From af979fe398d1a4cf65bcdc0dd194ce31bbf6a161 Mon Sep 17 00:00:00 2001 From: Dane LeBlanc Date: Mon, 18 Oct 2021 18:33:00 -0400 Subject: [PATCH] Update dev environment to work on CyberArk NG laptops On CyberArk dev laptops, golang module dependencies are downloaded with a corporate proxy in the middle. For these connections to succeed we need to configure the proxy CA certificate in build containers. To allow build script to also work on non-CyberArk laptops where the CA certificate is not available, we copy the (potentially empty) directory into the build containers, and update container certificates based on that directory, rather than relying on the CA file itself. --- .gitignore | 4 + Dockerfile | 11 ++ Dockerfile.debug | 11 ++ Dockerfile.dev | 11 ++ Dockerfile.test | 11 ++ bin/build | 111 ++++++++++++++------- bin/juxtaposer/Dockerfile | 11 ++ bin/juxtaposer/deploy/build_and_push_image | 66 +++++++++--- 8 files changed, 185 insertions(+), 51 deletions(-) diff --git a/.gitignore b/.gitignore index 7d7f3eff3..90f2111a1 100644 --- a/.gitignore +++ b/.gitignore @@ -47,3 +47,7 @@ github.com/cyberark/ # Image scan files scan_results-*.json scan_results-*.xml + +# Temporary directories to store the CyberArk proxy CA certificate +build_ca_certificate/ +bin/juxtaposer/build_ca_certificate diff --git a/Dockerfile b/Dockerfile index 353f299db..e2ae4042b 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -2,6 +2,17 @@ FROM golang:1.15-buster as secretless-builder MAINTAINER CyberArk Software Ltd. LABEL builder="secretless-builder" +# On CyberArk dev laptops, golang module dependencies are downloaded with a +# corporate proxy in the middle. For these connections to succeed we need to +# configure the proxy CA certificate in build containers. +# +# To allow this script to also work on non-CyberArk laptops where the CA +# certificate is not available, we copy the (potentially empty) directory +# and update container certificates based on that, rather than rely on the +# CA file itself. +ADD build_ca_certificate /usr/local/share/ca-certificates/ +RUN update-ca-certificates + WORKDIR /secretless # TODO: Expand this with build args when we support other arches diff --git a/Dockerfile.debug b/Dockerfile.debug index f07409413..15e866929 100644 --- a/Dockerfile.debug +++ b/Dockerfile.debug @@ -2,6 +2,17 @@ FROM golang:1.15-buster as secretless-builder MAINTAINER CyberArk Software Ltd. LABEL builder="secretless-builder" +# On CyberArk dev laptops, golang module dependencies are downloaded with a +# corporate proxy in the middle. For these connections to succeed we need to +# configure the proxy CA certificate in build containers. +# +# To allow this script to also work on non-CyberArk laptops where the CA +# certificate is not available, we copy the (potentially empty) directory +# and update container certificates based on that, rather than rely on the +# CA file itself. +ADD build_ca_certificate /usr/local/share/ca-certificates/ +RUN update-ca-certificates + WORKDIR /secretless # TODO: Expand this with build args when we support other arches diff --git a/Dockerfile.dev b/Dockerfile.dev index 67a490af0..7f3d4d4e6 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev 
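Review bot: `ADD build_ca_certificate /usr/local/share/ca-certificates/` uses ADD where COPY is the conventional choice for a local directory; ADD also carries URL-fetch and archive-extraction semantics, so a tarball dropped into that directory would be unpacked into the trust store rather than added as a plain file, and `COPY build_ca_certificate /usr/local/share/ca-certificates/` avoids that. The same line appears in Dockerfile.debug on this line and in Dockerfile.dev, Dockerfile.test and bin/juxtaposer/Dockerfile; in Dockerfile and the two builder-stage files the CA stays in the builder stage, but Dockerfile.dev and Dockerfile.test appear single-stage from their FROM lines, so the corporate proxy CA would remain trusted in those images, which is worth stating in the comment if they are ever published. On the alpine bases `update-ca-certificates` comes from the ca-certificates package, so it is worth confirming it is present in golang:1.15-alpine and golang:1.12.5-alpine. A plain `docker build` also fails when the directory is absent, since only the scripts create it; I would add `# build_ca_certificate/ is created (possibly empty) by bin/build; run that script rather than docker build directly.`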
@@ -1,6 +1,17 @@ FROM golang:1.15-buster MAINTAINER CyberArk Software Ltd. +# On CyberArk dev laptops, golang module dependencies are downloaded with a +# corporate proxy in the middle. For these connections to succeed we need to +# configure the proxy CA certificate in build containers. +# +# To allow this script to also work on non-CyberArk laptops where the CA +# certificate is not available, we copy the (potentially empty) directory +# and update container certificates based on that, rather than rely on the +# CA file itself. +ADD build_ca_certificate /usr/local/share/ca-certificates/ +RUN update-ca-certificates + RUN apt-get update && \ apt-get install -y curl \ jq \ diff --git a/Dockerfile.test b/Dockerfile.test index 4770c1493..c280708b3 100644 --- a/Dockerfile.test +++ b/Dockerfile.test @@ -2,6 +2,17 @@ FROM golang:1.15-alpine MAINTAINER CyberArk Software Ltd. LABEL id="secretless-test-runner" +# On CyberArk dev laptops, golang module dependencies are downloaded with a +# corporate proxy in the middle. For these connections to succeed we need to +# configure the proxy CA certificate in build containers. +# +# To allow this script to also work on non-CyberArk laptops where the CA +# certificate is not available, we copy the (potentially empty) directory +# and update container certificates based on that, rather than rely on the +# CA file itself. +ADD build_ca_certificate /usr/local/share/ca-certificates/ +RUN update-ca-certificates + WORKDIR /secretless RUN apk add -u curl \ diff --git a/bin/build b/bin/build index bc1e09d5b..ebc2123b9 100755 --- a/bin/build +++ b/bin/build 
@@ -24,43 +24,80 @@ else DOCKER_FLAGS="${DOCKER_FLAGS} --force-rm" fi -echo "Building secretless-broker:$FULL_VERSION_TAG Docker image" -# NOTE: the latest tag is required by downstream pipeline stages -# (we want the flags to be word split here) -# shellcheck disable=SC2086 -docker build --tag "secretless-broker:${FULL_VERSION_TAG}" \ - --tag "secretless-broker:latest" \ - --target "secretless-broker" \ - $DOCKER_FLAGS \ - --file "$TOPLEVEL_DIR/Dockerfile" \ - "$TOPLEVEL_DIR" +function main() { + retrieve_cyberark_ca_cert + build_docker_images +} -echo "Building secretless-dev:$FULL_VERSION_TAG Docker image" -# NOTE: the latest tag is required by downstream pipeline stages -# (we want the flags to be word split here) -# shellcheck disable=SC2086 -docker build --tag "secretless-dev:${FULL_VERSION_TAG}" \ - --tag "secretless-dev:latest" \ - $DOCKER_FLAGS \ - --file "$TOPLEVEL_DIR/Dockerfile.dev" \ - "$TOPLEVEL_DIR" +function retrieve_cyberark_ca_cert() { + # On CyberArk dev laptops, golang module dependencies are downloaded with a + # corporate proxy in the middle. For these connections to succeed we need to + # configure the proxy CA certificate in build containers. + # + # To allow this script to also work on non-CyberArk laptops where the CA + # certificate is not available, we update container certificates based on + # a (potentially empty) certificate directory, rather than relying on the + # CA file itself. + mkdir -p "$(repo_root)/build_ca_certificate" -echo "Building secretless-broker-quickstart:$FULL_VERSION_TAG Docker image" -# NOTE: the latest tag is required by downstream pipeline stages -# (we want the flags to be word split here) -# shellcheck disable=SC2086 -docker build --tag "secretless-broker-quickstart:${FULL_VERSION_TAG}" \ - --tag "secretless-broker-quickstart:latest" \ - $DOCKER_FLAGS \ - --file "$QUICK_START_DIR/Dockerfile" \ - "$QUICK_START_DIR" + # Only attempt to extract the certificate if the security + # command is available. 
+ # + # The certificate file must have the .crt extension to be imported + # by `update-ca-certificates`. + if command -v security &> /dev/null + then + security find-certificate \ + -a -c "CyberArk Enterprise Root CA" \ + -p > build_ca_certificate/cyberark_root.crt + fi +} -echo "Building secretless-broker-redhat:$FULL_VERSION_TAG Docker image" -# (we want the flags to be word split here) -# shellcheck disable=SC2086 -docker build --tag "secretless-broker-redhat:${FULL_VERSION_TAG}" \ - --target "secretless-broker-redhat" \ - --build-arg VERSION="${FULL_VERSION_TAG}" \ - $DOCKER_FLAGS \ - --file "$TOPLEVEL_DIR/Dockerfile" \ - "$TOPLEVEL_DIR" +function build_docker_images() { + echo "Building secretless-broker:$FULL_VERSION_TAG Docker image" + # NOTE: the latest tag is required by downstream pipeline stages + # (we want the flags to be word split here) + # shellcheck disable=SC2086 + docker build --tag "secretless-broker:${FULL_VERSION_TAG}" \ + --tag "secretless-broker:latest" \ + --target "secretless-broker" \ + $DOCKER_FLAGS \ + --file "$TOPLEVEL_DIR/Dockerfile" \ + "$TOPLEVEL_DIR" + + echo "Building secretless-dev:$FULL_VERSION_TAG Docker image" + # NOTE: the latest tag is required by downstream pipeline stages + # (we want the flags to be word split here) + # shellcheck disable=SC2086 + docker build --tag "secretless-dev:${FULL_VERSION_TAG}" \ + --tag "secretless-dev:latest" \ + $DOCKER_FLAGS \ + --file "$TOPLEVEL_DIR/Dockerfile.dev" \ + "$TOPLEVEL_DIR" + + echo "Building secretless-broker-quickstart:$FULL_VERSION_TAG Docker image" + # NOTE: the latest tag is required by downstream pipeline stages + # (we want the flags to be word split here) + # shellcheck disable=SC2086 + docker build --tag "secretless-broker-quickstart:${FULL_VERSION_TAG}" \ + --tag "secretless-broker-quickstart:latest" \ + $DOCKER_FLAGS \ + --file "$QUICK_START_DIR/Dockerfile" \ + "$QUICK_START_DIR" + + echo "Building secretless-broker-redhat:$FULL_VERSION_TAG Docker image" + # (we want 
the flags to be word split here) + # shellcheck disable=SC2086 + docker build --tag "secretless-broker-redhat:${FULL_VERSION_TAG}" \ + --target "secretless-broker-redhat" \ + --build-arg VERSION="${FULL_VERSION_TAG}" \ + $DOCKER_FLAGS \ + --file "$TOPLEVEL_DIR/Dockerfile" \ + "$TOPLEVEL_DIR" +} + +repo_root() { + git rev-parse --show-toplevel +} + +main diff --git a/bin/juxtaposer/Dockerfile b/bin/juxtaposer/Dockerfile index 21b8802a1..aa0968465 100644 --- a/bin/juxtaposer/Dockerfile +++ b/bin/juxtaposer/Dockerfile @@ -1,5 +1,16 @@ FROM golang:1.12.5-alpine as perftool-builder +# On CyberArk dev laptops, golang module dependencies are downloaded with a +# corporate proxy in the middle. For these connections to succeed we need to +# configure the proxy CA certificate in build containers. +# +# To allow this script to also work on non-CyberArk laptops where the CA +# certificate is not available, we copy the (potentially empty) directory +# and update container certificates based on that, rather than rely on the +# CA file itself. +ADD build_ca_certificate /usr/local/share/ca-certificates/ +RUN update-ca-certificates + WORKDIR /perftool ENV CGO_ENABLED=0 diff --git a/bin/juxtaposer/deploy/build_and_push_image b/bin/juxtaposer/deploy/build_and_push_image index a6d1b5f19..6f99f7311 100755 --- a/bin/juxtaposer/deploy/build_and_push_image +++ b/bin/juxtaposer/deploy/build_and_push_image 
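Review bot: In retrieve_cyberark_ca_cert the directory is created at `$(repo_root)/build_ca_certificate` but the certificate is written to the relative path `build_ca_certificate/cyberark_root.crt`, so when bin/build is invoked from anywhere other than the repository root the redirect targets a directory that may not exist and the export fails or lands outside the repository. Use the same absolute path for both: `-p > "$(repo_root)/build_ca_certificate/cyberark_root.crt"`. The script header with its `set` options is outside the hunk, so whether that failure aborts the build is not visible here. `security find-certificate -a -c` matches on the certificate name rather than a fingerprint, so every keychain entry with that name is exported into the build trust store; a comment saying the keychain is treated as the trust source would make that explicit. Minor style: `function main()` mixes the `function` keyword with parentheses while `repo_root()` uses neither; pick one form.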
@@ -1,23 +1,61 @@ #!/bin/bash set -euo pipefail -CURRENT_DIR=$(dirname "${BASH_SOURCE[0]}") +CURRENT_DIR="$(dirname "${BASH_SOURCE[0]}")" -if ! oc whoami &> /dev/null; then - oc login -fi -docker login -u _ -p "$(oc whoami -t)" "$DOCKER_REGISTRY_PATH" +function main() { + retrieve_cyberark_ca_cert + oc_login + build_docker_images +} -test_app_image="$DOCKER_REGISTRY_PATH/$TEST_APP_NAMESPACE_NAME/$APP_NAME:$TEST_APP_NAMESPACE_NAME" +function retrieve_cyberark_ca_cert() { + pushd "$CURRENT_DIR/.." + # On CyberArk dev laptops, golang module dependencies are downloaded with + # a corporate proxy in the middle. For these connections to succeed we + # need to configure the proxy CA certificate in build containers. + # + # To allow this script to also work on non-CyberArk laptops where the CA + # certificate is not available, we update container certificates based on + # a (potentially empty) certificate directory, rather than relying on the + # CA file itself. + mkdir -p build_ca_certificate -echo "Building and pushing image..." + # Only attempt to extract the certificate if the security + # command is available. + # + # The certificate file must have the .crt extension to be imported + # by `update-ca-certificates`. + if command -v security &> /dev/null + then + security find-certificate \ + -a -c "CyberArk Enterprise Root CA" \ + -p > build_ca_certificate/cyberark_root.crt + fi + popd +} -echo "Building $APP_NAME image" -pushd "$CURRENT_DIR/.." - docker build -t "$APP_NAME:$TEST_APP_NAMESPACE_NAME" . -popd +function oc_login() { + if ! oc whoami &> /dev/null; then + oc login + fi + docker login -u _ -p "$(oc whoami -t)" "$DOCKER_REGISTRY_PATH" +} -docker tag "$APP_NAME:$TEST_APP_NAMESPACE_NAME" "$test_app_image" +function build_docker_images() { + test_app_image="$DOCKER_REGISTRY_PATH/$TEST_APP_NAMESPACE_NAME/$APP_NAME:$TEST_APP_NAMESPACE_NAME" -echo "Pushing $test_app_image to OpenShift..." -docker push "$test_app_image" + echo "Building and pushing image..." 
+ + echo "Building $APP_NAME image" + pushd "$CURRENT_DIR/.." + docker build -t "$APP_NAME:$TEST_APP_NAMESPACE_NAME" . + popd + + docker tag "$APP_NAME:$TEST_APP_NAMESPACE_NAME" "$test_app_image" + + echo "Pushing $test_app_image to OpenShift..." + docker push "$test_app_image" +} + +main
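Review bot: oc_login passes the OpenShift token on the docker command line via `-p "$(oc whoami -t)"`, where it is visible to other local processes through the argument list and in any shell trace; `oc whoami -t | docker login -u _ --password-stdin "$DOCKER_REGISTRY_PATH"` keeps it off argv. In build_docker_images, `test_app_image` is assigned without `local` and so becomes a global. The `pushd`/`popd` pairs in retrieve_cyberark_ca_cert and build_docker_images print directory-stack lines to stdout; appending `> /dev/null` keeps the build output clean.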