Added a new use case (#1094)

* testing a new use case

Signed-off-by: Volkan Özçelik <[email protected]>

* fix

Signed-off-by: Volkan Özçelik <[email protected]>

* mod change

Signed-off-by: Volkan Özçelik <[email protected]>

* fix

Signed-off-by: Volkan Özçelik <[email protected]>

---------

Signed-off-by: Volkan Özçelik <[email protected]>

examples/using_init_container_with_k8s_secrets/create-secret.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# /*
+# |    Protect your secrets, protect your sensitive data.
+# :    Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/  keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/'  SPDX-License-Identifier: BSD-2-Clause
+# */
+
+SENTINEL=$(kubectl get po -n vsecm-system \
+  | grep "vsecm-sentinel-" | awk '{print $1}')
+
+kubectl exec "$SENTINEL" -n vsecm-system -- safe \
+  -w "k8s:vsecm-secret-example" \
+  -n "default" \
+  -s '{"username": "root", "password": "KeepUrS8crts", "secret": "VSecMRocks"}'

examples/using_init_container_with_k8s_secrets/deploy.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+# /*
+# |    Protect your secrets, protect your sensitive data.
+# :    Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/  keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/'  SPDX-License-Identifier: BSD-2-Clause
+# */
+
+kubectl apply -f ./k8s/ServiceAccount.yaml
+kubectl apply -f ./k8s/Deployment.yaml
+kubectl apply -f ./k8s/Identity.yaml

examples/using_init_container_with_k8s_secrets/k8s/Deployment.yaml

@@ -0,0 +1,86 @@
+# /*
+# |    Protect your secrets, protect your sensitive data.
+# :    Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/  keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/'  SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: example
+  namespace: default
+  labels:
+    app.kubernetes.io/name: example
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: example
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: example
+    spec:
+      serviceAccountName: example
+      containers:
+      - name: main
+        image: vsecm/example-using-init-container:latest
+        env:
+        - name: USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: vsecm-secret-example
+              key: username
+        - name: PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: vsecm-secret-example
+              key: password
+        - name: SECRET
+          valueFrom:
+            secretKeyRef:
+              name: vsecm-secret-example
+              key: secret
+      initContainers:
+      # See `./register.sh` to register the workload and finalize
+      # this init container.
+      - name: init-container
+        image: vsecm/vsecm-ist-init-container:latest
+        volumeMounts:
+        # Volume mount for SPIRE unix domain socket.
+        - name: spire-agent-socket
+          mountPath: /spire-agent-socket
+          readOnly: true
+        #
+        # You can configure VSecM Init Container by providing
+        # environment variables.
+        #
+        # See https://vsecm.com/configuration for more information
+        # about these environment variables.
+        #
+        # When you don't explicitly provide env vars here, VMware Secrets Manager
+        # Init Container will assume the default values outlined in the given
+        # link above.
+        #
+        env:
+        - name: SPIFFE_ENDPOINT_SOCKET
+          value: "unix:///spire-agent-socket/spire-agent.sock"
+        - name: VSECM_LOG_LEVEL
+          value: "7"
+        - name: VSECM_SPIFFEID_PREFIX_WORKLOAD
+          value: "spiffe://vsecm.com/workload/"
+        - name: VSECM_SPIFFEID_PREFIX_SAFE
+          value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/"
+        - name: VSECM_INIT_CONTAINER_POLL_INTERVAL
+          value: "5000"
+      volumes:
+      # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket
+      # ref: https://github.com/spiffe/spiffe-csi
+      - name: spire-agent-socket
+        csi:
+          driver: "csi.spiffe.io"
+          readOnly: true

