adding Java SDK client example and scripts to run it on openshift #46
Conversation
| } | ||
|
|
||
| validate_app git | ||
| validate_app mvn |
There was a problem hiding this comment.
How about we use the Maven container to compile: https://hub.docker.com/_/maven. This reduces the dependencies a user needs on their machine.
There was a problem hiding this comment.
does it mean to run script from docker ?
There was a problem hiding this comment.
I have thought about it a little bit more - it is a very good idea - but if I will do it it will mean that after running my script in docker the JAVA API SDK will be installed only in maven repository inside that docker container, and thus will not be usable for another developers. The intention was to solve the problem JFC was facing with - and it means to have Java API SDK be installed in local maven repo after running the script.
There was a problem hiding this comment.
This project is intended to be demo tool, not a build tool. Could we move this build specific functionality into the cyberark/conjur-api-java project instead?
The goal for this project is to minimize dependencies required by the user, hence the push to use Docker images. It's not intended to replicate a development environment. Each project should enable development within it's scope.
There was a problem hiding this comment.
conjur-java-api build specific functionality should be added to conjur-java-api by US Team (please inform me if it your team going to do it) - and this build should be a part of pipeline and put conjur-java-api FAT JAR to global maven repository.
As soon as it will be done I will remove conjur-java-api building part from my build script - and I will leave there only build of Java Conjur API client because it is an example for Demos
There was a problem hiding this comment.
Regarding adding docker to the project: I was told that there is explicit requirement from customers not to add docker because many of them are not going to use docker in their developments and thus example using docker is less relevant to them
There was a problem hiding this comment.
Once again. This is not a developer project. This is a project for to demonstrate scenarios. Development tools should be part of the original project (cyberark/conjur-api-java in this case).
| @@ -0,0 +1,68 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
Mind adding an -x flag? Scripts like this should exit if there are any issues during the run to make it obvious there is a problem.
There was a problem hiding this comment.
it should not stop on any error. For example if we have some error in prune images - it does not have to be a problem. Thus I have added exit conditions related to specific commands
There was a problem hiding this comment.
If you have commands that you don't mind failing, I think you should prevent an error message from appearing or add a message that explains that it's ok. Otherwise, the user won't have high confidence that the run was successful. With oc commands, you can add the flag --ignore-not-found to prevent these errors.
| echo "$COMMAND" | ||
| suffix="/build.sh"; | ||
| HOME_DIR=${COMMAND%$suffix}; | ||
| pushd $HOME_DIR |
There was a problem hiding this comment.
I'd never heard of pushd. Neat!
| validate_app docker-compose | ||
| validate_app awk | ||
| validate_app openssl | ||
| validate_app keytool |
There was a problem hiding this comment.
It feels like Docker (and Docker-Compose) are standard. What do you think about adding a container with Helm, OC, awk, openssl, and keytool so that a user doesn't need to have all these locally?
There was a problem hiding this comment.
It is a good idea, but I would prefer to do it in a separate phase and to keep both ways of activation available for customers. What do you think ?
There was a problem hiding this comment.
This project is intended to empower non-developers run some of these more complex workflows easily. If we put additional requirements of our uses, we limit our audience.
There was a problem hiding this comment.
agree, but the tradeoff is between putting additional requirements and mandating docker usage as part of example
| echo "Create certificate" | ||
| oc exec -it "$CONJUR_CLI_POD" ./conjur_scripts/cert_script.sh $ACCOUNT_NAME $AUTHENTICATOR | ||
| oc exec -it "$CONJUR_CLI_POD" cat /root/conjur-$ACCOUNT_NAME.pem > conjur-cert.pem | ||
| } &> /dev/null |
There was a problem hiding this comment.
Don't we want errors visible to the user?
There was a problem hiding this comment.
improved error visibility for user
|
|
||
| usage() | ||
| { | ||
| echo "usage: installer [[[--ocp-url url ] [--docker-url url ] [--project-name project] [--account-name account] [--authenticator authenticator]] | [-h]]" |
There was a problem hiding this comment.
