STRLCPY/wrongsecrets

■ ■ ■ ■ ■ ■

.github/workflows/minikube-k8s-test.yml

		skipped 20 lines
21	21		- name: Start minikube
22	22		uses: medyagh/setup-minikube@master
23	23		with:
24		-	minikube-version: 1.25.2
	24	+	minikube-version: 1.27.0
25	25		driver: docker
26		-	kubernetes-version: v1.22.5
	26	+	kubernetes-version: v1.23.12
27	27		- name: test script
28	28		run: \|
29	29		kubectl apply -f k8s/secrets-config.yml
		skipped 16 lines

■ ■ ■ ■ ■ ■

.github/workflows/minikube-vault-test.yml

		skipped 21 lines
22	22		- name: Start minikube
23	23		uses: medyagh/setup-minikube@master
24	24		with:
25		-	minikube-version: 1.25.2
	25	+	minikube-version: 1.27.0
26	26		driver: docker
27		-	kubernetes-version: v1.22.5
	27	+	kubernetes-version: v1.23.12
28	28		- name: Setup helm
29	29		uses: azure/[email protected]
30	30		id: install
		skipped 4 lines

■ ■ ■ ■ ■ ■

.github/workflows/pre-commit.yml

		skipped 8 lines
9	9		env:
10	10		TF_DOCS_VERSION: v0.16.0
11	11		TFSEC_VERSION: v1.27.6
12		-	TFLINT_VERSION: v0.39.3
	12	+	TFLINT_VERSION: v0.41.0
13	13		permissions:
14	14		contents: read
15	15		jobs:
		skipped 37 lines

■ ■ ■ ■ ■ ■

README.md

		skipped 129 lines
130	130
131	131		### Okteto based
132	132
133		-	Don't want to go over the hassle of setting up K8S yourself? visit [https://wrongsecrets-commjoen.cloud.okteto.net](https://wrongsecrets-commjoen.cloud.okteto.net/). Please note that we are using the free Developer version here, so it might take a while for it to respond. Please: do not try to hack/Fuzz the application as this might bring it down and spoil the fun for others.
	133	+	Don't want to go over the hassle of setting up K8S yourself? visit [https://wrongsecrets-commjoen.cloud.okteto.net](https://wrongsecrets-commjoen.cloud.okteto.net/). Please note that we are using the free Developer version here, so it might take a while for it to respond at first (e.g. "development environment not ready" and then a 50x for a minute). Please: do not try to hack/Fuzz the application as this might bring it down and spoil the fun for others.
134	134
135	135		## Vault exercises with minikube
136	136
		skipped 254 lines

■ ■ ■ ■ ■ ■

aws/README.md

		skipped 100 lines
101	101		\| Name \| Version \|
102	102		\|------\|---------\|
103	103		\| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) \| ~> 1.1 \|
104		-	\| <a name="requirement_aws"></a> [aws](#requirement\_aws) \| ~> 4.1 \|
	104	+	\| <a name="requirement_aws"></a> [aws](#requirement\_aws) \| ~> 4.33.0 \|
105	105		\| <a name="requirement_http"></a> [http](#requirement\_http) \| ~> 3.1 \|
106		-	\| <a name="requirement_random"></a> [random](#requirement\_random) \| ~> 3.0 \|
	106	+	\| <a name="requirement_random"></a> [random](#requirement\_random) \| ~> 3.4.3 \|
107	107
108	108		## Providers
109	109
110	110		\| Name \| Version \|
111	111		\|------\|---------\|
112		-	\| <a name="provider_aws"></a> [aws](#provider\_aws) \| ~> 4.1 \|
	112	+	\| <a name="provider_aws"></a> [aws](#provider\_aws) \| ~> 4.33.0 \|
113	113		\| <a name="provider_http"></a> [http](#provider\_http) \| ~> 3.1 \|
114		-	\| <a name="provider_random"></a> [random](#provider\_random) \| ~> 3.0 \|
	114	+	\| <a name="provider_random"></a> [random](#provider\_random) \| ~> 3.4.3 \|
115	115
116	116		## Modules
117	117
118	118		\| Name \| Source \| Version \|
119	119		\|------\|--------\|---------\|
	120	+	\| <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) \| terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks \| ~> 4.12 \|
120	121		\| <a name="module_eks"></a> [eks](#module\_eks) \| terraform-aws-modules/eks/aws \| 18.30.0 \|
121	122		\| <a name="module_vpc"></a> [vpc](#module\_vpc) \| terraform-aws-modules/vpc/aws \| ~> 3.16.0 \|
122	123
		skipped 28 lines
151	152		\| Name \| Description \| Type \| Default \| Required \|
152	153		\|------\|-------------\|------\|---------\|:--------:\|
153	154		\| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) \| The EKS cluster name \| `string` \| `"wrongsecrets-exercise-cluster"` \| no \|
154		-	\| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) \| The EKS cluster version to use \| `string` \| `"1.22"` \| no \|
	155	+	\| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) \| The EKS cluster version to use \| `string` \| `"1.23"` \| no \|
155	156		\| <a name="input_region"></a> [region](#input\_region) \| The AWS region to use \| `string` \| `"eu-west-1"` \| no \|
156	157
157	158		## Outputs
		skipped 9 lines

