From fa8d908f3b20c557837b27c20478ff53e6ba88fe Mon Sep 17 00:00:00 2001
From: Glen Johnson
Date: Mon, 20 Mar 2023 14:27:55 -0600
Subject: [PATCH] Update k8s and k8s-rotation dev environments with encoded secret
---
 .gitignore | 4 ++--
 deploy/config/k8s/k8s-secret.yml | 3 +++
 deploy/config/openshift/k8s-secret.yml | 3 +++
 .../k8s/secrets-provider-init-container.sh.yml | 5 +++++
 .../k8s/secrets-provider-k8s-rotation.sh.yml | 5 +++++
 deploy/policy/load_policies.sh | 1 +
 .../templates/conjur-secrets.template.sh.yml | 1 +
 deploy/utils.sh | 16 ++++++++++------
 8 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/.gitignore b/.gitignore
index e7f26f4b..be06f493 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,5 +12,5 @@ junit.xml
 # Temporary directory to store the CyberArk proxy CA certificate
 build_ca_certificate/
-# Ignore generated policy files
-deploy/policy/generated/
+# Ignore generated policy files and manifests
+deploy/**/generated/
diff --git a/deploy/config/k8s/k8s-secret.yml b/deploy/config/k8s/k8s-secret.yml
index 86b0b315..680e2b90 100644
--- a/deploy/config/k8s/k8s-secret.yml
+++ b/deploy/config/k8s/k8s-secret.yml
@@ -9,4 +9,7 @@ stringData:
 var_with_spaces: secrets/var with spaces
 var_with_pluses: secrets/var+with+pluses
 var_with_umlaut: secrets/umlaut
+ var_with_encoded:
+ id: secrets/encoded
+ content-type: base64
 non-conjur-key: some-value
diff --git a/deploy/config/openshift/k8s-secret.yml b/deploy/config/openshift/k8s-secret.yml
index 86b0b315..680e2b90 100644
--- a/deploy/config/openshift/k8s-secret.yml
+++ b/deploy/config/openshift/k8s-secret.yml
@@ -9,4 +9,7 @@ stringData:
 var_with_spaces: secrets/var with spaces
 var_with_pluses: secrets/var+with+pluses
 var_with_umlaut: secrets/umlaut
+ var_with_encoded:
+ id: secrets/encoded
+ content-type: base64
 non-conjur-key: some-value
diff --git a/deploy/dev/config/k8s/secrets-provider-init-container.sh.yml b/deploy/dev/config/k8s/secrets-provider-init-container.sh.yml
index 10a8876b..7c5fb79c 100755
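Review bot: The openshift copy of k8s-secret.yml is byte-identical to the k8s one (both hunks carry the same blob ids `86b0b315..680e2b90`), so every fixture such as the new `var_with_encoded` entry has to be added twice and the two files can silently drift. If the duplication is deliberate, a one-line comment at the top of each file, `# keep in sync with deploy/config/openshift/k8s-secret.yml` and the reverse, would make that visible; otherwise rendering one from the other the way the `.sh.yml` templates already generate manifests removes the risk. The nested `id`/`content-type` form under `var_with_encoded` is presumably a string the provider parses rather than a Kubernetes-level mapping; the hunk does not show whether it sits inside a block scalar, so that is worth confirming.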
--- a/deploy/dev/config/k8s/secrets-provider-init-container.sh.yml
+++ b/deploy/dev/config/k8s/secrets-provider-init-container.sh.yml
@@ -46,6 +46,11 @@ spec:
 secretKeyRef:
 name: test-k8s-secret
 key: var_with_umlaut
+ - name: VARIABLE_WITH_ENCODED_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: test-k8s-secret
+ key: var_with_encoded
 - name: NON_CONJUR_SECRET
 valueFrom:
 secretKeyRef:
diff --git a/deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml b/deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml
index aa73be79..026e077f 100755
--- a/deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml
+++ b/deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml
@@ -69,6 +69,11 @@ spec:
 secretKeyRef:
 name: test-k8s-secret
 key: var_with_umlaut
+ - name: VARIABLE_WITH_ENCODED_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: test-k8s-secret
+ key: var_with_encoded
 - name: NON_CONJUR_SECRET
 valueFrom:
 secretKeyRef:
diff --git a/deploy/policy/load_policies.sh b/deploy/policy/load_policies.sh
index a49d139b..c49c3e57 100755
--- a/deploy/policy/load_policies.sh
+++ b/deploy/policy/load_policies.sh
@@ -34,6 +34,7 @@ conjur variable set -i secrets/test_secret -v "some-secret"
 conjur variable set -i "secrets/var with spaces" -v "some-secret"
 conjur variable set -i "secrets/var+with+pluses" -v "some-secret"
 conjur variable set -i "secrets/umlaut" -v "some-secret"
+conjur variable set -i "secrets/encoded" -v "c2VjcmV0LXZhbHVl" # == secret-value
 conjur variable set -i secrets/url -v "postgresql://test-app-backend.app-test.svc.cluster.local:5432"
 conjur variable set -i secrets/username -v "some-user"
 conjur variable set -i secrets/password -v "7H1SiSmYp@5Sw0rd"
diff --git a/deploy/policy/templates/conjur-secrets.template.sh.yml b/deploy/policy/templates/conjur-secrets.template.sh.yml
index f76552e0..27f65449 100755
--- a/deploy/policy/templates/conjur-secrets.template.sh.yml
+++ b/deploy/policy/templates/conjur-secrets.template.sh.yml
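Review bot: The new `VARIABLE_WITH_ENCODED_SECRET` entry is plumbed into the pod, but nothing in this commit checks what it ends up holding: the diffstat lists no test change, so whether the container receives the decoded `secret-value` or the raw base64 string is not verified by the patch. An assertion in the dev-environment checks that the variable equals `secret-value` would pin the behaviour the `content-type: base64` fixture exists to exercise. The same five lines are duplicated verbatim in the secrets-provider-k8s-rotation.sh.yml hunk, so the point applies there too. In both files the surrounding `env` list starts and ends outside the hunk.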
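Review bot: The trailing comment `# == secret-value` on the new `conjur variable set -i "secrets/encoded"` line leaves the reader to work out the relation between the literal and the comment, and says nothing about which consumer expects the encoding. `# base64 of "secret-value"; consumed via content-type: base64 in k8s-secret.yml` states both the fixture's meaning and where it is decoded. The hunk's function or script body continues outside the visible lines.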
@@ -12,6 +12,7 @@ cat << EOL
 - !variable var with spaces
 - !variable var+with+pluses
 - !variable umlaut
+ - !variable encoded
 - !variable url
 - !variable username
 - !variable password
diff --git a/deploy/utils.sh b/deploy/utils.sh
index c718c234..2a74d49e 100644
--- a/deploy/utils.sh
+++ b/deploy/utils.sh
@@ -332,6 +332,7 @@ deploy_chart() {
 }
 set_config_directory_path() {
+ export DEV_CONFIG_DIR="dev/config/k8s"
 export CONFIG_DIR="config/k8s"
 if [[ "$PLATFORM" = "openshift" ]]; then
 export CONFIG_DIR="config/openshift"
@@ -380,8 +381,9 @@ deploy_init_env() {
 echo "Running Deployment Manifest"
 if [[ "$DEV" = "true" ]]; then
- ./dev/config/k8s/secrets-provider-init-container.sh.yml > ./dev/config/k8s/secrets-provider-init-container.yml
- $cli_with_timeout apply -f ./dev/config/k8s/secrets-provider-init-container.yml
+ mkdir -p $DEV_CONFIG_DIR/generated
+ $DEV_CONFIG_DIR/secrets-provider-init-container.sh.yml > $DEV_CONFIG_DIR/generated/secrets-provider-init-container.yml
+ $cli_with_timeout apply -f $DEV_CONFIG_DIR/generated/secrets-provider-init-container.yml
 $cli_with_timeout "get pods --namespace=$APP_NAMESPACE_NAME --selector app=init-env --no-headers | wc -l"
 else
@@ -407,8 +409,9 @@ deploy_k8s_rotation_env() {
 echo "Running Deployment Manifest"
 if [[ "$DEV" = "true" ]]; then
- ./dev/config/k8s/secrets-provider-k8s-rotation.sh.yml > ./dev/config/k8s/secrets-provider-k8s-rotation.yml
- $cli_with_timeout apply -f ./dev/config/k8s/secrets-provider-k8s-rotation.yml
+ mkdir -p $DEV_CONFIG_DIR/generated
+ $DEV_CONFIG_DIR/secrets-provider-k8s-rotation.sh.yml > $DEV_CONFIG_DIR/generated/secrets-provider-k8s-rotation.yml
+ $cli_with_timeout apply -f $DEV_CONFIG_DIR/generated/secrets-provider-k8s-rotation.yml
 $cli_with_timeout "get pods --namespace=$APP_NAMESPACE_NAME --selector app=test-app --no-headers | wc -l"
 else
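Review bot: `DEV_CONFIG_DIR` is exported unconditionally as `dev/config/k8s`, while `CONFIG_DIR` two lines below is switched to `config/openshift` when `$PLATFORM` is openshift, so on OpenShift the dev path and the non-dev path point into different platform trees. If that is intended because no OpenShift dev manifests exist, a comment on the new line such as `# dev manifests exist only for k8s; there is no openshift variant` would stop the next reader from "fixing" it; if it is not intended, the assignment needs the same platform branch as `CONFIG_DIR`. The body of set_config_directory_path continues past the end of the hunk.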
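Review bot: `mkdir -p $DEV_CONFIG_DIR/generated` and the two lines after it expand `$DEV_CONFIG_DIR` unquoted and unguarded, so if `set_config_directory_path` has not run before deploy_init_env (the call order is not visible in this hunk) the paths collapse to `/generated/...` and the rendered manifest is written to, and applied from, a directory under the filesystem root instead of the script failing with a clear message. `mkdir -p "${DEV_CONFIG_DIR:?}/generated"` aborts on an empty value, and quoting `"$DEV_CONFIG_DIR/..."` on the render and apply lines matches the quoting the deploy_push_to_file hunk already uses. The same three lines recur in the deploy_k8s_rotation_env hunk that follows, so the fix applies there as well. deploy_init_env starts and ends outside the hunk.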
@@ -649,8 +652,9 @@ deploy_push_to_file() {
 deployment_name="test-env"
 if [[ "$DEV" = "true" ]]; then
- "./dev/config/k8s/$dev_yaml_file_name.sh.yml" > "./dev/config/k8s/$dev_yaml_file_name.yml"
- $cli_with_timeout apply -f "./dev/config/k8s/$dev_yaml_file_name.yml"
+ mkdir -p $DEV_CONFIG_DIR/generated
+ "$DEV_CONFIG_DIR/$dev_yaml_file_name.sh.yml" > "$DEV_CONFIG_DIR/generated/$dev_yaml_file_name.yml"
+ $cli_with_timeout apply -f "$config_dir/generated/$dev_yaml_file_name.yml"
 $cli_with_timeout "get pods --namespace=$APP_NAMESPACE_NAME --selector app=$deployment_name --no-headers | wc -l"
 else
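Review bot: The render line writes the manifest to `"$DEV_CONFIG_DIR/generated/$dev_yaml_file_name.yml"` but the apply line reads `"$config_dir/generated/$dev_yaml_file_name.yml"`; `config_dir` is set nowhere in the hunk and differs in case from the exported `CONFIG_DIR`, so unless a local of that exact name exists earlier in the function (not visible here) the apply targets a different path from the file just generated, and the removed lines' behaviour of applying the freshly rendered manifest is lost. The line should be `$cli_with_timeout apply -f "$DEV_CONFIG_DIR/generated/$dev_yaml_file_name.yml"`. As in the other two utils.sh hunks, `mkdir -p "${DEV_CONFIG_DIR:?}/generated"` would fail fast instead of creating `/generated` when the variable is unset. deploy_push_to_file starts and ends outside the hunk.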