This change adds remote debug capability for the secretless broker.

WIth this change, a Delve-capable IDE such as Intellij/Goland can attach
to a running secretless broker container, allowing breakpoints to be set,
single-step debugging, etc.

The remote debug capability will be helpful for debugging integration tests.
(Unit tests, on the other hand, can already be easily debugged directly from
the source code without remotely connecting to into a container).

This change includes a new "debug" image for the secretless broker that
adds a Delve binary (to allow remote debug connections between the secretless
broker and an IDE), and compiles the secretless broker with code optimizations
disabled (for better debugging experience).

To use remote debugging on the secretless broker, follow instructions
in the 'Debugging Secretless Broker as it is Running in a Container'
section of the test/connector/mssql/README.md file.

Dockerfile.debug

@@ -0,0 +1,75 @@
+FROM golang:1.13-stretch as secretless-builder
+MAINTAINER Conjur Inc.
+LABEL builder="secretless-builder"
+
+WORKDIR /secretless
+
+# TODO: Expand this with build args when we support other arches
+ENV GOOS=linux \
+    GOARCH=amd64 \
+    CGO_ENABLED=1
+
+COPY go.mod go.sum /secretless/
+COPY third_party/ /secretless/third_party
+
+RUN go mod download
+
+# Compile Delve (for debugging)
+RUN go get github.com/go-delve/delve/cmd/dlv
+
+# secretless source files
+COPY ./cmd /secretless/cmd
+COPY ./internal /secretless/internal
+COPY ./pkg /secretless/pkg
+COPY ./resource-definitions /secretless/resource-definitions
+
+ARG TAG="dev"
+
+# The `Tag` override is there to provide the git commit information in the
+# final binary. See `Static long version tags` in the `Building` section
+# of `CONTRIBUTING.md` for more information.
+RUN go build -ldflags="-X github.com/cyberark/secretless-broker/pkg/secretless.Tag=$TAG" \
+             -gcflags="all=-N -l" \
+             -o dist/$GOOS/$GOARCH/secretless-broker ./cmd/secretless-broker && \
+    go build -o dist/$GOOS/$GOARCH/summon2 ./cmd/summon2
+
+
+# =================== MAIN CONTAINER ===================
+FROM alpine:3.8 as secretless-broker
+MAINTAINER CyberArk Software, Inc.
+
+RUN apk add -u shadow libc6-compat && \
+    # Add Limited user
+    groupadd -r secretless \
+             -g 777 && \
+    useradd -c "secretless runner account" \
+            -g secretless \
+            -u 777 \
+            -m \
+            -r \
+            secretless && \
+    # Ensure plugin dir is owned by secretless user
+    mkdir -p /usr/local/lib/secretless && \
+    # Make and setup a directory for sockets at /sock
+    mkdir /sock && \
+    # Make and setup a directory for the Conjur client certificate/access token
+    mkdir -p /etc/conjur/ssl && \
+    mkdir -p /run/conjur && \
+    # Use GID of 0 since that is what OpenShift will want to be able to read things
+    chown secretless:0 /usr/local/lib/secretless \
+                       /sock \
+                       /etc/conjur/ssl \
+                       /run/conjur && \
+    # We need open group permissions in these directories since OpenShift won't
+    # match our UID when we try to write files to them
+    chmod 770 /sock \
+              /etc/conjur/ssl \
+              /run/conjur
+
+USER secretless
+
+ENTRYPOINT [ "/usr/local/bin/dlv", "exec", "/usr/local/bin/secretless-broker", "--headless", "--listen=:40000", "--api-version=2", "--accept-multiclient", "--continue" ]
+
+COPY --from=secretless-builder /secretless/dist/linux/amd64/secretless-broker \
+                               /go/bin/dlv \
+                               /secretless/dist/linux/amd64/summon2 /usr/local/bin/

