# Source: https://gist.github.com/f300b3452691346c8028fa62605c9ccc
#######################################################################
# Eliminate Kubernetes Secrets With Secrets Store CSI Driver (SSCSID) #
# https://youtu.be/DsQu66ZMG4M                                        #
#######################################################################
# Additional Info:
# - Secrets Store CSI: https://secrets-store-csi-driver.sigs.k8s.io
# - Manage Kubernetes Secrets With External Secrets Operator: https://youtu.be/SyRZe5YVCVk
# - Bitnami Sealed Secrets - How To Store Kubernetes Secrets In Git Repositories: https://youtu.be/xd2QoV6GJlc
#########
# Setup #
#########
# The demo assumes that secrets are stored in HashiCorp Vault.
# If that's not the case, some of the commands and manifests might need to be modified.
# It also assumes `kubectl`, `helm` and `datree` are installed and that
# `kubectl` already points at the cluster you intend to use. The steps are
# meant to be run one at a time (some are typed into an interactive shell
# inside the Vault pod), not executed as a single script.
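# Clone the demo manifests (k8s/*.yaml, vault-values.yaml) and work from
# inside the checkout. Stop if the clone or `cd` failed so none of the
# commands below run against the wrong directory.
git clone https://github.com/vfarcic/secrets-store-csi-demo
cd secrets-store-csi-demo || exit 1

# Create a Kubernetes cluster (if you do not have it already)

# Idempotent namespace creation: plain `kubectl create namespace` errors if
# the namespace already exists, which bites when re-running the demo.
kubectl create namespace production \
    --dry-run=client --output yaml \
    | kubectl apply --filename -

# Add the chart repositories. Neither `helm repo add` nor
# `helm upgrade --install` verifies who published a chart, and without
# `--version` every `helm repo update` can change what gets deployed;
# pin chart versions for both installs once you move beyond a demo.
helm repo add secrets-store-csi-driver \
    https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
helm repo add hashicorp \
    https://helm.releases.hashicorp.com
helm repo update

# Install the CSI driver cluster-wide (kube-system). With rotation enabled
# the driver periodically re-fetches secrets and rewrites the mounted files;
# 10s is a demo setting — each poll hits the provider for every mounted
# volume, so use a longer interval on a real cluster. Rotation only updates
# the files: the application still has to re-read them.
helm upgrade --install \
    csi-secrets-store \
    secrets-store-csi-driver/secrets-store-csi-driver \
    --namespace kube-system \
    --set enableSecretRotation=true \
    --set rotationPollInterval=10s \
    --wait

# Install Vault with the settings from vault-values.yaml (in the clone).
# NOTE(review): that file is not shown here; presumably it enables the Vault
# CSI provider (the driver alone cannot talk to Vault) and runs Vault in a
# demo-friendly mode — review it (dev mode, TLS, unseal) before reusing.
helm upgrade --install \
    vault hashicorp/vault \
    --namespace vault \
    --create-namespace \
    --values vault-values.yaml \
    --wait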
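# Everything from here down to `exit` is typed into an interactive shell
# inside the Vault pod; it assumes the `vault` CLI there is already
# authenticated (set up by vault-values.yaml — confirm). These lines are not
# meant to run as one non-interactive script.
kubectl --namespace vault \
    exec -it vault-0 -- /bin/sh

# Demo value only. Passing the password as a command-line argument exposes it
# to the pod's shell history and to `ps` while the command runs; for a real
# secret feed the value from a file or stdin instead (see `vault kv put -h`).
vault kv put secret/db-auth \
    password="YouWillNeverFindOut"

# Let Vault verify Kubernetes service-account tokens via the TokenReview API.
vault auth enable kubernetes

# NOTE(review): token_reviewer_jwt is a snapshot of the Vault pod's own
# service-account token. On clusters that issue bound (expiring) tokens it
# will eventually expire and logins will start failing; recent Vault versions
# fall back to the locally mounted token when this field is left unset —
# confirm for the Vault version the chart installed. `issuer` is only honoured
# when issuer validation is enabled and must then match the `iss` claim your
# cluster actually puts in its tokens.
vault write auth/kubernetes/config \
    issuer="https://kubernetes.default.svc.cluster.local" \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Least-privilege policy: read access to exactly one KV path. The `data/`
# segment is the KV v2 API path for `secret/db-auth`. The heredoc delimiter is
# quoted so the HCL is passed literally and never shell-expanded.
vault policy write csi - <<'EOF'
path "secret/data/db-auth" {
  capabilities = ["read"]
}
EOF

# Only the `silly-demo` service account in the `production` namespace can log
# in through this role, and it receives nothing beyond the `csi` policy. The
# 20m TTL bounds how long a Vault token obtained from a login stays valid.
vault write auth/kubernetes/role/csi \
    bound_service_account_names=silly-demo \
    bound_service_account_namespaces=production \
    policies=csi \
    ttl=20m
exit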
######################################
# Secrets Store CSI Driver In Action #
######################################
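# Confirm the CSI driver workloads are up in kube-system.
kubectl --namespace kube-system \
    get all

# The SecretProviderClass (which Vault path/key to mount, and as which file)
# and the Deployment that mounts it through the CSI volume.
cat k8s/secrets-store.yaml
cat k8s/deployment.yaml

# datree policy check; the first run is expected to report issues.
datree test k8s/*.yaml
# Fix the issues in k8s/deployment.yaml
datree test k8s/*.yaml \
    --ignore-missing-schemas

kubectl --namespace production apply \
    --filename k8s/
kubectl --namespace production get pods

# Pick one Pod of the deployment instead of pasting its name by hand. The
# `production` namespace holds only what was applied from k8s/, so the first
# Pod listed belongs to the demo. (Manual alternative: `export POD_NAME=<pod>`.)
POD_NAME=$(kubectl --namespace production get pods \
    --output jsonpath='{.items[0].metadata.name}')
export POD_NAME

# The secret is a file on a CSI volume inside the Pod, not a Kubernetes Secret
# object (unless k8s/secrets-store.yaml also asks the driver to sync it into
# one via secretObjects — check that file). `cat`-ing it prints the value to
# your terminal: fine for a demo, exactly the exposure to avoid elsewhere.
kubectl --namespace production \
    exec "$POD_NAME" \
    -- cat /mnt/secrets-store/password

# Rotate the value in Vault: again an interactive shell in the Vault pod —
# type the `vault kv put` there, then `exit`. Same caveat as before: the
# value is visible on the command line.
kubectl --namespace vault \
    exec -it vault-0 -- /bin/sh
vault kv put secret/db-auth \
    password="MyPrecious"
exit

# With enableSecretRotation on and a 10s poll interval the mounted file is
# rewritten without restarting the Pod; allow at least one poll interval
# before checking. An application must re-read (or watch) the file to pick
# the new value up.
kubectl --namespace production \
    exec "$POD_NAME" \
    -- cat /mnt/secrets-store/password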
###########
# Destroy #
###########
# Destroy or reset the cluster. If you keep it, remember the demo left a
# known password in Vault under `secret/db-auth` and the `csi` policy/role
# configured; clean those up as well.