
Spike: There is a plan for the end-to-end test framework for testing simplified Kubernetes Conjur configuration management #2063

Closed
izgeri opened this issue Mar 8, 2021 · 1 comment

Comments

@izgeri
Contributor

izgeri commented Mar 8, 2021

There is an initial draft in #2062.

The goal of this spike is to complete the draft in #2062 that describes the test plan we'll use for the improved Conjur configuration management project. The outcome of the spike is a thorough draft described in #2062 and broken out into small (1-3 day) issues.

Once written, the test plan will be reviewed by the quality architect.

izgeri changed the title from "Spike: There is a test plan for the planned updates to simplify Kubernetes Conjur configuration management" to "Spike: There is a plan for the end-to-end test framework for testing simplify Kubernetes Conjur configuration management" on Mar 16, 2021

izgeri changed the title from "Spike: There is a plan for the end-to-end test framework for testing simplify Kubernetes Conjur configuration management" to "Spike: There is a plan for the end-to-end test framework for testing simplified Kubernetes Conjur configuration management" on Mar 16, 2021

@diverdane
Contributor

diverdane commented Mar 16, 2021

Prerequisites / Assumptions / Separate Work

Required Helm charts

The E2E scripts that are being developed as described in Issue #2062 depend upon the
availability of three Helm charts that are being developed in separate issues:

Conjur deployments are assumed available

For the E2E workflow described below, it's assumed that a Conjur instance has been deployed and is available
at the time that the E2E workflow scripts / Helm deployments are invoked. The "front end" work of deploying
Conjur instances will be developed in these CI-centric issues:

Required Workflow

The test setup should support the following workflow:

  • Kubernetes cluster prep using new Cluster Prep helm chart
  • Deployment of a Conjur CLI pod if one is not present
  • Loading of authenticator Conjur policy using Conjur CLI pod
  • Application namespace prep using new Application Namespace prep Helm chart
  • Loading of application Conjur policy using Conjur CLI pod
  • Deployment of a Pod that contains one of the following authenticator containers and an application (e.g. debian or Pet Store)
    • Secrets Provider init container
    • Secrets Provider standalone app container
    • Secretless Broker
    • authn-k8s sidecar
  • Validation that the application can access Conjur secrets

Issues Which will Accomplish the Creation of an E2E framework

=========================================================

  • There are reusable scripts for development environments and automated testing conjur-authn-k8s-client#239:
    There are reusable scripts for development environments and automated testing

    NOTE: These scripts skip the addition of support for Secrets Provider init/app containers.
    This support will be added incrementally and separately (see Issue #xxxxxx)

    This issue involves basically making a copy or fork of conjurdemos/kubernetes-conjur-demo
    scripts and modifying these scripts to use Helm chart installs (for cluster prep, Namespace
    prep, and application deploy), rather than using bash/sed/kubectl to do deployments.

    The scripts for Issue conjur-authn-k8s-client#239 can be developed as follows:

    • Start with a clone/fork of the conjurdemos/kubernetes-conjur-demo script repository
    • Modify the set_env_vars.sh script to define & set environment variables that will be used
      as --set <key>=<value> command line settings for all chart values in each Helm chart
      (cluster prep, Namespace prep, and application deploy). (See the values.yaml files in
      each Helm chart to see what values are needed).
    • Delete the 0_prep_check_dependencies.sh file, and remove its invocation from the start
      script. The Helm charts should now provide the required checking for required settings.
    • Modify the 4_app_create_namespace.sh to:
      • Eliminate the creation of the RoleBinding
      • Add invocation of helm install ... for cluster prep helm chart (could be a separate bash script)
      • Add invocation of helm install ... for Namespace prep helm chart (could be a separate bash script)
    • Delete the 5_app_store_conjur_cert.sh script and remove its invocation from start
    • Modify the 7_app_deploy.sh to use new sample Application deploy Helm chart

=========================================================

  • Deployment scripts include support for Secrets Provider init and standalone app containers conjur-authn-k8s-client#247:
    Add support for Secrets Provider init/app container to reusable scripts
    • Modify the policy templates in the policy subdirectory to include application policies for
      Secrets Provider init container and Secrets Provider standalone "app" container.
    • Modify the 7_app_deploy.sh to include Helm install of applications that use
      Secrets Provider init container and Secrets Provider standalone "app" container.
    • Modify 8_app_verify_authentication to add verification that applications using
      Secrets Provider can access Conjur secrets.

=========================================================

  • Conjur OSS install on OpenShift conjur-authn-k8s-client#248:
    Deployment scripts include support for OpenShift
    • In the policy subdirectory, add Conjur policy host definitions for sample applications that will
      be run on OpenShift.
    • Using the conjurdemos/kubernetes-conjur-demo scripts as a reference, make sure that the
      calls to the oc CLI that appear in the kubernetes-conjur-demo scripts are also
      included in the scripts created by Issue Update Installation docs #239:
    • Modify the 7_app_deploy.sh to include deployment of applications using the Secrets Provider
      init and app container authenticators (i.e. by passing the necessary chart values to the
      application deployment Helm chart).

=========================================================
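
The `set_env_vars.sh` step in the comment above maps environment variables to `--set <key>=<value>` Helm settings. The following is an added example, not part of the issue or the project's scripts, of one way to build those arguments and stop before `helm install` runs when a value is missing. The chart keys and variable names are hypothetical.

```shell
#!/bin/sh
# Added example. Chart keys (conjur.account, authnK8s.namespace) and the
# environment variable names are hypothetical; take the real ones from each
# chart's values.yaml.

# helm_set_args "chart.key=ENV_VAR" ...
# Prints "--set" and "key=value" on separate lines for every pair.
# Returns 1 if a variable is unset or empty, 2 if a pair is malformed.
helm_set_args() {
    for _pair in "$@"; do
        case $_pair in
            *=*) ;;
            *) echo "expected chart.key=ENV_VAR, got: $_pair" >&2; return 2 ;;
        esac
        _key=${_pair%%=*}
        _var=${_pair#*=}
        # Accept only plain variable names before using eval for indirection,
        # so a crafted pair cannot smuggle shell syntax into the script.
        case $_var in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "bad variable name: $_var" >&2; return 2 ;;
        esac
        eval "_val=\${$_var-}"
        if [ -z "$_val" ]; then
            echo "missing required setting: $_var (chart value $_key)" >&2
            return 1
        fi
        # Helm's --set parser splits on commas; escape them in the value.
        _val=$(printf '%s' "$_val" | sed 's/,/\\,/g')
        printf '%s\n%s\n' "--set" "$_key=$_val"
    done
}

# Constructed sample values, as set_env_vars.sh might export them.
demo_args() {
    CONJUR_ACCOUNT=myConjurAccount
    APP_NAMESPACE=test-app
    helm_set_args "conjur.account=CONJUR_ACCOUNT" \
                  "authnK8s.namespace=APP_NAMESPACE"
}

# Usage in a deploy script (not run here; <release> and <chart> are placeholders):
#   args=$(helm_set_args "conjur.account=CONJUR_ACCOUNT") || exit 1
#   old_ifs=$IFS; IFS='
#   '; set -- $args; IFS=$old_ifs
#   helm install <release> <chart> "$@"
```

Values containing newlines are not supported by the one-argument-per-line output.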