Can we expand the --help flag output to be multi-line? Although these flags are all well named, it would help the user better understand what each flag does. An example of what I mean is here: https://github.com/conjurinc/appliance/blob/master/release#L3
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
|
|
||
| public class JavaClient { | ||
|
|
||
| public static void main(String args[]) { |
There was a problem hiding this comment.
Method main has 33 lines of code (exceeds 25 allowed). Consider refactoring.
demos/open-shift-install/README.txt
Outdated
| Having github user | ||
| Maven - Apache Maven 3.6.3 | ||
| Java SDK / JRE - openjdk version "1.8.0_232" | ||
| MAC OS Catalina - Version 10.15.1 (19076) |
There was a problem hiding this comment.
Is this really a hard requirement? Can we reduce these requirements by moving the libraries into containers?
There was a problem hiding this comment.
we could eliminate these requirements if we would use docker - but then docker would become mandatory on inseparable element of this demo
|
@oburstein-hub, although I'd like to see us go a bit further, I think there is a ton of value in this PR. I'm comfortable getting this merged. If you do merge, please use a squash merge. The Git comments don't convey much in the way of a story. |
There was a problem hiding this comment.
@oburstein-hub I haven't finished the review yet, but I would love for you to take a look at what I commented so far. I hope I'll be able to finish it tomorrow.
| function install { | ||
|
|
||
| oc login $OPENSHIFT_URL | ||
| oc adm prune images |
There was a problem hiding this comment.
Isn't this command dangerous? Since you don't prune specific images, can't it accidentally delete images that are unrelated to this demo?
There was a problem hiding this comment.
oc adm prune images deletes only unreferenced images. It not it safe enough ?
There was a problem hiding this comment.
How do you know that your user wants to delete unreferenced images? And what benefit does the command give to your script?
| oc delete ClusterRoleBinding conjur-oss-conjur-authenticator | ||
| } &> /dev/null | ||
|
|
||
| ACTUAL_DATA_KEY=$( echo "${DATA_KEY/\//\\\/}" ) |
There was a problem hiding this comment.
Why do we need this variable? Couldn't we create the actual data key above, and set DATA_KEY with this value?
There was a problem hiding this comment.
this code does not appear any more - you looked on old version
| @@ -0,0 +1,15 @@ | |||
| authenticators: "authn-k8s/AUTHENTICATOR,authn" | |||
| dataKey: "DATA_KEY" | |||
There was a problem hiding this comment.
Since this is our standards in other repos, would you mind changing the syntax of placeholders to: {{ NAME }}
| @@ -0,0 +1,68 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
If you have commands that you don't mind failing, I think you should prevent an error message from appearing or add a message that explains that it's ok. Otherwise, the user won't have high confidence that the run was successful. With oc commands, you can add the flag --ignore-not-found to prevent these errors.
demos/java-api-client/build.sh
Outdated
|
|
||
| rm -rf target | ||
|
|
||
| echo "Cloning Conjur Java SDK repository from GIT" |
There was a problem hiding this comment.
| echo "Cloning Conjur Java SDK repository from GIT" | |
| echo "Cloning Conjur Java SDK repository from GitHub" |
demos/open-shift-install/README.txt
Outdated
| The purpose of this demo is to install Conjur on existing OpenShift environment and then run Java Client on top of it | ||
| The environent contains 4 pods each with up to 2 containers inside | ||
| Pod #1: Postgres | ||
| Pod #2: Conjur + Ngnx |
There was a problem hiding this comment.
| Pod #2: Conjur + Ngnx | |
| Pod #2: Conjur + Nginx |
demos/open-shift-install/README.txt
Outdated
| Pod #1: Postgres | ||
| Pod #2: Conjur + Ngnx | ||
| Pod #3: Conjur CLI | ||
| Pod #4: Authenticator + Java Client |
There was a problem hiding this comment.
| Pod #4: Authenticator + Java Client | |
| Pod #4: Conjur authenticator client + Java client |
demos/open-shift-install/README.txt
Outdated
| Prerequisites: | ||
| -------------- | ||
| Git - git version 2.24.1 | ||
| Having github user |
There was a problem hiding this comment.
| Having github user | |
| A GitHub user |
demos/open-shift-install/README.txt
Outdated
| Having github user | ||
| Maven - Apache Maven 3.6.3 | ||
| Java SDK / JRE - openjdk version "1.8.0_232" | ||
| MAC OS Catalina - Version 10.15.1 (19076) |
There was a problem hiding this comment.