■ ■ ■ ■ ■ ■

aws/irsa.tf

		skipped 12 lines
13	13		data "aws_iam_policy_document" "assume_role_with_oidc" {
14	14		statement {
15	15		principals {
16		-	type = "Federated"
17		-	identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}"]
	16	+	type = "Federated"
	17	+	identifiers = [
	18	+	"arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}"
	19	+	]
18	20		}
19	21		effect = "Allow"
20	22		actions = ["sts:AssumeRoleWithWebIdentity"]
		skipped 99 lines
120	122		}
121	123		}
122	124
	125	+	module "ebs_csi_irsa_role" {
	126	+	source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
	127	+	version = "~> 4.12"
	128	+	role_name = "ebs-csi"
	129	+	attach_ebs_csi_policy = true
	130	+
	131	+	oidc_providers = {
	132	+	ex = {
	133	+	provider_arn = module.eks.oidc_provider_arn
	134	+	namespace_service_accounts = ["consul:server", "kube-system:ebs-csi-controller-sa"]
	135	+	}
	136	+	}
	137	+	}
	138	+

■ ■ ■ ■ ■ ■ ■

aws/k8s/secret-challenge-vault-deployment.yml

		skipped 29 lines
30	30		fsGroup: 2000
31	31		serviceAccountName: vault
32	32		volumes:
	33	+	- name: 'ephemeral'
	34	+	emptyDir: { }
33	35		- name: secrets-store-inline
34	36		csi:
35	37		driver: secrets-store.csi.k8s.io
		skipped 3 lines
39	41		containers:
40	42		- image: jeroenwillemsen/wrongsecrets:1.5.7-k8s-vault
41	43		imagePullPolicy: IfNotPresent
	44	+	name: secret-challenge
	45	+	securityContext:
	46	+	allowPrivilegeEscalation: false
	47	+	readOnlyRootFilesystem: true
	48	+	runAsNonRoot: true
42	49		ports:
43	50		- containerPort: 8080
44	51		protocol: TCP
45		-	name: secret-challenge
46		-	resources: {}
	52	+	readinessProbe:
	53	+	httpGet:
	54	+	path: '/actuator/health/readiness'
	55	+	port: 8080
	56	+	initialDelaySeconds: 30
	57	+	timeoutSeconds: 5
	58	+	periodSeconds: 5
	59	+	failureThreshold: 8
	60	+	livenessProbe:
	61	+	httpGet:
	62	+	path: '/actuator/health/liveness'
	63	+	port: 8080
	64	+	initialDelaySeconds: 35
	65	+	timeoutSeconds: 30
	66	+	periodSeconds: 40
	67	+	failureThreshold: 5
	68	+	resources:
	69	+	requests:
	70	+	memory: '512Mi'
	71	+	cpu: '200m'
	72	+	ephemeral-storage: '1Gi'
	73	+	limits:
	74	+	memory: '512Mi'
	75	+	cpu: '1200m'
	76	+	ephemeral-storage: '2Gi'
47	77		terminationMessagePath: /dev/termination-log
48	78		terminationMessagePolicy: File
49	79		env:
		skipped 17 lines
67	97		- name: secrets-store-inline
68	98		mountPath: "/mnt/secrets-store"
69	99		readOnly: true
	100	+	- name: 'ephemeral'
	101	+	mountPath: '/tmp'
70	102		dnsPolicy: ClusterFirst
71	103		restartPolicy: Always
72	104		schedulerName: default-scheduler
		skipped 2 lines

■ ■ ■ ■ ■ ■

aws/k8s-vault-aws-start.sh

		skipped 25 lines
26	26		kubectl apply -f ../k8s/secrets-secret.yml
27	27		fi
28	28
	29	+	kubectl get sa ebs-csi-controller-sa -n kube-system \| grep '1' &>/dev/null
	30	+	if [ $? == 0 ]; then
	31	+	echo "EBS CSI driver is installed, skipping (1 secret found)"
	32	+	else
	33	+	echo "Installing the EBS CSI Driver from https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md as AWS makes shit hard on us"
	34	+	kubectl apply -k "github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.12"
	35	+	fi
	36	+
29	37		source ../scripts/install-consul.sh
30	38
31	39		source ../scripts/install-vault.sh
		skipped 30 lines

■ ■ ■ ■ ■ ■

aws/main.tf

		skipped 88 lines
89	89		"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
90	90		"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
91	91		"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
92		-	"arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
	92	+	"arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
	93	+	"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
93	94		]
94	95		}
95	96
		skipped 1 lines
97	98		bottlerocket_default = {
98	99		create_launch_template = false
99	100		launch_template_name = ""
100		-
101		-	capacity_type = "SPOT"
	101	+	min_size = 1
	102	+	max_size = 3
	103	+	desired_size = 1
	104	+	capacity_type = "SPOT"
102	105
103	106		ami_type = "BOTTLEROCKET_x86_64"
104	107		platform = "bottlerocket"
		skipped 20 lines

■ ■ ■ ■ ■ ■

aws/terraform.tfvars

1		-	cluster_version = "1.22"
	1	+	cluster_version = "1.23"
2	2		region = "eu-west-1"
3	3

■ ■ ■ ■ ■ ■

aws/variables.tf

		skipped 6 lines
7	7		variable "cluster_version" {
8	8		description = "The EKS cluster version to use"
9	9		type = string
10		-	default = "1.22"
	10	+	default = "1.23"
11	11		}
12	12
13	13		variable "cluster_name" {
		skipped 5 lines

■ ■ ■ ■ ■ ■

aws/versions.tf

		skipped 2 lines
3	3
4	4		required_providers {
5	5		aws = {
6		-	version = "~> 4.1"
	6	+	version = "~> 4.33.0"
7	7		}
8	8		random = {
9		-	version = "~> 3.0"
	9	+	version = "~> 3.4.3"
10	10		}
11	11		http = {
12	12		version = "~> 3.1"
		skipped 4 lines

■ ■ ■ ■ ■ ■

azure/README.md

		skipped 94 lines
95	95		\| Name \| Version \|
96	96		\|------\|---------\|
97	97		\| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) \| ~> 1.1 \|
98		-	\| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) \| ~> 3.9 \|
99		-	\| <a name="requirement_http"></a> [http](#requirement\_http) \| ~> 3.1 \|
100		-	\| <a name="requirement_random"></a> [random](#requirement\_random) \| ~> 3.0 \|
	98	+	\| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) \| ~> 3.25.0 \|
	99	+	\| <a name="requirement_http"></a> [http](#requirement\_http) \| ~> 3.1.0 \|
	100	+	\| <a name="requirement_random"></a> [random](#requirement\_random) \| ~> 3.4.3 \|
101	101
102	102		## Providers
103	103
104	104		\| Name \| Version \|
105	105		\|------\|---------\|
106		-	\| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) \| ~> 3.9 \|
107		-	\| <a name="provider_http"></a> [http](#provider\_http) \| ~> 3.1 \|
108		-	\| <a name="provider_random"></a> [random](#provider\_random) \| ~> 3.0 \|
	106	+	\| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) \| ~> 3.25.0 \|
	107	+	\| <a name="provider_http"></a> [http](#provider\_http) \| ~> 3.1.0 \|
	108	+	\| <a name="provider_random"></a> [random](#provider\_random) \| ~> 3.4.3 \|
109	109
110	110		## Modules
111	111
		skipped 28 lines
140	140		\| Name \| Description \| Type \| Default \| Required \|
141	141		\|------\|-------------\|------\|---------\|:--------:\|
142	142		\| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) \| The AKS cluster name \| `string` \| `"wrongsecrets-exercise-cluster"` \| no \|
143		-	\| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) \| The AKS cluster version to use \| `string` \| `"1.22.6"` \| no \|
	143	+	\| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) \| The AKS cluster version to use \| `string` \| `"1.23.12"` \| no \|
144	144		\| <a name="input_region"></a> [region](#input\_region) \| The Azure region to use \| `string` \| `"East US"` \| no \|
145	145
146	146		## Outputs
		skipped 15 lines

