crash.software
Projects
Pull Requests
Issues
Builds
wrongsecrets
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY wrongsecrets Commits 9f4d2726
🤬
Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)
  • ■ ■ ■ ■ ■ ■
    .github/workflows/minikube-k8s-test.yml
    skipped 20 lines
    21 21   - name: Start minikube
    22 22   uses: medyagh/setup-minikube@master
    23 23   with:
    24  - minikube-version: 1.25.2
     24 + minikube-version: 1.27.0
    25 25   driver: docker
    26  - kubernetes-version: v1.22.5
     26 + kubernetes-version: v1.23.12
    27 27   - name: test script
    28 28   run: |
    29 29   kubectl apply -f k8s/secrets-config.yml
    skipped 16 lines
  • ■ ■ ■ ■ ■ ■
    .github/workflows/minikube-vault-test.yml
    skipped 21 lines
    22 22   - name: Start minikube
    23 23   uses: medyagh/setup-minikube@master
    24 24   with:
    25  - minikube-version: 1.25.2
     25 + minikube-version: 1.27.0
    26 26   driver: docker
    27  - kubernetes-version: v1.22.5
     27 + kubernetes-version: v1.23.12
    28 28   - name: Setup helm
    29 29   uses: azure/[email protected]
    30 30   id: install
    skipped 4 lines
  • ■ ■ ■ ■
    .github/workflows/pre-commit.yml
    skipped 8 lines
    9 9  env:
    10 10   TF_DOCS_VERSION: v0.16.0
    11 11   TFSEC_VERSION: v1.27.6
    12  - TFLINT_VERSION: v0.39.3
     12 + TFLINT_VERSION: v0.41.0
    13 13  permissions:
    14 14   contents: read
    15 15  jobs:
    skipped 37 lines
  • ■ ■ ■ ■
    README.md
    skipped 129 lines
    130 130   
    131 131  ### Okteto based
    132 132   
    133  -Don't want to go over the hassle of setting up K8S yourself? visit [https://wrongsecrets-commjoen.cloud.okteto.net](https://wrongsecrets-commjoen.cloud.okteto.net/). Please note that we are using the free Developer version here, so it might take a while for it to respond. Please: do not try to hack/Fuzz the application as this might bring it down and spoil the fun for others.
     133 +Don't want to go over the hassle of setting up K8S yourself? visit [https://wrongsecrets-commjoen.cloud.okteto.net](https://wrongsecrets-commjoen.cloud.okteto.net/). Please note that we are using the free Developer version here, so it might take a while for it to respond at first (e.g. "development environment not ready" and then a 50x for a minute). Please: do not try to hack/Fuzz the application as this might bring it down and spoil the fun for others.
    134 134   
    135 135  ## Vault exercises with minikube
    136 136   
    skipped 254 lines
  • ■ ■ ■ ■ ■ ■
    aws/README.md
    skipped 100 lines
    101 101  | Name | Version |
    102 102  |------|---------|
    103 103  | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.1 |
    104  -| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.1 |
     104 +| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.33.0 |
    105 105  | <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.1 |
    106  -| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
     106 +| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.4.3 |
    107 107   
    108 108  ## Providers
    109 109   
    110 110  | Name | Version |
    111 111  |------|---------|
    112  -| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.1 |
     112 +| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.33.0 |
    113 113  | <a name="provider_http"></a> [http](#provider\_http) | ~> 3.1 |
    114  -| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.0 |
     114 +| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.4.3 |
    115 115   
    116 116  ## Modules
    117 117   
    118 118  | Name | Source | Version |
    119 119  |------|--------|---------|
     120 +| <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 4.12 |
    120 121  | <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | 18.30.0 |
    121 122  | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.16.0 |
    122 123   
    skipped 28 lines
    151 152  | Name | Description | Type | Default | Required |
