conjur-debify 2.0.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f76a5ea0e2c4fc01e0666594176690174cf1894f478570118056908c03c5e81
-  data.tar.gz: ebdb065547d044394079979326f759118e264a640a5feb41341fdba6386de661
+  metadata.gz: 2f1513a687cde9e9f2079436b6c9b290748d22a66ebd890c957e4dd1e9200592
+  data.tar.gz: bdbc0f7c3ce085d8ac9ad012b51c07498efcd21218896eb73e6bd4ef12806391
 SHA512:
-  metadata.gz: ed14d2fecc7c4229f8c3c59d289acd39b7defd6c046b5417d332d7adfe6b921cdc5dc16b81f95825b07e9d595f92ecc7924508fc0529f6ccce00bd182e0d8f65
-  data.tar.gz: 9c8aaaa932d2971d549a2db859c2e47c16f26890fc25ed6491c5cd854fb4d363af289312947e5f9deb950d55b044a6bc32158472445c391241bd19604d7a5725
+  metadata.gz: 77413aeaa1c6e74e293522012375671357a265d25d7e9d70cae42df8218b265a12cdfe5612bcab58b569fc9cb07ba30a44ee595f962239322b4871849f8b3b69
+  data.tar.gz: dc986fbd9bb73204846c8a39ed791432c4d668ac9c1facb51863765e67c81d5ebe004152440ff67b963a5b69abb931924f984c980cd70208c83566d9c6fabcea

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 ## [Unreleased]
 
+# 2.1.0
+### Changed
+
+- Refine bundler related steps in `debify package` flow: only `package.sh` file configures
+  and invokes bundler. `Dockerfile.fpm` only copies files and adjusts folder structure.
+- Remove bundler 1.* support 
+
 # 2.0.0
 ### Changed
 - Debify now receives the flag `--output` as input to indicate the file type that it should package (e.g `rpm`). If this 

data/Dockerfile

@@ -19,14 +19,15 @@ WORKDIR /debify
 
 COPY . ./
 
+RUN gem install bundler:2.2.30
 RUN gem build debify.gemspec
 
 ARG VERSION
 RUN gem install -N conjur-debify-${VERSION}.gem
 
 ARG CONJUR_APPLIANCE_URL
-ENV CONJUR_APPLIANCE_URL ${CONJUR_APPLIANCE_URL:-https://conjur-master-v2.itp.conjur.net/api}
+ENV CONJUR_APPLIANCE_URL ${CONJUR_APPLIANCE_URL:-https://conjurops.itp.conjur.net}
 ENV CONJUR_ACCOUNT ${CONJUR_ACCOUNT:-conjur}
-ENV CONJUR_VERSION ${CONJUR_VERSION:-4}
+ENV CONJUR_VERSION ${CONJUR_VERSION:-5}
 
 ENTRYPOINT ["/debify/distrib/entrypoint.sh"]

data/Jenkinsfile

@@ -42,10 +42,14 @@ pipeline {
             scanAndReport("debify:${VERSION}", "HIGH", false)
           }
         }
-        // No all report generated because it currently adds 10-12 minutes of
-        // build time just to write the trivy report. It'll be added once we've
-        // cleaned up and/or ignored enough issues to reduce the impact
-        // on build time.
+        stage('Scan Docker image for all issues') {
+          steps{
+            script {
+              VERSION = sh(returnStdout: true, script: 'cat VERSION')
+            }
+            scanAndReport("debify:${VERSION}", "NONE", true)
+          }
+        }
       }
     }
 
@@ -89,7 +93,6 @@ pipeline {
       steps {
         checkout scm
         sh './publish-rubygem.sh'
-        deleteDir()
       }
     }
   }