■ ■ ■ ■ ■ ■

azure/k8s/secret-challenge-vault-deployment.yml.tpl

		skipped 25 lines
26	26		aadpodidbinding: wrongsecrets-pod-id
27	27		name: secret-challenge
28	28		spec:
	29	+	securityContext:
	30	+	runAsUser: 2000
	31	+	runAsGroup: 2000
	32	+	fsGroup: 2000
29	33		serviceAccountName: vault
30	34		volumes:
	35	+	- name: 'ephemeral'
	36	+	emptyDir: {}
31	37		- name: secrets-store-inline
32	38		csi:
33	39		driver: secrets-store.csi.k8s.io
		skipped 3 lines
37	43		containers:
38	44		- image: jeroenwillemsen/wrongsecrets:1.5.7-k8s-vault
39	45		imagePullPolicy: IfNotPresent
	46	+	name: secret-challenge
	47	+	securityContext:
	48	+	allowPrivilegeEscalation: false
	49	+	readOnlyRootFilesystem: true
	50	+	runAsNonRoot: true
40	51		ports:
41	52		- containerPort: 8080
42	53		protocol: TCP
43		-	name: secret-challenge
44		-	resources: {}
	54	+	readinessProbe:
	55	+	httpGet:
	56	+	path: '/actuator/health/readiness'
	57	+	port: 8080
	58	+	initialDelaySeconds: 30
	59	+	timeoutSeconds: 5
	60	+	periodSeconds: 5
	61	+	failureThreshold: 8
	62	+	livenessProbe:
	63	+	httpGet:
	64	+	path: '/actuator/health/liveness'
	65	+	port: 8080
	66	+	initialDelaySeconds: 35
	67	+	timeoutSeconds: 30
	68	+	periodSeconds: 40
	69	+	failureThreshold: 5
	70	+	resources:
	71	+	requests:
	72	+	memory: '256Mi'
	73	+	cpu: '200m'
	74	+	ephemeral-storage: '1Gi'
	75	+	limits:
	76	+	memory: '512Mi'
	77	+	cpu: '1200m'
	78	+	ephemeral-storage: '2Gi'
45	79		terminationMessagePath: /dev/termination-log
46	80		terminationMessagePolicy: File
47	81		env:
		skipped 4 lines
52	86		- name: azure_keyvault_uri
53	87		value: ${AZ_VAULT_URI}
54	88		- name: management.health.azure-key-vault.enabled
55		-	value: true
	89	+	value: "true"
56	90		- name: SPECIAL_K8S_SECRET
57	91		valueFrom:
58	92		configMapKeyRef:
		skipped 12 lines
71	105		- name: secrets-store-inline
72	106		mountPath: "/mnt/secrets-store"
73	107		readOnly: true
	108	+	- name: 'ephemeral'
	109	+	mountPath: '/tmp'
74	110		dnsPolicy: ClusterFirst
75	111		restartPolicy: Always
76	112		schedulerName: default-scheduler
77		-	securityContext: {}
78	113		terminationGracePeriodSeconds: 30
79	114

■ ■ ■ ■ ■ ■

azure/variables.tf

		skipped 6 lines
7	7		variable "cluster_version" {
8	8		description = "The AKS cluster version to use"
9	9		type = string
10		-	default = "1.22.6"
	10	+	default = "1.23.12"
11	11		}
12	12
13	13		variable "cluster_name" {
		skipped 5 lines

■ ■ ■ ■ ■ ■

azure/versions.tf

		skipped 2 lines
3	3
4	4		required_providers {
5	5		random = {
6		-	version = "~> 3.0"
	6	+	version = "~> 3.4.3"
7	7		}
8	8		azurerm = {
9		-	version = "~> 3.9"
	9	+	version = "~> 3.25.0"
10	10		}
11	11		http = {
12		-	version = "~> 3.1"
	12	+	version = "~> 3.1.0"
13	13		}
14	14		}
15	15		}
		skipped 1 lines

