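# Install minikube (no virtualbox installed)
brew install minikube
# Start a k8s cluster
minikube start
# Verify the k8s cluster
kubectx # list current context, not important...
kubectl get all --all-namespaces
# Deploy a sample app and check how it goes...
kubectl create deployment --image nginx nginx
# Forward the port from local to k8s.
# Select the pod by the deployment's own label (app=nginx) and take the first match, so the
# port-forward hits the nginx pod even if other pods exist in the namespace. Quoted so an
# empty lookup result fails loudly instead of silently shifting the port argument.
# https://kubernetes.io/docs/reference/kubectl/cheatsheet/#viewing-finding-resources -> How to play with output from kubectl
nginx_pod=$(kubectl get pods -l app=nginx -o jsonpath='{.items[0].metadata.name}')
kubectl port-forward "$nginx_pod" 8080:80
# Clone the git repo...
# NOTE(review): the remote address below is obscured in this copy — substitute the real one.
git clone [email protected]:riveryc/aus-devops-group.git
# Create role for our app. The configuration below maps our Kubernetes service account, used by our pod, to a policy.
# The role is bound to a single service account in a single namespace, so only pods running as
# basic-secret in vault-example can log in with it; ttl=1h bounds how long a login token stays valid.
vault write auth/kubernetes/role/basic-secret-role \
  bound_service_account_names=basic-secret \
  bound_service_account_namespaces=vault-example \
  policies=basic-secret-policy \
  ttl=1h
# Create the policy to map our service account to a bunch of secrets.
# Read-only on secret/basic-secret/* — the workload needs nothing more than that.
# Quoted heredoc delimiter: the policy body is written literally, no shell expansion.
# (presumably run where /home/vault exists, e.g. inside the vault container — confirm)
cat <<'EOF' > /home/vault/app-policy.hcl
path "secret/basic-secret/*" {
  capabilities = ["read"]
}
EOF
vault policy write basic-secret-policy /home/vault/app-policy.hcl
# Create a kv secret, and make its ttl as 1m
vault secrets enable -path=secret/ kv
# Prompt for the password and feed it to vault on stdin (password=-) instead of putting it on
# the command line, so it does not land in shell history or the process list.
# ttl=1m is stored as an ordinary field of the secret; whether the agent honours it as a
# refresh interval depends on the agent template config — verify there.
read -r -s -p 'dbuser password: ' db_password
printf '\n'
printf '%s' "$db_password" | vault kv put secret/basic-secret/helloworld ttl=1m username=dbuser password=-
unset db_password
#----------------------------------------------------------------------------------------------------
## Create a workload pod to use this secret
# (presumably run from the root of the cloned repo, where example-apps/ lives — confirm)
kubectl -n vault-example apply -f example-apps/basic-secret/deployment.yaml
## Monitor the vault-agent container
# Look the pod up once and reuse the name; re-run the lookup if the pod gets recreated.
app_pod=$(kubectl -n vault-example get po -l "app=basic-secret" -o jsonpath="{.items[0].metadata.name}")
kubectl -n vault-example logs -f "$app_pod" --container vault-agent
# Check the secret inside of the pod
kubectl -n vault-example exec -it "$app_pod" --container app -- cat /vault/secrets/helloworld
# Change the secret value from UI, check the log of vault-agent, then refresh the secret file from pod again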