From bc673f8e0027218b8576a2b2ed875cea4ca47a45 Mon Sep 17 00:00:00 2001
From: Ben de Haan <53901866+bendehaan@users.noreply.github.com>
Date: Fri, 5 Jul 2024 12:57:17 +0200
Subject: [PATCH 1/5] feat: bump to k8s 1.30

---
 .github/workflows/minikube-k8s-test.yml | 2 +-
 .github/workflows/minikube-vault-test.yml | 4 ++--
 aws/.terraform.lock.hcl | 20 ++++++++++++++++++++
 aws/k8s-vault-aws-start.sh | 15 ++++++---------
 aws/k8s/ebs-csi-driver-values.yaml | 11 +++++++++++
 aws/main.tf | 2 +-
 aws/variables.tf | 2 +-
 azure/variables.tf | 2 +-
 gcp/variables.tf | 2 +-
 k8s-vault-minkube-start.sh | 2 +-
 k8s/helm-vault-values.yml | 6 ++++++
 scripts/install-vault.sh | 8 +-------
 12 files changed, 52 insertions(+), 24 deletions(-)
 create mode 100644 aws/k8s/ebs-csi-driver-values.yaml

diff --git a/.github/workflows/minikube-k8s-test.yml b/.github/workflows/minikube-k8s-test.yml
index 662ce9235..3bf628e01 100644
--- a/.github/workflows/minikube-k8s-test.yml
+++ b/.github/workflows/minikube-k8s-test.yml
@@ -26,7 +26,7 @@ jobs:
 with:
 minikube-version: 1.33.1
 driver: docker
- kubernetes-version: v1.28.1
+ kubernetes-version: v1.30.0
 - name: test script
 run: |
 kubectl apply -f k8s/workspace-psa.yml
diff --git a/.github/workflows/minikube-vault-test.yml b/.github/workflows/minikube-vault-test.yml
index c52daa969..544176680 100644
--- a/.github/workflows/minikube-vault-test.yml
+++ b/.github/workflows/minikube-vault-test.yml
@@ -27,7 +27,7 @@ jobs:
 with:
 minikube-version: 1.33.1
 driver: docker
- kubernetes-version: v1.28.1
+ kubernetes-version: v1.30.0
 - name: Setup helm
 uses: azure/setup-helm@v4
 id: install
@@ -47,7 +47,7 @@ jobs:
 with:
 minikube-version: 1.33.1
 driver: docker
- kubernetes-version: v1.28.1
+ kubernetes-version: v1.30.0
 - name: Setup helm
 uses: azure/setup-helm@v4
 id: install
diff --git a/aws/.terraform.lock.hcl b/aws/.terraform.lock.hcl
index 2b2d9530c..95327d2a9 100644
--- a/aws/.terraform.lock.hcl
+++ b/aws/.terraform.lock.hcl
@@ -64,6 +64,26 @@ provider "registry.terraform.io/hashicorp/http" {
 ]
 }
+provider "registry.terraform.io/hashicorp/null" {
+ version = "3.2.2"
+ constraints = ">= 3.0.0"
+ hashes = [
+ "h1:IMVAUHKoydFrlPrl9OzasDnw/8ntZFerCC9iXw1rXQY=",
+ "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7",
+ "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a",
+ "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3",
+ "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606",
+ "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546",
+ "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539",
+ "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422",
+ "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae",
+ "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1",
+ "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e",
+ ]
+}
+
 provider "registry.terraform.io/hashicorp/random" {
 version = "3.6.2"
 constraints = "~> 3.6.0"
diff --git a/aws/k8s-vault-aws-start.sh b/aws/k8s-vault-aws-start.sh
index c4a55f9ba..056cf9eba 100755
--- a/aws/k8s-vault-aws-start.sh
+++ b/aws/k8s-vault-aws-start.sh
@@ -49,15 +49,12 @@ else
 kubectl apply -f ../k8s/challenge33.yml
 fi
-kubectl get sa ebs-csi-controller-sa -n kube-system | grep '1' &>/dev/null
-if [ $? == 0 ]; then
- echo "EBS CSI driver is installed, skipping (1 secret found)"
-else
- echo "Installing the EBS CSI Driver from https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md as AWS makes shit hard on us"
- kubectl apply -k "github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.25"
-fi
-
-source ../scripts/install-consul.sh
+helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver
+helm repo update
+helm upgrade --install aws-ebs-csi-driver --version 2.32.0 \
+ --namespace kube-system \
+ aws-ebs-csi-driver/aws-ebs-csi-driver \
+ --values ./k8s/ebs-csi-driver-values.yaml
 source ../scripts/install-vault.sh
diff --git a/aws/k8s/ebs-csi-driver-values.yaml b/aws/k8s/ebs-csi-driver-values.yaml
new file mode 100644
index 000000000..084dfb0f1
--- /dev/null
+++ b/aws/k8s/ebs-csi-driver-values.yaml
@@ -0,0 +1,11 @@
+# defaultStorageClass:
+# enabled: true
+storageClasses:
+ - name: gp3
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ volumeBindingMode: WaitForFirstConsumer
+ reclaimPolicy: Delete
+ parameters:
+ type: gp3
+ encrypted: "true"
diff --git a/aws/main.tf b/aws/main.tf
index a2a4b8837..57e0609ad 100644
--- a/aws/main.tf
+++ b/aws/main.tf
@@ -65,7 +65,7 @@ module "vpc" {
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
- version = "20.15.0"
+ version = "20.16.0"
 cluster_name = var.cluster_name
 cluster_version = var.cluster_version
diff --git a/aws/variables.tf b/aws/variables.tf
index 2bb987831..08e2d34f5 100644
--- a/aws/variables.tf
+++ b/aws/variables.tf
@@ -7,7 +7,7 @@ variable "region" {
 variable "cluster_version" {
 description = "The EKS cluster version to use"
 type = string
- default = "1.29"
+ default = "1.30"
 }
 variable "cluster_name" {
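Review bot: The new `gp3` class in aws/k8s/ebs-csi-driver-values.yaml is annotated `storageclass.kubernetes.io/is-default-class: "true"`, but nothing in this series removes that annotation from any `gp2` class the cluster may already ship, so two classes can end up marked default; a `kubectl get sc` check in `k8s-vault-aws-start.sh`, or a comment here stating the expectation, would make that visible. The two commented-out `defaultStorageClass` lines are dead config; replace them with a comment saying why an explicit class is used instead, e.g. `# explicit gp3 class instead of the chart's defaultStorageClass toggle, so encryption and binding mode are set here`. `encrypted: "true"` without `kmsKeyId` presumably falls back to the account's default EBS key; if a customer-managed key is intended, add `kmsKeyId` and confirm the `ebs_csi_irsa_role` referenced in aws/README.md carries the matching KMS permissions.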
diff --git a/azure/variables.tf b/azure/variables.tf
index 7b07714a6..ae1c433c2 100644
--- a/azure/variables.tf
+++ b/azure/variables.tf
@@ -7,7 +7,7 @@ variable "region" {
 variable "cluster_version" {
 description = "The AKS cluster version to use"
 type = string
- default = "1.27"
+ default = "1.30"
 }
 variable "cluster_name" {
diff --git a/gcp/variables.tf b/gcp/variables.tf
index 2bae113bd..ddcbb80fb 100644
--- a/gcp/variables.tf
+++ b/gcp/variables.tf
@@ -12,7 +12,7 @@ variable "project_id" {
 variable "cluster_version" {
 description = "The GKE cluster version to use"
 type = string
- default = "1.28"
+ default = "1.30"
 }
 variable "cluster_name" {
diff --git a/k8s-vault-minkube-start.sh b/k8s-vault-minkube-start.sh
index d6c6423ee..7d1103b79 100755
--- a/k8s-vault-minkube-start.sh
+++ b/k8s-vault-minkube-start.sh
@@ -9,7 +9,7 @@ checkCommandsAvailable helm minikube jq vault sed grep docker grep cat
 echo "This is only a script for demoing purposes. You can comment out line 22 and work with your own k8s setup"
 echo "This script is based on the steps defined in https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube . Vault is awesome!"
-minikube start --kubernetes-version=v1.28.1
+minikube start --kubernetes-version=v1.30.0
 echo "Patching default ns with new PSA; we should run as restricted!"
 kubectl apply -f k8s/workspace-psa.yml
diff --git a/k8s/helm-vault-values.yml b/k8s/helm-vault-values.yml
index 2b696ecdb..03e1d5845 100644
--- a/k8s/helm-vault-values.yml
+++ b/k8s/helm-vault-values.yml
@@ -2,6 +2,12 @@ server:
 affinity:
 ha:
 enabled: true
+ replicas: 3
+ raft:
+ enabled: true
 injector:
 enabled: true
+
+ui:
+ enabled: true
diff --git a/scripts/install-vault.sh b/scripts/install-vault.sh
index ccab34ff4..1b9350278 100644
--- a/scripts/install-vault.sh
+++ b/scripts/install-vault.sh
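Review bot: `raft: enabled: true` with `replicas: 3` in k8s/helm-vault-values.yml brings up three raft nodes with no `config` override under `raft`, so the chart's default storage stanza applies and no `retry_join` is configured; that is why the start scripts later in this series have to `raft join` vault-1 and vault-2 by hand via kubectl exec. Adding a `config` block under `raft` with one `retry_join { leader_api_addr = "http://vault-0.vault-internal:8200" }` entry per peer lets followers join on their own and rejoin after a pod restart, which the exec-based join does not cover. Nothing in this file enables TLS, and the join address used later is plain `http://`, so as far as this series shows the Vault API and the join run unencrypted inside the cluster; acceptable for this demo, but state it, e.g. `# demo only: listener runs with the chart default (TLS disabled)`. `ui: enabled: true` adds a web UI and its Service; a one-line comment on why it is wanted would stop it reading as an oversight.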
@@ -6,13 +6,7 @@ else
 helm repo update hashicorp
 fi
-kubectl get ns | grep 'vault' $>/dev/null
-if [ $? == 0 ]; then
- echo "Vault ns is already there"
-else
- kubectl create ns vault
- helm upgrade --install vault hashicorp/vault --version 0.27.0 --namespace vault --values ../k8s/helm-vault-values.yml
-fi
+helm upgrade --install vault hashicorp/vault --version 0.28.0 --namespace vault --values ../k8s/helm-vault-values.yml --create-namespace
 isvaultrunning=$(kubectl get pods -n vault --field-selector=status.phase=Running)

From 15e7bdb5c617cc6c19b270503caa19bd3082adde Mon Sep 17 00:00:00 2001
From: "pre-commit-ci-lite[bot]" <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com>
Date: Fri, 5 Jul 2024 11:01:23 +0000
Subject: [PATCH 2/5] [pre-commit.ci lite] apply automatic fixes

---
 aws/README.md | 4 ++--
 azure/README.md | 2 +-
 gcp/README.md | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/aws/README.md b/aws/README.md
index a98c15748..628440af2 100644
--- a/aws/README.md
+++ b/aws/README.md
@@ -132,7 +132,7 @@ The documentation below is auto-generated to give insight on what's created via
 | Name | Source | Version |
 |------|--------|---------|
 | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.5 |
-| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 20.15.0 |
+| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 20.16.0 |
 | [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.8.1 |
 ## Resources
@@ -166,7 +166,7 @@ The documentation below is auto-generated to give insight on what's created via
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [cluster\_name](#input\_cluster\_name) | The EKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
-| [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.29"` | no |
+| [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.30"` | no |
 | [region](#input\_region) | The AWS region to use | `string` | `"eu-west-1"` | no |
 | [tags](#input\_tags) | List of tags to apply to resources | `map(string)` |
{
"Application": "wrongsecrets"
}
| no |
diff --git a/azure/README.md b/azure/README.md
index 6c02343bb..0475c6dd5 100644
--- a/azure/README.md
+++ b/azure/README.md
@@ -151,7 +151,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [cluster\_name](#input\_cluster\_name) | The AKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
-| [cluster\_version](#input\_cluster\_version) | The AKS cluster version to use | `string` | `"1.27"` | no |
+| [cluster\_version](#input\_cluster\_version) | The AKS cluster version to use | `string` | `"1.30"` | no |
 | [region](#input\_region) | The Azure region to use | `string` | `"East US"` | no |
 ## Outputs
diff --git a/gcp/README.md b/gcp/README.md
index a505a97a0..fc82c504f 100644
--- a/gcp/README.md
+++ b/gcp/README.md
@@ -155,7 +155,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [cluster\_name](#input\_cluster\_name) | The GKE cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
-| [cluster\_version](#input\_cluster\_version) | The GKE cluster version to use | `string` | `"1.28"` | no |
+| [cluster\_version](#input\_cluster\_version) | The GKE cluster version to use | `string` | `"1.30"` | no |
 | [project\_id](#input\_project\_id) | project id | `string` | n/a | yes |
 | [region](#input\_region) | The GCP region to use | `string` | `"europe-west4"` | no |

From 6ff4cb22c8190a4ea3fea17481de0efdfe2e81ba Mon Sep 17 00:00:00 2001
From: Ben de Haan <53901866+bendehaan@users.noreply.github.com>
Date: Fri, 5 Jul 2024 13:02:12 +0200
Subject: [PATCH 3/5] fix: remove consul everywhere

---
 aws/k8s-vault-aws-start.sh | 18 ++++++++++++------
 azure/k8s-vault-azure-start.sh | 2 --
 gcp/k8s-vault-gcp-ingress-start.sh | 2 --
 gcp/k8s-vault-gcp-start.sh | 2 --
 k8s-vault-minkube-start.sh | 9 ---------
 5 files changed, 12 insertions(+), 21 deletions(-)
diff --git a/aws/k8s-vault-aws-start.sh b/aws/k8s-vault-aws-start.sh
index 056cf9eba..34af40156 100755
--- a/aws/k8s-vault-aws-start.sh
+++ b/aws/k8s-vault-aws-start.sh
@@ -49,12 +49,18 @@ else
 kubectl apply -f ../k8s/challenge33.yml
 fi
-helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver
-helm repo update
-helm upgrade --install aws-ebs-csi-driver --version 2.32.0 \
- --namespace kube-system \
- aws-ebs-csi-driver/aws-ebs-csi-driver \
- --values ./k8s/ebs-csi-driver-values.yaml
+helm list -n | grep 'aws-ebs-csi-driver' &> /dev/null
+if [ $? == 0 ]; then
+ echo "AWS EBS CSI driver is already installed"
+else
+ echo "Installing AWS EBS CSI driver"
+ helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver
+ helm repo update
+ helm upgrade --install aws-ebs-csi-driver --version 2.32.0 \
+ --namespace kube-system \
+ aws-ebs-csi-driver/aws-ebs-csi-driver \
+ --values ./k8s/ebs-csi-driver-values.yaml
+fi
 source ../scripts/install-vault.sh
diff --git a/azure/k8s-vault-azure-start.sh b/azure/k8s-vault-azure-start.sh
index 540a305fd..4d044ff4b 100755
--- a/azure/k8s-vault-azure-start.sh
+++ b/azure/k8s-vault-azure-start.sh
@@ -52,8 +52,6 @@ else
 kubectl apply -f ../k8s/challenge33.yml
 fi
-source ../scripts/install-consul.sh
-
 source ../scripts/install-vault.sh
 echo "Add secrets manager driver to repo"
diff --git a/gcp/k8s-vault-gcp-ingress-start.sh b/gcp/k8s-vault-gcp-ingress-start.sh
index 03d0b6908..0e83750ff 100755
--- a/gcp/k8s-vault-gcp-ingress-start.sh
+++ b/gcp/k8s-vault-gcp-ingress-start.sh
@@ -33,8 +33,6 @@ else
 kubectl apply -f ../k8s/challenge33.yml
 fi
-source ../scripts/install-consul.sh
-
 source ../scripts/install-vault.sh
 echo "Add secrets manager driver to repo"
diff --git a/gcp/k8s-vault-gcp-start.sh b/gcp/k8s-vault-gcp-start.sh
index 1c2deb5bf..db7330c7d 100755
--- a/gcp/k8s-vault-gcp-start.sh
+++ b/gcp/k8s-vault-gcp-start.sh
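Review bot: `helm list -n | grep 'aws-ebs-csi-driver'` in aws/k8s-vault-aws-start.sh passes `-n` with no namespace value (the pipe ends the command), so helm exits with a flag error, grep reads empty input and fails, and `$?` reflects grep; the new guard therefore always takes the install branch and never detects an existing release. The release is installed into `kube-system`, so the check should name that namespace: `if helm list -n kube-system | grep -q 'aws-ebs-csi-driver'; then`. Testing the pipeline directly in the `if` also drops the `[ $? == 0 ]` idiom, which only works while nothing runs between the pipeline and the test.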
@@ -36,8 +36,6 @@ else
 kubectl apply -f ../k8s/challenge33.yml
 fi
-source ../scripts/install-consul.sh
-
 source ../scripts/install-vault.sh
 echo "Add secrets manager driver to repo"
diff --git a/k8s-vault-minkube-start.sh b/k8s-vault-minkube-start.sh
index 7d1103b79..665e80f79 100755
--- a/k8s-vault-minkube-start.sh
+++ b/k8s-vault-minkube-start.sh
@@ -28,15 +28,6 @@ else
 kubectl apply -f k8s/secrets-secret.yml
 kubectl apply -f k8s/challenge33.yml
 fi
-helm list | grep 'consul' &> /dev/null
-if [ $? == 0 ]; then
- echo "Consul is already installed"
-else
- helm repo add hashicorp https://helm.releases.hashicorp.com
-fi
-helm upgrade --install consul hashicorp/consul --set global.name=consul --create-namespace -n consul --values k8s/helm-consul-values.yml
-
-while [[ $(kubectl get pods -n consul -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True True True" ]]; do echo "waiting for Consul" && sleep 2; done
 helm list | grep 'vault' &> /dev/null
 if [ $? == 0 ]; then

From 1880b24e5fcfb10ca2b3f7b701a5cb68546e9647 Mon Sep 17 00:00:00 2001
From: Ben de Haan <53901866+bendehaan@users.noreply.github.com>
Date: Fri, 5 Jul 2024 15:02:53 +0200
Subject: [PATCH 4/5] fix: join nodes via raft

---
 ...-minkube-resume.sh => k8s-vault-minikube-resume.sh | 0
 ...lt-minkube-start.sh => k8s-vault-minikube-start.sh | 10 ++++++++--
 scripts/install-vault.sh | 11 +++++++++--
 3 files changed, 17 insertions(+), 4 deletions(-)
 rename k8s-vault-minkube-resume.sh => k8s-vault-minikube-resume.sh (100%)
 rename k8s-vault-minkube-start.sh => k8s-vault-minikube-start.sh (94%)

diff --git a/k8s-vault-minkube-resume.sh b/k8s-vault-minikube-resume.sh
similarity index 100%
rename from k8s-vault-minkube-resume.sh
rename to k8s-vault-minikube-resume.sh
diff --git a/k8s-vault-minkube-start.sh b/k8s-vault-minikube-start.sh
similarity index 94%
rename from k8s-vault-minkube-start.sh
rename to k8s-vault-minikube-start.sh
index 665e80f79..d81afa22a 100755
--- a/k8s-vault-minkube-start.sh
+++ b/k8s-vault-minikube-start.sh
@@ -52,10 +52,16 @@ VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
 echo "⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰"
 echo "PLEASE COPY PASTE THE FOLLOWING VALUE: ${VAULT_UNSEAL_KEY} , you will be asked for it 3 times to unseal the vaults"
-kubectl exec -it vault-0 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
+echo "Unsealing Vault 0"
+kubectl exec -it vault-0 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
+
+echo "Joining & unsealing Vault 1"
+kubectl exec -it vault-1 -n vault -- vault operator raft join http://vault-0.vault-internal:8200
 kubectl exec -it vault-1 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
-kubectl exec -it vault-2 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
+echo "Joining & unsealing Vault 2"
+kubectl exec -it vault-2 -n vault -- vault operator raft join http://vault-0.vault-internal:8200
+kubectl exec -it vault-2 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
 echo "Obtaining root token"
 jq .root_token cluster-keys.json > commentedroottoken
diff --git a/scripts/install-vault.sh b/scripts/install-vault.sh
index 1b9350278..3083958e6 100644
--- a/scripts/install-vault.sh
+++ b/scripts/install-vault.sh
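Review bot: Neither `raft join` in k8s-vault-minikube-start.sh has its exit status checked, so a join that fails (for instance because vault-0 is not yet active when the command runs straight after its own unseal) is silently followed by an `unseal` of a node that was never added, and the script carries on as if the cluster had three members; append `|| exit 1` to each join line, or poll `vault status` on vault-0 for an active node before joining. The visible `$?` checks elsewhere in the script suggest it does not run under `set -e`, but the top of the file is outside this hunk. The unseal key is passed as a command-line argument, so it sits in the pod's process table while the command runs; omitting the argument and feeding the key on stdin (`echo "$VAULT_UNSEAL_KEY" | kubectl exec -i vault-1 -n vault -- vault operator unseal`) should avoid that, though the key is already echoed to the terminal above, so this is minor hardening for a demo. The join address is plain `http://`, consistent with TLS being left off in the chart values; a one-line comment that this is deliberate would help.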
@@ -24,9 +24,16 @@ VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
 echo "⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰"
 echo "PLEASE COPY PASTE THE FOLLOWING VALUE: $VAULT_UNSEAL_KEY, you will be asked for it 3 times to unseal the vaults"
+echo "Unsealing Vault 0"
 kubectl exec -it vault-0 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
-kubectl exec -it vault-1 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
-kubectl exec -it vault-2 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
+
+echo "Joining & unsealing Vault 1"
+kubectl exec -it vault-1 -n vault -- vault operator raft join http://vault-0.vault-internal:8200
+kubectl exec -it vault-1 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
+
+echo "Joining & unsealing Vault 2"
+kubectl exec -it vault-2 -n vault -- vault operator raft join http://vault-0.vault-internal:8200
+kubectl exec -it vault-2 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
 echo "Obtaining root token"
 jq .root_token cluster-keys.json >commentedroottoken

From 637a7750f18b78637d7a191e8faeb2a39abcb668 Mon Sep 17 00:00:00 2001
From: Ben de Haan <53901866+bendehaan@users.noreply.github.com>
Date: Fri, 5 Jul 2024 15:06:42 +0200
Subject: [PATCH 5/5] fix: complete typo rename

---
 .github/workflows/minikube-vault-test.yml | 4 ++--
 README.md | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/minikube-vault-test.yml b/.github/workflows/minikube-vault-test.yml
index 544176680..ce6d8618e 100644
--- a/.github/workflows/minikube-vault-test.yml
+++ b/.github/workflows/minikube-vault-test.yml
@@ -33,7 +33,7 @@ jobs:
 id: install
 - name: test script
 run: |
- ./k8s-vault-minkube-start.sh && sleep 5 && curl http://localhost:8080/spoil/challenge-7
+ ./k8s-vault-minikube-start.sh && sleep 5 && curl http://localhost:8080/spoil/challenge-7
 cypress-tests:
 name: Cypress Test for Challenges
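Review bot: The join-and-unseal sequence added to scripts/install-vault.sh is identical to the one added to k8s-vault-minikube-start.sh in this commit, so every later fix has to be made twice; a loop keeps it in one place and scales with `replicas`: `for i in 1 2; do kubectl exec -i vault-$i -n vault -- vault operator raft join http://vault-0.vault-internal:8200; kubectl exec -i vault-$i -n vault -- vault operator unseal "$VAULT_UNSEAL_KEY"; done`. The `-it` flag asks for a TTY, which the GitHub Actions jobs on this page do not provide and which these one-shot commands do not need; `-i` alone avoids kubectl's TTY warning in non-interactive runs. `$VAULT_UNSEAL_KEY` is unquoted on every unseal line; quoting it is cheap insurance against word splitting even though base64 output should contain no spaces.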
@@ -53,7 +53,7 @@ jobs:
 id: install
 - name: test script
 run: |
- ./k8s-vault-minkube-start.sh && sleep 5 && curl http://localhost:8080/spoil/challenge-7
+ ./k8s-vault-minikube-start.sh && sleep 5 && curl http://localhost:8080/spoil/challenge-7
 - name: Run Tests
 run: |
 cd src/test/K8s-tests
diff --git a/README.md b/README.md
index cbdb0e047..5245fa271 100644
--- a/README.md
+++ b/README.md
@@ -176,7 +176,7 @@ The K8S setup currently is based on using Minikube for local fun. You can use th
 Alternatively you can do :
 ```bash
- ./k8s-vault-minkube-start.sh
+ ./k8s-vault-minikube-start.sh
 ```
 now you can use the provided IP address and port to further play with the K8s variant (instead of localhost).
@@ -219,7 +219,7 @@ Make sure you have the following installed:
 - vault [Install from here](https://www.vaultproject.io/downloads),
 - grep, Cat, and Sed
-Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at . This will allow you to run challenges 1-8, 12-46.
+Run `./k8s-vault-minikube-start.sh`, when the script is done, then the challenges will wait for you at . This will allow you to run challenges 1-8, 12-46.
 When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.