■ ■ ■ ■ ■ ■

gcp/README.md

		skipped 44 lines
45	45		5. Run `terraform init` (if required, use tfenv to select TF 0.14.0 or higher )
46	46		6. Run `terraform plan`
47	47		7. Run `terraform apply`. Note: the apply will take 10 to 20 minutes depending on the speed of the GCP backplane.
48		-	8. When creation is done, run `gcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION`. Note if it errors on a missing plugin to support `kubectl`, then run `gcloud components install gke-gcloud-auth-plugin` and `gcloud container clusters get-credentials wrongsecrets-exercise-cluster` .
49		-	9. Run `./k8s-vault-gcp-start.sh`
	48	+	8. Run `export USE_GKE_GCLOUD_AUTH_PLUGIN=True`
	49	+	9When creation is done, run `gcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION`. Note if it errors on a missing plugin to support `kubectl`, then run `gcloud components install gke-gcloud-auth-plugin` and `gcloud container clusters get-credentials wrongsecrets-exercise-cluster` .
	50	+	10. Run `./k8s-vault-gcp-start.sh`
50	51
51	52		### GKE ingres for shared deployment
52	53
		skipped 39 lines
92	93		\| Name \| Version \|
93	94		\|------\|---------\|
94	95		\| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) \| ~> 1.1 \|
95		-	\| <a name="requirement_google"></a> [google](#requirement\_google) \| ~> 4.1 \|
96		-	\| <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) \| ~> 4.1 \|
97		-	\| <a name="requirement_http"></a> [http](#requirement\_http) \| ~> 3.1 \|
98		-	\| <a name="requirement_random"></a> [random](#requirement\_random) \| ~> 3.0 \|
	96	+	\| <a name="requirement_google"></a> [google](#requirement\_google) \| ~> 4.39.0 \|
	97	+	\| <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) \| ~> 4.39.0 \|
	98	+	\| <a name="requirement_http"></a> [http](#requirement\_http) \| ~> 3.1.0 \|
	99	+	\| <a name="requirement_random"></a> [random](#requirement\_random) \| ~> 3.4.3 \|
99	100
100	101		## Providers
101	102
102	103		\| Name \| Version \|
103	104		\|------\|---------\|
104		-	\| <a name="provider_google"></a> [google](#provider\_google) \| ~> 4.1 \|
105		-	\| <a name="provider_google-beta"></a> [google-beta](#provider\_google-beta) \| ~> 4.1 \|
106		-	\| <a name="provider_http"></a> [http](#provider\_http) \| ~> 3.1 \|
107		-	\| <a name="provider_random"></a> [random](#provider\_random) \| ~> 3.0 \|
	105	+	\| <a name="provider_google"></a> [google](#provider\_google) \| ~> 4.39.0 \|
	106	+	\| <a name="provider_google-beta"></a> [google-beta](#provider\_google-beta) \| ~> 4.39.0 \|
	107	+	\| <a name="provider_http"></a> [http](#provider\_http) \| ~> 3.1.0 \|
	108	+	\| <a name="provider_random"></a> [random](#provider\_random) \| ~> 3.4.3 \|
108	109
109	110		## Modules
110	111
		skipped 29 lines
140	141		\| Name \| Description \| Type \| Default \| Required \|
141	142		\|------\|-------------\|------\|---------\|:--------:\|
142	143		\| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) \| The GKE cluster name \| `string` \| `"wrongsecrets-exercise-cluster"` \| no \|
143		-	\| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) \| The GKE cluster version to use \| `string` \| `"1.22"` \| no \|
	144	+	\| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) \| The GKE cluster version to use \| `string` \| `"1.23"` \| no \|
144	145		\| <a name="input_project_id"></a> [project\_id](#input\_project\_id) \| project id \| `string` \| n/a \| yes \|
145	146		\| <a name="input_region"></a> [region](#input\_region) \| The GCP region to use \| `string` \| `"eu-west4"` \| no \|
146	147
		skipped 11 lines

■ ■ ■ ■ ■ ■ ■

gcp/k8s/secret-challenge-vault-deployment.yml.tpl

		skipped 29 lines
30	30		fsGroup: 2000
31	31		serviceAccountName: vault
32	32		volumes:
	33	+	- name: 'ephemeral'
	34	+	emptyDir: {}
33	35		- name: secrets-store-inline
34	36		csi:
35	37		driver: secrets-store.csi.k8s.io
		skipped 3 lines
39	41		containers:
40	42		- image: jeroenwillemsen/wrongsecrets:1.5.7-k8s-vault
41	43		imagePullPolicy: IfNotPresent
	44	+	name: secret-challenge
42	45		ports:
43	46		- containerPort: 8080
44	47		protocol: TCP
45		-	name: secret-challenge
46		-	resources: {}
	48	+	readinessProbe:
	49	+	httpGet:
	50	+	path: '/actuator/health/readiness'
	51	+	port: 8080
	52	+	initialDelaySeconds: 30
	53	+	timeoutSeconds: 5
	54	+	periodSeconds: 5
	55	+	failureThreshold: 8
	56	+	livenessProbe:
	57	+	httpGet:
	58	+	path: '/actuator/health/liveness'
	59	+	port: 8080
	60	+	initialDelaySeconds: 35
	61	+	timeoutSeconds: 30
	62	+	periodSeconds: 40
	63	+	failureThreshold: 5
	64	+	securityContext:
	65	+	allowPrivilegeEscalation: false
	66	+	readOnlyRootFilesystem: true
	67	+	runAsNonRoot: true
	68	+	resources:
	69	+	requests:
	70	+	memory: '512Mi'
	71	+	cpu: '200m'
	72	+	ephemeral-storage: '1Gi'
	73	+	limits:
	74	+	memory: '512Mi'
	75	+	cpu: '800m'
	76	+	ephemeral-storage: '2Gi'
47	77		terminationMessagePath: /dev/termination-log
48	78		terminationMessagePolicy: File
49	79		env:
		skipped 19 lines
69	99		- name: secrets-store-inline
70	100		mountPath: "/mnt/secrets-store"
71	101		readOnly: true
	102	+	- name: 'ephemeral'
	103	+	mountPath: '/tmp'
72	104		dnsPolicy: ClusterFirst
73	105		restartPolicy: Always
74	106		schedulerName: default-scheduler
		skipped 2 lines

