Adds remote debug capability for secretless broker

Dockerfile.debug

@@ -0,0 +1,75 @@
+FROM golang:1.13-stretch as secretless-builder
+MAINTAINER Conjur Inc.
+LABEL builder="secretless-builder"
+
+WORKDIR /secretless
+
+# TODO: Expand this with build args when we support other arches
+ENV GOOS=linux \
+    GOARCH=amd64 \
+    CGO_ENABLED=1
+
+COPY go.mod go.sum /secretless/
+COPY third_party/ /secretless/third_party
+
+RUN go mod download
+
+# Compile Delve (for debugging)
+RUN go get github.com/go-delve/delve/cmd/dlv
+
+# secretless source files
+COPY ./cmd /secretless/cmd
+COPY ./internal /secretless/internal
+COPY ./pkg /secretless/pkg
+COPY ./resource-definitions /secretless/resource-definitions
+
+ARG TAG="dev"
+
+# The `Tag` override is there to provide the git commit information in the
+# final binary. See `Static long version tags` in the `Building` section
+# of `CONTRIBUTING.md` for more information.
+RUN go build -ldflags="-X github.com/cyberark/secretless-broker/pkg/secretless.Tag=$TAG" \
+             -gcflags="all=-N -l" \
+             -o dist/$GOOS/$GOARCH/secretless-broker ./cmd/secretless-broker && \
+    go build -o dist/$GOOS/$GOARCH/summon2 ./cmd/summon2
+
+
+# =================== MAIN CONTAINER ===================
+FROM alpine:3.8 as secretless-broker
+MAINTAINER CyberArk Software, Inc.
+
+RUN apk add -u shadow libc6-compat && \
+    # Add Limited user
+    groupadd -r secretless \
+             -g 777 && \
+    useradd -c "secretless runner account" \
+            -g secretless \
+            -u 777 \
+            -m \
+            -r \
+            secretless && \
+    # Ensure plugin dir is owned by secretless user
+    mkdir -p /usr/local/lib/secretless && \
+    # Make and setup a directory for sockets at /sock
+    mkdir /sock && \
+    # Make and setup a directory for the Conjur client certificate/access token
+    mkdir -p /etc/conjur/ssl && \
+    mkdir -p /run/conjur && \
+    # Use GID of 0 since that is what OpenShift will want to be able to read things
+    chown secretless:0 /usr/local/lib/secretless \
+                       /sock \
+                       /etc/conjur/ssl \
+                       /run/conjur && \
+    # We need open group permissions in these directories since OpenShift won't
+    # match our UID when we try to write files to them
+    chmod 770 /sock \
+              /etc/conjur/ssl \
+              /run/conjur
+
+USER secretless
+
+ENTRYPOINT [ "/usr/local/bin/dlv", "exec", "/usr/local/bin/secretless-broker", "--headless", "--listen=:40000", "--api-version=2", "--accept-multiclient", "--continue" ]
+
+COPY --from=secretless-builder /secretless/dist/linux/amd64/secretless-broker \
+                               /go/bin/dlv \
+                               /secretless/dist/linux/amd64/summon2 /usr/local/bin/

test/connector/tcp/mssql/README.md

@@ -0,0 +1,55 @@
+## Debugging Secretless Broker as it is Running in a Container 
+Using a specially built "remote-debug" image for the Secretless Broker, it
+is possible to connect a Delve-capable debugger such as Intellij or Goland
+to a Secretless Broker process that is running inside a Docker container.
+Once connected, you may debug Secretless Broker functionality, e.g. using
+breakpoints, single-stepping, and examination of Golang data structures, etc.
+
+The steps for starting the Secretless Broker and attaching a debugger are
+described in the sections that follow.
+
+### Start your MSSQL server and Secretless Broker Debug Image
+From this directory, call
+```
+./start -D
+```
+or alternatively:
+```
+./remote_debug
+```
+This will automatically start a MSSQL server in a Docker container serving
+at `localhost:1433`, and a remote-debug mode Secretless Broker serving
+at `localhost:2223`.
+
+The debug-mode Secretless Broker will be running a version of the secretless
+broker binary that is compiled with optimization turned off (to enable
+the best debugging experience). This secretless broker binary will be run
+via Delve, which provides a debug link with Delve-capable debug IDEs
+(e.g. Intellij and Goland).
+
+### Configure Your Intellij / Goland IDE
+
+Reference: [Debugging Containerized Go Applications](https://blog.jetbrains.com/go/2018/04/30/debugging-containerized-go-applications/)
+
+#### Create a `Go Remote` Run Configuration
+* In your IDE, select <Run> <Edit Configurations...> <`+`> <Go Remote>
+* In the `Name:` box, enter `secretless-broker`
+* In the `Port` box, enter `40000`
+* Select <OK>
+
+#### Add Breakpoint(s)
+* In your IDE, navigate to a place in the source code where you would like
+* Left-mouse-click in the column between the line number and the line of
+  code, and you should see a red dot, indicating that a breakpoint has
+  been added.
+
+### Run an `sqlcmd` To Start Debugging
+When running the `sqlcmd` manually for testing with the remote debugging,
+use the `-t` and '-l` flags to disable timeouts on MSSQL transactions
+and MSSQL handshakes, respectively:
+```
+sqlcmd -S "127.0.0.1,2223" -U "x" -P "x" -Q "SELECT 1+1" -t 0 -l 0
+```
+
+If all goes right, your IDE should hit your chosen breakpoint, indicated by
+the line of code having a blue background.

test/connector/tcp/mssql/docker-compose.yml

@@ -31,6 +31,23 @@ services:
     depends_on:
       - mssql
 
+  secretless-debug:
+    build:
+      context: ../../../..
+      dockerfile: Dockerfile.debug
+    ports:
+      - 2223:2223
+      - 40000:40000
+    security_opt:
+      - apparmor:unconfined
+      - seccomp:unconfined
+    cap_add:
+      - SYS_PTRACE
+    volumes:
+      - ./secretless.yml:/secretless.yml
+    depends_on:
+      - mssql
+
   test:
     build:
       context: .

test/connector/tcp/mssql/remote_debug

@@ -0,0 +1,9 @@
+#!/bin/bash -ex
+
+# Start with a secretless image that allows remote debugging. Remote
+# debugging allows a Delve-enabled debugger (e.g. Intellij or Goland) to
+# attach to a running secretless container for debugging Secretless Broker
+# functionality, e.g. with breakpoints, single-step, etc. For details,
+# see the "Debugging Secretless Broker as it is Running in a Container"
+# section in the README.md file that is in the current directory.
+./start -D

test/connector/tcp/mssql/start

@@ -3,9 +3,10 @@
 mssql_host=mssql
 secretless_host=secretless
 mssql_edition=Developer # can also be Express, Standard, Enterprise, EnterpriseCore
-while getopts :dm:s:e: opt; do
+while getopts :dDm:s:e: opt; do
     case $opt in
         d) dev_mode=true;;
+        D) secretless_host=secretless-debug;;
         m) mssql_host=${OPTARG};;
         s) secretless_host=${OPTARG};;
         e) mssql_edition=${OPTARG};;