data/README.md

@@ -289,7 +289,7 @@ Start a sandbox, see that it can resolve the hostname `mydb`:
 
 ```sh-session
 
-example $ debify sandbox -t 4.9-stable --net testnet
+example $ debify sandbox -t 5.0-stable --net testnet
 example $ docker exec -it example-sandbox /bin/bash
 root@7d4217655332:/src/example# getent hosts mydb
 172.19.0.2      mydb

data/VERSION

@@ -1 +1 @@
-2.0.0
+2.1.0

data/debify.gemspec

@@ -18,20 +18,20 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
   
   spec.add_dependency "gli"
-  spec.add_dependency "docker-api", "~> 1.33"
+  spec.add_dependency "docker-api", "~> 2.0"
   spec.add_dependency "conjur-cli" , "~> 6"
   spec.add_dependency "conjur-api", "~> 5"
 
-  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "bundler", ">= 2.2.30"
   spec.add_development_dependency "fakefs", "~> 0"
-  spec.add_development_dependency "rake", "~> 12.3.3"
+  spec.add_development_dependency "rake", "~> 13.0"
   
   # Pin to cucumbe v2. cucumber v3 changes (breaks) the behavior of
   # unmatched capture groups with \(d+). In v3, the value of such a
   # group is 0 instead of nil, which breaks aruba's "I successfully
   # run...." steps.
   spec.add_development_dependency "cucumber", '~> 2'
-  spec.add_development_dependency "aruba", "~> 0.14"
+  spec.add_development_dependency "aruba", "~> 1.0"
   spec.add_development_dependency 'rspec', '~> 3'
   spec.add_development_dependency 'ci_reporter_rspec', '~> 1.0'
 end

data/example/Gemfile.lock

@@ -29,4 +29,4 @@ DEPENDENCIES
   rspec
 
 BUNDLED WITH
-   1.16.1
+   2.1.4

data/example/net-test.sh

@@ -2,6 +2,6 @@
 
 cid=$1
 
-docker exec $cid ping -c1 other_host
+docker exec $cid curl -s http://other_host > /dev/null
 
 echo Test succeeded

data/features/package.feature

@@ -1,4 +1,3 @@
-@skip
 @announce-output
 Feature: Packaging
 
@@ -6,6 +5,7 @@ Feature: Packaging
     # We use version 0.0.1-suffix to verify that RPM converts dashes to underscores
     # in the version as we expect
     Given I successfully run `env DEBUG=true GLI_DEBUG=true debify package -d ../../example -v 0.0.1-suffix example -- --post-install /distrib/postinstall.sh`
+    And I successfully run `env DEBUG=true GLI_DEBUG=true debify package -d ../../example --output rpm  -v 0.0.1-suffix example  -- --post-install /distrib/postinstall.sh`
 
   Scenario: 'example' project can be packaged successfully
     Then the stdout should contain "conjur-example_0.0.1-suffix_amd64.deb"
@@ -20,4 +20,4 @@ Feature: Packaging
     And the stdout from "find ../../example" should not contain "conjur-example-0.0.1_suffix-1.x86_64.rpm"
 
   Scenario: 'example' project can be published
-    When I successfully run `env DEBUG=true GLI_DEBUG=true debify publish -v 0.0.1-suffix -d ../../example 4.9 example`
+    When I successfully run `env DEBUG=true GLI_DEBUG=true debify publish -v 0.0.1-suffix -d ../../example 5.0 example`

data/features/sandbox.feature

@@ -1,23 +1,23 @@
 @announce-output
 Feature: Running a sandbox
   Background:
-    Given I successfully run `docker pull registry.tld/conjur-appliance-cuke-master:4.9-stable`
+    Given I successfully run `docker pull registry.tld/conjur-appliance-cuke-master:5.0-stable`
     # The extra containers will use the `alpine` image, so we need to pull it first on the
     # host to use the authenticated DockerHub connection. This avoids hitting DockerHub
     # rate limits.
-    And I successfully run `docker pull alpine`
+    And I successfully run `docker pull nginx`
 
   Scenario: sandbox for 'example' project be started
-    Given I successfully start a sandbox for "example" with arguments "-t 4.9-stable --no-pull"
+    Given I successfully start a sandbox for "example" with arguments "-t 5.0-stable --no-pull"
 
   Scenario: sandbox for 'example' project be started linked to another container
     Given I start a container named "other_host"
-    Then I successfully start a sandbox for "example" with arguments "-t 4.9-stable --no-pull --link other_host -c 'ping -c1 other_host'"
+    Then I successfully start a sandbox for "example" with arguments "-t 5.0-stable --no-pull --link other_host -c 'curl -s http://other_host > /dev/null'"
 
   Scenario: sandbox for 'example' project be started on a network other than the default
     Given I start a container named "other_host" on network "test-net"
-    Then I successfully start a sandbox for "example" with arguments "-t 4.9-stable --no-pull --net test-net -c 'ping -c1 other_host'"
+    Then I successfully start a sandbox for "example" with arguments "-t 5.0-stable --no-pull --net test-net -c 'curl -s http://other_host > /dev/null'"
 
   Scenario: sandbox for 'example' project be started on a network other than the default with a host aliased
     Given I start a container named "another_host" on network "test-net"
