From ba426f00edd62d23c469dd93dddbc8b707be7b49 Mon Sep 17 00:00:00 2001 From: Rodrigo Bersa Date: Wed, 11 Oct 2023 15:25:28 -0400 Subject: [PATCH] Changing module strucutre --- .../secrets-manager/deployment copy.yaml | 18 ---- .../secrets-manager/kustomization copy.yaml | 6 -- .../secrets-manager/new-catalog-db copy.yaml | 9 -- .../secret-provider-class.yaml | 11 ++ .../secrets-management/exploring-secrets.md | 50 --------- .../installing-sealed-secrets.md | 2 +- .../sealed-secrets/managing-sealing-keys.md | 2 +- .../sealed-secrets/sealing-secrets.md | 52 ++++++++- .../sealed-secrets/working.md | 2 +- .../secrets-manager/create-secret.md | 2 +- .../secrets-manager/index.md | 2 +- .../validate-cluster-resources.md | 102 ++++++++++++++++++ .../secrets-manager/validate-eks-cluster.md | 34 ------ 13 files changed, 169 insertions(+), 123 deletions(-) delete mode 100644 manifests/modules/security/secrets-manager/deployment copy.yaml delete mode 100644 manifests/modules/security/secrets-manager/kustomization copy.yaml delete mode 100644 manifests/modules/security/secrets-manager/new-catalog-db copy.yaml create mode 100644 manifests/modules/security/secrets-manager/secret-provider-class.yaml create mode 100644 website/docs/security/secrets-management/secrets-manager/validate-cluster-resources.md delete mode 100644 website/docs/security/secrets-management/secrets-manager/validate-eks-cluster.md diff --git a/manifests/modules/security/secrets-manager/deployment copy.yaml b/manifests/modules/security/secrets-manager/deployment copy.yaml deleted file mode 100644 index 4c2c6cf37..000000000 --- a/manifests/modules/security/secrets-manager/deployment copy.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: catalog -spec: - template: - spec: - containers: - - name: catalog - env: - - name: DB_USER - valueFrom: - secretKeyRef: - name: catalog-sealed-db - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: catalog-sealed-db diff --git a/manifests/modules/security/secrets-manager/kustomization copy.yaml b/manifests/modules/security/secrets-manager/kustomization copy.yaml deleted file mode 100644 index 8e63958a0..000000000 --- a/manifests/modules/security/secrets-manager/kustomization copy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -bases: -- ../../../base-application/catalog -patches: -- deployment.yaml diff --git a/manifests/modules/security/secrets-manager/new-catalog-db copy.yaml b/manifests/modules/security/secrets-manager/new-catalog-db copy.yaml deleted file mode 100644 index 4079b8444..000000000 --- a/manifests/modules/security/secrets-manager/new-catalog-db copy.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: catalog-sealed-db - namespace: catalog -type: Opaque -data: - password: ZGVmYXVsdF9wYXNzd29yZA== - username: Y2F0YWxvZ191c2Vy diff --git a/manifests/modules/security/secrets-manager/secret-provider-class.yaml b/manifests/modules/security/secrets-manager/secret-provider-class.yaml new file mode 100644 index 000000000..3ce2dd2c9 --- /dev/null +++ b/manifests/modules/security/secrets-manager/secret-provider-class.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: catalog-spc + namespace: catalog +spec: + provider: aws + parameters: + objects: | + - objectName: "catalog-secret" + objectType: "secretsmanager" \ No newline at end of file diff --git a/website/docs/security/secrets-management/exploring-secrets.md b/website/docs/security/secrets-management/exploring-secrets.md index b9a51db82..16b7e2c5b 100644 --- a/website/docs/security/secrets-management/exploring-secrets.md +++ b/website/docs/security/secrets-management/exploring-secrets.md @@ -66,53 +66,3 @@ With the above Pod specification, the following will occur: * value for the username key in the database-credentials Secret is stored in the file `/etc/data/DATABASE_USER` within the Pod * value for the password key is stored in the file `/etc/data/DATABASE_PASSWORD` - -### Exploring the catalog Pod - -The `catalog` deployment in the `catalog` Namespace accesses the following database values from the catalog-db secret via environment variables: - -* `DB_USER` -* `DB_PASSWORD` - -```bash -$ kubectl -n catalog get deployment catalog -o yaml | yq '.spec.template.spec.containers[] | .env' - -- name: DB_USER - valueFrom: - secretKeyRef: - key: username - name: catalog-db -- name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: catalog-db -- name: DB_NAME - valueFrom: - configMapKeyRef: - key: name - name: catalog -- name: DB_READ_ENDPOINT - valueFrom: - secretKeyRef: - key: endpoint - name: catalog-db -- name: DB_ENDPOINT - valueFrom: - secretKeyRef: - key: endpoint - name: catalog-db -``` - -Upon exploring the `catalog-db` Secret we can see that it is only encoded with base64 which can be easily decoded as follows hence making it difficult for the secrets manifests to be part of the GitOps workflow. - -```file -manifests/base-application/catalog/secrets.yaml -``` - -```bash -$ kubectl -n catalog get secrets catalog-db --template {{.data.username}} | base64 -d -catalog_user% -$ kubectl -n catalog get secrets catalog-db --template {{.data.password}} | base64 -d -default_password% -``` diff --git a/website/docs/security/secrets-management/sealed-secrets/installing-sealed-secrets.md b/website/docs/security/secrets-management/sealed-secrets/installing-sealed-secrets.md index df05c5c9e..765e8c4ee 100644 --- a/website/docs/security/secrets-management/sealed-secrets/installing-sealed-secrets.md +++ b/website/docs/security/secrets-management/sealed-secrets/installing-sealed-secrets.md @@ -1,6 +1,6 @@ --- title: "Installing Sealed Secrets" -sidebar_position: 62 +sidebar_position: 72 --- The `kubeseal` CLI is used to interact with the sealed secrets controller, and has already been installed in Cloud9. diff --git a/website/docs/security/secrets-management/sealed-secrets/managing-sealing-keys.md b/website/docs/security/secrets-management/sealed-secrets/managing-sealing-keys.md index e2381ac88..2ad757413 100644 --- a/website/docs/security/secrets-management/sealed-secrets/managing-sealing-keys.md +++ b/website/docs/security/secrets-management/sealed-secrets/managing-sealing-keys.md @@ -1,6 +1,6 @@ --- title: "Managing the Sealing Key" -sidebar_position: 64 +sidebar_position: 74 --- The only way to decrypt the encrypted data within a SealedSecret is with the sealing key that is managed by the controller. There could be situations where you are trying to restore the original state of a cluster after a disaster or you want to leverage GitOps workflow to deploy the Kubernetes resources, including SealedSecrets, from a Git repository and create a new EKS cluster. The controller deployed in the new EKS cluster must use the same sealing key to be able to unseal the SealedSecrets. diff --git a/website/docs/security/secrets-management/sealed-secrets/sealing-secrets.md b/website/docs/security/secrets-management/sealed-secrets/sealing-secrets.md index 34ed13b81..6139c7a22 100644 --- a/website/docs/security/secrets-management/sealed-secrets/sealing-secrets.md +++ b/website/docs/security/secrets-management/sealed-secrets/sealing-secrets.md @@ -1,8 +1,58 @@ --- title: "Sealing your Secrets" -sidebar_position: 63 +sidebar_position: 73 --- +### Exploring the catalog Pod + +The `catalog` deployment in the `catalog` Namespace accesses the following database values from the catalog-db secret via environment variables: + +* `DB_USER` +* `DB_PASSWORD` + +```bash +$ kubectl -n catalog get deployment catalog -o yaml | yq '.spec.template.spec.containers[] | .env' + +- name: DB_USER + valueFrom: + secretKeyRef: + key: username + name: catalog-db +- name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: catalog-db +- name: DB_NAME + valueFrom: + configMapKeyRef: + key: name + name: catalog +- name: DB_READ_ENDPOINT + valueFrom: + secretKeyRef: + key: endpoint + name: catalog-db +- name: DB_ENDPOINT + valueFrom: + secretKeyRef: + key: endpoint + name: catalog-db +``` + +Upon exploring the `catalog-db` Secret we can see that it is only encoded with base64 which can be easily decoded as follows hence making it difficult for the secrets manifests to be part of the GitOps workflow. + +```file +manifests/base-application/catalog/secrets.yaml +``` + +```bash +$ kubectl -n catalog get secrets catalog-db --template {{.data.username}} | base64 -d +catalog_user% +$ kubectl -n catalog get secrets catalog-db --template {{.data.password}} | base64 -d +default_password% +``` + Let's create a new secret `catalog-sealed-db`. We'll create a new file `new-catalog-db.yaml` with the same keys and values as the `catalog-db` Secret. ```file diff --git a/website/docs/security/secrets-management/sealed-secrets/working.md b/website/docs/security/secrets-management/sealed-secrets/working.md index 7710e9bae..4259221f2 100644 --- a/website/docs/security/secrets-management/sealed-secrets/working.md +++ b/website/docs/security/secrets-management/sealed-secrets/working.md @@ -1,6 +1,6 @@ --- title: "Sealed Secrets for Kubernetes" -sidebar_position: 61 +sidebar_position: 71 --- Sealed Secrets is composed of two parts: diff --git a/website/docs/security/secrets-management/secrets-manager/create-secret.md b/website/docs/security/secrets-management/secrets-manager/create-secret.md index cbe2882e1..9f177ab4a 100644 --- a/website/docs/security/secrets-management/secrets-manager/create-secret.md +++ b/website/docs/security/secrets-management/secrets-manager/create-secret.md @@ -1,6 +1,6 @@ --- title: "Storing secrets in AWS Secrets Manager" -sidebar_position: 63 +sidebar_position: 62 --- To store a secret in AWS Secrets Manager, you can either use the AWS Console or the AWS CLI. We will cover both scenarios below. diff --git a/website/docs/security/secrets-management/secrets-manager/index.md b/website/docs/security/secrets-management/secrets-manager/index.md index a4debed8b..68612b482 100644 --- a/website/docs/security/secrets-management/secrets-manager/index.md +++ b/website/docs/security/secrets-management/secrets-manager/index.md @@ -21,7 +21,7 @@ You can view the Terraform that applies these changes [here](https://github.com/ ::: -AWS Secrets Manager (Secrets Manager) allows you to easily rotate, manage, and retrieve sensitive data such as credentials, API keys, certificates, among others. You can use AWS Secrets and Configuration Provider (ASCP) for Kubernetes Secrets Store CSI Driver to mount secrets stored in Secrets Manager as volumes in Kubernetes Pods. +[AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) allows you to easily rotate, manage, and retrieve sensitive data such as credentials, API keys, certificates, among others. You can use [AWS Secrets and Configuration Provider (ASCP)](https://github.com/aws/secrets-store-csi-driver-provider-aws) for [Kubernetes Secrets Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/) to mount secrets stored in Secrets Manager as volumes in Kubernetes Pods. With the ASCP, you can store and manage your secrets in Secrets Manager and then retrieve them through your workloads running on Amazon EKS. You can use IAM roles and policies to limit access to your secrets to specific Kubernetes Pods in a cluster. The ASCP retrieves the Pod identity and exchanges the identity for an IAM role. ASCP assumes the IAM role of the Pod, and then it can retrieve secrets from Secrets Manager that are authorized for that role. diff --git a/website/docs/security/secrets-management/secrets-manager/validate-cluster-resources.md b/website/docs/security/secrets-management/secrets-manager/validate-cluster-resources.md new file mode 100644 index 000000000..d95cf5469 --- /dev/null +++ b/website/docs/security/secrets-management/secrets-manager/validate-cluster-resources.md @@ -0,0 +1,102 @@ +--- +title: "Validating AWS Secrets and Configuration Provider (ASCP)" +sidebar_position: 61 +--- + +If you ran the `prepare-environment` script detailed in the [previous step](./index.md), it has already installed the AWS Secrets and Configuration Provider (ASCP) for the Kubernetes Secrets Store CSI Driver that's required for this lab. + +Lets then, validate if the addons deployed. + +Check the Secret Store CSI drive `DaemonSet` and respective `Pods`. + +```bash +$ kubectl -n secrets-store-csi-driver get pods,daemonsets -l app=secrets-store-csi-driver +NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE +daemonset.apps/csi-secrets-store-secrets-store-csi-driver 3 3 3 3 3 kubernetes.io/os=linux 3m57s + +NAME READY STATUS RESTARTS AGE +pod/csi-secrets-store-secrets-store-csi-driver-bzddm 3/3 Running 0 3m57s +pod/csi-secrets-store-secrets-store-csi-driver-k7m6c 3/3 Running 0 3m57s +pod/csi-secrets-store-secrets-store-csi-driver-x2rs4 3/3 Running 0 3m57s +``` + +Check the CSI