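#!/usr/bin/env bash
# Demo: build a Conjur appliance image, stand up a leader plus a "us" follower,
# scope a secret to the "us" replication set and watch it replicate and then
# disappear again when the set is deleted.
# Requires: docker, jq, summon (with an "artifactory" environment) and SSH
# access to github.com:conjurinc/appliance.
#
# NOTE(review): `set -x` echoes every command to stderr, including the admin
# password literal below and every later `$(<admin_password)` expansion. Drop
# -x (or redirect the trace) before running this anywhere the output is kept.
set -ex

# Admin password for the demo leader. Written with owner-only permissions so
# the default umask does not leave it world-readable in the working directory.
(umask 077; printf '%s\n' 'MyP@ssword1!!!' > admin_password)

# Build the appliance image from source and record its name:tag, then drop
# the checkout — only the image is needed from here on.
git clone git@github.com:conjurinc/appliance.git
pushd appliance
summon --environment artifactory ./bin/build-appliance-image
popd
CONJUR_IMAGE="$(<appliance/NAME):$(<appliance/TAG)"
rm -rf -- appliance

# Policies for the demo (-p so a re-run does not fail on the existing dir).
mkdir -p policy

# One variable and one host allowed to read/execute it.
cat <<'APP' > policy/app.yaml
- !variable us-only
- !host us-based-app
- !permit
  resource: !variable us-only
  role: !host us-based-app
  privileges: [ read, execute ]
APP

# Grants the "us" replication-set group read on the variable; the SQL check
# later in this script selects replicated resources by that group's read
# permission.
cat <<'USREPLICATION' > policy/permit-us-replication.yaml
- !permit
  resource: !variable us-only
  role: !group
    account: system
    id: conjur/replication-sets/us/replicated-data
  privileges: [ read, execute ]
USREPLICATION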
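#######################################
# Build the demo environment: copy the seccomp profile out of the appliance
# image, create the "conjur" docker network, start the leader and the (not yet
# configured) follower containers, configure the leader as master, then
# initialise and log in a CLI container against the leader and load the
# application policy.
# Globals:   CONJUR_IMAGE (read), PWD (read)
# Arguments: none
# Outputs:   writes ./seccomp.json and ./seed/; docker/jq output to stdout
# Returns:   non-zero if any docker step fails (script runs under set -e)
#######################################
setup() {
  # The appliance image ships a seccomp profile; extract it for docker run.
  docker run --rm --entrypoint "/bin/cat" "$CONJUR_IMAGE" \
    /usr/share/doc/conjur/examples/seccomp.json > ./seccomp.json
  docker network create conjur
  mkdir -p seed

  # Options shared by the leader and follower containers. ./seed is mounted
  # into both so the follower seed tarball can be handed over as a file.
  local -a node_opts=(
    --network conjur
    --detach
    --restart=unless-stopped
    --security-opt seccomp=seccomp.json
    --volume "$PWD/seed:/seed"
  )
  docker run --name conjur-leader "${node_opts[@]}" "$CONJUR_IMAGE"
  docker run --name conjur-follower-us "${node_opts[@]}" "$CONJUR_IMAGE"

  # The admin password goes on argv here and in the CLI login below, so it is
  # visible in `ps` and in this script's set -x trace.
  docker exec conjur-leader evoke configure master \
    --hostname=conjur-leader \
    --accept-eula \
    --admin-password="$(<admin_password)" \
    my-org
  docker exec conjur-leader evoke replication-set list
  docker exec conjur-leader curl -k https://localhost/health | jq

  # CLI container for the leader; its state lives in ./cli-leader.
  local -a cli=(
    --network conjur
    --volume "$PWD/cli-leader:/root"
  )
  # `init` is the only step run interactively (-it); presumably it prompts
  # (e.g. to accept the leader's certificate) — confirm before running unattended.
  docker run -it --rm "${cli[@]}" cyberark/conjur-cli:5 \
    init --account=my-org --url=https://conjur-leader
  docker run --rm "${cli[@]}" cyberark/conjur-cli:5 \
    authn login --username=admin --password="$(<admin_password)"
  docker run --rm "${cli[@]}" --volume "$PWD/policy:/policy" cyberark/conjur-cli:5 \
    policy load root /policy/app.yaml
}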
#######################################
# Create the "us" replication set on the leader, grant its group read on the
# us-only variable via policy, then list the resources that will replicate.
# Globals:   PWD (read)
# Arguments: none
# Outputs:   evoke / jq / psql output to stdout
#######################################
create_replication_sets() {
  docker exec conjur-leader evoke replication-set create us
  docker exec conjur-leader evoke replication-set list
  docker exec conjur-leader curl -k https://localhost/health | jq

  local -a leader_cli=(
    docker run --rm
    --network conjur
    --volume "$PWD/cli-leader:/root"
    --volume "$PWD/policy:/policy"
    cyberark/conjur-cli:5
  )
  "${leader_cli[@]}" policy load root /policy/permit-us-replication.yaml

  # Resources the replication-set group may read are the ones that replicate;
  # query them as the conjur user inside the leader container.
  local -r list_sql=$'
chpst -u conjur psql -c "
SELECT resource_id
FROM resources
WHERE is_role_allowed_to(
  \'system:group:conjur/replication-sets/us/replicated-data\',
  \'read\',
  resource_id
);"
'
  docker exec conjur-leader bash -c "$list_sql"
}
#######################################
# Seed and configure the "us" follower from the leader: the seed tarball is
# written into the /seed volume (shared by both containers), unpacked on the
# follower, the follower is configured, and its health endpoint is dumped.
# Globals:   none
# Arguments: none
# Outputs:   evoke / jq output to stdout
#######################################
create_us_replication_follower() {
  local -r follower=conjur-follower-us
  local -r seed_file=/seed/follower-us.tar
  # evoke seed writes the tarball to stdout; the redirect stays inside the
  # container so the file lands in the shared /seed volume.
  docker exec conjur-leader bash -c \
    "evoke seed follower --replication-set us $follower > $seed_file"
  docker exec "$follower" evoke unpack seed "$seed_file"
  docker exec "$follower" evoke configure follower
  docker exec "$follower" curl -k https://localhost/health | jq
}
#######################################
# Initialise a second CLI state directory (./cli-us) pointed at the "us"
# follower and log in as admin with the password file written at the top of
# the script.
# Globals:   PWD (read)
# Arguments: none
# Outputs:   CLI output to stdout
#######################################
init_follower_cli_container() {
  local -a cli=(
    --network conjur
    --volume "$PWD/cli-us:/root"
    cyberark/conjur-cli:5
  )
  # init runs interactively (-it), unlike the login step; presumably it prompts
  # (e.g. to accept the follower's certificate) — confirm before running unattended.
  docker run -it --rm "${cli[@]}" \
    init --account=my-org --url=https://conjur-follower-us
  # Password on argv: visible in `ps` and in this script's set -x trace.
  docker run --rm "${cli[@]}" \
    authn login --username=admin --password="$(<admin_password)"
}
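#######################################
# Run one conjur CLI command against the "us" follower, reusing the CLI state
# in ./cli-us (set up by init_follower_cli_container).
# Globals:   PWD (read)
# Arguments: $1 - the CLI command as a single whitespace-separated string,
#                 e.g. 'variable value us-only'
# Outputs:   the CLI command's output
#######################################
follower_cli_exec() {
  # Callers hand over the whole command as one string, so split it on
  # whitespace here. read -ra does what the previous unquoted $1 did, minus
  # the pathname expansion a bare $1 also applied (a '*' now stays a '*').
  local -a cli_args
  read -ra cli_args <<<"$1"
  docker run -it --rm \
    --network conjur \
    --volume "$PWD/cli-us:/root" \
    cyberark/conjur-cli:5 "${cli_args[@]}"
}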
#######################################
# Store a value in the us-only variable through the leader's CLI, then read it
# back through the follower's CLI (the demo's check that it replicated).
# Globals:   PWD (read)
# Arguments: none
# Outputs:   CLI output to stdout
#######################################
set_secret_values() {
  local -a leader_cli=(
    docker run --rm
    --network conjur
    --volume "$PWD/cli-leader:/root"
    cyberark/conjur-cli:5
  )
  "${leader_cli[@]}" variable values add us-only 'us-data'
  # Same variable, read from the follower side.
  follower_cli_exec 'variable value us-only'
}
#######################################
# Demo flow: build the environment, create the "us" replication set and its
# follower, write a secret on the leader and read it from the follower, then
# delete the replication set and read again — immediately and after a wait.
# Globals:   none
# Arguments: script arguments (unused)
#######################################
main() {
  setup
  create_replication_sets
  create_us_replication_follower
  init_follower_cli_container
  set_secret_values

  # Tear the replication set down and re-read from the follower twice. The
  # wait presumably gives the follower time to drop the no-longer-replicated
  # variable — confirm the interval against the appliance documentation.
  docker exec conjur-leader evoke replication-set delete -f us
  follower_cli_exec 'variable value us-only'
  sleep 300
  follower_cli_exec 'variable value us-only'
}
main "$@"