Remove support for Conjur v4; Use CLI v8

cyberark · Mar 17, 2023 · 43254d2 · 43254d2
1 parent 4f56cfb
commit 43254d2
Show file tree

Hide file tree

Showing 20 changed files with 92 additions and 199 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,13 +6,15 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
-## [0.24.2] - 2023-03-09
+## [0.25.0] - 2023-03-15
+
+### Removed
+- Removed support for Conjur v4 and the `CONJUR_VERSION` env variable
+  [cyberark/conjur-authn-k8s-client#505](https://github.com/cyberark/conjur-authn-k8s-client/pull/505)
+
 ### Changed
 - Upgrade base image in Dockerfiles to 1.19 and necessary dependencies
   [cyberark/conjur-authn-k8s-client#502ß](https://github.com/cyberark/conjur-authn-k8s-client/pull/502)
-
-## [0.24.1] - 2023-01-27
-### Changed
 - Add a wait for the master before provisioning the follower in the CI tests.
   [cyberark/conjur-authn-k8s-client#499](https://github.com/cyberark/conjur-authn-k8s-client/pull/499)
 

diff --git a/Dockerfile b/Dockerfile
@@ -148,6 +148,12 @@ RUN git clone https://github.com/ztombol/bats-support /bats/bats-support && \
 RUN wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && \
     chmod +x /usr/bin/yq
 
+# Temporarily update go.mod due to CVE-2022-41723
+# This script will fail when the version of golang.org/x/net changes and this section
+# will need to be updated or removed.
+RUN grep v0.4.1-0.20230214201333-88ed8ca3307d /usr/local/go/src/go.mod
+RUN sed -i "s|v0.4.1-0.20230214201333-88ed8ca3307d|v0.7.0|g" /usr/local/go/src/go.mod
+
 RUN mkdir -p /tests
 WORKDIR /tests
 

diff --git a/README.md b/README.md
@@ -33,7 +33,6 @@ questions, please contact us on [Discourse](https://discuss.cyberarkcommons.org/
 - `CONTAINER_MODE`: Set this to `init` to run as an init container that will exit after performing authentication. All other values (including blank) will cause the container to run as a sidecar.
 
 ## Conjur
-- `CONJUR_VERSION`: Conjur version ('4' or '5', defaults to '5'). Must use a string value in the manifest due to YAML parsing not handling integer values well.
 - `CONJUR_ACCOUNT`: Conjur account name
 - `CONJUR_AUTHN_URL`: URL pointing to authenticator service endpoint
 - `CONJUR_AUTHN_LOGIN`: Host login for pod e.g. `namespace/service_account/some_service_account`

diff --git a/bin/test-workflow/0_prep_env.sh b/bin/test-workflow/0_prep_env.sh
@@ -53,7 +53,6 @@ export CONJUR_ACCOUNT="${CONJUR_ACCOUNT:-myConjurAccount}"
 export AUTHENTICATOR_ID="${AUTHENTICATOR_ID:-my-authenticator-id}"
 export CONJUR_AUTHN_LOGIN_RESOURCE="${CONJUR_AUTHN_LOGIN_RESOURCE:-service_account}"
 export CONJUR_AUTHN_LOGIN_PREFIX="${CONJUR_AUTHN_LOGIN_PREFIX:-host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps}"
-export CONJUR_VERSION="${CONJUR_VERSION:-5}"
 export TEST_APP_DATABASE="${TEST_APP_DATABASE:-postgres}"
 export TEST_APP_REPO="${TEST_APP_REPO:-cyberark/demo-app}"
 export TEST_APP_TAG="${TEST_APP_TAG:-latest}"

diff --git a/bin/test-workflow/1_deploy_conjur.sh b/bin/test-workflow/1_deploy_conjur.sh
@@ -33,8 +33,8 @@ function setup_conjur_enterprise {
     check_env_var HOST_IP
 