Secrets Store Provider for AWS driver `DaemonSet` and respective `Pods`. + +```bash +$ kubectl -n kube-system get pods,daemonset -l "app=secrets-store-csi-driver-provider-aws" +NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE +daemonset.apps/secrets-store-csi-driver-provider-aws 3 3 3 3 3 kubernetes.io/os=linux 2m3s + +NAME READY STATUS RESTARTS AGE +pod/secrets-store-csi-driver-provider-aws-4jf8f 1/1 Running 0 2m2s +pod/secrets-store-csi-driver-provider-aws-djtf5 1/1 Running 0 2m2s +pod/secrets-store-csi-driver-provider-aws-dzg9r 1/1 Running 0 2m2s +``` + +### Exploring the catalog Pod + +The `catalog` deployment in the `catalog` Namespace accesses the following database values from the catalog-db secret via environment variables: + +* `DB_USER` +* `DB_PASSWORD` + +```bash +$ kubectl -n catalog get deployment catalog -o yaml | yq '.spec.template.spec.containers[] | .env' + +- name: DB_USER + valueFrom: + secretKeyRef: + key: username + name: catalog-db +- name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: catalog-db +- name: DB_NAME + valueFrom: + configMapKeyRef: + key: name + name: catalog +- name: DB_READ_ENDPOINT + valueFrom: + secretKeyRef: + key: endpoint + name: catalog-db +- name: DB_ENDPOINT + valueFrom: + secretKeyRef: + key: endpoint + name: catalog-db +``` + +Upon exploring the `catalog-db` Secret we can see that it is only encoded with base64 which can be easily decoded as follows hence making it difficult for the secrets manifests to be part of the GitOps workflow. + +```file +manifests/base-application/catalog/secrets.yaml +``` + +```bash +$ kubectl -n catalog get secrets catalog-db --template {{.data.username}} | base64 -d +catalog_user% +$ kubectl -n catalog get secrets catalog-db --template {{.data.password}} | base64 -d +default_password% +``` + +You should also see that we already have created a *SecretProviderClass*, which is a namespaced custom resource that's used provide driver configurations and specific parameters to the your secrets in AWS Secrets Manger via CSI driver. + +```bash +$ kubectl -n catalog get secretproviderclass -o yaml + +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: catalog-spc + namespace: catalog +spec: + provider: aws + parameters: + objects: | + - objectName: "catalog-secret" + objectType: "secretsmanager" +``` diff --git a/website/docs/security/secrets-management/secrets-manager/validate-eks-cluster.md b/website/docs/security/secrets-management/secrets-manager/validate-eks-cluster.md deleted file mode 100644 index 095c10fc0..000000000 --- a/website/docs/security/secrets-management/secrets-manager/validate-eks-cluster.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -title: "Validating AWS Secrets and Configuration Provider (ASCP)" -sidebar_position: 62 ---- - -If you ran the `prepare-environment` script detailed in the [previous step](./index.md), it has already installed the AWS Secrets and Configuration Provider (ASCP) for the Kubernetes Secrets Store CSI Driver that's required for this lab. - -Lets then, validate if the addons deployed. - -Check the Secret Store CSI drive `DaemonSet` and respective `Pods`. - -```bash -$ kubectl -n secrets-store-csi-driver get pods,daemonsets -l app=secrets-store-csi-driver -NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE -daemonset.apps/csi-secrets-store-secrets-store-csi-driver 3 3 3 3 3 kubernetes.io/os=linux 3m57s - -NAME READY STATUS RESTARTS AGE -pod/csi-secrets-store-secrets-store-csi-driver-bzddm 3/3 Running 0 3m57s -pod/csi-secrets-store-secrets-store-csi-driver-k7m6c 3/3 Running 0 3m57s -pod/csi-secrets-store-secrets-store-csi-driver-x2rs4 3/3 Running 0 3m57s -``` - -Check the CSI Secrets Store Provider for AWS driver `DaemonSet` and respective `Pods`. - -```bash -$ kubectl -n kube-system get pods,daemonset -l "app=secrets-store-csi-driver-provider-aws" -NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE -daemonset.apps/secrets-store-csi-driver-provider-aws 3 3 3 3 3 kubernetes.io/os=linux 2m3s - -NAME READY STATUS RESTARTS AGE -pod/secrets-store-csi-driver-provider-aws-4jf8f 1/1 Running 0 2m2s -pod/secrets-store-csi-driver-provider-aws-djtf5 1/1 Running 0 2m2s -pod/secrets-store-csi-driver-provider-aws-dzg9r 1/1 Running 0 2m2s -```