Merge pull request #1429 from cyberark/adds-CA-for-NG-laptops

Update dev environment to work on CyberArk NG laptops

.gitignore

@@ -47,3 +47,7 @@ github.com/cyberark/
 # Image scan files
 scan_results-*.json
 scan_results-*.xml
+
+# Temporary directories to store the CyberArk proxy CA certificate
+build_ca_certificate/
+bin/juxtaposer/build_ca_certificate

Dockerfile

@@ -2,6 +2,17 @@ FROM golang:1.15-buster as secretless-builder
 MAINTAINER CyberArk Software Ltd.
 LABEL builder="secretless-builder"
 
+# On CyberArk dev laptops, golang module dependencies are downloaded with a
+# corporate proxy in the middle. For these connections to succeed we need to
+# configure the proxy CA certificate in build containers.
+#
+# To allow this script to also work on non-CyberArk laptops where the CA
+# certificate is not available, we copy the (potentially empty) directory
+# and update container certificates based on that, rather than rely on the
+# CA file itself.
+ADD build_ca_certificate /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 WORKDIR /secretless
 
 # TODO: Expand this with build args when we support other arches

Dockerfile.debug

@@ -2,6 +2,17 @@ FROM golang:1.15-buster as secretless-builder
 MAINTAINER CyberArk Software Ltd.
 LABEL builder="secretless-builder"
 
+# On CyberArk dev laptops, golang module dependencies are downloaded with a
+# corporate proxy in the middle. For these connections to succeed we need to
+# configure the proxy CA certificate in build containers.
+#
+# To allow this script to also work on non-CyberArk laptops where the CA
+# certificate is not available, we copy the (potentially empty) directory
+# and update container certificates based on that, rather than rely on the
+# CA file itself.
+ADD build_ca_certificate /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 WORKDIR /secretless
 
 # TODO: Expand this with build args when we support other arches

Dockerfile.dev

@@ -1,6 +1,17 @@
 FROM golang:1.15-buster
 MAINTAINER CyberArk Software Ltd.
 
+# On CyberArk dev laptops, golang module dependencies are downloaded with a
+# corporate proxy in the middle. For these connections to succeed we need to
+# configure the proxy CA certificate in build containers.
+#
+# To allow this script to also work on non-CyberArk laptops where the CA
+# certificate is not available, we copy the (potentially empty) directory
+# and update container certificates based on that, rather than rely on the
+# CA file itself.
+ADD build_ca_certificate /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 RUN apt-get update && \
     apt-get install -y curl \
                        jq \

Dockerfile.test

@@ -2,6 +2,17 @@ FROM golang:1.15-alpine
 MAINTAINER CyberArk Software Ltd.
 LABEL id="secretless-test-runner"
 
+# On CyberArk dev laptops, golang module dependencies are downloaded with a
+# corporate proxy in the middle. For these connections to succeed we need to
+# configure the proxy CA certificate in build containers.
+#
+# To allow this script to also work on non-CyberArk laptops where the CA
+# certificate is not available, we copy the (potentially empty) directory
+# and update container certificates based on that, rather than rely on the
+# CA file itself.
+ADD build_ca_certificate /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 WORKDIR /secretless
 
 RUN apk add -u curl \

bin/build

@@ -24,43 +24,52 @@ else
   DOCKER_FLAGS="${DOCKER_FLAGS} --force-rm"
 fi
 
-echo "Building secretless-broker:$FULL_VERSION_TAG Docker image"
-# NOTE: the latest tag is required by downstream pipeline stages
-# (we want the flags to be word split here)
-# shellcheck disable=SC2086
-docker build --tag "secretless-broker:${FULL_VERSION_TAG}" \
-             --tag "secretless-broker:latest" \
-             --target "secretless-broker" \
-             $DOCKER_FLAGS \
-             --file "$TOPLEVEL_DIR/Dockerfile" \
-             "$TOPLEVEL_DIR"
+function main() {
+  retrieve_cyberark_ca_cert
+  build_docker_images
+}
 
