Conjur outside K8s: load K8s access values into policy

cyberark · Aug 4, 2021 · bd17032 · bd17032
1 parent dd41674
commit bd17032
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 6 deletions.
diff --git a/bin/test-workflow/Dockerfile b/bin/test-workflow/Dockerfile
@@ -5,7 +5,7 @@ WORKDIR /src
 
 # Install Docker client
 RUN apt-get update -y && \
-    apt-get install -y apt-transport-https ca-certificates curl gnupg2 software-properties-common wget && \
+    apt-get install -y apt-transport-https ca-certificates curl gnupg2 software-properties-common wget jq && \
     curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | apt-key add - && \
     add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") $(lsb_release -cs) stable" && \
     apt-get update && \

diff --git a/bin/test-workflow/conjur_outside_k8s_vars.sh b/bin/test-workflow/conjur_outside_k8s_vars.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+# When running Conjur outside of a Kubernetes cluster where
+# an application is deployed, it requires extra variables to
+# connect to the cluster. These are defined in the
+# conjur/authn-k8s/<authenticator-id>/kubernetes policy branch.
+
+# This script uses the container with K8s platform tools to
+# write these values to files, and uses Conjur CLI to load the
+# values into Conjur.
+
+source ./utils.sh
+
+announce "Loading policy values for Conjur-outside-K8s connection."
+
+run_command_with_platform "$cli config view --minify -o json | jq -r '.clusters[0].cluster.server' > kubernetes/api-url"
+run_command_with_platform "$cli get secrets -n \"\$TEST_APP_NAMESPACE_NAME\" | grep 'conjur.*service-account-token' | head -n1 | awk '{print \$1}' > kubernetes/token-name"
+run_command_with_platform "$cli get secret -n \"\$TEST_APP_NAMESPACE_NAME\" $(cat kubernetes/token-name) -o json | jq -r .data.token | base64 --decode > kubernetes/service-account-token"
+
+host="$(cat kubernetes/api-url | sed 's/https:\/\///')"
+echo -n \
+  | openssl s_client -connect "$host:443" -servername "$host" -showcerts 2>/dev/null \
+  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > kubernetes/api-ca.pem
+run_command_with_platform "$cli get secret -n \"\$TEST_APP_NAMESPACE_NAME\" $(cat kubernetes/token-name) -o json | jq -r '.data[\"ca.crt\"]' | base64 --decode >> kubernetes/api-ca.pem"
+
+# conjur variable values add conjur/authn-k8s/<authenticator>/kubernetes/<var> "<value>"
+docker-compose -f "temp/conjur-intro-$UNIQUE_TEST_ID/docker-compose.yml" \
+  run --rm \
+  -v "${PWD}/kubernetes":/k8s-resources \
+  -w /src/cli \
+  --entrypoint /bin/bash \
+  client -c "
+    yes yes | conjur init -u $CONJUR_APPLIANCE_URL -a $CONJUR_ACCOUNT
+    conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD
+    conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/kubernetes/ca-cert < /k8s-resources/api-ca.pem
+    conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/kubernetes/service-account-token < /k8s-resources/service-account-token
+    conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/kubernetes/api-url \"\$(cat /k8s-resources/api-url | tr -d '\n')\"
+  "
+
+pushd kubernetes > /dev/null
+  rm -f api-url token-name service-account-token api-ca.pem
+popd > /dev/null
diff --git a/bin/test-workflow/policy/templates/cluster-authn-svc-def.template.yml b/bin/test-workflow/policy/templates/cluster-authn-svc-def.template.yml
@@ -38,6 +38,22 @@
       annotations:
         description: CA key for Kubernetes Pods.
 
+  - !policy
+    id: kubernetes
+    body:
+    - !variable
+      id: service-account-token
+      annotations:
+        description: Kubernetes Service Account token
+    - !variable
+      id: ca-cert
+      annotations:
+        description: Kubernetes API Server CA certificate
+    - !variable
+      id: api-url
+      annotations:
+        description: Kubernetes API Server URL
+
   # define layer of whitelisted authn ids permitted to call authn service
   - !layer users
 

diff --git a/bin/test-workflow/start b/bin/test-workflow/start
@@ -93,24 +93,26 @@ source ./0_prep_env.sh
 
 conjur_prep="
 ./2_admin_load_conjur_policies.sh &&
-./3_admin_init_conjur_cert_authority.sh
-"
+./3_admin_init_conjur_cert_authority.sh"
+cluster_prep="./4_admin_cluster_prep.sh"
 test_app_workflow="
-./4_admin_cluster_prep.sh &&
 ./5_app_namespace_prep.sh &&
 ./6_app_build_and_push_containers.sh &&
 ./7_app_deploy_backend.sh &&
 ./8_app_deploy.sh &&
-./9_app_verify_authentication.sh
-"
+./9_app_verify_authentication.sh"
 
 if [[ "$CONJUR_OSS_HELM_INSTALLED" == "true" ]]; then
   eval "$conjur_prep"
+  eval "$cluster_prep"
   eval "$test_app_workflow"
 elif [[ "$CONJUR_PLATFORM" == "gke" ]]; then
   run_command_with_platform "$conjur_prep"
+  run_command_with_platform "$cluster_prep"
   run_command_with_platform "$test_app_workflow"
 elif [[ "$CONJUR_PLATFORM" == "jenkins" && "$APP_PLATFORM" == "gke" ]]; then
   eval "$conjur_prep"
+  run_command_with_platform "$cluster_prep"
+  ./conjur_outside_k8s_vars.sh
   run_command_with_platform "$test_app_workflow"
 fi