test/connector/tcp/mssql/README.md

@@ -0,0 +1,55 @@
+## Debugging Secretless Broker as it is Running in a Container 
+Using a specially built "remote-debug" image for the Secretless Broker, it
+is possible to connect a Delve-capable debugger such as Intellij or Goland
+to a Secretless Broker process that is running inside a Docker container.
+Once connected, you may debug Secretless Broker functionality, e.g. using
+breakpoints, single-stepping, and examination of Golang data structures, etc.
+
+The steps for starting the Secretless Broker and attaching a debugger are
+described in the sections that follow.
+
+### Start your MSSQL server and Secretless Broker Debug Image
+From this directory, call
+```
+./start -D
+```
+or alternatively:
+```
+./remote_debug
+```
+This will automatically start a MSSQL server in a Docker container serving
+at `localhost:1433`, and a remote-debug mode Secretless Broker serving
+at `localhost:2223`.
+
+The debug-mode Secretless Broker will be running a version of the secretless
+broker binary that is compiled with optimization turned off (to enable
+the best debugging experience). This secretless broker binary will be run
+via Delve, which provides a debug link with Delve-capable debug IDEs
+(e.g. Intellij and Goland).
+
+### Configure Your Intellij / Goland IDE
+
+Reference: [Debugging Containerized Go Applications](https://blog.jetbrains.com/go/2018/04/30/debugging-containerized-go-applications/)
+
+#### Create a `Go Remote` Run Configuration
+* In your IDE, select <Run> <Edit Configurations...> <`+`> <Go Remote>
+* In the `Name:` box, enter `secretless-broker`
+* In the `Port` box, enter `40000`
+* Select <OK>
+
+#### Add Breakpoint(s)
+* In your IDE, navigate to a place in the source code where you would like
+* Left-mouse-click in the column between the line number and the line of
+  code, and you should see a red dot, indicating that a breakpoint has
+  been added.
+
+### Run an `sqlcmd` To Start Debugging
+When running the `sqlcmd` manually for testing with the remote debugging,
+use the `-t` and '-l` flags to disable timeouts on MSSQL transactions
+and MSSQL handshakes, respectively:
+```
+sqlcmd -S "127.0.0.1,2223" -U "x" -P "x" -Q "SELECT 1+1" -t 0 -l 0
+```
+
+If all goes right, your IDE should hit your chosen breakpoint, indicated by
+the line of code having a blue background.

test/connector/tcp/mssql/docker-compose.yml

@@ -31,6 +31,23 @@ services:
     depends_on:
       - mssql
 
+  secretless-debug:
+    build:
+      context: ../../../..
+      dockerfile: Dockerfile.debug
+    ports:
+      - 2223:2223
+      - 40000:40000
+    security_opt:
+      - apparmor:unconfined
+      - seccomp:unconfined
+    cap_add:
+      - SYS_PTRACE
+    volumes:
+      - ./secretless.yml:/secretless.yml
+    depends_on:
+      - mssql
+
   test:
     build:
       context: .

test/connector/tcp/mssql/remote_debug

@@ -0,0 +1,9 @@
+#!/bin/bash -ex
+
+# Start with a secretless image that allows remote debugging. Remote
+# debugging allows a Delve-enabled debugger (e.g. Intellij or Goland) to
+# attach to a running secretless container for debugging Secretless Broker
+# functionality, e.g. with breakpoints, single-step, etc. For details,
+# see the "Debugging Secretless Broker as it is Running in a Container"
+# section in the README.md file that is in the current directory.
+./start -D

test/connector/tcp/mssql/start

@@ -3,9 +3,10 @@
 mssql_host=mssql
 secretless_host=secretless
 mssql_edition=Developer # can also be Express, Standard, Enterprise, EnterpriseCore
-while getopts :dm:s:e: opt; do
+while getopts :dDm:s:e: opt; do
     case $opt in
         d) dev_mode=true;;
+        D) secretless_host=secretless-debug;;
         m) mssql_host=${OPTARG};;
         s) secretless_host=${OPTARG};;
         e) mssql_edition=${OPTARG};;