     pushd temp > /dev/null
-      # TODO - once these changes are merged, this branch has to be updated to main
-      git clone --single-branch --branch custom-port-follower [email protected]:conjurdemos/conjur-intro.git "conjur-intro-$UNIQUE_TEST_ID"
+      # TODO - once https://github.com/conjurdemos/conjur-intro/pull/113 is merged, this branch has to be updated to 'main'
+      git clone --single-branch --branch cli8 [email protected]:conjurdemos/conjur-intro.git "conjur-intro-$UNIQUE_TEST_ID"
       git clone --single-branch --branch main https://github.com/cyberark/sidecar-injector.git "sidecar-injector-$UNIQUE_TEST_ID"
 
       pushd "conjur-intro-$UNIQUE_TEST_ID" > /dev/null

diff --git a/bin/test-workflow/2_admin_load_conjur_policies.sh b/bin/test-workflow/2_admin_load_conjur_policies.sh
@@ -16,7 +16,6 @@ fi
 
 check_env_var TEST_APP_NAMESPACE_NAME
 check_env_var TEST_APP_NAMESPACE_LABEL
-check_env_var CONJUR_VERSION
 check_env_var CONJUR_ACCOUNT
 check_env_var CONJUR_APPLIANCE_URL
 check_env_var CONJUR_ADMIN_PASSWORD
@@ -31,10 +30,10 @@ announce "Generating Conjur policy."
 prepare_conjur_cli_image() {
   announce "Pulling and pushing Conjur CLI image."
 
-  docker pull cyberark/conjur-cli:"$CONJUR_VERSION"-latest
+  docker pull cyberark/conjur-cli:8
 
   cli_app_image="$(platform_image_for_push conjur-cli $CONJUR_NAMESPACE_NAME)"
-  docker tag cyberark/conjur-cli:"$CONJUR_VERSION"-latest "$cli_app_image"
+  docker tag cyberark/conjur-cli:8 "$cli_app_image"
 
   docker push "$cli_app_image"
 }
@@ -59,9 +58,9 @@ deploy_conjur_cli() {
 ensure_conjur_cli_initialized() {
   announce "Ensure that Conjur CLI pod has a connection with Conjur initialized."
 
-  "$cli" exec "$1" -- bash -c "yes yes | conjur init -a '$CONJUR_ACCOUNT' -u '$CONJUR_APPLIANCE_URL'"
+  "$cli" exec "$1" -- sh -c "echo y | conjur init -a '$CONJUR_ACCOUNT' -u '$CONJUR_APPLIANCE_URL' --self-signed --force"
   # Flaky with 500 Internal Server Error, mitigate with retry
-  wait_for_it 300 "$cli exec $1 -- conjur authn login -u admin -p '$CONJUR_ADMIN_PASSWORD'"
+  wait_for_it 300 "$cli exec $1 -- conjur login -i admin -p '$CONJUR_ADMIN_PASSWORD'"
 }
 
 pushd policy > /dev/null
@@ -112,7 +111,7 @@ if [[ "$CONJUR_PLATFORM" == "jenkins" ]]; then
     run --rm \
     -v "${PWD}/policy":/policy \
     -w /src/cli \
-    --entrypoint /bin/bash \
+    --entrypoint /bin/sh \
     client -c "
       conjur_appliance_url='${CONJUR_APPLIANCE_URL}' \
       CONJUR_ACCOUNT='${CONJUR_ACCOUNT}' \
@@ -151,7 +150,7 @@ else
   announce "JWKS URI of this cluster is $JWKS_URI and Issuer is $ISSUER"
 
   wait_for_it 300 "$cli exec $conjur_cli_pod -- \
-    bash -c \"
+    sh -c \"
       conjur_appliance_url='${CONJUR_APPLIANCE_URL}' \
       CONJUR_ACCOUNT='${CONJUR_ACCOUNT}' \
       CONJUR_ADMIN_PASSWORD='${CONJUR_ADMIN_PASSWORD}' \

diff --git a/bin/test-workflow/7_app_deploy.sh b/bin/test-workflow/7_app_deploy.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -euo pipefail
+set -euox pipefail
 cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 )
 