-    Then I successfully start a sandbox for "example" with arguments "-t 4.9-stable --no-pull --net test-net --link another_host:other_host -c 'ping -c1 other_host'"
+    Then I successfully start a sandbox for "example" with arguments "-t 5.0-stable --no-pull --net test-net --link another_host:other_host -c 'curl -s http://other_host > /dev/null'"

data/features/step_definitions/debify_steps.rb

@@ -14,8 +14,7 @@ When /^I start a container named "(.*?)"(?: on network "(.*?)")*$/ do |name, net
   
   options = {
     'name' => name,
-    'Cmd' => [ "sh", "-c", "while true; do sleep 1; done" ],
-    'Image' => 'alpine'
+    'Image' => 'nginx'
   }
   options['HostConfig'] = { 'NetworkMode' => net_name } if net_name
     

data/features/support/env.rb

@@ -6,5 +6,7 @@ LIB_DIR = File.join(File.expand_path(File.dirname(__FILE__)),'..','..','lib')
 
 Aruba.configure do |config|
   config.exit_timeout = 1200
+  # not a best practice from aruba's point of view
+  # but the only solution I've found to have docker credentials context
+  config.home_directory = ENV['HOME']
 end
-

data/features/test.feature

@@ -5,20 +5,20 @@ Feature: Testing
     Given I successfully run `env DEBUG=true GLI_DEBUG=true debify package -d ../../example -v 0.0.1 example -- --post-install /distrib/postinstall.sh`
 
   Scenario: 'example' project can be tested successfully
-    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 4.9-stable -v 0.0.1 -d ../../example --no-pull example test.sh`
+    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 5.0-stable -v 0.0.1 -d ../../example --no-pull example test.sh`
     Then the stderr should contain "Test succeeded"
 
   Scenario: 'example' project can be tested when linked to another container
     Given I start a container named "other_host"
-    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 4.9-stable -v 0.0.1 -d ../../example --no-pull --link other_host example net-test.sh`
+    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 5.0-stable -v 0.0.1 -d ../../example --no-pull --link other_host example net-test.sh`
     Then the stderr should contain "Test succeeded"
 
   Scenario: 'example' project can be tested on a network other than the default
     Given I start a container named "other_host" on network "test-net"
-    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 4.9-stable -v 0.0.1 -d ../../example --no-pull --net test-net example net-test.sh`
+    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 5.0-stable -v 0.0.1 -d ../../example --no-pull --net test-net example net-test.sh`
     Then the stderr should contain "Test succeeded"
 
   Scenario: 'example' project can be tested on a network other than the default with a host aliased
     Given I start a container named "another_host" on network "test-net"
-    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 4.9-stable -v 0.0.1 -d ../../example --no-pull --link another_host:other_host --net test-net example net-test.sh`
+    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 5.0-stable -v 0.0.1 -d ../../example --no-pull --link another_host:other_host --net test-net example net-test.sh`
     Then the stderr should contain "Test succeeded"

data/lib/conjur/debify/Dockerfile.fpm

@@ -7,10 +7,6 @@ WORKDIR /src/opt/conjur/project
 COPY Gemfile ./
 COPY Gemfile.lock ./
 
-RUN bundle --deployment
-RUN mkdir -p .bundle
-RUN cp /usr/local/bundle/config .bundle/config
-
 COPY . .
 ADD debify.sh /
 

data/lib/conjur/debify/utils.rb

@@ -6,7 +6,7 @@ module Conjur::Debify::Utils
   # copy a file from container to the current working directory
   def copy_from_container container, path
     tar = StringIO.new
-    container.copy(path) { |chunk| tar.write chunk }
+    container.archive_out(path) { |chunk| tar.write chunk }
     tar.rewind
     Gem::Package::TarReader.new(tar).each do |entry|
       File.write entry.full_name, entry.read

data/lib/conjur/debify.rb

@@ -91,7 +91,13 @@ def detect_version
 end
 
 def git_files
-  (`git ls-files -z`.split("\x0") + ['Gemfile.lock']).uniq
+  files = (`git ls-files -z`.split("\x0") + ['Gemfile.lock']).uniq
+  # Since submodule directories are listed, but are not files, we remove them.
+  # Currently, `conjur-project-config` is the only submodule in Conjur, and it
+  # can safely be removed because it's a developer-only tool.  If we add another
+  # submodule in the future needed for production, we'll need to update this
+  # code.  But YAGNI for now.
+  files.select { |f| File.file?(f) }
 end
 
 def login_to_registry(appliance_image_id)
@@ -266,7 +272,17 @@ command "package" do |c|
       additional_files = cmd_options[:'additional-files'].split(',').map(&:strip)
     end
 
-    fpm_image = Docker::Image.build_from_dir File.expand_path('fpm', File.dirname(__FILE__)), tag: "debify-fpm", &DebugMixin::DOCKER
