Thanks for your interest in the CyberArk Secrets Provider for Kubernetes. We welcome contributions!
- Contributing to the CyberArk Secrets Provider for Kubernetes
To work in this codebase, you will want to have Go version 1.12+ installed.
The full documentation for the Cyberark Secrets Provider for Kubernetes can be found here for Conjur Enterprise and here for Conjur Open Source.
Before you can start contributing to the CyberArk Secrets Provider for Kubernetes project, you must:
-
Setup your environment.
a. For detailed instructions on how to setup a Conjur Enterprise env, see Conjur Enterprise Setup.
b. For detailed instructions on how to setup a Conjur Open Source env, see Conjur Open Source Setup.
-
Setup the CyberArk Secrets Provider for Kubernetes
a. For detailed setup instructions for Conjur Enterprise, see CyberArk Secrets Provider for Kubernetes for Conjur Enterprise.
b. For detailed setup instructions for Conjur Open Source, see CyberArk Secrets Provider for Kubernetes for Conjur Open Source.
You can now deploy a local development environment for Kubernetes using Docker Desktop. Docker Desktop provides a convenient way to deploy and develop from your machine against a locally deployed cluster.
-
Docker Desktop installed
-
Kubernetes enabled in Docker Desktop
-
Navigate to Docker Preferences
-
Click on the Kubernetes tab and "Enable Kubernetes"
-
-
The Secrets Provider for K8s uses the Kubernetes Conjur deploy repository to deploy Conjur Enterprise / Conjur Open Source on Kubernetes. By default, 2.0 Gib of memory is allocated to Docker on your computer.
To successfully deploy a Conjur Enterprise cluster (Leader + Followers + Standbys), you will need to increase the memory limit to 6 Gib. To do so, perform the following:
-
Navigate to Docker preferences
-
Click on "Resources" and slide the "Memory" bar to 6
-
-
If you intend to deploy the Secrets Provider via Helm, you will need to install the Helm CLI. See here for instructions on how to do so.
To deploy a local development environment, perform the following:
-
Run
./bin/buildto build the Secrets Provider image locally -
Ensure you are in the proper local context. Otherwise, the deployment will not run successfully
Run kubectl config current-context to verify which context you are currently in so if needed, you can switch back to it easily
Run kubectl config use-context docker-desktop to switch to a local context. This is the context you will need to run the development environment
-
Navigate to
bootstrap.envand uncomment theLocal DEV Envsection, ensuring thatDEV=true. Additionally, you can deploy the Secrets Provider locally using HELM. To do so, also uncommentDEV_HELM -
Run
./bin/start --dev, appending--ossor--dapaccording to the environment that needs to be deployed -
To view the pod(s) that were deployed and the Secrets Provider logs, run
kubectl get podsandkubectl logs <pod-name> -c cyberark-secrets-provider-for-k8srespectively. You can also view Conjur Enterprise / Conjur Open Source pod logs by runningkubectl get pods -n local-conjurandkubectl logs <conjur-pod-name> -n local-conjur -
If a cluster is already locally deployed run
./bin/start --dev --reloadto build your local changes and redeploy them to the local Secrets Provider K8s cluster
To remove K8s resources from your local environment perform the following:
-
Run
kubectl get all --all-namespacesto list all resources across all namespaces in your cluster -
Run
kubectl delete <resource-type> <name-of-resource> --namespace <namespace>
Note that for Deployments, you must first delete the Deployment and then the Pod. Otherwise the Pod will terminate and another will start it its place.
-
Currently, deploying a local dev environment only works against a local K8s cluster and not an Openshift one
-
At current, we cannot run our integration tests locally, only against a remote cluster
-
Search our open issues in GitHub to see what features are planned.
-
Select an existing issue or open a new issue to propose changes or fixes.
-
Add the
implementinglabel to the issue that you open or modify. -
Run existing tests locally and ensure they pass.
-
Create a branch and add your changes. Include appropriate tests and ensure that they pass.
-
Submit a pull request, linking the issue in the description (e.g. Connected to #123).
-
Add the
implementedlabel to the issue and request that a Cyberark engineer reviews and merges your code.
From here your pull request is reviewed. Once you have implemented all reviewer feedback, your code is merged into the project. Congratulations, you're a contributor!
To run existing unit tests, run ./bin/test_unit
When contributing to the CyberArk Secrets Provider for Kubernetes project, be sure to add the appropriate unit tests to either already existing test files or create new ones.
