Buildpack is converted to a supply buildpack #19
Conversation
This commit is the first step toward converting toward a supply buildpack. Known issues: - Running cf create-buildpack fails because the bin/compile script is missing, but it's not clear what this (deprecated) script is supposed to do - The bin/supply script is actually only allowed to modify the deps and index directories, and it's now set to modify the build directory. That will have to be updated, and we will need to determine how the retrieve secrets script will get run by the app. We may also need to update how the bp-supplied scripts / conjur-env look for secrets.yml, if they are no longer working from the same directory as the app dir.
ghost
assigned 
|
Notes on the work remaining:
|
jtuttle
force-pushed
the
supply-buildpack
branch
from
e0b9cd6
to
be53ec3
Compare
jtuttle
changed the title
There was a problem hiding this comment.
@jtuttle, this looks good from reading the changes. I just had a couple of small comments, and it looks like this needs README and CHANGELOG updates still.
This is probably an issue for the future and not this PR, but it would probably be worth eventually adding a live integration test to this repo as well to verify the behavior in PCF as part of the CI.
bin/compile
Outdated
| cp ${BUILDPACK_DIR}/vendor/conjur-env ./vendor/conjur-env | ||
| cp ${BUILDPACK_DIR}/lib/0001_retrieve-secrets.sh ./.profile.d/0001_retrieve-secrets.sh | ||
| popd | ||
| exit |
There was a problem hiding this comment.
Would you mind adding the newline here at the end?
| #!/bin/bash -e | ||
| # bin/supply <build-dir> <cache-dir> <deps-dir> <index> | ||
|
|
||
| BUILD_DIR=$1 |
There was a problem hiding this comment.
It would be helpful to add a quick comment for each of the directories and their purpose/role, either here or in the README.
|
Added #20 for adding automated tests to run against the live PCF instance |
ci/features/buildpackless.feature
Outdated
| Given the compile script is run against the app's root folder | ||
| Given the build directory has a secrets.yml file | ||
| And VCAP_SERVICES contains cyberark-conjur credentials | ||
| And the supply script is run against the app's root folder |
There was a problem hiding this comment.
Should we also have two tests that validate what happens when
- the build dir does not have secrets.yml, and/or
- VCAP_SERVICES does not contain cyberark-conjur creds?
There was a problem hiding this comment.
These conditions are already tested in the supply.feature so I think we're okay.
| @@ -1,9 +0,0 @@ | |||
| Feature: Compile script | |||
There was a problem hiding this comment.
Should we leave a test here that validates that this script exits for now? I could go either way.
There was a problem hiding this comment.
I'd say let's just leave it out. It's such a simple script that if anything goes wrong it'd probably be something not covered by the test we would right.
| Given the 'compile' script is run | ||
| Given the build directory has a secrets.yml file | ||
| And VCAP_SERVICES contains cyberark-conjur credentials | ||
| And the supply script is run against the app's root folder |
There was a problem hiding this comment.
Same comment here, should we test when the conditions are not right?
There was a problem hiding this comment.
Hm this feature appears to be identical to the buildpackless one. They use different step definitions on master, but they essentially boil down to the same thing. I think we should probably just remove the buildpackless one.
| @@ -1,17 +1,10 @@ | |||
| When(/^the retrieve secrets \.profile\.d script is sourced$/) do | |||
| @commands ||= [] | |||
| @commands << <<EOL | |||
| . #{@BUILD_DIR}/.profile.d/0001_retrieve-secrets.sh #{@BUILD_DIR} | |||
| HOME=#{@BUILD_DIR} DEPS_DIR=#{@DEPS_DIR} . #{@DEPS_DIR}/#{@INDEX_DIR}/.profile.d/0001_retrieve-secrets.sh | |||
There was a problem hiding this comment.
Can we add a comment here explaining the reason for passing in HOME / DEPS_DIR and the syntax being used?
| # inject secrets into environment | ||
| pushd $1 | ||
| eval "$(./vendor/conjur-env)" | ||
| # $HOME points to the app directory, which should contains a secrets.yml file. |
There was a problem hiding this comment.
Is there documentation we can link to that will share how we know HOME and DEPS_DIR will be set when this script is run?
There was a problem hiding this comment.
