Merge pull request #1500 from OWASP/feat/bump-to-1.30

feat: bump to k8s 1.30

.github/workflows/minikube-k8s-test.yml

@@ -26,7 +26,7 @@ jobs:
         with:
           minikube-version: 1.33.1
           driver: docker
-          kubernetes-version: v1.28.1
+          kubernetes-version: v1.30.0
       - name: test script
         run: |
           kubectl apply -f k8s/workspace-psa.yml

.github/workflows/minikube-vault-test.yml

@@ -27,13 +27,13 @@ jobs:
         with:
           minikube-version: 1.33.1
           driver: docker
-          kubernetes-version: v1.28.1
+          kubernetes-version: v1.30.0
       - name: Setup helm
         uses: azure/setup-helm@v4
         id: install
       - name: test script
         run: |
-          ./k8s-vault-minkube-start.sh && sleep 5 && curl http://localhost:8080/spoil/challenge-7
+          ./k8s-vault-minikube-start.sh && sleep 5 && curl http://localhost:8080/spoil/challenge-7
 
   cypress-tests:
     name: Cypress Test for Challenges
@@ -47,13 +47,13 @@ jobs:
         with:
           minikube-version: 1.33.1
           driver: docker
-          kubernetes-version: v1.28.1
+          kubernetes-version: v1.30.0
       - name: Setup helm
         uses: azure/setup-helm@v4
         id: install
       - name: test script
         run: |
-          ./k8s-vault-minkube-start.sh && sleep 5 && curl http://localhost:8080/spoil/challenge-7
+          ./k8s-vault-minikube-start.sh && sleep 5 && curl http://localhost:8080/spoil/challenge-7
       - name: Run Tests
         run: |
           cd src/test/K8s-tests

README.md

@@ -176,7 +176,7 @@ The K8S setup currently is based on using Minikube for local fun. You can use th
 Alternatively you can do :
 
 ```bash
-    ./k8s-vault-minkube-start.sh
+    ./k8s-vault-minikube-start.sh
 ```
 
 now you can use the provided IP address and port to further play with the K8s variant (instead of localhost).
@@ -219,7 +219,7 @@ Make sure you have the following installed:
 -   vault [Install from here](https://www.vaultproject.io/downloads),
 -   grep, Cat, and Sed
 
-Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-46.
+Run `./k8s-vault-minikube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-46.
 
 When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`.
 This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.

aws/README.md

@@ -132,7 +132,7 @@ The documentation below is auto-generated to give insight on what's created via
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.5 |
-| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | 20.15.0 |
+| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | 20.16.0 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.8.1 |
 
 ## Resources
@@ -166,7 +166,7 @@ The documentation below is auto-generated to give insight on what's created via
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The EKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
-| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.29"` | no |
+| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.30"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The AWS region to use | `string` | `"eu-west-1"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | List of tags to apply to resources | `map(string)` | <pre>{<br>  "Application": "wrongsecrets"<br>}</pre> | no |
 

aws/k8s-vault-aws-start.sh

@@ -49,16 +49,19 @@ else
   kubectl apply -f ../k8s/challenge33.yml
 fi
 
-kubectl get sa ebs-csi-controller-sa  -n kube-system | grep '1'  &>/dev/null
+helm list -n | grep 'aws-ebs-csi-driver' &> /dev/null
 if [ $? == 0 ]; then
-  echo "EBS CSI driver is installed, skipping (1 secret found)"
+  echo "AWS EBS CSI driver is already installed"
 else
-  echo "Installing the EBS CSI Driver from https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md as AWS makes shit hard on us"
-  kubectl apply -k "github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.25"
+  echo "Installing AWS EBS CSI driver"
+  helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver
+  helm repo update
+  helm upgrade --install aws-ebs-csi-driver --version 2.32.0 \
+    --namespace kube-system \
+    aws-ebs-csi-driver/aws-ebs-csi-driver \
+    --values ./k8s/ebs-csi-driver-values.yaml
 fi
 
-source ../scripts/install-consul.sh
-
 source ../scripts/install-vault.sh
 
 echo "Setting up IRSA for the vault service account"

aws/k8s/ebs-csi-driver-values.yaml

@@ -0,0 +1,11 @@
+# defaultStorageClass:
+#   enabled: true
+storageClasses:
+  - name: gp3
+    annotations:
+      storageclass.kubernetes.io/is-default-class: "true"
+    volumeBindingMode: WaitForFirstConsumer
+    reclaimPolicy: Delete
+    parameters:
+      type: gp3
+      encrypted: "true"

aws/main.tf

@@ -65,7 +65,7 @@ module "vpc" {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "20.15.0"
+  version = "20.16.0"
 
   cluster_name    = var.cluster_name
   cluster_version = var.cluster_version

aws/variables.tf

@@ -7,7 +7,7 @@ variable "region" {
 variable "cluster_version" {
   description = "The EKS cluster version to use"
   type        = string
-  default     = "1.29"
+  default     = "1.30"
 }
 
 variable "cluster_name" {

azure/README.md

@@ -151,7 +151,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The AKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
-| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The AKS cluster version to use | `string` | `"1.27"` | no |
+| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The AKS cluster version to use | `string` | `"1.30"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The Azure region to use | `string` | `"East US"` | no |
 