■ ■ ■ ■ ■ ■

gcp/main.tf

		skipped 39 lines
40	40		node_config {
41	41		# Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
42	42		service_account = google_service_account.wrongsecrets_cluster.email
43		-	machine_type = "e2-highcpu-2"
	43	+	machine_type = "e2-standard-2"
44	44		oauth_scopes = [
45	45		"https://www.googleapis.com/auth/cloud-platform"
46	46		]
		skipped 19 lines

■ ■ ■ ■ ■ ■

gcp/variables.tf

		skipped 11 lines
12	12		variable "cluster_version" {
13	13		description = "The GKE cluster version to use"
14	14		type = string
15		-	default = "1.22"
	15	+	default = "1.23"
16	16		}
17	17
18	18		variable "cluster_name" {
		skipped 5 lines

■ ■ ■ ■ ■ ■

gcp/versions.tf

		skipped 2 lines
3	3		required_providers {
4	4		google = {
5	5		source = "hashicorp/google"
6		-	version = "~> 4.1"
	6	+	version = "~> 4.39.0"
7	7		}
8	8		google-beta = {
9	9		source = "hashicorp/google-beta"
10		-	version = "~> 4.1"
	10	+	version = "~> 4.39.0"
11	11		}
12	12		random = {
13		-	version = "~> 3.0"
	13	+	version = "~> 3.4.3"
14	14		}
15	15		http = {
16		-	version = "~> 3.1"
	16	+	version = "~> 3.1.0"
17	17		}
18	18		}
19	19		}
		skipped 1 lines

■ ■ ■ ■ ■ ■ ■

k8s/secret-challenge-deployment.yml

		skipped 27 lines
28	28		runAsGroup: 2000
29	29		fsGroup: 2000
30	30		containers:
31		-	- image: jeroenwillemsen/wrongsecrets:1.5.3-no-vault
	31	+	- image: jeroenwillemsen/wrongsecrets:1.5.7-no-vault
32	32		imagePullPolicy: IfNotPresent
	33	+	name: secret-challenge
33	34		ports:
34	35		- containerPort: 8080
35	36		protocol: TCP
36		-	name: secret-challenge
37		-	resources: {}
	37	+	readinessProbe:
	38	+	httpGet:
	39	+	path: '/actuator/health/readiness'
	40	+	port: 8080
	41	+	initialDelaySeconds: 30
	42	+	timeoutSeconds: 5
	43	+	periodSeconds: 5
	44	+	failureThreshold: 8
	45	+	livenessProbe:
	46	+	httpGet:
	47	+	path: '/actuator/health/liveness'
	48	+	port: 8080
	49	+	initialDelaySeconds: 35
	50	+	timeoutSeconds: 30
	51	+	periodSeconds: 40
	52	+	failureThreshold: 5
	53	+	resources:
	54	+	requests:
	55	+	memory: '512Mi'
	56	+	cpu: '200m'
	57	+	ephemeral-storage: '1Gi'
	58	+	limits:
	59	+	memory: '512Mi'
	60	+	cpu: '1200m'
	61	+	ephemeral-storage: '2Gi'
	62	+	securityContext:
	63	+	allowPrivilegeEscalation: false
	64	+	readOnlyRootFilesystem: true
	65	+	runAsNonRoot: true
	66	+	volumeMounts:
	67	+	- name: 'ephemeral'
	68	+	mountPath: '/tmp'
38	69		terminationMessagePath: /dev/termination-log
39	70		terminationMessagePolicy: File
40	71		env:
		skipped 9 lines
50	81		secretKeyRef:
51	82		name: funnystuff
52	83		key: funnier
	84	+	volumes:
	85	+	- name: 'ephemeral'
	86	+	emptyDir: { }
53	87		dnsPolicy: ClusterFirst
54	88		restartPolicy: Always
55	89		schedulerName: default-scheduler
		skipped 2 lines

