From 86a91cd2836a177e8f6632ab8d88bcf45b17fd64 Mon Sep 17 00:00:00 2001
From: John ODonnell
Date: Wed, 10 Aug 2022 14:15:06 -0400
Subject: [PATCH] Update summon-sidecar E2E test to use namespace-label authn-k8s

---
 bin/test-workflow/0_prep_env.sh | 4 ++++
 bin/test-workflow/2_admin_load_conjur_policies.sh | 4 +++-
 bin/test-workflow/4_admin_cluster_prep.sh | 2 +-
 bin/test-workflow/5_app_namespace_prep.sh | 4 ++++
 .../policy/templates/app-identities-policy.template.yml | 4 +++-
 helm/conjur-config-cluster-prep/templates/clusterrole.yaml | 3 +++
 6 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/bin/test-workflow/0_prep_env.sh b/bin/test-workflow/0_prep_env.sh
index 522a68ec..2023f1f6 100755
--- a/bin/test-workflow/0_prep_env.sh
+++ b/bin/test-workflow/0_prep_env.sh
@@ -61,6 +61,10 @@ export INSTALL_APPS="${INSTALL_APPS:-summon-sidecar,secretless-broker,secrets-pr
 export SECRETS_PROVIDER_TAG="${SECRETS_PROVIDER_TAG:-edge}"
 export SECRETLESS_BROKER_TAG="${SECRETLESS_BROKER_TAG:-latest}"
 
+# Used to test namespace-label identity scope end-to-end against live K8s infra
+# See design document: https://github.com/cyberark/conjur/pull/2603
+export TEST_APP_NAMESPACE_LABEL="${TEST_APP_NAMESPACE_LABEL:-conjur.org/project=authn-k8s-e2e}"
+
 if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
 conjur_service="conjur-oss"
 if [[ "$PLATFORM" == "openshift" ]]; then
diff --git a/bin/test-workflow/2_admin_load_conjur_policies.sh b/bin/test-workflow/2_admin_load_conjur_policies.sh
index 0c81d165..8cd078d5 100755
--- a/bin/test-workflow/2_admin_load_conjur_policies.sh
+++ b/bin/test-workflow/2_admin_load_conjur_policies.sh
@@ -15,6 +15,7 @@ if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
 fi
 
 check_env_var TEST_APP_NAMESPACE_NAME
+check_env_var TEST_APP_NAMESPACE_LABEL
 check_env_var CONJUR_VERSION
 check_env_var CONJUR_ACCOUNT
 check_env_var CONJUR_APPLIANCE_URL
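Review bot: `TEST_APP_NAMESPACE_LABEL` is documented only by a link, yet its shape is constrained by how the other hunks consume it: 5_app_namespace_prep.sh hands it verbatim to `$cli label namespace`, which expects a `key=value` pair, while the policy template uses the same value as the host's namespace-label *selector*. A set-based or `!=` selector would pass `check_env_var` in the later hunks and still break the labelling step. State the contract next to the export: `# Must be a single key=value pair: it is applied with '<cli> label' and also used verbatim as the host's authn-k8s/namespace-label-selector`. The default `conjur.org/project=authn-k8s-e2e` satisfies this.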
@@ -94,7 +95,8 @@ pushd policy > /dev/null
 sed "s#{{ APP_VALIDATOR_NAMESPACE_NAME }}#$app_validator_namespace#g" |
 sed "s#{{ IS_OPENSHIFT }}#$is_openshift#g" |
 sed "s#{{ IS_KUBERNETES }}#$is_kubernetes#g" |
- sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/"$TEST_APP_NAMESPACE_NAME".app-identities-policy.yml
+ sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" |
+ sed "s#{{ TEST_APP_NAMESPACE_LABEL }}#$TEST_APP_NAMESPACE_LABEL#g" > ./generated/"$TEST_APP_NAMESPACE_NAME".app-identities-policy.yml
 
 sed "s#{{ AUTHENTICATOR_ID }}#$AUTHENTICATOR_ID#g" ./templates/app-identities-policy-jwt.template.yml |
 sed "s#{{ TEST_APP_NAMESPACE_NAME }}#$TEST_APP_NAMESPACE_NAME#g" > ./generated/"$TEST_APP_NAMESPACE_NAME".app-identities-policy-jwt.yml
diff --git a/bin/test-workflow/4_admin_cluster_prep.sh b/bin/test-workflow/4_admin_cluster_prep.sh
index 774ed430..a3d960f1 100755
--- a/bin/test-workflow/4_admin_cluster_prep.sh
+++ b/bin/test-workflow/4_admin_cluster_prep.sh
@@ -28,7 +28,7 @@ pushd ../../helm/conjur-config-cluster-prep > /dev/null
 if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
 conjur_url="$CONJUR_APPLIANCE_URL"
 get_cert_options="-v -i -s -u"
- additional_options=""
+ additional_options="--set authnK8s.serviceAccount.create=false --set authnK8s.serviceAccount.name=conjur-oss"
 else
 conjur_url="$CONJUR_FOLLOWER_URL"
 if [[ "$CONJUR_PLATFORM" == "gke" ]]; then
diff --git a/bin/test-workflow/5_app_namespace_prep.sh b/bin/test-workflow/5_app_namespace_prep.sh
index d2277864..74975c66 100755
--- a/bin/test-workflow/5_app_namespace_prep.sh
+++ b/bin/test-workflow/5_app_namespace_prep.sh
@@ -6,6 +6,7 @@ cd "$(dirname "$0")" || ( echo "cannot cd into dir" && exit 1 )
 source utils.sh
 
 check_env_var TEST_APP_NAMESPACE_NAME
+check_env_var TEST_APP_NAMESPACE_LABEL
 check_env_var CONJUR_NAMESPACE_NAME
 
 TIMEOUT="${TIMEOUT:-5m0s}"
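Review bot: The added `sed "s#{{ TEST_APP_NAMESPACE_LABEL }}#$TEST_APP_NAMESPACE_LABEL#g"` splices an operator-supplied value into a sed replacement, so a value containing `#`, `&` or `\` silently corrupts the generated policy instead of failing; the older lines share the pattern, but this variable is new and free-form. Since the value must be a plain `key=value` label anyway for the `label namespace` step in 5_app_namespace_prep.sh, validate its shape right after the `check_env_var TEST_APP_NAMESPACE_LABEL` added in the earlier hunk of this file, e.g. `[[ "$TEST_APP_NAMESPACE_LABEL" =~ ^[A-Za-z0-9./_-]+=[A-Za-z0-9._-]*$ ]] || { echo "TEST_APP_NAMESPACE_LABEL must be key=value" >&2; exit 1; }` (a constructed approximation of the Kubernetes label grammar). The pipeline this hunk extends begins before the hunk, inside the `pushd policy` block.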
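Review bot: `additional_options` now hard-codes the service account name `conjur-oss`, which presumably must match the account the Conjur OSS pod runs as for the chart's cluster-role binding (including the new `namespaces` `get` rule) to take effect; if the release uses a different name the binding targets a non-existent account and namespace-label authentication fails later at runtime rather than here. 0_prep_env.sh sets `conjur_service="conjur-oss"` in the same OSS branch, so if that name is in scope here (not visible in the hunk) prefer `--set authnK8s.serviceAccount.name=$conjur_service` over a second literal. The two `--set` flags are also stored in a string that is presumably word-split when used; an array such as `additional_options=(--set authnK8s.serviceAccount.create=false --set authnK8s.serviceAccount.name=conjur-oss)` would be the robust form, though it differs from the existing style. The enclosing `if` block ends outside the hunk.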
@@ -31,4 +32,7 @@ pushd ../../helm/conjur-config-namespace-prep > /dev/null
 --set authnK8s.namespace="$CONJUR_NAMESPACE_NAME" \
 --set conjurConfigMap.authnMethod=$AUTHN_STRATEGY
 
+ # Used to test namespace-label identity scope end-to-end against live K8s infra
+ # See design document: https://github.com/cyberark/conjur/pull/2603
+ $cli label namespace "$TEST_APP_NAMESPACE_NAME" "$TEST_APP_NAMESPACE_LABEL"
 popd > /dev/null
diff --git a/bin/test-workflow/policy/templates/app-identities-policy.template.yml b/bin/test-workflow/policy/templates/app-identities-policy.template.yml
index da0f697a..a77b3702 100644
--- a/bin/test-workflow/policy/templates/app-identities-policy.template.yml
+++ b/bin/test-workflow/policy/templates/app-identities-policy.template.yml
@@ -40,7 +40,9 @@
 - !host
 id: test-app-summon-sidecar
 annotations:
- authn-k8s/namespace: {{ TEST_APP_NAMESPACE_NAME }}
+ # Used to test namespace-label identity scope end-to-end against live K8s infra
+ # See design document: https://github.com/cyberark/conjur/pull/2603
+ authn-k8s/namespace-label-selector: {{ TEST_APP_NAMESPACE_LABEL }}
 authn-k8s/service-account: test-app-summon-sidecar
 authn-k8s/deployment: test-app-summon-sidecar
 authn-k8s/authentication-container-name: authenticator
diff --git a/helm/conjur-config-cluster-prep/templates/clusterrole.yaml b/helm/conjur-config-cluster-prep/templates/clusterrole.yaml
index 61b51d0b..bc4f69f3 100644
--- a/helm/conjur-config-cluster-prep/templates/clusterrole.yaml
+++ b/helm/conjur-config-cluster-prep/templates/clusterrole.yaml
@@ -19,6 +19,9 @@ rules:
 - apiGroups: [""] # "" indicates the core API group
 resources: ["pods", "serviceaccounts"]
 verbs: ["get", "list"]
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get"]
 - apiGroups: ["extensions"]
 resources: [ "deployments", "replicasets"]
 verbs: ["get", "list"]
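Review bot: The new `$cli label namespace "$TEST_APP_NAMESPACE_NAME" "$TEST_APP_NAMESPACE_LABEL"` is not idempotent: `kubectl label` refuses to change a label key that already exists with a different value unless `--overwrite` is given, so re-running the workflow against a namespace that still carries an older value fails at this line, and if the script does not run under `set -e` (its options are outside the hunk) it continues with the wrong label applied. Make re-runs deterministic with `$cli label --overwrite namespace "$TEST_APP_NAMESPACE_NAME" "$TEST_APP_NAMESPACE_LABEL"`. `$cli` is unquoted and defined outside the hunk, presumably by utils.sh as `kubectl` or `oc`; that matches how the rest of the file appears to use it.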
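Review bot: Replacing `authn-k8s/namespace` with `authn-k8s/namespace-label-selector` changes the trust boundary of the `test-app-summon-sidecar` host, and the two comment lines only say it is for testing: the namespaces that can satisfy this identity are now whichever carry the label, so the cluster RBAC governing who may set namespace labels becomes part of the scope (the `service-account` and `deployment` annotations still narrow it). Record that in the template so the test fixture is not copied as a production example, e.g. `# Any namespace carrying this label satisfies the scope; who can label namespaces is part of the trust boundary`. The placeholder is also an unquoted YAML scalar: a selector written in the negated-key form (`!key`) would be parsed as a YAML tag, so `authn-k8s/namespace-label-selector: "{{ TEST_APP_NAMESPACE_LABEL }}"` is safer and leaves the sed substitution in 2_admin_load_conjur_policies.sh unaffected.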
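Review bot: The new `namespaces` / `get` rule carries no comment explaining why the authenticator's cluster role now reads namespace objects, while the neighbouring rule documents even the empty apiGroup. `get` without `list` is the right minimum for fetching a named namespace's labels, so the grant itself looks least-privilege; add `# Needed to read a namespace's labels for authn-k8s/namespace-label-selector` above the rule so a later edit neither widens it to `list`/`watch` nor drops it. Because this is a ClusterRole the rule applies to every namespace in the cluster, which is presumably required since the target namespace is not known until the selector is evaluated.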