Adds standalone container image for v4 CLI (#211)

ryanprior · apotterri · commit 0749681abeba · 2018-03-29T12:07:47.000-04:00
* Adds standalone container image for v4 CLI

* Updates standalone Dockerfile to set the appropriate Conjur version

* Adds "push-image" script and adds build, push stages to Jenkinsfile

* Push on 'v4' instead of 'master'

* When creating a new Dockerfile, exclude it from Git

* Consolidates instructions in Dockerfile.standalone

* Adds Docker usage notes to README.md

* Adds `VERSION` and updates CHANGELOG.md

* Fixes jank Dockerfile exclude logic in test.sh

* Tags standalone images `cyberark/conjur-cli:4-*` instead of `-cli4`

* Updates `build-standalone` script (cli4 -&gt; cli)

* Only push to dockerhub on 'v4' branch

* Installs gem in standalone container instead of using release

* Removes Emacs mode specification

* Adds explanation and whitespace to Dockerfile.standalone

* Updates instructions to recommend ephemeral container

* Bumps version to 5.6.6

* Completes security warning

* Fixes references to "cli4" or "cli:latest"
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,3 @@
-Dockerfile.*
 .DS_Store
 *.swp
 *.deb
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 5.6.6
+
+* Adds standalone Docker image (`cyberark/conjur-cli:4`)
+
 # 5.6.5
 
 * Fix init cert check when Conjur behind a SNI
diff --git a/Dockerfile.standalone b/Dockerfile.standalone
@@ -0,0 +1,33 @@
+FROM ruby:2.2.9
+
+#---install useful tools and dependencies---#
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+      jq curl vim nano sudo openssh-client
+# as per https://hub.docker.com/r/conjurinc/cli5/~/dockerfile/
+
+#---install summon and summon-conjur---#
+ENV CONJUR_MAJOR_VERSION=4
+ENV CONJUR_VERSION=4
+RUN curl -sSL https://raw.githubusercontent.com/cyberark/summon/master/install.sh \
+      | env TMPDIR=$(mktemp -d) bash && \
+    curl -sSL https://raw.githubusercontent.com/cyberark/summon-conjur/master/install.sh \
+      | env TMPDIR=$(mktemp -d) bash
+# as per https://github.com/cyberark/summon#linux
+# and    https://github.com/cyberark/summon-conjur#install
+
+# Note: these install scripts^^ conflict with one another if they are not given
+# different TMPDIRs.
+
+#---install Conjur 4 CLI---#
+WORKDIR /src
+COPY . .
+RUN gem build conjur-cli.gemspec && \
+    gem install conjur-cli && \
+    cd /root && \
+    rm -rf /src
+
+#---set defaults---#
+WORKDIR /root
+COPY standalone.entrypoint /bin/entry
+ENTRYPOINT ["/bin/entry"]
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -55,6 +55,18 @@ pipeline {
       }
     }
 
+    stage('Build standalone Docker image') {
+      steps {
+        sh './build-standalone'
+      }
+    }
+
+    stage('Publish standalone Docker image to DockerHub') {
+      steps {
+        sh './push-image'
+      }
+    }
+
     // Only publish to RubyGems if the HEAD is
     // tagged with the same version as in version.rb
     stage('Publish to RubyGems') {
diff --git a/README.md b/README.md
@@ -20,6 +20,60 @@ Or install it yourself as:
 
