Working version of Azure 9 and 10

Author: bendehaan

azure/README.md

@@ -24,10 +24,14 @@ Make sure you have an active subscription at Azure for which you have configured
 
 1. Set either a new resource group or use an existing resource group in `main.tf` (it defaults to the existing `OWASP-Projects` resource group). Note that you'll need to find/replace references to "data.azurerm_resource_group.default" to "arurerm_resource_group.default" if you want to create a new one.
 1. check whether you have the right project by doing `az account show`.
-2. Run `terraform init` (if required, use tfenv to select TF 0.14.0 or higher )
-3. Run `terraform plan`
-4. Run `terraform apply`. Note: the apply will take 5 to 20 minutes depending on the speed of the AKS backplane.
-5. Run `./k8s-vault-azure-start.sh`
+1. If not yet enabled, register the required services for the subscription, run:
+    - `az provider register --namespace Microsoft.ContainerService`
+    - `az provider register --namespace Microsoft.KeyVault`
+    - `az provider register --namespace Microsoft.ManagedIdentity`
+1. Run `terraform init` (if required, use tfenv to select TF 0.14.0 or higher )
+1. Run `terraform plan` to see what will be created (optional).
+1. Run `terraform apply`. Note: the apply will take 5 to 20 minutes depending on the speed of the Azure backplane.
+1. Run `./k8s-vault-azure-start.sh`. Your kubeconfig file will automatically be updated.
 
 Your AKS cluster should be visible in your resource group. Want a different region? You can modify `terraform.tfvars` or input it directly using the `region` variable in plan/apply.
 

azure/k8s-vault-azure-start.sh

@@ -142,8 +142,7 @@ if [ $? == 0 ]; then
   echo "CSI driver is already installed"
 else
   echo "Installing CSI driver"
-  helm install -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set enableSecretRotation=true --set rotationPollInterval=60s
-  helm install -n kube-system csi-secrets-store-azure csi-secrets-store-provider-azure/csi-secrets-store-provider-azure
+  helm install -n kube-system csi-secrets-store-provider-azure csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --set enableSecretRotation=true --set rotationPollInterval=60s
 fi
 
 echo "Add Azure pod identity to repo"
@@ -156,10 +155,6 @@ else
   helm install aad-pod-identity aad-pod-identity/aad-pod-identity
 fi
 
-echo "Install Azure key vault provider"
-kubectl apply -f https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/deployment/provider-azure-installer.yaml
-
-# TODO change to az cli commands
 echo "Generate secret manager challenge secret 2"
 az keyvault secret set --name wrongsecret-2 --vault-name "${AZ_KEY_VAULT_NAME}" --value "$(openssl rand -base64 16)" >/dev/null
 

azure/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -35,7 +35,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "azure-wrongsecrets-vault"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.2.0-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:azuretest2-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080
@@ -47,8 +47,8 @@ spec:
           env:
             - name: K8S_ENV
               value: azure
-            - name: AzureKeyVaultUri
-              value: ${AZ_VAULT_URI}
+            - name: AZ_KEY_VAULT_NAME
+              value: ${AZ_KEY_VAULT_NAME}
             - name: SPECIAL_K8S_SECRET
               valueFrom:
                 configMapKeyRef:

azure/k8s/secret-volume.yml.tpl

@@ -1,4 +1,4 @@
-apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
   name: azure-wrongsecrets-vault
@@ -12,11 +12,11 @@ spec:
       array:
         - |
           objectName: wrongsecret
-          objectAlias: WRONGSECRET
+          objectAlias: wrongsecret
           objectType: secret
           objectVersion: ""
         - |
           objectName: wrongsecret-2
-          objectAlias: WRONGSECRET_2
+          objectAlias: wrongsecret-2
           objectType: secret
           objectVersion: ""

src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge11.java

@@ -172,7 +172,8 @@ private String getGCPChallenge11Value() {
 
     private String getAzureChallenge11Value() {
         if (isAzure()) {
-            String keyVaultUri = System.getenv("AZ_VAULT_URI");
+            String keyVaultName = System.getenv("AZ_VAULT_NAME");
+            String keyVaultUri = "https://" + keyVaultName + ".vault.azure.net";
             try {
                 SecretClient secretClient = new SecretClientBuilder()
                     .vaultUrl(keyVaultUri)

src/main/resources/explanations/challenge11-azure_hint.adoc

@@ -17,11 +17,13 @@ spec:
       containers:
         - name: az
           image: mcr.microsoft.com/azure-cli:latest
-          command: ["az", "keyvault", "secret", "show", "--name=wrongsecret-3", "--vault-name=YOUR_VAULT_NAME_HERE"]
+          command:
+            [
+              "sleep", "7200"
+            ]
       restartPolicy: Never
 ```
+- Apply the job with `kubectl apply -f job.yaml`
 
-This job executes something like the command `az keyvault secret show --name wrongsecret-3 --vault-name wrongsecrets-vault-00000`. Since the job can access the same vault as the secret challenge pod, it has access to its secrets.
+You can now exec into the pod, and execute something like `az login --identity --allow-no-subscriptions && az keyvault secret show --name wrongsecret-3 --vault-name wrongsecrets-vault-00000`. Since the job can access the same vault as the secret challenge pod, it has access to its secrets.
 
-- Apply the job with `kubectl apply -f job.yaml`
-- Check the job's logs with `kubectl logs job/wrongsecret-3`. This should show you the solution :)