From 292a648652c4600249af7438f42af78ae04936e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20=C3=96z=C3=A7elik?= Date: Thu, 25 Jul 2024 00:43:32 -0700 Subject: [PATCH] manifest updates (#1077) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * manifest updates Signed-off-by: Volkan Özçelik * manifest update Signed-off-by: Volkan Özçelik * explicitly reference secrets Signed-off-by: Volkan Özçelik --------- 
Signed-off-by: Volkan Özçelik --- docs/content/community/hello.md | 13 +++ docs/content/community/maintainers.md | 8 +- docs/templates/index.html | 8 +- .../multiple_secrets/k8s-eks/Deployment.yaml | 61 ------------- .../multiple_secrets/k8s-eks/Identity.yaml | 29 ------- .../k8s-eks/ServiceAccount.yaml | 16 ---- .../k8s-eks/image-override.yaml | 24 ------ .../k8s-eks/kustomization.yaml | 18 ---- examples/multiple_secrets/k8s/Deployment.yaml | 2 +- .../multiple_secrets/k8s/image-override.yaml | 1 + .../k8s-eks/Deployment.yaml | 71 ---------------- .../k8s-eks/Identity.yaml | 29 ------- .../using_init_container/k8s-eks/Secret.yaml | 23 ----- .../k8s-eks/ServiceAccount.yaml | 16 ---- .../k8s-eks/image-override.yaml | 24 ------ .../k8s-eks/kustomization.yaml | 18 ---- .../using_init_container/k8s/Deployment.yaml | 4 +- .../k8s/image-override.yaml | 2 + examples/using_sdk_go/k8s-eks/Deployment.yaml | 61 ------------- examples/using_sdk_go/k8s-eks/Identity.yaml | 29 ------- examples/using_sdk_go/k8s-eks/Secret.yaml | 23 ----- .../using_sdk_go/k8s-eks/image-override.yaml | 21 ----- .../using_sdk_go/k8s-eks/kustomization.yaml | 18 ---- examples/using_sdk_go/k8s/Deployment.yaml | 2 +- examples/using_sdk_go/k8s/image-override.yaml | 1 + .../using_sidecar/k8s-eks/Deployment.yaml | 85 ------------------- examples/using_sidecar/k8s-eks/Identity.yaml | 29 ------- examples/using_sidecar/k8s-eks/Secret.yaml | 23 ----- .../using_sidecar/k8s-eks/ServiceAccount.yaml | 16 ---- .../using_sidecar/k8s-eks/image-override.yaml | 23 ----- .../using_sidecar/k8s-eks/kustomization.yaml | 18 ---- examples/using_sidecar/k8s/Deployment.yaml | 4 +- .../using_sidecar/k8s/image-override.yaml | 2 + .../using_vsecm_inspector/Deployment.yaml | 2 +- .../0.26.2/charts/safe/templates/Secret.yaml | 2 + .../charts/safe/templates/ServiceAccount.yaml | 2 + .../charts/sentinel/templates/Role.yaml | 16 ++-- .../sentinel/templates/RoleBinding.yaml | 23 +++++ .../charts/sentinel/templates/Secret.yaml | 2 + 
.../sentinel/templates/ServiceAccount.yaml | 2 + k8s/0.26.2/eks/vsecm-distroless-fips.yaml | 55 ++++++++++++ k8s/0.26.2/eks/vsecm-distroless.yaml | 55 ++++++++++++ k8s/0.26.2/local/vsecm-distroless-fips.yaml | 55 ++++++++++++ k8s/0.26.2/local/vsecm-distroless.yaml | 55 ++++++++++++ k8s/0.26.2/remote/vsecm-distroless-fips.yaml | 55 ++++++++++++ k8s/0.26.2/remote/vsecm-distroless.yaml | 55 ++++++++++++ 46 files changed, 406 insertions(+), 695 deletions(-) delete mode 100644 examples/multiple_secrets/k8s-eks/Deployment.yaml delete mode 100644 examples/multiple_secrets/k8s-eks/Identity.yaml delete mode 100644 examples/multiple_secrets/k8s-eks/ServiceAccount.yaml delete mode 100644 examples/multiple_secrets/k8s-eks/image-override.yaml delete mode 100644 examples/multiple_secrets/k8s-eks/kustomization.yaml delete mode 100644 examples/using_init_container/k8s-eks/Deployment.yaml delete mode 100644 examples/using_init_container/k8s-eks/Identity.yaml delete mode 100644 examples/using_init_container/k8s-eks/Secret.yaml delete mode 100644 examples/using_init_container/k8s-eks/ServiceAccount.yaml delete mode 100644 examples/using_init_container/k8s-eks/image-override.yaml delete mode 100644 examples/using_init_container/k8s-eks/kustomization.yaml delete mode 100644 examples/using_sdk_go/k8s-eks/Deployment.yaml delete mode 100644 examples/using_sdk_go/k8s-eks/Identity.yaml delete mode 100644 examples/using_sdk_go/k8s-eks/Secret.yaml delete mode 100644 examples/using_sdk_go/k8s-eks/image-override.yaml delete mode 100644 examples/using_sdk_go/k8s-eks/kustomization.yaml delete mode 100644 examples/using_sidecar/k8s-eks/Deployment.yaml delete mode 100644 examples/using_sidecar/k8s-eks/Identity.yaml delete mode 100644 examples/using_sidecar/k8s-eks/Secret.yaml delete mode 100644 examples/using_sidecar/k8s-eks/ServiceAccount.yaml delete mode 100644 examples/using_sidecar/k8s-eks/image-override.yaml delete mode 100644 examples/using_sidecar/k8s-eks/kustomization.yaml rename 
examples/using_sdk_go/k8s-eks/ServiceAccount.yaml => helm-charts/0.26.2/charts/sentinel/templates/Role.yaml (51%) create mode 100644 helm-charts/0.26.2/charts/sentinel/templates/RoleBinding.yaml diff --git a/docs/content/community/hello.md b/docs/content/community/hello.md index 24ab994d..2407f7e6 100644 --- a/docs/content/community/hello.md +++ b/docs/content/community/hello.md @@ -49,6 +49,19 @@ As a small, dedicated team of security enthusiasts, we value focused, effective communication. Thus, we prefer to consolidate our interactions into a single channel, rather than dispersing them across multiple platforms. +> **Türkçe Konuşanlar İçin:** +> +> Özgür yazılım birlikte olunca güzel 🤗. +> +> Eğer **VMware Secrets Manager** ile ilgili bir sorun varsa, projeye +> katkıda bulunmak istiyorsan veya başka bir konuda yardıma ihtiyacın varsa, +> dil engeli olmadan bize ulaşabilirsin. +> +> [Kampus Discord Sunucusu'nda **VMware Secrets Manager** kanalında][kampus] +> buluşalım ve birlikte dünyayı daha güvenli hale getirelim 🤘. + +[kampus]: https://discord.gg/kampus "Join Kampus Discord Server" + ## Join Our Public Meetings > **We Are Stronger Together** diff --git a/docs/content/community/maintainers.md b/docs/content/community/maintainers.md index 3887b3d5..964d3f56 100644 --- a/docs/content/community/maintainers.md +++ b/docs/content/community/maintainers.md 
@@ -49,10 +49,10 @@ assisting in feature development. **Qi Hu** (*Patrick*) [@BulldromeQ](https://github.com/BulldromeQ) -Patrick has played a crucial role in integrating VSecM to work seamlessly with -the [Carvel](https://carvel.dev) suite of tools. He has helped enhance the -stability and reliability of both the VSecM and SPIRE. And he is actively -involved in making VSecM even more robust. +Patrick has played a crucial role in integrating **VSecM** to work seamlessly +with the [Carvel](https://carvel.dev) suite of tools. He has helped enhance the +stability and reliability of both the **VSecM** and **SPIRE**. And he is +actively involved in making **VSecM** even more robust. [codeowners]: https://github.com/vmware-tanzu/secrets-manager/blob/main/CODEOWNERS "VMware Secrets Manager CODEOWNERS" diff --git a/docs/templates/index.html b/docs/templates/index.html index 93b084bc..796bb00f 100644 --- a/docs/templates/index.html +++ b/docs/templates/index.html @@ -71,21 +71,21 @@ Calendar Favorite 1 Streamline Icon: https://streamlinehq.com -  Mark Your Calendars: +  Mark Your Calendars: The next VSecM Contributor Sync will be on... Thursday, 2024-07-25 + >Thursday, 2024-08-30 at 8:00am Pacific time. diff --git a/examples/multiple_secrets/k8s-eks/Deployment.yaml b/examples/multiple_secrets/k8s-eks/Deployment.yaml deleted file mode 100644 index ce57646e..00000000 --- a/examples/multiple_secrets/k8s-eks/Deployment.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: example - namespace: default - labels: - app.kubernetes.io/name: example -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: example - template: - metadata: - labels: - app.kubernetes.io/name: example - spec: - serviceAccountName: example - containers: - - name: main - image: vsecm/example-multiple-secrets:0.26.2 - volumeMounts: - # Volume mount for SPIRE unix domain socket. - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure this workload by providing environment variables. - # - # See https://vsecm.com/configuration for more information - # about these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Safe will assume the default values outlined in the given link above. - # - env: - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - name: VSECM_LOG_LEVEL - value: "7" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "spiffe://vsecm.com/workload/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true diff --git a/examples/multiple_secrets/k8s-eks/Identity.yaml b/examples/multiple_secrets/k8s-eks/Identity.yaml deleted file mode 100644 index 06ef6948..00000000 --- a/examples/multiple_secrets/k8s-eks/Identity.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: example -spec: - className: "vsecm" - # SPIFFE ID `MUST` start with "spiffe://vsecm.com/workload/$workloadName/ns/" - # for `vsecm-safe` to recognize the workload and dispatch secrets to it. - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/example\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: example - workloadSelectorTemplates: - - "k8s:ns:default" - - "k8s:sa:example" diff --git a/examples/multiple_secrets/k8s-eks/ServiceAccount.yaml b/examples/multiple_secrets/k8s-eks/ServiceAccount.yaml deleted file mode 100644 index 548f20ac..00000000 --- a/examples/multiple_secrets/k8s-eks/ServiceAccount.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: example - namespace: default -automountServiceAccountToken: false diff --git a/examples/multiple_secrets/k8s-eks/image-override.yaml b/examples/multiple_secrets/k8s-eks/image-override.yaml deleted file mode 100644 index 7a114ff4..00000000 --- a/examples/multiple_secrets/k8s-eks/image-override.yaml +++ /dev/null 
@@ -1,24 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: example
- namespace: default
-spec:
- template:
- spec:
- containers:
- - name: main
- image: public.ecr.aws/h8y1n7y7/example-multiple-secrets:0.26.2
- env:
- - name: VSECM_LOG_LEVEL
- value: "7"
\ No newline at end of file
diff --git a/examples/multiple_secrets/k8s-eks/kustomization.yaml b/examples/multiple_secrets/k8s-eks/kustomization.yaml
deleted file mode 100644
index e58cdad7..00000000
--- a/examples/multiple_secrets/k8s-eks/kustomization.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-# / keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- Deployment.yaml
-generatorOptions:
- disableNameSuffixHash: true
-patches:
-- path: image-override.yaml
diff --git a/examples/multiple_secrets/k8s/Deployment.yaml b/examples/multiple_secrets/k8s/Deployment.yaml
index ce57646e..f6d428fd 100644
--- a/examples/multiple_secrets/k8s/Deployment.yaml
+++ b/examples/multiple_secrets/k8s/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
 serviceAccountName: example
 containers:
 - name: main
- image: vsecm/example-multiple-secrets:0.26.2
+ image: vsecm/example-multiple-secrets:latest
 volumeMounts:
 # Volume mount for SPIRE unix domain socket.
 - name: spire-agent-socket
diff --git a/examples/multiple_secrets/k8s/image-override.yaml b/examples/multiple_secrets/k8s/image-override.yaml
index ce19daf8..ba2103de 100644
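Review bot: The new `image: vsecm/example-multiple-secrets:latest` line trades the pinned `0.26.2` tag for a mutable one, so the example no longer deploys a reproducible artifact and pulls whatever the registry labels `latest` at the time of the pull (Kubernetes also defaults `imagePullPolicy` to `Always` for that tag). For a secrets-manager workload that weakens supply-chain traceability: an upstream image that is replaced, or compromised, is rolled out without any change to this manifest. Prefer a release tag or a digest pin, e.g. `image: vsecm/example-multiple-secrets@sha256:<digest-placeholder>`, or at least add a comment above the line stating that `latest` is deliberate for the example and which override is expected to replace it. The companion `examples/multiple_secrets/k8s/image-override.yaml` in this same commit still pins `localhost:5000/example-multiple-secrets:0.26.2`, so the two manifests now disagree on the tag. The same change is made to both images in `examples/using_init_container/k8s/Deployment.yaml` and to `examples/using_sdk_go/k8s/Deployment.yaml`.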
--- a/examples/multiple_secrets/k8s/image-override.yaml
+++ b/examples/multiple_secrets/k8s/image-override.yaml
@@ -18,6 +18,7 @@ spec:
 spec:
 containers:
 - name: main
+ # Change this, if you want to use a different image:
 image: localhost:5000/example-multiple-secrets:0.26.2
 env:
 - name: VSECM_LOG_LEVEL
diff --git a/examples/using_init_container/k8s-eks/Deployment.yaml b/examples/using_init_container/k8s-eks/Deployment.yaml
deleted file mode 100644
index 876223de..00000000
--- a/examples/using_init_container/k8s-eks/Deployment.yaml
+++ /dev/null
@@ -1,71 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: example - namespace: default - labels: - app.kubernetes.io/name: example -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: example - template: - metadata: - labels: - app.kubernetes.io/name: example - spec: - serviceAccountName: example - containers: - - name: main - image: vsecm/example-using-init-container:0.26.2 - - initContainers: - # See `./register.sh` to register the workload and finalize - # this init container. - - name: init-container - image: vsecm/vsecm-ist-init-container:0.26.2 - volumeMounts: - # Volume mount for SPIRE unix domain socket. - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure VSecM Init Container by providing - # environment variables. - # - # See https://vsecm.com/configuration for more information - # about these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Init Container will assume the default values outlined in the given - # link above. - # - env: - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - name: VSECM_LOG_LEVEL - value: "7" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "spiffe://vsecm.com/workload/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_INIT_CONTAINER_POLL_INTERVAL - value: "5000" - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true 
diff --git a/examples/using_init_container/k8s-eks/Identity.yaml b/examples/using_init_container/k8s-eks/Identity.yaml deleted file mode 100644 index 06ef6948..00000000 --- a/examples/using_init_container/k8s-eks/Identity.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: example -spec: - className: "vsecm" - # SPIFFE ID `MUST` start with "spiffe://vsecm.com/workload/$workloadName/ns/" - # for `vsecm-safe` to recognize the workload and dispatch secrets to it. - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/example\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: example - workloadSelectorTemplates: - - "k8s:ns:default" - - "k8s:sa:example" diff --git a/examples/using_init_container/k8s-eks/Secret.yaml b/examples/using_init_container/k8s-eks/Secret.yaml deleted file mode 100644 index de021ff1..00000000 --- a/examples/using_init_container/k8s-eks/Secret.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - # The string after `vsecm-secret-` must match the workload's name. - # For example, this is an VSecM-managed secret for the workload named `example` - # with the SPIFFE ID - # `"spiffe://vsecm.com/workload/example\ - # /ns/{{ .PodMeta.Namespace }}\ - # /sa/{{ .PodSpec.ServiceAccountName }}\ - # /n/{{ .PodMeta.Name }}"` - name: vsecm-secret-example - namespace: default -type: Opaque diff --git a/examples/using_init_container/k8s-eks/ServiceAccount.yaml b/examples/using_init_container/k8s-eks/ServiceAccount.yaml deleted file mode 100644 index 548f20ac..00000000 --- a/examples/using_init_container/k8s-eks/ServiceAccount.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: example - namespace: default -automountServiceAccountToken: false diff --git a/examples/using_init_container/k8s-eks/image-override.yaml b/examples/using_init_container/k8s-eks/image-override.yaml deleted file mode 100644 index dc9e8a26..00000000 --- a/examples/using_init_container/k8s-eks/image-override.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: example - namespace: default -spec: - template: - spec: - containers: - - name: main - image: public.ecr.aws/h8y1n7y7/example-using-init-container:0.26.2 - initContainers: - - name: init-container - image: public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.26.2 diff --git a/examples/using_init_container/k8s-eks/kustomization.yaml b/examples/using_init_container/k8s-eks/kustomization.yaml deleted file mode 100644 index 9892008c..00000000 --- a/examples/using_init_container/k8s-eks/kustomization.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- Deployment.yaml -patches: -- path: image-override.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/examples/using_init_container/k8s/Deployment.yaml b/examples/using_init_container/k8s/Deployment.yaml index 876223de..b5d6e822 100644 --- a/examples/using_init_container/k8s/Deployment.yaml +++ b/examples/using_init_container/k8s/Deployment.yaml 
@@ -28,13 +28,13 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-init-container:0.26.2 + image: vsecm/example-using-init-container:latest initContainers: # See `./register.sh` to register the workload and finalize # this init container. - name: init-container - image: vsecm/vsecm-ist-init-container:0.26.2 + image: vsecm/vsecm-ist-init-container:latest volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket diff --git a/examples/using_init_container/k8s/image-override.yaml b/examples/using_init_container/k8s/image-override.yaml index f1fdd902..88aabb9d 100644 --- a/examples/using_init_container/k8s/image-override.yaml +++ b/examples/using_init_container/k8s/image-override.yaml @@ -18,7 +18,9 @@ spec: spec: containers: - name: main + # Change this, if you want to use a different image: image: localhost:5000/example-using-init-container:0.26.2 initContainers: - name: init-container + # Change this, if you want to use a different image: image: localhost:5000/vsecm-ist-init-container:0.26.2 diff --git a/examples/using_sdk_go/k8s-eks/Deployment.yaml b/examples/using_sdk_go/k8s-eks/Deployment.yaml deleted file mode 100644 index f4573f92..00000000 --- a/examples/using_sdk_go/k8s-eks/Deployment.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: example - namespace: default - labels: - app.kubernetes.io/name: example -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: example - template: - metadata: - labels: - app.kubernetes.io/name: example - spec: - serviceAccountName: example - containers: - - name: main - image: vsecm/example-using-sdk-go:0.26.2 - volumeMounts: - # Volume mount for SPIRE unix domain socket. - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure this workload by providing environment variables. - # - # See https://vsecm.com/configuration for more information - # about these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Safe will assume the default values outlined in the given link above. - # - env: - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - name: VSECM_LOG_LEVEL - value: "7" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "spiffe://vsecm.com/workload/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - volumes: - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true diff --git a/examples/using_sdk_go/k8s-eks/Identity.yaml b/examples/using_sdk_go/k8s-eks/Identity.yaml deleted file mode 100644 index 06ef6948..00000000 --- a/examples/using_sdk_go/k8s-eks/Identity.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: example -spec: - className: "vsecm" - # SPIFFE ID `MUST` start with "spiffe://vsecm.com/workload/$workloadName/ns/" - # for `vsecm-safe` to recognize the workload and dispatch secrets to it. - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/example\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: example - workloadSelectorTemplates: - - "k8s:ns:default" - - "k8s:sa:example" diff --git a/examples/using_sdk_go/k8s-eks/Secret.yaml b/examples/using_sdk_go/k8s-eks/Secret.yaml deleted file mode 100644 index de021ff1..00000000 --- a/examples/using_sdk_go/k8s-eks/Secret.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - # The string after `vsecm-secret-` must match the workload's name. - # For example, this is an VSecM-managed secret for the workload named `example` - # with the SPIFFE ID - # `"spiffe://vsecm.com/workload/example\ - # /ns/{{ .PodMeta.Namespace }}\ - # /sa/{{ .PodSpec.ServiceAccountName }}\ - # /n/{{ .PodMeta.Name }}"` - name: vsecm-secret-example - namespace: default -type: Opaque diff --git a/examples/using_sdk_go/k8s-eks/image-override.yaml b/examples/using_sdk_go/k8s-eks/image-override.yaml deleted file mode 100644 index 787dff86..00000000 
--- a/examples/using_sdk_go/k8s-eks/image-override.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: example - namespace: default -spec: - template: - spec: - containers: - - name: main - image: public.ecr.aws/h8y1n7y7/example-using-sdk-go:0.26.2 diff --git a/examples/using_sdk_go/k8s-eks/kustomization.yaml b/examples/using_sdk_go/k8s-eks/kustomization.yaml deleted file mode 100644 index 9892008c..00000000 --- a/examples/using_sdk_go/k8s-eks/kustomization.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- Deployment.yaml -patches: -- path: image-override.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/examples/using_sdk_go/k8s/Deployment.yaml b/examples/using_sdk_go/k8s/Deployment.yaml index f4573f92..5e2051bf 100644 --- a/examples/using_sdk_go/k8s/Deployment.yaml +++ b/examples/using_sdk_go/k8s/Deployment.yaml @@ -28,7 +28,7 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-sdk-go:0.26.2 + image: vsecm/example-using-sdk-go:latest volumeMounts: # Volume mount for SPIRE unix domain socket. - name: spire-agent-socket diff --git a/examples/using_sdk_go/k8s/image-override.yaml b/examples/using_sdk_go/k8s/image-override.yaml index 57e04822..87b800d6 100644 --- a/examples/using_sdk_go/k8s/image-override.yaml 
+++ b/examples/using_sdk_go/k8s/image-override.yaml
@@ -18,4 +18,5 @@ spec:
 spec:
 containers:
 - name: main
+ # Change this, if you want to use a different image
 image: localhost:5000/example-using-sdk-go:0.26.2
diff --git a/examples/using_sidecar/k8s-eks/Deployment.yaml b/examples/using_sidecar/k8s-eks/Deployment.yaml
deleted file mode 100644
index 346621fd..00000000
--- a/examples/using_sidecar/k8s-eks/Deployment.yaml
+++ /dev/null
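Review bot: The added comment `# Change this, if you want to use a different image` is missing the trailing colon that the identical comment carries in `examples/multiple_secrets/k8s/image-override.yaml` and `examples/using_init_container/k8s/image-override.yaml` in this same commit; make it `# Change this, if you want to use a different image:` so the three examples read the same. Since the line it annotates keeps the pinned `localhost:5000/example-using-sdk-go:0.26.2` while the base Deployment in this commit moves to `latest`, the comment could also say that this pinned override is the image actually deployed when the patch is applied, if that is how the local kustomization uses it.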
@@ -1,85 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: example - namespace: default - labels: - app.kubernetes.io/name: example -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: example - template: - metadata: - labels: - app.kubernetes.io/name: example - spec: - serviceAccountName: example - containers: - - name: main - image: vsecm/example-using-sidecar:0.26.2 - volumeMounts: - # `main` shares this volume with `sidecar`. - - mountPath: /opt/vsecm - name: vsecm-secrets-volume - - name: sidecar - image: vsecm/vsecm-ist-sidecar:0.26.2 - volumeMounts: - # /opt/vsecm/secrets.json is the place the secrets will be at. - - mountPath: /opt/vsecm - name: vsecm-secrets-volume - # Volume mount for SPIRE unix domain socket. - - name: spire-agent-socket - mountPath: /spire-agent-socket - readOnly: true - # - # You can configure this workload by providing environment variables. - # - # See https://vsecm.com/configuration for more information about - # these environment variables. - # - # When you don't explicitly provide env vars here, VMware Secrets Manager - # Safe will assume the default values outlined in the given link above. 
- # - env: - - name: SPIFFE_ENDPOINT_SOCKET - value: "unix:///spire-agent-socket/spire-agent.sock" - - name: VSECM_LOG_LEVEL - value: "7" - - name: VSECM_SPIFFEID_PREFIX_WORKLOAD - value: "spiffe://vsecm.com/workload/" - - name: VSECM_SPIFFEID_PREFIX_SAFE - value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/" - - name: VSECM_SIDECAR_POLL_INTERVAL - value: "5000" - - name: VSECM_SIDECAR_MAX_POLL_INTERVAL - value: "300000" - - name: VSECM_SIDECAR_EXPONENTIAL_BACKOFF_MULTIPLIER - value: "2" - - name: VSECM_SIDECAR_SUCCESS_THRESHOLD - value: "3" - - name: VSECM_SIDECAR_ERROR_THRESHOLD - value: "2" - volumes: - # A memory-backed volume is recommended (but not required) to keep - # the secrets. The secrets can be stored in any kind of volume. - - name: vsecm-secrets-volume - emptyDir: - medium: Memory - # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket - # ref: https://github.com/spiffe/spiffe-csi - - name: spire-agent-socket - csi: - driver: "csi.spiffe.io" - readOnly: true diff --git a/examples/using_sidecar/k8s-eks/Identity.yaml b/examples/using_sidecar/k8s-eks/Identity.yaml deleted file mode 100644 index 4cea3d90..00000000 --- a/examples/using_sidecar/k8s-eks/Identity.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: example -spec: - className: "vsecm" - # SPIFFE ID `MUST` start with "spiffe://vsecm.com/workload/$workloadName/ns/" - # for `safe` to recognize the workload and dispatch secrets to it. - spiffeIDTemplate: "spiffe://vsecm.com\ - /workload/example\ - /ns/{{ .PodMeta.Namespace }}\ - /sa/{{ .PodSpec.ServiceAccountName }}\ - /n/{{ .PodMeta.Name }}" - podSelector: - matchLabels: - app.kubernetes.io/name: example - workloadSelectorTemplates: - - "k8s:ns:default" - - "k8s:sa:example" diff --git a/examples/using_sidecar/k8s-eks/Secret.yaml b/examples/using_sidecar/k8s-eks/Secret.yaml deleted file mode 100644 index de021ff1..00000000 --- a/examples/using_sidecar/k8s-eks/Secret.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: Secret -metadata: - # The string after `vsecm-secret-` must match the workload's name. - # For example, this is an VSecM-managed secret for the workload named `example` - # with the SPIFFE ID - # `"spiffe://vsecm.com/workload/example\ - # /ns/{{ .PodMeta.Namespace }}\ - # /sa/{{ .PodSpec.ServiceAccountName }}\ - # /n/{{ .PodMeta.Name }}"` - name: vsecm-secret-example - namespace: default -type: Opaque diff --git a/examples/using_sidecar/k8s-eks/ServiceAccount.yaml b/examples/using_sidecar/k8s-eks/ServiceAccount.yaml deleted file mode 100644 index 548f20ac..00000000 
--- a/examples/using_sidecar/k8s-eks/ServiceAccount.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: example - namespace: default -automountServiceAccountToken: false diff --git a/examples/using_sidecar/k8s-eks/image-override.yaml b/examples/using_sidecar/k8s-eks/image-override.yaml deleted file mode 100644 index 03ae87ab..00000000 --- a/examples/using_sidecar/k8s-eks/image-override.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: example - namespace: default -spec: - template: - spec: - containers: - - name: main - image: public.ecr.aws/h8y1n7y7/example-using-sidecar:0.26.2 - - name: sidecar - image: public.ecr.aws/h8y1n7y7/vsecm-ist-sidecar:0.26.2 diff --git a/examples/using_sidecar/k8s-eks/kustomization.yaml b/examples/using_sidecar/k8s-eks/kustomization.yaml deleted file mode 100644 index 9892008c..00000000 --- a/examples/using_sidecar/k8s-eks/kustomization.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -# /* -# | Protect your secrets, protect your sensitive data. -# : Explore VMware Secrets Manager docs at https://vsecm.com/ -# / keep your secrets... secret -# >/ -# <>/' Copyright 2023-present VMware Secrets Manager contributors. -# >/' SPDX-License-Identifier: BSD-2-Clause -# */ - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- Deployment.yaml -patches: -- path: image-override.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/examples/using_sidecar/k8s/Deployment.yaml b/examples/using_sidecar/k8s/Deployment.yaml index 346621fd..6b7e9db0 100644 --- a/examples/using_sidecar/k8s/Deployment.yaml +++ b/examples/using_sidecar/k8s/Deployment.yaml @@ -28,13 +28,13 @@ spec: serviceAccountName: example containers: - name: main - image: vsecm/example-using-sidecar:0.26.2 + image: vsecm/example-using-sidecar:latest volumeMounts: # `main` shares this volume with `sidecar`. - mountPath: /opt/vsecm name: vsecm-secrets-volume - name: sidecar - image: vsecm/vsecm-ist-sidecar:0.26.2 + image: vsecm/vsecm-ist-sidecar:latest volumeMounts: # /opt/vsecm/secrets.json is the place the secrets will be at. - mountPath: /opt/vsecm diff --git a/examples/using_sidecar/k8s/image-override.yaml b/examples/using_sidecar/k8s/image-override.yaml index b17962bd..637f943d 100644 --- a/examples/using_sidecar/k8s/image-override.yaml +++ b/examples/using_sidecar/k8s/image-override.yaml @@ -18,6 +18,8 @@ spec: spec: containers: - name: main + # Change this, if you want to use a different image image: localhost:5000/example-using-sidecar:0.26.2 - name: sidecar + # Change this, if you want to use a different image image: localhost:5000/vsecm-ist-sidecar:0.26.2 diff --git a/examples/using_vsecm_inspector/Deployment.yaml b/examples/using_vsecm_inspector/Deployment.yaml index 2737bf8a..9199e42c 100644 --- a/examples/using_vsecm_inspector/Deployment.yaml +++ b/examples/using_vsecm_inspector/Deployment.yaml 
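Review bot: The new `image: vsecm/example-using-sidecar:latest` and `image: vsecm/vsecm-ist-sidecar:latest` lines in examples/using_sidecar/k8s/Deployment.yaml replace a pinned release tag with a mutable tag, so the example is no longer reproducible and whatever is pushed to `latest` next is what a user who copies this file runs. For a manifest meant to be copied, pin a release tag or, better, an image digest; the same switch is made in examples/using_vsecm_inspector/Deployment.yaml further down. If the intent is that the kustomize patch in image-override.yaml (which still pins `0.26.2` in this same commit) always supplies the effective image, a comment on these lines such as `# Placeholder; the effective image is set by image-override.yaml` would stop readers from deploying the base file as-is.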
@@ -28,7 +28,7 @@ spec: serviceAccountName: vsecm-inspector containers: - name: main - image: localhost:5000/vsecm-inspector:0.26.2 + image: localhost:5000/vsecm-inspector:latest volumeMounts: - name: spire-agent-socket mountPath: /spire-agent-socket diff --git a/helm-charts/0.26.2/charts/safe/templates/Secret.yaml b/helm-charts/0.26.2/charts/safe/templates/Secret.yaml index 7073ddbc..65adcc41 100644 --- a/helm-charts/0.26.2/charts/safe/templates/Secret.yaml +++ b/helm-charts/0.26.2/charts/safe/templates/Secret.yaml @@ -16,6 +16,8 @@ metadata: labels: {{- include "safe.labels" . | nindent 4 }} app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: {{ include "safe.serviceAccountName" . }} type: Opaque data: # '{}' (e30=) is a special placeholder to tell Safe that the Secret diff --git a/helm-charts/0.26.2/charts/safe/templates/ServiceAccount.yaml b/helm-charts/0.26.2/charts/safe/templates/ServiceAccount.yaml index f5ca50c6..9cd283cb 100644 --- a/helm-charts/0.26.2/charts/safe/templates/ServiceAccount.yaml +++ b/helm-charts/0.26.2/charts/safe/templates/ServiceAccount.yaml @@ -23,4 +23,6 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} automountServiceAccountToken: true +secrets: + - name: {{ .Values.rootKeySecretName }} {{- end }} diff --git a/examples/using_sdk_go/k8s-eks/ServiceAccount.yaml b/helm-charts/0.26.2/charts/sentinel/templates/Role.yaml similarity index 51% rename from examples/using_sdk_go/k8s-eks/ServiceAccount.yaml rename to helm-charts/0.26.2/charts/sentinel/templates/Role.yaml index 548f20ac..49c9e02c 100644 --- a/examples/using_sdk_go/k8s-eks/ServiceAccount.yaml +++ b/helm-charts/0.26.2/charts/sentinel/templates/Role.yaml 
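Review bot: The added `kubernetes.io/service-account.name` annotation on a `type: Opaque` Secret in helm-charts/0.26.2/charts/safe/templates/Secret.yaml is, as far as I can tell, inert: Kubernetes only acts on that annotation for Secrets of type `kubernetes.io/service-account-token`, and it plays no part in deciding which Secrets a ServiceAccount's pods may mount. If it is meant as a human-readable pointer to the owning account, a comment above it such as `# Informational only: records the ServiceAccount that consumes this Secret; mount access is governed by the ServiceAccount's secrets list` would prevent a later reader from assuming it grants anything. The same annotation is added to the sentinel Secret template and to every rendered manifest under k8s/0.26.2 in this commit.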
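Review bot: The added `secrets:` entry referencing `{{ .Values.rootKeySecretName }}` in helm-charts/0.26.2/charts/safe/templates/ServiceAccount.yaml is the list Kubernetes consults when `kubernetes.io/enforce-mountable-secrets: "true"` is set on the account (the rendered manifests in this commit show that annotation on the vsecm-safe ServiceAccount), so pods using this account are now limited to mounting the root-key Secret; that is worth stating in a comment, e.g. `# With enforce-mountable-secrets set, pods using this account may only mount Secrets listed here`. The rendered output also carries a `kubernetes.io/mountable-secrets` annotation naming the same Secret; I do not believe Kubernetes evaluates that key, so it now duplicates this list and could be dropped or documented as informational. The enclosing `{{- if }}` block of this template starts outside the hunk.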
@@ -8,9 +8,15 @@ # >/' SPDX-License-Identifier: BSD-2-Clause # */ -apiVersion: v1 -kind: ServiceAccount +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: - name: example - namespace: default -automountServiceAccountToken: false + name: vsecm-sentinel-secret-reader + namespace: {{ .Values.global.vsecm.namespace }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + resourceNames: ["vsecm-sentinel-init-secret"] + + diff --git a/helm-charts/0.26.2/charts/sentinel/templates/RoleBinding.yaml b/helm-charts/0.26.2/charts/sentinel/templates/RoleBinding.yaml new file mode 100644 index 00000000..70e8b8fc --- /dev/null +++ b/helm-charts/0.26.2/charts/sentinel/templates/RoleBinding.yaml @@ -0,0 +1,23 @@ +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-secrets + namespace: {{ .Values.global.vsecm.namespace }} +subjects: + - kind: ServiceAccount + name: {{ include "sentinel.serviceAccountName" . }} + namespace: {{ .Values.global.vsecm.namespace }} +roleRef: + kind: Role + name: vsecm-sentinel-secret-reader + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/helm-charts/0.26.2/charts/sentinel/templates/Secret.yaml b/helm-charts/0.26.2/charts/sentinel/templates/Secret.yaml index 1f651f1d..e882fd3e 100644 --- a/helm-charts/0.26.2/charts/sentinel/templates/Secret.yaml +++ b/helm-charts/0.26.2/charts/sentinel/templates/Secret.yaml 
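Review bot: In the new Role rule, `verbs: ["get", "list", "watch"]` combined with `resourceNames: ["vsecm-sentinel-init-secret"]` does not grant what it appears to: RBAC only matches a `list` or `watch` request against a rule carrying `resourceNames` when the request includes a `metadata.name` field selector, so a plain list/watch of Secrets by sentinel is denied, while `get` works as intended. If sentinel only reads the init Secret by name, shrink the rule to `verbs: ["get"]` for least privilege; if it genuinely watches the Secret, the client has to watch with a name field selector and a comment on the rule should say so. The two trailing empty `+` lines at the end of Role.yaml can also go. The same rule is repeated verbatim in the rendered manifests under k8s/0.26.2 below.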
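Review bot: The new RoleBinding is named `read-secrets` inside the shared `{{ .Values.global.vsecm.namespace }}`, whereas the Role it binds is `vsecm-sentinel-secret-reader`; an unprefixed name is easy to collide with another release or chart installed into the same namespace and says nothing about which workload it grants. Naming it after the Role, e.g. `name: vsecm-sentinel-secret-reader`, keeps the pair discoverable together. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.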
@@ -17,6 +17,8 @@ metadata: labels: {{- include "sentinel.labels" . | nindent 4 }} app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: {{ include "sentinel.serviceAccountName" . }} type: Opaque stringData: data: {{ .Values.initCommand.command | quote }} diff --git a/helm-charts/0.26.2/charts/sentinel/templates/ServiceAccount.yaml b/helm-charts/0.26.2/charts/sentinel/templates/ServiceAccount.yaml index 7e4b044d..c9d9bbe9 100644 --- a/helm-charts/0.26.2/charts/sentinel/templates/ServiceAccount.yaml +++ b/helm-charts/0.26.2/charts/sentinel/templates/ServiceAccount.yaml @@ -23,4 +23,6 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} automountServiceAccountToken: false +secrets: + - name: vsecm-sentinel-init-secret {{- end }} diff --git a/k8s/0.26.2/eks/vsecm-distroless-fips.yaml b/k8s/0.26.2/eks/vsecm-distroless-fips.yaml index 1b9d7784..09b77937 100644 --- a/k8s/0.26.2/eks/vsecm-distroless-fips.yaml +++ b/k8s/0.26.2/eks/vsecm-distroless-fips.yaml @@ -67,6 +67,8 @@ metadata: kubernetes.io/enforce-mountable-secrets: "true" kubernetes.io/mountable-secrets: vsecm-root-key automountServiceAccountToken: true +secrets: + - name: vsecm-root-key --- # Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml # /* @@ -95,6 +97,8 @@ metadata: kubernetes.io/enforce-mountable-secrets: "true" kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret automountServiceAccountToken: false +secrets: + - name: vsecm-sentinel-init-secret --- # Source: vsecm/charts/safe/templates/Secret.yaml # /* @@ -120,6 +124,8 @@ metadata: app.kubernetes.io/version: "0.26.2" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-safe type: Opaque data: # '{}' (e30=) is a special placeholder to tell Safe that the Secret 
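Review bot: The added `- name: vsecm-sentinel-init-secret` in helm-charts/0.26.2/charts/sentinel/templates/ServiceAccount.yaml hard-codes the Secret name, and the Role in the same commit hard-codes it again in `resourceNames`, while the safe chart's ServiceAccount reads `{{ .Values.rootKeySecretName }}`. If the sentinel Secret's name is, or later becomes, configurable, the copies will drift apart and both the mountable-secrets enforcement and the RBAC rule will silently stop matching; a single values entry analogous to `rootKeySecretName`, referenced from both templates, would keep them in step. The enclosing `{{- if }}` block of this template starts outside the hunk.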
@@ -149,6 +155,8 @@ metadata: app.kubernetes.io/version: "0.26.2" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-sentinel type: Opaque stringData: data: "exit:true\n--\n" @@ -268,6 +276,53 @@ roleRef: # ## --- +# Source: vsecm/charts/sentinel/templates/Role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vsecm-sentinel-secret-reader + namespace: vsecm-system +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + resourceNames: ["vsecm-sentinel-init-secret"] +--- +# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-secrets + namespace: vsecm-system +subjects: + - kind: ServiceAccount + name: vsecm-sentinel + namespace: vsecm-system +roleRef: + kind: Role + name: vsecm-sentinel-secret-reader + apiGroup: rbac.authorization.k8s.io +--- # Source: vsecm/charts/safe/templates/Service.yaml # /* # | Protect your secrets, protect your sensitive data. diff --git a/k8s/0.26.2/eks/vsecm-distroless.yaml b/k8s/0.26.2/eks/vsecm-distroless.yaml index f26776b6..f7822bdd 100644 --- a/k8s/0.26.2/eks/vsecm-distroless.yaml +++ b/k8s/0.26.2/eks/vsecm-distroless.yaml 
@@ -67,6 +67,8 @@ metadata: kubernetes.io/enforce-mountable-secrets: "true" kubernetes.io/mountable-secrets: vsecm-root-key automountServiceAccountToken: true +secrets: + - name: vsecm-root-key --- # Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml # /* @@ -95,6 +97,8 @@ metadata: kubernetes.io/enforce-mountable-secrets: "true" kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret automountServiceAccountToken: false +secrets: + - name: vsecm-sentinel-init-secret --- # Source: vsecm/charts/safe/templates/Secret.yaml # /* @@ -120,6 +124,8 @@ metadata: app.kubernetes.io/version: "0.26.2" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-safe type: Opaque data: # '{}' (e30=) is a special placeholder to tell Safe that the Secret @@ -149,6 +155,8 @@ metadata: app.kubernetes.io/version: "0.26.2" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-sentinel type: Opaque stringData: data: "exit:true\n--\n" 
@@ -268,6 +276,53 @@ roleRef: # ## --- +# Source: vsecm/charts/sentinel/templates/Role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vsecm-sentinel-secret-reader + namespace: vsecm-system +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + resourceNames: ["vsecm-sentinel-init-secret"] +--- +# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-secrets + namespace: vsecm-system +subjects: + - kind: ServiceAccount + name: vsecm-sentinel + namespace: vsecm-system +roleRef: + kind: Role + name: vsecm-sentinel-secret-reader + apiGroup: rbac.authorization.k8s.io +--- # Source: vsecm/charts/safe/templates/Service.yaml # /* # | Protect your secrets, protect your sensitive data. diff --git a/k8s/0.26.2/local/vsecm-distroless-fips.yaml b/k8s/0.26.2/local/vsecm-distroless-fips.yaml index a913c1cf..72410516 100644 --- a/k8s/0.26.2/local/vsecm-distroless-fips.yaml +++ b/k8s/0.26.2/local/vsecm-distroless-fips.yaml @@ -67,6 +67,8 @@ metadata: kubernetes.io/enforce-mountable-secrets: "true" kubernetes.io/mountable-secrets: vsecm-root-key automountServiceAccountToken: true +secrets: + - name: vsecm-root-key --- # Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml # /* 
@@ -95,6 +97,8 @@ metadata: kubernetes.io/enforce-mountable-secrets: "true" kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret automountServiceAccountToken: false +secrets: + - name: vsecm-sentinel-init-secret --- # Source: vsecm/charts/safe/templates/Secret.yaml # /* @@ -120,6 +124,8 @@ metadata: app.kubernetes.io/version: "0.26.2" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-safe type: Opaque data: # '{}' (e30=) is a special placeholder to tell Safe that the Secret @@ -149,6 +155,8 @@ metadata: app.kubernetes.io/version: "0.26.2" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-sentinel type: Opaque stringData: data: "exit:true\n--\n" 
@@ -268,6 +276,53 @@ roleRef: # ## --- +# Source: vsecm/charts/sentinel/templates/Role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vsecm-sentinel-secret-reader + namespace: vsecm-system +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + resourceNames: ["vsecm-sentinel-init-secret"] +--- +# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-secrets + namespace: vsecm-system +subjects: + - kind: ServiceAccount + name: vsecm-sentinel + namespace: vsecm-system +roleRef: + kind: Role + name: vsecm-sentinel-secret-reader + apiGroup: rbac.authorization.k8s.io +--- # Source: vsecm/charts/safe/templates/Service.yaml # /* # | Protect your secrets, protect your sensitive data. diff --git a/k8s/0.26.2/local/vsecm-distroless.yaml b/k8s/0.26.2/local/vsecm-distroless.yaml index 4257a23f..b6d98968 100644 --- a/k8s/0.26.2/local/vsecm-distroless.yaml +++ b/k8s/0.26.2/local/vsecm-distroless.yaml @@ -67,6 +67,8 @@ metadata: kubernetes.io/enforce-mountable-secrets: "true" kubernetes.io/mountable-secrets: vsecm-root-key automountServiceAccountToken: true +secrets: + - name: vsecm-root-key --- # Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml # /* 
@@ -95,6 +97,8 @@ metadata: kubernetes.io/enforce-mountable-secrets: "true" kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret automountServiceAccountToken: false +secrets: + - name: vsecm-sentinel-init-secret --- # Source: vsecm/charts/safe/templates/Secret.yaml # /* @@ -120,6 +124,8 @@ metadata: app.kubernetes.io/version: "0.26.2" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-safe type: Opaque data: # '{}' (e30=) is a special placeholder to tell Safe that the Secret @@ -149,6 +155,8 @@ metadata: app.kubernetes.io/version: "0.26.2" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-sentinel type: Opaque stringData: data: "exit:true\n--\n" 
@@ -268,6 +276,53 @@ roleRef: # ## --- +# Source: vsecm/charts/sentinel/templates/Role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vsecm-sentinel-secret-reader + namespace: vsecm-system +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + resourceNames: ["vsecm-sentinel-init-secret"] +--- +# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-secrets + namespace: vsecm-system +subjects: + - kind: ServiceAccount + name: vsecm-sentinel + namespace: vsecm-system +roleRef: + kind: Role + name: vsecm-sentinel-secret-reader + apiGroup: rbac.authorization.k8s.io +--- # Source: vsecm/charts/safe/templates/Service.yaml # /* # | Protect your secrets, protect your sensitive data. diff --git a/k8s/0.26.2/remote/vsecm-distroless-fips.yaml b/k8s/0.26.2/remote/vsecm-distroless-fips.yaml index 167552c7..4a638950 100644 --- a/k8s/0.26.2/remote/vsecm-distroless-fips.yaml +++ b/k8s/0.26.2/remote/vsecm-distroless-fips.yaml @@ -67,6 +67,8 @@ metadata: kubernetes.io/enforce-mountable-secrets: "true" kubernetes.io/mountable-secrets: vsecm-root-key automountServiceAccountToken: true +secrets: + - name: vsecm-root-key --- # Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml # /* 
@@ -95,6 +97,8 @@ metadata: kubernetes.io/enforce-mountable-secrets: "true" kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret automountServiceAccountToken: false +secrets: + - name: vsecm-sentinel-init-secret --- # Source: vsecm/charts/safe/templates/Secret.yaml # /* @@ -120,6 +124,8 @@ metadata: app.kubernetes.io/version: "0.26.2" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-safe type: Opaque data: # '{}' (e30=) is a special placeholder to tell Safe that the Secret @@ -149,6 +155,8 @@ metadata: app.kubernetes.io/version: "0.26.2" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-sentinel type: Opaque stringData: data: "exit:true\n--\n" 
@@ -268,6 +276,53 @@ roleRef: # ## --- +# Source: vsecm/charts/sentinel/templates/Role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vsecm-sentinel-secret-reader + namespace: vsecm-system +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + resourceNames: ["vsecm-sentinel-init-secret"] +--- +# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-secrets + namespace: vsecm-system +subjects: + - kind: ServiceAccount + name: vsecm-sentinel + namespace: vsecm-system +roleRef: + kind: Role + name: vsecm-sentinel-secret-reader + apiGroup: rbac.authorization.k8s.io +--- # Source: vsecm/charts/safe/templates/Service.yaml # /* # | Protect your secrets, protect your sensitive data. diff --git a/k8s/0.26.2/remote/vsecm-distroless.yaml b/k8s/0.26.2/remote/vsecm-distroless.yaml index 96287ebd..a0836362 100644 --- a/k8s/0.26.2/remote/vsecm-distroless.yaml +++ b/k8s/0.26.2/remote/vsecm-distroless.yaml @@ -67,6 +67,8 @@ metadata: kubernetes.io/enforce-mountable-secrets: "true" kubernetes.io/mountable-secrets: vsecm-root-key automountServiceAccountToken: true +secrets: + - name: vsecm-root-key --- # Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml # /* 
@@ -95,6 +97,8 @@ metadata: kubernetes.io/enforce-mountable-secrets: "true" kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret automountServiceAccountToken: false +secrets: + - name: vsecm-sentinel-init-secret --- # Source: vsecm/charts/safe/templates/Secret.yaml # /* @@ -120,6 +124,8 @@ metadata: app.kubernetes.io/version: "0.26.2" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-safe type: Opaque data: # '{}' (e30=) is a special placeholder to tell Safe that the Secret @@ -149,6 +155,8 @@ metadata: app.kubernetes.io/version: "0.26.2" app.kubernetes.io/managed-by: Helm app.kubernetes.io/operated-by: vsecm + annotations: + kubernetes.io/service-account.name: vsecm-sentinel type: Opaque stringData: data: "exit:true\n--\n" 
@@ -268,6 +276,53 @@ roleRef: # ## --- +# Source: vsecm/charts/sentinel/templates/Role.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vsecm-sentinel-secret-reader + namespace: vsecm-system +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + resourceNames: ["vsecm-sentinel-init-secret"] +--- +# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml +# /* +# | Protect your secrets, protect your sensitive data. +# : Explore VMware Secrets Manager docs at https://vsecm.com/ +# / keep your secrets... secret +# >/ +# <>/' Copyright 2023-present VMware Secrets Manager contributors. +# >/' SPDX-License-Identifier: BSD-2-Clause +# */ + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-secrets + namespace: vsecm-system +subjects: + - kind: ServiceAccount + name: vsecm-sentinel + namespace: vsecm-system +roleRef: + kind: Role + name: vsecm-sentinel-secret-reader + apiGroup: rbac.authorization.k8s.io +--- # Source: vsecm/charts/safe/templates/Service.yaml # /* # | Protect your secrets, protect your sensitive data.