To follow Go testing conventions when creating a new test file, perform the following:
-
Create a new test file that matches the file naming pattern "*_test.go" in the proper
pkgfolder, close to the source code. -
Add the following to the import statement at the beginning of the file
import ( "testing" )
-
Create tests.
-
Run test suite,
./bin/test_unit
Our integration tests can be run against either a GKE / Openshift remote cluster. To do so, run ./bin/start and add the proper flags.
To deploy Conjur Enterprise / Conjur Open Source, add the --oss / --dap flags to the above command. By default, the integration tests run Conjur Enterprise, so no flag is required.
To deploy on GKE, add --gke. For Openshift, use --oldest / --current / --next. By default, the integration tests run on a GKE cluster,
so no flag is required.
For example:
- Deploy Conjur Open Source on GKE, run
./bin/start --oss --gke - Deploy Conjur Enterprise on Openshift, run
./bin/start --dap --current
It is also possible to run a single test instead of the full suite. This can be done by running ./bin/start with the
flag --test-prefix=<prefix>. For example, running with the flag --test-prefix=TEST_ID_18 will run only the test
TEST_ID_18_helm_multiple_provider_multiple_secrets.sh, or run with the flag --test-prefix=*1[789] to run tests 17,18,19.
When contributing new integration tests, perform the following:
-
Navigate to the
test/test_casefolder -
Create a new test file with filename prefix
TEST_ID_<HIGHEST_NUMBER>_<TEST_NAME>
If your tests follow the above instructions, our scripts should grab your test additions and run it as our test suite.
That's it!
To view tracing output from Secrets Provider, you can enable Jaeger tracing.
-
Create a local Jaeger instance.
kubectl create namespace jaeger kubectl config set-context --current --namespace=jaeger helm repo add jaegertracing https://jaegertracing.github.io/helm-charts helm install jaeger jaegertracing/jaeger \ --set provisionDataStore.cassandra=false \ --set provisionDataStore.elasticsearch=true \ --set storage.type=elasticsearch \ --set elasticsearch.replicas=1 \ --set elasticsearch.minimumMasterNodes=1
Wait a few minutes for the Jaeger instance to be ready. Then run the following commands to expose the Jaeger UI on localhost:8080.
pod_name=$(kubectl get pods --namespace jaeger -l "app.kubernetes.io/instance=jaeger,app.kubernetes.io/component=query" -o jsonpath="{.items[0].metadata.name}") kubectl port-forward --namespace jaeger $pod_name 8080:16686
-
Clone the cyberark/conjur-authn-k8s-client repository which contains the E2E tests. Edit the template file for the tests. For example, you can add the following to the
annotationssection ofhelm/conjur-app-deploy/charts/app-secrets-provider-p2f/templates/test_app_secrets_provider_p2f.yamlfor the push to file E2E test:conjur.org/jaeger-collector-url: http://jaeger-collector.jaeger.svc.cluster.local:14268/api/traces
Now run the tests as usual with
cd bin/test-workflow && ./start -a secrets-provider-p2f.
Releases should be created by maintainers only. To create a tag and release, follow the instructions in this section.
- Review the git log and ensure the changelog contains all relevant recent changes with references to GitHub issues or PRs, if possible.
- Review the changes since the last tag, and if the dependencies have changed revise the NOTICES to correctly capture the included dependencies and their licenses / copyrights.
- Ensure that all documentation that needs to be written has been written by TW, approved by PO/Engineer, and pushed to the forward-facing documentation.
- Scan the project for vulnerabilities
- Create a new branch for the version bump.
- Based on the changelog content, determine the new version number.
- Update this version in the following files:
- Commit these changes -
Bump version to x.y.zis an acceptable commit message - and open a PR for review.
- Every build packages the Secrets Provider Helm chart for us. The package can be found under the 'Artifacts' tab of the Jenkins build and will resemble
secrets-provider-<version>.tgz. Navigate to the 'Artifacts' tab of the tagged version build and save this file. You will need it for the next step. - Clone the repo helm-charts and do the following:
- Move the Helm package file created in the previous step to the docs folder in the
helm-chartsrepo. - Go to the
helm-chartsrepo root folder and execute thereindex.shscript file located there. - Create a PR with those changes.
- Move the Helm package file created in the previous step to the docs folder in the
- Merging into main/master branches will automatically trigger a release. If successful, this release can be promoted at a later time.
- Jenkins build parameters can be utilized to promote a successful release or manually trigger aditional releases as needed.
- Reference the internal automated release doc for releasing and promoting.
- Visit the Red Hat project page once the images have been pushed and manually choose to publish the latest release.