■ ■ ■ ■ ■ ■ ■

k8s/secret-challenge-vault-deployment.yml

		skipped 29 lines
30	30		runAsNonRoot: true
31	31		serviceAccountName: vault
32	32		containers:
33		-	- image: jeroenwillemsen/wrongsecrets:1.5.3-k8s-vault
	33	+	- image: jeroenwillemsen/wrongsecrets:1.5.7-k8s-vault
34	34		imagePullPolicy: IfNotPresent
	35	+	name: secret-challenge
	36	+	securityContext:
	37	+	allowPrivilegeEscalation: false
	38	+	readOnlyRootFilesystem: true
	39	+	runAsNonRoot: true
35	40		ports:
36	41		- containerPort: 8080
37	42		protocol: TCP
38		-	name: secret-challenge
39		-	resources: { }
	43	+	readinessProbe:
	44	+	httpGet:
	45	+	path: '/actuator/health/readiness'
	46	+	port: 8080
	47	+	initialDelaySeconds: 30
	48	+	timeoutSeconds: 5
	49	+	periodSeconds: 5
	50	+	failureThreshold: 8
	51	+	livenessProbe:
	52	+	httpGet:
	53	+	path: '/actuator/health/liveness'
	54	+	port: 8080
	55	+	initialDelaySeconds: 35
	56	+	timeoutSeconds: 30
	57	+	periodSeconds: 40
	58	+	failureThreshold: 5
	59	+	resources:
	60	+	requests:
	61	+	memory: '512Mi'
	62	+	cpu: '200m'
	63	+	ephemeral-storage: '1Gi'
	64	+	limits:
	65	+	memory: '512Mi'
	66	+	cpu: '1200m'
	67	+	ephemeral-storage: '2Gi'
	68	+	volumeMounts:
	69	+	- name: 'ephemeral'
	70	+	mountPath: '/tmp'
40	71		terminationMessagePath: /dev/termination-log
41	72		terminationMessagePolicy: File
42	73		env:
		skipped 13 lines
56	87		value: "http://vault:8200"
57	88		- name: JWT_PATH
58	89		value: "/var/run/secrets/kubernetes.io/serviceaccount/token"
	90	+	volumes:
	91	+	- name: 'ephemeral'
	92	+	emptyDir: { }
59	93		dnsPolicy: ClusterFirst
60	94		restartPolicy: Always
61	95		schedulerName: default-scheduler
		skipped 2 lines

■ ■ ■ ■ ■ ■

k8s-vault-minkube-start.sh

		skipped 8 lines
9	9
10	10		echo "This is only a script for demoing purposes. You can comment out line 22 and work with your own k8s setup"
11	11		echo "This script is based on the steps defined in https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube . Vault is awesome!"
12		-	minikube start --kubernetes-version=v1.22.5
	12	+	minikube start --kubernetes-version=v1.23.12
13	13
14	14		kubectl get configmaps \| grep 'secrets-file' &> /dev/null
15	15		if [ $? == 0 ]; then
		skipped 13 lines
29	29		echo "Consul is already installed"
30	30		else
31	31		helm repo add hashicorp https://helm.releases.hashicorp.com
32		-	helm install consul hashicorp/consul --version 0.30.0 --values k8s/helm-consul-values.yml
33	32		fi
	33	+	helm upgrade --install consul hashicorp/consul --set global.name=consul --create-namespace -n consul --values k8s/helm-consul-values.yml
34	34
35		-	while [[ $(kubectl get pods -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True" ]]; do echo "waiting for Consul" && sleep 2; done
	35	+	while [[ $(kubectl get pods -n consul -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True" ]]; do echo "waiting for Consul" && sleep 2; done
36	36
37	37		helm list \| grep 'vault' &> /dev/null
38	38		if [ $? == 0 ]; then
39	39		echo "Vault is already installed"
40	40		else
41	41		helm repo add hashicorp https://helm.releases.hashicorp.com
42		-	helm install vault hashicorp/vault --version 0.19.0 --values k8s/helm-vault-values.yml
43	42		fi
	43	+	helm upgrade --install vault hashicorp/vault --version 0.22.0 --values k8s/helm-vault-values.yml
44	44
45	45		isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running)
46	46		while [[ $isvaultrunning != "vault-0" ]]; do echo "waiting for Vault1" && sleep 2 && isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running); done
		skipped 5 lines
52	52		kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
53	53		cat cluster-keys.json \| jq -r ".unseal_keys_b64[]"
54	54		VAULT_UNSEAL_KEY=$(cat cluster-keys.json \| jq -r ".unseal_keys_b64[]")
55		-	kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
56		-	kubectl exec vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
57		-	kubectl exec vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
	55	+
	56	+	echo "⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰"
	57	+	echo "PLEASE COPY PASTE THE FOLLOWING VALUE: ${VAULT_UNSEAL_KEY} , you will be asked for it 3 times to unseal the vaults"
	58	+
	59	+	kubectl exec -it vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
	60	+	kubectl exec -it vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
	61	+	kubectl exec -it vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
58	62
59	63
60	64		echo "Obtaining root token"
		skipped 59 lines

