Update k8s and k8s-rotation dev environments with encoded secret

cyberark · Mar 21, 2023 · 4274d14 · 4274d14
1 parent 231c303
commit 4274d14
Show file tree

Hide file tree

Showing 8 changed files with 30 additions and 8 deletions.
diff --git a/.gitignore b/.gitignore
@@ -12,5 +12,5 @@ junit.xml
 # Temporary directory to store the CyberArk proxy CA certificate
 build_ca_certificate/
 
-# Ignore generated policy files
-deploy/policy/generated/
+# Ignore generated policy files and manifests
+deploy/**/generated/
diff --git a/deploy/config/k8s/k8s-secret.yml b/deploy/config/k8s/k8s-secret.yml
@@ -9,4 +9,7 @@ stringData:
     var_with_spaces: secrets/var with spaces
     var_with_pluses: secrets/var+with+pluses
     var_with_umlaut: secrets/umlaut
+    var_with_encoded:
+      id: secrets/encoded
+      content-type: base64
   non-conjur-key: some-value
diff --git a/deploy/config/openshift/k8s-secret.yml b/deploy/config/openshift/k8s-secret.yml
@@ -9,4 +9,7 @@ stringData:
     var_with_spaces: secrets/var with spaces
     var_with_pluses: secrets/var+with+pluses
     var_with_umlaut: secrets/umlaut
+    var_with_encoded:
+      id: secrets/encoded
+      content-type: base64
   non-conjur-key: some-value
diff --git a/deploy/dev/config/k8s/secrets-provider-init-container.sh.yml b/deploy/dev/config/k8s/secrets-provider-init-container.sh.yml
@@ -46,6 +46,11 @@ spec:
               secretKeyRef:
                 name: test-k8s-secret
                 key: var_with_umlaut
+          - name: VARIABLE_WITH_ENCODED_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: test-k8s-secret
+                key: var_with_encoded
           - name: NON_CONJUR_SECRET
             valueFrom:
               secretKeyRef:

diff --git a/deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml b/deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml
@@ -69,6 +69,11 @@ spec:
               secretKeyRef:
                 name: test-k8s-secret
                 key: var_with_umlaut
+          - name: VARIABLE_WITH_ENCODED_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: test-k8s-secret
+                key: var_with_encoded
           - name: NON_CONJUR_SECRET
             valueFrom:
               secretKeyRef:

diff --git a/deploy/policy/load_policies.sh b/deploy/policy/load_policies.sh
@@ -34,6 +34,7 @@ conjur variable set -i secrets/test_secret -v "some-secret"
 conjur variable set -i "secrets/var with spaces" -v "some-secret"
 conjur variable set -i "secrets/var+with+pluses" -v "some-secret"
 conjur variable set -i "secrets/umlaut" -v "some-secret"
+conjur variable set -i "secrets/encoded" -v "c2VjcmV0LXZhbHVl" # == secret-value
 conjur variable set -i secrets/url -v "postgresql://test-app-backend.app-test.svc.cluster.local:5432"
 conjur variable set -i secrets/username -v "some-user"
 conjur variable set -i secrets/password -v "7H1SiSmYp@5Sw0rd"

diff --git a/deploy/policy/templates/conjur-secrets.template.sh.yml b/deploy/policy/templates/conjur-secrets.template.sh.yml
@@ -12,6 +12,7 @@ cat << EOL
       - !variable var with spaces
       - !variable var+with+pluses
       - !variable umlaut
+      - !variable encoded
       - !variable url
       - !variable username
       - !variable password

diff --git a/deploy/utils.sh b/deploy/utils.sh
@@ -332,6 +332,7 @@ deploy_chart() {
 }
 
 set_config_directory_path() {
+  export DEV_CONFIG_DIR="dev/config/k8s"
   export CONFIG_DIR="config/k8s"
   if [[ "$PLATFORM" = "openshift" ]]; then
     export CONFIG_DIR="config/openshift"
@@ -380,8 +381,9 @@ deploy_init_env() {
   echo "Running Deployment Manifest"
 
   if [[ "$DEV" = "true" ]]; then
-    ./dev/config/k8s/secrets-provider-init-container.sh.yml > ./dev/config/k8s/secrets-provider-init-container.yml
-    $cli_with_timeout apply -f ./dev/config/k8s/secrets-provider-init-container.yml
+    mkdir -p $DEV_CONFIG_DIR/generated
+    $DEV_CONFIG_DIR/secrets-provider-init-container.sh.yml > $DEV_CONFIG_DIR/generated/secrets-provider-init-container.yml
+    $cli_with_timeout apply -f $DEV_CONFIG_DIR/generated/secrets-provider-init-container.yml
 
     $cli_with_timeout "get pods --namespace=$APP_NAMESPACE_NAME --selector app=init-env --no-headers | wc -l"
   else
@@ -407,8 +409,9 @@ deploy_k8s_rotation_env() {
   echo "Running Deployment Manifest"
 
   if [[ "$DEV" = "true" ]]; then
-    ./dev/config/k8s/secrets-provider-k8s-rotation.sh.yml > ./dev/config/k8s/secrets-provider-k8s-rotation.yml
-    $cli_with_timeout apply -f ./dev/config/k8s/secrets-provider-k8s-rotation.yml
+    mkdir -p $DEV_CONFIG_DIR/generated
+    $DEV_CONFIG_DIR/secrets-provider-k8s-rotation.sh.yml > $DEV_CONFIG_DIR/generated/secrets-provider-k8s-rotation.yml
+    $cli_with_timeout apply -f $DEV_CONFIG_DIR/generated/secrets-provider-k8s-rotation.yml
 
     $cli_with_timeout "get pods --namespace=$APP_NAMESPACE_NAME --selector app=test-app --no-headers | wc -l"
   else
@@ -649,8 +652,9 @@ deploy_push_to_file() {
   deployment_name="test-env"
 
   if [[ "$DEV" = "true" ]]; then
-    "./dev/config/k8s/$dev_yaml_file_name.sh.yml" > "./dev/config/k8s/$dev_yaml_file_name.yml"
-    $cli_with_timeout apply -f "./dev/config/k8s/$dev_yaml_file_name.yml"
+    mkdir -p $DEV_CONFIG_DIR/generated
+    "$DEV_CONFIG_DIR/$dev_yaml_file_name.sh.yml" > "$DEV_CONFIG_DIR/generated/$dev_yaml_file_name.yml"
+    $cli_with_timeout apply -f "$DEV_CONFIG_DIR/generated/$dev_yaml_file_name.yml"
 
     $cli_with_timeout "get pods --namespace=$APP_NAMESPACE_NAME --selector app=$deployment_name --no-headers | wc -l"
   else