Merge pull request #11 from kolayne-IU-assignments/lab11

Lab11

Author: kolayne

k8s/11.md

@@ -0,0 +1,65 @@
+# Secrets
+
+## Kubectl secrets
+
+```
+$ kubectl create secret generic demo-secret --from-literal=password=sensitive
+secret/demo-secret created
+$ kubectl describe secrets/demo-secret
+Name:         demo-secret
+Namespace:    default
+Labels:       <none>
+Annotations:  <none>
+
+Type:  Opaque
+
+Data
+====
+password:  9 bytes
+$ kubectl get secrets/demo-secret -o jsonpath='{.data.password}' | base64 -d; echo
+sensitive
+$
+```
+
+## Helm-secrets-managed secrets
+
+```
+$ kubectl get pods
+NAME                      READY   STATUS    RESTARTS   AGE
+app-py-797f75bf4f-cb7vz   1/1     Running   0          2m44s
+app-py-797f75bf4f-gz2zf   1/1     Running   0          2m44s
+app-py-797f75bf4f-lvh57   1/1     Running   0          2m44s
+app-py-797f75bf4f-rccl7   1/1     Running   0          2m44s
+$ kubectl exec app-py-797f75bf4f-cb7vz -- printenv | grep -i secret
+SecretEntry=sensitive
+$ 
+```
+
+## Vault-managed secrets
+
+```
+$ kubectl exec -it app-py-5db7d795db-qg5xn -- cat /vault/secrets/another_secret.txt
+Defaulted container "app-py" out of: app-py, vault-agent, vault-agent-init (init)
+data: map[value:sensitive2!]
+metadata: map[created_time:2024-04-12T13:15:12.335484444Z custom_metadata:<nil> deletion_time: destroyed:false version:1]
+$ kubectl exec -it app-py-5db7d795db-qg5xn -- df
+Defaulted container "app-py" out of: app-py, vault-agent, vault-agent-init (init)
+Filesystem           1K-blocks      Used Available Use% Mounted on
+overlay              171367696 130850160  31739760  80% /
+tmpfs                    65536         0     65536   0% /dev
+/dev/nvme0n1p5       171367696 130850160  31739760  80% /dev/termination-log
+tmpfs                 16211940         4  16211936   0% /vault/secrets
+/dev/nvme0n1p5       171367696 130850160  31739760  80% /etc/resolv.conf
+/dev/nvme0n1p5       171367696 130850160  31739760  80% /etc/hostname
+/dev/nvme0n1p5       171367696 130850160  31739760  80% /etc/hosts
+shm                      65536         0     65536   0% /dev/shm
+tmpfs                 16211940        12  16211928   0% /run/secrets/kubernetes.io/serviceaccount
+tmpfs                  8105968         0   8105968   0% /proc/asound
+tmpfs                  8105968         0   8105968   0% /proc/acpi
+tmpfs                    65536         0     65536   0% /proc/kcore
+tmpfs                    65536         0     65536   0% /proc/keys
+tmpfs                    65536         0     65536   0% /proc/timer_list
+tmpfs                  8105968         0   8105968   0% /proc/scsi
+tmpfs                  8105968         0   8105968   0% /sys/firmware
+$
+```

k8s/app-go/templates/_helpers.tpl

@@ -60,3 +60,10 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{- define "app-go.environ" -}}
+- name: var1
+  value: val1
+- name: var2
+  value: val2
+{{- end }}

k8s/app-go/templates/deployment.yaml

@@ -50,6 +50,8 @@ spec:
           volumeMounts:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          env:
+            {{ include "app-go.environ" . | nindent 12 }}
       {{- with .Values.volumes }}
       volumes:
         {{- toYaml . | nindent 8 }}

k8s/app-go/values.yaml

@@ -51,17 +51,17 @@ ingress:
   #    hosts:
   #      - chart-example.local
 
-resources: {}
+resources:
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
   # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
+  limits:
   #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
+    memory: 50Mi
+  requests:
+    cpu: 2000m
+    memory: 20Mi
 
 livenessProbe:
   httpGet:

k8s/app-py/env-secrets.yaml

@@ -0,0 +1,24 @@
+password: ENC[AES256_GCM,data:jkIHSRXIJJg6,iv:C1tzrVqcM8p0prM33gbb8qUIH9aC3AmcioOabPiObsM=,tag:ZQROaZu/9SKI014pw6bqkg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-04-11T09:21:07Z"
+    mac: ENC[AES256_GCM,data:FUujMws7tys9W2kqmXegmOLVeOqfpaVR9k8lLXz9xd8FejL30L7n3C6G2lQOdyLxiAoM6QNsd7w391QtDial4EK/s45iIWTTErhltnI+FmtWA+mkKvSz49MXHo0crs9klmi9KrAXkdvNatOzR4U130WKvKg05sNSueU1O2a1Umc=,iv:OXeA+7nnFkP3KegqhUIN8+9zJBEv1J9xo78mjgDkLQo=,tag:aNTwP7Q84Br29x6ZPRWqOw==,type:str]
+    pgp:
+        - created_at: "2024-04-11T07:33:06Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D+wRifE+fehgSAQdARWW5wgUqLNWnutSU0gfj5577Mh5GuEhrzO9EHQB5wUYw
+            ln0wAfD8FifZc8Vsx1J9HUTZ43bD2WJFJPW03CovsPQB/FQ6ruB98eh/qJwi0Uep
+            1GgBCQIQuDxgGga8HLacn7hlx6Ne6S9ncanhpBt8n0iazmEZ6POWpuABM/4Jtfqw
+            lEyPVhTG5lHN7gBeH6dUy8p0ToFkr5+cgqKVhkLTC5QDvRDJiFFbVLSFKldVaBlg
+            2fgJasjY10VeMA==
+            =SEai
+            -----END PGP MESSAGE-----
+          fp: 6B5B7AD70550DCAA8A5E592479753ED3261B7AAB
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

k8s/app-py/templates/_helpers.tpl

@@ -60,3 +60,10 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{- define "app-py.environ" -}}
+- name: var1
+  value: val1
+- name: var2
+  value: val2
+{{- end }}

k8s/app-py/templates/deployment.yaml

@@ -50,6 +50,13 @@ spec:
           volumeMounts:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          env:
+            - name: SecretEntry
+              valueFrom:
+                secretKeyRef:
+                  name: env-secret
+                  key: value
+            {{ include "app-py.environ" . | nindent 12 }}
       {{- with .Values.volumes }}
       volumes:
         {{- toYaml . | nindent 8 }}

k8s/app-py/templates/secrets.yml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: env-secret
+data:
+  value: {{ .Values.password | b64enc | quote }}

k8s/app-py/values.yaml

@@ -15,9 +15,13 @@ serviceAccount:
   annotations: {}
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
-  name: ""
+  name: "web-app"
 
-podAnnotations: {}
+podAnnotations:
+  git: keep
+  vault.hashicorp.com/agent-inject: 'true'
+  vault.hashicorp.com/role: 'web-app'
+  vault.hashicorp.com/agent-inject-secret-another_secret.txt: 'internal/data/another_secret'
 podLabels: {}
 
 podSecurityContext: {}
@@ -51,17 +55,17 @@ ingress:
   #    hosts:
   #      - chart-example.local
 
-resources: {}
+resources:
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
   # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
+  limits:
   #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
+    memory: 60Mi
+  requests:
+    cpu: 2000m
+    memory: 30Mi
 
 livenessProbe:
   httpGet: