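// calcUniqueHash hashes the bytes returned by loadFile together with a random
// decimal nonce and returns the raw SHA-512 digest as a string.
//
// The nonce is written into the hasher so that it becomes part of the digest.
// hash.Hash.Sum(b) appends the digest to b rather than hashing b, so passing
// the nonce to Sum (as the original code did) only prefixes the output with
// the nonce's plaintext bytes and leaves the digest itself unchanged.
//
// The nonce comes from math/rand/v2, which is not a cryptographically secure
// generator: it makes successive results differ, but does not make them
// unpredictable. Use crypto/rand if unpredictability is required.
//
// Returns the error from loadFile unchanged when the file cannot be loaded.
func calcUniqueHash() (string, error) {
	body, err := loadFile()
	if err != nil {
		return "", err
	}
	nonce := strconv.Itoa(rand.IntN(1000000))
	h := sha512.New()
	// hash.Hash.Write never returns an error, so the results are discarded.
	h.Write(body)
	h.Write([]byte(nonce))
	return string(h.Sum(nil)), nil
}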
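// hashHandler serves the /hash route: it responds with the hex encoding of
// the value produced by calcUniqueHash.
//
// On failure the client receives a generic 500 and the underlying error is
// logged server-side only. The original code echoed err.Error() to the
// client, which can disclose internal detail (for example a path from
// loadFile) to anyone who can reach the endpoint.
func hashHandler(w http.ResponseWriter, _ *http.Request) {
	hash, err := calcUniqueHash()
	if err != nil {
		log.Printf("hashHandler: calcUniqueHash: %v", err)
		http.Error(w, "internal server error", http.StatusInternalServerError)
		return
	}
	// %x renders the raw digest bytes as lowercase hex.
	fmt.Fprintf(w, "Hash value: %x", hash)
}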
// main registers hashHandler on the default mux and serves it on :8080,
// exiting with the listener error if the server stops.
//
// NOTE(review): the server sets no ReadHeaderTimeout/ReadTimeout/WriteTimeout;
// set them on srv before exposing this beyond a local demo.
func main() {
	http.HandleFunc("/hash", hashHandler)
	// A nil Handler makes the server fall back to http.DefaultServeMux, which
	// is where HandleFunc registered the route above; this is exactly what
	// http.ListenAndServe(":8080", nil) does internally.
	srv := &http.Server{Addr: ":8080"}
	log.Fatal(srv.ListenAndServe())
}
/ $ vault policy write webapp - << EOF
> path "secret/data/webapp/config" {
> capabilities = ["read"]
> }
> EOF
>>Success! Uploaded policy: webapp
/ $ vault token create -policy=webapp -ttl=744h
>>Key Value
>>--- -----
>>token hvs.CAESIHOD5eMOX3BG850WnddTyDkkF...MdzQzOE1wd0ZMTXY4OGhuOXU
/ $ vault kv get secret/webapp/config
>>====== Secret Path ======
>>secret/data/webapp/config
>>======= Metadata =======
>>Key Value
>>...
>>====== Data ======
>>Key Value
>>--- -----
>>password Losungwort
kubectl config use-context vaultcluster
>>Switched to context "vaultcluster".
kubectl get pods
>>NAME READY STATUS RESTARTS AGE
>>vault-0 1/1 Running 0 1h
>>vault-1 1/1 Running 0 1h
>>vault-2 1/1 Running 0 1h
>>vault-agent-injector-5d85ff9d44-kwhc8 1/1 Running 0 1h
kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh
>>/ $ vault login
kubectl exec -it -n playground demo-non-privileged-dp-65f45f4fcd-g7r48 -- /bin/bash
>>root@demo-non-privileged-dp-65f45f4fcd-g7r48:/# kubectl get secrets
>>Error from server (Forbidden): secrets is forbidden: User "system:serviceaccount:playground:non-privileged-sa" cannot list resource "secrets" in API group "" in the namespace "playground"
>>root@demo-non-privileged-dp-65f45f4fcd-g7r48:/# kubectl get pods
>>NAME READY STATUS RESTARTS AGE
>>demo-dp-7756f78b4c-4zfpr 1/1 Running 0 4m38s
>>demo-non-privileged-dp-65f45f4fcd-g7r48 1/1 Running 0 3m17s
>>root@demo-non-privileged-dp-65f45f4fcd-g7r48:/# exit
>>exit
# Namespaced Role for the "non-privileged" demo workload, created in the
# namespace managed by kubernetes_namespace.playground.
#
# NOTE(review): the rule and resource blocks are not closed in this listing;
# the closing braces are presumably lost in the paste.
resource "kubernetes_role" "non_privileged" {
  metadata {
    name      = "non-privileged-cr"
    namespace = kubernetes_namespace.playground.id
  }
  rule {
    api_groups = [""]
    resources  = ["secrets"]
    # NOTE(review): an empty-string verb does not match any real API verb
    # (get, list, watch, ...), so this rule grants no access to secrets. That
    # is consistent with the "secrets is forbidden" error in the kubectl
    # transcript above; confirm whether it is intended or a placeholder.
    verbs = [""]
terraform apply --auto-approve
>>Terraform will perform the following actions:
>>...
>>Plan: 2 to add, 0 to change, 0 to destroy.
>>...
>>kubernetes_deployment.demo-non-privileged: Creating...
>>kubernetes_deployment.demo-non-privileged: Still creating... [10s elapsed]
>>kubernetes_deployment.demo-non-privileged: Still creating... [20s elapsed]
>>...
resource "kubernetes_deployment" "demo-non-privileged" {
metadata {
name = "demo-non-privileged-dp"
namespace = kubernetes_namespace.playground.id
}
spec {
replicas = 1
selector {
match_labels = {
app = "demo-non-privileged-lb"