Update dev environment to work on CyberArk NG laptops

On CyberArk dev laptops, golang module dependencies are downloaded with a
corporate proxy in the middle. For these connections to succeed we need to
configure the proxy CA certificate in build containers.

To allow build script to also work on non-CyberArk laptops where the CA
certificate is not available, we copy the (potentially empty) directory
into the build containers, and update container certificates based on that
directory, rather than relying on the CA file itself.

.gitignore

@@ -47,3 +47,7 @@ github.com/cyberark/
 # Image scan files
 scan_results-*.json
 scan_results-*.xml
+
+# Temporary directories to store the CyberArk proxy CA certificate
+build_ca_certificate/
+bin/juxtaposer/build_ca_certificate

Dockerfile

@@ -2,6 +2,17 @@ FROM golang:1.15-buster as secretless-builder
 MAINTAINER CyberArk Software Ltd.
 LABEL builder="secretless-builder"
 
+# On CyberArk dev laptops, golang module dependencies are downloaded with a
+# corporate proxy in the middle. For these connections to succeed we need to
+# configure the proxy CA certificate in build containers.
+#
+# To allow this script to also work on non-CyberArk laptops where the CA
+# certificate is not available, we copy the (potentially empty) directory
+# and update container certificates based on that, rather than rely on the
+# CA file itself.
+ADD build_ca_certificate /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 WORKDIR /secretless
 
 # TODO: Expand this with build args when we support other arches

Dockerfile.debug

@@ -2,6 +2,17 @@ FROM golang:1.15-buster as secretless-builder
 MAINTAINER CyberArk Software Ltd.
 LABEL builder="secretless-builder"
 
+# On CyberArk dev laptops, golang module dependencies are downloaded with a
+# corporate proxy in the middle. For these connections to succeed we need to
+# configure the proxy CA certificate in build containers.
+#
+# To allow this script to also work on non-CyberArk laptops where the CA
+# certificate is not available, we copy the (potentially empty) directory
+# and update container certificates based on that, rather than rely on the
+# CA file itself.
+ADD build_ca_certificate /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 WORKDIR /secretless
 
 # TODO: Expand this with build args when we support other arches

Dockerfile.dev

@@ -1,6 +1,17 @@
 FROM golang:1.15-buster
 MAINTAINER CyberArk Software Ltd.
 
+# On CyberArk dev laptops, golang module dependencies are downloaded with a
+# corporate proxy in the middle. For these connections to succeed we need to
+# configure the proxy CA certificate in build containers.
+#
+# To allow this script to also work on non-CyberArk laptops where the CA
+# certificate is not available, we copy the (potentially empty) directory
+# and update container certificates based on that, rather than rely on the
+# CA file itself.
+ADD build_ca_certificate /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 RUN apt-get update && \
     apt-get install -y curl \
                        jq \

Dockerfile.test

@@ -2,6 +2,17 @@ FROM golang:1.15-alpine
 MAINTAINER CyberArk Software Ltd.
 LABEL id="secretless-test-runner"
 
+# On CyberArk dev laptops, golang module dependencies are downloaded with a
+# corporate proxy in the middle. For these connections to succeed we need to
+# configure the proxy CA certificate in build containers.
+#
+# To allow this script to also work on non-CyberArk laptops where the CA
+# certificate is not available, we copy the (potentially empty) directory
+# and update container certificates based on that, rather than rely on the
+# CA file itself.
+ADD build_ca_certificate /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 WORKDIR /secretless
 
 RUN apk add -u curl \

bin/build

@@ -24,43 +24,52 @@ else
   DOCKER_FLAGS="${DOCKER_FLAGS} --force-rm"
 fi
 
-echo "Building secretless-broker:$FULL_VERSION_TAG Docker image"
-# NOTE: the latest tag is required by downstream pipeline stages
-# (we want the flags to be word split here)
-# shellcheck disable=SC2086
-docker build --tag "secretless-broker:${FULL_VERSION_TAG}" \
-             --tag "secretless-broker:latest" \
-             --target "secretless-broker" \
-             $DOCKER_FLAGS \
-             --file "$TOPLEVEL_DIR/Dockerfile" \
-             "$TOPLEVEL_DIR"
+function main() {
+  retrieve_cyberark_ca_cert
+  build_docker_images
+}
 