    152 153  |------|-------------|------|---------|:--------:|
    153 154  | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The EKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
    154  -| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.22"` | no |
     155 +| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.23"` | no |
    155 156  | <a name="input_region"></a> [region](#input\_region) | The AWS region to use | `string` | `"eu-west-1"` | no |
    156 157   
    157 158  ## Outputs
    skipped 9 lines
  • ■ ■ ■ ■ ■
    aws/irsa.tf
    skipped 12 lines
    13 13  data "aws_iam_policy_document" "assume_role_with_oidc" {
    14 14   statement {
    15 15   principals {
    16  - type = "Federated"
    17  - identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}"]
     16 + type = "Federated"
     17 + identifiers = [
     18 + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}"
     19 + ]
    18 20   }
    19 21   effect = "Allow"
    20 22   actions = ["sts:AssumeRoleWithWebIdentity"]
    skipped 99 lines
    120 122   }
    121 123  }
    122 124   
     125 +module "ebs_csi_irsa_role" {
     126 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
     127 + version = "~> 4.12"
     128 + role_name = "ebs-csi"
     129 + attach_ebs_csi_policy = true
     130 + 
     131 + oidc_providers = {
     132 + ex = {
     133 + provider_arn = module.eks.oidc_provider_arn
     134 + namespace_service_accounts = ["consul:server", "kube-system:ebs-csi-controller-sa"]
     135 + }
     136 + }
     137 +}
     138 + 
  • ■ ■ ■ ■ ■ ■
    aws/k8s/secret-challenge-vault-deployment.yml
    skipped 29 lines
    30 30   fsGroup: 2000
    31 31   serviceAccountName: vault
    32 32   volumes:
     33 + - name: 'ephemeral'
     34 + emptyDir: { }
    33 35   - name: secrets-store-inline
    34 36   csi:
    35 37   driver: secrets-store.csi.k8s.io
    skipped 3 lines
    39 41   containers:
    40 42   - image: jeroenwillemsen/wrongsecrets:1.5.7-k8s-vault
    41 43   imagePullPolicy: IfNotPresent
     44 + name: secret-challenge
     45 + securityContext:
     46 + allowPrivilegeEscalation: false
     47 + readOnlyRootFilesystem: true
     48 + runAsNonRoot: true
    42 49   ports:
    43 50   - containerPort: 8080
    44 51   protocol: TCP
    45  - name: secret-challenge
    46  - resources: {}
     52 + readinessProbe:
     53 + httpGet:
     54 + path: '/actuator/health/readiness'
     55 + port: 8080
     56 + initialDelaySeconds: 30
     57 + timeoutSeconds: 5
     58 + periodSeconds: 5
     59 + failureThreshold: 8
     60 + livenessProbe:
     61 + httpGet:
     62 + path: '/actuator/health/liveness'
     63 + port: 8080
     64 + initialDelaySeconds: 35
     65 + timeoutSeconds: 30
     66 + periodSeconds: 40
     67 + failureThreshold: 5
     68 + resources:
     69 + requests:
     70 + memory: '512Mi'
     71 + cpu: '200m'
     72 + ephemeral-storage: '1Gi'
     73 + limits:
     74 + memory: '512Mi'
     75 + cpu: '1200m'
     76 + ephemeral-storage: '2Gi'
    47 77   terminationMessagePath: /dev/termination-log
    48 78   terminationMessagePolicy: File
    49 79   env:
    skipped 17 lines
    67 97   - name: secrets-store-inline
    68 98   mountPath: "/mnt/secrets-store"
    69 99   readOnly: true
     100 + - name: 'ephemeral'
     101 + mountPath: '/tmp'
    70 102   dnsPolicy: ClusterFirst
    71 103   restartPolicy: Always
    72 104   schedulerName: default-scheduler
    skipped 2 lines
  • ■ ■ ■ ■ ■ ■
    aws/k8s-vault-aws-start.sh
    skipped 25 lines
    26 26   kubectl apply -f ../k8s/secrets-secret.yml
    27 27  fi
    28 28   
     29 +kubectl get sa ebs-csi-controller-sa -n kube-system | grep '1' &>/dev/null
     30 +if [ $? == 0 ]; then
     31 + echo "EBS CSI driver is installed, skipping (1 secret found)"
     32 +else
     33 + echo "Installing the EBS CSI Driver from https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md as AWS makes shit hard on us"
     34 + kubectl apply -k "github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.12"
