The Namespace prep helm test uses validator Host ID to validate the Kubernetes authenticator is functional #291

Open
diverdane opened this issue May 3, 2021 · 0 comments


Is your feature request related to a problem? Please describe.

This issue adds a deeper validation of the CONJUR_AUTHN_URL and CONJUR_ACCOUNT
in the Conjur Connect ConfigMap as compared to the validation performed in Issue #290. The intent is to validate
the configured authenticator ID in the Golden ConfigMap by doing a very basic
authentication of a configured validator host ID.

This testing depends upon the existence of a Conjur security policy for the
special host ID that enables basic authentication only, i.e. access to secrets is not required.

This must be an opt-in feature, since not all users of the Namespace Prep Helm chart will want to
configure a special validator host ID for testing purposes.

Most of the work for this task can be ported from the implementation for Issue #231,
with some minor modifications for field names.

Describe the solution you would like

Addition of a test.validatorHostID to chart values

  • If this value is not explicitly set, or it is set to a null string, then this will signify
    that the target Conjur instance has not been programmed with a special "test Host" ID,
    so that testing basic authentication should be skipped.
  • If this value is explicitly set to a non-null string, then this will be used as
    a host ID for a basic authentication test.

Addition of an authn-k8s sidecar to the Helm test Pod manifest

The authn-k8s sidecar will mount the Conjur Connect Configmap, and will attempt
to authenticate with Conjur using those connection details and the special validator host ID
when this test is enabled (i.e. validator host ID is provided via chart values).

Validation of Connection

The tester container in the Helm test Pod will be able to validate whether authentication
is successful or not by checking for an API token in a volume that is shared with
the authn-k8s container.

DoD

- [ ] test.validatorHostID has been added to the chart
- [ ] There is a JSON schema validation test added for this new value in values.schema.json
- [ ] An example Conjur policy adding permissions for authn-k8s authentication using a test host ID is created and documented in a templates/tests/README.md file
- [ ] Basic authentication test case is added to Namespace prep Helm chart test
- [ ] Basic authentication test not performed when test.validatorHostID is not set or is null string.
- [ ] Basic authentication test passes for "happy path"
- [ ] Basic authentication test fails when test.validatorHostID does not point to a configured test host ID, and the authentication failure is clear on the helm test ... command line
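
One way the tester container could implement the skip/pass/fail check described in this issue, shown as an added example that is not part of the issue or the chart's own code. The function name, its return codes, and the token file path passed to it are assumptions.

```shell
#!/bin/sh
# Added illustration, not code from the Namespace Prep Helm chart.
# Function name, return codes and argument layout are assumptions.
#
# check_basic_authn VALIDATOR_HOST_ID TOKEN_FILE [TIMEOUT_SECS]
#   VALIDATOR_HOST_ID  value rendered from test.validatorHostID
#   TOKEN_FILE         token path on the volume shared with the authn-k8s sidecar
#   TIMEOUT_SECS       how long to wait for the sidecar (default 30)
# Returns: 0 = authenticated, 1 = authentication failed, 2 = test skipped
check_basic_authn() {
  host_id="$1"
  token_file="$2"
  timeout="${3:-30}"

  # Opt-in behaviour: an unset or empty validator host ID skips the test.
  if [ -z "$host_id" ]; then
    echo "SKIP: test.validatorHostID is not set; basic authentication test skipped"
    return 2
  fi

  # Wait for the sidecar to write a non-empty token file. An empty file is
  # treated as "not yet authenticated" so a half-created file cannot pass.
  waited=0
  until [ -s "$token_file" ]; do
    if [ "$waited" -ge "$timeout" ]; then
      # Clear failure message for the `helm test` output. The token itself
      # is never printed, only the host ID and the path that was checked.
      echo "FAIL: no API token at $token_file after ${timeout}s;" \
           "host ID '$host_id' could not authenticate with authn-k8s" >&2
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done

  echo "PASS: authn-k8s sidecar obtained an API token for host ID '$host_id'"
  return 0
}
```

A test script would call this once with the rendered chart value and treat return code 2 as a skipped test case rather than a failure.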