Unfortunately no. This is knowledge I gained from the examples linked to in Slack conversations (and the conversations themselves). This seems to be quite poorly documented.
|
@jtuttle can you revise the PR description so that it has more info about what the changes contain? might be helpful if looking back at this PR in the future |
|
@izgeri PR description updated. |
README.md
Outdated
| @@ -1,4 +1,4 @@ | |||
| The CyberArk Conjur Buildpack is a [decorator buildpack](https://github.com/cf-platform-eng/meta-buildpack#what-is-a-decorator) that provides convenient and secure access to secrets stored in Conjur. | |||
| The CyberArk Conjur Buildpack is a [supply buildpack](https://docs.cloudfoundry.org/buildpacks/custom.html#contract) that provides convenient and secure access to secrets stored in Conjur. | |||
|
|
|||
| The buildpack carries out the following: | |||
There was a problem hiding this comment.
I think more accurately the buildpack installs some scripts that do the following
README.md
Outdated
| ### Lifecycle scripts | ||
|
|
||
| The buildpack is comprised of the [3 lifecycle scripts](https://github.com/cf-platform-eng/meta-buildpack#how-to-write-a-decorator) that are required for decorator buildpacks. | ||
| The buildpack uses a [supply script](https://docs.cloudfoundry.org/buildpacks/custom.html#contract) to copy files into the application's dependency directory under a subdirectory corresponding to the buildpack's index. The `lib/0001_retrieve-secrets.sh` script is copied into a `.profile.d` subdirectory so that it will run automatically when the app starts and the `conjur-env` binary is copied to a `vendor` subdirectory. In other words, your application will end up with the following two files: |
There was a problem hiding this comment.
https://docs.cloudfoundry.org/buildpacks/understand-buildpacks.html#supply-script is a better link here
|
|
||
| The `.profile.d` script is responsible for retrieving secrets and injecting them into the session environment variables at the start of the app. | ||
| The `.profile.d` script is run automatically when the application starts and is responsible for retrieving secrets and injecting them into the app's session environment variables. | ||
|
|
There was a problem hiding this comment.
Maybe worth adding something here about how the conjur-env binary leverages Conjur's Go API to open a connection to Conjur and retrieve secrets
|
|
||
| + copy the contents of the `./lib` directory in a release to the `./.profile.d` directory relative to your app's root directory. | ||
| + copy the contents of the `./vendor` directory in a release to the `./vendor` directory relative to your app's root directory. | ||
|
|
||
| When your application starts the secrets specified in the `secrets.yml` file will now be available in the session environment variables at the start of the app. | ||
|
|
There was a problem hiding this comment.
We may still have users who need to use the decorator buildpack functionality, and they can do so using the 1.0.0 release of the buildpack. I feel pretty strongly that we should continue to include those instructions somewhere - can we either do that here, or log an issue in the conjur-docs to add documentation for using the original meta-buildpack functionality to the (non-existent yet) CF buildpack documentation?
There was a problem hiding this comment.
Issue #21 will address this
- Describe new supply buildpack functionality - Organize / improve usage information - Organize / improve development information
izgeri
force-pushed
the
supply-buildpack
branch
2 times, most recently
from
6be89d7
to
23f5f99
Compare
izgeri
changed the title
CONTRIBUTING.md
Outdated
|
|
||
| ## Prerequisites | ||
|
|
||
| Before getting started, you should install some developer tools. These are not required to deploy the Conjur Service Broker but they will let you develop using a standardized, expertly configured environment. |
CONTRIBUTING.md
Outdated
|
|
||
| ### Releasing | ||
|
|
||
| 1. Based on the unreleased content, determine the new version number and update the [VERSION](VERSION) file. |
There was a problem hiding this comment.
Should there be a mention here about semver, or what it means to determine the new version number?
izgeri
force-pushed
the
supply-buildpack
branch
2 times, most recently
from
3b0c2f8
to
e1b3036
Compare
- Update the conjur-api-go and summon versions - Convert to go modules
izgeri
force-pushed
the
supply-buildpack
branch
from
e1b3036
to
120b145
Compare
Connected to #17
In order to convert our buildpacker to a supply buildpack, this PR moves the buildpack installation logic into a single
supplyscript and changes the directories in which dependencies are installed, along with a few other changes to support this shift. It also cleans up tests a bit and adds comments where useful, and updates theconjur-envbinary to use updated dependencies and Go modules.