Feat(#646): updated centralized vault upgrade script, migrated GCP to k8s 1.25

Author: commjoen

gcp/README.md

@@ -49,7 +49,7 @@ The bucket name should be in the output. Please use that to configure the Terraf
 6. Run `terraform plan`
 7. Run `terraform apply`. Note: the apply will take 10 to 20 minutes depending on the speed of the GCP backplane.
 8. Run `export USE_GKE_GCLOUD_AUTH_PLUGIN=True`
-9When creation is done, run `gcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION`. Note if it errors on a missing plugin to support `kubectl`, then run `gcloud components install gke-gcloud-auth-plugin` and `gcloud container clusters get-credentials wrongsecrets-exercise-cluster` .
+9. When creation is done, run `gcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION`. Note if it errors on a missing plugin to support `kubectl`, then run `gcloud components install gke-gcloud-auth-plugin` and `gcloud container clusters get-credentials wrongsecrets-exercise-cluster` .
 10. Run `./k8s-vault-gcp-start.sh`
 
 ### GKE ingres for shared deployment

gcp/k8s-vault-gcp-start.sh

@@ -13,6 +13,9 @@ echo "This script is based on the steps defined in https://learn.hashicorp.com/t
 export GCP_PROJECT=$(gcloud config list --format 'value(core.project)' 2>/dev/null)
 #export USE_GKE_GCLOUD_AUTH_PLUGIN=True
 
+echo "Setting up workspace PSA to restricted for default"
+kubectl apply -f ../k8s/workspace-psa.yml
+
 kubectl get configmaps | grep 'secrets-file' &>/dev/null
 if [ $? == 0 ]; then
   echo "secrets config is already installed"

gcp/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -65,6 +65,11 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
             runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           resources:
             requests:
               memory: '512Mi'
@@ -93,8 +98,8 @@ spec:
                 secretKeyRef:
                   name: funnystuff
                   key: funnier
-            - name: VAULT_ADDR
-              value: "http://vault:8200"
+            - name: SPRING_CLOUD_VAULT_URI
+              value: "http://vault.vault.svc.cluster.local:8200"
             - name: JWT_PATH
               value: "/var/run/secrets/kubernetes.io/serviceaccount/token"
           volumeMounts:

scripts/install-vault.sh

@@ -4,10 +4,17 @@ if [ $? == 0 ]; then
 else
   helm repo add hashicorp https://helm.releases.hashicorp.com
   helm repo update hashicorp
+fi
+
+kubectl get ns | grep 'vault' $>/dev/null
+if [ $? == 0 ]; then
+  echo "Vault ns is already there"
+else
   kubectl create ns vault
   helm upgrade --install vault hashicorp/vault --version 0.23.0 --namespace vault --values ../k8s/helm-vault-values.yml
 fi
 
+
 isvaultrunning=$(kubectl get pods -n vault --field-selector=status.phase=Running)
 while [[ $isvaultrunning != *"vault-0"* ]]; do echo "waiting for Vault0" && sleep 2 && isvaultrunning=$(kubectl get pods -n vault --field-selector=status.phase=Running); done
 while [[ $isvaultrunning != *"vault-1"* ]]; do echo "waiting for Vault1" && sleep 2 && isvaultrunning=$(kubectl get pods -n vault --field-selector=status.phase=Running); done
@@ -25,7 +32,7 @@ echo "PLEASE COPY PASTE THE FOLLOWING VALUE: $VAULT_UNSEAL_KEY, you will be aske
 
 kubectl exec -it vault-0 -n vault  -- vault operator unseal $VAULT_UNSEAL_KEY
 kubectl exec -it vault-1 -n vault  -- vault operator unseal $VAULT_UNSEAL_KEY
-kubectl exec -it vault-2 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
+kubectl exec -it vault-2 -n vault  -- vault operator unseal $VAULT_UNSEAL_KEY
 
 echo "Obtaining root token"
 jq .root_token cluster-keys.json >commentedroottoken
@@ -70,3 +77,5 @@ kubectl exec vault-0 -n vault -- vault write auth/kubernetes/role/secret-challen
   ttl=24h &&
   vault kv put secret/secret-challenge vaultpassword.password="$(openssl rand -base64 16)" &&
   vault kv put secret/application vaultpassword.password="$(openssl rand -base64 16)"
+
+kubectl create serviceaccount vault