 TIMEOUT="${TIMEOUT:-5m0s}"
@@ -13,7 +13,7 @@ check_env_var SECRETS_PROVIDER_TAG
 check_env_var SECRETLESS_BROKER_TAG
 
 # Upon error, dump kubernetes resources in the application Namespace
-# trap dump_application_namespace_upon_error EXIT
+trap dump_application_namespace_upon_error EXIT
 
 set_namespace "$TEST_APP_NAMESPACE_NAME"
 

diff --git a/bin/test-workflow/8_app_verify_authentication.sh b/bin/test-workflow/8_app_verify_authentication.sh
@@ -227,9 +227,9 @@ if [[ " ${install_apps[*]} " =~ " secrets-provider-rotation " ]]; then
   # Test secrets rotation
   echo "Testing secrets provider with rotation"
   # Change secret values in conjur
-  "$cli" exec "$(get_conjur_cli_pod_name)" -n "$CONJUR_NAMESPACE_NAME" -- bash -c "\
-    conjur authn login -u admin -p $(get_admin_password) && \
-    conjur variable values add 'test-secrets-provider-rotation-app-db/counter' '1'" > /dev/null
+  "$cli" exec "$(get_conjur_cli_pod_name)" -n "$CONJUR_NAMESPACE_NAME" -- sh -c "\
+    conjur login -i admin -p $(get_admin_password) && \
+    conjur variable set -i 'test-secrets-provider-rotation-app-db/counter' -v '1'" > /dev/null
   # Check if SP picks up the new values
   sleep 10
   pod_name=$(get_pod_name test-app-secrets-provider-rotation)

diff --git a/bin/test-workflow/conjur_outside_k8s_vars.sh b/bin/test-workflow/conjur_outside_k8s_vars.sh
@@ -23,18 +23,18 @@ echo -n \
   | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > kubernetes/api-ca.pem
 run_command_with_platform "$cli get secret -n \"\$CONJUR_NAMESPACE_NAME\" $(cat kubernetes/token-name) -o json | jq -r '.data[\"ca.crt\"]' | base64 --decode >> kubernetes/api-ca.pem"
 
-# conjur variable values add conjur/authn-k8s/<authenticator>/kubernetes/<var> "<value>"
+# conjur variable set -i conjur/authn-k8s/<authenticator>/kubernetes/<var> -v "<value>"
 docker-compose -f "temp/conjur-intro-$UNIQUE_TEST_ID/docker-compose.yml" \
   run --rm \
   -v "${PWD}/kubernetes":/k8s-resources \
   -w /src/cli \
-  --entrypoint /bin/bash \
+  --entrypoint /bin/sh \
   client -c "
-    yes yes | conjur init -u $CONJUR_APPLIANCE_URL -a $CONJUR_ACCOUNT
-    conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD
-    conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/kubernetes/ca-cert < /k8s-resources/api-ca.pem
-    conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/kubernetes/service-account-token < /k8s-resources/service-account-token
-    conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/kubernetes/api-url \"\$(cat /k8s-resources/api-url | tr -d '\n')\"
+    echo y | conjur init -u $CONJUR_APPLIANCE_URL -a $CONJUR_ACCOUNT --self-signed --force
+    conjur login -i admin -p $CONJUR_ADMIN_PASSWORD
+    conjur variable set -i conjur/authn-k8s/$AUTHENTICATOR_ID/kubernetes/ca-cert -v \"\$(cat /k8s-resources/api-ca.pem)\"
+    conjur variable set -i conjur/authn-k8s/$AUTHENTICATOR_ID/kubernetes/service-account-token -v \"\$(cat /k8s-resources/service-account-token)\"
+    conjur variable set -i conjur/authn-k8s/$AUTHENTICATOR_ID/kubernetes/api-url -v \"\$(cat /k8s-resources/api-url | tr -d '\n')\"
   "
 
 pushd kubernetes > /dev/null