Why do you need macOS Catalina? Will it not work with Linux or older macOS versions? Same with other prerequisites, we will provide less value if we will tell our users that they must have these exact versions.
There was a problem hiding this comment.
I wanted to mention on which system it was actually tried
Do you still want me to remove it ?
There was a problem hiding this comment.
I don't believe we need there's any reason to be so specific to the OSX version.
demos/open-shift-install/README.txt
Outdated
| OpenShift - oc v3.11.0+0cbc58b | ||
| kubernetes v1.11.0+d4cacc0 | ||
| features: Basic-Auth | ||
| OpenShift client installed on MAC |
There was a problem hiding this comment.
General comment:
What do you think about splitting the prerequisites between what you need to have locally (tools, OS version and so on) and the external prerequisites like the OpenShift environment, user and so on? I think it would be clearer
demos/open-shift-install/README.txt
Outdated
| Pod #3: Conjur CLI | ||
| Pod #4: Authenticator + Java Client | ||
|
|
||
| Prerequisites: |
There was a problem hiding this comment.
It would be really great to turn the README from plaintext to a markdown page. It will look much clearer.
There was a problem hiding this comment.
done - according to definitions of that I have found in google
oburstein-hub
force-pushed
the
OCP_installer_and_java_test
branch
2 times, most recently
from
79743b2 to
6759ff0
Compare
demos/java-api-client/README.txt
Outdated
| Instructions for building java client | ||
| ------------------------------------- | ||
|
|
||
| For compiling java test application please run: ./build.sh |
There was a problem hiding this comment.
Following my previous comment on a markdown format, see this for more information on how you format titles, code, bullets and so on: https://www.markdownguide.org/basic-syntax/
In addition, once you change the file type to md instead of txt, GitHub will show it in a readable format.
There was a problem hiding this comment.
I have used the same manual you sent - The Alternative Syntax part of it
README files changed from txt to md
demos/open-shift-install/cleanup.sh
Outdated
| #set -e | ||
|
|
||
| function validate_app { | ||
| APPNAME=$1 |
There was a problem hiding this comment.
Can you please replaces the indention to 2 spaces? That's how most of our scripts are written, I find it easier to read.
demos/open-shift-install/cleanup.sh
Outdated
|
|
||
| oc delete deployment --all | ||
| helm uninstall conjur-oss | ||
| oc delete project $1 |
There was a problem hiding this comment.
If you delete the project, it deletes all the resources inside it. So you don't need to delete the deployments above, since this line already does it for you.
| @@ -0,0 +1,204 @@ | |||
| #!/bin/bash | |||
|
|
|||
There was a problem hiding this comment.
Sorry for this small comment, but can you please rename the folder from open-shift to openshift? This is how it's written according to Red Hat.
There was a problem hiding this comment.
@oburstein-hub added some additional comments. Except these, I think the only thing left for me to review is the README file, which I will do once you turn it into markdown.
| oc get pods | ||
|
|
||
| if [ "$CONTAINERS_STATUS" != "2/2" ]; then | ||
| echo "Conjur POD did not come up properly - exiting" |
There was a problem hiding this comment.
| echo "Conjur POD did not come up properly - exiting" | |
| echo "Conjur pod did not start properly - exiting" |
| if [ "$CONTAINERS_STATUS" == "2/2" ]; then | ||
| break | ||
| fi | ||
| echo "Waiting for java client pod to be up..." |
There was a problem hiding this comment.
| echo "Waiting for java client pod to be up..." | |
| echo "Waiting for the Java client pod to start..." |
| name: conjur-access-token | ||
| - name: my-conjur-java-client | ||
| image: docker-registry.default.svc:5000/{{ PROJECT_NAME }}/conjur-java-client:latest | ||
| imagePullPolicy: Always |
There was a problem hiding this comment.
