From be81fcb2cf883a1e50087684dd40911de89dc96d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20=C3=96z=C3=A7elik?= Date: Wed, 7 Aug 2024 22:42:04 -0700 Subject: [PATCH] Added a new use case (#1094) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * testing a new use case Signed-off-by: Volkan Özçelik * fix Signed-off-by: Volkan Özçelik * mod change Signed-off-by: Volkan Özçelik * fix Signed-off-by: Volkan Özçelik --------- Signed-off-by: Volkan Özçelik
---
 .../create-secret.sh | 19 ++++ .../deploy.sh | 15 ++++ .../k8s/Deployment.yaml | 86 +++++++++++++++++++ .../k8s/Identity.yaml | 29 +++++++ .../k8s/ServiceAccount.yaml | 16 ++++ .../k8s/image-override.yaml | 26 ++++++ .../k8s/kustomization.yaml | 18 ++++ .../trigger-init-container.sh | 19 ++++ hack/inspector-deploy.sh | 15 ++++ makefiles/VSecMInspector.mk | 12 ++- 10 files changed, 251 insertions(+), 4 deletions(-) create mode 100755 examples/using_init_container_with_k8s_secrets/create-secret.sh create mode 100755 examples/using_init_container_with_k8s_secrets/deploy.sh create mode 100644 examples/using_init_container_with_k8s_secrets/k8s/Deployment.yaml create mode 100644 examples/using_init_container_with_k8s_secrets/k8s/Identity.yaml create mode 100644 examples/using_init_container_with_k8s_secrets/k8s/ServiceAccount.yaml create mode 100644 examples/using_init_container_with_k8s_secrets/k8s/image-override.yaml create mode 100644 examples/using_init_container_with_k8s_secrets/k8s/kustomization.yaml create mode 100755 examples/using_init_container_with_k8s_secrets/trigger-init-container.sh create mode 100755 hack/inspector-deploy.sh
diff --git a/examples/using_init_container_with_k8s_secrets/create-secret.sh b/examples/using_init_container_with_k8s_secrets/create-secret.sh
new file mode 100755
index 00000000..356362ff
--- /dev/null
+++ b/examples/using_init_container_with_k8s_secrets/create-secret.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# / keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+SENTINEL=$(kubectl get po -n vsecm-system \
+ | grep "vsecm-sentinel-" | awk '{print $1}')
+
+kubectl exec "$SENTINEL" -n vsecm-system -- safe \
+ -w "k8s:vsecm-secret-example" \
+ -n "default" \
+ -s '{"username": "root", "password": "KeepUrS8crts", "secret": "VSecMRocks"}'
diff --git a/examples/using_init_container_with_k8s_secrets/deploy.sh b/examples/using_init_container_with_k8s_secrets/deploy.sh
new file mode 100755
index 00000000..a2ac2f98
--- /dev/null
+++ b/examples/using_init_container_with_k8s_secrets/deploy.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# / keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+kubectl apply -f ./k8s/ServiceAccount.yaml
+kubectl apply -f ./k8s/Deployment.yaml
+kubectl apply -f ./k8s/Identity.yaml
diff --git a/examples/using_init_container_with_k8s_secrets/k8s/Deployment.yaml b/examples/using_init_container_with_k8s_secrets/k8s/Deployment.yaml
new file mode 100644
index 00000000..a1fd2406
--- /dev/null
+++ b/examples/using_init_container_with_k8s_secrets/k8s/Deployment.yaml
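Review bot: `SENTINEL` is never checked before it is passed to `kubectl exec`, so when no `vsecm-sentinel-` pod is listed the script runs `kubectl exec ""` and fails with a confusing error, and when more than one pod matches, `awk '{print $1}'` yields a newline-separated list that is passed as a single pod name. A guard after the assignment, `[ -n "$SENTINEL" ] || { echo "vsecm-sentinel pod not found in vsecm-system" >&2; exit 1; }`, together with `set -euo pipefail` after the shebang, makes the failure explicit; `trigger-init-container.sh` later in this patch resolves the sentinel pod the same way and needs the same guard. The credentials in the `-s` payload are sample values for the example; a comment such as `# Sample values for the example only; replace them before reusing this script.` would keep them from being copied unchanged.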
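Review bot: The three `kubectl apply -f ./k8s/...` calls resolve paths against the caller's working directory, so the script only works when run from inside the example directory, and without `set -e` a failed apply does not stop the following ones. Adding `set -e` and `cd "$(dirname "$0")" || exit 1` after the banner fixes both. Note also that `k8s/kustomization.yaml` in this patch carries an `image-override.yaml` patch that this script never applies, because it applies the raw manifests rather than `kubectl apply -k ./k8s`; if the override is meant to take effect, switch to `-k`, otherwise a comment stating that the kustomization is only used for image overrides would avoid the confusion.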
@@ -0,0 +1,86 @@
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# / keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: example
+ namespace: default
+ labels:
+ app.kubernetes.io/name: example
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: example
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: example
+ spec:
+ serviceAccountName: example
+ containers:
+ - name: main
+ image: vsecm/example-using-init-container:latest
+ env:
+ - name: USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: vsecm-secret-example
+ key: username
+ - name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: vsecm-secret-example
+ key: password
+ - name: SECRET
+ valueFrom:
+ secretKeyRef:
+ name: vsecm-secret-example
+ key: secret
+ initContainers:
+ # See `./register.sh` to register the workload and finalize
+ # this init container.
+ - name: init-container
+ image: vsecm/vsecm-ist-init-container:latest
+ volumeMounts:
+ # Volume mount for SPIRE unix domain socket.
+ - name: spire-agent-socket
+ mountPath: /spire-agent-socket
+ readOnly: true
+ #
+ # You can configure VSecM Init Container by providing
+ # environment variables.
+ #
+ # See https://vsecm.com/configuration for more information
+ # about these environment variables.
+ #
+ # When you don't explicitly provide env vars here, VMware Secrets Manager
+ # Init Container will assume the default values outlined in the given
+ # link above.
+ #
+ env:
+ - name: SPIFFE_ENDPOINT_SOCKET
+ value: "unix:///spire-agent-socket/spire-agent.sock"
+ - name: VSECM_LOG_LEVEL
+ value: "7"
+ - name: VSECM_SPIFFEID_PREFIX_WORKLOAD
+ value: "spiffe://vsecm.com/workload/"
+ - name: VSECM_SPIFFEID_PREFIX_SAFE
+ value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/"
+ - name: VSECM_INIT_CONTAINER_POLL_INTERVAL
+ value: "5000"
+ volumes:
+ # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket
+ # ref: https://github.com/spiffe/spiffe-csi
+ - name: spire-agent-socket
+ csi:
+ driver: "csi.spiffe.io"
+ readOnly: true
diff --git a/examples/using_init_container_with_k8s_secrets/k8s/Identity.yaml b/examples/using_init_container_with_k8s_secrets/k8s/Identity.yaml
new file mode 100644
index 00000000..06ef6948
--- /dev/null
+++ b/examples/using_init_container_with_k8s_secrets/k8s/Identity.yaml
@@ -0,0 +1,29 @@
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# / keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterSPIFFEID
+metadata:
+ name: example
+spec:
+ className: "vsecm"
+ # SPIFFE ID `MUST` start with "spiffe://vsecm.com/workload/$workloadName/ns/"
+ # for `vsecm-safe` to recognize the workload and dispatch secrets to it.
+ spiffeIDTemplate: "spiffe://vsecm.com\
+ /workload/example\
+ /ns/{{ .PodMeta.Namespace }}\
+ /sa/{{ .PodSpec.ServiceAccountName }}\
+ /n/{{ .PodMeta.Name }}"
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: example
+ workloadSelectorTemplates:
+ - "k8s:ns:default"
+ - "k8s:sa:example"
diff --git a/examples/using_init_container_with_k8s_secrets/k8s/ServiceAccount.yaml b/examples/using_init_container_with_k8s_secrets/k8s/ServiceAccount.yaml
new file mode 100644
index 00000000..548f20ac
--- /dev/null
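Review bot: The init-container comment `# See ./register.sh to register the workload and finalize this init container.` points at a script that this example does not contain; the patch adds `trigger-init-container.sh` for that step, so the comment should read `# See ./trigger-init-container.sh to finalize this init container once the secret has been registered.` The `main` container references `vsecm/example-using-init-container:latest` with no `imagePullPolicy`, no resource limits and no `securityContext`, which is acceptable for an example but worth a one-line comment so readers who copy the manifest know those are cluster defaults rather than recommendations. `VSECM_LOG_LEVEL` is set to `"7"`; a comment saying this is a deliberately verbose example setting, with a pointer to the default on https://vsecm.com/configuration, would stop it being carried into real deployments unchanged.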
+++ b/examples/using_init_container_with_k8s_secrets/k8s/ServiceAccount.yaml
@@ -0,0 +1,16 @@
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# / keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: example
+ namespace: default
+automountServiceAccountToken: false
diff --git a/examples/using_init_container_with_k8s_secrets/k8s/image-override.yaml b/examples/using_init_container_with_k8s_secrets/k8s/image-override.yaml
new file mode 100644
index 00000000..834dc1fb
--- /dev/null
+++ b/examples/using_init_container_with_k8s_secrets/k8s/image-override.yaml
@@ -0,0 +1,26 @@
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# / keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: example
+ namespace: default
+spec:
+ template:
+ spec:
+ containers:
+ - name: main
+ # Change this, if you want to use a different image:
+ image: vsecm/example-using-init-container:latest
+ initContainers:
+ - name: init-container
+ # Change this, if you want to use a different image:
+ image: vsecm/vsecm-ist-init-container:latest
diff --git a/examples/using_init_container_with_k8s_secrets/k8s/kustomization.yaml b/examples/using_init_container_with_k8s_secrets/k8s/kustomization.yaml
new file mode 100644
index 00000000..9892008c
--- /dev/null
+++ b/examples/using_init_container_with_k8s_secrets/k8s/kustomization.yaml
@@ -0,0 +1,18 @@
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# / keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- Deployment.yaml
+patches:
+- path: image-override.yaml
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/examples/using_init_container_with_k8s_secrets/trigger-init-container.sh b/examples/using_init_container_with_k8s_secrets/trigger-init-container.sh
new file mode 100755
index 00000000..95cf0e18
--- /dev/null
+++ b/examples/using_init_container_with_k8s_secrets/trigger-init-container.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# / keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+SENTINEL=$(kubectl get po -n vsecm-system \
+ | grep "vsecm-sentinel-" | awk '{print $1}')
+
+kubectl exec "$SENTINEL" -n vsecm-system -- safe \
+ -w "example" \
+ -n "default" \
+ -s "trigger-init"
diff --git a/hack/inspector-deploy.sh b/hack/inspector-deploy.sh
new file mode 100755
index 00000000..b75f32d0
--- /dev/null
+++ b/hack/inspector-deploy.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# / keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+cd ./examples/using_vsecm_inspector || exit
+
+k apply -f .
diff --git a/makefiles/VSecMInspector.mk b/makefiles/VSecMInspector.mk
index 0097dd72..ca886201 100644
--- a/makefiles/VSecMInspector.mk
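Review bot: `resources:` lists only `Deployment.yaml`, so `kubectl apply -k` on this directory creates a Deployment whose `serviceAccountName: example` refers to a ServiceAccount that is never created, and registers no `ClusterSPIFFEID`; pod creation will likely be rejected until that ServiceAccount exists, and `deploy.sh` in this patch applies all three manifests individually, so the two entry points disagree. Unless the kustomization is only meant to feed the image override into some other pipeline, add `- ServiceAccount.yaml` and `- Identity.yaml` under `resources:`. `generatorOptions` has no generator in this file to act on; either drop it or comment it as reserved for a later secret or configmap generator.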
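Review bot: `k apply -f .` depends on `k` being resolvable from a non-interactive bash script; shell aliases such as `alias k=kubectl` are not expanded in scripts, so this only works where a `k` binary or symlink is on PATH. Use `kubectl apply -f .`, as the other scripts in this patch do. The `cd ./examples/using_vsecm_inspector` path assumes the script is invoked from the repository root, which is the case for the `inspector-deploy` make target that calls it; a comment stating that, `# Run from the repository root (invoked by make inspector-deploy).`, makes the assumption explicit.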
+++ b/makefiles/VSecMInspector.mk
@@ -8,22 +8,26 @@
 # >/' SPDX-License-Identifier: BSD-2-Clause
 # */
-# Packages the "Inspector" binary into a container image.
+# Packages the "VSecM Inspector" binary into a container image.
 inspector-bundle:
 ./hack/bundle.sh "vsecm-inspector" \
 $(VERSION) "dockerfiles/util/inspector.Dockerfile"
-# Pushes the "Inspector" container image to the public registry.
+# Pushes the "VSecM Inspector" container image to the public registry.
 inspector-push:
 ./hack/push.sh "vsecm-inspector" \
 $(VERSION) "$(VSECM_DOCKERHUB_REGISTRY_URL)/vsecm-inspector"
-# Pushes the "Inspector" container image to the public EKS registry.
+# Pushes the "VSecM Inspector" container image to the public EKS registry.
 inspector-push-eks:
 ./hack/push.sh "vsecm-inspector" $(VERSION) \
 "$(VSECM_EKS_REGISTRY_URL)/vsecm-inspector"
-# Pushes the "Inspector" container image to the local registry.
+# Pushes the "VSecM Inspector" container image to the local registry.
 inspector-push-local:
 ./hack/push.sh "vsecm-inspector" $(VERSION) \
 "$(VSECM_LOCAL_REGISTRY_URL)/vsecm-inspector"
+
+# Deploys the "VSecM Inspector" app from the public registry into the cluster.
+inspector-deploy:
+ ./hack/inspector-deploy.sh
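Review bot: `inspector-deploy` produces no file, so unless it is declared phony elsewhere (none of the existing `inspector-*` targets in this hunk are declared in it either, so the declaration may live in the top-level Makefile) a file or directory named `inspector-deploy` in the repository root would make `make inspector-deploy` report it as up to date and skip the deployment; add `.PHONY: inspector-deploy` next to the rule, or append it to the file's existing `.PHONY` list. The comment says the app is deployed "from the public registry", but `./hack/inspector-deploy.sh` only applies whatever manifests sit in `examples/using_vsecm_inspector`, and the image source is decided there; `# Deploys the "VSecM Inspector" example manifests (examples/using_vsecm_inspector) into the current cluster.` describes the target more accurately.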