The Namespace helm test queries the /info endpoint for validation #290

Open
diverdane opened this issue May 3, 2021 · 0 comments
Is your feature request related to a problem? Please describe.

It would be very helpful for users of the Application Namespace Helm chart to
validate that the values configured for

  • CONJUR_ACCOUNT
  • CONJUR_AUTHN_URL

in the Conjur Connect ConfigMap are valid and can be trusted when applications mount
this ConfigMap and subsequently try to connect with Conjur.

This will allow for quick isolation of misconfigurations.

This issue builds on the framework created in Issue #289. For an overview of the Namespace prep
Helm chart Helm test framework, refer to Issue #289.

Validation can be done by comparing configured values with corresponding values
that can be read from the /info Conjur API endpoint. Since this endpoint is currently only available for
Conjur Enterprise, this feature will only work with Conjur Enterprise instances.

Describe the solution you would like

Addition of conjur.type (can be "oss" or "enterprise") to chart values

A conjur.type field should be added to the chart's values.yaml file.
The default setting for this value will be "oss".

Expecting /info access vs. "best effort"

  • When conjur.type is explicitly set to "enterprise", this will signify that the /info
    endpoint is expected to work, and a lack of response is a failure.
  • When conjur.type is not explicitly set to "enterprise", then access to /info
    endpoint will be "best effort".
    That is, an attempt will be made to access the
    /info endpoint. Failure to access this endpoint will not be considered a
    test failure.

Parsing /info endpoint data and validating

When access to the /info endpoint is successful, the returned data
will be parsed for:

  • Conjur account
  • Enabled authn-k8s authenticator IDs

If the actual Conjur account does not match the conjurAccount value in the Golden ConfigMap,
then a test failure is declared.

If the enabled authn-k8s authenticator IDs do not contain the authnK8sAuthenticatorID
value in the Golden ConfigMap, then a test failure is declared.

Test results

Test failures must appear in the command line output of the helm test ... command.
The output should be clear about which value has been misconfigured.

Test environments

Testing must be done with both a Conjur OSS instance and a Conjur Enterprise instance.

DoD

- [ ] conjur.type added to chart values, defaulting to "oss"
- [ ] A JSON schema validation is added to values.schema.json for this new field
- [ ] Test cases added to Namespace prep Helm chart test
- [ ] Testing performed on both Conjur OSS and Conjur Enterprise setup
- [ ] Helm test passes for "happy path" valid values
- [ ] Helm test fails for incorrect CONJUR_ACCOUNT, and failure is clear on command line output
- [ ] Helm test fails for incorrect CONJUR_AUTHN_URL, and failure is clear on command line output
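
A sketch of the comparison logic requested above, added here as an example; it is not code from this issue or from the project. The helper name `check_info`, the sample values, and the `/info` JSON layout (`configuration.conjur.account`, and `authenticators.enabled` entries of the form `authn-k8s/<id>`) are assumptions, as is treating an unparseable body the same as no response.

```python
import json

# Constructed sample; the field layout of the /info response is an assumption.
SAMPLE_INFO = json.dumps({
    "configuration": {"conjur": {"account": "myorg"}},
    "authenticators": {"enabled": ["authn", "authn-k8s/dev-cluster"]},
})

def check_info(conjur_type, info_body, conjur_account, authenticator_id):
    """Return failure messages for one helm test run (hypothetical helper).

    info_body is the /info response text, or None when the request failed.
    An empty list means the test passes.
    """
    try:
        info = json.loads(info_body) if info_body is not None else None
        account = info["configuration"]["conjur"]["account"]
        # Enabled entries look like "authn-k8s/<id>"; keep only the <id> part.
        k8s_ids = [e.split("/", 1)[1] for e in info["authenticators"]["enabled"]
                   if isinstance(e, str) and e.startswith("authn-k8s/")]
    except (ValueError, KeyError, TypeError):
        # No usable /info data: a failure only when conjur.type is "enterprise".
        if conjur_type == "enterprise":
            return ["/info gave no usable response but conjur.type is 'enterprise'"]
        return []  # best effort: nothing to compare against

    failures = []
    if account != conjur_account:
        failures.append(f"conjurAccount is '{conjur_account}' but Conjur reports '{account}'")
    # Exact match on the ID: "dev" must not pass because "dev-cluster" is enabled.
    if authenticator_id not in k8s_ids:
        failures.append(f"authnK8sAuthenticatorID '{authenticator_id}' is not among "
                        f"enabled authn-k8s IDs {k8s_ids}")
    return failures

if __name__ == "__main__":
    for msg in check_info("enterprise", SAMPLE_INFO, "myorg", "dev"):
        print("FAIL:", msg)
```

Each message names the misconfigured value, which is what the "Test results" section asks to see in the `helm test` output.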
