forked from OWASP/wrongsecrets
-
Notifications
You must be signed in to change notification settings - Fork 0
/
secret-challenge-vault-deployment.yml
141 lines (141 loc) · 4.62 KB
/
secret-challenge-vault-deployment.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: secret-challenge
name: secret-challenge
namespace: default
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: secret-challenge
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/tls-skip-verify: "true"
vault.hashicorp.com/namespace: "default"
vault.hashicorp.com/log-level: debug
vault.hashicorp.com/agent-inject-secret-challenge46: "secret/data/injected"
vault.hashicorp.com/agent-inject-template-challenge46: |
{{ with secret "/secret/data/injected" }}
{{ range $k, $v := .Data.data }}
{{ printf "echo %s=%s" $k $v }}
{{ end }}
{{ end }}
vault.hashicorp.com/agent-inject-secret-challenge47: "secret/data/codified"
vault.hashicorp.com/agent-inject-template-challenge47: |
{{ with secret "secret/data/codified" }}
export challenge47secret="isthiswhatweneed?"
{{ end }}
vault.hashicorp.com/role: "secret-challenge"
labels:
app: secret-challenge
name: secret-challenge
spec:
securityContext:
runAsUser: 2000
runAsGroup: 2000
fsGroup: 2000
seccompProfile:
type: RuntimeDefault
serviceAccountName: vault
volumes:
- name: "ephemeral"
emptyDir: {}
- name: secrets-store-inline
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "wrongsecrets-aws-secretsmanager"
containers:
- image: jeroenwillemsen/wrongsecrets:1.9.1-k8s-vault
imagePullPolicy: IfNotPresent
name: secret-challenge
command: [ "/bin/sh" ]
args: [ "-c", "source /vault/secrets/challenge46 && source /vault/secrets/challenge47 && java -jar -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true -D /application.jar" ]
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
ports:
- containerPort: 8080
protocol: TCP
readinessProbe:
httpGet:
path: "/actuator/health/readiness"
port: 8080
initialDelaySeconds: 30
timeoutSeconds: 5
periodSeconds: 5
failureThreshold: 8
livenessProbe:
httpGet:
path: "/actuator/health/liveness"
port: 8080
initialDelaySeconds: 35
timeoutSeconds: 30
periodSeconds: 40
failureThreshold: 5
resources:
requests:
memory: "512Mi"
cpu: "200m"
ephemeral-storage: "1Gi"
limits:
memory: "512Mi"
cpu: "1200m"
ephemeral-storage: "2Gi"
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
env:
- name: K8S_ENV
value: aws
- name: SPECIAL_K8S_SECRET
valueFrom:
configMapKeyRef:
name: secrets-file
key: funny.entry
- name: SPECIAL_SPECIAL_K8S_SECRET
valueFrom:
secretKeyRef:
name: funnystuff
key: funnier
- name: CHALLENGE33
valueFrom:
secretKeyRef:
name: challenge33
key: answer
- name: SEALED_SECRET_ANSWER
valueFrom:
secretKeyRef:
name: challenge48secret
key: secret
- name: SPRING_CLOUD_VAULT_URI
value: "http://vault.vault.svc.cluster.local:8200"
- name: JWT_PATH
value: "/var/run/secrets/kubernetes.io/serviceaccount/token"
volumeMounts:
- name: secrets-store-inline
mountPath: "/mnt/secrets-store"
readOnly: true
- name: "ephemeral"
mountPath: "/tmp"
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
terminationGracePeriodSeconds: 30