     35 +fi
     36 + 
    29 37  source ../scripts/install-consul.sh
    30 38   
    31 39  source ../scripts/install-vault.sh
    skipped 30 lines
  • ■ ■ ■ ■ ■ ■
    aws/main.tf
    skipped 88 lines
    89 89   "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    90 90   "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
    91 91   "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    92  - "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
     92 + "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
     93 + "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
    93 94   ]
    94 95   }
    95 96   
    skipped 1 lines
    97 98   bottlerocket_default = {
    98 99   create_launch_template = false
    99 100   launch_template_name = ""
    100  - 
    101  - capacity_type = "SPOT"
     101 + min_size = 1
     102 + max_size = 3
     103 + desired_size = 1
     104 + capacity_type = "SPOT"
    102 105   
    103 106   ami_type = "BOTTLEROCKET_x86_64"
    104 107   platform = "bottlerocket"
    skipped 20 lines
  • ■ ■ ■ ■
    aws/terraform.tfvars
    1  -cluster_version = "1.22"
     1 +cluster_version = "1.23"
    2 2  region = "eu-west-1"
    3 3   
  • ■ ■ ■ ■
    aws/variables.tf
    skipped 6 lines
    7 7  variable "cluster_version" {
    8 8   description = "The EKS cluster version to use"
    9 9   type = string
    10  - default = "1.22"
     10 + default = "1.23"
    11 11  }
    12 12   
    13 13  variable "cluster_name" {
    skipped 5 lines
  • ■ ■ ■ ■ ■ ■
    aws/versions.tf
    skipped 2 lines
    3 3   
    4 4   required_providers {
    5 5   aws = {
    6  - version = "~> 4.1"
     6 + version = "~> 4.33.0"
    7 7   }
    8 8   random = {
    9  - version = "~> 3.0"
     9 + version = "~> 3.4.3"
    10 10   }
    11 11   http = {
    12 12   version = "~> 3.1"
    skipped 4 lines
  • ■ ■ ■ ■ ■ ■
    azure/README.md
    skipped 94 lines
    95 95  | Name | Version |
    96 96  |------|---------|
    97 97  | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.1 |
    98  -| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.9 |
    99  -| <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.1 |
    100  -| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
     98 +| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.25.0 |
     99 +| <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.1.0 |
     100 +| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.4.3 |
    101 101   
    102 102  ## Providers
    103 103   
    104 104  | Name | Version |
    105 105  |------|---------|
    106  -| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | ~> 3.9 |
    107  -| <a name="provider_http"></a> [http](#provider\_http) | ~> 3.1 |
    108  -| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.0 |
     106 +| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | ~> 3.25.0 |
     107 +| <a name="provider_http"></a> [http](#provider\_http) | ~> 3.1.0 |
     108 +| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.4.3 |
    109 109   
    110 110  ## Modules
    111 111   
    skipped 28 lines
    140 140  | Name | Description | Type | Default | Required |
    141 141  |------|-------------|------|---------|:--------:|
    142 142  | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The AKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
    143  -| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The AKS cluster version to use | `string` | `"1.22.6"` | no |
     143 +| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The AKS cluster version to use | `string` | `"1.23.12"` | no |
    144 144  | <a name="input_region"></a> [region](#input\_region) | The Azure region to use | `string` | `"East US"` | no |
    145 145   
    146 146  ## Outputs
    skipped 15 lines
  • ■ ■ ■ ■ ■
    azure/k8s/secret-challenge-vault-deployment.yml.tpl
    skipped 25 lines
    26 26   aadpodidbinding: wrongsecrets-pod-id
    27 27   name: secret-challenge
    28 28   spec:
     29 + securityContext:
     30 + runAsUser: 2000
     31 + runAsGroup: 2000
     32 + fsGroup: 2000
    29 33   serviceAccountName: vault
    30 34   volumes:
     35 + - name: 'ephemeral'
     36 + emptyDir: {}
    31 37   - name: secrets-store-inline
    32 38   csi:
    33 39   driver: secrets-store.csi.k8s.io
    skipped 3 lines
    37 43   containers:
    38 44   - image: jeroenwillemsen/wrongsecrets:1.5.7-k8s-vault
    39 45   imagePullPolicy: IfNotPresent
     46 + name: secret-challenge
     47 + securityContext:
     48 + allowPrivilegeEscalation: false
     49 + readOnlyRootFilesystem: true
     50 + runAsNonRoot: true
    40 51   ports:
    41 52   - containerPort: 8080
    42 53   protocol: TCP
    43  - name: secret-challenge
    44  - resources: {}
     54 + readinessProbe:
     55 + httpGet:
     56 + path: '/actuator/health/readiness'
     57 + port: 8080
     58 + initialDelaySeconds: 30
     59 + timeoutSeconds: 5
     60 + periodSeconds: 5
     61 + failureThreshold: 8
     62 + livenessProbe:
     63 + httpGet:
     64 + path: '/actuator/health/liveness'
     65 + port: 8080
     66 + initialDelaySeconds: 35
     67 + timeoutSeconds: 30
     68 + periodSeconds: 40
     69 + failureThreshold: 5
     70 + resources:
     71 + requests:
     72 + memory: '256Mi'
     73 + cpu: '200m'
     74 + ephemeral-storage: '1Gi'
     75 + limits:
     76 + memory: '512Mi'
     77 + cpu: '1200m'
     78 + ephemeral-storage: '2Gi'
    45 79   terminationMessagePath: /dev/termination-log
    46 80   terminationMessagePolicy: File
    47 81   env:
    skipped 4 lines
    52 86   - name: azure_keyvault_uri
    53 87   value: ${AZ_VAULT_URI}
    54 88   - name: management.health.azure-key-vault.enabled
    55  - value: true
     89 + value: "true"
    56 90   - name: SPECIAL_K8S_SECRET
    57 91   valueFrom:
    58 92   configMapKeyRef:
    skipped 12 lines
    71 105   - name: secrets-store-inline
    72 106   mountPath: "/mnt/secrets-store"
    73 107   readOnly: true
     108 + - name: 'ephemeral'
     109 + mountPath: '/tmp'
    74 110   dnsPolicy: ClusterFirst
    75 111   restartPolicy: Always
    76 112   schedulerName: default-scheduler
    77  - securityContext: {}
    78 113   terminationGracePeriodSeconds: 30
    79 114   
  • ■ ■ ■ ■
    azure/variables.tf
    skipped 6 lines
    7 7  variable "cluster_version" {
    8 8   description = "The AKS cluster version to use"
    9 9   type = string
    10  - default = "1.22.6"
     10 + default = "1.23.12"
    11 11  }
    12 12   
    13 13  variable "cluster_name" {
    skipped 5 lines
  • ■ ■ ■ ■ ■ ■
    azure/versions.tf
    skipped 2 lines
    3 3   
    4 4   required_providers {
    5 5   random = {
    6  - version = "~> 3.0"
     6 + version = "~> 3.4.3"
    7 7   }
    8 8   azurerm = {
    9  - version = "~> 3.9"
     9 + version = "~> 3.25.0"
    10 10   }
    11 11   http = {
    12  - version = "~> 3.1"
     12 + version = "~> 3.1.0"
    13 13   }
    14 14   }
    15 15  }
    skipped 1 lines
  • ■ ■ ■ ■ ■ ■
    gcp/README.md
    skipped 44 lines
    45 45  5. Run `terraform init` (if required, use tfenv to select TF 0.14.0 or higher )
    46 46  6. Run `terraform plan`
    47 47  7. Run `terraform apply`. Note: the apply will take 10 to 20 minutes depending on the speed of the GCP backplane.
    48  -8. When creation is done, run `gcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION`. Note if it errors on a missing plugin to support `kubectl`, then run `gcloud components install gke-gcloud-auth-plugin` and `gcloud container clusters get-credentials wrongsecrets-exercise-cluster` .
    49  -9. Run `./k8s-vault-gcp-start.sh`
     48 +8. Run `export USE_GKE_GCLOUD_AUTH_PLUGIN=True`
     49 +9When creation is done, run `gcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION`. Note if it errors on a missing plugin to support `kubectl`, then run `gcloud components install gke-gcloud-auth-plugin` and `gcloud container clusters get-credentials wrongsecrets-exercise-cluster` .