 ## Outputs

azure/k8s-vault-azure-start.sh

@@ -52,8 +52,6 @@ else
   kubectl apply -f ../k8s/challenge33.yml
 fi
 
-source ../scripts/install-consul.sh
-
 source ../scripts/install-vault.sh
 
 echo "Add secrets manager driver to repo"

azure/variables.tf

@@ -7,7 +7,7 @@ variable "region" {
 variable "cluster_version" {
   description = "The AKS cluster version to use"
   type        = string
-  default     = "1.27"
+  default     = "1.30"
 }
 
 variable "cluster_name" {

gcp/README.md

@@ -155,7 +155,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The GKE cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
-| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The GKE cluster version to use | `string` | `"1.28"` | no |
+| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The GKE cluster version to use | `string` | `"1.30"` | no |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | project id | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The GCP region to use | `string` | `"europe-west4"` | no |
 

gcp/k8s-vault-gcp-ingress-start.sh

@@ -33,8 +33,6 @@ else
   kubectl apply -f ../k8s/challenge33.yml
 fi
 
-source ../scripts/install-consul.sh
-
 source ../scripts/install-vault.sh
 
 echo "Add secrets manager driver to repo"

gcp/k8s-vault-gcp-start.sh

@@ -36,8 +36,6 @@ else
   kubectl apply -f ../k8s/challenge33.yml
 fi
 
-source ../scripts/install-consul.sh
-
 source ../scripts/install-vault.sh
 
 echo "Add secrets manager driver to repo"

gcp/variables.tf

@@ -12,7 +12,7 @@ variable "project_id" {
 variable "cluster_version" {
   description = "The GKE cluster version to use"
   type        = string
-  default     = "1.28"
+  default     = "1.30"
 }
 
 variable "cluster_name" {

k8s-vault-minkube-start.sh → k8s-vault-minikube-start.sh

@@ -9,7 +9,7 @@ checkCommandsAvailable helm minikube jq vault sed grep docker grep cat
 
 echo "This is only a script for demoing purposes. You can comment out line 22 and work with your own k8s setup"
 echo "This script is based on the steps defined in https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube . Vault is awesome!"
-minikube start --kubernetes-version=v1.28.1
+minikube start --kubernetes-version=v1.30.0
 
 echo "Patching default ns with new PSA; we should run as restricted!"
 kubectl apply -f k8s/workspace-psa.yml
@@ -28,15 +28,6 @@ else
   kubectl apply -f k8s/secrets-secret.yml
   kubectl apply -f k8s/challenge33.yml
 fi
-helm list | grep 'consul' &> /dev/null
-if [ $? == 0 ]; then
-   echo "Consul is already installed"
-else
-  helm repo add hashicorp https://helm.releases.hashicorp.com
-fi
-helm upgrade --install consul hashicorp/consul --set global.name=consul --create-namespace -n consul --values k8s/helm-consul-values.yml
-
-while [[ $(kubectl get pods -n consul -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True True True" ]]; do echo "waiting for Consul" && sleep 2; done
 
 helm list | grep 'vault' &> /dev/null
 if [ $? == 0 ]; then
@@ -61,10 +52,16 @@ VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
 echo "⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰"
 echo "PLEASE COPY PASTE THE FOLLOWING VALUE: ${VAULT_UNSEAL_KEY} , you will be asked for it 3 times to unseal the vaults"
 
-kubectl exec -it vault-0 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
+echo "Unsealing Vault 0"
+kubectl exec -it vault-0 -n vault  -- vault operator unseal $VAULT_UNSEAL_KEY
+
+echo "Joining & unsealing Vault 1"
+kubectl exec -it vault-1 -n vault -- vault operator raft join http://vault-0.vault-internal:8200
 kubectl exec -it vault-1 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
-kubectl exec -it vault-2 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
 
+echo "Joining & unsealing Vault 2"
+kubectl exec -it vault-2 -n vault -- vault operator raft join http://vault-0.vault-internal:8200
+kubectl exec -it vault-2 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
 
 echo "Obtaining root token"
 jq .root_token cluster-keys.json > commentedroottoken

k8s/helm-vault-values.yml

@@ -2,6 +2,12 @@ server:
   affinity:
   ha:
     enabled: true
+    replicas: 3
+    raft:
+      enabled: true
 
 injector:
   enabled: true
+
+ui:
+  enabled: true

scripts/install-vault.sh

@@ -6,13 +6,7 @@ else
   helm repo update hashicorp
 fi
 
-kubectl get ns | grep 'vault' $>/dev/null
-if [ $? == 0 ]; then
-  echo "Vault ns is already there"
-else
-  kubectl create ns vault
-  helm upgrade --install vault hashicorp/vault --version 0.27.0 --namespace vault --values ../k8s/helm-vault-values.yml
-fi
+helm upgrade --install vault hashicorp/vault --version 0.28.0 --namespace vault --values ../k8s/helm-vault-values.yml --create-namespace
 
 
 isvaultrunning=$(kubectl get pods -n vault --field-selector=status.phase=Running)
@@ -30,9 +24,16 @@ VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
 echo "⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰"
 echo "PLEASE COPY PASTE THE FOLLOWING VALUE: $VAULT_UNSEAL_KEY, you will be asked for it 3 times to unseal the vaults"
 
+echo "Unsealing Vault 0"
 kubectl exec -it vault-0 -n vault  -- vault operator unseal $VAULT_UNSEAL_KEY
-kubectl exec -it vault-1 -n vault  -- vault operator unseal $VAULT_UNSEAL_KEY
-kubectl exec -it vault-2 -n vault  -- vault operator unseal $VAULT_UNSEAL_KEY
+
+echo "Joining & unsealing Vault 1"
+kubectl exec -it vault-1 -n vault -- vault operator raft join http://vault-0.vault-internal:8200
+kubectl exec -it vault-1 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
+
+echo "Joining & unsealing Vault 2"
+kubectl exec -it vault-2 -n vault -- vault operator raft join http://vault-0.vault-internal:8200
+kubectl exec -it vault-2 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
 
 echo "Obtaining root token"
 jq .root_token cluster-keys.json >commentedroottoken