Projects STRLCPY wrongsecrets Commits 9f4d2726
    .github/workflows/minikube-k8s-test.yml
    skipped 20 lines
    21 21   - name: Start minikube
    22 22   uses: medyagh/setup-minikube@master
    23 23   with:
    24  - minikube-version: 1.25.2
     24 + minikube-version: 1.27.0
    25 25   driver: docker
    26  - kubernetes-version: v1.22.5
     26 + kubernetes-version: v1.23.12
    27 27   - name: test script
    28 28   run: |
    29 29   kubectl apply -f k8s/secrets-config.yml
    skipped 16 lines
    .github/workflows/minikube-vault-test.yml
    skipped 21 lines
    22 22   - name: Start minikube
    23 23   uses: medyagh/setup-minikube@master
    24 24   with:
    25  - minikube-version: 1.25.2
     25 + minikube-version: 1.27.0
    26 26   driver: docker
    27  - kubernetes-version: v1.22.5
     27 + kubernetes-version: v1.23.12
    28 28   - name: Setup helm
    29 29   uses: azure/[email protected]
    30 30   id: install
    skipped 4 lines
    .github/workflows/pre-commit.yml
    skipped 8 lines
    9 9  env:
    10 10   TF_DOCS_VERSION: v0.16.0
    11 11   TFSEC_VERSION: v1.27.6
    12  - TFLINT_VERSION: v0.39.3
     12 + TFLINT_VERSION: v0.41.0
    13 13  permissions:
    14 14   contents: read
    15 15  jobs:
    skipped 37 lines
    README.md
    skipped 129 lines
    130 130   
    131 131  ### Okteto based
    132 132   
    133  -Don't want to go over the hassle of setting up K8S yourself? visit [https://wrongsecrets-commjoen.cloud.okteto.net](https://wrongsecrets-commjoen.cloud.okteto.net/). Please note that we are using the free Developer version here, so it might take a while for it to respond. Please: do not try to hack/Fuzz the application as this might bring it down and spoil the fun for others.
     133 +Don't want to go over the hassle of setting up K8S yourself? visit [https://wrongsecrets-commjoen.cloud.okteto.net](https://wrongsecrets-commjoen.cloud.okteto.net/). Please note that we are using the free Developer version here, so it might take a while for it to respond at first (e.g. "development environment not ready" and then a 50x for a minute). Please: do not try to hack/Fuzz the application as this might bring it down and spoil the fun for others.
    134 134   
    135 135  ## Vault exercises with minikube
    136 136   
    skipped 254 lines
    aws/README.md
    skipped 100 lines
    101 101  | Name | Version |
    102 102  |------|---------|
    103 103  | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.1 |
    104  -| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.1 |
     104 +| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.33.0 |
    105 105  | <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.1 |
    106  -| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
     106 +| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.4.3 |
    107 107   
    108 108  ## Providers
    109 109   
    110 110  | Name | Version |
    111 111  |------|---------|
    112  -| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.1 |
     112 +| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.33.0 |
    113 113  | <a name="provider_http"></a> [http](#provider\_http) | ~> 3.1 |
    114  -| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.0 |
     114 +| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.4.3 |
    115 115   
    116 116  ## Modules
    117 117   
    118 118  | Name | Source | Version |
    119 119  |------|--------|---------|
     120 +| <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 4.12 |
    120 121  | <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | 18.30.0 |
    121 122  | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.16.0 |
    122 123   
    skipped 28 lines
    151 152  | Name | Description | Type | Default | Required |
    152 153  |------|-------------|------|---------|:--------:|
    153 154  | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The EKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
    154  -| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.22"` | no |
     155 +| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.23"` | no |
    155 156  | <a name="input_region"></a> [region](#input\_region) | The AWS region to use | `string` | `"eu-west-1"` | no |
    156 157   
    157 158  ## Outputs
    skipped 9 lines
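--- a/aws/irsa.tf
+++ b/aws/irsa.tf
@@ -13,8 +13,10 @@
 data "aws_iam_policy_document" "assume_role_with_oidc" {
 statement {
 principals {
-type = "Federated"
-identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}"]
+type = "Federated"
+identifiers = [
+"arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}"
+]
 }
 effect = "Allow"
 actions = ["sts:AssumeRoleWithWebIdentity"]
@@ -120,3 +122,17 @@
 }
 }
 
+module "ebs_csi_irsa_role" {
+source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+version = "~> 4.12"
+role_name = "ebs-csi"
+attach_ebs_csi_policy = true
+
+oidc_providers = {
+ex = {
+provider_arn = module.eks.oidc_provider_arn
+namespace_service_accounts = ["consul:server", "kube-system:ebs-csi-controller-sa"]
+}
+}
+}
+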
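Review bot: The trust list on new line 134 lets `consul:server` assume the role this module builds with `attach_ebs_csi_policy = true`, so the Consul server pods can exercise the EBS CSI policy (volume create/attach/delete and snapshot rights, as far as that managed policy reaches) although only the CSI controller needs it. Restrict it to `namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]` and, if Consul genuinely needs AWS access, give it its own role with its own policy. `role_name = "ebs-csi"` is also a fixed, account-wide IAM name, so a second cluster in the same account fails on apply with a name collision; `role_name = "${var.cluster_name}-ebs-csi"` (the variable exists in aws/variables.tf) avoids that.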
    aws/k8s/secret-challenge-vault-deployment.yml
    skipped 29 lines
    30 30   fsGroup: 2000
    31 31   serviceAccountName: vault
    32 32   volumes:
     33 + - name: 'ephemeral'
     34 + emptyDir: { }
    33 35   - name: secrets-store-inline
    34 36   csi:
    35 37   driver: secrets-store.csi.k8s.io
    skipped 3 lines
    39 41   containers:
    40 42   - image: jeroenwillemsen/wrongsecrets:1.5.7-k8s-vault
    41 43   imagePullPolicy: IfNotPresent
     44 + name: secret-challenge
     45 + securityContext:
     46 + allowPrivilegeEscalation: false
     47 + readOnlyRootFilesystem: true
     48 + runAsNonRoot: true
    42 49   ports:
    43 50   - containerPort: 8080
    44 51   protocol: TCP
    45  - name: secret-challenge
    46  - resources: {}
     52 + readinessProbe:
     53 + httpGet:
     54 + path: '/actuator/health/readiness'
     55 + port: 8080
     56 + initialDelaySeconds: 30
     57 + timeoutSeconds: 5
     58 + periodSeconds: 5
     59 + failureThreshold: 8
     60 + livenessProbe:
     61 + httpGet:
     62 + path: '/actuator/health/liveness'
     63 + port: 8080
     64 + initialDelaySeconds: 35
     65 + timeoutSeconds: 30
     66 + periodSeconds: 40
     67 + failureThreshold: 5
     68 + resources:
     69 + requests:
     70 + memory: '512Mi'
     71 + cpu: '200m'
     72 + ephemeral-storage: '1Gi'
     73 + limits:
     74 + memory: '512Mi'
     75 + cpu: '1200m'
     76 + ephemeral-storage: '2Gi'
    47 77   terminationMessagePath: /dev/termination-log
    48 78   terminationMessagePolicy: File
    49 79   env:
    skipped 17 lines
    67 97   - name: secrets-store-inline
    68 98   mountPath: "/mnt/secrets-store"
    69 99   readOnly: true
     100 + - name: 'ephemeral'
     101 + mountPath: '/tmp'
    70 102   dnsPolicy: ClusterFirst
    71 103   restartPolicy: Always
    72 104   schedulerName: default-scheduler
    skipped 2 lines
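Review bot: The container `securityContext` added at new lines 45-48 stops short of the Pod Security Standards "restricted" profile: it blocks privilege escalation and makes the root filesystem read-only, but keeps the runtime's default capability set and asks for no seccomp profile, so the pod is still rejected by a namespace enforcing `restricted` and keeps capabilities such as `NET_RAW` that a Java web app should not need. Add `capabilities: { drop: ["ALL"] }` and `seccompProfile: { type: RuntimeDefault }` under the same `securityContext`. Indentation is flattened in this rendering, so I cannot confirm that the new keys sit under the container and not the pod spec; `allowPrivilegeEscalation` and `readOnlyRootFilesystem` are container-only fields and would be rejected at pod level, please double-check the nesting.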
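--- a/aws/k8s-vault-aws-start.sh
+++ b/aws/k8s-vault-aws-start.sh
@@ -26,6 +26,14 @@
 kubectl apply -f ../k8s/secrets-secret.yml
 fi
 
+kubectl get sa ebs-csi-controller-sa -n kube-system | grep '1' &>/dev/null
+if [ $? == 0 ]; then
+echo "EBS CSI driver is installed, skipping (1 secret found)"
+else
+echo "Installing the EBS CSI Driver from https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md as AWS makes shit hard on us"
+kubectl apply -k "github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.12"
+fi
+
 source ../scripts/install-consul.sh
 
 source ../scripts/install-vault.sh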
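Review bot: The presence check on new line 29 greps the `kubectl get sa` output for the character `1`, which matches the AGE column (`1m`, `10d`, `1h`) just as well as the SECRETS column — and on clusters that no longer auto-create token secrets the SECRETS column is `0` anyway — so the install is skipped or repeated depending on how old the service account happens to be; `kubectl get sa ebs-csi-controller-sa -n kube-system &>/dev/null` is the check the echo describes. The `kubectl apply -k` on new line 34 applies cluster-wide manifests fetched from GitHub at `?ref=release-1.12`, a moving branch, so what gets deployed can change between runs without any change here; pin `ref` to the intended release tag or a full commit SHA and state that version in the echo. If this script does not `set -e` earlier (outside the hunk), a failed apply is silently ignored and the Consul/Vault installs below run against a cluster with no storage driver, so consider `|| exit 1` on that line.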
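--- a/aws/main.tf
+++ b/aws/main.tf
@@ -89,7 +89,8 @@
 "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
 "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
 "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
-"arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
+"arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
+"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
 ]
 }
 
@@ -97,8 +98,10 @@
 bottlerocket_default = {
 create_launch_template = false
 launch_template_name = ""
-
-capacity_type = "SPOT"
+min_size = 1
+max_size = 3
+desired_size = 1
+capacity_type = "SPOT"
 
 ami_type = "BOTTLEROCKET_x86_64"
 platform = "bottlerocket"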
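Review bot: Adding `arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy` on new line 93 grants EBS volume and snapshot management to every pod on these nodes that can reach the instance metadata endpoint, not just the CSI controller. The same commit creates an IRSA role for the controller in aws/irsa.tf, which is the least-privilege path, so I would drop this entry and let only `ebs-csi-controller-sa` carry the policy; if the node-level grant is deliberate, add a comment saying why and make sure the nodes require IMDSv2 with a hop limit of 1 so pods cannot borrow the instance credentials. The list this line belongs to opens before the hunk, so I am assuming it is the node group's additional policies — please confirm.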
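--- a/aws/terraform.tfvars
+++ b/aws/terraform.tfvars
@@ -1,3 +1,3 @@
-cluster_version = "1.22"
+cluster_version = "1.23"
 region = "eu-west-1"
 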
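--- a/aws/variables.tf
+++ b/aws/variables.tf
@@ -7,7 +7,7 @@
 variable "cluster_version" {
 description = "The EKS cluster version to use"
 type = string
-default = "1.22"
+default = "1.23"
 }
 
 variable "cluster_name" {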
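--- a/aws/versions.tf
+++ b/aws/versions.tf
@@ -3,10 +3,10 @@
 
 required_providers {
 aws = {
-version = "~> 4.1"
+version = "~> 4.33.0"
 }
 random = {
-version = "~> 3.0"
+version = "~> 3.4.3"
 }
 http = {
 version = "~> 3.1"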
    azure/README.md
    skipped 94 lines
    95 95  | Name | Version |
    96 96  |------|---------|
    97 97  | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.1 |
    98  -| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.9 |
    99  -| <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.1 |
    100  -| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
     98 +| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.25.0 |
     99 +| <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.1.0 |
     100 +| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.4.3 |
    101 101   
    102 102  ## Providers
    103 103   
    104 104  | Name | Version |
    105 105  |------|---------|
    106  -| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | ~> 3.9 |
    107  -| <a name="provider_http"></a> [http](#provider\_http) | ~> 3.1 |
    108  -| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.0 |
     106 +| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | ~> 3.25.0 |
     107 +| <a name="provider_http"></a> [http](#provider\_http) | ~> 3.1.0 |
     108 +| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.4.3 |
    109 109   
    110 110  ## Modules
    111 111   
    skipped 28 lines
    140 140  | Name | Description | Type | Default | Required |
    141 141  |------|-------------|------|---------|:--------:|
    142 142  | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The AKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
    143  -| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The AKS cluster version to use | `string` | `"1.22.6"` | no |
     143 +| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The AKS cluster version to use | `string` | `"1.23.12"` | no |
    144 144  | <a name="input_region"></a> [region](#input\_region) | The Azure region to use | `string` | `"East US"` | no |
    145 145   
    146 146  ## Outputs
    skipped 15 lines
    azure/k8s/secret-challenge-vault-deployment.yml.tpl
    skipped 25 lines
    26 26   aadpodidbinding: wrongsecrets-pod-id
    27 27   name: secret-challenge
    28 28   spec:
     29 + securityContext:
     30 + runAsUser: 2000
     31 + runAsGroup: 2000
     32 + fsGroup: 2000
    29 33   serviceAccountName: vault
    30 34   volumes:
     35 + - name: 'ephemeral'
     36 + emptyDir: {}
    31 37   - name: secrets-store-inline
    32 38   csi:
    33 39   driver: secrets-store.csi.k8s.io
    skipped 3 lines
    37 43   containers:
    38 44   - image: jeroenwillemsen/wrongsecrets:1.5.7-k8s-vault
    39 45   imagePullPolicy: IfNotPresent
     46 + name: secret-challenge
     47 + securityContext:
     48 + allowPrivilegeEscalation: false
     49 + readOnlyRootFilesystem: true
     50 + runAsNonRoot: true
    40 51   ports:
    41 52   - containerPort: 8080
    42 53   protocol: TCP
    43  - name: secret-challenge
    44  - resources: {}
     54 + readinessProbe:
     55 + httpGet:
     56 + path: '/actuator/health/readiness'
     57 + port: 8080
     58 + initialDelaySeconds: 30
     59 + timeoutSeconds: 5
     60 + periodSeconds: 5
     61 + failureThreshold: 8
     62 + livenessProbe:
     63 + httpGet:
     64 + path: '/actuator/health/liveness'
     65 + port: 8080
     66 + initialDelaySeconds: 35
     67 + timeoutSeconds: 30
     68 + periodSeconds: 40
     69 + failureThreshold: 5
     70 + resources:
     71 + requests:
     72 + memory: '256Mi'
     73 + cpu: '200m'
     74 + ephemeral-storage: '1Gi'
     75 + limits:
     76 + memory: '512Mi'
     77 + cpu: '1200m'
     78 + ephemeral-storage: '2Gi'
    45 79   terminationMessagePath: /dev/termination-log
    46 80   terminationMessagePolicy: File
    47 81   env:
    skipped 4 lines
    52 86   - name: azure_keyvault_uri
    53 87   value: ${AZ_VAULT_URI}
    54 88   - name: management.health.azure-key-vault.enabled
    55  - value: true
     89 + value: "true"
    56 90   - name: SPECIAL_K8S_SECRET
    57 91   valueFrom:
    58 92   configMapKeyRef:
    skipped 12 lines
    71 105   - name: secrets-store-inline
    72 106   mountPath: "/mnt/secrets-store"
    73 107   readOnly: true
     108 + - name: 'ephemeral'
     109 + mountPath: '/tmp'
    74 110   dnsPolicy: ClusterFirst
    75 111   restartPolicy: Always
    76 112   schedulerName: default-scheduler
    77  - securityContext: {}
    78 113   terminationGracePeriodSeconds: 30
    79 114   
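Review bot: The new container `securityContext` at lines 47-50 still runs with the runtime's default capability bundle and no seccomp profile, so this pod would not pass a namespace enforcing the `restricted` Pod Security Standard even though the pod-level `runAsUser`/`runAsGroup`/`fsGroup: 2000` added at lines 29-32 and `runAsNonRoot: true` are otherwise in good shape. Add `capabilities: { drop: ["ALL"] }` and `seccompProfile: { type: RuntimeDefault }` next to `allowPrivilegeEscalation: false`. The quoting fix on line 89 (`value: "true"`) is right — a bare `true` is a YAML boolean and the API server rejects it for an env var — it would be worth a one-line comment so nobody "cleans it up" later.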
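--- a/azure/variables.tf
+++ b/azure/variables.tf
@@ -7,7 +7,7 @@
 variable "cluster_version" {
 description = "The AKS cluster version to use"
 type = string
-default = "1.22.6"
+default = "1.23.12"
 }
 
 variable "cluster_name" {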
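--- a/azure/versions.tf
+++ b/azure/versions.tf
@@ -3,13 +3,13 @@
 
 required_providers {
 random = {
-version = "~> 3.0"
+version = "~> 3.4.3"
 }
 azurerm = {
-version = "~> 3.9"
+version = "~> 3.25.0"
 }
 http = {
-version = "~> 3.1"
+version = "~> 3.1.0"
 }
 }
 }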
    gcp/README.md
    skipped 44 lines
    45 45  5. Run `terraform init` (if required, use tfenv to select TF 0.14.0 or higher )
    46 46  6. Run `terraform plan`
    47 47  7. Run `terraform apply`. Note: the apply will take 10 to 20 minutes depending on the speed of the GCP backplane.
    48  -8. When creation is done, run `gcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION`. Note if it errors on a missing plugin to support `kubectl`, then run `gcloud components install gke-gcloud-auth-plugin` and `gcloud container clusters get-credentials wrongsecrets-exercise-cluster` .
    49  -9. Run `./k8s-vault-gcp-start.sh`
     48 +8. Run `export USE_GKE_GCLOUD_AUTH_PLUGIN=True`
     49 +9When creation is done, run `gcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION`. Note if it errors on a missing plugin to support `kubectl`, then run `gcloud components install gke-gcloud-auth-plugin` and `gcloud container clusters get-credentials wrongsecrets-exercise-cluster` .
     50 +10. Run `./k8s-vault-gcp-start.sh`
    50 51   
    51 52  ### GKE ingres for shared deployment
    52 53   
    skipped 39 lines
    92 93  | Name | Version |
    93 94  |------|---------|
    94 95  | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.1 |
    95  -| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 4.1 |
    96  -| <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) | ~> 4.1 |
    97  -| <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.1 |
    98  -| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
     96 +| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 4.39.0 |
     97 +| <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) | ~> 4.39.0 |
     98 +| <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.1.0 |
     99 +| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.4.3 |
    99 100   
    100 101  ## Providers
    101 102   
    102 103  | Name | Version |
    103 104  |------|---------|
    104  -| <a name="provider_google"></a> [google](#provider\_google) | ~> 4.1 |
    105  -| <a name="provider_google-beta"></a> [google-beta](#provider\_google-beta) | ~> 4.1 |
    106  -| <a name="provider_http"></a> [http](#provider\_http) | ~> 3.1 |
    107  -| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.0 |
     105 +| <a name="provider_google"></a> [google](#provider\_google) | ~> 4.39.0 |
     106 +| <a name="provider_google-beta"></a> [google-beta](#provider\_google-beta) | ~> 4.39.0 |
     107 +| <a name="provider_http"></a> [http](#provider\_http) | ~> 3.1.0 |
     108 +| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.4.3 |
    108 109   
    109 110  ## Modules
    110 111   
    skipped 29 lines
    140 141  | Name | Description | Type | Default | Required |
    141 142  |------|-------------|------|---------|:--------:|
    142 143  | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The GKE cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
    143  -| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The GKE cluster version to use | `string` | `"1.22"` | no |
     144 +| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The GKE cluster version to use | `string` | `"1.23"` | no |
    144 145  | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | project id | `string` | n/a | yes |
    145 146  | <a name="input_region"></a> [region](#input\_region) | The GCP region to use | `string` | `"eu-west4"` | no |
    146 147   
    skipped 11 lines
    gcp/k8s/secret-challenge-vault-deployment.yml.tpl
    skipped 29 lines
    30 30   fsGroup: 2000
    31 31   serviceAccountName: vault
    32 32   volumes:
     33 + - name: 'ephemeral'
     34 + emptyDir: {}
    33 35   - name: secrets-store-inline
    34 36   csi:
    35 37   driver: secrets-store.csi.k8s.io
    skipped 3 lines
    39 41   containers:
    40 42   - image: jeroenwillemsen/wrongsecrets:1.5.7-k8s-vault
    41 43   imagePullPolicy: IfNotPresent
     44 + name: secret-challenge
    42 45   ports:
    43 46   - containerPort: 8080
    44 47   protocol: TCP
    45  - name: secret-challenge
    46  - resources: {}
     48 + readinessProbe:
     49 + httpGet:
     50 + path: '/actuator/health/readiness'
     51 + port: 8080
     52 + initialDelaySeconds: 30
     53 + timeoutSeconds: 5
     54 + periodSeconds: 5
     55 + failureThreshold: 8
     56 + livenessProbe:
     57 + httpGet:
     58 + path: '/actuator/health/liveness'
     59 + port: 8080
     60 + initialDelaySeconds: 35
     61 + timeoutSeconds: 30
     62 + periodSeconds: 40
     63 + failureThreshold: 5
     64 + securityContext:
     65 + allowPrivilegeEscalation: false
     66 + readOnlyRootFilesystem: true
     67 + runAsNonRoot: true
     68 + resources:
     69 + requests:
     70 + memory: '512Mi'
     71 + cpu: '200m'
     72 + ephemeral-storage: '1Gi'
     73 + limits:
     74 + memory: '512Mi'
     75 + cpu: '800m'
     76 + ephemeral-storage: '2Gi'
    47 77   terminationMessagePath: /dev/termination-log
    48 78   terminationMessagePolicy: File
    49 79   env:
    skipped 19 lines
    69 99   - name: secrets-store-inline
    70 100   mountPath: "/mnt/secrets-store"
    71 101   readOnly: true
     102 + - name: 'ephemeral'
     103 + mountPath: '/tmp'
    72 104   dnsPolicy: ClusterFirst
    73 105   restartPolicy: Always
    74 106   schedulerName: default-scheduler
    skipped 2 lines
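Review bot: The `securityContext` added at new lines 64-67 drops privilege escalation and the writable root filesystem but leaves the default Linux capabilities in place and sets no seccomp profile, which is what a `restricted` Pod Security admission namespace on GKE would reject; add `capabilities: { drop: ["ALL"] }` and `seccompProfile: { type: RuntimeDefault }` to the same map. The CPU limit on line 75 is `800m` while the aws, azure, k8s and okteto manifests in this commit use `1200m`; if that is intentional for the `e2-standard-2` nodes chosen in gcp/main.tf, a short comment such as `# 800m keeps one pod per e2-standard-2 node under the allocatable CPU` would stop the next refactor from "aligning" it.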
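--- a/gcp/main.tf
+++ b/gcp/main.tf
@@ -40,7 +40,7 @@
 node_config {
 # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
 service_account = google_service_account.wrongsecrets_cluster.email
-machine_type = "e2-highcpu-2"
+machine_type = "e2-standard-2"
 oauth_scopes = [
 "https://www.googleapis.com/auth/cloud-platform"
 ]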
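--- a/gcp/variables.tf
+++ b/gcp/variables.tf
@@ -12,7 +12,7 @@
 variable "cluster_version" {
 description = "The GKE cluster version to use"
 type = string
-default = "1.22"
+default = "1.23"
 }
 
 variable "cluster_name" {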
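--- a/gcp/versions.tf
+++ b/gcp/versions.tf
@@ -3,17 +3,17 @@
 required_providers {
 google = {
 source = "hashicorp/google"
-version = "~> 4.1"
+version = "~> 4.39.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
-version = "~> 4.1"
+version = "~> 4.39.0"
 }
 random = {
-version = "~> 3.0"
+version = "~> 3.4.3"
 }
 http = {
-version = "~> 3.1"
+version = "~> 3.1.0"
 }
 }
 }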
    k8s/secret-challenge-deployment.yml
    skipped 27 lines
    28 28   runAsGroup: 2000
    29 29   fsGroup: 2000
    30 30   containers:
    31  - - image: jeroenwillemsen/wrongsecrets:1.5.3-no-vault
     31 + - image: jeroenwillemsen/wrongsecrets:1.5.7-no-vault
    32 32   imagePullPolicy: IfNotPresent
     33 + name: secret-challenge
    33 34   ports:
    34 35   - containerPort: 8080
    35 36   protocol: TCP
    36  - name: secret-challenge
    37  - resources: {}
     37 + readinessProbe:
     38 + httpGet:
     39 + path: '/actuator/health/readiness'
     40 + port: 8080
     41 + initialDelaySeconds: 30
     42 + timeoutSeconds: 5
     43 + periodSeconds: 5
     44 + failureThreshold: 8
     45 + livenessProbe:
     46 + httpGet:
     47 + path: '/actuator/health/liveness'
     48 + port: 8080
     49 + initialDelaySeconds: 35
     50 + timeoutSeconds: 30
     51 + periodSeconds: 40
     52 + failureThreshold: 5
     53 + resources:
     54 + requests:
     55 + memory: '512Mi'
     56 + cpu: '200m'
     57 + ephemeral-storage: '1Gi'
     58 + limits:
     59 + memory: '512Mi'
     60 + cpu: '1200m'
     61 + ephemeral-storage: '2Gi'
     62 + securityContext:
     63 + allowPrivilegeEscalation: false
     64 + readOnlyRootFilesystem: true
     65 + runAsNonRoot: true
     66 + volumeMounts:
     67 + - name: 'ephemeral'
     68 + mountPath: '/tmp'
    38 69   terminationMessagePath: /dev/termination-log
    39 70   terminationMessagePolicy: File
    40 71   env:
    skipped 9 lines
    50 81   secretKeyRef:
    51 82   name: funnystuff
    52 83   key: funnier
     84 + volumes:
     85 + - name: 'ephemeral'
     86 + emptyDir: { }
    53 87   dnsPolicy: ClusterFirst
    54 88   restartPolicy: Always
    55 89   schedulerName: default-scheduler
    skipped 2 lines
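Review bot: The image bump on new line 31 keeps a mutable tag (`jeroenwillemsen/wrongsecrets:1.5.7-no-vault`) combined with `imagePullPolicy: IfNotPresent`, so a re-pushed tag is silently picked up by new nodes while old nodes keep the cached layer — two nodes in one cluster can run different code under the same manifest; pin by digest (`image: jeroenwillemsen/wrongsecrets:1.5.7-no-vault@sha256:...` with the digest of the image that was actually tested) and refresh it with the tag. The no-vault variant has no visible use of the Kubernetes API (its env only reads a ConfigMap and a Secret), so `automountServiceAccountToken: false` on the pod spec would keep a service-account token out of a deliberately vulnerable container — please confirm nothing in the image reads it. The new `securityContext` at lines 62-65 should also get `capabilities: { drop: ["ALL"] }` and `seccompProfile: { type: RuntimeDefault }` to satisfy the `restricted` Pod Security Standard.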
    k8s/secret-challenge-vault-deployment.yml
    skipped 29 lines
    30 30   runAsNonRoot: true
    31 31   serviceAccountName: vault
    32 32   containers:
    33  - - image: jeroenwillemsen/wrongsecrets:1.5.3-k8s-vault
     33 + - image: jeroenwillemsen/wrongsecrets:1.5.7-k8s-vault
    34 34   imagePullPolicy: IfNotPresent
     35 + name: secret-challenge
     36 + securityContext:
     37 + allowPrivilegeEscalation: false
     38 + readOnlyRootFilesystem: true
     39 + runAsNonRoot: true
    35 40   ports:
    36 41   - containerPort: 8080
    37 42   protocol: TCP
    38  - name: secret-challenge
    39  - resources: { }
     43 + readinessProbe:
     44 + httpGet:
     45 + path: '/actuator/health/readiness'
     46 + port: 8080
     47 + initialDelaySeconds: 30
     48 + timeoutSeconds: 5
     49 + periodSeconds: 5
     50 + failureThreshold: 8
     51 + livenessProbe:
     52 + httpGet:
     53 + path: '/actuator/health/liveness'
     54 + port: 8080
     55 + initialDelaySeconds: 35
     56 + timeoutSeconds: 30
     57 + periodSeconds: 40
     58 + failureThreshold: 5
     59 + resources:
     60 + requests:
     61 + memory: '512Mi'
     62 + cpu: '200m'
     63 + ephemeral-storage: '1Gi'
     64 + limits:
     65 + memory: '512Mi'
     66 + cpu: '1200m'
     67 + ephemeral-storage: '2Gi'
     68 + volumeMounts:
     69 + - name: 'ephemeral'
     70 + mountPath: '/tmp'
    40 71   terminationMessagePath: /dev/termination-log
    41 72   terminationMessagePolicy: File
    42 73   env:
    skipped 13 lines
    56 87   value: "http://vault:8200"
    57 88   - name: JWT_PATH
    58 89   value: "/var/run/secrets/kubernetes.io/serviceaccount/token"
     90 + volumes:
     91 + - name: 'ephemeral'
     92 + emptyDir: { }
    59 93   dnsPolicy: ClusterFirst
    60 94   restartPolicy: Always
    61 95   schedulerName: default-scheduler
    skipped 2 lines
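Review bot: The container `securityContext` at new lines 36-39 repeats `runAsNonRoot: true` from the pod spec (line 30, context) but does not drop capabilities or set a seccomp profile, which is what separates this from the `restricted` Pod Security Standard; add `capabilities: { drop: ["ALL"] }` and `seccompProfile: { type: RuntimeDefault }`. Unlike the no-vault manifest, this pod legitimately needs its projected service-account token (`JWT_PATH` on line 89 points at it for Vault auth), so the token mount must stay — a one-line comment next to `serviceAccountName: vault` saying so would prevent someone from applying `automountServiceAccountToken: false` here by analogy. The image tag on line 33 is still mutable; pinning by digest would make the two `1.5.7` variants reproducible.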
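--- a/k8s-vault-minkube-start.sh
+++ b/k8s-vault-minkube-start.sh
@@ -9,7 +9,7 @@
 
 echo "This is only a script for demoing purposes. You can comment out line 22 and work with your own k8s setup"
 echo "This script is based on the steps defined in https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube . Vault is awesome!"
-minikube start --kubernetes-version=v1.22.5
+minikube start --kubernetes-version=v1.23.12
 
 kubectl get configmaps | grep 'secrets-file' &> /dev/null
 if [ $? == 0 ]; then
@@ -29,18 +29,18 @@
 echo "Consul is already installed"
 else
 helm repo add hashicorp https://helm.releases.hashicorp.com
-helm install consul hashicorp/consul --version 0.30.0 --values k8s/helm-consul-values.yml
 fi
+helm upgrade --install consul hashicorp/consul --set global.name=consul --create-namespace -n consul --values k8s/helm-consul-values.yml
 
-while [[ $(kubectl get pods -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True" ]]; do echo "waiting for Consul" && sleep 2; done
+while [[ $(kubectl get pods -n consul -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True" ]]; do echo "waiting for Consul" && sleep 2; done
 
 helm list | grep 'vault' &> /dev/null
 if [ $? == 0 ]; then
 echo "Vault is already installed"
 else
 helm repo add hashicorp https://helm.releases.hashicorp.com
-helm install vault hashicorp/vault --version 0.19.0 --values k8s/helm-vault-values.yml
 fi
+helm upgrade --install vault hashicorp/vault --version 0.22.0 --values k8s/helm-vault-values.yml
 
 isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running)
 while [[ $isvaultrunning != *"vault-0"* ]]; do echo "waiting for Vault1" && sleep 2 && isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running); done
@@ -52,9 +52,13 @@
 kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
 cat cluster-keys.json | jq -r ".unseal_keys_b64[]"
 VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
-kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
-kubectl exec vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
-kubectl exec vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
+
+echo "⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰"
+echo "PLEASE COPY PASTE THE FOLLOWING VALUE: ${VAULT_UNSEAL_KEY} , you will be asked for it 3 times to unseal the vaults"
+
+kubectl exec -it vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
+kubectl exec -it vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
+kubectl exec -it vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
 
 
 echo "Obtaining root token"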
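Review bot: New lines 59-61 add `-it` to the unseal calls and line 57 tells the operator they will be asked for the key three times, yet `$VAULT_UNSEAL_KEY` is still passed as an argument, so `vault operator unseal` never prompts: the key is now printed to the terminal, sits in the argv of the `vault` process inside each pod while it runs, and `-it` makes the script abort with "Unable to use a TTY" when run without one (CI, `nohup`, a pipe). Pick one model — non-interactive, reverting to `kubectl exec vault-0 -- vault operator unseal "$VAULT_UNSEAL_KEY"` and dropping the echo, or interactive, keeping `-it` and removing the argument so the Vault CLI reads the key with hidden input. Separately, `helm upgrade --install consul hashicorp/consul` on new line 33 lost the `--version` pin the old line had (`0.30.0`) while the Vault install on line 43 still pins `0.22.0`, so every run installs whatever the latest Consul chart is; add `--version` back so the demo is reproducible and a bad upstream release is not pulled automatically. The `helm list | grep 'consul'` check that guards the repo add (just above the hunk) presumably still looks in the default namespace now that the release lives in `consul`; harmless today because the install moved outside the `if`, but worth a `-n consul` for consistency.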
    okteto/k8s/secret-challenge-deployment.yml
    skipped 28 lines
    29 29   fsGroup: 2000
    30 30   containers:
    31 31   - image: jeroenwillemsen/wrongsecrets:1.5.7-no-vault
     32 + name: secret-challenge
    32 33   imagePullPolicy: IfNotPresent
     34 + securityContext:
     35 + allowPrivilegeEscalation: false
     36 + readOnlyRootFilesystem: true
     37 + runAsNonRoot: true
    33 38   ports:
    34 39   - containerPort: 8080
    35 40   protocol: TCP
    36  - name: secret-challenge
    37  - resources: {}
     41 + readinessProbe:
     42 + httpGet:
     43 + path: '/actuator/health/readiness'
     44 + port: 8080
     45 + initialDelaySeconds: 30
     46 + timeoutSeconds: 5
     47 + periodSeconds: 5
     48 + failureThreshold: 8
     49 + livenessProbe:
     50 + httpGet:
     51 + path: '/actuator/health/liveness'
     52 + port: 8080
     53 + initialDelaySeconds: 35
     54 + timeoutSeconds: 30
     55 + periodSeconds: 40
     56 + failureThreshold: 5
     57 + resources:
     58 + requests:
     59 + memory: '512Mi'
     60 + cpu: '200m'
     61 + ephemeral-storage: '1Gi'
     62 + limits:
     63 + memory: '512Mi'
     64 + cpu: '1200m'
     65 + ephemeral-storage: '2Gi'
     66 + volumeMounts:
     67 + - name: 'ephemeral'
     68 + mountPath: '/tmp'
    38 69   terminationMessagePath: /dev/termination-log
    39 70   terminationMessagePolicy: File
    40 71   env:
    skipped 9 lines
    50 81   secretKeyRef:
    51 82   name: funnystuff
    52 83   key: funnier
     84 + volumes:
     85 + - name: 'ephemeral'
     86 + emptyDir: {}
    53 87   dnsPolicy: ClusterFirst
    54 88   restartPolicy: Always
    55 89   schedulerName: default-scheduler
    skipped 2 lines
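Review bot: This is the manifest behind the public Okteto instance the README asks people not to attack, so the hardening added at lines 34-37 matters most here — and it still leaves the default capability set and no seccomp profile, which is what an attacker who gets code execution in the Java process would lean on next; add `capabilities: { drop: ["ALL"] }` and `seccompProfile: { type: RuntimeDefault }` to the new `securityContext`. The no-vault image has no visible need for a Kubernetes service-account token (the env only reads a ConfigMap and a Secret, lines 81-83 context), so `automountServiceAccountToken: false` at the pod level would remove a credential from a deliberately vulnerable container — please confirm against the image. The `emptyDir` at `/tmp` (lines 84-86) is bounded only by the 2Gi `ephemeral-storage` limit; an explicit `emptyDir: { sizeLimit: 1Gi }` gives a clearer failure mode than pod eviction when the app fills it.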
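--- a/scripts/install-consul.sh
+++ b/scripts/install-consul.sh
@@ -4,8 +4,8 @@
 else
 helm repo add hashicorp https://helm.releases.hashicorp.com
 helm repo update hashicorp
-helm install consul hashicorp/consul --version 0.30.0 --values ../k8s/helm-consul-values.yml
+helm upgrade --install consul hashicorp/consul --set global.name=consul --create-namespace -n consul --values ../k8s/helm-consul-values.yml
 fi
 
-while [[ $(kubectl get pods -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True" && $(kubectl get pods -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True True True" ]]; do echo "waiting for Consul" && sleep 2; done
+while [[ $(kubectl get pods -n consul -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != *"True True"* && $(kubectl get pods -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != *"True True True True"* ]]; do echo "waiting for Consul" && sleep 2; done
 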
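Review bot: In the wait loop on new line 10 only the first `kubectl get pods` received `-n consul`; the second still queries the default namespace, so it returns an empty string, its `!= *"True True True True"*` test is always true, and the loop now ends as soon as the first query merely contains `True True` — which the new glob match also accepts for a partially ready four-pod cluster (`False True True False`). Add `-n consul` to the second query too, or collapse to one query and compare against the exact status string expected for the pod count in helm-consul-values.yml. The install on line 7 also dropped the `--version` pin the old line had (`0.30.0`) while install-vault.sh keeps `--version 0.22.0`; pin the Consul chart as well so the setup is reproducible and a broken or compromised upstream release is not pulled automatically.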
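--- a/scripts/install-vault.sh
+++ b/scripts/install-vault.sh
@@ -4,7 +4,7 @@
 else
 helm repo add hashicorp https://helm.releases.hashicorp.com
 helm repo update hashicorp
-helm install vault hashicorp/vault --version 0.19.0 --values ../k8s/helm-vault-values.yml
+helm upgrade --install vault hashicorp/vault --version 0.22.0 --values ../k8s/helm-vault-values.yml
 fi
 
 isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running)
@@ -15,12 +15,16 @@
 echo "Setting up port forwarding"
 kubectl port-forward vault-0 8200:8200 &
 echo "Unsealing Vault"
-kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json >cluster-keys.json
+kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
 cat cluster-keys.json | jq -r ".unseal_keys_b64[]"
 VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
-kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
-kubectl exec vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
-kubectl exec vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
+
+echo "⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰"
+echo "PLEASE COPY PASTE THE FOLLOWING VALUE: $VAULT_UNSEAL_KEY, you will be asked for it 3 times to unseal the vaults"
+
+kubectl exec -it vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
+kubectl exec -it vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
+kubectl exec -it vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
 
 echo "Obtaining root token"
 jq .root_token cluster-keys.json >commentedroottoken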
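Review bot: The unseal calls at new lines 25-27 gained `-it` and the message on line 23 promises an interactive prompt, but `$VAULT_UNSEAL_KEY` is still given as an argument, so the Vault CLI never asks for it; the only effects are that the key is echoed to the terminal and that `kubectl exec -it` now fails with "Unable to use a TTY" when there is no terminal — and this file is sourced by `aws/k8s-vault-aws-start.sh` (and presumably the azure/gcp start scripts), so any automated run of those breaks. Either keep it non-interactive (`kubectl exec vault-0 -- vault operator unseal "$VAULT_UNSEAL_KEY"`, no echo) or make it truly interactive by dropping the argument so the key is entered with hidden input; the current mix gives the worst of both. `cluster-keys.json` (line 18) holds the single unseal key and the root token in plaintext in the working directory — pre-existing, but since this commit draws attention to the key, a `chmod 600 cluster-keys.json` right after the init would be cheap.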