-echo "Building secretless-dev:$FULL_VERSION_TAG Docker image"
-# NOTE: the latest tag is required by downstream pipeline stages
-# (we want the flags to be word split here)
-# shellcheck disable=SC2086
-docker build --tag "secretless-dev:${FULL_VERSION_TAG}" \
-             --tag "secretless-dev:latest" \
-             $DOCKER_FLAGS \
-             --file "$TOPLEVEL_DIR/Dockerfile.dev" \
-             "$TOPLEVEL_DIR"
+function build_docker_images() {
+  echo "Building secretless-broker:$FULL_VERSION_TAG Docker image"
+  # NOTE: the latest tag is required by downstream pipeline stages
+  # (we want the flags to be word split here)
+  # shellcheck disable=SC2086
+  docker build --tag "secretless-broker:${FULL_VERSION_TAG}" \
+               --tag "secretless-broker:latest" \
+               --target "secretless-broker" \
+               $DOCKER_FLAGS \
+               --file "$TOPLEVEL_DIR/Dockerfile" \
+               "$TOPLEVEL_DIR"
 
-echo "Building secretless-broker-quickstart:$FULL_VERSION_TAG Docker image"
-# NOTE: the latest tag is required by downstream pipeline stages
-# (we want the flags to be word split here)
-# shellcheck disable=SC2086
-docker build --tag "secretless-broker-quickstart:${FULL_VERSION_TAG}" \
-             --tag "secretless-broker-quickstart:latest" \
-             $DOCKER_FLAGS \
-             --file "$QUICK_START_DIR/Dockerfile" \
-             "$QUICK_START_DIR"
+  echo "Building secretless-dev:$FULL_VERSION_TAG Docker image"
+  # NOTE: the latest tag is required by downstream pipeline stages
+  # (we want the flags to be word split here)
+  # shellcheck disable=SC2086
+  docker build --tag "secretless-dev:${FULL_VERSION_TAG}" \
+               --tag "secretless-dev:latest" \
+               $DOCKER_FLAGS \
+               --file "$TOPLEVEL_DIR/Dockerfile.dev" \
+               "$TOPLEVEL_DIR"
 
-echo "Building secretless-broker-redhat:$FULL_VERSION_TAG Docker image"
-# (we want the flags to be word split here)
-# shellcheck disable=SC2086
-docker build --tag "secretless-broker-redhat:${FULL_VERSION_TAG}" \
-             --target "secretless-broker-redhat" \
-             --build-arg VERSION="${FULL_VERSION_TAG}" \
-             $DOCKER_FLAGS \
-              --file "$TOPLEVEL_DIR/Dockerfile" \
-             "$TOPLEVEL_DIR"
+  echo "Building secretless-broker-quickstart:$FULL_VERSION_TAG Docker image"
+  # NOTE: the latest tag is required by downstream pipeline stages
+  # (we want the flags to be word split here)
+  # shellcheck disable=SC2086
+  docker build --tag "secretless-broker-quickstart:${FULL_VERSION_TAG}" \
+               --tag "secretless-broker-quickstart:latest" \
+               $DOCKER_FLAGS \
+               --file "$QUICK_START_DIR/Dockerfile" \
+               "$QUICK_START_DIR"
+
+  echo "Building secretless-broker-redhat:$FULL_VERSION_TAG Docker image"
+  # (we want the flags to be word split here)
+  # shellcheck disable=SC2086
+  docker build --tag "secretless-broker-redhat:${FULL_VERSION_TAG}" \
+               --target "secretless-broker-redhat" \
+               --build-arg VERSION="${FULL_VERSION_TAG}" \
+               $DOCKER_FLAGS \
+                --file "$TOPLEVEL_DIR/Dockerfile" \
+               "$TOPLEVEL_DIR"
+}
+
+main