I recommend that this and the other one to be switched from Always to IfNotPresent
| - name: CONJUR_ACCOUNT | ||
| value: {{ ACCOUNT_NAME }} | ||
| - name: CONJUR_AUTHN_LOGIN | ||
| value: admin |
There was a problem hiding this comment.
Why is this using the admin user? Shouldn't this be using the host you created?
There was a problem hiding this comment.
CONJUR_AUTHN_LOGIN property is required for Conjur Java SDK. Its description is provided in SDK Readme:
CONJUR_AUTHN_LOGIN - user/host identity.
demos/java-api-client/pom.xml
Outdated
| <CONJUR_ACCOUNT>${env.CONJUR_ACCOUNT}</CONJUR_ACCOUNT> | ||
| <CONJUR_APPLIANCE_URL>${env.CONJUR_APPLIANCE_URL}</CONJUR_APPLIANCE_URL> | ||
| <CONJUR_AUTHN_LOGIN>${env.CONJUR_AUTHN_LOGIN}</CONJUR_AUTHN_LOGIN> | ||
| <CONJUR_AUTHN_API_KEY>${env.CONJUR_AUTHN_API_KEY}</CONJUR_AUTHN_API_KEY> |
There was a problem hiding this comment.
Why does the Java app need the admin API key? It is supposed to connect with the host and go through the Kubernetes authentication process, right?
|
|
||
| echo "Load conjur policy" | ||
|
|
||
| oc rsync policy "$CONJUR_CLI_POD":/ |
There was a problem hiding this comment.
Have you considered adding these into the container as a ConfigMap? This way, your app doesn't have to wait for the file to appear, it will be mounted from the beginning. See more details here: https://docs.openshift.com/container-platform/3.11/dev_guide/configmaps.html
There was a problem hiding this comment.
I don't wait to the policy files to appear anyway - they are copied before conjur init
| spec: | ||
| serviceAccountName: default | ||
| containers: | ||
| - image: cyberark/conjur-authn-k8s-client:latest |
There was a problem hiding this comment.
Please use this image instead: cyberark/conjur-kubernetes-authenticator
It should work the same. We had a duplication which we have just recently deprecated.
oburstein-hub
force-pushed
the
OCP_installer_and_java_test
branch
from
adedb3e to
ca0d27e
Compare
demos/java-api-client/build.sh
Outdated
| exit 1 | ||
| fi | ||
|
|
||
| BRANCH_NAME=$( git branch | grep "*" | awk '{print $2}' ) |
There was a problem hiding this comment.
alternatively, you could use git rev-parse --abbrev-ref HEAD, which provides the current branch (which should be master).
oburstein-hub
force-pushed
the
OCP_installer_and_java_test
branch
from
202e2f4 to
0d7e9f9
Compare
oburstein-hub
force-pushed
the
OCP_installer_and_java_test
branch
from
0d7e9f9 to
5c40b8d
Compare
|
Code Climate has analyzed commit 5c40b8d and detected 0 issues on this pull request. View more on Code Climate. |
Change pg version to 10.16
What does this PR do? Is there any background context you want to provide?
This PR provides Conjur Java SDK Client Sample application along with scripts for building a docker image for it and then installing the above on existing OpenShift System.
In addition this PR provides script which installs Conjur OSS and Conjur CLI with some basic configuration (running it is a precondition for a steps above).
The script installing Conjur OSS and CLI can be usefull for any basic automatic installation of Conjur on OpenShift
What ticket does this PR close?
Connects to [relevant GitHub issues, eg #76]
NA
Where should the reviewer start? How should this functionality be validated?
The reviewer should start at Java Client source code and pom.xml, then contirue to the build.sh and then to installer.sh and java-client-installer.sh
Screenshots (if appropriate)
Links to open issues for related documentation (in READMEs, docs, etc)
Connects to [relevant GitHub issues, eg cyberark/conjur-docs#76]
NA