Thanks for your interest in the CyberArk Secrets Provider for Kubernetes. We welcome contributions!
- Contributing to the CyberArk Secrets Provider for Kubernetes
To work in this codebase, you will want to have Go version 1.12+ installed.
The full documentation for the Cyberark Secrets Provider for Kubernetes can be found here for Conjur Enterprise and here for Conjur Open Source.
Before you can start contributing to the CyberArk Secrets Provider for Kubernetes project, you must:
-
Setup your environment.
a. For detailed instructions on how to setup a Conjur Enterprise env, see Conjur Enterprise Setup.
b. For detailed instructions on how to setup a Conjur Open Source env, see Conjur Open Source Setup.
-
Setup the CyberArk Secrets Provider for Kubernetes
a. For detailed setup instructions for Conjur Enterprise, see CyberArk Secrets Provider for Kubernetes for Conjur Enterprise.
b. For detailed setup instructions for Conjur Open Source, see CyberArk Secrets Provider for Kubernetes for Conjur Open Source.
You can now deploy a local development environment for Kubernetes using Docker Desktop. Docker Desktop provides a convenient way to deploy and develop from your machine against a locally deployed cluster.
-
Docker Desktop installed
-
Kubernetes enabled in Docker Desktop
-
Navigate to Docker Preferences
-
Click on the Kubernetes tab and "Enable Kubernetes"
-
-
The Secrets Provider for K8s uses the Kubernetes Conjur deploy repository to deploy Conjur Enterprise / Conjur Open Source on Kubernetes. By default, 2.0 Gib of memory is allocated to Docker on your computer.
To successfully deploy a Conjur Enterprise cluster (Leader + Followers + Standbys), you will need to increase the memory limit to 6 Gib. To do so, perform the following:
-
Navigate to Docker preferences
-
Click on "Resources" and slide the "Memory" bar to 6
-
-
If you intend to deploy the Secrets Provider via Helm, you will need to install the Helm CLI. See here for instructions on how to do so.
To deploy a local development environment, perform the following:
-
Run
./bin/build
to build the Secrets Provider image locally -
Ensure you are in the proper local context. Otherwise, the deployment will not run successfully
Run kubectl config current-context
to verify which context you are currently in so if needed, you can switch back to it easily
Run kubectl config use-context docker-desktop
to switch to a local context. This is the context you will need to run the development environment
-
Navigate to
bootstrap.env
and uncomment theLocal DEV Env
section, ensuring thatDEV=true
. Additionally, you can deploy the Secrets Provider locally using HELM. To do so, also uncommentDEV_HELM
-
Run
./bin/start --dev
, appending--oss
or--dap
according to the environment that needs to be deployed -
To view the pod(s) that were deployed and the Secrets Provider logs, run
kubectl get pods
andkubectl logs <pod-name> -c cyberark-secrets-provider-for-k8s
respectively. You can also view Conjur Enterprise / Conjur Open Source pod logs by runningkubectl get pods -n local-conjur
andkubectl logs <conjur-pod-name> -n local-conjur
-
If a cluster is already locally deployed run
./bin/start --dev --reload
to build your local changes and redeploy them to the local Secrets Provider K8s cluster
Assuming you have a running local cluster per the previous section and a valid kubeconfig, you can run the Golang-based integration tests by simply running go test -timeout 0 -v ./e2e --tags=e2e
from the project root folder. This will execute the tests against the local cluster.
NOTE: This assumes that the cluster is running with the default values in bootstrap.env
for local DEV clusters.
To remove K8s resources from your local environment perform the following:
-
Run
kubectl get all --all-namespaces
to list all resources across all namespaces in your cluster -
Run
kubectl delete <resource-type> <name-of-resource> --namespace <namespace>
Note that for Deployments, you must first delete the Deployment and then the Pod. Otherwise the Pod will terminate and another will start it its place.
- Currently, deploying a local dev environment only works against a local K8s cluster and not an Openshift one
-
Search our open issues in GitHub to see what features are planned.
-
Select an existing issue or open a new issue to propose changes or fixes.
-
Add the
implementing
label to the issue that you open or modify. -
Run existing tests locally and ensure they pass.
-
Create a branch and add your changes. Include appropriate tests and ensure that they pass.
