
Deployment scripts include support for Secrets Provider init and standalone app containers #247

Closed
diverdane opened this issue Mar 17, 2021 · 1 comment

Comments

@diverdane
Contributor

diverdane commented Mar 17, 2021

Is your feature request related to a problem? Please describe.

For purposes of splitting out tasks into more manageable development chunks, the demo deployment scripts that are implemented in Issue #239 do not include support for Secrets Provider init and application containers.
This issue incrementally adds support for the Secrets Provider init container into those scripts.

Out of Scope

Describe the solution you would like

- Copy the summon-sidecar application deployment Helm subchart as a starting point for a new Secrets Provider init container application Helm chart.

- Modify the Pet-Store application manifest to mount a database username/password via a Kubernetes Secrets volume mount.

- Port the Secrets Provider Helm chart deployment manifest as an init container for the Pet Store app manifest in the new Helm subchart.

- Modify the Secrets Provider init container manifest that was created in the previous step as follows:

  - Replace references to the following environment variables with an envFrom reference to a Conjur Connect ConfigMap:
    - CONJUR_APPLIANCE_URL
    - CONJUR_AUTHN_URL
    - CONJUR_ACCOUNT
    - CONJUR_SSL_CERTIFICATE
  - Replace the CONJUR_AUTHN_LOGIN setting with either:
    - Reference to a Conjur authentication ConfigMap... OR...
    - Annotation for the authn login URL, using a Chart value for the annotation value
  - Add chart values for the following settings:
    - SECRETS_DESTINATION
    - CONTAINER_MODE
    - K8S_SECRETS
    - RETRY_INTERVAL_SEC
    - RETRY_COUNT_LIMIT
    - DEBUG

- Create a manifest for secrets that the Secrets Provider will mutate

- Modify the scripts that were created for Issue #239 ("There are reusable scripts for development environments and automated testing") for the new Secrets Provider init container support as follows:

  - Modify the 0_prep_check_dependencies.sh file to require the existence of environment variable settings that correspond to required Secrets Provider authenticator settings in the application deployment Helm chart.
  - In the policy subdirectory, add Conjur policy host definitions for sample applications that use the Secrets Provider init or app containers.
  - Modify the 7_app_deploy.sh to include deployment of applications using the Secrets Provider init container authenticator (i.e. by passing the necessary chart values to the application deployment Helm chart.)
  - Add any other chart values as needed to sync up the Secrets Provider subchart with other application deployment subcharts.

Describe alternatives you have considered

Additional context

DoD

- [ ] Summon-Sidecar application deployment subchart copied as a starting point for a Secrets Provider init container deployment Helm subchart (#299)
- [ ] Pet Store application modified to mount Kubernetes secrets for database username and password
- [ ] Secrets Provider Helm chart is ported as an application deployment subchart
- [ ] Modify the Secrets Provider init container manifest that was created in the previous step as follows:
  - [ ] Replace references to the following environment variables with an "envFrom" reference to a Conjur Connect ConfigMap:
    - CONJUR_APPLIANCE_URL
    - CONJUR_AUTHN_URL
    - CONJUR_ACCOUNT
    - CONJUR_SSL_CERTIFICATE
  - [ ] Replace the "CONJUR_AUTHN_LOGIN" setting with either:
    - Reference to a Conjur authentication ConfigMap... OR...
    - Annotation for the authn login URL, using a Chart value for the annotation value
  - [ ] Add chart values for the following settings:
    - SECRETS_DESTINATION
    - CONTAINER_MODE
    - K8S_SECRETS
    - RETRY_INTERVAL_SEC
    - RETRY_COUNT_LIMIT
    - DEBUG
- [ ] Create a manifest for Kubernetes Secrets that the Secrets Provider will mutate
- [ ] Modify the scripts that were created for Issue #239 for the new Secrets Provider init container support as follows:
  - [ ] Modify the 0_prep_check_dependencies.sh file to require the existence of environment variable settings that correspond to required Secrets Provider authenticator settings in the application deployment Helm chart.
  - [ ] In the policy subdirectory, add Conjur policy host definitions for sample applications that use the Secrets Provider init or app containers.
  - [ ] Modify the 7_app_deploy.sh to include deployment of applications using the Secrets Provider init container authenticator (i.e. by passing the necessary chart values to the application deployment Helm chart.)
  - [ ] Add any other chart values as needed to sync up the Secrets Provider subchart with other application deployment subcharts.
- [ ] Scripts are tested in a Kubernetes cluster, Secrets Provider mutates Kubernetes Secrets
- [ ] Pet Store application can use mutated Kubernetes Secrets
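The manifest changes the issue asks for (envFrom against a Conjur Connect ConfigMap, an annotation-driven authn login, chart values for the six Secrets Provider settings, and a Kubernetes Secret the init container mutates) as one Helm template fragment. This is an added illustration, not code from the issue or from the project's charts. Assumed names: the ConfigMap `conjur-connect` (holding CONJUR_APPLIANCE_URL, CONJUR_AUTHN_URL, CONJUR_ACCOUNT and CONJUR_SSL_CERTIFICATE), the Secret `db-credentials`, the `conjur-map` key and `conjur.org/authn-identity` annotation that Secrets Provider reads, the `MY_POD_NAME`/`MY_POD_NAMESPACE` variables it needs for authentication, the image `cyberark/secrets-provider-for-k8s`, and the `.Values` keys shown.

```yaml
# Added example, not the project's own chart. Assumed names are noted inline.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials          # assumed name; referenced by K8S_SECRETS below
type: Opaque
stringData:
  # Secrets Provider reads this map (assumed key "conjur-map") and writes the
  # value of each Conjur variable under the listed key, e.g. data.username.
  conjur-map: |
    username: secrets/pet-store/db/username
    password: secrets/pet-store/db/password
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pet-store
spec:
  replicas: 1
  selector:
    matchLabels: {app: pet-store}
  template:
    metadata:
      labels: {app: pet-store}
      annotations:
        # Second option from the issue: authn login supplied as an annotation
        # whose value comes from a chart value (assumed annotation key).
        conjur.org/authn-identity: {{ .Values.conjur.authnLogin | quote }}
    spec:
      serviceAccountName: pet-store     # assumed; needs RBAC to update the Secret
      initContainers:
        - name: secrets-provider
          image: cyberark/secrets-provider-for-k8s:latest   # assumed image
          envFrom:
            # One ConfigMap reference replaces the four CONJUR_* env entries.
            - configMapRef:
                name: conjur-connect    # assumed ConfigMap name
          env:
            # Pod identity the authenticator client presents to Conjur (assumed).
            - name: MY_POD_NAME
              valueFrom: {fieldRef: {fieldPath: metadata.name}}
            - name: MY_POD_NAMESPACE
              valueFrom: {fieldRef: {fieldPath: metadata.namespace}}
            # The six settings the issue turns into chart values.
            - name: SECRETS_DESTINATION
              value: {{ .Values.secretsProvider.secretsDestination | quote }}   # e.g. k8s_secrets
            - name: CONTAINER_MODE
              value: {{ .Values.secretsProvider.containerMode | quote }}        # e.g. init
            - name: K8S_SECRETS
              value: {{ .Values.secretsProvider.k8sSecrets | quote }}           # e.g. db-credentials
            - name: RETRY_INTERVAL_SEC
              value: {{ .Values.secretsProvider.retryIntervalSec | quote }}
            - name: RETRY_COUNT_LIMIT
              value: {{ .Values.secretsProvider.retryCountLimit | quote }}
            - name: DEBUG
              value: {{ .Values.secretsProvider.debug | quote }}
      containers:
        - name: pet-store
          image: {{ .Values.app.image }}
          volumeMounts:
            # The app reads the mutated Secret from files, as the issue's
            # "Kubernetes Secrets volume mount" step describes.
            - name: db-credentials
              mountPath: /etc/db
              readOnly: true
      volumes:
        - name: db-credentials
          secret:
            secretName: db-credentials
```

Two points worth checking when wiring this up. With CONTAINER_MODE set to `init`, the app container does not start until the init container has exited successfully, so a failed Conjur authentication or a missing variable fails the pod closed rather than starting the app with empty credentials; the RETRY_* values bound how long that wait can take. The service account only needs a Role granting `get` and `update` on the specific Secret names listed in K8S_SECRETS, not cluster-wide secret access, which keeps the blast radius of a compromised app pod to the Secrets it already reads.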

@izgeri
Contributor

izgeri commented May 24, 2021

closing as duplicate of #272 and #292

@izgeri izgeri closed this as completed May 24, 2021