lab 11 imprv

inno-devops-labs · Nov 16, 2024 · acc7c83 · acc7c83
1 parent 39d5e19
commit acc7c83
Show file tree

Hide file tree

Showing 6 changed files with 98 additions and 2 deletions.
diff --git a/k8s/11.md b/k8s/11.md
@@ -0,0 +1,69 @@
+```bash
+(venv) smasiner@smasIners-MacBook-Pro k8s % kubectl create secret generic db-user-pass \
+    --from-literal=username=admin \
+    --from-literal=password='S!B*d$zDsb='
+secret/db-user-pass created
+(venv) smasiner@smasIners-MacBook-Pro k8s % kubectl get secret db-user-pass -o yaml
+
+apiVersion: v1
+data:
+  password: UyFCXCpkJHpEc2I9
+  username: YWRtaW4=
+kind: Secret
+metadata:
+  creationTimestamp: "2024-11-13T02:42:22Z"
+  name: db-user-pass
+  namespace: default
+  resourceVersion: "5821"
+  uid: a568406b-25a5-4b88-a843-a3fb7a7104bd
+type: Opaque
+(venv) smasiner@smasIners-MacBook-Pro k8s % echo -n "UyFCXCpkJHpEc2I9" | base64 --decode
+S!B\*d$zDsb=%                                                                                                                                                          (venv) smasiner@smasIners-MacBook-Pro k8s % echo -n "YWRtaW4=" | base64 --decode
+(venv) smasiner@smasIners-MacBook-Pro k8s % echo -n "YWRtaW4=" | base64 --decode
+admin%
+```
+# 1.3
+
+![img_1.png](img_1.png)
+
+# Part 2
+```bash
+(venv) smasiner@smasIners-MacBook-Pro templates % kubectl exec -it vault-0 -- /bin/sh
+/ $ vault kv get internal/database/config
+======== Secret Path ========
+internal/data/database/config
+
+======= Metadata =======
+Key                Value
+---                -----
+created_time       2024-11-16T19:20:00.301597588Z
+custom_metadata    <nil>
+deletion_time      n/a
+destroyed          false
+version            2
+
+==== Data ====
+Key      Value
+---      -----
+token    tokentoken
+/ $ exit
+(venv) smasiner@smasIners-MacBook-Pro templates % kubectl get serviceaccounts
+NAME                   SECRETS   AGE
+default                0         3d18h
+helmapp                0         124m
+internal-app           0         3d15h
+vault                  0         42m
+vault-agent-injector   0         42m
+(venv) smasiner@smasIners-MacBook-Pro templates % kubectlget pods
+zsh: command not found: kubectlget
+(venv) smasiner@smasIners-MacBook-Pro templates % kubectl get pods
+NAME                                    READY   STATUS    RESTARTS   AGE
+helmapp-6854689bd4-hcp9s                1/1     Running   0          21m
+vault-0                                 1/1     Running   0          43m
+vault-agent-injector-84b987db6f-gkrxp   1/1     Running   0          43m
+(venv) smasiner@smasIners-MacBook-Pro templates % kubectl exec -it helmapp-6854689bd4-hcp9s -- sh
+/app_python $ cat /vault/secrets/database-config.txt 
+Bearer token: tokentoken
+
+```
+
diff --git a/k8s/helmapp/templates/deployment.yaml b/k8s/helmapp/templates/deployment.yaml
@@ -50,6 +50,12 @@ spec:
           volumeMounts:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          env:
+            - name: MY_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: my-secret
+                  key: MY_PASS
       {{- with .Values.volumes }}
       volumes:
         {{- toYaml . | nindent 8 }}

diff --git a/k8s/helmapp/templates/patch-inject-secrets.yaml b/k8s/helmapp/templates/patch-inject-secrets.yaml
@@ -0,0 +1,7 @@
+spec:
+   template:
+      metadata:
+      annotations:
+         vault.hashicorp.com/agent-inject: 'true'
+         vault.hashicorp.com/role: 'internal-app'
+         vault.hashicorp.com/agent-inject-secret-database-config.txt: 'internal/data/database/config'
diff --git a/k8s/helmapp/templates/secrets.yaml b/k8s/helmapp/templates/secrets.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-secret
+type: Opaque
+data:
+  MY_PASS: {{ .Values.mySecret | b64enc | quote }}
diff --git a/k8s/helmapp/values.yaml b/k8s/helmapp/values.yaml
@@ -31,9 +31,16 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: ""
 
+
 # This is for setting Kubernetes Annotations to a Pod.
 # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-podAnnotations: {}
+podAnnotations: {
+  vault.hashicorp.com/agent-inject: 'true',
+  vault.hashicorp.com/agent-inject-status: 'update',
+  vault.hashicorp.com/role: 'internal-app',
+  vault.hashicorp.com/agent-inject-secret-database-config.txt: 'internal/data/database/config',
+  vault.hashicorp.com/agent-inject-template-database-config.txt: '{{- with secret "internal/data/database/config" -}}Bearer token: {{ .Data.data.token }}{{- end -}}'
+}
 # This is for setting Kubernetes Labels to a Pod.
 # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
 podLabels: {}
@@ -109,7 +116,7 @@ volumes: []
 #   secret:
 #     secretName: mysecret
 #     optional: false
-
+mySecret: "abraabra"
 # Additional volumeMounts on the output Deployment definition.
 volumeMounts: []
 # - name: foo

diff --git a/k8s/img_1.png b/k8s/img_1.png