-
Submit a pull request, linking the issue in the description (e.g. Connected to #123).
-
Add the
implemented
label to the issue and request that a Cyberark engineer reviews and merges your code.
From here your pull request is reviewed. Once you have implemented all reviewer feedback, your code is merged into the project. Congratulations, you're a contributor!
To run existing unit tests, run ./bin/test_unit
When contributing to the CyberArk Secrets Provider for Kubernetes project, be sure to add the appropriate unit tests to either already existing test files or create new ones.
To follow Go testing conventions when creating a new test file, perform the following:
-
Create a new test file that matches the file naming pattern "*_test.go" in the proper
pkg
folder, close to the source code. -
Add the following to the import statement at the beginning of the file
import ( "testing" )
-
Create tests.
-
Run test suite,
./bin/test_unit
Our integration tests can be run against either a GKE / Openshift remote cluster. To do so, run ./bin/start
and add the proper flags.
To deploy Conjur Enterprise / Conjur Open Source, add the --oss
/ --dap
flags to the above command. By default, the integration tests run Conjur Enterprise, so no flag is required.
To deploy on GKE, add --gke
. For Openshift, use --oldest
/ --current
/ --next
. By default, the integration tests run on a GKE cluster,
so no flag is required.
For example:
- Deploy Conjur Open Source on GKE, run
./bin/start --oss --gke
- Deploy Conjur Enterprise on Openshift, run
./bin/start --dap --current
To view tracing output from Secrets Provider, you can enable Jaeger tracing.
-
Create a local Jaeger instance.
kubectl create namespace jaeger kubectl config set-context --current --namespace=jaeger helm repo add jaegertracing https://jaegertracing.github.io/helm-charts helm install jaeger jaegertracing/jaeger
Wait about 5 minutes for the Jaeger instance to be ready (you can check the status with
kubectl get pods -n jaeger
). Then run the following commands to expose the Jaeger UI on localhost:8080:pod_name=$(kubectl get pods --namespace jaeger -l "app.kubernetes.io/instance=jaeger,app.kubernetes.io/component=query" -o jsonpath="{.items[0].metadata.name}") kubectl port-forward --namespace jaeger $pod_name 8080:16686
-
Uncomment the following line in the template for the environment you are using in
bootstrap.env
, for example, if usingSECRETS_MODE="p2f-rotation"
then you'll need to update deploy/dev/config/k8s/secrets-provider-p2f-rotation.sh.yml:conjur.org/jaeger-collector-url: http://jaeger-collector.jaeger.svc.cluster.local:14268/api/traces
Now reload the dev environment with
./bin/start --dev --reload
and optionally run the e2e tests withgo test -timeout 0 -v ./e2e --tags=e2e
.
Releases should be created by maintainers only. To create a tag and release, follow the instructions in this section.
- Review the git log and ensure the changelog contains all relevant recent changes with references to GitHub issues or PRs, if possible.
- Review the changes since the last tag, and if the dependencies have changed revise the NOTICES to correctly capture the included dependencies and their licenses / copyrights.
- Ensure that all documentation that needs to be written has been written by TW, approved by PO/Engineer, and pushed to the forward-facing documentation.
- Scan the project for vulnerabilities
- Create a new branch for the version bump.
- Based on the changelog content, determine the new version number.
- Update this version in the following files:
- Commit these changes -
Bump version to x.y.z
is an acceptable commit message - and open a PR for review.
- Every build packages the Secrets Provider Helm chart for us. The package can be found under the 'Artifacts' tab of the Jenkins build and will resemble
secrets-provider-<version>.tgz
. Navigate to the 'Artifacts' tab of the tagged version build and save this file. You will need it for the next step. - Clone the repo helm-charts and do the following:
- Move the Helm package file created in the previous step to the docs folder in the
helm-charts
repo. - Go to the
helm-charts
repo root folder and execute thereindex.sh
script file located there. - Create a PR with those changes.
- Move the Helm package file created in the previous step to the docs folder in the
- Merging into main/master branches will automatically trigger a release. If successful, this release can be promoted at a later time.
- Jenkins build parameters can be utilized to promote a successful release or manually trigger aditional releases as needed.
- Reference the internal automated release doc for releasing and promoting.
- Visit the Red Hat project page once the images have been pushed and manually choose to publish the latest release.