woose/90DaysOfDevOps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

adding day 39 - secrets management

Browse Source
This commit is contained in:
MichaelCade 2023-07-19 23:38:25 +01:00
parent 80f91f9983
commit 61f8de6fab
2 changed files with 34 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
2023/day39.md
View File

@ -179,7 +179,7 @@ With the following command we will create a kubernetes authentication role
``` ```
vault write auth/kubernetes/role/webapp \ vault write auth/kubernetes/role/webapp \
bound_service_account_names=vault \ bound_service_account_names=vault \
bound_service_account_namespaces=default \ bound_service_account_namespaces=webapp \
policies=webapp \ policies=webapp \
ttl=24h ttl=24h
``` ```
@ -194,6 +194,12 @@ We will create a deployment yaml that looks like the following.
``` ```
--- ---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault
EOF
---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
@ -217,7 +223,7 @@ spec:
imagePullPolicy: Always imagePullPolicy: Always
env: env:
- name: VAULT_ADDR - name: VAULT_ADDR
value: 'http://vault.vault:8200' value: 'http://vault.vault.svc.cluster.local:8200/'
- name: JWT_PATH - name: JWT_PATH
value: '/var/run/secrets/kubernetes.io/serviceaccount/token' value: '/var/run/secrets/kubernetes.io/serviceaccount/token'
- name: SERVICE_PORT - name: SERVICE_PORT
@ -227,3 +233,19 @@ spec:
Create the webapp namespace Create the webapp namespace
`kubectl create ns webapp` `kubectl create ns webapp`
Our YAML consists of our simple web app and the service account.
`kubectl create -f deployment-01-webapp.yml -n webapp`
I also want to note that the helm chart for vault will deploy
You can check that the authentication has worked by checking pods in the webapp namespace, if they are not in a running state or not there at all then something is not right as this is communicating with vault to make sure that this service is running.
Once the pod is running, we need to port forward our webapp
Find the pod name and then port forward that.
```
kubectl get pods -n webapp
kubectl port-forward <PODNAME> -n webapp 8080:8080
```

9
2023/day39/deployment-01-webapp.yml
View File

@ -1,8 +1,15 @@
--- ---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault
namespace: webapp
---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: webapp name: webapp
namespace: webapp
labels: labels:
app: webapp app: webapp
spec: spec:
@ -22,7 +29,7 @@ spec:
imagePullPolicy: Always imagePullPolicy: Always
env: env:
- name: VAULT_ADDR - name: VAULT_ADDR
value: 'http://127.0.0.1:8200' value: 'http://vault.vault.svc.cluster.local:8200/'
- name: JWT_PATH - name: JWT_PATH
value: '/var/run/secrets/kubernetes.io/serviceaccount/token' value: '/var/run/secrets/kubernetes.io/serviceaccount/token'
- name: SERVICE_PORT - name: SERVICE_PORT