bin/build_utils

@@ -29,3 +29,31 @@ function gen_versions() {
     echo $version
   done
 }
+
+function retrieve_cyberark_ca_cert() {
+  # On CyberArk dev laptops, golang module dependencies are downloaded with a
+  # corporate proxy in the middle. For these connections to succeed we need to
+  # configure the proxy CA certificate in build containers.
+  #
+  # To allow this script to also work on non-CyberArk laptops where the CA
+  # certificate is not available, we update container certificates based on
+  # a (potentially empty) certificate directory, rather than relying on the
+  # CA file itself.
+  mkdir -p "$(repo_root)/build_ca_certificate"
+
+  # Only attempt to extract the certificate if the security
+  # command is available.
+  #
+  # The certificate file must have the .crt extension to be imported
+  # by `update-ca-certificates`.
+  if command -v security &> /dev/null
+  then
+    security find-certificate \
+      -a -c "CyberArk Enterprise Root CA" \
+      -p > build_ca_certificate/cyberark_root.crt
+  fi
+}
+
+repo_root() {
+  git rev-parse --show-toplevel
+}

bin/juxtaposer/Dockerfile

@@ -1,5 +1,16 @@
 FROM golang:1.12.5-alpine as perftool-builder
 
+# On CyberArk dev laptops, golang module dependencies are downloaded with a
+# corporate proxy in the middle. For these connections to succeed we need to
+# configure the proxy CA certificate in build containers.
+#
+# To allow this script to also work on non-CyberArk laptops where the CA
+# certificate is not available, we copy the (potentially empty) directory
+# and update container certificates based on that, rather than rely on the
+# CA file itself.
+ADD build_ca_certificate /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 WORKDIR /perftool
 ENV CGO_ENABLED=0
 

bin/juxtaposer/deploy/build_and_push_image

@@ -1,23 +1,61 @@
 #!/bin/bash
 set -euo pipefail
 
-CURRENT_DIR=$(dirname "${BASH_SOURCE[0]}")
+CURRENT_DIR="$(dirname "${BASH_SOURCE[0]}")"
 
-if ! oc whoami &> /dev/null; then
-  oc login
-fi
-docker login -u _ -p "$(oc whoami -t)" "$DOCKER_REGISTRY_PATH"
+function main() {
+  retrieve_cyberark_ca_cert
+  oc_login
+  build_docker_images
+}
 
-test_app_image="$DOCKER_REGISTRY_PATH/$TEST_APP_NAMESPACE_NAME/$APP_NAME:$TEST_APP_NAMESPACE_NAME"
+function retrieve_cyberark_ca_cert() {
+  pushd "$CURRENT_DIR/.."
+    # On CyberArk dev laptops, golang module dependencies are downloaded with
+    # a corporate proxy in the middle. For these connections to succeed we
+    # need to configure the proxy CA certificate in build containers.
+    #
+    # To allow this script to also work on non-CyberArk laptops where the CA
+    # certificate is not available, we update container certificates based on
+    # a (potentially empty) certificate directory, rather than relying on the
+    # CA file itself.
+    mkdir -p build_ca_certificate
 
-echo "Building and pushing image..."
+    # Only attempt to extract the certificate if the security
+    # command is available.
+    #
+    # The certificate file must have the .crt extension to be imported
+    # by `update-ca-certificates`.
+    if command -v security &> /dev/null
+    then
+      security find-certificate \
+        -a -c "CyberArk Enterprise Root CA" \
+        -p > build_ca_certificate/cyberark_root.crt
+    fi
+  popd
+}
 
-echo "Building $APP_NAME image"
-pushd "$CURRENT_DIR/.."
-  docker build -t "$APP_NAME:$TEST_APP_NAMESPACE_NAME" .
-popd
+function oc_login() {
+  if ! oc whoami &> /dev/null; then
+    oc login
+  fi
+  docker login -u _ -p "$(oc whoami -t)" "$DOCKER_REGISTRY_PATH"
+}
 
-docker tag "$APP_NAME:$TEST_APP_NAMESPACE_NAME" "$test_app_image"
+function build_docker_images() {
+  test_app_image="$DOCKER_REGISTRY_PATH/$TEST_APP_NAMESPACE_NAME/$APP_NAME:$TEST_APP_NAMESPACE_NAME"
 
-echo "Pushing $test_app_image to OpenShift..."
-docker push "$test_app_image"
+  echo "Building and pushing image..."
+
+  echo "Building $APP_NAME image"
+  pushd "$CURRENT_DIR/.."
+    docker build -t "$APP_NAME:$TEST_APP_NAMESPACE_NAME" .
+  popd
+
+  docker tag "$APP_NAME:$TEST_APP_NAMESPACE_NAME" "$test_app_image"
+
+  echo "Pushing $test_app_image to OpenShift..."
+  docker push "$test_app_image"
+}
+
+main