-echo "Building secretless-dev:$FULL_VERSION_TAG Docker image"
-# NOTE: the latest tag is required by downstream pipeline stages
-# (we want the flags to be word split here)
-# shellcheck disable=SC2086
-docker build --tag "secretless-dev:${FULL_VERSION_TAG}" \
-             --tag "secretless-dev:latest" \
-             $DOCKER_FLAGS \
-             --file "$TOPLEVEL_DIR/Dockerfile.dev" \
-             "$TOPLEVEL_DIR"
+function build_docker_images() {
+  echo "Building secretless-broker:$FULL_VERSION_TAG Docker image"
+  # NOTE: the latest tag is required by downstream pipeline stages
+  # (we want the flags to be word split here)
+  # shellcheck disable=SC2086
+  docker build --tag "secretless-broker:${FULL_VERSION_TAG}" \
+               --tag "secretless-broker:latest" \
+               --target "secretless-broker" \
+               $DOCKER_FLAGS \
+               --file "$TOPLEVEL_DIR/Dockerfile" \
+               "$TOPLEVEL_DIR"
 
-echo "Building secretless-broker-quickstart:$FULL_VERSION_TAG Docker image"
-# NOTE: the latest tag is required by downstream pipeline stages
-# (we want the flags to be word split here)
-# shellcheck disable=SC2086
-docker build --tag "secretless-broker-quickstart:${FULL_VERSION_TAG}" \
-             --tag "secretless-broker-quickstart:latest" \
-             $DOCKER_FLAGS \
-             --file "$QUICK_START_DIR/Dockerfile" \
-             "$QUICK_START_DIR"
+  echo "Building secretless-dev:$FULL_VERSION_TAG Docker image"
+  # NOTE: the latest tag is required by downstream pipeline stages
+  # (we want the flags to be word split here)
+  # shellcheck disable=SC2086
+  docker build --tag "secretless-dev:${FULL_VERSION_TAG}" \
+               --tag "secretless-dev:latest" \
+               $DOCKER_FLAGS \
+               --file "$TOPLEVEL_DIR/Dockerfile.dev" \
+               "$TOPLEVEL_DIR"
 
-echo "Building secretless-broker-redhat:$FULL_VERSION_TAG Docker image"
-# (we want the flags to be word split here)
-# shellcheck disable=SC2086
-docker build --tag "secretless-broker-redhat:${FULL_VERSION_TAG}" \
-             --target "secretless-broker-redhat" \
-             --build-arg VERSION="${FULL_VERSION_TAG}" \
-             $DOCKER_FLAGS \
-              --file "$TOPLEVEL_DIR/Dockerfile" \
-             "$TOPLEVEL_DIR"
+  echo "Building secretless-broker-quickstart:$FULL_VERSION_TAG Docker image"
+  # NOTE: the latest tag is required by downstream pipeline stages
+  # (we want the flags to be word split here)
+  # shellcheck disable=SC2086
+  docker build --tag "secretless-broker-quickstart:${FULL_VERSION_TAG}" \
+               --tag "secretless-broker-quickstart:latest" \
+               $DOCKER_FLAGS \
+               --file "$QUICK_START_DIR/Dockerfile" \
+               "$QUICK_START_DIR"
+
+  echo "Building secretless-broker-redhat:$FULL_VERSION_TAG Docker image"
+  # (we want the flags to be word split here)
+  # shellcheck disable=SC2086
+  docker build --tag "secretless-broker-redhat:${FULL_VERSION_TAG}" \
+               --target "secretless-broker-redhat" \
+               --build-arg VERSION="${FULL_VERSION_TAG}" \
+               $DOCKER_FLAGS \
+                --file "$TOPLEVEL_DIR/Dockerfile" \
+               "$TOPLEVEL_DIR"
+}
+
+main

bin/build_utils

@@ -29,3 +29,31 @@ function gen_versions() {
     echo $version
   done
 }
+
+function retrieve_cyberark_ca_cert() {
+  # On CyberArk dev laptops, golang module dependencies are downloaded with a
+  # corporate proxy in the middle. For these connections to succeed we need to
+  # configure the proxy CA certificate in build containers.
+  #
+  # To allow this script to also work on non-CyberArk laptops where the CA
+  # certificate is not available, we update container certificates based on
+  # a (potentially empty) certificate directory, rather than relying on the
+  # CA file itself.
+  mkdir -p "$(repo_root)/build_ca_certificate"
+
+  # Only attempt to extract the certificate if the security
+  # command is available.
+  #
+  # The certificate file must have the .crt extension to be imported
+  # by `update-ca-certificates`.
+  if command -v security &> /dev/null
+  then
+    security find-certificate \
+      -a -c "CyberArk Enterprise Root CA" \
+      -p > build_ca_certificate/cyberark_root.crt
+  fi
+}
+
+repo_root() {
+  git rev-parse --show-toplevel
+}

