys."
+
+set_project $CONJUR_PROJECT_NAME
+
+docker_image=${DOCKER_REGISTRY_PATH}/haproxy:$CONJUR_PROJECT_NAME
+
+sed -e "s#{{ DOCKER_IMAGE }}#$docker_image#g" ./manifests/haproxy-conjur-master.yaml |
+ kubectl create -f -
+
+sleep 5
+
+echo "Configuring load balancer..."
+
+# Update HAProxy config to reflect Conjur cluster and restart daemon.
+haproxy/update_haproxy.sh haproxy-conjur-master
+
+echo "Load balancer created and configured."
diff --git a/deploy/6_configure_standbys.sh b/deploy/6_configure_standbys.sh new file mode 100755
index 0000000..9483002
--- /dev/null
+++ b/deploy/6_configure_standbys.sh
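Review bot: `kubectl cp build/conjur_server/conjur.json $master_pod_name:/etc/conjur.json` does by hand what `6_configure_standbys.sh` and `7_configure_followers.sh` do through `copy_file_to_container`, and it leaves `$master_pod_name` unquoted inside a `pod:path` argument; `copy_file_to_container "build/conjur_server/conjur.json" "/etc/conjur.json" "$master_pod_name"` keeps the three scripts consistent. The `evoke configure master` call also expands `-p $CONJUR_ADMIN_PASSWORD` and `$CONJUR_ACCOUNT` unquoted, so a password containing whitespace or glob characters is split before it reaches the pod; quote both.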
@@ -0,0 +1,39 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+announce "Configuring standbys."
+
+set_project $CONJUR_PROJECT_NAME
+
+master_pod_name=$(get_master_pod_name)
+
+echo "Preparing standby seed files..."
+
+mkdir -p tmp
+kubectl exec $master_pod_name evoke seed standby conjur-standby > ./tmp/standby-seed.tar
+
+master_pod_ip=$(kubectl describe pod $master_pod_name | awk '/IP:/ { print $2 }')
+pod_list=$(kubectl get pods -l role=unset --no-headers | awk '{ print $1 }')
+
+for pod_name in $pod_list; do
+ printf "Configuring standby %s...\n" $pod_name
+
+ kubectl label --overwrite pod $pod_name role=standby
+
+ copy_file_to_container "./tmp/standby-seed.tar" "/tmp/standby-seed.tar" "$pod_name"
+ copy_file_to_container "build/conjur_server/conjur.json" "/etc/conjur.json" "$pod_name"
+
+ kubectl exec $pod_name evoke unpack seed /tmp/standby-seed.tar
+ kubectl exec $pod_name -- evoke configure standby -j /etc/conjur.json -i $master_pod_ip
+done
+
+rm -rf tmp
+
+echo "Standbys configured."
+echo "Starting synchronous replication..."
+
+mastercmd evoke replication sync
+
+echo "Standbys configured."
diff --git a/deploy/7_configure_followers.sh b/deploy/7_configure_followers.sh new file mode 100755
index 0000000..86c2aa0
--- /dev/null
+++ b/deploy/7_configure_followers.sh
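Review bot: The seed produced by `evoke seed standby` (which presumably carries the master's keys and certificates — confirm against the evoke documentation) is written to `./tmp/standby-seed.tar` in the working directory with default permissions and is only removed by the `rm -rf tmp` after the loop, so any failure under `set -e` between those lines leaves it on disk; `7_configure_followers.sh` has the same shape. Use a private temp dir and a trap: `seed_dir=$(mktemp -d)`, `trap 'rm -rf -- "$seed_dir"' EXIT`, and `kubectl exec "$master_pod_name" -- evoke seed standby conjur-standby > "$seed_dir/standby-seed.tar"`. The `kubectl exec $pod_name evoke unpack seed ...` lines omit the `--` separator that the next line uses, and `echo "Standbys configured."` is printed both before and after `mastercmd evoke replication sync`.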
@@ -0,0 +1,32 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+announce "Configuring followers."
+
+set_project $CONJUR_PROJECT_NAME
+
+master_pod_name=$(get_master_pod_name)
+
+echo "Preparing follower seed files..."
+
+mkdir -p tmp
+kubectl exec $master_pod_name evoke seed follower conjur-follower > ./tmp/follower-seed.tar
+
+master_pod_ip=$(kubectl describe pod $master_pod_name | awk '/IP:/ { print $2 }')
+pod_list=$(kubectl get pods -l role=follower --no-headers | awk '{ print $1 }')
+
+for pod_name in $pod_list; do
+ printf "Configuring follower %s...\n" $pod_name
+
+ copy_file_to_container "build/conjur_server/conjur.json" "/etc/conjur.json" "$pod_name"
+ copy_file_to_container "./tmp/follower-seed.tar" "/tmp/follower-seed.tar" "$pod_name"
+
+ kubectl exec $pod_name evoke unpack seed /tmp/follower-seed.tar
+ kubectl exec $pod_name -- evoke configure follower -j /etc/conjur.json
+done
+
+rm -rf tmp
+
+echo "Followers configured."
diff --git a/deploy/8_print_config.sh b/deploy/8_print_config.sh new file mode 100755
index 0000000..8a4e28a
--- /dev/null
+++ b/deploy/8_print_config.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+set_project $CONJUR_PROJECT_NAME
+
+api_key=$(rotate_api_key)
+
+announce "
+Conjur cluster is ready.
+
+Addresses for the Conjur Master service:
+
+ Inside the cluster:
+ conjur-master.$CONJUR_PROJECT_NAME.svc.cluster.local
+
+ Outside the cluster:
+ kubectl port-forward svc/test-app 1234:80
+
+Conjur login credentials:
+ admin / $api_key
+"
diff --git a/deploy/README.md b/deploy/README.md new file mode 100644
index 0000000..4403c0c
--- /dev/null
+++ b/deploy/README.md
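Review bot: The `Outside the cluster:` hint prints `kubectl port-forward svc/test-app 1234:80`, copied from the demo's message, but this script runs in `$CONJUR_PROJECT_NAME`, where no `test-app` service exists; it should name the master service that the `Inside the cluster` line already refers to, e.g. `kubectl port-forward svc/conjur-master 1234:443` — confirm the service name and port against `manifests/conjur-cluster.yaml`, which is not in this chunk. `api_key=$(rotate_api_key)` also appears to rotate the admin API key as a side effect every time the configuration is printed (`rotate_api_key` is defined in `deploy/utils.sh`, not visible here); if that is intended, say so in a comment, e.g. `# rotates and prints a fresh admin API key on every run`.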
@@ -0,0 +1,95 @@ +# kubernetes-conjur-deploy + +This repository contains scripts for deploying a Conjur v4 cluster to a +Kubernetes environment. + +# Setup + +The Conjur deployment scripts pick up configuration details from local +environment variables. The setup instructions below will walk you through the +necessary steps for configuring your Kubernetes environment and show you which +variables need to be set before deploying. + +### Kubernetes + +To deploy Conjur, you will first need access to a Kubernetes +deployment and must be conneceted to it using `kubectl`, +with a user that has sufficient privileges to create Kubernetes projects: + +``` +oc login https://: -u +``` + +Finally, you must specify a name for the Kubernetes project in which you'd like +to deploy the Conjur cluster: + +``` +export CONJUR_PROJECT_NAME=conjur +``` + +### Docker + +You will need to [install Docker](https://www.docker.com/get-docker) on your +local machine if you do not already have it. + +### Conjur + +#### Appliance Image + +You will need to obtain a Docker image of the Conjur v4 appliance and tag it in +your local registry as `conjur-appliance:4.9-stable`. The deploy scripts will +look for this tag when pushing the applance image to your Kubernetes Docker +registry. + +#### Appliance Configuration + +When setting up a new Conjur installation, you must provide an account name and +a password for the admin account: + +``` +export CONJUR_ACCOUNT= +export CONJUR_ADMIN_PASSWORD= +``` + +Conjur uses [declarative policy](https://developer.conjur.net/policy) to control +access to secrets. After deploying Conjur, you will need to load a policy that +defines a `webservice` to represent the Kubernetes authenticator: + +``` +- !policy +id: conjur/authn-k8s/{{ SERVICE_ID }} +``` + +The `SERVICE_ID` should describe the Kubernetes node in which your Conjur cluster +resides. For example, it might be something like `kubernetes/prod`. 
For Conjur +configuration purposes, you will need to provide this value to the Conjur deploy +scripts like so: + +``` +export AUTHENTICATOR_SERVICE_ID= +``` + +This `service_id` can be anything you like, but it's important to make sure +that it matches the value that you intend to use in Conjur Policy. + +# Usage + +Run `./start` to deploy Conjur. This will execute the numbered scripts in +sequence to create and configure a Conjur cluster comprised of one Master, two +Standbys, and two read-only Followers. + +Please note that the deploy scripts grant the `anyuid` SCC to the `default` +service account in the project that contains Conjur as configuring standbys and +followers requires root access. + +When the deploy scripts finish, they will print out the URL and credentials that +you need to access Conjur from outside the Kubernetes environment. You can access +the Conjur UI by visiting this URL in a browser or use it to interact with Conjur +through the [Conjur CLI](https://developer.conjur.net/cli). + +# Test App Demo + +The [kubernetes-conjur-demo repo](https://github.com/conjurdemos/kubernetes-conjur-demo) +can be used to set up a test application that retrieves secrets from Conjur +using our Ruby API. It can be used as a reference when setting up your own +applications to integrate with Conjur. diff --git a/deploy/build/conjur_server/Dockerfile b/deploy/build/conjur_server/Dockerfile new file mode 100644 index 0000000..467bbf6 --- /dev/null +++ b/deploy/build/conjur_server/Dockerfile @@ -0,0 +1,4 @@ +FROM conjur-appliance:4.9-stable + +# Memory allocation for postgres. +COPY conjur.json /etc/ diff --git a/deploy/build/conjur_server/build.sh b/deploy/build/conjur_server/build.sh new file mode 100755 index 0000000..db74d56 --- /dev/null +++ b/deploy/build/conjur_server/build.sh 
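Review bot: `FROM conjur-appliance:4.9-stable` builds the secrets-store image from a floating, locally applied tag that the README in this same patch asks the operator to attach by hand to a manually obtained appliance image, so nothing ties the deployed cluster to a specific, verified artifact. Once the appliance image has been checked I would pin it, `FROM conjur-appliance@sha256:<digest-of-verified-appliance>` (or pass the digest in from `build.sh` as a build arg), and document where the image must come from and how its checksum is verified. The comment `# Memory allocation for postgres.` describes `conjur.json` rather than the `COPY`; `# conjur.json only carries the PostgreSQL memory allocation (see build.sh)` reads more clearly.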
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -eou pipefail
+
+# builds Conjur Appliance with /etc/conjur.json (contains memory allocation config for pg)
+docker build -t conjur-appliance:$CONJUR_PROJECT_NAME -f Dockerfile .
diff --git a/deploy/build/conjur_server/conjur.json b/deploy/build/conjur_server/conjur.json new file mode 100644
index 0000000..6d18e7e
--- /dev/null
+++ b/deploy/build/conjur_server/conjur.json
@@ -0,0 +1,5 @@
+{
+ "postgresql": {
+ "allocated_memory_kb": 100000
+ }
+}
diff --git a/deploy/build/haproxy/Dockerfile b/deploy/build/haproxy/Dockerfile new file mode 100644
index 0000000..cc727d2
--- /dev/null
+++ b/deploy/build/haproxy/Dockerfile
@@ -0,0 +1,12 @@
+FROM haproxy:1.7
+
+RUN apt-get clean
+RUN apt-get update
+RUN apt-get install -y \
+ curl \
+ jq \
+ vim
+
+COPY conjur-health-check.sh /root/
+COPY start.sh /
+ENTRYPOINT sleep infinity
diff --git a/deploy/build/haproxy/build.sh b/deploy/build/haproxy/build.sh new file mode 100755
index 0000000..f919bb4
--- /dev/null
+++ b/deploy/build/haproxy/build.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -eou pipefail
+
+docker build -t haproxy:$CONJUR_PROJECT_NAME .
diff --git a/deploy/build/haproxy/conjur-health-check.sh b/deploy/build/haproxy/conjur-health-check.sh new file mode 100755
index 0000000..438a7bb
--- /dev/null
+++ b/deploy/build/haproxy/conjur-health-check.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+server_address=$3
+
+conjur_ok=$(curl -k -s https://$server_address/health | jq '.ok')
+if [[ "$conjur_ok" == "true" ]]; then
+ exit 0
+fi
+exit -1
diff --git a/deploy/build/haproxy/start.sh b/deploy/build/haproxy/start.sh new file mode 100755
index 0000000..ae1f7f2
--- /dev/null
+++ b/deploy/build/haproxy/start.sh
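Review bot: The proxy image installs `vim` and keeps the apt package lists in the layer, and `ENTRYPOINT sleep infinity` means the container is Running, and the Service will route to it, before any haproxy process exists; the proxy is only started later by a `kubectl exec /start.sh` from `update_haproxy.sh`, and if that process dies nothing restarts it. An editor is needless attack surface in the front door of a secrets store, so I would drop it, collapse the three `RUN`s into one with `--no-install-recommends` and a lists cleanup, and add a readiness probe on :443 so the Service does not target a proxy-less pod. The sleep entrypoint presumably exists so the config can be generated after the Conjur pods have IPs; if so, a comment saying that would spare the next reader the guess.
```dockerfile
FROM haproxy:1.7

# curl and jq are used by conjur-health-check.sh; no editors or other interactive tooling.
RUN apt-get update \
 && apt-get install -y --no-install-recommends curl jq \
 && rm -rf /var/lib/apt/lists/*

COPY conjur-health-check.sh /root/
COPY start.sh /
# … unchanged: ENTRYPOINT …
```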
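Review bot: `curl -k` disables certificate verification for the health probe, so anything that answers TLS at the backend address and returns `{"ok":true}` is accepted as a healthy Conjur node; the demo later pulls the appliance certificate from a follower (`/opt/conjur/etc/ssl/conjur.pem`), and if that same certificate covers the master nodes the proxy image could carry it and verify instead. The probe also has no timeout, so a hung backend stalls the external check for curl's default limits, and `exit -1` is really status 255 in bash. I would make the curl line `curl --cacert /etc/conjur/ca.pem --max-time 5 -sf "https://${server_address}/health" | jq -r '.ok'` (CA path to be agreed) and finish with `exit 1`. The script assumes HAProxy's external-check argument order, in which `$3` is the server address; that deserves a comment since nothing in the file says so.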
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# kill running haproxy daemon if any
+haproxy_pid=$(ps aux | grep haproxy | grep -v grep | awk '{print $2}')
+if [[ "$haproxy_pid" != "" ]]; then
+ kill -9 $haproxy_pid
+fi
+
+# haproxy.cfg is created and updated by update_haproxy.sh script in $DEMO_ROOT/etc
+haproxy -D -f /usr/local/etc/haproxy/haproxy.cfg
diff --git a/deploy/haproxy/haproxy.template.cfg b/deploy/haproxy/haproxy.template.cfg new file mode 100644
index 0000000..00eaf20
--- /dev/null
+++ b/deploy/haproxy/haproxy.template.cfg
@@ -0,0 +1,23 @@
+global
+ maxconn 256
+ external-check
+
+defaults
+ timeout connect 5000ms
+ timeout client 50000ms
+ timeout server 50000ms
+
+frontend f_conjur_master_http
+ mode tcp
+ bind *:443
+ default_backend b_conjur_master_http
+
+frontend f_conjur_master_pg
+ mode tcp
+ bind *:5432
+ default_backend b_conjur_master_pg
+
+frontend f_conjur_master_ldap
+ mode tcp
+ bind *:636
+ default_backend b_conjur_master_ldap
diff --git a/deploy/haproxy/update_haproxy.sh b/deploy/haproxy/update_haproxy.sh new file mode 100755
index 0000000..db8488e
--- /dev/null
+++ b/deploy/haproxy/update_haproxy.sh
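Review bot: `kill -9` on a PID list scraped from `ps aux | grep haproxy` hard-kills the proxy in front of the Conjur master on every config refresh, dropping all in-flight API, LDAP and PostgreSQL replication connections, and the grep matches any process whose command line merely contains `haproxy`. HAProxy supports a graceful reload, so write a pidfile and hand the old PIDs to the new process: `haproxy -D -f /usr/local/etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid 2>/dev/null)`, which also replaces the `ps | grep` block and the `kill`. The comment names `$DEMO_ROOT/etc`, but `update_haproxy.sh` in this patch copies the file to `/usr/local/etc/haproxy/haproxy.cfg`, and this script is the only one in the series without `set -eou pipefail`.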
@@ -0,0 +1,95 @@
+#!/bin/bash
+set -eo pipefail
+
+# This script updates the HAProxy configuration for currently running Conjur containers
+# and restarts the proxy daemon
+
+. ./utils.sh
+
+declare template_file="./haproxy/haproxy.template.cfg"
+declare destination_file="./haproxy/haproxy.cfg"
+
+# takes one argument: the name of the HAProxy container to update
+main() {
+ haproxy_pod_name=$1
+
+ echo "# This file is generated by $0 in $(pwd)." > $destination_file
+ cp $template_file $destination_file
+ update_http_servers
+ update_pg_servers
+ update_ldap_servers
+
+ copy_file_to_container "$destination_file" "/usr/local/etc/haproxy/haproxy.cfg" "$haproxy_pod_name"
+ kubectl exec $haproxy_pod_name /start.sh
+}
+
+# Appends Conjur HTTP server info in HAProxy format to haproxy.cfg.
+update_http_servers() {
+ cat <> $destination_file
+
+# HTTP backend info
+# Generated by $0 in $(pwd)
+backend b_conjur_master_http
+ mode tcp
+ balance static-rr
+ option external-check
+ default-server inter 5s fall 3 rise 2
+ external-check path "/usr/bin:/usr/local/bin"
+ external-check command "/root/conjur-health-check.sh"
+CONFIG
+
+ pod_list=$(kubectl get pods -l app=conjur-node --no-headers | awk '{print $1}')
+
+ for pname in $pod_list; do
+ pod_ip=$(kubectl describe pod $pname | grep "IP:" | awk '{print $2}')
+ echo -e '\t' server $pname $pod_ip:443 check >> $destination_file
+ done
+}
+
+# Appends Conjur PostgreSQL server info in HAProxy format to haproxy.cfg.
+update_pg_servers() {
+ cat <> $destination_file
+
+# PG backend info
+# Generated by $0 in $(pwd)
+backend b_conjur_master_pg
+ mode tcp
+ balance static-rr
+ option external-check
+ default-server inter 5s fall 3 rise 2
+ external-check path "/usr/bin:/usr/local/bin"
+ external-check command "/root/conjur-health-check.sh"
+CONFIG
+
+ pod_list=$(kubectl get pods -l app=conjur-node --no-headers | awk '{print $1}')
+
+ for pname in $pod_list; do
+ pod_ip=$(kubectl describe pod $pname | grep "IP:" | awk '{print $2}')
+ echo -e '\t' server $pname $pod_ip:5432 check >> $destination_file
+ done
+}
+
+# Appends Conjur LDAP server info in HAProxy format to haproxy.cfg.
+update_ldap_servers() {
+ cat <> $destination_file
+
+# LDAP backend info
+# Generated by $0 in $(pwd)
+backend b_conjur_master_ldap
+ mode tcp
+ balance static-rr
+ option external-check
+ default-server inter 30s fall 3 rise 2
+ external-check path "/usr/bin:/usr/local/bin"
+ external-check command "/root/conjur-health-check.sh"
+CONFIG
+
+ pod_list=$(kubectl get pods -l app=conjur-node --no-headers | awk '{print $1}')
+
+ for pname in $pod_list; do
+ pod_ip=$(kubectl describe pod $pname | grep "IP:" | awk '{print $2}')
+ echo -e '\t' server $pname $pod_ip:636 check >> $destination_file
+ done
+}
+
+main "$@"
diff --git a/deploy/manifests/conjur-authenticator-role.yaml b/deploy/manifests/conjur-authenticator-role.yaml new file mode 100644
index 0000000..164f544
--- /dev/null
+++ b/deploy/manifests/conjur-authenticator-role.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1 # TODO: change this to match your k8s version
+kind: ClusterRole
+metadata:
+ name: conjur-authenticator
+rules:
+- apiGroups: [""] # "" indicates the core API group
+ resources: ["pods"]
+ verbs: ["get", "list"]
+- apiGroups: [""]
+ resources: ["pods/exec"]
+ verbs: ["create", "get"]
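Review bot: Every backend is populated from `kubectl get pods -l app=conjur-node`, which in this patch's `conjur-cluster.yaml` matches the master and both standbys alike, so with `balance static-rr` the "conjur-master" proxy will spread API writes and :5432 replication traffic across all three nodes for as long as the health check passes; whether a standby answers `/health` with `ok: true` I cannot confirm from here, but nothing in this script or the check distinguishes roles. The standby script labels pods `role=standby` and `mastercmd` selects `-l role=master`, so the three `pod_list` lines should use `-l role=master` too (or the check should verify the node's role), with a re-run of this script as part of any failover. Two smaller defects: `cp $template_file $destination_file` overwrites the header written one line earlier, which `{ echo "# This file is generated by $0 in $(pwd)."; cat "$template_file"; } > "$destination_file"` fixes, and the `IP:` grep on `kubectl describe` output matches several lines on newer kubectl, where `kubectl get pod "$pname" -o jsonpath='{.status.podIP}'` is unambiguous. The heredoc openers appear here as `cat <> $destination_file`, which suggests the `<<CONFIG` markers were mangled in transit; worth confirming the committed file is intact.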
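Review bot: `create` on `pods/exec` is the ability to run arbitrary commands in any pod the binding covers, and the demo RoleBinding in this series attaches this ClusterRole to the `default` ServiceAccount of the Conjur namespace, which every pod in that namespace, the haproxy pod included, mounts automatically. If `pods/exec` is required for the authenticator's certificate injection (I assume so, but the manifest does not say), the subject should be a dedicated ServiceAccount used only by the Conjur node pods, with `automountServiceAccountToken: false` on the other pods in that namespace. A comment on the rule would also keep the next reviewer from removing or widening it: `# authn-k8s needs exec to inject the client certificate; grant only via namespace-scoped RoleBindings`.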
diff --git a/deploy/manifests/conjur-cluster.yaml b/deploy/manifests/conjur-cluster.yaml new file mode 100644
index 0000000..117f197
--- /dev/null
+++ b/deploy/manifests/conjur-cluster.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ labels:
+ app: conjur-cluster
+ name: conjur-cluster
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: conjur-node
+ template:
+ metadata:
+ labels:
+ app: conjur-node
+ name: conjur-node
+ role: unset # set to master or standby when configured
+ spec:
+ containers:
+ - name: conjur-appliance
+ image: {{ CONJUR_APPLIANCE_IMAGE }}
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 443
+ name: https
+ - containerPort: 636
+ name: ldaps
+ - containerPort: 5432
+ name: pg-main
+ - containerPort: 5433
+ name: pg-audit
+ imagePullSecrets:
+ - name: conjurregcred
diff --git a/deploy/manifests/conjur-follower.yaml b/deploy/manifests/conjur-follower.yaml new file mode 100644
index 0000000..d9b379e
--- /dev/null
+++ b/deploy/manifests/conjur-follower.yaml
@@ -0,0 +1,48 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: conjur-follower
+ labels:
+ app: conjur-follower
+spec:
+ ports:
+ - port: 443
+ name: https
+ - port: 636
+ name: ldaps
+ selector:
+ app: conjur-follower
+
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ name: conjur-follower
+spec:
+ replicas: 2
+ template:
+ metadata:
+ labels:
+ app: conjur-follower
+ name: conjur-follower
+ role: follower
+ spec:
+ containers:
+ - name: conjur-appliance
+ image: {{ CONJUR_APPLIANCE_IMAGE }}
+ imagePullPolicy: Always
+ env:
+ - name: CONJUR_AUTHENTICATORS
+ value: authn-k8s/{{ AUTHENTICATOR_SERVICE_ID }}
+ ports:
+ - containerPort: 443
+ name: https
+ - containerPort: 636
+ name: ldaps
+ - containerPort: 5432
+ name: pg-main
+ - containerPort: 5433
+ name: pg-audit
+ imagePullSecrets:
+ - name: conjurregcred
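Review bot: The master and standbys are a plain `Deployment` with no `volumes`, so the Conjur database lives in the container filesystem and any pod restart, reschedule or rolling update replaces a configured master with a fresh `role: unset` replica and discards the stored secrets, unless persistence is handled somewhere I cannot see. The pod also has no `securityContext`, no resource limits, and `imagePullPolicy: Always` on a mutable tag, which for a secrets store means whatever is pushed to the registry under that tag is what runs next. Until persistent storage lands I would put `# WARNING: no persistent volume; losing a pod destroys the master database` above the template `spec:` so nobody treats this as production-ready, and note that `apps/v1beta1` is deprecated (the `# TODO` on the RBAC manifest applies here too).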
diff --git a/deploy/manifests/haproxy-conjur-master.yaml b/deploy/manifests/haproxy-conjur-master.yaml new file mode 100644
index 0000000..4210269
--- /dev/null
+++ b/deploy/manifests/haproxy-conjur-master.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: conjur-master
+ labels:
+ app: haproxy-conjur-master
+spec:
+ ports:
+ - port: 443
+ name: https
+ - port: 636
+ name: ldaps
+ - port: 5432
+ name: pg-main
+ selector:
+ app: haproxy-conjur-master
+ type: LoadBalancer
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: haproxy-conjur-master
+ labels:
+ app: haproxy-conjur-master
+spec:
+ containers:
+ - name: haproxy
+ image: {{ DOCKER_IMAGE }}
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 443
+ name: https
+ - containerPort: 636
+ name: ldaps
+ - containerPort: 5432
+ name: pg-main
+ - containerPort: 5433
+ name: pg-audit
diff --git a/deploy/start b/deploy/start new file mode 100755
index 0000000..680fcf8
--- /dev/null
+++ b/deploy/start
@@ -0,0 +1,15 @@
+#!/bin/bash
+set -eou pipefail
+
+0_check_dependencies.sh
+
+stop
+
+1_create_kubernetes_project.sh
+2_build_and_push_containers.sh
+3_deploy_conjur_cluster.sh
+4_configure_master.sh
+5_create_load_balancer.sh
+6_configure_standbys.sh
+7_configure_followers.sh
+8_print_config.sh
diff --git a/deploy/stop b/deploy/stop new file mode 100755
index 0000000..c4ee204
--- /dev/null
+++ b/deploy/stop
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+set_project default
+
+if has_project $CONJUR_PROJECT_NAME; then
+ kubectl delete namespace $CONJUR_PROJECT_NAME
+
+ printf "Waiting for $CONJUR_PROJECT_NAME project deletion to complete"
+
+ while : ; do
+ printf "..."
+
+ if has_project "$CONJUR_PROJECT_NAME"; then
+ sleep 5
+ else
+ break
+ fi
+ done
+
+ echo ""
+fi
+
+echo "Conjur environment purged."
diff --git a/deploy/utils.sh b/deploy/utils.sh new file mode 100755
index 0000000..f23edd2
--- /dev/null
+++ b/deploy/utils.sh
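Review bot: The `conjur-master` Service is `type: LoadBalancer` and publishes port 5432, so on GKE (the target named in this commit) the master's PostgreSQL replication endpoint receives an Internet-facing address alongside 443 and 636, with only PostgreSQL's own authentication between it and the world. Standbys and followers reach the master in-cluster, so I would make this `type: ClusterIP` (or an internal load balancer via the provider annotation) and, if an external endpoint really is required, publish 443 only and restrict it with `loadBalancerSourceRanges`. The proxy is also a bare `Pod` rather than a Deployment, so a node failure takes the master's only front door down with no reschedule, and the pod declares `containerPort: 5433` although the haproxy template in this patch binds nothing on 5433.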
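Review bot: The numbered scripts are invoked by bare name (`0_check_dependencies.sh`, `1_create_kubernetes_project.sh`, …) instead of `./0_check_dependencies.sh`, so `./start` only works when the deploy directory or `.` is on `PATH`, and a `.` in `PATH` is exactly the setting that lets a stray executable in the working directory run with the operator's cluster credentials. Prefix each call with `./` and add `cd "$(dirname "$0")"` after the `set` line so the script works from any directory. Note also that `stop` runs unconditionally, so re-running `./start` to retry a failed step deletes the existing Conjur namespace first.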
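Review bot: `kubectl delete namespace $CONJUR_PROJECT_NAME` removes the namespace holding the Conjur master, and with it the entire secrets store, without any confirmation, and `start` invokes this script first on every run. `set -u` at least makes an unset name fail loudly, but a guard before the delete, `[[ "${CONJUR_CONFIRM_DESTROY:-}" == "yes" ]] || { echo "refusing to delete namespace $CONJUR_PROJECT_NAME; set CONJUR_CONFIRM_DESTROY=yes" >&2; exit 1; }`, would stop a reflexive re-run from wiping live data. The `demo/stop` counterpart in this series deletes the test-app namespace the same way and would benefit from the same guard.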
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+announce() {
+ echo "++++++++++++++++++++++++++++++++++++++"
+ echo ""
+ echo "$@"
+ echo ""
+ echo "++++++++++++++++++++++++++++++++++++++"
+}
+
+environment_domain() {
+ env_url=$(environment_url)
+ protocol="$(echo $env_url | grep :// | sed -e's,^\(.*://\).*,\1,g')"
+ echo ${env_url/$protocol/}
+}
+
+has_project() {
+ if kubectl get namespace "$1" 2> /dev/null; then
+ true
+ else
+ false
+ fi
+}
+
+docker_tag_and_push() {
+ docker_tag="${DOCKER_REGISTRY_PATH}/$1:$CONJUR_PROJECT_NAME"
+ docker tag $1:$CONJUR_PROJECT_NAME $docker_tag
+ docker push $docker_tag
+}
+
+copy_file_to_container() {
+ local from=$1
+ local to=$2
+ local pod_name=$3
+
+ kubectl cp "$from" $pod_name:"$to"
+}
+
+get_master_pod_name() {
+ pod_list=$(kubectl get pods -l app=conjur-node --no-headers | awk '{ print $1 }')
+ echo $pod_list | awk '{print $1}'
+}
+
+mastercmd() {
+ local master_pod=$(kubectl get pod -l role=master --no-headers | awk '{ print $1 }')
+ local interactive=$1
+
+ if [ $interactive = '-i' ]; then
+ shift
+ kubectl exec -i $master_pod -- $@
+ else
+ kubectl exec $master_pod -- $@
+ fi
+}
+
+set_project() {
+ # general utility for switching namespaces/contexts in kubernetes
+ # expects exactly 1 argument, a project name.
+ if [[ $# != 1 ]]; then
+ printf "Error in %s/%s - expecting 1 arg.\n" $(pwd) $0
+ exit -1
+ fi
+
+ kubectl config set-context $(kubectl config current-context) --namespace="$1" > /dev/null
+}
+
+wait_for_node() {
+ wait_for_it -1 "kubectl describe pod $1 | grep Status: | grep -q Running"
+}
+
+function wait_for_it() {
+ local timeout=$1
+ local spacer=2
+ shift
+
+ if ! [ $timeout = '-1' ]; then
+ local times_to_run=$((timeout / spacer))
+
+ echo "Waiting for $@ up to $timeout s"
+ for i in $(seq $times_to_run); do
+ eval $@ && echo 'Success!' && break
+ echo -n .
+ sleep $spacer
+ done
+
+ eval $@
+ else
+ echo "Waiting for $@ forever"
+
+ while ! eval $@; do
+ echo -n .
+ sleep $spacer
+ done
+ echo 'Success!'
+ fi
+}
+
+rotate_api_key() {
+ set_project $CONJUR_PROJECT_NAME
+
+ master_pod_name=$(get_master_pod_name)
+
+ kubectl exec $master_pod_name -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD > /dev/null
+ api_key=$(kubectl exec $master_pod_name -- conjur user rotate_api_key)
+ kubectl exec $master_pod_name -- conjur authn logout > /dev/null
+
+ echo $api_key
+}
From 0e871d3ae2e8841d596064cd31c64b2d2a279a0d Mon Sep 17 00:00:00 2001 From: Kumbirai Tanekha Date: Wed, 11 Apr 2018 23:24:19 +0100 Subject: [PATCH 02/21] check for registry path --- demo/0_check_dependencies.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/demo/0_check_dependencies.sh b/demo/0_check_dependencies.sh
index d725312..4a3d42f 100755
--- a/demo/0_check_dependencies.sh
+++ b/demo/0_check_dependencies.sh
@@ -15,7 +15,13 @@ if [ "$CONJUR_PROJECT_NAME" = "" ]; then exit 1 fi
-# Confirm docker registry is configured.
+# Confirm docker registry url is configured.
+if [ "$DOCKER_REGISTRY_URL" = "" ]; then
+ echo "You must set DOCKER_REGISTRY_URL before running this script."
+ exit 1
+fi
+
+# Confirm docker registry path is configured.
 if [ "$DOCKER_REGISTRY_PATH" = "" ]; then
 echo "You must set DOCKER_REGISTRY_PATH before running this script."
 exit 1
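Review bot: `rotate_api_key` passes the admin password on the command line, `conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD`, through `kubectl exec`, so it is visible in the container's process list and, on clusters with API audit logging, recorded in the audit event for the exec request; if the v4 CLI accepts the password on stdin (worth confirming), `kubectl exec -i "$master_pod_name" -- conjur authn login -u admin <<<"$CONJUR_ADMIN_PASSWORD"` keeps it out of both. `get_master_pod_name` returns whichever `app=conjur-node` pod sorts first, which is only the master as long as that pod is the one `4_configure_master.sh` picked, while `mastercmd` selects `-l role=master`; the two should agree, i.e. `kubectl get pods -l role=master --no-headers | awk '{ print $1 }'` in `get_master_pod_name` once the label exists. `set_project` rewrites the namespace of the operator's current kubeconfig context and never restores it, so every later `kubectl` in that shell silently targets whatever namespace these scripts selected last; passing `-n` per command, or saving and restoring the original namespace in a trap, avoids the surprise. `wait_for_it` runs its argument through `eval`, which is fine for the literal command strings in this file but should carry a comment that it is not safe for caller-supplied input.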
@@ -45,7 +45,7 @@ kubernetes/authentication-container-name: authenticator kubernetes: "true" - !host - id: {{ TEST_APP_PROJECT_NAME }}/serviceaccount/default + id: {{ TEST_APP_PROJECT_NAME }}/service_account/test-app annotations: kubernetes/authentication-container-name: authenticator kubernetes: "true" @@ -54,7 +54,7 @@ role: !layer /test-app members: - !host {{ TEST_APP_PROJECT_NAME }}/*/* - - !host {{ TEST_APP_PROJECT_NAME }}/serviceaccount/default + - !host {{ TEST_APP_PROJECT_NAME }}/service_account/test-app - !grant role: !layer diff --git a/demo/test_app/test_app.yaml b/demo/test_app/test_app.yaml index 6f3b168..f0206bc 100644 --- a/demo/test_app/test_app.yaml +++ b/demo/test_app/test_app.yaml @@ -12,6 +12,11 @@ spec: app: test-app type: LoadBalancer --- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-app +--- apiVersion: apps/v1beta1 kind: Deployment metadata: @@ -28,6 +33,7 @@ spec: labels: app: test-app spec: + serviceAccountName: test-app containers: - image: {{ TEST_APP_DOCKER_IMAGE }} imagePullPolicy: Always @@ -69,7 +75,7 @@ spec: - name: CONJUR_ACCOUNT value: {{ CONJUR_ACCOUNT }} - name: CONJUR_AUTHN_LOGIN - value: {{ TEST_APP_PROJECT_NAME }}/*/* + value: {{ TEST_APP_PROJECT_NAME }}/service_account/test-app - name: CONJUR_SSL_CERTIFICATE valueFrom: configMapKeyRef: From 5db46039e1107fcfa7fe0647910402d3fdd06368 Mon Sep 17 00:00:00 2001 From: John Tuttle Date: Fri, 13 Apr 2018 09:54:44 -0400 Subject: [PATCH 04/21] move over helper for env var checking --- deploy/0_check_dependencies.sh | 34 +++++----------------------------- deploy/utils.sh | 9 +++++++++ 2 files changed, 14 insertions(+), 29 deletions(-) diff --git a/deploy/0_check_dependencies.sh b/deploy/0_check_dependencies.sh index 2046894..c3774c0 100755 --- a/deploy/0_check_dependencies.sh +++ b/deploy/0_check_dependencies.sh 
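Review bot: The `/test-app` layer still lists `!host {{ TEST_APP_PROJECT_NAME }}/*/*` as a member next to the new `service_account/test-app` host, so any pod in the namespace can still authenticate into the layer and the narrower identity this commit introduces does not reduce who can read the secret. If the wildcard is kept deliberately for the demo it should say so on the line above `- !host {{ TEST_APP_PROJECT_NAME }}/*/*`: `# demo-only: admits every pod in the namespace; remove in real policy`; otherwise drop that member and the matching `!host` definition in the first hunk.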
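Review bot: The new `test-app` ServiceAccount is used here as a Conjur identity, and nothing visible in this deployment talks to the Kubernetes API, so the token Kubernetes auto-mounts into the pod is unneeded credential exposure; add `automountServiceAccountToken: false` beside `serviceAccountName: test-app` (and on the ServiceAccount object itself). If the authenticator sidecar does consume the API token (its code is not in this diff), a comment naming that consumer would justify keeping the mount.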
@@ -11,35 +11,11 @@ case "$choice" in * ) echo "You must login to a Kubernetes cluster before running this demo." && exit 1;; esac -# Confirm Conjur project name is configured. -if [ "$CONJUR_PROJECT_NAME" = "" ]; then - echo "You must set CONJUR_PROJECT_NAME before running this script." - exit 1 -fi - -# Confirm docker registry url is configured. -if [ "$DOCKER_REGISTRY_URL" = "" ]; then - echo "You must set DOCKER_REGISTRY_URL before running this script." - exit 1 -fi - -# Confirm docker registry path is configured. -if [ "$DOCKER_REGISTRY_PATH" = "" ]; then - echo "You must set DOCKER_REGISTRY_PATH before running this script." - exit 1 -fi - -# Confirm Conjur account is configured. -if [ "$CONJUR_ACCOUNT" = "" ]; then - echo "You must set CONJUR_ACCOUNT before running this script." - exit 1 -fi - -# Confirm Conjur admin password is configured. -if [ "$CONJUR_ADMIN_PASSWORD" = "" ]; then - echo "You must set CONJUR_ADMIN_PASSWORD before running this script." - exit 1 -fi +check_env_var "CONJUR_PROJECT_NAME" +check_env_var "DOCKER_REGISTRY_URL" +check_env_var "DOCKER_REGISTRY_PATH" +check_env_var "CONJUR_ACCOUNT" +check_env_var "CONJUR_ADMIN_PASSWORD" conjur_appliance_image=conjur-appliance:4.9-stable diff --git a/deploy/utils.sh b/deploy/utils.sh index f23edd2..8c9d21f 100755 --- a/deploy/utils.sh +++ b/deploy/utils.sh @@ -1,5 +1,14 @@ #!/bin/bash +check_env_var() { + var_name=$1 + + if [ "${!var_name}" = "" ]; then + echo "You must set $1 before running these scripts." + exit 1 + fi +} + announce() { echo "++++++++++++++++++++++++++++++++++++++" echo "" From 4d0992c3304cdcd2b324ebe7192cc6391af65069 Mon Sep 17 00:00:00 2001 
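Review bot: `check_env_var` reads `${!var_name}` unguarded while every caller runs under `set -eou pipefail`, so a variable that is unset (as opposed to set but empty) aborts with bash's own `unbound variable` error before the friendly "You must set …" message is printed; `if [ "${!var_name:-}" = "" ]; then` restores the intended behaviour, and `var_name` should be `local`. The `0_check_dependencies.sh` hunk depends on this helper but its `. utils.sh` line, if present, is above the visible hunk, so that is worth confirming.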
From: John Tuttle Date: Fri, 13 Apr 2018 10:05:25 -0400 Subject: [PATCH 05/21] rename all references of project to context --- demo/0_check_dependencies.sh | 41 +++---------------- demo/1_initialize_conjur.sh | 2 +- demo/2_load_conjur_policies.sh | 8 ++-- demo/3_init_conjur_cert_authority.sh | 2 +- demo/4_create_test_app_context.sh | 23 +++++++++++ demo/4_create_test_app_project.sh | 23 ----------- demo/5_store_conjur_cert.sh | 8 ++-- demo/7_deploy_test_app.sh | 12 +++--- demo/8_retrieve_secret.sh | 2 +- demo/README.md | 6 +-- ...app-conjur-authenticator-role-binding.yaml | 4 +- demo/policy/authn-k8s.template.yml | 8 ++-- demo/rotate | 2 +- demo/start | 2 +- demo/stop | 10 ++--- demo/test_app/build/build.sh | 4 +- demo/test_app/test_app.yaml | 8 ++-- demo/utils.sh | 21 +++++++--- deploy/0_check_dependencies.sh | 2 +- ..._project.sh => 1_create_conjur_context.sh} | 16 ++++---- deploy/3_deploy_conjur_cluster.sh | 2 +- deploy/4_configure_master.sh | 6 +-- deploy/5_create_load_balancer.sh | 4 +- deploy/6_configure_standbys.sh | 2 +- deploy/7_configure_followers.sh | 2 +- deploy/8_print_config.sh | 4 +- deploy/README.md | 8 ++-- deploy/build/conjur_server/build.sh | 2 +- deploy/build/haproxy/build.sh | 2 +- deploy/start | 2 +- deploy/stop | 10 ++--- deploy/utils.sh | 12 +++--- 32 files changed, 120 insertions(+), 140 deletions(-) create mode 100755 demo/4_create_test_app_context.sh delete mode 100755 demo/4_create_test_app_project.sh rename deploy/{1_create_kubernetes_project.sh => 1_create_conjur_context.sh} (67%) diff --git a/demo/0_check_dependencies.sh b/demo/0_check_dependencies.sh index 4a3d42f..804ea11 100755 --- a/demo/0_check_dependencies.sh +++ b/demo/0_check_dependencies.sh 
@@ -9,38 +9,9 @@ case "$choice" in * ) echo "You must login to a Kubernetes cluster before running this demo." && exit 1;; esac -# Confirm Conjur project name is configured. -if [ "$CONJUR_PROJECT_NAME" = "" ]; then - echo "You must set CONJUR_PROJECT_NAME before running this script." - exit 1 -fi - -# Confirm docker registry url is configured. -if [ "$DOCKER_REGISTRY_URL" = "" ]; then - echo "You must set DOCKER_REGISTRY_URL before running this script." - exit 1 -fi - -# Confirm docker registry path is configured. -if [ "$DOCKER_REGISTRY_PATH" = "" ]; then - echo "You must set DOCKER_REGISTRY_PATH before running this script." - exit 1 -fi - -# Confirm Conjur account is configured. -if [ "$CONJUR_ACCOUNT" = "" ]; then - echo "You must set CONJUR_ACCOUNT before running this script." - exit 1 -fi - -# Confirm Conjur admin password is configured. -if [ "$CONJUR_ADMIN_PASSWORD" = "" ]; then - echo "You must set CONJUR_ADMIN_PASSWORD before running this script." - exit 1 -fi - -# Confirm test app project name is configured. -if [ "$TEST_APP_PROJECT_NAME" = "" ]; then - echo "You must set TEST_APP_PROJECT_NAME before running this script." - exit 1 -fi +check_env_var "CONJUR_CONTEXT_NAME" +check_env_var "DOCKER_REGISTRY_URL" +check_env_var "DOCKER_REGISTRY_PATH" +check_env_var "CONJUR_ACCOUNT" +check_env_var "CONJUR_ADMIN_PASSWORD" +check_env_var "TEST_APP_CONTEXT_NAME" diff --git a/demo/1_initialize_conjur.sh b/demo/1_initialize_conjur.sh index 339d968..3ccd654 100755 --- a/demo/1_initialize_conjur.sh +++ b/demo/1_initialize_conjur.sh @@ -5,7 +5,7 @@ set -eou pipefail announce "Initializing Conjur." -set_project $CONJUR_PROJECT_NAME +set_context $CONJUR_CONTEXT_NAME conjur_master=$(get_master_pod_name) diff --git a/demo/2_load_conjur_policies.sh b/demo/2_load_conjur_policies.sh index a1cf047..21eb2f2 100755 --- a/demo/2_load_conjur_policies.sh +++ b/demo/2_load_conjur_policies.sh 
@@ -1,11 +1,11 @@ #!/bin/bash -set -xeou pipefail +set -eou pipefail . utils.sh announce "Loading Conjur policy." -set_project $CONJUR_PROJECT_NAME +set_context $CONJUR_CONTEXT_NAME conjur_master=$(get_master_pod_name) @@ -16,9 +16,9 @@ kubectl exec $conjur_master -- conjur plugin install policy pushd policy sed -e "s#{{ SERVICE_ID }}#$AUTHENTICATOR_SERVICE_ID#g" ./authn-k8s.template.yml | - sed -e "s#{{ TEST_APP_PROJECT_NAME }}#$TEST_APP_PROJECT_NAME#g" > ./authn-k8s.yml + sed -e "s#{{ TEST_APP_CONTEXT_NAME }}#$TEST_APP_CONTEXT_NAME#g" > ./authn-k8s.yml - sed -e "s#{{ TEST_APP_PROJECT_NAME }}#$TEST_APP_PROJECT_NAME#g" ./apps.template.yml > ./apps.yml + sed -e "s#{{ TEST_APP_CONTEXT_NAME }}#$TEST_APP_CONTEXT_NAME#g" ./apps.template.yml > ./apps.yml popd kubectl cp ./policy conjur-cluster-1396572337-c7265:/policy diff --git a/demo/3_init_conjur_cert_authority.sh b/demo/3_init_conjur_cert_authority.sh index 4c47525..4c0076e 100755 --- a/demo/3_init_conjur_cert_authority.sh +++ b/demo/3_init_conjur_cert_authority.sh @@ -5,7 +5,7 @@ set -eou pipefail announce "Initializing Conjur certificate authority." -set_project $CONJUR_PROJECT_NAME +set_context $CONJUR_CONTEXT_NAME conjur_master=$(get_master_pod_name) diff --git a/demo/4_create_test_app_context.sh b/demo/4_create_test_app_context.sh new file mode 100755 index 0000000..b381c2a --- /dev/null +++ b/demo/4_create_test_app_context.sh 
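Review bot: The context line `kubectl cp ./policy conjur-cluster-1396572337-c7265:/policy` still targets a hard-coded pod name from one particular cluster even though `conjur_master=$(get_master_pod_name)` is computed at the top of this script, so on any other cluster the policy copy fails and the load that follows runs against nothing; it should be `kubectl cp ./policy "$conjur_master":/policy`. The `sed` substitutions splice environment values in unescaped with `#` as the delimiter, so a value containing `#` or `&` silently corrupts the generated policy; a small guard such as `case "$TEST_APP_CONTEXT_NAME$AUTHENTICATOR_SERVICE_ID" in *[#\&]*) echo "unsupported character in template value" >&2; exit 1;; esac` before the `sed` pipeline would catch that.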
@@ -0,0 +1,23 @@ +#!/bin/bash +set -eou pipefail + +. utils.sh + +announce "Creating Test App context." + +set_context default + +if has_context "$TEST_APP_CONTEXT_NAME"; then + echo "Context '$TEST_APP_CONTEXT_NAME' exists, not going to create it." + set_context $TEST_APP_CONTEXT_NAME +else + echo "Creating '$TEST_APP_CONTEXT_NAME' context." + kubectl create namespace $TEST_APP_CONTEXT_NAME + set_context $TEST_APP_CONTEXT_NAME +fi + +kubectl delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding + +sed -e "s#{{ TEST_APP_CONTEXT_NAME }}#$TEST_APP_CONTEXT_NAME#g" ./manifests/test-app-conjur-authenticator-role-binding.yaml | + sed -e "s#{{ CONJUR_CONTEXT_NAME }}#$CONJUR_CONTEXT_NAME#g" | + kubectl create -f - diff --git a/demo/4_create_test_app_project.sh b/demo/4_create_test_app_project.sh deleted file mode 100755 index e280235..0000000 --- a/demo/4_create_test_app_project.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/bash -set -eou pipefail - -. utils.sh - -announce "Creating Test App project." - -set_project default - -if has_project "$TEST_APP_PROJECT_NAME"; then - echo "Project '$TEST_APP_PROJECT_NAME' exists, not going to create it." - set_project $TEST_APP_PROJECT_NAME -else - echo "Creating '$TEST_APP_PROJECT_NAME' project." - kubectl create namespace $TEST_APP_PROJECT_NAME - set_project $TEST_APP_PROJECT_NAME -fi - -kubectl delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding - -sed -e "s#{{ TEST_APP_PROJECT_NAME }}#$TEST_APP_PROJECT_NAME#g" ./manifests/test-app-conjur-authenticator-role-binding.yaml | - sed -e "s#{{ CONJUR_PROJECT_NAME }}#$CONJUR_PROJECT_NAME#g" | - kubectl create -f - diff --git a/demo/5_store_conjur_cert.sh b/demo/5_store_conjur_cert.sh index a6d8803..97608ab 100755 --- a/demo/5_store_conjur_cert.sh +++ b/demo/5_store_conjur_cert.sh 
@@ -5,20 +5,20 @@ set -eou pipefail announce "Storing Conjur cert for test app configuration." -set_project $CONJUR_PROJECT_NAME +set_context $CONJUR_CONTEXT_NAME echo "Retrieving Conjur certificate." follower_pod_name=$(kubectl get pods -l role=follower --no-headers | awk '{ print $1 }' | head -1) ssl_cert=$(kubectl exec $follower_pod_name -- cat /opt/conjur/etc/ssl/conjur.pem) -set_project $TEST_APP_PROJECT_NAME +set_context $TEST_APP_CONTEXT_NAME echo "Storing non-secret conjur cert as test app configuration data" -kubectl delete --ignore-not-found=true configmap $TEST_APP_PROJECT_NAME +kubectl delete --ignore-not-found=true configmap $TEST_APP_CONTEXT_NAME # Store the Conjur cert in a ConfigMap. -kubectl create configmap $TEST_APP_PROJECT_NAME --from-file=ssl-certificate=<(echo "$ssl_cert") +kubectl create configmap $TEST_APP_CONTEXT_NAME --from-file=ssl-certificate=<(echo "$ssl_cert") echo "Conjur cert stored." diff --git a/demo/7_deploy_test_app.sh b/demo/7_deploy_test_app.sh index 8816659..bd5b266 100755 --- a/demo/7_deploy_test_app.sh +++ b/demo/7_deploy_test_app.sh @@ -5,7 +5,7 @@ set -eou pipefail announce "Deploying test app." -set_project $TEST_APP_PROJECT_NAME +set_context $TEST_APP_CONTEXT_NAME # TODO Set credentials for Docker registry that isn't GKE. 
@@ -14,14 +14,14 @@ kubectl delete --ignore-not-found service test-app sleep 5 -test_app_docker_image=$DOCKER_REGISTRY_PATH/test-app:$CONJUR_PROJECT_NAME +test_app_docker_image=$DOCKER_REGISTRY_PATH/test-app:$CONJUR_CONTEXT_NAME sed -e "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_app_docker_image#g" ./test_app/test_app.yaml | sed -e "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | - sed -e "s#{{ CONJUR_PROJECT_NAME }}#$CONJUR_PROJECT_NAME#g" | - sed -e "s#{{ TEST_APP_PROJECT_NAME }}#$TEST_APP_PROJECT_NAME#g" | + sed -e "s#{{ CONJUR_CONTEXT_NAME }}#$CONJUR_CONTEXT_NAME#g" | + sed -e "s#{{ TEST_APP_CONTEXT_NAME }}#$TEST_APP_CONTEXT_NAME#g" | sed -e "s#{{ SERVICE_ID }}#$AUTHENTICATOR_SERVICE_ID#g" | - sed -e "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_PROJECT_NAME#g" | + sed -e "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_CONTEXT_NAME#g" | kubectl create -f - sleep 20 @@ -34,7 +34,7 @@ Test app is ready. Addresses for the Test App service: Inside the cluster: - test-app.$CONJUR_PROJECT_NAME.svc.cluster.local + test-app.$CONJUR_CONTEXT_NAME.svc.cluster.local Outside the cluster: For now you have to port forward the service using kubectl, because HTTPS :) diff --git a/demo/8_retrieve_secret.sh b/demo/8_retrieve_secret.sh index c89104a..6dd2f15 100755 --- a/demo/8_retrieve_secret.sh +++ b/demo/8_retrieve_secret.sh @@ -5,7 +5,7 @@ set -eou pipefail announce "Retrieving secret using Conjur access token." -set_project $TEST_APP_PROJECT_NAME +set_context $TEST_APP_CONTEXT_NAME test_app_pod=$(kubectl get pods --no-headers | awk '{ print $1 }') diff --git a/demo/README.md b/demo/README.md index 2a4aa5d..daf4a7e 100644 --- a/demo/README.md +++ b/demo/README.md 
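Review bot: The `@@ -34,7 +34,7 @@` hunk prints the in-cluster address as `test-app.$CONJUR_CONTEXT_NAME.svc.cluster.local`, but this script deploys the app into `$TEST_APP_CONTEXT_NAME` (`set_context $TEST_APP_CONTEXT_NAME` at the top), so the rename carried an existing wrong namespace into the new variable; it should read `test-app.$TEST_APP_CONTEXT_NAME.svc.cluster.local`. In the `@@ -14,14` hunk the image is `$DOCKER_REGISTRY_PATH/test-app:$CONJUR_CONTEXT_NAME`, a tag reused on every run and pulled with `imagePullPolicy: Always`, so what gets deployed is whatever was last pushed under that name; tagging with the git SHA or deploying by digest makes the deployment reproducible. The fixed `sleep 5` and `sleep 20` waits in the same hunk would be better expressed with a readiness poll like the `wait_for_it` helper in `deploy/utils.sh`, assuming `demo/utils.sh` carries the same function.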
@@ -16,11 +16,11 @@ policy that you would not want to be present in your production environment. ### Script Configuration -You will need to provide a name for the kubernetes project in which your test app +You will need to provide a name for the kubernetes context in which your test app will be deployed: ``` -export TEST_APP_PROJECT_NAME=test-app +export TEST_APP_CONTEXT_NAME=test-app ``` You will also need to set several environment variables to match the values used @@ -28,7 +28,7 @@ when configuring your Conjur deployment. Note that if you may already have these variables set if you're using the same shell to run the demo: ``` -export CONJUR_PROJECT_NAME= +export CONJUR_CONTEXT_NAME= export DOCKER_REGISTRY_PATH=docker-registry-. export CONJUR_ACCOUNT= export CONJUR_ADMIN_PASSWORD= diff --git a/demo/manifests/test-app-conjur-authenticator-role-binding.yaml b/demo/manifests/test-app-conjur-authenticator-role-binding.yaml index 984f867..4741bc1 100644 --- a/demo/manifests/test-app-conjur-authenticator-role-binding.yaml +++ b/demo/manifests/test-app-conjur-authenticator-role-binding.yaml @@ -3,11 +3,11 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 # TODO: change this to match your k8s version metadata: name: test-app-conjur-authenticator-role-binding - namespace: {{ TEST_APP_PROJECT_NAME }} + namespace: {{ TEST_APP_CONTEXT_NAME }} subjects: - kind: ServiceAccount name: default - namespace: {{ CONJUR_PROJECT_NAME }} + namespace: {{ CONJUR_CONTEXT_NAME }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/demo/policy/authn-k8s.template.yml b/demo/policy/authn-k8s.template.yml index e6d6d2e..3d51b17 100644 --- a/demo/policy/authn-k8s.template.yml +++ b/demo/policy/authn-k8s.template.yml 
@@ -40,12 +40,12 @@ - &hosts - !host - id: {{ TEST_APP_PROJECT_NAME }}/*/* + id: {{ TEST_APP_CONTEXT_NAME }}/*/* annotations: kubernetes/authentication-container-name: authenticator kubernetes: "true" - !host - id: {{ TEST_APP_PROJECT_NAME }}/service_account/test-app + id: {{ TEST_APP_CONTEXT_NAME }}/service_account/test-app annotations: kubernetes/authentication-container-name: authenticator kubernetes: "true" @@ -53,8 +53,8 @@ - !grant role: !layer /test-app members: - - !host {{ TEST_APP_PROJECT_NAME }}/*/* - - !host {{ TEST_APP_PROJECT_NAME }}/service_account/test-app + - !host {{ TEST_APP_CONTEXT_NAME }}/*/* + - !host {{ TEST_APP_CONTEXT_NAME }}/service_account/test-app - !grant role: !layer diff --git a/demo/rotate b/demo/rotate index 1dc5ba4..bcdbc8a 100755 --- a/demo/rotate +++ b/demo/rotate @@ -5,7 +5,7 @@ set -eou pipefail announce "Rotating password." -set_project $CONJUR_PROJECT_NAME +set_context $CONJUR_CONTEXT_NAME conjur_master=$(get_master_pod_name) new_pwd=$(openssl rand -hex 12) diff --git a/demo/start b/demo/start index c09638f..1a5e837 100755 --- a/demo/start +++ b/demo/start @@ -8,7 +8,7 @@ stop 1_initialize_conjur.sh 2_load_conjur_policies.sh 3_init_conjur_cert_authority.sh -4_create_test_app_project.sh +4_create_test_app_context.sh 5_store_conjur_cert.sh 6_build_and_push_containers.sh 7_deploy_test_app.sh diff --git a/demo/stop b/demo/stop index 03fce07..c5b5a83 100755 --- a/demo/stop +++ b/demo/stop 
@@ -3,17 +3,17 @@ set -eou pipefail . utils.sh -set_project default +set_context default -if has_project $TEST_APP_PROJECT_NAME; then - kubectl delete namespace $TEST_APP_PROJECT_NAME +if has_context $TEST_APP_CONTEXT_NAME; then + kubectl delete namespace $TEST_APP_CONTEXT_NAME - printf "Waiting for $TEST_APP_PROJECT_NAME project deletion to complete" + printf "Waiting for $TEST_APP_CONTEXT_NAME context deletion to complete" while : ; do printf "..." - if has_project "$TEST_APP_PROJECT_NAME"; then + if has_context "$TEST_APP_CONTEXT_NAME"; then sleep 5 else break diff --git a/demo/test_app/build/build.sh b/demo/test_app/build/build.sh index 2c5ad1c..39a39dc 100755 --- a/demo/test_app/build/build.sh +++ b/demo/test_app/build/build.sh @@ -1,4 +1,4 @@ -#!/bin/bash -e +#!/bin/bash set -eou pipefail -docker build -t test-app:$CONJUR_PROJECT_NAME . +docker build -t test-app:$CONJUR_CONTEXT_NAME . diff --git a/demo/test_app/test_app.yaml b/demo/test_app/test_app.yaml index f0206bc..5fde7bc 100644 --- a/demo/test_app/test_app.yaml +++ b/demo/test_app/test_app.yaml @@ -40,7 +40,7 @@ spec: name: test-app env: - name: CONJUR_APPLIANCE_URL - value: https://conjur-follower.{{ CONJUR_PROJECT_NAME }}.svc.cluster.local/api + value: https://conjur-follower.{{ CONJUR_CONTEXT_NAME }}.svc.cluster.local/api - name: CONJUR_ACCOUNT value: {{ CONJUR_ACCOUNT }} - name: CONJUR_SSL_CERTIFICATE 
@@ -69,13 +69,13 @@ spec: fieldRef: fieldPath: status.podIP - name: CONJUR_APPLIANCE_URL - value: https://conjur-follower.{{ CONJUR_PROJECT_NAME }}.svc.cluster.local/api + value: https://conjur-follower.{{ CONJUR_CONTEXT_NAME }}.svc.cluster.local/api - name: CONJUR_AUTHN_URL - value: https://conjur-follower.{{ CONJUR_PROJECT_NAME }}.svc.cluster.local/api/authn-k8s/{{ SERVICE_ID }} + value: https://conjur-follower.{{ CONJUR_CONTEXT_NAME }}.svc.cluster.local/api/authn-k8s/{{ SERVICE_ID }} - name: CONJUR_ACCOUNT value: {{ CONJUR_ACCOUNT }} - name: CONJUR_AUTHN_LOGIN - value: {{ TEST_APP_PROJECT_NAME }}/service_account/test-app + value: {{ TEST_APP_CONTEXT_NAME }}/service_account/test-app - name: CONJUR_SSL_CERTIFICATE valueFrom: configMapKeyRef: diff --git a/demo/utils.sh b/demo/utils.sh index dbbb627..239ac72 100755 --- a/demo/utils.sh +++ b/demo/utils.sh @@ -1,5 +1,14 @@ #!/bin/bash +check_env_var() { + var_name=$1 + + if [ "${!var_name}" = "" ]; then + echo "You must set $1 before running these scripts." + exit 1 + fi +} + announce() { echo "++++++++++++++++++++++++++++++++++++++" echo "" @@ -8,7 +17,7 @@ announce() { echo "++++++++++++++++++++++++++++++++++++++" } -has_project() { +has_context() { if kubectl get namespace "$1" 2> /dev/null; then true else @@ -17,8 +26,8 @@ has_project() { } docker_tag_and_push() { - docker_tag="${DOCKER_REGISTRY_PATH}/$1:$CONJUR_PROJECT_NAME" - docker tag $1:$CONJUR_PROJECT_NAME $docker_tag + docker_tag="${DOCKER_REGISTRY_PATH}/$1:$CONJUR_CONTEXT_NAME" + docker tag $1:$CONJUR_CONTEXT_NAME $docker_tag docker push $docker_tag } @@ -39,9 +48,9 @@ run_conjur_cmd_as_admin() { echo "$output" } -set_project() { - # general utility for switching projects/namespaces/contexts in kubernetes - # expects exactly 1 argument, a project name. +set_context() { + # general utility for switching contexts in kubernetes + # expects exactly 1 argument, a context name. if [[ $# != 1 ]]; then printf "Error in %s/%s - expecting 1 arg.\n" $(pwd) $0 exit -1 
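Review bot: The new `check_env_var` in demo/utils.sh expands `${!var_name}` on a variable that may be unset, so a caller running with `set -u` (most scripts in this series start with `set -eou pipefail`) aborts with bash's own "unbound variable" error before the friendly message is ever printed; `if [ -z "${!var_name:-}" ]; then` keeps the check working under `-u`. The helper also leaks `var_name` into the scope of whichever script sources utils.sh and writes its diagnostic to stdout; `local var_name=$1` and `printf '%s\n' "You must set $var_name before running these scripts." >&2` fix both. As a point of consistency, the `set_context` hunk further down the same file still exits with `exit -1`, which bash reports as status 255, while the new helper uses `exit 1`.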
diff --git a/deploy/0_check_dependencies.sh b/deploy/0_check_dependencies.sh index c3774c0..9cf02f8 100755 --- a/deploy/0_check_dependencies.sh +++ b/deploy/0_check_dependencies.sh @@ -11,7 +11,7 @@ case "$choice" in * ) echo "You must login to a Kubernetes cluster before running this demo." && exit 1;; esac -check_env_var "CONJUR_PROJECT_NAME" +check_env_var "CONJUR_CONTEXT_NAME" check_env_var "DOCKER_REGISTRY_URL" check_env_var "DOCKER_REGISTRY_PATH" check_env_var "CONJUR_ACCOUNT" diff --git a/deploy/1_create_kubernetes_project.sh b/deploy/1_create_conjur_context.sh similarity index 67% rename from deploy/1_create_kubernetes_project.sh rename to deploy/1_create_conjur_context.sh index 4c370b7..db7583c 100755 --- a/deploy/1_create_kubernetes_project.sh +++ b/deploy/1_create_conjur_context.sh @@ -3,17 +3,17 @@ set -eou pipefail . utils.sh -announce "Creating Conjur project." +announce "Creating Conjur context." -set_project default +set_context default -if has_project "$CONJUR_PROJECT_NAME"; then - echo "Project '$CONJUR_PROJECT_NAME' exists, not going to create it." - set_project $CONJUR_PROJECT_NAME +if has_context "$CONJUR_CONTEXT_NAME"; then + echo "Context '$CONJUR_CONTEXT_NAME' exists, not going to create it." + set_context $CONJUR_CONTEXT_NAME else - echo "Creating '$CONJUR_PROJECT_NAME' project." - kubectl create namespace "$CONJUR_PROJECT_NAME" - set_project $CONJUR_PROJECT_NAME + echo "Creating '$CONJUR_CONTEXT_NAME' context." + kubectl create namespace "$CONJUR_CONTEXT_NAME" + set_context $CONJUR_CONTEXT_NAME fi # Must run as root to unpack Conjur seed files on standbys for high availability. diff --git a/deploy/3_deploy_conjur_cluster.sh b/deploy/3_deploy_conjur_cluster.sh index d3a4dc4..9ec7497 100755 --- a/deploy/3_deploy_conjur_cluster.sh +++ b/deploy/3_deploy_conjur_cluster.sh 
@@ -5,7 +5,7 @@ set -eou pipefail announce "Creating Conjur cluster." -set_project $CONJUR_PROJECT_NAME +set_context $CONJUR_CONTEXT_NAME kubectl delete --ignore-not-found secrets conjurregcred # Set credentials for Docker registry. diff --git a/deploy/4_configure_master.sh b/deploy/4_configure_master.sh index 5b7b052..b99888d 100755 --- a/deploy/4_configure_master.sh +++ b/deploy/4_configure_master.sh @@ -5,7 +5,7 @@ set -eou pipefail announce "Configuring master pod." -set_project $CONJUR_PROJECT_NAME +set_context $CONJUR_CONTEXT_NAME master_pod_name=$(get_master_pod_name) @@ -17,8 +17,8 @@ kubectl cp build/conjur_server/conjur.json $master_pod_name:/etc/conjur.json kubectl exec $master_pod_name -- evoke configure master \ -j /etc/conjur.json \ -h conjur-master \ - --master-altnames localhost,conjur-master.$CONJUR_PROJECT_NAME.svc.cluster.local \ - --follower-altnames conjur-follower,conjur-follower.$CONJUR_PROJECT_NAME.svc.cluster.local \ + --master-altnames localhost,conjur-master.$CONJUR_CONTEXT_NAME.svc.cluster.local \ + --follower-altnames conjur-follower,conjur-follower.$CONJUR_CONTEXT_NAME.svc.cluster.local \ -p $CONJUR_ADMIN_PASSWORD \ $CONJUR_ACCOUNT diff --git a/deploy/5_create_load_balancer.sh b/deploy/5_create_load_balancer.sh index 5dee806..7a9236b 100755 --- a/deploy/5_create_load_balancer.sh +++ b/deploy/5_create_load_balancer.sh @@ -5,9 +5,9 @@ set -eou pipefail announce "Creating load balancer for master and standbys." -set_project $CONJUR_PROJECT_NAME +set_context $CONJUR_CONTEXT_NAME -docker_image=${DOCKER_REGISTRY_PATH}/haproxy:$CONJUR_PROJECT_NAME +docker_image=${DOCKER_REGISTRY_PATH}/haproxy:$CONJUR_CONTEXT_NAME sed -e "s#{{ DOCKER_IMAGE }}#$docker_image#g" ./manifests/haproxy-conjur-master.yaml | kubectl create -f - diff --git a/deploy/6_configure_standbys.sh b/deploy/6_configure_standbys.sh index 9483002..588c0ae 100755 --- a/deploy/6_configure_standbys.sh +++ b/deploy/6_configure_standbys.sh 
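Review bot: The rewritten `evoke configure master` invocation in deploy/4_configure_master.sh still passes the admin password on the command line (`-p $CONJUR_ADMIN_PASSWORD`), where it is visible in the pod's process list and, when API auditing is enabled, in the audit record of the `kubectl exec` request whose URL carries the command; the rename does not change this. If `evoke` accepts the password from stdin or a file, that path is preferable; at minimum quote it, `-p "$CONJUR_ADMIN_PASSWORD"`, and quote the two renamed `--master-altnames`/`--follower-altnames` values the same way, since the namespace variable is unquoted there too. The same lines recur unchanged in the second commit's hunk for this file.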
@@ -5,7 +5,7 @@ set -eou pipefail announce "Configuring standbys." -set_project $CONJUR_PROJECT_NAME +set_context $CONJUR_CONTEXT_NAME master_pod_name=$(get_master_pod_name) diff --git a/deploy/7_configure_followers.sh b/deploy/7_configure_followers.sh index 86c2aa0..5a5c975 100755 --- a/deploy/7_configure_followers.sh +++ b/deploy/7_configure_followers.sh @@ -5,7 +5,7 @@ set -eou pipefail announce "Configuring followers." -set_project $CONJUR_PROJECT_NAME +set_context $CONJUR_CONTEXT_NAME master_pod_name=$(get_master_pod_name) diff --git a/deploy/8_print_config.sh b/deploy/8_print_config.sh index 8a4e28a..173f878 100755 --- a/deploy/8_print_config.sh +++ b/deploy/8_print_config.sh @@ -3,7 +3,7 @@ set -eou pipefail . utils.sh -set_project $CONJUR_PROJECT_NAME +set_context $CONJUR_CONTEXT_NAME api_key=$(rotate_api_key) @@ -13,7 +13,7 @@ Conjur cluster is ready. Addresses for the Conjur Master service: Inside the cluster: - conjur-master.$CONJUR_PROJECT_NAME.svc.cluster.local + conjur-master.$CONJUR_CONTEXT_NAME.svc.cluster.local Outside the cluster: kubectl port-forward svc/test-app 1234:80 diff --git a/deploy/README.md b/deploy/README.md index 4403c0c..808ee16 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -14,17 +14,17 @@ variables need to be set before deploying. To deploy Conjur, you will first need access to a Kubernetes deployment and must be conneceted to it using `kubectl`, -with a user that has sufficient privileges to create Kubernetes projects: +with a user that has sufficient privileges to create Kubernetes contexts: ``` oc login https://: -u ``` -Finally, you must specify a name for the Kubernetes project in which you'd like +Finally, you must specify a name for the Kubernetes context in which you'd like to deploy the Conjur cluster: ``` -export CONJUR_PROJECT_NAME=conjur +export CONJUR_CONTEXT_NAME=conjur ``` ### Docker 
@@ -79,7 +79,7 @@ sequence to create and configure a Conjur cluster comprised of one Master, two Standbys, and two read-only Followers. Please note that the deploy scripts grant the `anyuid` SCC to the `default` -service account in the project that contains Conjur as configuring standbys and +service account in the context that contains Conjur as configuring standbys and followers requires root access. When the deploy scripts finish, they will print out the URL and credentials that diff --git a/deploy/build/conjur_server/build.sh b/deploy/build/conjur_server/build.sh index db74d56..54eec29 100755 --- a/deploy/build/conjur_server/build.sh +++ b/deploy/build/conjur_server/build.sh @@ -2,4 +2,4 @@ set -eou pipefail # builds Conjur Appliance with /etc/conjur.json (contains memory allocation config for pg) -docker build -t conjur-appliance:$CONJUR_PROJECT_NAME -f Dockerfile . +docker build -t conjur-appliance:$CONJUR_CONTEXT_NAME -f Dockerfile . diff --git a/deploy/build/haproxy/build.sh b/deploy/build/haproxy/build.sh index f919bb4..e89e568 100755 --- a/deploy/build/haproxy/build.sh +++ b/deploy/build/haproxy/build.sh @@ -1,4 +1,4 @@ #!/bin/bash set -eou pipefail -docker build -t haproxy:$CONJUR_PROJECT_NAME . +docker build -t haproxy:$CONJUR_CONTEXT_NAME . diff --git a/deploy/start b/deploy/start index 680fcf8..af51c04 100755 --- a/deploy/start +++ b/deploy/start @@ -5,7 +5,7 @@ set -eou pipefail stop -1_create_kubernetes_project.sh +1_create_conjur_context.sh 2_build_and_push_containers.sh 3_deploy_conjur_cluster.sh 4_configure_master.sh diff --git a/deploy/stop b/deploy/stop index c4ee204..cac3c45 100755 --- a/deploy/stop +++ b/deploy/stop 
@@ -3,17 +3,17 @@ set -eou pipefail . utils.sh -set_project default +set_context default -if has_project $CONJUR_PROJECT_NAME; then - kubectl delete namespace $CONJUR_PROJECT_NAME +if has_context $CONJUR_CONTEXT_NAME; then + kubectl delete namespace $CONJUR_CONTEXT_NAME - printf "Waiting for $CONJUR_PROJECT_NAME project deletion to complete" + printf "Waiting for $CONJUR_CONTEXT_NAME context deletion to complete" while : ; do printf "..." - if has_project "$CONJUR_PROJECT_NAME"; then + if has_context "$CONJUR_CONTEXT_NAME"; then sleep 5 else break diff --git a/deploy/utils.sh b/deploy/utils.sh index 8c9d21f..c6a5e2f 100755 --- a/deploy/utils.sh +++ b/deploy/utils.sh @@ -23,7 +23,7 @@ environment_domain() { echo ${env_url/$protocol/} } -has_project() { +has_context() { if kubectl get namespace "$1" 2> /dev/null; then true else @@ -32,8 +32,8 @@ has_project() { } docker_tag_and_push() { - docker_tag="${DOCKER_REGISTRY_PATH}/$1:$CONJUR_PROJECT_NAME" - docker tag $1:$CONJUR_PROJECT_NAME $docker_tag + docker_tag="${DOCKER_REGISTRY_PATH}/$1:$CONJUR_CONTEXT_NAME" + docker tag $1:$CONJUR_CONTEXT_NAME $docker_tag docker push $docker_tag } @@ -62,9 +62,9 @@ mastercmd() { fi } -set_project() { +set_context() { # general utility for switching namespaces/contexts in kubernetes - # expects exactly 1 argument, a project name. + # expects exactly 1 argument, a context name. if [[ $# != 1 ]]; then printf "Error in %s/%s - expecting 1 arg.\n" $(pwd) $0 exit -1 @@ -105,7 +105,7 @@ function wait_for_it() { } rotate_api_key() { - set_project $CONJUR_PROJECT_NAME + set_context $CONJUR_CONTEXT_NAME master_pod_name=$(get_master_pod_name) From 02a27b61a676f33e122b7cd089fce5d2b0e6d224 Mon Sep 17 00:00:00 2001 
From: John Tuttle Date: Fri, 13 Apr 2018 10:24:22 -0400 Subject: [PATCH 06/21] rename context to namespace --- demo/0_check_dependencies.sh | 4 ++-- demo/1_initialize_conjur.sh | 2 +- demo/2_load_conjur_policies.sh | 6 ++--- demo/3_init_conjur_cert_authority.sh | 2 +- demo/4_create_test_app_context.sh | 23 ------------------- demo/4_create_test_app_namespace.sh | 23 +++++++++++++++++++ demo/5_store_conjur_cert.sh | 8 +++---- demo/7_deploy_test_app.sh | 12 +++++----- demo/8_retrieve_secret.sh | 2 +- demo/README.md | 6 ++--- ...app-conjur-authenticator-role-binding.yaml | 4 ++-- demo/policy/authn-k8s.template.yml | 8 +++---- demo/rotate | 2 +- demo/start | 2 +- demo/stop | 10 ++++---- demo/test_app/build/build.sh | 2 +- demo/test_app/test_app.yaml | 8 +++---- demo/utils.sh | 12 +++++----- deploy/0_check_dependencies.sh | 2 +- ...ontext.sh => 1_create_conjur_namespace.sh} | 16 ++++++------- deploy/3_deploy_conjur_cluster.sh | 2 +- deploy/4_configure_master.sh | 6 ++--- deploy/5_create_load_balancer.sh | 4 ++-- deploy/6_configure_standbys.sh | 2 +- deploy/7_configure_followers.sh | 2 +- deploy/8_print_config.sh | 4 ++-- deploy/README.md | 8 +++---- deploy/build/conjur_server/build.sh | 2 +- deploy/build/haproxy/build.sh | 2 +- deploy/start | 2 +- deploy/stop | 10 ++++---- deploy/utils.sh | 14 +++++------ 32 files changed, 106 insertions(+), 106 deletions(-) delete mode 100755 demo/4_create_test_app_context.sh create mode 100755 demo/4_create_test_app_namespace.sh rename deploy/{1_create_conjur_context.sh => 1_create_conjur_namespace.sh} (64%) diff --git a/demo/0_check_dependencies.sh b/demo/0_check_dependencies.sh index 804ea11..c17de63 100755 --- a/demo/0_check_dependencies.sh +++ b/demo/0_check_dependencies.sh 
@@ -9,9 +9,9 @@ case "$choice" in * ) echo "You must login to a Kubernetes cluster before running this demo." && exit 1;; esac -check_env_var "CONJUR_CONTEXT_NAME" +check_env_var "CONJUR_NAMESPACE_NAME" check_env_var "DOCKER_REGISTRY_URL" check_env_var "DOCKER_REGISTRY_PATH" check_env_var "CONJUR_ACCOUNT" check_env_var "CONJUR_ADMIN_PASSWORD" -check_env_var "TEST_APP_CONTEXT_NAME" +check_env_var "TEST_APP_NAMESPACE_NAME" diff --git a/demo/1_initialize_conjur.sh b/demo/1_initialize_conjur.sh index 3ccd654..2bc7c01 100755 --- a/demo/1_initialize_conjur.sh +++ b/demo/1_initialize_conjur.sh @@ -5,7 +5,7 @@ set -eou pipefail announce "Initializing Conjur." -set_context $CONJUR_CONTEXT_NAME +set_namespace $CONJUR_NAMESPACE_NAME conjur_master=$(get_master_pod_name) diff --git a/demo/2_load_conjur_policies.sh b/demo/2_load_conjur_policies.sh index 21eb2f2..b5e23e9 100755 --- a/demo/2_load_conjur_policies.sh +++ b/demo/2_load_conjur_policies.sh @@ -5,7 +5,7 @@ set -eou pipefail announce "Loading Conjur policy." -set_context $CONJUR_CONTEXT_NAME +set_namespace $CONJUR_NAMESPACE_NAME conjur_master=$(get_master_pod_name) @@ -16,9 +16,9 @@ kubectl exec $conjur_master -- conjur plugin install policy pushd policy sed -e "s#{{ SERVICE_ID }}#$AUTHENTICATOR_SERVICE_ID#g" ./authn-k8s.template.yml | - sed -e "s#{{ TEST_APP_CONTEXT_NAME }}#$TEST_APP_CONTEXT_NAME#g" > ./authn-k8s.yml + sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./authn-k8s.yml - sed -e "s#{{ TEST_APP_CONTEXT_NAME }}#$TEST_APP_CONTEXT_NAME#g" ./apps.template.yml > ./apps.yml + sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./apps.template.yml > ./apps.yml popd kubectl cp ./policy conjur-cluster-1396572337-c7265:/policy diff --git a/demo/3_init_conjur_cert_authority.sh b/demo/3_init_conjur_cert_authority.sh index 4c0076e..b6e603f 100755 --- a/demo/3_init_conjur_cert_authority.sh +++ b/demo/3_init_conjur_cert_authority.sh 
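Review bot: The `kubectl cp ./policy conjur-cluster-1396572337-c7265:/policy` line in demo/2_load_conjur_policies.sh targets a pod name from one specific deployment, so the script fails on any other cluster even though the earlier hunk in this file already resolves the master pod into `conjur_master`; it should read `kubectl cp ./policy "$conjur_master:/policy"`. The renamed sed lines interpolate `$TEST_APP_NAMESPACE_NAME` directly into the `s#…#…#g` expression, so a value containing `#`, `&` or a backslash changes the substitution instead of being inserted literally; the same pattern appears in the 4_create_test_app_namespace.sh and 7_deploy_test_app.sh hunks. Validating the name once in 0_check_dependencies.sh against the DNS-label form Kubernetes requires for namespaces, `[[ "$TEST_APP_NAMESPACE_NAME" =~ ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ ]]`, would rule that out for all of them.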
@@ -5,7 +5,7 @@ set -eou pipefail announce "Initializing Conjur certificate authority." -set_context $CONJUR_CONTEXT_NAME +set_namespace $CONJUR_NAMESPACE_NAME conjur_master=$(get_master_pod_name) diff --git a/demo/4_create_test_app_context.sh b/demo/4_create_test_app_context.sh deleted file mode 100755 index b381c2a..0000000 --- a/demo/4_create_test_app_context.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/bash -set -eou pipefail - -. utils.sh - -announce "Creating Test App context." - -set_context default - -if has_context "$TEST_APP_CONTEXT_NAME"; then - echo "Context '$TEST_APP_CONTEXT_NAME' exists, not going to create it." - set_context $TEST_APP_CONTEXT_NAME -else - echo "Creating '$TEST_APP_CONTEXT_NAME' context." - kubectl create namespace $TEST_APP_CONTEXT_NAME - set_context $TEST_APP_CONTEXT_NAME -fi - -kubectl delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding - -sed -e "s#{{ TEST_APP_CONTEXT_NAME }}#$TEST_APP_CONTEXT_NAME#g" ./manifests/test-app-conjur-authenticator-role-binding.yaml | - sed -e "s#{{ CONJUR_CONTEXT_NAME }}#$CONJUR_CONTEXT_NAME#g" | - kubectl create -f - diff --git a/demo/4_create_test_app_namespace.sh b/demo/4_create_test_app_namespace.sh new file mode 100755 index 0000000..6162701 --- /dev/null +++ b/demo/4_create_test_app_namespace.sh 
@@ -0,0 +1,23 @@ +#!/bin/bash +set -eou pipefail + +. utils.sh + +announce "Creating Test App namespace." + +set_namespace default + +if has_namespace "$TEST_APP_NAMESPACE_NAME"; then + echo "Namespace '$TEST_APP_NAMESPACE_NAME' exists, not going to create it." + set_namespace $TEST_APP_NAMESPACE_NAME +else + echo "Creating '$TEST_APP_NAMESPACE_NAME' namespace." + kubectl create namespace $TEST_APP_NAMESPACE_NAME + set_namespace $TEST_APP_NAMESPACE_NAME +fi + +kubectl delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding + +sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./manifests/test-app-conjur-authenticator-role-binding.yaml | + sed -e "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" | + kubectl create -f - diff --git a/demo/5_store_conjur_cert.sh b/demo/5_store_conjur_cert.sh index 97608ab..0194273 100755 --- a/demo/5_store_conjur_cert.sh +++ b/demo/5_store_conjur_cert.sh @@ -5,20 +5,20 @@ set -eou pipefail announce "Storing Conjur cert for test app configuration." -set_context $CONJUR_CONTEXT_NAME +set_namespace $CONJUR_NAMESPACE_NAME echo "Retrieving Conjur certificate." follower_pod_name=$(kubectl get pods -l role=follower --no-headers | awk '{ print $1 }' | head -1) ssl_cert=$(kubectl exec $follower_pod_name -- cat /opt/conjur/etc/ssl/conjur.pem) -set_context $TEST_APP_CONTEXT_NAME +set_namespace $TEST_APP_NAMESPACE_NAME echo "Storing non-secret conjur cert as test app configuration data" -kubectl delete --ignore-not-found=true configmap $TEST_APP_CONTEXT_NAME +kubectl delete --ignore-not-found=true configmap $TEST_APP_NAMESPACE_NAME # Store the Conjur cert in a ConfigMap. -kubectl create configmap $TEST_APP_CONTEXT_NAME --from-file=ssl-certificate=<(echo "$ssl_cert") +kubectl create configmap $TEST_APP_NAMESPACE_NAME --from-file=ssl-certificate=<(echo "$ssl_cert") echo "Conjur cert stored." diff --git a/demo/7_deploy_test_app.sh b/demo/7_deploy_test_app.sh index bd5b266..097381f 100755 
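Review bot: In the new demo/4_create_test_app_namespace.sh, `$TEST_APP_NAMESPACE_NAME` is quoted in the `has_namespace` test but unquoted in the `kubectl create namespace` call and both `set_namespace` calls, so an empty or whitespace-containing value makes `set_namespace` trip its own one-argument check or acts on the wrong namespace; quote it throughout, `kubectl create namespace "$TEST_APP_NAMESPACE_NAME"`. The file is the old script with the rename applied, so a `git mv` (as this commit does for deploy/1_create_conjur_namespace.sh) would preserve its history instead of the delete/create pair shown here. The RoleBinding it applies grants the `default` service account of the Conjur namespace a role inside the test-app namespace; a comment stating why that cross-namespace grant is needed — presumably so the authn-k8s authenticator can inspect pods in this namespace — would help readers judge its scope, e.g. `# Lets Conjur's authenticator service account read pods here to validate authn-k8s requests.`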
--- a/demo/7_deploy_test_app.sh +++ b/demo/7_deploy_test_app.sh @@ -5,7 +5,7 @@ set -eou pipefail announce "Deploying test app." -set_context $TEST_APP_CONTEXT_NAME +set_namespace $TEST_APP_NAMESPACE_NAME # TODO Set credentials for Docker registry that isn't GKE. @@ -14,14 +14,14 @@ kubectl delete --ignore-not-found service test-app sleep 5 -test_app_docker_image=$DOCKER_REGISTRY_PATH/test-app:$CONJUR_CONTEXT_NAME +test_app_docker_image=$DOCKER_REGISTRY_PATH/test-app:$CONJUR_NAMESPACE_NAME sed -e "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_app_docker_image#g" ./test_app/test_app.yaml | sed -e "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | - sed -e "s#{{ CONJUR_CONTEXT_NAME }}#$CONJUR_CONTEXT_NAME#g" | - sed -e "s#{{ TEST_APP_CONTEXT_NAME }}#$TEST_APP_CONTEXT_NAME#g" | + sed -e "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" | + sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | sed -e "s#{{ SERVICE_ID }}#$AUTHENTICATOR_SERVICE_ID#g" | - sed -e "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_CONTEXT_NAME#g" | + sed -e "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | kubectl create -f - sleep 20 @@ -34,7 +34,7 @@ Test app is ready. Addresses for the Test App service: Inside the cluster: - test-app.$CONJUR_CONTEXT_NAME.svc.cluster.local + test-app.$CONJUR_NAMESPACE_NAME.svc.cluster.local Outside the cluster: For now you have to port forward the service using kubectl, because HTTPS :) diff --git a/demo/8_retrieve_secret.sh b/demo/8_retrieve_secret.sh index 6dd2f15..0f5dfd1 100755 --- a/demo/8_retrieve_secret.sh +++ b/demo/8_retrieve_secret.sh @@ -5,7 +5,7 @@ set -eou pipefail announce "Retrieving secret using Conjur access token." -set_context $TEST_APP_CONTEXT_NAME +set_namespace $TEST_APP_NAMESPACE_NAME test_app_pod=$(kubectl get pods --no-headers | awk '{ print $1 }') diff --git a/demo/README.md b/demo/README.md index daf4a7e..2376d6e 100644 --- a/demo/README.md +++ b/demo/README.md 
@@ -16,11 +16,11 @@ policy that you would not want to be present in your production environment. ### Script Configuration -You will need to provide a name for the kubernetes context in which your test app +You will need to provide a name for the kubernetes namespace in which your test app will be deployed: ``` -export TEST_APP_CONTEXT_NAME=test-app +export TEST_APP_NAMESPACE_NAME=test-app ``` You will also need to set several environment variables to match the values used @@ -28,7 +28,7 @@ when configuring your Conjur deployment. Note that if you may already have these variables set if you're using the same shell to run the demo: ``` -export CONJUR_CONTEXT_NAME= +export CONJUR_NAMESPACE_NAME= export DOCKER_REGISTRY_PATH=docker-registry-. export CONJUR_ACCOUNT= export CONJUR_ADMIN_PASSWORD= diff --git a/demo/manifests/test-app-conjur-authenticator-role-binding.yaml b/demo/manifests/test-app-conjur-authenticator-role-binding.yaml index 4741bc1..6d3d54c 100644 --- a/demo/manifests/test-app-conjur-authenticator-role-binding.yaml +++ b/demo/manifests/test-app-conjur-authenticator-role-binding.yaml @@ -3,11 +3,11 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 # TODO: change this to match your k8s version metadata: name: test-app-conjur-authenticator-role-binding - namespace: {{ TEST_APP_CONTEXT_NAME }} + namespace: {{ TEST_APP_NAMESPACE_NAME }} subjects: - kind: ServiceAccount name: default - namespace: {{ CONJUR_CONTEXT_NAME }} + namespace: {{ CONJUR_NAMESPACE_NAME }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/demo/policy/authn-k8s.template.yml b/demo/policy/authn-k8s.template.yml index 3d51b17..b165267 100644 --- a/demo/policy/authn-k8s.template.yml +++ b/demo/policy/authn-k8s.template.yml 
@@ -40,12 +40,12 @@ - &hosts - !host - id: {{ TEST_APP_CONTEXT_NAME }}/*/* + id: {{ TEST_APP_NAMESPACE_NAME }}/*/* annotations: kubernetes/authentication-container-name: authenticator kubernetes: "true" - !host - id: {{ TEST_APP_CONTEXT_NAME }}/service_account/test-app + id: {{ TEST_APP_NAMESPACE_NAME }}/service_account/test-app annotations: kubernetes/authentication-container-name: authenticator kubernetes: "true" @@ -53,8 +53,8 @@ - !grant role: !layer /test-app members: - - !host {{ TEST_APP_CONTEXT_NAME }}/*/* - - !host {{ TEST_APP_CONTEXT_NAME }}/service_account/test-app + - !host {{ TEST_APP_NAMESPACE_NAME }}/*/* + - !host {{ TEST_APP_NAMESPACE_NAME }}/service_account/test-app - !grant role: !layer diff --git a/demo/rotate b/demo/rotate index bcdbc8a..70495e4 100755 --- a/demo/rotate +++ b/demo/rotate @@ -5,7 +5,7 @@ set -eou pipefail announce "Rotating password." -set_context $CONJUR_CONTEXT_NAME +set_namespace $CONJUR_NAMESPACE_NAME conjur_master=$(get_master_pod_name) new_pwd=$(openssl rand -hex 12) diff --git a/demo/start b/demo/start index 1a5e837..7f9e6ae 100755 --- a/demo/start +++ b/demo/start @@ -8,7 +8,7 @@ stop 1_initialize_conjur.sh 2_load_conjur_policies.sh 3_init_conjur_cert_authority.sh -4_create_test_app_context.sh +4_create_test_app_namespace.sh 5_store_conjur_cert.sh 6_build_and_push_containers.sh 7_deploy_test_app.sh diff --git a/demo/stop b/demo/stop index c5b5a83..edc8f83 100755 --- a/demo/stop +++ b/demo/stop 
@@ -3,17 +3,17 @@ set -eou pipefail . utils.sh -set_context default +set_namespace default -if has_context $TEST_APP_CONTEXT_NAME; then - kubectl delete namespace $TEST_APP_CONTEXT_NAME +if has_namespace $TEST_APP_NAMESPACE_NAME; then + kubectl delete namespace $TEST_APP_NAMESPACE_NAME - printf "Waiting for $TEST_APP_CONTEXT_NAME context deletion to complete" + printf "Waiting for $TEST_APP_NAMESPACE_NAME namespace deletion to complete" while : ; do printf "..." - if has_context "$TEST_APP_CONTEXT_NAME"; then + if has_namespace "$TEST_APP_NAMESPACE_NAME"; then sleep 5 else break diff --git a/demo/test_app/build/build.sh b/demo/test_app/build/build.sh index 39a39dc..2560156 100755 --- a/demo/test_app/build/build.sh +++ b/demo/test_app/build/build.sh @@ -1,4 +1,4 @@ #!/bin/bash set -eou pipefail -docker build -t test-app:$CONJUR_CONTEXT_NAME . +docker build -t test-app:$CONJUR_NAMESPACE_NAME . diff --git a/demo/test_app/test_app.yaml b/demo/test_app/test_app.yaml index 5fde7bc..b666217 100644 --- a/demo/test_app/test_app.yaml +++ b/demo/test_app/test_app.yaml @@ -40,7 +40,7 @@ spec: name: test-app env: - name: CONJUR_APPLIANCE_URL - value: https://conjur-follower.{{ CONJUR_CONTEXT_NAME }}.svc.cluster.local/api + value: https://conjur-follower.{{ CONJUR_NAMESPACE_NAME }}.svc.cluster.local/api - name: CONJUR_ACCOUNT value: {{ CONJUR_ACCOUNT }} - name: CONJUR_SSL_CERTIFICATE 
@@ -69,13 +69,13 @@ spec: fieldRef: fieldPath: status.podIP - name: CONJUR_APPLIANCE_URL - value: https://conjur-follower.{{ CONJUR_CONTEXT_NAME }}.svc.cluster.local/api + value: https://conjur-follower.{{ CONJUR_NAMESPACE_NAME }}.svc.cluster.local/api - name: CONJUR_AUTHN_URL - value: https://conjur-follower.{{ CONJUR_CONTEXT_NAME }}.svc.cluster.local/api/authn-k8s/{{ SERVICE_ID }} + value: https://conjur-follower.{{ CONJUR_NAMESPACE_NAME }}.svc.cluster.local/api/authn-k8s/{{ SERVICE_ID }} - name: CONJUR_ACCOUNT value: {{ CONJUR_ACCOUNT }} - name: CONJUR_AUTHN_LOGIN - value: {{ TEST_APP_CONTEXT_NAME }}/service_account/test-app + value: {{ TEST_APP_NAMESPACE_NAME }}/service_account/test-app - name: CONJUR_SSL_CERTIFICATE valueFrom: configMapKeyRef: diff --git a/demo/utils.sh b/demo/utils.sh index 239ac72..0b7cf9a 100755 --- a/demo/utils.sh +++ b/demo/utils.sh @@ -17,7 +17,7 @@ announce() { echo "++++++++++++++++++++++++++++++++++++++" } -has_context() { +has_namespace() { if kubectl get namespace "$1" 2> /dev/null; then true else @@ -26,8 +26,8 @@ has_context() { } docker_tag_and_push() { - docker_tag="${DOCKER_REGISTRY_PATH}/$1:$CONJUR_CONTEXT_NAME" - docker tag $1:$CONJUR_CONTEXT_NAME $docker_tag + docker_tag="${DOCKER_REGISTRY_PATH}/$1:$CONJUR_NAMESPACE_NAME" + docker tag $1:$CONJUR_NAMESPACE_NAME $docker_tag docker push $docker_tag } @@ -48,9 +48,9 @@ run_conjur_cmd_as_admin() { echo "$output" } -set_context() { - # general utility for switching contexts in kubernetes - # expects exactly 1 argument, a context name. +set_namespace() { + # general utility for switching namespaces in kubernetes + # expects exactly 1 argument, a namespace name. if [[ $# != 1 ]]; then printf "Error in %s/%s - expecting 1 arg.\n" $(pwd) $0 exit -1 diff --git a/deploy/0_check_dependencies.sh b/deploy/0_check_dependencies.sh index 9cf02f8..03b6373 100755 --- a/deploy/0_check_dependencies.sh +++ b/deploy/0_check_dependencies.sh 
@@ -11,7 +11,7 @@ case "$choice" in * ) echo "You must login to a Kubernetes cluster before running this demo." && exit 1;; esac -check_env_var "CONJUR_CONTEXT_NAME" +check_env_var "CONJUR_NAMESPACE_NAME" check_env_var "DOCKER_REGISTRY_URL" check_env_var "DOCKER_REGISTRY_PATH" check_env_var "CONJUR_ACCOUNT" diff --git a/deploy/1_create_conjur_context.sh b/deploy/1_create_conjur_namespace.sh similarity index 64% rename from deploy/1_create_conjur_context.sh rename to deploy/1_create_conjur_namespace.sh index db7583c..e454aec 100755 --- a/deploy/1_create_conjur_context.sh +++ b/deploy/1_create_conjur_namespace.sh @@ -3,17 +3,17 @@ set -eou pipefail . utils.sh -announce "Creating Conjur context." +announce "Creating Conjur namespace." -set_context default +set_namespace default -if has_context "$CONJUR_CONTEXT_NAME"; then - echo "Context '$CONJUR_CONTEXT_NAME' exists, not going to create it." - set_context $CONJUR_CONTEXT_NAME +if has_namespace "$CONJUR_NAMESPACE_NAME"; then + echo "Namespace '$CONJUR_NAMESPACE_NAME' exists, not going to create it." + set_namespace $CONJUR_NAMESPACE_NAME else - echo "Creating '$CONJUR_CONTEXT_NAME' context." - kubectl create namespace "$CONJUR_CONTEXT_NAME" - set_context $CONJUR_CONTEXT_NAME + echo "Creating '$CONJUR_NAMESPACE_NAME' namespace." + kubectl create namespace "$CONJUR_NAMESPACE_NAME" + set_namespace $CONJUR_NAMESPACE_NAME fi # Must run as root to unpack Conjur seed files on standbys for high availability. diff --git a/deploy/3_deploy_conjur_cluster.sh b/deploy/3_deploy_conjur_cluster.sh index 9ec7497..d3c3cb8 100755 --- a/deploy/3_deploy_conjur_cluster.sh +++ b/deploy/3_deploy_conjur_cluster.sh @@ -5,7 +5,7 @@ set -eou pipefail announce "Creating Conjur cluster." -set_context $CONJUR_CONTEXT_NAME +set_namespace $CONJUR_NAMESPACE_NAME kubectl delete --ignore-not-found secrets conjurregcred # Set credentials for Docker registry. 
diff --git a/deploy/4_configure_master.sh b/deploy/4_configure_master.sh index b99888d..cb1856e 100755 --- a/deploy/4_configure_master.sh +++ b/deploy/4_configure_master.sh @@ -5,7 +5,7 @@ set -eou pipefail announce "Configuring master pod." -set_context $CONJUR_CONTEXT_NAME +set_namespace $CONJUR_NAMESPACE_NAME master_pod_name=$(get_master_pod_name) @@ -17,8 +17,8 @@ kubectl cp build/conjur_server/conjur.json $master_pod_name:/etc/conjur.json kubectl exec $master_pod_name -- evoke configure master \ -j /etc/conjur.json \ -h conjur-master \ - --master-altnames localhost,conjur-master.$CONJUR_CONTEXT_NAME.svc.cluster.local \ - --follower-altnames conjur-follower,conjur-follower.$CONJUR_CONTEXT_NAME.svc.cluster.local \ + --master-altnames localhost,conjur-master.$CONJUR_NAMESPACE_NAME.svc.cluster.local \ + --follower-altnames conjur-follower,conjur-follower.$CONJUR_NAMESPACE_NAME.svc.cluster.local \ -p $CONJUR_ADMIN_PASSWORD \ $CONJUR_ACCOUNT diff --git a/deploy/5_create_load_balancer.sh b/deploy/5_create_load_balancer.sh index 7a9236b..615e439 100755 --- a/deploy/5_create_load_balancer.sh +++ b/deploy/5_create_load_balancer.sh @@ -5,9 +5,9 @@ set -eou pipefail announce "Creating load balancer for master and standbys." -set_context $CONJUR_CONTEXT_NAME +set_namespace $CONJUR_NAMESPACE_NAME -docker_image=${DOCKER_REGISTRY_PATH}/haproxy:$CONJUR_CONTEXT_NAME +docker_image=${DOCKER_REGISTRY_PATH}/haproxy:$CONJUR_NAMESPACE_NAME sed -e "s#{{ DOCKER_IMAGE }}#$docker_image#g" ./manifests/haproxy-conjur-master.yaml | kubectl create -f - diff --git a/deploy/6_configure_standbys.sh b/deploy/6_configure_standbys.sh index 588c0ae..4592c2f 100755 --- a/deploy/6_configure_standbys.sh +++ b/deploy/6_configure_standbys.sh @@ -5,7 +5,7 @@ set -eou pipefail announce "Configuring standbys." -set_context $CONJUR_CONTEXT_NAME +set_namespace $CONJUR_NAMESPACE_NAME master_pod_name=$(get_master_pod_name) 
diff --git a/deploy/7_configure_followers.sh b/deploy/7_configure_followers.sh index 5a5c975..f6026cb 100755 --- a/deploy/7_configure_followers.sh +++ b/deploy/7_configure_followers.sh @@ -5,7 +5,7 @@ set -eou pipefail announce "Configuring followers." -set_context $CONJUR_CONTEXT_NAME +set_namespace $CONJUR_NAMESPACE_NAME master_pod_name=$(get_master_pod_name) diff --git a/deploy/8_print_config.sh b/deploy/8_print_config.sh index 173f878..2675812 100755 --- a/deploy/8_print_config.sh +++ b/deploy/8_print_config.sh @@ -3,7 +3,7 @@ set -eou pipefail . utils.sh -set_context $CONJUR_CONTEXT_NAME +set_namespace $CONJUR_NAMESPACE_NAME api_key=$(rotate_api_key) @@ -13,7 +13,7 @@ Conjur cluster is ready. Addresses for the Conjur Master service: Inside the cluster: - conjur-master.$CONJUR_CONTEXT_NAME.svc.cluster.local + conjur-master.$CONJUR_NAMESPACE_NAME.svc.cluster.local Outside the cluster: kubectl port-forward svc/test-app 1234:80 diff --git a/deploy/README.md b/deploy/README.md index 808ee16..ee54818 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -14,17 +14,17 @@ variables need to be set before deploying. To deploy Conjur, you will first need access to a Kubernetes deployment and must be conneceted to it using `kubectl`, -with a user that has sufficient privileges to create Kubernetes contexts: +with a user that has sufficient privileges to create Kubernetes namespaces: ``` oc login https://: -u ``` -Finally, you must specify a name for the Kubernetes context in which you'd like +Finally, you must specify a name for the Kubernetes namespace in which you'd like to deploy the Conjur cluster: ``` -export CONJUR_CONTEXT_NAME=conjur +export CONJUR_NAMESPACE_NAME=conjur ``` ### Docker 
@@ -79,7 +79,7 @@ sequence to create and configure a Conjur cluster comprised of one Master, two Standbys, and two read-only Followers. Please note that the deploy scripts grant the `anyuid` SCC to the `default` -service account in the context that contains Conjur as configuring standbys and +service account in the namespace that contains Conjur as configuring standbys and followers requires root access. When the deploy scripts finish, they will print out the URL and credentials that diff --git a/deploy/build/conjur_server/build.sh b/deploy/build/conjur_server/build.sh index 54eec29..ba6fa4c 100755 --- a/deploy/build/conjur_server/build.sh +++ b/deploy/build/conjur_server/build.sh @@ -2,4 +2,4 @@ set -eou pipefail # builds Conjur Appliance with /etc/conjur.json (contains memory allocation config for pg) -docker build -t conjur-appliance:$CONJUR_CONTEXT_NAME -f Dockerfile . +docker build -t conjur-appliance:$CONJUR_NAMESPACE_NAME -f Dockerfile . diff --git a/deploy/build/haproxy/build.sh b/deploy/build/haproxy/build.sh index e89e568..24a2744 100755 --- a/deploy/build/haproxy/build.sh +++ b/deploy/build/haproxy/build.sh @@ -1,4 +1,4 @@ #!/bin/bash set -eou pipefail -docker build -t haproxy:$CONJUR_CONTEXT_NAME . +docker build -t haproxy:$CONJUR_NAMESPACE_NAME . diff --git a/deploy/start b/deploy/start index af51c04..f8ad0f8 100755 --- a/deploy/start +++ b/deploy/start @@ -5,7 +5,7 @@ set -eou pipefail stop -1_create_conjur_context.sh +1_create_conjur_namespace.sh 2_build_and_push_containers.sh 3_deploy_conjur_cluster.sh 4_configure_master.sh diff --git a/deploy/stop b/deploy/stop index cac3c45..2bfd270 100755 --- a/deploy/stop +++ b/deploy/stop 
@@ -3,17 +3,17 @@ set -eou pipefail . utils.sh -set_context default +set_namespace default -if has_context $CONJUR_CONTEXT_NAME; then - kubectl delete namespace $CONJUR_CONTEXT_NAME +if has_namespace $CONJUR_NAMESPACE_NAME; then + kubectl delete namespace $CONJUR_NAMESPACE_NAME - printf "Waiting for $CONJUR_CONTEXT_NAME context deletion to complete" + printf "Waiting for $CONJUR_NAMESPACE_NAME namespace deletion to complete" while : ; do printf "..." - if has_context "$CONJUR_CONTEXT_NAME"; then + if has_namespace "$CONJUR_NAMESPACE_NAME"; then sleep 5 else break diff --git a/deploy/utils.sh b/deploy/utils.sh index c6a5e2f..5e6590c 100755 --- a/deploy/utils.sh +++ b/deploy/utils.sh @@ -23,7 +23,7 @@ environment_domain() { echo ${env_url/$protocol/} } -has_context() { +has_namespace() { if kubectl get namespace "$1" 2> /dev/null; then true else @@ -32,8 +32,8 @@ has_context() { } docker_tag_and_push() { - docker_tag="${DOCKER_REGISTRY_PATH}/$1:$CONJUR_CONTEXT_NAME" - docker tag $1:$CONJUR_CONTEXT_NAME $docker_tag + docker_tag="${DOCKER_REGISTRY_PATH}/$1:$CONJUR_NAMESPACE_NAME" + docker tag $1:$CONJUR_NAMESPACE_NAME $docker_tag docker push $docker_tag } @@ -62,9 +62,9 @@ mastercmd() { fi } -set_context() { - # general utility for switching namespaces/contexts in kubernetes - # expects exactly 1 argument, a context name. +set_namespace() { + # general utility for switching namespaces in kubernetes + # expects exactly 1 argument, a namespace name. if [[ $# != 1 ]]; then printf "Error in %s/%s - expecting 1 arg.\n" $(pwd) $0 exit -1 @@ -105,7 +105,7 @@ function wait_for_it() { } rotate_api_key() { - set_context $CONJUR_CONTEXT_NAME + set_namespace $CONJUR_NAMESPACE_NAME master_pod_name=$(get_master_pod_name) From 445b6a7d605198efb3e0307460af4827d02c36b9 Mon Sep 17 00:00:00 2001 
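Review bot: The new `printf "Waiting for $CONJUR_NAMESPACE_NAME namespace deletion to complete"` places the variable inside the format string, so a namespace value containing `%` or a backslash sequence is interpreted by printf instead of printed; use `printf 'Waiting for %s namespace deletion to complete' "$CONJUR_NAMESPACE_NAME"`. In the same hunk the first `has_namespace $CONJUR_NAMESPACE_NAME` and the `kubectl delete namespace $CONJUR_NAMESPACE_NAME` line are unquoted while the later `has_namespace "$CONJUR_NAMESPACE_NAME"` is quoted; quoting all three keeps the destructive delete from ever acting on a word-split value. The `if` block this hunk rewrites ends outside the hunk.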
From: John Tuttle Date: Fri, 13 Apr 2018 17:05:39 -0400 Subject: [PATCH 07/21] use internal docker registry for conjur appliance, use external IP for master access --- deploy/2_build_and_push_containers.sh | 8 +++++++- deploy/3_deploy_conjur_cluster.sh | 6 +----- deploy/8_print_config.sh | 4 +++- deploy/manifests/conjur-cluster.yaml | 2 -- deploy/manifests/conjur-follower.yaml | 2 -- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/deploy/2_build_and_push_containers.sh b/deploy/2_build_and_push_containers.sh index 7b3883f..3766fe6 100755 --- a/deploy/2_build_and_push_containers.sh +++ b/deploy/2_build_and_push_containers.sh @@ -3,13 +3,19 @@ set -eou pipefail . utils.sh +announce "Pushing conjur-appliance image." + docker login -u oauth2accesstoken -p "$(gcloud auth application-default print-access-token)" $DOCKER_REGISTRY_URL +appliance_tag="$DOCKER_REGISTRY_PATH/conjur-appliance:$CONJUR_NAMESPACE_NAME" +docker tag conjur-appliance:4.9-stable $appliance_tag +docker push $appliance_tag + announce "Building and pushing haproxy image." pushd build/haproxy ./build.sh -popd +popd docker_tag_and_push "haproxy" diff --git a/deploy/3_deploy_conjur_cluster.sh b/deploy/3_deploy_conjur_cluster.sh index d3c3cb8..6556346 100755 --- a/deploy/3_deploy_conjur_cluster.sh +++ b/deploy/3_deploy_conjur_cluster.sh 
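Review bot: The new `docker tag` and `docker push` lines expand `$appliance_tag` unquoted even though the line that builds it from the operator-supplied `DOCKER_REGISTRY_PATH` is quoted; quote them consistently: `docker tag conjur-appliance:4.9-stable "$appliance_tag"` and `docker push "$appliance_tag"`. The new push also depends on the preceding `docker login ... -p "$(gcloud auth application-default print-access-token)"`, which places the registry access token on the command line where process listings and `set -x` can expose it; `gcloud auth application-default print-access-token | docker login -u oauth2accesstoken --password-stdin "$DOCKER_REGISTRY_URL"` keeps it off argv. Nothing checks that `conjur-appliance:4.9-stable` exists locally before tagging, so a missing image surfaces as a bare docker error rather than the README's instruction to tag it; a short `docker image inspect conjur-appliance:4.9-stable >/dev/null` with an explanatory message before the tag would help.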
@@ -7,11 +7,7 @@ announce "Creating Conjur cluster." set_namespace $CONJUR_NAMESPACE_NAME -kubectl delete --ignore-not-found secrets conjurregcred -# Set credentials for Docker registry. -kubectl create secret docker-registry conjurregcred --docker-server="registry2.itci.conjur.net" --docker-username="kumbirai.tanekha" --docker-password=$(conjur user rotate_api_key) --docker-email="kumbirai.tanekha@gmail.com" - -conjur_appliance_image=registry2.itci.conjur.net/conjur-appliance:4.9-stable +conjur_appliance_image=$DOCKER_REGISTRY_PATH/conjur-appliance:$CONJUR_NAMESPACE_NAME echo "deploying main cluster" sed -e "s#{{ CONJUR_APPLIANCE_IMAGE }}#$conjur_appliance_image#g" ./manifests/conjur-cluster.yaml | diff --git a/deploy/8_print_config.sh b/deploy/8_print_config.sh index 2675812..da869e6 100755 --- a/deploy/8_print_config.sh +++ b/deploy/8_print_config.sh @@ -7,6 +7,8 @@ set_namespace $CONJUR_NAMESPACE_NAME api_key=$(rotate_api_key) +conjur_master_ip=$(kubectl get services | grep conjur-master | awk '{ print $4 }') + announce " Conjur cluster is ready. @@ -16,7 +18,7 @@ Addresses for the Conjur Master service: conjur-master.$CONJUR_NAMESPACE_NAME.svc.cluster.local Outside the cluster: - kubectl port-forward svc/test-app 1234:80 + https://$conjur_master_ip:443 Conjur login credentials: admin / $api_key diff --git a/deploy/manifests/conjur-cluster.yaml b/deploy/manifests/conjur-cluster.yaml index 117f197..d3e66a1 100644 --- a/deploy/manifests/conjur-cluster.yaml +++ b/deploy/manifests/conjur-cluster.yaml @@ -30,5 +30,3 @@ spec: name: pg-main - containerPort: 5433 name: pg-audit - imagePullSecrets: - - name: conjurregcred diff --git a/deploy/manifests/conjur-follower.yaml b/deploy/manifests/conjur-follower.yaml index d9b379e..6278333 100644 --- a/deploy/manifests/conjur-follower.yaml +++ b/deploy/manifests/conjur-follower.yaml @@ -44,5 +44,3 @@ spec: name: pg-main - containerPort: 5433 name: pg-audit - imagePullSecrets: - - name: conjurregcred 
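Review bot: With the `conjurregcred` creation gone, the `kubectl delete --ignore-not-found secrets conjurregcred` cleanup is also dropped, so a secret left by an earlier run (when this script is re-run without `./start`, which appears to delete the whole namespace via `stop`) stays in the namespace holding the old registry credential; keeping the delete for a release, or noting it in the README, would clean that up. Since `imagePullSecrets` is also removed from conjur-cluster.yaml and conjur-follower.yaml (the two manifest hunks below), image pulls now rely on the nodes' own registry access, which is presumably the case for GCR on GKE but not for an arbitrary `DOCKER_REGISTRY_PATH`; a comment above the new `conjur_appliance_image=` line such as `# no pull secret: cluster nodes must have read access to $DOCKER_REGISTRY_PATH` would make that assumption explicit.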
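Review bot: `conjur_master_ip=$(kubectl get services | grep conjur-master | awk '{ print $4 }')` is fragile: the substring match also selects any other service whose name contains `conjur-master`, column 4 of the default table reads `<pending>` until the load balancer has been provisioned, and under `set -eou pipefail` a non-matching grep aborts the script. Querying the service by name, `conjur_master_ip=$(kubectl get service conjur-master -o jsonpath='{.status.loadBalancer.ingress[0].ip}')` (some providers populate `.hostname` instead), and waiting until the value is non-empty before the second hunk prints `https://$conjur_master_ip:443` would make the printed address reliable. That announce block also prints the rotated admin API key beside the URL, so a comment such as `# output contains the admin API key; do not capture it in shared logs` above the `announce` would be worth adding.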
From 1918a4a24e3cdb0071e20e4a423276bdc5fd098d Mon Sep 17 00:00:00 2001 
From: John Tuttle Date: Fri, 13 Apr 2018 17:17:46 -0400 Subject: [PATCH 08/21] remove demo, move deploy scripts to top folder --- ...dependencies.sh => 0_check_dependencies.sh | 0 ...mespace.sh => 1_create_conjur_namespace.sh | 0 ...iners.sh => 2_build_and_push_containers.sh | 0 ...r_cluster.sh => 3_deploy_conjur_cluster.sh | 0 ...nfigure_master.sh => 4_configure_master.sh | 0 ...d_balancer.sh => 5_create_load_balancer.sh | 0 ...ure_standbys.sh => 6_configure_standbys.sh | 0 ...e_followers.sh => 7_configure_followers.sh | 0 deploy/8_print_config.sh => 8_print_config.sh | 0 README.md | 95 ++++++++++++++++++- .../build => build}/conjur_server/Dockerfile | 0 .../build => build}/conjur_server/build.sh | 0 .../build => build}/conjur_server/conjur.json | 0 {deploy/build => build}/haproxy/Dockerfile | 0 {deploy/build => build}/haproxy/build.sh | 0 .../haproxy/conjur-health-check.sh | 0 {deploy/build => build}/haproxy/start.sh | 0 demo/.gitignore | 2 - demo/0_check_dependencies.sh | 17 ---- demo/1_initialize_conjur.sh | 18 ---- demo/2_load_conjur_policies.sh | 39 -------- demo/3_init_conjur_cert_authority.sh | 14 --- demo/4_create_test_app_namespace.sh | 23 ----- demo/5_store_conjur_cert.sh | 24 ----- demo/6_build_and_push_containers.sh | 14 --- demo/7_deploy_test_app.sh | 48 ---------- demo/8_retrieve_secret.sh | 12 --- demo/README.md | 46 --------- ...app-conjur-authenticator-role-binding.yaml | 14 --- demo/policy/apps.template.yml | 17 ---- demo/policy/authn-k8s.template.yml | 65 ------------- demo/policy/conjur.yml | 3 - demo/policy/users.yml | 17 ---- demo/rotate | 17 ---- demo/start | 15 --- demo/stop | 26 ----- demo/test_app/build/Dockerfile | 10 -- demo/test_app/build/build.sh | 4 - demo/test_app/build/secrets.yml | 1 - demo/test_app/build/test_app.rb | 36 ------- demo/test_app/test_app.yaml | 90 ------------------ demo/utils.sh | 76 --------------- deploy/.gitignore | 2 - deploy/README.md | 95 ------------------- haproxy/haproxy.cfg | 62 ++++++++++++ .../haproxy 
=> haproxy}/haproxy.template.cfg | 0 {deploy/haproxy => haproxy}/update_haproxy.sh | 0 .../conjur-authenticator-role.yaml | 0 .../conjur-cluster.yaml | 0 .../conjur-follower.yaml | 0 .../haproxy-conjur-master.yaml | 0 deploy/start => start | 0 deploy/stop => stop | 0 deploy/utils.sh => utils.sh | 0 54 files changed, 156 insertions(+), 746 deletions(-) rename deploy/0_check_dependencies.sh => 0_check_dependencies.sh (100%) rename deploy/1_create_conjur_namespace.sh => 1_create_conjur_namespace.sh (100%) rename deploy/2_build_and_push_containers.sh => 2_build_and_push_containers.sh (100%) rename deploy/3_deploy_conjur_cluster.sh => 3_deploy_conjur_cluster.sh (100%) rename deploy/4_configure_master.sh => 4_configure_master.sh (100%) rename deploy/5_create_load_balancer.sh => 5_create_load_balancer.sh (100%) rename deploy/6_configure_standbys.sh => 6_configure_standbys.sh (100%) rename deploy/7_configure_followers.sh => 7_configure_followers.sh (100%) rename deploy/8_print_config.sh => 8_print_config.sh (100%) rename {deploy/build => build}/conjur_server/Dockerfile (100%) rename {deploy/build => build}/conjur_server/build.sh (100%) rename {deploy/build => build}/conjur_server/conjur.json (100%) rename {deploy/build => build}/haproxy/Dockerfile (100%) rename {deploy/build => build}/haproxy/build.sh (100%) rename {deploy/build => build}/haproxy/conjur-health-check.sh (100%) rename {deploy/build => build}/haproxy/start.sh (100%) delete mode 100644 demo/.gitignore delete mode 100755 demo/0_check_dependencies.sh delete mode 100755 demo/1_initialize_conjur.sh delete mode 100755 demo/2_load_conjur_policies.sh delete mode 100755 demo/3_init_conjur_cert_authority.sh delete mode 100755 demo/4_create_test_app_namespace.sh delete mode 100755 demo/5_store_conjur_cert.sh delete mode 100755 demo/6_build_and_push_containers.sh delete mode 100755 demo/7_deploy_test_app.sh delete mode 100755 demo/8_retrieve_secret.sh delete mode 100644 demo/README.md delete mode 100644 
demo/manifests/test-app-conjur-authenticator-role-binding.yaml delete mode 100644 demo/policy/apps.template.yml delete mode 100644 demo/policy/authn-k8s.template.yml delete mode 100644 demo/policy/conjur.yml delete mode 100644 demo/policy/users.yml delete mode 100755 demo/rotate delete mode 100755 demo/start delete mode 100755 demo/stop delete mode 100644 demo/test_app/build/Dockerfile delete mode 100755 demo/test_app/build/build.sh delete mode 100644 demo/test_app/build/secrets.yml delete mode 100644 demo/test_app/build/test_app.rb delete mode 100644 demo/test_app/test_app.yaml delete mode 100755 demo/utils.sh delete mode 100644 deploy/.gitignore delete mode 100644 deploy/README.md create mode 100644 haproxy/haproxy.cfg rename {deploy/haproxy => haproxy}/haproxy.template.cfg (100%) rename {deploy/haproxy => haproxy}/update_haproxy.sh (100%) rename {deploy/manifests => manifests}/conjur-authenticator-role.yaml (100%) rename {deploy/manifests => manifests}/conjur-cluster.yaml (100%) rename {deploy/manifests => manifests}/conjur-follower.yaml (100%) rename {deploy/manifests => manifests}/haproxy-conjur-master.yaml (100%) rename deploy/start => start (100%) rename deploy/stop => stop (100%) rename deploy/utils.sh => utils.sh (100%) diff --git a/deploy/0_check_dependencies.sh b/0_check_dependencies.sh similarity index 100% rename from deploy/0_check_dependencies.sh rename to 0_check_dependencies.sh diff --git a/deploy/1_create_conjur_namespace.sh b/1_create_conjur_namespace.sh similarity index 100% rename from deploy/1_create_conjur_namespace.sh rename to 1_create_conjur_namespace.sh diff --git a/deploy/2_build_and_push_containers.sh b/2_build_and_push_containers.sh similarity index 100% rename from deploy/2_build_and_push_containers.sh rename to 2_build_and_push_containers.sh diff --git a/deploy/3_deploy_conjur_cluster.sh b/3_deploy_conjur_cluster.sh similarity index 100% rename from deploy/3_deploy_conjur_cluster.sh rename to 3_deploy_conjur_cluster.sh 
diff --git a/deploy/4_configure_master.sh b/4_configure_master.sh
similarity index 100%
rename from deploy/4_configure_master.sh
rename to 4_configure_master.sh
diff --git a/deploy/5_create_load_balancer.sh b/5_create_load_balancer.sh
similarity index 100%
rename from deploy/5_create_load_balancer.sh
rename to 5_create_load_balancer.sh
diff --git a/deploy/6_configure_standbys.sh b/6_configure_standbys.sh
similarity index 100%
rename from deploy/6_configure_standbys.sh
rename to 6_configure_standbys.sh
diff --git a/deploy/7_configure_followers.sh b/7_configure_followers.sh
similarity index 100%
rename from deploy/7_configure_followers.sh
rename to 7_configure_followers.sh
diff --git a/deploy/8_print_config.sh b/8_print_config.sh
similarity index 100%
rename from deploy/8_print_config.sh
rename to 8_print_config.sh
diff --git a/README.md b/README.md
index dfd3cf6..ee54818 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,95 @@ # kubernetes-conjur-deploy -Scripts for deploying Conjur to Kubernetes + +This repository contains scripts for deploying a Conjur v4 cluster to a +Kubernetes environment. + +# Setup + +The Conjur deployment scripts pick up configuration details from local +environment variables. The setup instructions below will walk you through the +necessary steps for configuring your Kubernetes environment and show you which +variables need to be set before deploying. + +### Kubernetes + +To deploy Conjur, you will first need access to a Kubernetes +deployment and must be conneceted to it using `kubectl`, +with a user that has sufficient privileges to create Kubernetes namespaces: + +``` +oc login https://: -u +``` + +Finally, you must specify a name for the Kubernetes namespace in which you'd like +to deploy the Conjur cluster: + +``` +export CONJUR_NAMESPACE_NAME=conjur +``` + +### Docker + +You will need to [install Docker](https://www.docker.com/get-docker) on your +local machine if you do not already have it. + +### Conjur + +#### Appliance Image + +You will need to obtain a Docker image of the Conjur v4 appliance and tag it in +your local registry as `conjur-appliance:4.9-stable`. The deploy scripts will +look for this tag when pushing the applance image to your Kubernetes Docker +registry. + +#### Appliance Configuration + +When setting up a new Conjur installation, you must provide an account name and +a password for the admin account: + +``` +export CONJUR_ACCOUNT= +export CONJUR_ADMIN_PASSWORD= +``` + +Conjur uses [declarative policy](https://developer.conjur.net/policy) to control +access to secrets. After deploying Conjur, you will need to load a policy that +defines a `webservice` to represent the Kubernetes authenticator: + +``` +- !policy +id: conjur/authn-k8s/{{ SERVICE_ID }} +``` + +The `SERVICE_ID` should describe the Kubernetes node in which your Conjur cluster +resides. For example, it might be something like `kubernetes/prod`. 
For Conjur +configuration purposes, you will need to provide this value to the Conjur deploy +scripts like so: + +``` +export AUTHENTICATOR_SERVICE_ID= +``` + +This `service_id` can be anything you like, but it's important to make sure +that it matches the value that you intend to use in Conjur Policy. + +# Usage + +Run `./start` to deploy Conjur. This will execute the numbered scripts in +sequence to create and configure a Conjur cluster comprised of one Master, two +Standbys, and two read-only Followers. + +Please note that the deploy scripts grant the `anyuid` SCC to the `default` +service account in the namespace that contains Conjur as configuring standbys and +followers requires root access. + +When the deploy scripts finish, they will print out the URL and credentials that +you need to access Conjur from outside the Kubernetes environment. You can access +the Conjur UI by visiting this URL in a browser or use it to interact with Conjur +through the [Conjur CLI](https://developer.conjur.net/cli). + +# Test App Demo + +The [kubernetes-conjur-demo repo](https://github.com/conjurdemos/kubernetes-conjur-demo) +can be used to set up a test application that retrieves secrets from Conjur +using our Ruby API. It can be used as a reference when setting up your own +applications to integrate with Conjur. diff --git a/deploy/build/conjur_server/Dockerfile b/build/conjur_server/Dockerfile similarity index 100% rename from deploy/build/conjur_server/Dockerfile rename to build/conjur_server/Dockerfile diff --git a/deploy/build/conjur_server/build.sh b/build/conjur_server/build.sh similarity index 100% rename from deploy/build/conjur_server/build.sh rename to build/conjur_server/build.sh diff --git a/deploy/build/conjur_server/conjur.json b/build/conjur_server/conjur.json similarity index 100% rename from deploy/build/conjur_server/conjur.json rename to build/conjur_server/conjur.json 
diff --git a/deploy/build/haproxy/Dockerfile b/build/haproxy/Dockerfile similarity index 100% rename from deploy/build/haproxy/Dockerfile rename to build/haproxy/Dockerfile diff --git a/deploy/build/haproxy/build.sh b/build/haproxy/build.sh similarity index 100% rename from deploy/build/haproxy/build.sh rename to build/haproxy/build.sh diff --git a/deploy/build/haproxy/conjur-health-check.sh b/build/haproxy/conjur-health-check.sh similarity index 100% rename from deploy/build/haproxy/conjur-health-check.sh rename to build/haproxy/conjur-health-check.sh diff --git a/deploy/build/haproxy/start.sh b/build/haproxy/start.sh similarity index 100% rename from deploy/build/haproxy/start.sh rename to build/haproxy/start.sh diff --git a/demo/.gitignore b/demo/.gitignore deleted file mode 100644 index 6bdcbdd..0000000 --- a/demo/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -policy/authn-k8s.yml -policy/apps.yml diff --git a/demo/0_check_dependencies.sh b/demo/0_check_dependencies.sh deleted file mode 100755 index c17de63..0000000 --- a/demo/0_check_dependencies.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash -set -eo pipefail - -# Confirm logged into Kubernetes. -read -p "Before we proceed... -Are you logged in to a Kubernetes cluster (yes/no)? " choice -case "$choice" in - yes ) echo "Great! Let's go.";; - * ) echo "You must login to a Kubernetes cluster before running this demo." && exit 1;; -esac - -check_env_var "CONJUR_NAMESPACE_NAME" -check_env_var "DOCKER_REGISTRY_URL" -check_env_var "DOCKER_REGISTRY_PATH" -check_env_var "CONJUR_ACCOUNT" -check_env_var "CONJUR_ADMIN_PASSWORD" -check_env_var "TEST_APP_NAMESPACE_NAME" diff --git a/demo/1_initialize_conjur.sh b/demo/1_initialize_conjur.sh deleted file mode 100755 index 2bc7c01..0000000 --- a/demo/1_initialize_conjur.sh +++ /dev/null 
@@ -1,18 +0,0 @@ -#!/bin/bash -set -eou pipefail - -. utils.sh - -announce "Initializing Conjur." - -set_namespace $CONJUR_NAMESPACE_NAME - -conjur_master=$(get_master_pod_name) - -kubectl exec $conjur_master -- rm -f ./conjurrc "./conjur-${CONJUR_ACCOUNT}.pem" -kubectl exec $conjur_master -- bash -c 'yes yes | conjur init -h localhost' -kubectl exec $conjur_master -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD -kubectl exec $conjur_master -- conjur bootstrap -kubectl exec $conjur_master -- conjur authn logout - -echo "Conjur initialized." diff --git a/demo/2_load_conjur_policies.sh b/demo/2_load_conjur_policies.sh deleted file mode 100755 index b5e23e9..0000000 --- a/demo/2_load_conjur_policies.sh +++ /dev/null 
@@ -1,39 +0,0 @@ -#!/bin/bash -set -eou pipefail - -. utils.sh - -announce "Loading Conjur policy." - -set_namespace $CONJUR_NAMESPACE_NAME - -conjur_master=$(get_master_pod_name) - -# (re)install Conjur policy plugin -kubectl exec $conjur_master -- touch /opt/conjur/etc/plugins.yml -kubectl exec $conjur_master -- conjur plugin uninstall policy -kubectl exec $conjur_master -- conjur plugin install policy - -pushd policy - sed -e "s#{{ SERVICE_ID }}#$AUTHENTICATOR_SERVICE_ID#g" ./authn-k8s.template.yml | - sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./authn-k8s.yml - - sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./apps.template.yml > ./apps.yml -popd - -kubectl cp ./policy conjur-cluster-1396572337-c7265:/policy - -kubectl exec $conjur_master -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD -kubectl exec $conjur_master -- conjur policy load --as-group security_admin "policy/conjur.yml" - -kubectl exec $conjur_master -- rm -rf ./policy - -echo "Conjur policy loaded." - -password=$(openssl rand -hex 12) - -kubectl exec $conjur_master -- conjur variable values add test-app-db/password $password - -announce "Added DB password value: $password" - -kubectl exec $conjur_master -- conjur authn logout diff --git a/demo/3_init_conjur_cert_authority.sh b/demo/3_init_conjur_cert_authority.sh deleted file mode 100755 index b6e603f..0000000 --- a/demo/3_init_conjur_cert_authority.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash -set -eou pipefail - -. utils.sh - -announce "Initializing Conjur certificate authority." - -set_namespace $CONJUR_NAMESPACE_NAME - -conjur_master=$(get_master_pod_name) - -kubectl exec $conjur_master -- conjur-plugin-service authn-k8s rake ca:initialize["conjur/authn-k8s/$AUTHENTICATOR_SERVICE_ID"] > /dev/null - -echo "Certificate authority initialized." diff --git a/demo/4_create_test_app_namespace.sh b/demo/4_create_test_app_namespace.sh deleted file mode 100755 index 6162701..0000000 
--- a/demo/4_create_test_app_namespace.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/bash -set -eou pipefail - -. utils.sh - -announce "Creating Test App namespace." - -set_namespace default - -if has_namespace "$TEST_APP_NAMESPACE_NAME"; then - echo "Namespace '$TEST_APP_NAMESPACE_NAME' exists, not going to create it." - set_namespace $TEST_APP_NAMESPACE_NAME -else - echo "Creating '$TEST_APP_NAMESPACE_NAME' namespace." - kubectl create namespace $TEST_APP_NAMESPACE_NAME - set_namespace $TEST_APP_NAMESPACE_NAME -fi - -kubectl delete --ignore-not-found rolebinding test-app-conjur-authenticator-role-binding - -sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" ./manifests/test-app-conjur-authenticator-role-binding.yaml | - sed -e "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" | - kubectl create -f - diff --git a/demo/5_store_conjur_cert.sh b/demo/5_store_conjur_cert.sh deleted file mode 100755 index 0194273..0000000 --- a/demo/5_store_conjur_cert.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/bash -set -eou pipefail - -. utils.sh - -announce "Storing Conjur cert for test app configuration." - -set_namespace $CONJUR_NAMESPACE_NAME - -echo "Retrieving Conjur certificate." - -follower_pod_name=$(kubectl get pods -l role=follower --no-headers | awk '{ print $1 }' | head -1) -ssl_cert=$(kubectl exec $follower_pod_name -- cat /opt/conjur/etc/ssl/conjur.pem) - -set_namespace $TEST_APP_NAMESPACE_NAME - -echo "Storing non-secret conjur cert as test app configuration data" - -kubectl delete --ignore-not-found=true configmap $TEST_APP_NAMESPACE_NAME - -# Store the Conjur cert in a ConfigMap. -kubectl create configmap $TEST_APP_NAMESPACE_NAME --from-file=ssl-certificate=<(echo "$ssl_cert") - -echo "Conjur cert stored." diff --git a/demo/6_build_and_push_containers.sh b/demo/6_build_and_push_containers.sh deleted file mode 100755 index 7679bad..0000000 --- a/demo/6_build_and_push_containers.sh +++ /dev/null 
@@ -1,14 +0,0 @@ -#!/bin/bash -set -eou pipefail - -. utils.sh - -announce "Building and pushing test app image." - -docker login -u oauth2accesstoken -p "$(gcloud auth application-default print-access-token)" $DOCKER_REGISTRY_URL - -pushd test_app/build - ./build.sh -popd - -docker_tag_and_push test-app diff --git a/demo/7_deploy_test_app.sh b/demo/7_deploy_test_app.sh deleted file mode 100755 index 097381f..0000000 --- a/demo/7_deploy_test_app.sh +++ /dev/null @@ -1,48 +0,0 @@ -#!/bin/bash -set -eou pipefail - -. utils.sh - -announce "Deploying test app." - -set_namespace $TEST_APP_NAMESPACE_NAME - -# TODO Set credentials for Docker registry that isn't GKE. - -kubectl delete --ignore-not-found deployment test-app -kubectl delete --ignore-not-found service test-app - -sleep 5 - -test_app_docker_image=$DOCKER_REGISTRY_PATH/test-app:$CONJUR_NAMESPACE_NAME - -sed -e "s#{{ TEST_APP_DOCKER_IMAGE }}#$test_app_docker_image#g" ./test_app/test_app.yaml | - sed -e "s#{{ CONJUR_ACCOUNT }}#$CONJUR_ACCOUNT#g" | - sed -e "s#{{ CONJUR_NAMESPACE_NAME }}#$CONJUR_NAMESPACE_NAME#g" | - sed -e "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - sed -e "s#{{ SERVICE_ID }}#$AUTHENTICATOR_SERVICE_ID#g" | - sed -e "s#{{ CONFIG_MAP_NAME }}#$TEST_APP_NAMESPACE_NAME#g" | - kubectl create -f - - -sleep 20 - -echo "Test app deployed." - -announce " -Test app is ready. - -Addresses for the Test App service: - - Inside the cluster: - test-app.$CONJUR_NAMESPACE_NAME.svc.cluster.local - - Outside the cluster: - For now you have to port forward the service using kubectl, because HTTPS :) - Run: - - kubectl port-forward svc/test-app 1234:80 - - Then head over to: - - http://127.0.0.1:1234 -" diff --git a/demo/8_retrieve_secret.sh b/demo/8_retrieve_secret.sh deleted file mode 100755 index 0f5dfd1..0000000 --- a/demo/8_retrieve_secret.sh +++ /dev/null 
@@ -1,12 +0,0 @@ -#!/bin/bash -set -eou pipefail - -. utils.sh - -announce "Retrieving secret using Conjur access token." - -set_namespace $TEST_APP_NAMESPACE_NAME - -test_app_pod=$(kubectl get pods --no-headers | awk '{ print $1 }') - -kubectl exec -c test-app $test_app_pod -- curl -s localhost diff --git a/demo/README.md b/demo/README.md deleted file mode 100644 index 2376d6e..0000000 --- a/demo/README.md +++ /dev/null 
@@ -1,46 +0,0 @@ -# kubernetes-conjur-demo - -This repo demonstrates an app retrieving secrets from a Conjur cluster using the -[Kubernetes authenticator](https://github.com/conjurinc/authn-k8s). The numbered -scripts perform the same setps that a user will have to go through when setting -up their own applications. - -# Setup - -### Deploying Conjur - -Before running this demo you will need to [set up a Conjur cluster](https://github.com/conjurinc/kubernetes-conjur-deploy) -in your kubernetes environment. It is recommended that you **set up a separate -Conjur cluster** purely for the purpose of running this demo as it loads Conjur -policy that you would not want to be present in your production environment. - -### Script Configuration - -You will need to provide a name for the kubernetes namespace in which your test app -will be deployed: - -``` -export TEST_APP_NAMESPACE_NAME=test-app -``` - -You will also need to set several environment variables to match the values used -when configuring your Conjur deployment. Note that if you may already have these -variables set if you're using the same shell to run the demo: - -``` -export CONJUR_NAMESPACE_NAME= -export DOCKER_REGISTRY_PATH=docker-registry-. -export CONJUR_ACCOUNT= -export CONJUR_ADMIN_PASSWORD= -export AUTHENTICATOR_SERVICE_ID= -``` - -# Usage - -Run `./start` to execute the numbered scripts, which will step through the -process of configuring Conjur and deploying a test app. The test app uses the -Conjur Ruby API, configured with the access token provided by the authenticator -sidecar, to retrieve a secret value from Conjur. - -You can run the `./rotate` script to rotate the secret value and then run the -final numbered script again to retrieve and print the new value. \ No newline at end of file diff --git a/demo/manifests/test-app-conjur-authenticator-role-binding.yaml b/demo/manifests/test-app-conjur-authenticator-role-binding.yaml deleted file mode 100644 index 6d3d54c..0000000 
--- a/demo/manifests/test-app-conjur-authenticator-role-binding.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 # TODO: change this to match your k8s version -metadata: - name: test-app-conjur-authenticator-role-binding - namespace: {{ TEST_APP_NAMESPACE_NAME }} -subjects: - - kind: ServiceAccount - name: default - namespace: {{ CONJUR_NAMESPACE_NAME }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: conjur-authenticator diff --git a/demo/policy/apps.template.yml b/demo/policy/apps.template.yml deleted file mode 100644 index 2523f8a..0000000 --- a/demo/policy/apps.template.yml +++ /dev/null @@ -1,17 +0,0 @@ -- !policy - id: test-app - owner: !group developers - body: - - !layer - -- !policy - id: test-app-db - owner: !group operations - body: - - &variables - - !variable password - - - !permit - resources: *variables - privilege: [ read, execute ] - role: !layer /test-app diff --git a/demo/policy/authn-k8s.template.yml b/demo/policy/authn-k8s.template.yml deleted file mode 100644 index b165267..0000000 --- a/demo/policy/authn-k8s.template.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -- !policy - id: conjur/authn-k8s/{{ SERVICE_ID }} - body: - - !webservice - annotations: - description: Authentication service for the Conjur OpenShift demo. - - - !policy - id: ca - body: - - !variable - id: cert - annotations: - description: CA cert for Kubernetes Pods. - - - !variable - id: key - annotations: - description: CA key for Kubernetes Pods. - - - !group - id: clients - annotations: - description: > - Members of this group can use the authn-k8s service. This group - typically has one member, which is a layer containing the enrolled - applications. - - - !permit - resource: !webservice - privilege: [ read, authenticate ] - role: !group clients - - - !policy - id: apps - annotations: - description: Apps and services in the OpenShift cluster. - body: - - !layer - - - &hosts - - !host - id: {{ TEST_APP_NAMESPACE_NAME }}/*/* - annotations: - kubernetes/authentication-container-name: authenticator - kubernetes: "true" - - !host - id: {{ TEST_APP_NAMESPACE_NAME }}/service_account/test-app - annotations: - kubernetes/authentication-container-name: authenticator - kubernetes: "true" - - - !grant - role: !layer /test-app - members: - - !host {{ TEST_APP_NAMESPACE_NAME }}/*/* - - !host {{ TEST_APP_NAMESPACE_NAME }}/service_account/test-app - - - !grant - role: !layer - members: *hosts - - - !grant - role: !group clients - member: !layer apps diff --git a/demo/policy/conjur.yml b/demo/policy/conjur.yml deleted file mode 100644 index 36d571a..0000000 --- a/demo/policy/conjur.yml +++ /dev/null @@ -1,3 +0,0 @@ -- !include users.yml -- !include apps.yml -- !include authn-k8s.yml diff --git a/demo/policy/users.yml b/demo/policy/users.yml deleted file mode 100644 index e00a81f..0000000 --- a/demo/policy/users.yml +++ /dev/null 
@@ -1,17 +0,0 @@ -- !group developers - -- !group operations - -- !user dan - -- !user otto - -- !grant - role: !group developers - members: - - !user dan - - !group operations - -- !grant - role: !group operations - member: !user otto diff --git a/demo/rotate b/demo/rotate deleted file mode 100755 index 70495e4..0000000 --- a/demo/rotate +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash -set -eou pipefail - -. utils.sh - -announce "Rotating password." - -set_namespace $CONJUR_NAMESPACE_NAME - -conjur_master=$(get_master_pod_name) -new_pwd=$(openssl rand -hex 12) - -kubectl exec $conjur_master -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD -kubectl exec $conjur_master -- conjur variable values add test-app-db/password $new_pwd -kubectl exec $conjur_master -- conjur authn logout - -echo "New db password is:" $new_pwd diff --git a/demo/start b/demo/start deleted file mode 100755 index 7f9e6ae..0000000 --- a/demo/start +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -set -eou pipefail - -0_check_dependencies.sh - -stop - -1_initialize_conjur.sh -2_load_conjur_policies.sh -3_init_conjur_cert_authority.sh -4_create_test_app_namespace.sh -5_store_conjur_cert.sh -6_build_and_push_containers.sh -7_deploy_test_app.sh -8_retrieve_secret.sh diff --git a/demo/stop b/demo/stop deleted file mode 100755 index edc8f83..0000000 --- a/demo/stop +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -set -eou pipefail - -. utils.sh - -set_namespace default - -if has_namespace $TEST_APP_NAMESPACE_NAME; then - kubectl delete namespace $TEST_APP_NAMESPACE_NAME - - printf "Waiting for $TEST_APP_NAMESPACE_NAME namespace deletion to complete" - - while : ; do - printf "..." - - if has_namespace "$TEST_APP_NAMESPACE_NAME"; then - sleep 5 - else - break - fi - done - - echo "" -fi - -echo "Test app environment purged." diff --git a/demo/test_app/build/Dockerfile b/demo/test_app/build/Dockerfile deleted file mode 100644 index 11c2279..0000000 --- a/demo/test_app/build/Dockerfile +++ /dev/null 
@@ -1,10 +0,0 @@ -FROM ruby:2.3 - -RUN gem install -N activesupport --version 4.2.7.1 -RUN gem install -N conjur-api:"< 5.0" conjur-cli:"< 6.0" sinatra - -COPY test_app.rb usr/src/test_app.rb - -env PORT 80 - -CMD [ "ruby", "/usr/src/test_app.rb" ] \ No newline at end of file diff --git a/demo/test_app/build/build.sh b/demo/test_app/build/build.sh deleted file mode 100755 index 2560156..0000000 --- a/demo/test_app/build/build.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash -set -eou pipefail - -docker build -t test-app:$CONJUR_NAMESPACE_NAME . diff --git a/demo/test_app/build/secrets.yml b/demo/test_app/build/secrets.yml deleted file mode 100644 index 127ec69..0000000 --- a/demo/test_app/build/secrets.yml +++ /dev/null @@ -1 +0,0 @@ -DB_PASSWORD: !var db/password diff --git a/demo/test_app/build/test_app.rb b/demo/test_app/build/test_app.rb deleted file mode 100644 index ae1cc6f..0000000 --- a/demo/test_app/build/test_app.rb +++ /dev/null @@ -1,36 +0,0 @@ -#!/usr/bin/env ruby - -require 'sinatra' -require 'conjur-api' -require 'cgi' -require 'json' - -enable :logging - -helpers do - def username - raise "Expecting CONJUR_AUTHN_API_KEY to be blank" if ENV['CONJUR_AUTHN_API_KEY'] - ENV['CONJUR_AUTHN_LOGIN'] or raise "No CONJUR_AUTHN_LOGIN" - end - - def conjur_api - # Ideally this would be done only once. - # But for testing, it means that if the login fails, the pod is stuck in a bad state - # and the tests can't be performed. - Conjur.configuration.apply_cert_config! - - token = JSON.parse(File.read("/run/conjur/access-token")) - Conjur::API.new_from_token(token) - end -end - -get '/' do - begin - password = conjur_api.variable("test-app-db/password").value - "test-app-db password: #{password}" - rescue - $stderr.puts $! - $stderr.puts $!.backtrace.join("\n") - halt 500, "Error: #{$!}" - end -end diff --git a/demo/test_app/test_app.yaml b/demo/test_app/test_app.yaml deleted file mode 100644 index b666217..0000000 --- a/demo/test_app/test_app.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: test-app - labels: - app: test-app -spec: - ports: - - protocol: TCP - port: 80 - selector: - app: test-app - type: LoadBalancer ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: test-app ---- -apiVersion: apps/v1beta1 -kind: Deployment -metadata: - labels: - app: test-app - name: test-app -spec: - replicas: 1 - selector: - matchLabels: - app: test-app - template: - metadata: - labels: - app: test-app - spec: - serviceAccountName: test-app - containers: - - image: {{ TEST_APP_DOCKER_IMAGE }} - imagePullPolicy: Always - name: test-app - env: - - name: CONJUR_APPLIANCE_URL - value: https://conjur-follower.{{ CONJUR_NAMESPACE_NAME }}.svc.cluster.local/api - - name: CONJUR_ACCOUNT - value: {{ CONJUR_ACCOUNT }} - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - name: {{ CONFIG_MAP_NAME }} - key: ssl-certificate - volumeMounts: - - mountPath: /run/conjur - name: conjur-access-token - readOnly: true - - image: cyberark/conjur-openshift-authenticator - imagePullPolicy: Always - name: authenticator - env: - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: CONJUR_APPLIANCE_URL - value: https://conjur-follower.{{ CONJUR_NAMESPACE_NAME }}.svc.cluster.local/api - - name: CONJUR_AUTHN_URL - value: https://conjur-follower.{{ CONJUR_NAMESPACE_NAME }}.svc.cluster.local/api/authn-k8s/{{ SERVICE_ID }} - - name: CONJUR_ACCOUNT - value: {{ CONJUR_ACCOUNT }} - - name: CONJUR_AUTHN_LOGIN - value: {{ TEST_APP_NAMESPACE_NAME }}/service_account/test-app - - name: CONJUR_SSL_CERTIFICATE - valueFrom: - configMapKeyRef: - name: {{ CONFIG_MAP_NAME }} - key: ssl-certificate - volumeMounts: - - mountPath: /run/conjur - name: conjur-access-token - volumes: - - name: conjur-access-token - emptyDir: - medium: Memory 
diff --git a/demo/utils.sh b/demo/utils.sh deleted file mode 100755 index 0b7cf9a..0000000 --- a/demo/utils.sh +++ /dev/null 
@@ -1,76 +0,0 @@ -#!/bin/bash - -check_env_var() { - var_name=$1 - - if [ "${!var_name}" = "" ]; then - echo "You must set $1 before running these scripts." - exit 1 - fi -} - -announce() { - echo "++++++++++++++++++++++++++++++++++++++" - echo "" - echo "$@" - echo "" - echo "++++++++++++++++++++++++++++++++++++++" -} - -has_namespace() { - if kubectl get namespace "$1" 2> /dev/null; then - true - else - false - fi -} - -docker_tag_and_push() { - docker_tag="${DOCKER_REGISTRY_PATH}/$1:$CONJUR_NAMESPACE_NAME" - docker tag $1:$CONJUR_NAMESPACE_NAME $docker_tag - docker push $docker_tag -} - -get_master_pod_name() { - pod_list=$(kubectl get pods -l app=conjur-node,role=master --no-headers | awk '{ print $1 }') - echo $pod_list | awk '{print $1}' -} - -run_conjur_cmd_as_admin() { - local command=$(cat $@) - - conjur authn logout > /dev/null - conjur authn login -u admin -p "$CONJUR_ADMIN_PASSWORD" > /dev/null - - local output=$(eval "$command") - - conjur authn logout > /dev/null - echo "$output" -} - -set_namespace() { - # general utility for switching namespaces in kubernetes - # expects exactly 1 argument, a namespace name. - if [[ $# != 1 ]]; then - printf "Error in %s/%s - expecting 1 arg.\n" $(pwd) $0 - exit -1 - fi - - kubectl config set-context $(kubectl config current-context) --namespace="$1" > /dev/null -} - -load_policy() { - local POLICY_FILE=$1 - - run_conjur_cmd_as_admin <: -u -``` - -Finally, you must specify a name for the Kubernetes namespace in which you'd like -to deploy the Conjur cluster: - -``` -export CONJUR_NAMESPACE_NAME=conjur -``` - -### Docker - -You will need to [install Docker](https://www.docker.com/get-docker) on your -local machine if you do not already have it. - -### Conjur - -#### Appliance Image - -You will need to obtain a Docker image of the Conjur v4 appliance and tag it in -your local registry as `conjur-appliance:4.9-stable`. 
The deploy scripts will -look for this tag when pushing the applance image to your Kubernetes Docker -registry. - -#### Appliance Configuration - -When setting up a new Conjur installation, you must provide an account name and -a password for the admin account: - -``` -export CONJUR_ACCOUNT= -export CONJUR_ADMIN_PASSWORD= -``` - -Conjur uses [declarative policy](https://developer.conjur.net/policy) to control -access to secrets. After deploying Conjur, you will need to load a policy that -defines a `webservice` to represent the Kubernetes authenticator: - -``` -- !policy -id: conjur/authn-k8s/{{ SERVICE_ID }} -``` - -The `SERVICE_ID` should describe the Kubernetes node in which your Conjur cluster -resides. For example, it might be something like `kubernetes/prod`. For Conjur -configuration purposes, you will need to provide this value to the Conjur deploy -scripts like so: - -``` -export AUTHENTICATOR_SERVICE_ID= -``` - -This `service_id` can be anything you like, but it's important to make sure -that it matches the value that you intend to use in Conjur Policy. - -# Usage - -Run `./start` to deploy Conjur. This will execute the numbered scripts in -sequence to create and configure a Conjur cluster comprised of one Master, two -Standbys, and two read-only Followers. - -Please note that the deploy scripts grant the `anyuid` SCC to the `default` -service account in the namespace that contains Conjur as configuring standbys and -followers requires root access. - -When the deploy scripts finish, they will print out the URL and credentials that -you need to access Conjur from outside the Kubernetes environment. You can access -the Conjur UI by visiting this URL in a browser or use it to interact with Conjur -through the [Conjur CLI](https://developer.conjur.net/cli). 
- -# Test App Demo - -The [kubernetes-conjur-demo repo](https://github.com/conjurdemos/kubernetes-conjur-demo) -can be used to set up a test application that retrieves secrets from Conjur -using our Ruby API. It can be used as a reference when setting up your own -applications to integrate with Conjur. diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg new file mode 100644 index 0000000..35d40c5 --- /dev/null +++ b/haproxy/haproxy.cfg 
@@ -0,0 +1,62 @@ +global + maxconn 256 + external-check + +defaults + timeout connect 5000ms + timeout client 50000ms + timeout server 50000ms + +frontend f_conjur_master_http + mode tcp + bind *:443 + default_backend b_conjur_master_http + +frontend f_conjur_master_pg + mode tcp + bind *:5432 + default_backend b_conjur_master_pg + +frontend f_conjur_master_ldap + mode tcp + bind *:636 + default_backend b_conjur_master_ldap + +# HTTP backend info +# Generated by haproxy/update_haproxy.sh in /Users/jtuttle/work/kubernetes-conjur-deploy/deploy +backend b_conjur_master_http + mode tcp + balance static-rr + option external-check + default-server inter 5s fall 3 rise 2 + external-check path "/usr/bin:/usr/local/bin" + external-check command "/root/conjur-health-check.sh" + server conjur-cluster-2336141628-fd2lm 10.40.0.234:443 check + server conjur-cluster-2336141628-kbfcs 10.40.1.35:443 check + server conjur-cluster-2336141628-pv770 10.40.1.36:443 check + +# PG backend info +# Generated by haproxy/update_haproxy.sh in /Users/jtuttle/work/kubernetes-conjur-deploy/deploy +backend b_conjur_master_pg + mode tcp + balance static-rr + option external-check + default-server inter 5s fall 3 rise 2 + external-check path "/usr/bin:/usr/local/bin" + external-check command "/root/conjur-health-check.sh" + server conjur-cluster-2336141628-fd2lm 10.40.0.234:5432 check + server conjur-cluster-2336141628-kbfcs 10.40.1.35:5432 check + server conjur-cluster-2336141628-pv770 10.40.1.36:5432 check + +# LDAP backend info +# Generated by haproxy/update_haproxy.sh in /Users/jtuttle/work/kubernetes-conjur-deploy/deploy +backend b_conjur_master_ldap + mode tcp + balance static-rr + option external-check + default-server inter 30s fall 3 rise 2 + external-check path "/usr/bin:/usr/local/bin" + external-check command "/root/conjur-health-check.sh" + server conjur-cluster-2336141628-fd2lm 10.40.0.234:636 check + server conjur-cluster-2336141628-kbfcs 10.40.1.35:636 check + server 
conjur-cluster-2336141628-pv770 10.40.1.36:636 check diff --git a/deploy/haproxy/haproxy.template.cfg b/haproxy/haproxy.template.cfg similarity index 100% rename from deploy/haproxy/haproxy.template.cfg rename to haproxy/haproxy.template.cfg diff --git a/deploy/haproxy/update_haproxy.sh b/haproxy/update_haproxy.sh similarity index 100% rename from deploy/haproxy/update_haproxy.sh rename to haproxy/update_haproxy.sh diff --git a/deploy/manifests/conjur-authenticator-role.yaml b/manifests/conjur-authenticator-role.yaml similarity index 100% rename from deploy/manifests/conjur-authenticator-role.yaml rename to manifests/conjur-authenticator-role.yaml diff --git a/deploy/manifests/conjur-cluster.yaml b/manifests/conjur-cluster.yaml similarity index 100% rename from deploy/manifests/conjur-cluster.yaml rename to manifests/conjur-cluster.yaml diff --git a/deploy/manifests/conjur-follower.yaml b/manifests/conjur-follower.yaml similarity index 100% rename from deploy/manifests/conjur-follower.yaml rename to manifests/conjur-follower.yaml diff --git a/deploy/manifests/haproxy-conjur-master.yaml b/manifests/haproxy-conjur-master.yaml similarity index 100% rename from deploy/manifests/haproxy-conjur-master.yaml rename to manifests/haproxy-conjur-master.yaml diff --git a/deploy/start b/start similarity index 100% rename from deploy/start rename to start diff --git a/deploy/stop b/stop similarity index 100% rename from deploy/stop rename to stop diff --git a/deploy/utils.sh b/utils.sh similarity index 100% rename from deploy/utils.sh rename to utils.sh From f025d7562ba64463c640de2f91269d62eeaf669d Mon Sep 17 00:00:00 2001 From: John Tuttle Date: Fri, 13 Apr 2018 17:33:31 -0400 Subject: [PATCH 09/21] start fixing readme --- README.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index ee54818..fb10c29 100644 --- a/README.md +++ b/README.md 
@@ -12,16 +12,12 @@ variables need to be set before deploying. ### Kubernetes -To deploy Conjur, you will first need access to a Kubernetes -deployment and must be conneceted to it using `kubectl`, -with a user that has sufficient privileges to create Kubernetes namespaces: +To deploy Conjur, you will first need access to a Kubernetes deployment and must +connect to it using `kubectl` with a user that has sufficient privileges to +create namespaces. -``` -oc login https://: -u -``` - -Finally, you must specify a name for the Kubernetes namespace in which you'd like -to deploy the Conjur cluster: +Finally, you must specify a name for the namespace in which you'd like to deploy +the Conjur cluster: ``` export CONJUR_NAMESPACE_NAME=conjur From 1887d78e75ebfc7631ef4d929d1b85bcbae71d7b Mon Sep 17 00:00:00 2001 From: John Tuttle Date: Mon, 16 Apr 2018 12:22:15 -0400 Subject: [PATCH 10/21] add docker login instructs to readme, other minor fixes --- .gitignore | 2 ++ 0_check_dependencies.sh | 25 +++++++++----- 2_build_and_push_containers.sh | 8 ----- README.md | 32 +++++++++++++++--- haproxy/haproxy.cfg | 62 ---------------------------------- manifests/conjur-cluster.yaml | 2 ++ manifests/conjur-follower.yaml | 2 ++ start | 20 +++++------ utils.sh | 2 +- 9 files changed, 61 insertions(+), 94 deletions(-) create mode 100644 .gitignore delete mode 100644 haproxy/haproxy.cfg diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..0facc40 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +standby-seed.tar +haproxy.cfg \ No newline at end of file diff --git a/0_check_dependencies.sh b/0_check_dependencies.sh index 03b6373..7e868f3 100755 --- a/0_check_dependencies.sh +++ b/0_check_dependencies.sh 
@@ -3,21 +3,28 @@ set -eo pipefail . utils.sh -# Confirm logged into Kubernetes. -read -p "Before we proceed... -Are you logged in to a Kubernetes cluster (yes/no)? " choice -case "$choice" in - yes ) echo "Great! Let's go.";; - * ) echo "You must login to a Kubernetes cluster before running this demo." && exit 1;; -esac - check_env_var "CONJUR_NAMESPACE_NAME" check_env_var "DOCKER_REGISTRY_URL" check_env_var "DOCKER_REGISTRY_PATH" check_env_var "CONJUR_ACCOUNT" check_env_var "CONJUR_ADMIN_PASSWORD" -conjur_appliance_image=conjur-appliance:4.9-stable +echo "Before we proceed..." + +# Confirm logged into Kubernetes. +read -p "Are you logged in to a Kubernetes cluster (yes/no)? " choice +case "$choice" in + yes ) ;; + * ) echo "You must login to a Kubernetes cluster before running this demo." && exit 1;; +esac + +read -p "Are you logged into the $DOCKER_REGISTRY_URL Docker registry (yes/no)? " choice +case "$choice" in + yes ) echo "Great! Let's go.";; + * ) echo "You must login to your Docker registry before running this demo." && exit 1;; +esac + +conjur_appliance_image=$DOCKER_REGISTRY_PATH/conjur-appliance:$CONJUR_NAMESPACE_NAME # Confirms Conjur image is present. if [[ "$(docker images -q $conjur_appliance_image 2> /dev/null)" == "" ]]; then diff --git a/2_build_and_push_containers.sh b/2_build_and_push_containers.sh index 3766fe6..f8efeee 100755 --- a/2_build_and_push_containers.sh +++ b/2_build_and_push_containers.sh @@ -3,14 +3,6 @@ set -eou pipefail . utils.sh -announce "Pushing conjur-appliance image." - -docker login -u oauth2accesstoken -p "$(gcloud auth application-default print-access-token)" $DOCKER_REGISTRY_URL - -appliance_tag="$DOCKER_REGISTRY_PATH/conjur-appliance:$CONJUR_NAMESPACE_NAME" -docker tag conjur-appliance:4.9-stable $appliance_tag -docker push $appliance_tag - announce "Building and pushing haproxy image." pushd build/haproxy diff --git a/README.md b/README.md index fb10c29..7cd4ec3 100644 --- a/README.md +++ b/README.md 
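Review bot: The two `read -p … (yes/no)` prompts added to 0_check_dependencies.sh take the operator's word for the Kubernetes and registry login state instead of checking it, so a stale or missing `kubectl` context is only caught when a later deploy script fails half-way. The Kubernetes prompt has a cheap programmatic replacement, `kubectl cluster-info > /dev/null 2>&1 || { echo "You must login to a Kubernetes cluster before running this demo." >&2; exit 1; }`; the registry prompt is harder to verify without a push and can stay as is. In the same hunk `$conjur_appliance_image` is interpolated unquoted into `docker images -q`, so it should be `docker images -q "$conjur_appliance_image"`. The `echo … && exit 1` pattern in both `case` arms also skips the `exit` if `echo` fails; `{ echo "…" >&2; exit 1; }` is the safer form.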
@@ -28,14 +28,38 @@ export CONJUR_NAMESPACE_NAME=conjur You will need to [install Docker](https://www.docker.com/get-docker) on your local machine if you do not already have it. +You will also need access to a Docker registry to which you are able to push. +Provide the URL and full path you wish to use for this registry: + +``` +export DOCKER_REGISTRY_URL=us.gcr.io +export DOCKER_REGISTRY_PATH=us.gcr.io/gke-dev +``` + +Please login to the registry before running the deploy scripts. + ### Conjur #### Appliance Image -You will need to obtain a Docker image of the Conjur v4 appliance and tag it in -your local registry as `conjur-appliance:4.9-stable`. The deploy scripts will -look for this tag when pushing the applance image to your Kubernetes Docker -registry. +You will need to obtain a Docker image of the Conjur v4 appliance and push it +to your Docker registry with the tag: + +``` +$DOCKER_REGISTRY_PATH/conjur-appliance:$CONJUR_NAMESPACE_NAME +``` + +Finally, you will need to create an image pull secret called `conjurregcred` +in your Kubernetes environment to allow the deploy scripts to retrieve the +Conjur image from your registry: + +``` +kubectl create secret docker-registry conjurregcred \ + --docker-server=$DOCKER_REGISTRY_URL \ + --docker-username= \ + --docker-password= \ + --docker-email= +``` #### Appliance Configuration diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg deleted file mode 100644 index 35d40c5..0000000 --- a/haproxy/haproxy.cfg +++ /dev/null 
@@ -1,62 +0,0 @@ -global - maxconn 256 - external-check - -defaults - timeout connect 5000ms - timeout client 50000ms - timeout server 50000ms - -frontend f_conjur_master_http - mode tcp - bind *:443 - default_backend b_conjur_master_http - -frontend f_conjur_master_pg - mode tcp - bind *:5432 - default_backend b_conjur_master_pg - -frontend f_conjur_master_ldap - mode tcp - bind *:636 - default_backend b_conjur_master_ldap - -# HTTP backend info -# Generated by haproxy/update_haproxy.sh in /Users/jtuttle/work/kubernetes-conjur-deploy/deploy -backend b_conjur_master_http - mode tcp - balance static-rr - option external-check - default-server inter 5s fall 3 rise 2 - external-check path "/usr/bin:/usr/local/bin" - external-check command "/root/conjur-health-check.sh" - server conjur-cluster-2336141628-fd2lm 10.40.0.234:443 check - server conjur-cluster-2336141628-kbfcs 10.40.1.35:443 check - server conjur-cluster-2336141628-pv770 10.40.1.36:443 check - -# PG backend info -# Generated by haproxy/update_haproxy.sh in /Users/jtuttle/work/kubernetes-conjur-deploy/deploy -backend b_conjur_master_pg - mode tcp - balance static-rr - option external-check - default-server inter 5s fall 3 rise 2 - external-check path "/usr/bin:/usr/local/bin" - external-check command "/root/conjur-health-check.sh" - server conjur-cluster-2336141628-fd2lm 10.40.0.234:5432 check - server conjur-cluster-2336141628-kbfcs 10.40.1.35:5432 check - server conjur-cluster-2336141628-pv770 10.40.1.36:5432 check - -# LDAP backend info -# Generated by haproxy/update_haproxy.sh in /Users/jtuttle/work/kubernetes-conjur-deploy/deploy -backend b_conjur_master_ldap - mode tcp - balance static-rr - option external-check - default-server inter 30s fall 3 rise 2 - external-check path "/usr/bin:/usr/local/bin" - external-check command "/root/conjur-health-check.sh" - server conjur-cluster-2336141628-fd2lm 10.40.0.234:636 check - server conjur-cluster-2336141628-kbfcs 10.40.1.35:636 check - server 
conjur-cluster-2336141628-pv770 10.40.1.36:636 check diff --git a/manifests/conjur-cluster.yaml b/manifests/conjur-cluster.yaml index d3e66a1..117f197 100644 --- a/manifests/conjur-cluster.yaml +++ b/manifests/conjur-cluster.yaml @@ -30,3 +30,5 @@ spec: name: pg-main - containerPort: 5433 name: pg-audit + imagePullSecrets: + - name: conjurregcred diff --git a/manifests/conjur-follower.yaml b/manifests/conjur-follower.yaml index 6278333..d9b379e 100644 --- a/manifests/conjur-follower.yaml +++ b/manifests/conjur-follower.yaml @@ -44,3 +44,5 @@ spec: name: pg-main - containerPort: 5433 name: pg-audit + imagePullSecrets: + - name: conjurregcred diff --git a/start b/start index f8ad0f8..d0c4f95 100755 --- a/start +++ b/start @@ -1,15 +1,15 @@ #!/bin/bash set -eou pipefail -0_check_dependencies.sh +./0_check_dependencies.sh -stop +./stop -1_create_conjur_namespace.sh -2_build_and_push_containers.sh -3_deploy_conjur_cluster.sh -4_configure_master.sh -5_create_load_balancer.sh -6_configure_standbys.sh -7_configure_followers.sh -8_print_config.sh +./1_create_conjur_namespace.sh +./2_build_and_push_containers.sh +./3_deploy_conjur_cluster.sh +./4_configure_master.sh +./5_create_load_balancer.sh +./6_configure_standbys.sh +./7_configure_followers.sh +./8_print_config.sh diff --git a/utils.sh b/utils.sh index 5e6590c..866493c 100755 --- a/utils.sh +++ b/utils.sh @@ -24,7 +24,7 @@ environment_domain() { } has_namespace() { - if kubectl get namespace "$1" 2> /dev/null; then + if kubectl get namespace "$1" > /dev/null; then true else false From 9177e24e3a352234a65ab6973fd432d76a7c573a Mon Sep 17 00:00:00 2001 From: John Tuttle Date: Mon, 16 Apr 2018 14:39:41 -0400 Subject: [PATCH 11/21] make docker vars generic --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7cd4ec3..e39ac97 100644 --- a/README.md +++ b/README.md 
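Review bot: In the utils.sh hunk, swapping `2> /dev/null` for `> /dev/null` in `has_namespace` trades one leak for another: the success line `namespace/NAME` no longer reaches stdout, but every probe of a missing namespace now prints kubectl's `Error from server (NotFound)` to the terminal, which is noise for a predicate whose callers only care about the exit status. Redirect both streams, `if kubectl get namespace "$1" > /dev/null 2>&1; then`. The surrounding `if … then true else false fi` is redundant as well; the function body could simply be `kubectl get namespace "$1" > /dev/null 2>&1`, letting the command's status become the return value. The function's closing `fi` and `}` are outside the hunk.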
@@ -32,8 +32,8 @@ You will also need access to a Docker registry to which you are able to push. Provide the URL and full path you wish to use for this registry: ``` -export DOCKER_REGISTRY_URL=us.gcr.io -export DOCKER_REGISTRY_PATH=us.gcr.io/gke-dev +export DOCKER_REGISTRY_URL= +export DOCKER_REGISTRY_PATH=/ ``` Please login to the registry before running the deploy scripts. From 2179f74738c1f7cd2165fde5370fa016423efef4 Mon Sep 17 00:00:00 2001 From: Dustin Collins Date: Mon, 16 Apr 2018 14:46:25 -0500 Subject: [PATCH 12/21] Fixes from my run-through --- .gitignore | 3 ++- 5_create_load_balancer.sh | 2 +- 8_print_config.sh | 2 +- manifests/haproxy-conjur-master.yaml | 2 ++ 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 0facc40..d0165f3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ standby-seed.tar -haproxy.cfg \ No newline at end of file +haproxy.cfg +tmp/ diff --git a/5_create_load_balancer.sh b/5_create_load_balancer.sh index 615e439..fece78d 100755 --- a/5_create_load_balancer.sh +++ b/5_create_load_balancer.sh @@ -12,7 +12,7 @@ docker_image=${DOCKER_REGISTRY_PATH}/haproxy:$CONJUR_NAMESPACE_NAME sed -e "s#{{ DOCKER_IMAGE }}#$docker_image#g" ./manifests/haproxy-conjur-master.yaml | kubectl create -f - -sleep 5 +wait_for_node 'haproxy-conjur-master' echo "Configuring load balancer..." diff --git a/8_print_config.sh b/8_print_config.sh index da869e6..dc9a471 100755 --- a/8_print_config.sh +++ b/8_print_config.sh @@ -7,7 +7,7 @@ set_namespace $CONJUR_NAMESPACE_NAME api_key=$(rotate_api_key) -conjur_master_ip=$(kubectl get services | grep conjur-master | awk '{ print $4 }') +conjur_master_ip=$(kubectl get services | grep conjur-master | awk '{ print $3 }') announce " Conjur cluster is ready. diff --git a/manifests/haproxy-conjur-master.yaml b/manifests/haproxy-conjur-master.yaml index 4210269..9f174b0 100644 --- a/manifests/haproxy-conjur-master.yaml +++ b/manifests/haproxy-conjur-master.yaml 
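Review bot: In the 8_print_config.sh hunk, changing `awk '{ print $4 }'` to `awk '{ print $3 }'` on the output of `kubectl get services | grep conjur-master` picks an address by column position, which presumably differs between kubectl versions (the table gained a TYPE column that shifts CLUSTER-IP and EXTERNAL-IP), so this fixes one contributor's client and breaks another's. `grep conjur-master` also matches any Service whose name merely contains that substring. Assuming the Service object is named `conjur-master`, ask the API for the field directly: `conjur_master_ip=$(kubectl get service conjur-master -o jsonpath='{.status.loadBalancer.ingress[0].ip}')` for the externally reachable address, or `-o jsonpath='{.spec.clusterIP}'` if the cluster IP is what this line intends; the hunk does not show which one the printed URL is meant to carry, so confirm against the announce text that follows.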
@@ -38,3 +38,5 @@ spec: name: pg-main - containerPort: 5433 name: pg-audit + imagePullSecrets: + - name: conjurregcred From 5867730989208f01bfabf054f64eb7d7f7a88152 Mon Sep 17 00:00:00 2001 From: John Tuttle Date: Mon, 16 Apr 2018 17:30:28 -0400 Subject: [PATCH 13/21] move namespace creation into readme, reorder setup steps --- ...iners.sh => 1_build_and_push_containers.sh | 0 1_create_conjur_namespace.sh | 28 -------- ...r_cluster.sh => 2_deploy_conjur_cluster.sh | 0 ...nfigure_master.sh => 3_configure_master.sh | 0 ...d_balancer.sh => 4_create_load_balancer.sh | 0 ...ure_standbys.sh => 5_configure_standbys.sh | 0 ...e_followers.sh => 6_configure_followers.sh | 0 8_print_config.sh => 7_print_config.sh | 0 README.md | 70 +++++++++++-------- start | 15 ++-- 10 files changed, 46 insertions(+), 67 deletions(-) rename 2_build_and_push_containers.sh => 1_build_and_push_containers.sh (100%) delete mode 100755 1_create_conjur_namespace.sh rename 3_deploy_conjur_cluster.sh => 2_deploy_conjur_cluster.sh (100%) rename 4_configure_master.sh => 3_configure_master.sh (100%) rename 5_create_load_balancer.sh => 4_create_load_balancer.sh (100%) rename 6_configure_standbys.sh => 5_configure_standbys.sh (100%) rename 7_configure_followers.sh => 6_configure_followers.sh (100%) rename 8_print_config.sh => 7_print_config.sh (100%) diff --git a/2_build_and_push_containers.sh b/1_build_and_push_containers.sh similarity index 100% rename from 2_build_and_push_containers.sh rename to 1_build_and_push_containers.sh diff --git a/1_create_conjur_namespace.sh b/1_create_conjur_namespace.sh deleted file mode 100755 index e454aec..0000000 --- a/1_create_conjur_namespace.sh +++ /dev/null 
@@ -1,28 +0,0 @@ -#!/bin/bash -set -eou pipefail - -. utils.sh - -announce "Creating Conjur namespace." - -set_namespace default - -if has_namespace "$CONJUR_NAMESPACE_NAME"; then - echo "Namespace '$CONJUR_NAMESPACE_NAME' exists, not going to create it." - set_namespace $CONJUR_NAMESPACE_NAME -else - echo "Creating '$CONJUR_NAMESPACE_NAME' namespace." - kubectl create namespace "$CONJUR_NAMESPACE_NAME" - set_namespace $CONJUR_NAMESPACE_NAME -fi - -# Must run as root to unpack Conjur seed files on standbys for high availability. -# TODO: replace this overprivileging with a service account + role + role binding - -# TODO: perhaps clusterroles should be defined independent of these scripts. for one this could delete an important clusterrole for user, unwittingly -kubectl delete --ignore-not-found clusterrole conjur-authenticator - -# Grant default service account permissions it needs for authn-k8s to: -# 1) get + list pods (to verify pod names) -# 2) create + get pods/exec (to inject cert into app sidecar) -kubectl create -f ./manifests/conjur-authenticator-role.yaml diff --git a/3_deploy_conjur_cluster.sh b/2_deploy_conjur_cluster.sh similarity index 100% rename from 3_deploy_conjur_cluster.sh rename to 2_deploy_conjur_cluster.sh diff --git a/4_configure_master.sh b/3_configure_master.sh similarity index 100% rename from 4_configure_master.sh rename to 3_configure_master.sh diff --git a/5_create_load_balancer.sh b/4_create_load_balancer.sh similarity index 100% rename from 5_create_load_balancer.sh rename to 4_create_load_balancer.sh diff --git a/6_configure_standbys.sh b/5_configure_standbys.sh similarity index 100% rename from 6_configure_standbys.sh rename to 5_configure_standbys.sh diff --git a/7_configure_followers.sh b/6_configure_followers.sh similarity index 100% rename from 7_configure_followers.sh rename to 6_configure_followers.sh 
diff --git a/8_print_config.sh b/7_print_config.sh similarity index 100% rename from 8_print_config.sh rename to 7_print_config.sh diff --git a/README.md b/README.md index e39ac97..0a94732 100644 --- a/README.md +++ b/README.md @@ -6,30 +6,17 @@ Kubernetes environment. # Setup The Conjur deployment scripts pick up configuration details from local -environment variables. The setup instructions below will walk you through the +environment variables. The setup instructions below walk you through the necessary steps for configuring your Kubernetes environment and show you which variables need to be set before deploying. -### Kubernetes - -To deploy Conjur, you will first need access to a Kubernetes deployment and must -connect to it using `kubectl` with a user that has sufficient privileges to -create namespaces. - -Finally, you must specify a name for the namespace in which you'd like to deploy -the Conjur cluster: - -``` -export CONJUR_NAMESPACE_NAME=conjur -``` - ### Docker -You will need to [install Docker](https://www.docker.com/get-docker) on your -local machine if you do not already have it. +[Install Docker](https://www.docker.com/get-docker) on your local machine if you +do not already have it. -You will also need access to a Docker registry to which you are able to push. -Provide the URL and full path you wish to use for this registry: +You need access to a Docker registry to which you are able to push. Provide the +URL and full path you wish to use for this registry: ``` export DOCKER_REGISTRY_URL= 
@@ -38,20 +25,30 @@ export DOCKER_REGISTRY_PATH=/ Please login to the registry before running the deploy scripts. -### Conjur +### Kubernetes -#### Appliance Image +To deploy Conjur, you need access to a Kubernetes deployment and must connect to +it using `kubectl` with a user that has sufficient privileges to create +namespaces. -You will need to obtain a Docker image of the Conjur v4 appliance and push it -to your Docker registry with the tag: +#### Conjur Namespace + +First, create a namespace in which to deploy your Conjur cluster: ``` -$DOCKER_REGISTRY_PATH/conjur-appliance:$CONJUR_NAMESPACE_NAME +kubectl create namespace +``` + +Provide this namespace to the deploy scripts as follows: + ``` +export CONJUR_NAMESPACE_NAME= +``` + +#### Image Pull Secret -Finally, you will need to create an image pull secret called `conjurregcred` -in your Kubernetes environment to allow the deploy scripts to retrieve the -Conjur image from your registry: +Create an image pull secret called `conjurregcred` in your Conjur namespace to +allow the deploy scripts to retrieve the Conjur image from your Docker registry: ``` kubectl create secret docker-registry conjurregcred \ @@ -61,6 +58,17 @@ kubectl create secret docker-registry conjurregcred \ --docker-email= ``` +### Conjur + +#### Appliance Image + +You need to obtain a Docker image of the Conjur v4 appliance and push it to your +Docker registry with the tag: + +``` +$DOCKER_REGISTRY_PATH/conjur-appliance:$CONJUR_NAMESPACE_NAME +``` + #### Appliance Configuration When setting up a new Conjur installation, you must provide an account name and @@ -72,7 +80,7 @@ export CONJUR_ADMIN_PASSWORD= ``` Conjur uses [declarative policy](https://developer.conjur.net/policy) to control -access to secrets. After deploying Conjur, you will need to load a policy that +access to secrets. After deploying Conjur, you need to load a policy that defines a `webservice` to represent the Kubernetes authenticator: ``` 
@@ -82,7 +90,7 @@ id: conjur/authn-k8s/{{ SERVICE_ID }} The `SERVICE_ID` should describe the Kubernetes node in which your Conjur cluster resides. For example, it might be something like `kubernetes/prod`. For Conjur -configuration purposes, you will need to provide this value to the Conjur deploy +configuration purposes, you need to provide this value to the Conjur deploy scripts like so: ``` @@ -94,9 +102,9 @@ that it matches the value that you intend to use in Conjur Policy. # Usage -Run `./start` to deploy Conjur. This will execute the numbered scripts in -sequence to create and configure a Conjur cluster comprised of one Master, two -Standbys, and two read-only Followers. +Run `./start` to deploy Conjur. This executes the numbered scripts in sequence +to create and configure a Conjur cluster comprised of one Master, two Standbys, +and two read-only Followers. Please note that the deploy scripts grant the `anyuid` SCC to the `default` service account in the namespace that contains Conjur as configuring standbys and diff --git a/start b/start index d0c4f95..3a370ef 100755 --- a/start +++ b/start @@ -5,11 +5,10 @@ set -eou pipefail ./stop -./1_create_conjur_namespace.sh -./2_build_and_push_containers.sh -./3_deploy_conjur_cluster.sh -./4_configure_master.sh -./5_create_load_balancer.sh -./6_configure_standbys.sh -./7_configure_followers.sh -./8_print_config.sh +./1_build_and_push_containers.sh +./2_deploy_conjur_cluster.sh +./3_configure_master.sh +./4_create_load_balancer.sh +./5_configure_standbys.sh +./6_configure_followers.sh +./7_print_config.sh From d8d0211ca3c939a120da8c87210988081f5beddf Mon Sep 17 00:00:00 2001 From: John Tuttle Date: Tue, 17 Apr 2018 09:58:53 -0400 Subject: [PATCH 14/21] readme updates --- README.md | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 0a94732..5826fe7 100644 --- a/README.md +++ b/README.md 
@@ -27,9 +27,9 @@ Please login to the registry before running the deploy scripts. ### Kubernetes -To deploy Conjur, you need access to a Kubernetes deployment and must connect to -it using `kubectl` with a user that has sufficient privileges to create -namespaces. +Before deploying Conjur, you must first use `kubectl` to connect to your +Kubernetes environment with a user that has the `cluster-admin` role. The user +must be able to create namespaces and cluster roles. #### Conjur Namespace @@ -58,6 +58,21 @@ kubectl create secret docker-registry conjurregcred \ --docker-email= ``` +#### The `conjur-authenticator` Cluster Role + +Conjur's Kubernetes authenticator requires the following privileges: + +- [`"get"`, `"list"`] on `"pods"` for confirming a pod's namespace membership +- [`"create"`, `"get"`] on "pods/exec" for injecting a certificate into a pod + +The deploy scripts include a manifest that defines the `conjur-authenticator` +cluster role, which grants these privileges. Create the role now (note that +your user will need to have the `cluster-admin` role to do so): + +``` +kubectl create -f ./manifests/conjur-authenticator-role.yaml +``` + ### Conjur #### Appliance Image @@ -88,10 +103,10 @@ defines a `webservice` to represent the Kubernetes authenticator: id: conjur/authn-k8s/{{ SERVICE_ID }} ``` -The `SERVICE_ID` should describe the Kubernetes node in which your Conjur cluster -resides. For example, it might be something like `kubernetes/prod`. For Conjur -configuration purposes, you need to provide this value to the Conjur deploy -scripts like so: +The `SERVICE_ID` should describe the Kubernetes cluster in which your Conjur +deployment resides. For example, it might be something like `kubernetes/prod`. +For Conjur configuration purposes, you need to provide this value to the Conjur +deploy scripts like so: ``` export AUTHENTICATOR_SERVICE_ID= From ebfb13d51ab3a5ef8bc075f3a6eea87c30a4d232 Mon Sep 17 00:00:00 2001 
From: John Tuttle
Date: Tue, 17 Apr 2018 13:20:15 -0400
Subject: [PATCH 15/21] remove psql memory config, move namespace creation to manual step
---
 3_configure_master.sh | 3 ---
 5_configure_standbys.sh | 3 +--
 6_configure_followers.sh | 3 +--
 7_print_config.sh | 18 +++++-------------
 build/conjur_server/Dockerfile | 4 ----
 build/conjur_server/build.sh | 5 -----
 build/conjur_server/conjur.json | 5 -----
 start | 3 ---
 utils.sh | 4 ++++
 9 files changed, 11 insertions(+), 37 deletions(-)
 delete mode 100644 build/conjur_server/Dockerfile
 delete mode 100755 build/conjur_server/build.sh
 delete mode 100644 build/conjur_server/conjur.json
diff --git a/3_configure_master.sh b/3_configure_master.sh
index cb1856e..2031e77 100755
--- a/3_configure_master.sh
+++ b/3_configure_master.sh
@@ -12,10 +12,7 @@ master_pod_name=$(get_master_pod_name)
 kubectl label --overwrite pod $master_pod_name role=master
 # Configure Conjur master server using evoke.
-# TODO: do we need to add some environment url to the master altnames ?
-kubectl cp build/conjur_server/conjur.json $master_pod_name:/etc/conjur.json
 kubectl exec $master_pod_name -- evoke configure master \
- -j /etc/conjur.json \
 -h conjur-master \
 --master-altnames localhost,conjur-master.$CONJUR_NAMESPACE_NAME.svc.cluster.local \
 --follower-altnames conjur-follower,conjur-follower.$CONJUR_NAMESPACE_NAME.svc.cluster.local \
diff --git a/5_configure_standbys.sh b/5_configure_standbys.sh
index 4592c2f..e58e2e7 100755
--- a/5_configure_standbys.sh
+++ b/5_configure_standbys.sh
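Review bot: `$master_pod_name` is still expanded unquoted in the `kubectl label` and `kubectl exec` lines that remain in 3_configure_master.sh, so an empty result from `get_master_pod_name` (the pod not yet scheduled, say) turns the label call into something other than the intended command with an unhelpful error. Fail early and quote the expansion: `[ -n "$master_pod_name" ] || { echo "no master pod found" >&2; exit 1; }` before the label line, then `kubectl exec "$master_pod_name" -- evoke configure master \`. The evoke argument list continues past the end of this hunk.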
@@ -23,10 +23,9 @@ for pod_name in $pod_list; do
 kubectl label --overwrite pod $pod_name role=standby
 copy_file_to_container "./tmp/standby-seed.tar" "/tmp/standby-seed.tar" "$pod_name"
- copy_file_to_container "build/conjur_server/conjur.json" "/etc/conjur.json" "$pod_name"
 kubectl exec $pod_name evoke unpack seed /tmp/standby-seed.tar
- kubectl exec $pod_name -- evoke configure standby -j /etc/conjur.json -i $master_pod_ip
+ kubectl exec $pod_name -- evoke configure standby -i $master_pod_ip
 done
 rm -rf tmp
diff --git a/6_configure_followers.sh b/6_configure_followers.sh
index f6026cb..045c42d 100755
--- a/6_configure_followers.sh
+++ b/6_configure_followers.sh
@@ -20,11 +20,10 @@ pod_list=$(kubectl get pods -l role=follower --no-headers | awk '{ print $1 }')
 for pod_name in $pod_list; do
 printf "Configuring follower %s...\n" $pod_name
- copy_file_to_container "build/conjur_server/conjur.json" "/etc/conjur.json" "$pod_name"
 copy_file_to_container "./tmp/follower-seed.tar" "/tmp/follower-seed.tar" "$pod_name"
 kubectl exec $pod_name evoke unpack seed /tmp/follower-seed.tar
- kubectl exec $pod_name -- evoke configure follower -j /etc/conjur.json
+ kubectl exec $pod_name -- evoke configure follower
 done
 rm -rf tmp
diff --git a/7_print_config.sh b/7_print_config.sh
index dc9a471..d96c295 100755
--- a/7_print_config.sh
+++ b/7_print_config.sh
@@ -5,21 +5,13 @@ set -eou pipefail
 set_namespace $CONJUR_NAMESPACE_NAME
-api_key=$(rotate_api_key)
-
-conjur_master_ip=$(kubectl get services | grep conjur-master | awk '{ print $3 }')
-
 announce "
 Conjur cluster is ready.
-Addresses for the Conjur Master service:
-
- Inside the cluster:
- conjur-master.$CONJUR_NAMESPACE_NAME.svc.cluster.local
+Conjur UI address:
+ https://$(get_master_service_ip):443
- Outside the cluster:
- https://$conjur_master_ip:443
-
-Conjur login credentials:
- admin / $api_key
+Conjur admin credentials:
+ admin / $(rotate_api_key)
 "
+
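Review bot: The rewritten `kubectl exec $pod_name -- evoke configure standby -i $master_pod_ip` line in 5_configure_standbys.sh leaves both `$pod_name` and `$master_pod_ip` unquoted, and sits directly under an `evoke unpack seed` call that omits the `--` separator the new line uses; the `evoke configure follower` line in the 6_configure_followers.sh hunk has the same shape. Quote the expansions, `kubectl exec "$pod_name" -- evoke configure standby -i "$master_pod_ip"`, and add `--` to both `evoke unpack seed` invocations so kubectl never takes evoke's arguments as its own. The `for` loop header of the standby script is outside this hunk.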
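Review bot: Moving `rotate_api_key` into a command substitution inside the `announce "..."` argument in 7_print_config.sh drops its exit status: `set -e` only sees the status of `announce`, so a failed rotation prints `admin / ` with an empty key and the script still exits 0, whereas the removed `api_key=$(rotate_api_key)` assignment would have aborted the run. Keep the assignment form before the banner, `api_key=$(rotate_api_key)` and likewise `master_ip=$(get_master_service_ip)`, and interpolate the variables into the string. This banner also writes the freshly rotated admin API key to stdout, so anything capturing the deploy output (CI logs, terminal scrollback) now holds it; a comment such as `# NOTE: prints the admin API key; do not capture this output in shared logs` would make that deliberate for the next maintainer.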
diff --git a/build/conjur_server/Dockerfile b/build/conjur_server/Dockerfile
deleted file mode 100644
index 467bbf6..0000000
--- a/build/conjur_server/Dockerfile
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM conjur-appliance:4.9-stable
-
-# Memory allocation for postgres.
-COPY conjur.json /etc/
diff --git a/build/conjur_server/build.sh b/build/conjur_server/build.sh
deleted file mode 100755
index ba6fa4c..0000000
--- a/build/conjur_server/build.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-set -eou pipefail
-
-# builds Conjur Appliance with /etc/conjur.json (contains memory allocation config for pg)
-docker build -t conjur-appliance:$CONJUR_NAMESPACE_NAME -f Dockerfile .
diff --git a/build/conjur_server/conjur.json b/build/conjur_server/conjur.json
deleted file mode 100644
index 6d18e7e..0000000
--- a/build/conjur_server/conjur.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "postgresql": {
- "allocated_memory_kb": 100000
- }
-}
diff --git a/start b/start
index 3a370ef..17c6796 100755
--- a/start
+++ b/start
@@ -2,9 +2,6 @@
 set -eou pipefail
 ./0_check_dependencies.sh
-
-./stop
-
 ./1_build_and_push_containers.sh
 ./2_deploy_conjur_cluster.sh
 ./3_configure_master.sh
diff --git a/utils.sh b/utils.sh
index 866493c..4045c1f 100755
--- a/utils.sh
+++ b/utils.sh
@@ -50,6 +50,10 @@ get_master_pod_name() {
 echo $pod_list | awk '{print $1}'
 }
+get_master_service_ip() {
+ echo $(kubectl get service conjur-master -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+}
+
 mastercmd() {
 local master_pod=$(kubectl get pod -l role=master --no-headers | awk '{ print $1 }')
 local interactive=$1
From 5ed5fed2784a4ba69a608c3a47555b06338aa1d6 Mon Sep 17 00:00:00 2001
From: John Tuttle
Date: Tue, 17 Apr 2018 13:24:44 -0400
Subject: [PATCH 16/21] add service address back to readme
---
 7_print_config.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/7_print_config.sh b/7_print_config.sh
index d96c295..480049b 100755
--- a/7_print_config.sh
+++ b/7_print_config.sh
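Review bot: `echo $(kubectl get service ... -o jsonpath=...)` in the new `get_master_service_ip` in utils.sh discards kubectl's exit status and word-splits its output, so a missing `conjur-master` service yields an empty string with status 0 and the caller in 7_print_config.sh prints `https://:443`. Run the command directly so its status propagates: `get_master_service_ip() {` / `  kubectl get service conjur-master -o jsonpath='{.status.loadBalancer.ingress[0].ip}'` / `}`. The LoadBalancer ingress field is presumably also empty until the cloud provider has assigned an address, so a caller that needs a usable URL may have to poll until the output is non-empty.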
@@ -8,10 +8,12 @@ set_namespace $CONJUR_NAMESPACE_NAME
 announce "
 Conjur cluster is ready.
+Conjur master service:
+ conjur-master.$CONJUR_NAMESPACE_NAME.svc.cluster.local
+
 Conjur UI address:
 https://$(get_master_service_ip):443
 Conjur admin credentials:
 admin / $(rotate_api_key)
 "
-
From 9c74db11cd3c6fad1661856f3fe435e9aef39eca Mon Sep 17 00:00:00 2001
From: John Tuttle
Date: Tue, 17 Apr 2018 13:58:38 -0400
Subject: [PATCH 17/21] provide CLI container manifest and instructions for using it
---
 7_print_config.sh | 3 ---
 README.md | 35 ++++++++++++++++++++++++-----------
 manifests/conjur-cli.yaml | 25 +++++++++++++++++++++++++
 3 files changed, 49 insertions(+), 14 deletions(-)
 create mode 100644 manifests/conjur-cli.yaml
diff --git a/7_print_config.sh b/7_print_config.sh
index 480049b..8bc764c 100755
--- a/7_print_config.sh
+++ b/7_print_config.sh
@@ -8,9 +8,6 @@ set_namespace $CONJUR_NAMESPACE_NAME
 announce "
 Conjur cluster is ready.
-Conjur master service:
- conjur-master.$CONJUR_NAMESPACE_NAME.svc.cluster.local
-
 Conjur UI address:
 https://$(get_master_service_ip):443
diff --git a/README.md b/README.md
index 5826fe7..c2cdeb1 100644
--- a/README.md
+++ b/README.md
@@ -117,22 +117,35 @@ that it matches the value that you intend to use in Conjur Policy. # Usage +### Deploying Conjur + Run `./start` to deploy Conjur. This executes the numbered scripts in sequence to create and configure a Conjur cluster comprised of one Master, two Standbys, -and two read-only Followers. +and two read-only Followers. The final step will print out the necessary info +for interacting with Conjur through the CLI or UI. + +### Conjur CLI + +The deploy scripts include a manifest for creating a Conjur CLI container within +the Kubernetes environment that can then be used to interact with Conjur. Deploy +the CLI pod and SSH into it: + +``` +kubectl create -f ./manifests/conjur-cli.yaml +kubectl exec -it [cli-pod-name] bash +``` + +Follow our [CLI instructions](https://developer.conjur.net/cli#quickstart) +to get started with the Conjur CLI. The hostname is `conjur-master`, which is a +service that can be used to access the Conjur Master. -Please note that the deploy scripts grant the `anyuid` SCC to the `default` -service account in the namespace that contains Conjur as configuring standbys and -followers requires root access. +### Conjur UI -When the deploy scripts finish, they will print out the URL and credentials that -you need to access Conjur from outside the Kubernetes environment. You can access -the Conjur UI by visiting this URL in a browser or use it to interact with Conjur -through the [Conjur CLI](https://developer.conjur.net/cli). +Visit the Conjur UI URL in your browser and login with the admin credentials to +access the Conjur UI. # Test App Demo The [kubernetes-conjur-demo repo](https://github.com/conjurdemos/kubernetes-conjur-demo) -can be used to set up a test application that retrieves secrets from Conjur -using our Ruby API. It can be used as a reference when setting up your own -applications to integrate with Conjur. 
+sets up test applications that retrieve secrets from Conjur and serves as a
+useful reference when setting up your own applications to integrate with Conjur.
diff --git a/manifests/conjur-cli.yaml b/manifests/conjur-cli.yaml
new file mode 100644
index 0000000..0edad0d
--- /dev/null
+++ b/manifests/conjur-cli.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ labels:
+ app: conjur-cli
+ name: conjur-cli
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: conjur-cli
+ template:
+ metadata:
+ labels:
+ app: conjur-cli
+ name: conjur-cli
+ spec:
+ containers:
+ - name: conjur-cli
+ image: cyberark/conjur-cli:4
+ imagePullPolicy: Always
+ command: ["sleep"]
+ args: ["infinity"]
+
From 3df264cd9b35daad8efdc6681c8f8b1ec92a1194 Mon Sep 17 00:00:00 2001
From: John Tuttle
Date: Tue, 17 Apr 2018 14:53:21 -0400
Subject: [PATCH 18/21] add namespace creation back in
---
 1_create_conjur_namespace.sh | 17 +++++++++
 ...iners.sh => 2_build_and_push_containers.sh | 0
 ...r_cluster.sh => 3_deploy_conjur_cluster.sh | 14 ++++++-
 ...nfigure_master.sh => 4_configure_master.sh | 0
 ...d_balancer.sh => 5_create_load_balancer.sh | 0
 ...ure_standbys.sh => 6_configure_standbys.sh | 0
 ...e_followers.sh => 7_configure_followers.sh | 0
 7_print_config.sh => 8_print_config.sh | 0
 README.md | 37 +++++++------------
 start | 19 ++++++----
 10 files changed, 56 insertions(+), 31 deletions(-)
 create mode 100755 1_create_conjur_namespace.sh
 rename 1_build_and_push_containers.sh => 2_build_and_push_containers.sh (100%)
 rename 2_deploy_conjur_cluster.sh => 3_deploy_conjur_cluster.sh (64%)
 rename 3_configure_master.sh => 4_configure_master.sh (100%)
 rename 4_create_load_balancer.sh => 5_create_load_balancer.sh (100%)
 rename 5_configure_standbys.sh => 6_configure_standbys.sh (100%)
 rename 6_configure_followers.sh => 7_configure_followers.sh (100%)
 rename 7_print_config.sh => 8_print_config.sh (100%)
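Review bot: The new Deployment in manifests/conjur-cli.yaml pulls `cyberark/conjur-cli:4` with `imagePullPolicy: Always`, so every pod restart fetches whatever that floating major-version tag currently points at; for a container the README tells users to hand the admin credentials to, pin the image to an exact version or digest (`image: cyberark/conjur-cli:4@sha256:<digest-placeholder>`) so the CLI binary is reproducible. The pod does not appear to need the Kubernetes API for `sleep infinity`, so `automountServiceAccountToken: false` under the pod-level `spec:` would keep the default service-account token out of a long-lived container. A short header comment stating the manifest's purpose, e.g. `# Long-running pod providing the Conjur CLI inside the cluster; exec into it to use the CLI`, would also help.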
diff --git a/1_create_conjur_namespace.sh b/1_create_conjur_namespace.sh
new file mode 100755
index 0000000..e244b4f
--- /dev/null
+++ b/1_create_conjur_namespace.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -eou pipefail
+
+. utils.sh
+
+announce "Creating Conjur namespace."
+
+set_namespace default
+
+if has_namespace "$CONJUR_NAMESPACE_NAME"; then
+ echo "Namespace '$CONJUR_NAMESPACE_NAME' exists, not going to create it."
+ set_namespace $CONJUR_NAMESPACE_NAME
+else
+ echo "Creating '$CONJUR_NAMESPACE_NAME' namespace."
+ kubectl create namespace "$CONJUR_NAMESPACE_NAME"
+ set_namespace $CONJUR_NAMESPACE_NAME
+fi
diff --git a/1_build_and_push_containers.sh b/2_build_and_push_containers.sh
similarity index 100%
rename from 1_build_and_push_containers.sh
rename to 2_build_and_push_containers.sh
diff --git a/2_deploy_conjur_cluster.sh b/3_deploy_conjur_cluster.sh
similarity index 64%
rename from 2_deploy_conjur_cluster.sh
rename to 3_deploy_conjur_cluster.sh
index 6556346..4f2d25b 100755
--- a/2_deploy_conjur_cluster.sh
+++ b/3_deploy_conjur_cluster.sh
@@ -1,8 +1,20 @@
 #!/bin/bash
-set -eou pipefail
+set -eox pipefail
 . utils.sh
+if ! [ "${DOCKER_EMAIL}" = "" ]; then
+ announce "Creating image pull secret."
+
+ kubectl delete --ignore-not-found secret conjurregcred
+
+ kubectl create secret docker-registry conjurregcred \
+ --docker-server=$DOCKER_REGISTRY_URL \
+ --docker-username=$DOCKER_USERNAME \
+ --docker-password=$DOCKER_PASSWORD \
+ --docker-email=$DOCKER_EMAIL
+fi
+
 announce "Creating Conjur cluster."
 set_namespace $CONJUR_NAMESPACE_NAME
diff --git a/3_configure_master.sh b/4_configure_master.sh
similarity index 100%
rename from 3_configure_master.sh
rename to 4_configure_master.sh
diff --git a/4_create_load_balancer.sh b/5_create_load_balancer.sh
similarity index 100%
rename from 4_create_load_balancer.sh
rename to 5_create_load_balancer.sh
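Review bot: Both branches of the new `if has_namespace "$CONJUR_NAMESPACE_NAME"` in 1_create_conjur_namespace.sh end with the same `set_namespace $CONJUR_NAMESPACE_NAME`, and that one call is left unquoted while the `has_namespace` and `kubectl create namespace` calls quote the variable. Hoist the shared call to a single quoted line after `fi`, `set_namespace "$CONJUR_NAMESPACE_NAME"`, leaving only the echo and create in the branches. A one-line header comment such as `# Creates $CONJUR_NAMESPACE_NAME if it does not exist and points kubectl at it` would document the script's intent.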
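Review bot: The new `set -eox pipefail` in 3_deploy_conjur_cluster.sh turns on xtrace, so the `kubectl create secret docker-registry ... --docker-password=$DOCKER_PASSWORD` line is echoed to stderr with the registry password expanded on every run; it also drops the `-u` the other scripts in this series keep. Once `-u` is restored (PATCH 21 later on this page does so), the guard `if ! [ "${DOCKER_EMAIL}" = "" ]` aborts with an unbound-variable error whenever the variable is merely unset, which the README hunk in this same commit describes as the public-registry case; use `if [ -n "${DOCKER_EMAIL:-}" ]; then` so unset and empty both skip the secret. The same `--docker-password=$DOCKER_PASSWORD` line appears as context in the 3_deploy_conjur_cluster.sh hunks of PATCH 20; the password is visible in the process list for the duration of that kubectl call regardless, so at minimum quote the expansions (`--docker-password="$DOCKER_PASSWORD"`) and the others beside it.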
diff --git a/5_configure_standbys.sh b/6_configure_standbys.sh similarity index 100% rename from 5_configure_standbys.sh rename to 6_configure_standbys.sh diff --git a/6_configure_followers.sh b/7_configure_followers.sh similarity index 100% rename from 6_configure_followers.sh rename to 7_configure_followers.sh diff --git a/7_print_config.sh b/8_print_config.sh similarity index 100% rename from 7_print_config.sh rename to 8_print_config.sh diff --git a/README.md b/README.md index c2cdeb1..be06879 100644 --- a/README.md +++ b/README.md @@ -15,15 +15,25 @@ variables need to be set before deploying. [Install Docker](https://www.docker.com/get-docker) on your local machine if you do not already have it. -You need access to a Docker registry to which you are able to push. Provide the -URL and full path you wish to use for this registry: +You must have push access to a Docker registry in order to run these deploy +scripts. Provide the URL and full path of your registry: ``` export DOCKER_REGISTRY_URL= export DOCKER_REGISTRY_PATH=/ ``` -Please login to the registry before running the deploy scripts. +If you are using a private registry, you will also need to provide login +credentials that are used by the deployment scripts to create a [secret for +pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-in-the-cluster-that-holds-your-authorization-token): + +``` +export DOCKER_USERNAME= +export DOCKER_PASSWORD= +export DOCKER_EMAIL= +``` + +Please make sure that you are logged in to the registry before deploying. ### Kubernetes 
@@ -33,31 +43,12 @@ must be able to create namespaces and cluster roles. #### Conjur Namespace -First, create a namespace in which to deploy your Conjur cluster: - -``` -kubectl create namespace -``` - -Provide this namespace to the deploy scripts as follows: +Provide the name of a namespace in which to deploy Conjur: ``` export CONJUR_NAMESPACE_NAME= ``` -#### Image Pull Secret - -Create an image pull secret called `conjurregcred` in your Conjur namespace to -allow the deploy scripts to retrieve the Conjur image from your Docker registry: - -``` -kubectl create secret docker-registry conjurregcred \ - --docker-server=$DOCKER_REGISTRY_URL \ - --docker-username= \ - --docker-password= \ - --docker-email= -``` - #### The `conjur-authenticator` Cluster Role Conjur's Kubernetes authenticator requires the following privileges: diff --git a/start b/start index 17c6796..5735c00 100755 --- a/start +++ b/start @@ -2,10 +2,15 @@ set -eou pipefail ./0_check_dependencies.sh -./1_build_and_push_containers.sh -./2_deploy_conjur_cluster.sh -./3_configure_master.sh -./4_create_load_balancer.sh -./5_configure_standbys.sh -./6_configure_followers.sh -./7_print_config.sh + +./stop + +./1_create_conjur_namespace.sh +./2_build_and_push_containers.sh +./3_deploy_conjur_cluster.sh +./4_configure_master.sh +./5_create_load_balancer.sh +./6_configure_standbys.sh +./7_configure_followers.sh +./8_print_config.sh + From 39485215ac5a8f126430b80edfcbc4d209c009c6 Mon Sep 17 00:00:00 2001 From: John Tuttle Date: Tue, 17 Apr 2018 15:02:03 -0400 Subject: [PATCH 19/21] replace link to CLI quickstart with link to usage --- README.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index be06879..30fc50c 100644 --- a/README.md +++ b/README.md 
@@ -126,9 +126,14 @@ kubectl create -f ./manifests/conjur-cli.yaml
 kubectl exec -it [cli-pod-name] bash
 ```
-Follow our [CLI instructions](https://developer.conjur.net/cli#quickstart)
-to get started with the Conjur CLI. The hostname is `conjur-master`, which is a
-service that can be used to access the Conjur Master.
+Once inside the CLI container, use the admin credentials to connect to Conjur:
+
+```
+conjur init -h conjur-master
+```
+
+Follow our [CLI usage instructions](https://developer.conjur.net/cli#quickstart)
+to get started with the Conjur CLI.
 ### Conjur UI
From 926be7f5cac293bdeecdd067f3b628940fae63b2 Mon Sep 17 00:00:00 2001
From: Dustin Collins
Date: Tue, 17 Apr 2018 15:07:37 -0500
Subject: [PATCH 20/21] Ensure image pull secret is created in correct namespace
---
 3_deploy_conjur_cluster.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/3_deploy_conjur_cluster.sh b/3_deploy_conjur_cluster.sh
index 4f2d25b..5006305 100755
--- a/3_deploy_conjur_cluster.sh
+++ b/3_deploy_conjur_cluster.sh
@@ -3,6 +3,10 @@ set -eox pipefail
 . utils.sh
+announce "Creating Conjur cluster."
+
+set_namespace $CONJUR_NAMESPACE_NAME
+
 if ! [ "${DOCKER_EMAIL}" = "" ]; then
 announce "Creating image pull secret."
@@ -15,10 +19,6 @@ if ! [ "${DOCKER_EMAIL}" = "" ]; then
 --docker-email=$DOCKER_EMAIL
 fi
-announce "Creating Conjur cluster."
-
-set_namespace $CONJUR_NAMESPACE_NAME
-
 conjur_appliance_image=$DOCKER_REGISTRY_PATH/conjur-appliance:$CONJUR_NAMESPACE_NAME
 echo "deploying main cluster"
From 848b9e341ba40678916f2ca0c8bc391af63d1c7e Mon Sep 17 00:00:00 2001
From: Dustin Collins
Date: Tue, 17 Apr 2018 15:09:23 -0500
Subject: [PATCH 21/21] Fix ordering of bash options, -o pipefail is needed
---
 1_create_conjur_namespace.sh | 2 +-
 2_build_and_push_containers.sh | 2 +-
 3_deploy_conjur_cluster.sh | 2 +-
 4_configure_master.sh | 2 +-
 5_create_load_balancer.sh | 2 +-
 6_configure_standbys.sh | 2 +-
 7_configure_followers.sh | 2 +-
 8_print_config.sh | 2 +-
 build/haproxy/build.sh | 2 +-
 start | 2 +-
 stop | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/1_create_conjur_namespace.sh b/1_create_conjur_namespace.sh
index e244b4f..e47cd88 100755
--- a/1_create_conjur_namespace.sh
+++ b/1_create_conjur_namespace.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -eou pipefail
+set -euo pipefail
 . utils.sh
diff --git a/2_build_and_push_containers.sh b/2_build_and_push_containers.sh
index f8efeee..4b384f8 100755
--- a/2_build_and_push_containers.sh
+++ b/2_build_and_push_containers.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -eou pipefail
+set -euo pipefail
 . utils.sh
diff --git a/3_deploy_conjur_cluster.sh b/3_deploy_conjur_cluster.sh
index 5006305..7641123 100755
--- a/3_deploy_conjur_cluster.sh
+++ b/3_deploy_conjur_cluster.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -eox pipefail
+set -euo pipefail
 . utils.sh
diff --git a/4_configure_master.sh b/4_configure_master.sh
index 2031e77..14e212a 100755
--- a/4_configure_master.sh
+++ b/4_configure_master.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -eou pipefail
+set -euo pipefail
 . utils.sh
diff --git a/5_create_load_balancer.sh b/5_create_load_balancer.sh
index fece78d..f4f2f20 100755
--- a/5_create_load_balancer.sh
+++ b/5_create_load_balancer.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -eou pipefail
+set -euo pipefail
 . utils.sh
diff --git a/6_configure_standbys.sh b/6_configure_standbys.sh
index e58e2e7..09d75aa 100755
--- a/6_configure_standbys.sh
+++ b/6_configure_standbys.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -eou pipefail
+set -euo pipefail
 . utils.sh
diff --git a/7_configure_followers.sh b/7_configure_followers.sh
index 045c42d..d59c3a2 100755
--- a/7_configure_followers.sh
+++ b/7_configure_followers.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -eou pipefail
+set -euo pipefail
 . utils.sh
diff --git a/8_print_config.sh b/8_print_config.sh
index 8bc764c..6ac2dab 100755
--- a/8_print_config.sh
+++ b/8_print_config.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -eou pipefail
+set -euo pipefail
 . utils.sh
diff --git a/build/haproxy/build.sh b/build/haproxy/build.sh
index 24a2744..b02fe5e 100755
--- a/build/haproxy/build.sh
+++ b/build/haproxy/build.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
-set -eou pipefail
+set -euo pipefail
 docker build -t haproxy:$CONJUR_NAMESPACE_NAME .
diff --git a/start b/start
index 5735c00..54ccb78 100755
--- a/start
+++ b/start
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -eou pipefail
+set -euo pipefail
 ./0_check_dependencies.sh
diff --git a/stop b/stop
index 2bfd270..4f8272c 100755
--- a/stop
+++ b/stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -eou pipefail
+set -euo pipefail
 . utils.sh