+    begin
+      tries ||= 2
+      fpm_image = Docker::Image.build_from_dir File.expand_path('fpm', File.dirname(__FILE__)), tag: "debify-fpm", &DebugMixin::DOCKER
+    rescue
+      image_id = File.readlines(File.expand_path('fpm/Dockerfile', File.dirname(__FILE__)))
+                     .find { | line | line =~ /^FROM/ }
+                     .split(' ')
+                     .last
+      login_to_registry image_id
+      retry unless (tries -= 1).zero?
+    end
     DebugMixin.debug_write "Built base fpm image '#{fpm_image.id}'\n"
     dir = File.expand_path(dir)
 

data/lib/conjur/fpm/Dockerfile

@@ -1,5 +1,5 @@
 # Build from the same version of ubuntu as phusion/baseimage
-FROM cyberark/phusion-ruby-fips:0.11-latest
+FROM cyberark/phusion-ruby-fips:latest
 
 RUN apt-get update -y && \
     apt-get dist-upgrade -y && \
@@ -8,14 +8,12 @@ RUN apt-get update -y && \
                        libffi-dev \
                        rpm
 
-RUN gem install --no-document bundler:1.17.3 \
-                              fpm
+RUN gem install --no-document fpm
 
 ENV GEM_HOME /usr/local/bundle
 ENV BUNDLE_PATH="$GEM_HOME" \
     BUNDLE_BIN="$GEM_HOME/bin" \
-    BUNDLE_SILENCE_ROOT_WARNING=1 \
-    BUNDLE_APP_CONFIG="$GEM_HOME"
+    BUNDLE_SILENCE_ROOT_WARNING=1
 ENV PATH $BUNDLE_BIN:$PATH
 RUN mkdir -p "$GEM_HOME" "$BUNDLE_BIN" && \
     chmod 777 "$GEM_HOME" "$BUNDLE_BIN"

data/lib/conjur/fpm/package.sh

@@ -37,11 +37,13 @@ echo params at the end are $@
 
 # Build dev package first
 prefix=/src/opt/conjur/project
-cp -al $prefix /dev-pkg
 cd $prefix
-bundle --without development test
+bundle config set --local deployment 'true' && \
+bundle config set --local path 'vendor/bundle' && \
+bundle
+cp -al $prefix /dev-pkg
+bundle config set --local without 'development test'
 bundle clean
-cp /usr/local/bundle/config .bundle/config # bundler for some reason stores config there...
 cd /dev-pkg
 remove_matching $prefix
 bundle_clean
@@ -83,7 +85,7 @@ mkdir -p opt/conjur/etc
 
 [ -d opt/conjur/"$project_name"/distrib ] && mv opt/conjur/"$project_name"/distrib /
 
-echo "Building conjur-$project_name-dev $file_type package"
+echo "Building conjur-$project_name $file_type package"
 
 fpm \
   -s dir \

data/lib/conjur/publish/Dockerfile

@@ -1,11 +1,5 @@
-FROM buildpack-deps:curl
+FROM releases-docker.jfrog.io/jfrog/jfrog-cli:1.52.0
 
 ENV JFROG_CLI_OFFER_CONFIG=false
-ENV JFROG_VERSION=1.13.1
-
-RUN curl -kL \
-    -o /usr/bin/jfrog \
-    https://bintray.com/jfrog/jfrog-cli-go/download_file?file_path=${JFROG_VERSION}%2Fjfrog-cli-linux-amd64%2Fjfrog && \
-    chmod +x /usr/bin/jfrog
 
 WORKDIR /src

data/spec/debify_utils_spec.rb

@@ -30,7 +30,7 @@ describe "remove_matching()", type: :aruba do
   end
 
   def remove_matching
-    run_simple "bash -c 'source #{DEBIFY_UTILS_PATH}; cd #{herepath}; remove_matching #{therepath}'"
+    run_command_and_stop "bash -c 'source #{DEBIFY_UTILS_PATH}; cd #{herepath}; remove_matching #{therepath}'"
   end
   
   def here files

data/spec/utils_spec.rb

@@ -6,7 +6,7 @@ describe 'Conjur::Debify::Utils.copy_from_container' do
   it "copies a file from the container to the current directory" do
     tar = File.read "#{__dir__}/data/test.tar"
     container = instance_double Docker::Container
-    allow(container).to receive(:copy).with "/tmp/test.tar" do |&b|
+    allow(container).to receive(:archive_out).with "/tmp/test.tar" do |&b|
       StringIO.new(tar).each(nil, 512) do |c|
         # docker api sends three arguments, so emulate that
         b[c, nil, nil]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: conjur-debify
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - CyberArk Software, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-12-16 00:00:00.000000000 Z
+date: 2021-12-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gli
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.33'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.33'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: conjur-cli
   requirement: !ruby/object:Gem::Requirement
@@ -70,16 +70,16 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: 2.2.30
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: 2.2.30
 - !ruby/object:Gem::Dependency
   name: fakefs
   requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 12.3.3
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 12.3.3
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: cucumber
   requirement: !ruby/object:Gem::Requirement
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.14'
+        version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.14'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -250,7 +250,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Utility commands to build and package Conjur services as Debian packages