     50 +10. Run `./k8s-vault-gcp-start.sh`
    50 51   
    51 52  ### GKE ingres for shared deployment
    52 53   
    skipped 39 lines
    92 93  | Name | Version |
    93 94  |------|---------|
    94 95  | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.1 |
    95  -| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 4.1 |
    96  -| <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) | ~> 4.1 |
    97  -| <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.1 |
    98  -| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
     96 +| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 4.39.0 |
     97 +| <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) | ~> 4.39.0 |
     98 +| <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.1.0 |
     99 +| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.4.3 |
    99 100   
    100 101  ## Providers
    101 102   
    102 103  | Name | Version |
    103 104  |------|---------|
    104  -| <a name="provider_google"></a> [google](#provider\_google) | ~> 4.1 |
    105  -| <a name="provider_google-beta"></a> [google-beta](#provider\_google-beta) | ~> 4.1 |
    106  -| <a name="provider_http"></a> [http](#provider\_http) | ~> 3.1 |
    107  -| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.0 |
     105 +| <a name="provider_google"></a> [google](#provider\_google) | ~> 4.39.0 |
     106 +| <a name="provider_google-beta"></a> [google-beta](#provider\_google-beta) | ~> 4.39.0 |
     107 +| <a name="provider_http"></a> [http](#provider\_http) | ~> 3.1.0 |
     108 +| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.4.3 |
    108 109   
    109 110  ## Modules
    110 111   
    skipped 29 lines
    140 141  | Name | Description | Type | Default | Required |
    141 142  |------|-------------|------|---------|:--------:|
    142 143  | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The GKE cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
    143  -| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The GKE cluster version to use | `string` | `"1.22"` | no |
     144 +| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The GKE cluster version to use | `string` | `"1.23"` | no |
    144 145  | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | project id | `string` | n/a | yes |
    145 146  | <a name="input_region"></a> [region](#input\_region) | The GCP region to use | `string` | `"eu-west4"` | no |
    146 147   
    skipped 11 lines
  • ■ ■ ■ ■ ■ ■
    gcp/k8s/secret-challenge-vault-deployment.yml.tpl
    skipped 29 lines
    30 30   fsGroup: 2000
    31 31   serviceAccountName: vault
    32 32   volumes:
     33 + - name: 'ephemeral'
     34 + emptyDir: {}
    33 35   - name: secrets-store-inline
    34 36   csi:
    35 37   driver: secrets-store.csi.k8s.io
    skipped 3 lines
    39 41   containers:
    40 42   - image: jeroenwillemsen/wrongsecrets:1.5.7-k8s-vault
    41 43   imagePullPolicy: IfNotPresent
     44 + name: secret-challenge
    42 45   ports:
    43 46   - containerPort: 8080
    44 47   protocol: TCP
    45  - name: secret-challenge
    46  - resources: {}
     48 + readinessProbe:
     49 + httpGet:
     50 + path: '/actuator/health/readiness'
     51 + port: 8080
     52 + initialDelaySeconds: 30
     53 + timeoutSeconds: 5
     54 + periodSeconds: 5
     55 + failureThreshold: 8
     56 + livenessProbe:
     57 + httpGet:
     58 + path: '/actuator/health/liveness'
     59 + port: 8080
     60 + initialDelaySeconds: 35
     61 + timeoutSeconds: 30
     62 + periodSeconds: 40
     63 + failureThreshold: 5
     64 + securityContext:
     65 + allowPrivilegeEscalation: false
     66 + readOnlyRootFilesystem: true
     67 + runAsNonRoot: true
     68 + resources:
     69 + requests:
     70 + memory: '512Mi'
     71 + cpu: '200m'
     72 + ephemeral-storage: '1Gi'
     73 + limits:
     74 + memory: '512Mi'
     75 + cpu: '800m'
     76 + ephemeral-storage: '2Gi'
    47 77   terminationMessagePath: /dev/termination-log
    48 78   terminationMessagePolicy: File
    49 79   env:
    skipped 19 lines
    69 99   - name: secrets-store-inline
    70 100   mountPath: "/mnt/secrets-store"
    71 101   readOnly: true
     102 + - name: 'ephemeral'
