
Johann Gyger johanngyger

❯ az login -o none
The default web browser has been opened at https://login.microsoftonline.com/common/oauth2/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
You have logged in. Now let us find all the subscriptions to which you have access...
❯ terraform init
Initializing the backend...
Initializing provider plugins...
- Finding hashicorp/azurerm versions matching "~> 2.0"...
resource "azurerm_container_group" "aci_caddy" {
resource_group_name = "aci_caddy"
location = local.location
name = "aci_caddy"
os_type = "Linux"
dns_name_label = "aci-caddy"
ip_address_type = "public"
container {
name = "app"
# Resource group named "aci_caddy". Its region comes from local.location,
# which is defined outside this snippet.
resource "azurerm_resource_group" "aci_caddy" {
  name = "aci_caddy"
  location = local.location
}
resource "azurerm_storage_account" "aci_caddy" {
name = "acicaddy"
resource_group_name = azurerm_resource_group.aci_caddy.name
location = azurerm_resource_group.aci_caddy.location
account_tier = "Standard"
# Terraform settings for this configuration: restricts the CLI to the 0.14
# series and declares the azurerm provider it depends on.
terraform {
  # Accept any 0.14.x CLI release; reject 0.15 and later.
  required_version = ">= 0.14, < 0.15"
  required_providers {
    azurerm = {
      # Provider is resolved from the public registry namespace hashicorp/azurerm.
      source = "hashicorp/azurerm"
      # "~> 2.0" accepts any 2.x release, so the exact provider build is not
      # fixed by this constraint alone. Commit .terraform.lock.hcl (written by
      # `terraform init` since 0.14) so each run installs the same version and
      # checks it against the recorded checksums.
      version = "~> 2.0"
    }
  }
}
$ envsubst < vault-kubernetes-synchronizer-demo.yaml | k apply -f -
job.batch/vault-kubernetes-synchronizer-demo created
$ k get all
NAME READY STATUS RESTARTS AGE
pod/vault-kubernetes-synchronizer-demo-m2xnz 1/1 Running 0 4s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 3d5h
NAME COMPLETIONS DURATION AGE
job.batch/vault-kubernetes-synchronizer-demo 0/1 4s 4s
---
apiVersion: batch/v1
kind: Job
metadata:
name: vault-kubernetes-synchronizer-demo
spec:
backoffLimit: 0
template:
spec:
serviceAccountName: vault-serviceaccount
$ envsubst < vault-kubernetes-token-renewer-demo.yaml | k apply -f -
deployment.apps/vault-kubernetes-token-renewer-demo created
$ k get all
NAME READY STATUS RESTARTS AGE
pod/vault-kubernetes-token-renewer-demo-694cc7dbbd-rkbbs 2/2 Running 0 4s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 31h
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/vault-kubernetes-token-renewer-demo 1/1 1 1 4s
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: vault-kubernetes-token-renewer-demo
labels:
appl: vault-kubernetes-token-renewer-demo
spec:
replicas: 1
selector:
$ envsubst < vault-kubernetes-authenticator-demo.yaml | k apply -f -
deployment.apps/vault-kubernetes-authenticator-demo created
$ k get all
NAME READY STATUS RESTARTS AGE
pod/vault-kubernetes-authenticator-demo-fc49b957c-b5bnx 1/1 Running 0 81s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 20h
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/vault-kubernetes-authenticator-demo 1/1 1 1 81s
$ k apply -f vault-rbac.yaml
serviceaccount/vault-serviceaccount created
clusterrolebinding.rbac.authorization.k8s.io/vault-clusterrolebinding created
role.rbac.authorization.k8s.io/vault-secret-admin-role created
rolebinding.rbac.authorization.k8s.io/vault-demo-secret-admin-rolebinding created