examples/using_init_container_with_k8s_secrets/k8s/Identity.yaml

@@ -0,0 +1,29 @@
+# /*
+# |    Protect your secrets, protect your sensitive data.
+# :    Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/  keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/'  SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterSPIFFEID
+metadata:
+  name: example
+spec:
+  className: "vsecm"
+  # SPIFFE ID `MUST` start with "spiffe://vsecm.com/workload/$workloadName/ns/"
+  # for `vsecm-safe` to recognize the workload and dispatch secrets to it.
+  spiffeIDTemplate: "spiffe://vsecm.com\
+    /workload/example\
+    /ns/{{ .PodMeta.Namespace }}\
+    /sa/{{ .PodSpec.ServiceAccountName }}\
+    /n/{{ .PodMeta.Name }}"
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: example
+  workloadSelectorTemplates:
+  - "k8s:ns:default"
+  - "k8s:sa:example"

examples/using_init_container_with_k8s_secrets/k8s/ServiceAccount.yaml

@@ -0,0 +1,16 @@
+# /*
+# |    Protect your secrets, protect your sensitive data.
+# :    Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/  keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/'  SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: example
+  namespace: default
+automountServiceAccountToken: false

examples/using_init_container_with_k8s_secrets/k8s/image-override.yaml

@@ -0,0 +1,26 @@
+# /*
+# |    Protect your secrets, protect your sensitive data.
+# :    Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/  keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/'  SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: example
+  namespace: default
+spec:
+  template:
+    spec:
+      containers:
+      - name: main
+        # Change this, if you want to use a different image:
+        image: vsecm/example-using-init-container:latest
+      initContainers:
+      - name: init-container
+        # Change this, if you want to use a different image:
+        image: vsecm/vsecm-ist-init-container:latest

examples/using_init_container_with_k8s_secrets/k8s/kustomization.yaml

@@ -0,0 +1,18 @@
+# /*
+# |    Protect your secrets, protect your sensitive data.
+# :    Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/  keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/'  SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- Deployment.yaml
+patches:
+- path: image-override.yaml
+generatorOptions:
+  disableNameSuffixHash: true

examples/using_init_container_with_k8s_secrets/trigger-init-container.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# /*
+# |    Protect your secrets, protect your sensitive data.
+# :    Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/  keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/'  SPDX-License-Identifier: BSD-2-Clause
+# */
+
+SENTINEL=$(kubectl get po -n vsecm-system \
+  | grep "vsecm-sentinel-" | awk '{print $1}')
+
+kubectl exec "$SENTINEL" -n vsecm-system -- safe \
+  -w "example" \
+  -n "default" \
+  -s "trigger-init"

hack/inspector-deploy.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+# /*
+# |    Protect your secrets, protect your sensitive data.
+# :    Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/  keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/'  SPDX-License-Identifier: BSD-2-Clause
+# */
+
+cd ./examples/using_vsecm_inspector || exit
+
+k apply -f .

makefiles/VSecMInspector.mk

@@ -8,22 +8,26 @@
 # >/'  SPDX-License-Identifier: BSD-2-Clause
 # */
 
-# Packages the "Inspector" binary into a container image.
+# Packages the "VSecM Inspector" binary into a container image.
 inspector-bundle:
 	./hack/bundle.sh "vsecm-inspector" \
 		$(VERSION) "dockerfiles/util/inspector.Dockerfile"
 
-# Pushes the "Inspector" container image to the public registry.
+# Pushes the "VSecM Inspector" container image to the public registry.
 inspector-push:
 	./hack/push.sh "vsecm-inspector" \
 		$(VERSION) "$(VSECM_DOCKERHUB_REGISTRY_URL)/vsecm-inspector"
 
-# Pushes the "Inspector" container image to the public EKS registry.
+# Pushes the "VSecM Inspector" container image to the public EKS registry.
 inspector-push-eks:
 	./hack/push.sh "vsecm-inspector" $(VERSION) \
 		"$(VSECM_EKS_REGISTRY_URL)/vsecm-inspector"
 
-# Pushes the "Inspector" container image to the local registry.
+# Pushes the "VSecM Inspector" container image to the local registry.
 inspector-push-local:
 	./hack/push.sh "vsecm-inspector" $(VERSION) \
 		"$(VSECM_LOCAL_REGISTRY_URL)/vsecm-inspector"
+
+# Deploys the "VSecM Inspector" app from the public registry into the cluster.
+inspector-deploy:
+	./hack/inspector-deploy.sh