Merge pull request #1832 from OWASP/hotfix/minikube
Hotfix/minikube: update sealed-secrets and Vault versions
commjoen authored Feb 2, 2025
2 parents 047d0c0 + 99a86ea commit 972f557
Showing 11 changed files with 24 additions and 17 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/minikube-k8s-test.yml
Expand Up @@ -24,7 +24,7 @@ jobs:
- name: Start minikube
uses: medyagh/setup-minikube@master
with:
minikube-version: 1.33.1
minikube-version: 1.35.0
driver: docker
kubernetes-version: v1.30.0
- name: test script
4 changes: 2 additions & 2 deletions .github/workflows/minikube-vault-test.yml
Expand Up @@ -25,7 +25,7 @@ jobs:
- name: Start minikube
uses: medyagh/setup-minikube@master
with:
minikube-version: 1.33.1
minikube-version: 1.35.0
driver: docker
kubernetes-version: v1.30.0
- name: Setup helm
Expand All @@ -45,7 +45,7 @@ jobs:
- name: Start minikube
uses: medyagh/setup-minikube@master
with:
minikube-version: 1.33.1
minikube-version: 1.35.0
driver: docker
kubernetes-version: v1.30.0
- name: Setup helm
2 changes: 1 addition & 1 deletion aws/k8s-vault-aws-start.sh
Expand Up @@ -42,7 +42,7 @@ else
fi

echo "Setting up the bitnami sealed secret controler"
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.27.0/controller.yaml
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.28.0/controller.yaml
kubectl apply -f ../k8s/sealed-secret-controller.yaml
kubectl apply -f ../k8s/main.key
kubectl delete pod -n kube-system -l name=sealed-secrets-controller
8 changes: 6 additions & 2 deletions aws/k8s/secret-challenge-vault-deployment.yml
Expand Up @@ -61,8 +61,12 @@ spec:
- image: jeroenwillemsen/wrongsecrets:1.10.2-k8s-vault
imagePullPolicy: IfNotPresent
name: secret-challenge
command: [ "/bin/sh" ]
args: [ "-c", "source /vault/secrets/challenge46 && source /vault/secrets/challenge47 && java -jar -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true -D /application.jar" ]
command: ["/bin/sh"]
args:
[
"-c",
"source /vault/secrets/challenge46 && source /vault/secrets/challenge47 && java -jar -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true -D /application/application.jar",
]
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
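Review bot: The bare `-D` that sits just before the jar path in the new `args` string (and in the matching lines of azure/k8s/secret-challenge-vault-deployment.yml.tpl, gcp/k8s/secret-challenge-vault-deployment.yml.tpl and k8s/secret-challenge-vault-deployment.yml) looks like an incomplete system-property flag; the commit corrects the jar path but leaves it in place, so either drop it (`... -Dspringdoc.api-docs.enabled=true /application/application.jar`) or, if it is deliberate, say why in a comment above `args:`. In the same string, `source` is a shell-specific builtin that the container's `/bin/sh` may not provide — busybox ash accepts it, dash does not — while `. /vault/secrets/challenge46 && . /vault/secrets/challenge47` works in either; the image's shell is not visible from here, so confirm it against the base image. Sourcing the rendered secret files also executes them as shell, which is only safe as long as the agent template that writes them quotes every value; that template is outside this hunk. The multi-line flow sequence introduced here for `args` is unusual in Kubernetes manifests and differs from the two templates, which keep a single line; a block sequence with `- "-c"` followed by a `>-` folded scalar for the command, broken only at spaces, would read the same in all four files without changing the value.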
2 changes: 1 addition & 1 deletion azure/k8s-vault-azure-start.sh
Expand Up @@ -45,7 +45,7 @@ else
fi

echo "Setting up the bitnami sealed secret controler"
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.27.0/controller.yaml
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.28.0/controller.yaml
kubectl apply -f ../k8s/sealed-secret-controller.yaml
kubectl apply -f ../k8s/main.key
kubectl delete pod -n kube-system -l name=sealed-secrets-controller
2 changes: 1 addition & 1 deletion azure/k8s/secret-challenge-vault-deployment.yml.tpl
Expand Up @@ -65,7 +65,7 @@ spec:
imagePullPolicy: IfNotPresent
name: secret-challenge
command: ["/bin/sh"]
args: ["-c", "source /vault/secrets/challenge46 && source /vault/secrets/challenge47 && java -jar -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true -D /application.jar"]
args: ["-c", "source /vault/secrets/challenge46 && source /vault/secrets/challenge47 && java -jar -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true -D /application/application.jar"]
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
2 changes: 1 addition & 1 deletion gcp/k8s-vault-gcp-start.sh
Expand Up @@ -29,7 +29,7 @@ else
fi

echo "Setting up the bitnami sealed secret controler"
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.27.0/controller.yaml
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.28.0/controller.yaml
kubectl apply -f ../k8s/sealed-secret-controller.yaml
kubectl apply -f ../k8s/main.key
kubectl delete pod -n kube-system -l name=sealed-secrets-controller
2 changes: 1 addition & 1 deletion gcp/k8s/secret-challenge-vault-deployment.yml.tpl
Expand Up @@ -62,7 +62,7 @@ spec:
imagePullPolicy: IfNotPresent
name: secret-challenge
command: ["/bin/sh"]
args: ["-c", "source /vault/secrets/challenge46 && source /vault/secrets/challenge47 && java -jar -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true -D /application.jar"]
args: ["-c", "source /vault/secrets/challenge46 && source /vault/secrets/challenge47 && java -jar -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true -D /application/application.jar"]
ports:
- containerPort: 8080
protocol: TCP
8 changes: 4 additions & 4 deletions k8s-vault-minikube-start.sh
Expand Up @@ -9,7 +9,7 @@ checkCommandsAvailable helm minikube jq vault sed grep docker grep cat

echo "This is only a script for demoing purposes. You can comment out line 22 and work with your own k8s setup"
echo "This script is based on the steps defined in https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube . Vault is awesome!"
minikube start --kubernetes-version=v1.30.0
minikube start --kubernetes-version=v1.30.0 --driver=docker

echo "Patching default ns with new PSA; we should run as restricted!"
kubectl apply -f k8s/workspace-psa.yml
Expand All @@ -21,7 +21,7 @@ else
kubectl apply -f k8s/secrets-config.yml
fi
echo "Setting up the bitnami sealed secret controler"
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.27.0/controller.yaml
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.28.0/controller.yaml
kubectl apply -f k8s/sealed-secret-controller.yaml
kubectl apply -f k8s/main.key
kubectl delete pod -n kube-system -l name=sealed-secrets-controller
Expand All @@ -41,10 +41,10 @@ helm list | grep 'vault' &> /dev/null
if [ $? == 0 ]; then
echo "Vault is already installed"
else
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo add hashicorp https://helm.releases.hashicorp.com
fi
kubectl create ns vault
helm upgrade --install vault hashicorp/vault --version 0.27.0 --namespace vault --values k8s/helm-vault-values.yml
helm upgrade --install vault hashicorp/vault --version 0.29.1 --namespace vault --values k8s/helm-vault-values.yml

isvaultrunning=$(kubectl get pods -n vault --field-selector=status.phase=Running)
while [[ $isvaultrunning != *"vault-0"* ]]; do echo "waiting for Vault1" && sleep 2 && isvaultrunning=$(kubectl get pods -n vault --field-selector=status.phase=Running); done
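Review bot: The sealed-secrets controller manifest is applied straight from the release URL in the second hunk, and the same URL with the same hard-coded `v0.28.0` now also appears in aws/k8s-vault-aws-start.sh, azure/k8s-vault-azure-start.sh and gcp/k8s-vault-gcp-start.sh, while the chart version `0.29.1` is duplicated between this script and scripts/install-vault.sh, so the next bump again has to touch five places. A single variable near the top of each script, `SEALED_SECRETS_VERSION="0.28.0"`, used as `kubectl apply -f "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${SEALED_SECRETS_VERSION}/controller.yaml"`, keeps the version in one place per script and makes the bump greppable. Because that manifest installs a cluster-wide controller, it would also be worth downloading it to a temp file and comparing its sha256 with a value recorded next to the version before the apply, so a changed release asset is noticed rather than applied; that needs curl and sha256sum (or shasum on macOS), which the `checkCommandsAvailable` list on the first hunk's header line does not include yet. The indentation fix on `helm repo add` in the third hunk is fine as is.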
6 changes: 5 additions & 1 deletion k8s/secret-challenge-vault-deployment.yml
Expand Up @@ -54,7 +54,11 @@ spec:
imagePullPolicy: IfNotPresent
name: secret-challenge
command: ["/bin/sh"]
args: ["-c", "source /vault/secrets/challenge46 && source /vault/secrets/challenge47 && java -jar -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true -D /application.jar"]
args:
[
"-c",
"source /vault/secrets/challenge46 && source /vault/secrets/challenge47 && java -jar -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true -D /application/application.jar",
]
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
3 changes: 1 addition & 2 deletions scripts/install-vault.sh
Expand Up @@ -7,8 +7,7 @@ else
helm repo update hashicorp
fi

helm upgrade --install vault hashicorp/vault --version 0.28.0 --namespace vault --values ../k8s/helm-vault-values.yml --create-namespace

helm upgrade --install vault hashicorp/vault --version 0.29.1 --namespace vault --values ../k8s/helm-vault-values.yml --create-namespace

isvaultrunning=$(kubectl get pods -n vault --field-selector=status.phase=Running)
while [[ $isvaultrunning != *"vault-0"* ]]; do echo "waiting for Vault0" && sleep 2 && isvaultrunning=$(kubectl get pods -n vault --field-selector=status.phase=Running); done