bin/juxtaposer/Dockerfile

@@ -1,5 +1,16 @@
 FROM golang:1.12.5-alpine as perftool-builder
 
+# On CyberArk dev laptops, golang module dependencies are downloaded with a
+# corporate proxy in the middle. For these connections to succeed we need to
+# configure the proxy CA certificate in build containers.
+#
+# To allow this script to also work on non-CyberArk laptops where the CA
+# certificate is not available, we copy the (potentially empty) directory
+# and update container certificates based on that, rather than rely on the
+# CA file itself.
+ADD build_ca_certificate /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 WORKDIR /perftool
 ENV CGO_ENABLED=0
 

bin/juxtaposer/deploy/build_and_push_image

@@ -1,23 +1,61 @@
 #!/bin/bash
 set -euo pipefail
 
-CURRENT_DIR=$(dirname "${BASH_SOURCE[0]}")
+CURRENT_DIR="$(dirname "${BASH_SOURCE[0]}")"
 
-if ! oc whoami &> /dev/null; then
-  oc login
-fi
-docker login -u _ -p "$(oc whoami -t)" "$DOCKER_REGISTRY_PATH"
+function main() {
+  retrieve_cyberark_ca_cert
+  oc_login
+  build_docker_images
+}
 
-test_app_image="$DOCKER_REGISTRY_PATH/$TEST_APP_NAMESPACE_NAME/$APP_NAME:$TEST_APP_NAMESPACE_NAME"
+function retrieve_cyberark_ca_cert() {
+  pushd "$CURRENT_DIR/.."
+    # On CyberArk dev laptops, golang module dependencies are downloaded with
+    # a corporate proxy in the middle. For these connections to succeed we
+    # need to configure the proxy CA certificate in build containers.
+    #
+    # To allow this script to also work on non-CyberArk laptops where the CA
+    # certificate is not available, we update container certificates based on
+    # a (potentially empty) certificate directory, rather than relying on the
+    # CA file itself.
+    mkdir -p build_ca_certificate
 
-echo "Building and pushing image..."
+    # Only attempt to extract the certificate if the security
+    # command is available.
+    #
+    # The certificate file must have the .crt extension to be imported
+    # by `update-ca-certificates`.
+    if command -v security &> /dev/null
+    then
+      security find-certificate \
+        -a -c "CyberArk Enterprise Root CA" \
+        -p > build_ca_certificate/cyberark_root.crt
+    fi
+  popd
+}
 
-echo "Building $APP_NAME image"
-pushd "$CURRENT_DIR/.."
-  docker build -t "$APP_NAME:$TEST_APP_NAMESPACE_NAME" .
-popd
+function oc_login() {
+  if ! oc whoami &> /dev/null; then
+    oc login
+  fi
+  docker login -u _ -p "$(oc whoami -t)" "$DOCKER_REGISTRY_PATH"
+}
 
-docker tag "$APP_NAME:$TEST_APP_NAMESPACE_NAME" "$test_app_image"
+function build_docker_images() {
+  test_app_image="$DOCKER_REGISTRY_PATH/$TEST_APP_NAMESPACE_NAME/$APP_NAME:$TEST_APP_NAMESPACE_NAME"
 
-echo "Pushing $test_app_image to OpenShift..."
-docker push "$test_app_image"
+  echo "Building and pushing image..."
+
+  echo "Building $APP_NAME image"
+  pushd "$CURRENT_DIR/.."
+    docker build -t "$APP_NAME:$TEST_APP_NAMESPACE_NAME" .
+  popd
+
+  docker tag "$APP_NAME:$TEST_APP_NAMESPACE_NAME" "$test_app_image"
+
+  echo "Pushing $test_app_image to OpenShift..."
+  docker push "$test_app_image"
+}
+
+main