■ ■ ■ ■ ■ ■ ■

okteto/k8s/secret-challenge-deployment.yml

		skipped 28 lines
29	29		fsGroup: 2000
30	30		containers:
31	31		- image: jeroenwillemsen/wrongsecrets:1.5.7-no-vault
	32	+	name: secret-challenge
32	33		imagePullPolicy: IfNotPresent
	34	+	securityContext:
	35	+	allowPrivilegeEscalation: false
	36	+	readOnlyRootFilesystem: true
	37	+	runAsNonRoot: true
33	38		ports:
34	39		- containerPort: 8080
35	40		protocol: TCP
36		-	name: secret-challenge
37		-	resources: {}
	41	+	readinessProbe:
	42	+	httpGet:
	43	+	path: '/actuator/health/readiness'
	44	+	port: 8080
	45	+	initialDelaySeconds: 30
	46	+	timeoutSeconds: 5
	47	+	periodSeconds: 5
	48	+	failureThreshold: 8
	49	+	livenessProbe:
	50	+	httpGet:
	51	+	path: '/actuator/health/liveness'
	52	+	port: 8080
	53	+	initialDelaySeconds: 35
	54	+	timeoutSeconds: 30
	55	+	periodSeconds: 40
	56	+	failureThreshold: 5
	57	+	resources:
	58	+	requests:
	59	+	memory: '512Mi'
	60	+	cpu: '200m'
	61	+	ephemeral-storage: '1Gi'
	62	+	limits:
	63	+	memory: '512Mi'
	64	+	cpu: '1200m'
	65	+	ephemeral-storage: '2Gi'
	66	+	volumeMounts:
	67	+	- name: 'ephemeral'
	68	+	mountPath: '/tmp'
38	69		terminationMessagePath: /dev/termination-log
39	70		terminationMessagePolicy: File
40	71		env:
		skipped 9 lines
50	81		secretKeyRef:
51	82		name: funnystuff
52	83		key: funnier
	84	+	volumes:
	85	+	- name: 'ephemeral'
	86	+	emptyDir: {}
53	87		dnsPolicy: ClusterFirst
54	88		restartPolicy: Always
55	89		schedulerName: default-scheduler
		skipped 2 lines

■ ■ ■ ■ ■ ■

scripts/install-consul.sh

		skipped 3 lines
4	4		else
5	5		helm repo add hashicorp https://helm.releases.hashicorp.com
6	6		helm repo update hashicorp
7		-	helm install consul hashicorp/consul --version 0.30.0 --values ../k8s/helm-consul-values.yml
	7	+	helm upgrade --install consul hashicorp/consul --set global.name=consul --create-namespace -n consul --values ../k8s/helm-consul-values.yml
8	8		fi
9	9
10		-	while [[ $(kubectl get pods -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True" && $(kubectl get pods -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True True True" ]]; do echo "waiting for Consul" && sleep 2; done
	10	+	while [[ $(kubectl get pods -n consul -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True" && $(kubectl get pods -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True True True" ]]; do echo "waiting for Consul" && sleep 2; done
11	11

■ ■ ■ ■ ■ ■

scripts/install-vault.sh

		skipped 3 lines
4	4		else
5	5		helm repo add hashicorp https://helm.releases.hashicorp.com
6	6		helm repo update hashicorp
7		-	helm install vault hashicorp/vault --version 0.19.0 --values ../k8s/helm-vault-values.yml
	7	+	helm upgrade --install vault hashicorp/vault --version 0.22.0 --values ../k8s/helm-vault-values.yml
8	8		fi
9	9
10	10		isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running)
		skipped 4 lines
15	15		echo "Setting up port forwarding"
16	16		kubectl port-forward vault-0 8200:8200 &
17	17		echo "Unsealing Vault"
18		-	kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json >cluster-keys.json
	18	+	kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
19	19		cat cluster-keys.json \| jq -r ".unseal_keys_b64[]"
20	20		VAULT_UNSEAL_KEY=$(cat cluster-keys.json \| jq -r ".unseal_keys_b64[]")
21		-	kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
22		-	kubectl exec vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
23		-	kubectl exec vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
	21	+
	22	+	echo "⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰"
	23	+	echo "PLEASE COPY PASTE THE FOLLOWING VALUE: $VAULT_UNSEAL_KEY, you will be asked for it 3 times to unseal the vaults"
	24	+
	25	+	kubectl exec -it vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
	26	+	kubectl exec -it vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
	27	+	kubectl exec -it vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
24	28
25	29		echo "Obtaining root token"
26	30		jq .root_token cluster-keys.json >commentedroottoken
		skipped 42 lines

Merge pull request #452 from commjoen/hardening