     103 + mountPath: '/tmp'
    72 104   dnsPolicy: ClusterFirst
    73 105   restartPolicy: Always
    74 106   schedulerName: default-scheduler
    skipped 2 lines
  • ■ ■ ■ ■
    gcp/main.tf
    skipped 39 lines
    40 40   node_config {
    41 41   # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
    42 42   service_account = google_service_account.wrongsecrets_cluster.email
    43  - machine_type = "e2-highcpu-2"
     43 + machine_type = "e2-standard-2"
    44 44   oauth_scopes = [
    45 45   "https://www.googleapis.com/auth/cloud-platform"
    46 46   ]
    skipped 19 lines
  • ■ ■ ■ ■
    gcp/variables.tf
    skipped 11 lines
    12 12  variable "cluster_version" {
    13 13   description = "The GKE cluster version to use"
    14 14   type = string
    15  - default = "1.22"
     15 + default = "1.23"
    16 16  }
    17 17   
    18 18  variable "cluster_name" {
    skipped 5 lines
  • ■ ■ ■ ■ ■ ■
    gcp/versions.tf
    skipped 2 lines
    3 3   required_providers {
    4 4   google = {
    5 5   source = "hashicorp/google"
    6  - version = "~> 4.1"
     6 + version = "~> 4.39.0"
    7 7   }
    8 8   google-beta = {
    9 9   source = "hashicorp/google-beta"
    10  - version = "~> 4.1"
     10 + version = "~> 4.39.0"
    11 11   }
    12 12   random = {
    13  - version = "~> 3.0"
     13 + version = "~> 3.4.3"
    14 14   }
    15 15   http = {
    16  - version = "~> 3.1"
     16 + version = "~> 3.1.0"
    17 17   }
    18 18   }
    19 19  }
    skipped 1 lines
  • ■ ■ ■ ■ ■ ■
    k8s/secret-challenge-deployment.yml
    skipped 27 lines
    28 28   runAsGroup: 2000
    29 29   fsGroup: 2000
    30 30   containers:
    31  - - image: jeroenwillemsen/wrongsecrets:1.5.3-no-vault
     31 + - image: jeroenwillemsen/wrongsecrets:1.5.7-no-vault
    32 32   imagePullPolicy: IfNotPresent
     33 + name: secret-challenge
    33 34   ports:
    34 35   - containerPort: 8080
    35 36   protocol: TCP
    36  - name: secret-challenge
    37  - resources: {}
     37 + readinessProbe:
     38 + httpGet:
     39 + path: '/actuator/health/readiness'
     40 + port: 8080
     41 + initialDelaySeconds: 30
     42 + timeoutSeconds: 5
     43 + periodSeconds: 5
     44 + failureThreshold: 8
     45 + livenessProbe:
     46 + httpGet:
     47 + path: '/actuator/health/liveness'
     48 + port: 8080
     49 + initialDelaySeconds: 35
     50 + timeoutSeconds: 30
     51 + periodSeconds: 40
     52 + failureThreshold: 5
     53 + resources:
     54 + requests:
     55 + memory: '512Mi'
     56 + cpu: '200m'
     57 + ephemeral-storage: '1Gi'
     58 + limits:
     59 + memory: '512Mi'
     60 + cpu: '1200m'
     61 + ephemeral-storage: '2Gi'
     62 + securityContext:
     63 + allowPrivilegeEscalation: false
     64 + readOnlyRootFilesystem: true
     65 + runAsNonRoot: true
     66 + volumeMounts:
     67 + - name: 'ephemeral'
     68 + mountPath: '/tmp'
    38 69   terminationMessagePath: /dev/termination-log
    39 70   terminationMessagePolicy: File
    40 71   env:
    skipped 9 lines
    50 81   secretKeyRef:
    51 82   name: funnystuff
    52 83   key: funnier
     84 + volumes:
     85 + - name: 'ephemeral'
     86 + emptyDir: { }
    53 87   dnsPolicy: ClusterFirst
    54 88   restartPolicy: Always
    55 89   schedulerName: default-scheduler
    skipped 2 lines
  • ■ ■ ■ ■ ■ ■
    k8s/secret-challenge-vault-deployment.yml
    skipped 29 lines
    30 30   runAsNonRoot: true
    31 31   serviceAccountName: vault
    32 32   containers:
    33  - - image: jeroenwillemsen/wrongsecrets:1.5.3-k8s-vault
     33 + - image: jeroenwillemsen/wrongsecrets:1.5.7-k8s-vault
    34 34   imagePullPolicy: IfNotPresent
     35 + name: secret-challenge
     36 + securityContext:
     37 + allowPrivilegeEscalation: false
     38 + readOnlyRootFilesystem: true
     39 + runAsNonRoot: true
    35 40   ports:
    36 41   - containerPort: 8080
    37 42   protocol: TCP
    38  - name: secret-challenge
    39  - resources: { }
     43 + readinessProbe:
     44 + httpGet:
     45 + path: '/actuator/health/readiness'
     46 + port: 8080
     47 + initialDelaySeconds: 30
     48 + timeoutSeconds: 5
     49 + periodSeconds: 5
     50 + failureThreshold: 8
     51 + livenessProbe:
     52 + httpGet:
     53 + path: '/actuator/health/liveness'
     54 + port: 8080
     55 + initialDelaySeconds: 35
     56 + timeoutSeconds: 30
     57 + periodSeconds: 40
     58 + failureThreshold: 5
     59 + resources:
     60 + requests:
     61 + memory: '512Mi'
     62 + cpu: '200m'
     63 + ephemeral-storage: '1Gi'
     64 + limits:
     65 + memory: '512Mi'
     66 + cpu: '1200m'
     67 + ephemeral-storage: '2Gi'
     68 + volumeMounts:
     69 + - name: 'ephemeral'
     70 + mountPath: '/tmp'
    40 71   terminationMessagePath: /dev/termination-log
    41 72   terminationMessagePolicy: File
    42 73   env:
    skipped 13 lines
    56 87   value: "http://vault:8200"
    57 88   - name: JWT_PATH
    58 89   value: "/var/run/secrets/kubernetes.io/serviceaccount/token"
     90 + volumes:
     91 + - name: 'ephemeral'
     92 + emptyDir: { }
    59 93   dnsPolicy: ClusterFirst
    60 94   restartPolicy: Always
    61 95   schedulerName: default-scheduler
    skipped 2 lines
  • ■ ■ ■ ■ ■ ■
    k8s-vault-minkube-start.sh
    skipped 8 lines
    9 9   
    10 10  echo "This is only a script for demoing purposes. You can comment out line 22 and work with your own k8s setup"
    11 11  echo "This script is based on the steps defined in https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube . Vault is awesome!"
    12  -minikube start --kubernetes-version=v1.22.5
     12 +minikube start --kubernetes-version=v1.23.12
    13 13   
    14 14  kubectl get configmaps | grep 'secrets-file' &> /dev/null
    15 15  if [ $? == 0 ]; then
    skipped 13 lines
    29 29   echo "Consul is already installed"
    30 30  else
    31 31   helm repo add hashicorp https://helm.releases.hashicorp.com
    32  - helm install consul hashicorp/consul --version 0.30.0 --values k8s/helm-consul-values.yml
    33 32  fi
     33 +helm upgrade --install consul hashicorp/consul --set global.name=consul --create-namespace -n consul --values k8s/helm-consul-values.yml
    34 34   
    35  -while [[ $(kubectl get pods -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True" ]]; do echo "waiting for Consul" && sleep 2; done
     35 +while [[ $(kubectl get pods -n consul -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True" ]]; do echo "waiting for Consul" && sleep 2; done
    36 36   
    37 37  helm list | grep 'vault' &> /dev/null
    38 38  if [ $? == 0 ]; then
    39 39   echo "Vault is already installed"
    40 40  else
    41 41   helm repo add hashicorp https://helm.releases.hashicorp.com
    42  - helm install vault hashicorp/vault --version 0.19.0 --values k8s/helm-vault-values.yml
    43 42  fi
     43 +helm upgrade --install vault hashicorp/vault --version 0.22.0 --values k8s/helm-vault-values.yml
    44 44   
    45 45  isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running)
    46 46  while [[ $isvaultrunning != *"vault-0"* ]]; do echo "waiting for Vault1" && sleep 2 && isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running); done
    skipped 5 lines
    52 52  kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
    53 53  cat cluster-keys.json | jq -r ".unseal_keys_b64[]"
    54 54  VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
    55  -kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
    56  -kubectl exec vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
    57  -kubectl exec vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
     55 + 
     56 +echo "⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰"
     57 +echo "PLEASE COPY PASTE THE FOLLOWING VALUE: ${VAULT_UNSEAL_KEY} , you will be asked for it 3 times to unseal the vaults"
     58 + 
     59 +kubectl exec -it vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
     60 +kubectl exec -it vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
     61 +kubectl exec -it vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
    58 62   
    59 63   
    60 64  echo "Obtaining root token"
    skipped 59 lines
  • ■ ■ ■ ■ ■ ■
    okteto/k8s/secret-challenge-deployment.yml
    skipped 28 lines
    29 29   fsGroup: 2000
    30 30   containers:
    31 31   - image: jeroenwillemsen/wrongsecrets:1.5.7-no-vault
     32 + name: secret-challenge
    32 33   imagePullPolicy: IfNotPresent
