-
Notifications
You must be signed in to change notification settings - Fork 455
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
e7059cc
commit ba426f0
Showing
13 changed files
with
169 additions
and
123 deletions.
There are no files selected for viewing
18 changes: 0 additions & 18 deletions
18
manifests/modules/security/secrets-manager/deployment copy.yaml
This file was deleted.
Oops, something went wrong.
6 changes: 0 additions & 6 deletions
6
manifests/modules/security/secrets-manager/kustomization copy.yaml
This file was deleted.
Oops, something went wrong.
9 changes: 0 additions & 9 deletions
9
manifests/modules/security/secrets-manager/new-catalog-db copy.yaml
This file was deleted.
Oops, something went wrong.
11 changes: 11 additions & 0 deletions
11
manifests/modules/security/secrets-manager/secret-provider-class.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
apiVersion: secrets-store.csi.x-k8s.io/v1 | ||
kind: SecretProviderClass | ||
metadata: | ||
name: catalog-spc | ||
namespace: catalog | ||
spec: | ||
provider: aws | ||
parameters: | ||
objects: | | ||
- objectName: "catalog-secret" | ||
objectType: "secretsmanager" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 1 addition & 1 deletion
2
...te/docs/security/secrets-management/sealed-secrets/installing-sealed-secrets.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 1 addition & 1 deletion
2
website/docs/security/secrets-management/sealed-secrets/managing-sealing-keys.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
52 changes: 51 additions & 1 deletion
52
website/docs/security/secrets-management/sealed-secrets/sealing-secrets.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 1 addition & 1 deletion
2
website/docs/security/secrets-management/sealed-secrets/working.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 1 addition & 1 deletion
2
website/docs/security/secrets-management/secrets-manager/create-secret.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
102 changes: 102 additions & 0 deletions
102
.../docs/security/secrets-management/secrets-manager/validate-cluster-resources.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,102 @@ | ||
--- | ||
title: "Validating AWS Secrets and Configuration Provider (ASCP)" | ||
sidebar_position: 61 | ||
--- | ||
|
||
If you ran the `prepare-environment` script detailed in the [previous step](./index.md), it has already installed the AWS Secrets and Configuration Provider (ASCP) for the Kubernetes Secrets Store CSI Driver that's required for this lab. | ||
|
||
Lets then, validate if the addons deployed. | ||
|
||
Check the Secret Store CSI drive `DaemonSet` and respective `Pods`. | ||
|
||
```bash | ||
$ kubectl -n secrets-store-csi-driver get pods,daemonsets -l app=secrets-store-csi-driver | ||
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE | ||
daemonset.apps/csi-secrets-store-secrets-store-csi-driver 3 3 3 3 3 kubernetes.io/os=linux 3m57s | ||
|
||
NAME READY STATUS RESTARTS AGE | ||
pod/csi-secrets-store-secrets-store-csi-driver-bzddm 3/3 Running 0 3m57s | ||
pod/csi-secrets-store-secrets-store-csi-driver-k7m6c 3/3 Running 0 3m57s | ||
pod/csi-secrets-store-secrets-store-csi-driver-x2rs4 3/3 Running 0 3m57s | ||
``` | ||
|
||
Check the CSI Secrets Store Provider for AWS driver `DaemonSet` and respective `Pods`. | ||
|
||
```bash | ||
$ kubectl -n kube-system get pods,daemonset -l "app=secrets-store-csi-driver-provider-aws" | ||
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE | ||
daemonset.apps/secrets-store-csi-driver-provider-aws 3 3 3 3 3 kubernetes.io/os=linux 2m3s | ||
|
||
NAME READY STATUS RESTARTS AGE | ||
pod/secrets-store-csi-driver-provider-aws-4jf8f 1/1 Running 0 2m2s | ||
pod/secrets-store-csi-driver-provider-aws-djtf5 1/1 Running 0 2m2s | ||
pod/secrets-store-csi-driver-provider-aws-dzg9r 1/1 Running 0 2m2s | ||
``` | ||
|
||
### Exploring the catalog Pod | ||
|
||
The `catalog` deployment in the `catalog` Namespace accesses the following database values from the catalog-db secret via environment variables: | ||
|
||
* `DB_USER` | ||
* `DB_PASSWORD` | ||
|
||
```bash | ||
$ kubectl -n catalog get deployment catalog -o yaml | yq '.spec.template.spec.containers[] | .env' | ||
|
||
- name: DB_USER | ||
valueFrom: | ||
secretKeyRef: | ||
key: username | ||
name: catalog-db | ||
- name: DB_PASSWORD | ||
valueFrom: | ||
secretKeyRef: | ||
key: password | ||
name: catalog-db | ||
- name: DB_NAME | ||
valueFrom: | ||
configMapKeyRef: | ||
key: name | ||
name: catalog | ||
- name: DB_READ_ENDPOINT | ||
valueFrom: | ||
secretKeyRef: | ||
key: endpoint | ||
name: catalog-db | ||
- name: DB_ENDPOINT | ||
valueFrom: | ||
secretKeyRef: | ||
key: endpoint | ||
name: catalog-db | ||
``` | ||
|
||
Upon exploring the `catalog-db` Secret we can see that it is only encoded with base64 which can be easily decoded as follows hence making it difficult for the secrets manifests to be part of the GitOps workflow. | ||
|
||
```file | ||
manifests/base-application/catalog/secrets.yaml | ||
``` | ||
|
||
```bash | ||
$ kubectl -n catalog get secrets catalog-db --template {{.data.username}} | base64 -d | ||
catalog_user% | ||
$ kubectl -n catalog get secrets catalog-db --template {{.data.password}} | base64 -d | ||
default_password% | ||
``` | ||
|
||
You should also see that we already have created a *SecretProviderClass*, which is a namespaced custom resource that's used provide driver configurations and specific parameters to the your secrets in AWS Secrets Manger via CSI driver. | ||
|
||
```bash | ||
$ kubectl -n catalog get secretproviderclass -o yaml | ||
|
||
apiVersion: secrets-store.csi.x-k8s.io/v1 | ||
kind: SecretProviderClass | ||
metadata: | ||
name: catalog-spc | ||
namespace: catalog | ||
spec: | ||
provider: aws | ||
parameters: | ||
objects: | | ||
- objectName: "catalog-secret" | ||
objectType: "secretsmanager" | ||
``` |
34 changes: 0 additions & 34 deletions
34
website/docs/security/secrets-management/secrets-manager/validate-eks-cluster.md
This file was deleted.
Oops, something went wrong.