     $ gem install conjur-cli
 
+### Using Docker
+
+This software is included in the standalone `cyberark/conjur-cli:4` Docker
+image. Docker containers are designed to be ephemeral, which means they don't
+store state after the container exits.
+
+You can start an ephemeral session with the Conjur CLI software like so:
+
+```sh-session
+$ docker run --rm -it cyberark/conjur-cli:4
+root@b27a95721e7d:~# 
+```
+
+Any initialization you do or files you create in that session will be discarded
+(permanently lost) when you exit the shell. Changes that you make to the Conjur
+server will remain.
+
+You can also use a folder on your filesystem to persist the data that the Conjur
+CLI uses to connect. For example:
+
+```sh-session
+$ mkdir mydata
+$ chmod 700 mydata
+$ docker run --rm -it -v $(PWD)/mydata:/root cyberark/conjur-cli:4 init -h https://conjur.myorg.com
+SHA1 Fingerprint=16:C8:F8:AC:7B:57:BD:5B:58:B4:13:27:22:8E:3F:A2:12:01:DB:68
+
+Please verify this certificate on the appliance using command:
+                openssl x509 -fingerprint -noout -in ~conjur/etc/ssl/conjur.pem
+
+Trust this certificate (yes/no): yes
+Wrote certificate to /root/conjur-conjur.pem
+Wrote configuration to /root/.conjurrc
+$ ls -lA mydata
+total 8
+drwxr-xr-x 2 you staff   64 Mar 28 19:30 .cache
+-rw-r--r-- 1 you staff  128 Mar 28 19:30 .conjurrc
+-rw-r--r-- 1 you staff 2665 Mar 28 19:30 conjur-conjur.pem
+$ docker run --rm -it -v $(PWD)/mydata:/root cyberark/conjur-cli:4 authn login -u your-user-name
+Please enter your password (it will not be echoed): 
+Logged in
+$ ls -lA mydata
+total 12
+drwxr-xr-x 2 you staff   64 Mar 28 19:26 .cache
+-rw-r--r-- 1 you staff  128 Mar 28 19:20 .conjurrc
+-rw------- 1 you staff  143 Mar 28 19:27 .netrc
+-rw-r--r-- 1 you staff 2665 Mar 28 19:20 conjur-conjur.pem
+$ 
+```
+
+*Security notice:* the file `.netrc`, created or updated by `conjur authn
+login`, contains a user identity credential that can be used to access the
+Conjur API. You should remove it after use or otherwise secure it like you would
+another netrc file.
+
 ### Bash completion
 
 To enable bash completions, run this command:
diff --git a/VERSION b/VERSION
@@ -0,0 +1 @@
+5.6.6
diff --git a/build-standalone b/build-standalone
@@ -0,0 +1,6 @@
+#!/bin/bash -e
+
+# build the cli standalone container image
+docker build . \
+       -f Dockerfile.standalone \
+       -t cyberark/conjur-cli
diff --git a/push-image b/push-image
@@ -0,0 +1,29 @@
+#!/bin/bash -e
+
+# Push the 'cli:4' image to Dockerhub when on the 'v4' branch
+
+cd "$(git rev-parse --show-toplevel)"
+
+TAG="4-${1:-$(cat VERSION)-$(git rev-parse --short HEAD)}"
+IMAGE='cyberark/conjur-cli'
+
+function tag_and_push() {
+    local image="$1"
+    local tag="$2"
+    local description="$3"
+
+    echo "TAG = $tag, $description"
+
+    docker tag "$image" "$image:$tag"
+    docker push "$image:$tag"
+}
+
+if [[ "$BRANCH_NAME" == 'v4' ]]; then
+    bare_tag='4'
+    latest_tag='4-latest'
+    stable_tag="4-$(cat VERSION)-stable"
+
+    tag_and_push $IMAGE $bare_tag   'latest image (bare)'
+    tag_and_push $IMAGE $latest_tag 'latest image'
+    tag_and_push $IMAGE $stable_tag 'stable image'
+fi
diff --git a/standalone.entrypoint b/standalone.entrypoint
@@ -0,0 +1,17 @@
+#!/bin/sh -e
+
+# A tool container entrypoint that tries to do the right thing whether you want
+# an interactive shell environment or run a command directly.
+#
+# It starts bash if
+#   - there is a tty (ie. docker was run with -t),
+#   - there are no arguments.
+#
+# Otherwise it runs the tool.
+
+TOOL=conjur
+
+[ -t 1 -a $# -eq 0 ] && exec bash
+
+# else
+exec $TOOL "$@"
diff --git a/test.sh b/test.sh
@@ -12,6 +12,9 @@ RUBY_VERSION=${1-${RUBY_VERSION_DEFAULT}}
 function dockerfile_path {
     echo "Setting Ruby version as ${RUBY_VERSION}" >&2
     cp "Dockerfile" "Dockerfile.${RUBY_VERSION}"
+    if ! grep "Dockerfile.${RUBY_VERSION}" .git/info/exclude >/dev/null; then
+        echo "Dockerfile.${RUBY_VERSION}*" >>.git/info/exclude
+    fi
     sed -i -e "s/${RUBY_VERSION_DEFAULT}/${RUBY_VERSION}/g" Dockerfile.${RUBY_VERSION}
 
     echo "Dockerfile.${RUBY_VERSION}"

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`		`-Dockerfile.*`
`2`	`1`	`.DS_Store`
`3`	`2`	`*.swp`
`4`	`3`	`*.deb`
-Original file line number
+Diff line change
@@ @@ -1,3 +1,7 @@ @@
 +# 5.6.6
++
 +* Adds standalone Docker image (`cyberark/conjur-cli:4`)
++
 # 5.6.5
 * Fix init cert check when Conjur behind a SNI