     34 + securityContext:
     35 + allowPrivilegeEscalation: false
     36 + readOnlyRootFilesystem: true
     37 + runAsNonRoot: true
    33 38   ports:
    34 39   - containerPort: 8080
    35 40   protocol: TCP
    36  - name: secret-challenge
    37  - resources: {}
     41 + readinessProbe:
     42 + httpGet:
     43 + path: '/actuator/health/readiness'
     44 + port: 8080
     45 + initialDelaySeconds: 30
     46 + timeoutSeconds: 5
     47 + periodSeconds: 5
     48 + failureThreshold: 8
     49 + livenessProbe:
     50 + httpGet:
     51 + path: '/actuator/health/liveness'
     52 + port: 8080
     53 + initialDelaySeconds: 35
     54 + timeoutSeconds: 30
     55 + periodSeconds: 40
     56 + failureThreshold: 5
     57 + resources:
     58 + requests:
     59 + memory: '512Mi'
     60 + cpu: '200m'
     61 + ephemeral-storage: '1Gi'
     62 + limits:
     63 + memory: '512Mi'
     64 + cpu: '1200m'
     65 + ephemeral-storage: '2Gi'
     66 + volumeMounts:
     67 + - name: 'ephemeral'
     68 + mountPath: '/tmp'
    38 69   terminationMessagePath: /dev/termination-log
    39 70   terminationMessagePolicy: File
    40 71   env:
    skipped 9 lines
    50 81   secretKeyRef:
    51 82   name: funnystuff
    52 83   key: funnier
     84 + volumes:
     85 + - name: 'ephemeral'
     86 + emptyDir: {}
    53 87   dnsPolicy: ClusterFirst
    54 88   restartPolicy: Always
    55 89   schedulerName: default-scheduler
    skipped 2 lines
  • ■ ■ ■ ■ ■ ■
    scripts/install-consul.sh
    skipped 3 lines
    4 4  else
    5 5   helm repo add hashicorp https://helm.releases.hashicorp.com
    6 6   helm repo update hashicorp
    7  - helm install consul hashicorp/consul --version 0.30.0 --values ../k8s/helm-consul-values.yml
     7 + helm upgrade --install consul hashicorp/consul --set global.name=consul --create-namespace -n consul --values ../k8s/helm-consul-values.yml
    8 8  fi
    9 9   
    10  -while [[ $(kubectl get pods -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True" && $(kubectl get pods -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True True True" ]]; do echo "waiting for Consul" && sleep 2; done
     10 +while [[ $(kubectl get pods -n consul -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != *"True True"* && $(kubectl get pods -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != *"True True True True"* ]]; do echo "waiting for Consul" && sleep 2; done
    11 11   
  • ■ ■ ■ ■ ■ ■
    scripts/install-vault.sh
    skipped 3 lines
    4 4  else
    5 5   helm repo add hashicorp https://helm.releases.hashicorp.com
    6 6   helm repo update hashicorp
    7  - helm install vault hashicorp/vault --version 0.19.0 --values ../k8s/helm-vault-values.yml
     7 + helm upgrade --install vault hashicorp/vault --version 0.22.0 --values ../k8s/helm-vault-values.yml
    8 8  fi
    9 9   
    10 10  isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running)
    skipped 4 lines
    15 15  echo "Setting up port forwarding"
    16 16  kubectl port-forward vault-0 8200:8200 &
    17 17  echo "Unsealing Vault"
    18  -kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json >cluster-keys.json
     18 +kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
    19 19  cat cluster-keys.json | jq -r ".unseal_keys_b64[]"
    20 20  VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
    21  -kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
    22  -kubectl exec vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
    23  -kubectl exec vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
     21 + 
     22 +echo "⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰"
     23 +echo "PLEASE COPY PASTE THE FOLLOWING VALUE: $VAULT_UNSEAL_KEY, you will be asked for it 3 times to unseal the vaults"
     24 + 
     25 +kubectl exec -it vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
     26 +kubectl exec -it vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
     27 +kubectl exec -it vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
    24 28   
    25 29  echo "Obtaining root token"
    26 30  jq .root_token cluster-keys.json >commentedroottoken
    skipped 42 lines
Please wait...
Page is in error, reload to recover