adding day 39 - secrets management

2024-12-22 21:23:13 +07:00 · 2023-07-19 23:38:25 +01:00 · 2023-07-19 23:38:25 +01:00 · 61f8de6fab
commit 61f8de6fab
parent 80f91f9983
2 changed files with 34 additions and 5 deletions
--- a/2023/day39.md
+++ b/2023/day39.md
@ -179,7 +179,7 @@ With the following command we will create a kubernetes authentication role
 ```
 vault write auth/kubernetes/role/webapp \
        bound_service_account_names=vault \
-        bound_service_account_namespaces=default \
+        bound_service_account_namespaces=webapp \
        policies=webapp \
        ttl=24h
 ```
@ -194,6 +194,12 @@ We will create a deployment yaml that looks like the following.

 ```
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+EOF
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -217,7 +223,7 @@ spec:
          imagePullPolicy: Always
          env:
            - name: VAULT_ADDR
-              value: 'http://vault.vault:8200'
+              value: 'http://vault.vault.svc.cluster.local:8200/'
            - name: JWT_PATH
              value: '/var/run/secrets/kubernetes.io/serviceaccount/token'
            - name: SERVICE_PORT
@ -226,4 +232,20 @@ spec:

 Create the webapp namespace 

-`kubectl create ns webapp`
+`kubectl create ns webapp`
+
+Our YAML consists of our simple web app and the service account. 
+
+`kubectl create -f deployment-01-webapp.yml -n webapp`
+
+I also want to note that the helm chart for vault will deploy 
+
+You can check that the authentication has worked by checking pods in the webapp namespace, if they are not in a running state or not there at all then something is not right as this is communicating with vault to make sure that this service is running. 
+
+Once the pod is running, we need to port forward our webapp 
+Find the pod name and then port forward that. 
+```
+kubectl get pods -n webapp 
+kubectl port-forward <PODNAME> -n webapp 8080:8080
+```
+
--- a/2023/day39/deployment-01-webapp.yml
+++ b/2023/day39/deployment-01-webapp.yml
@ -1,8 +1,15 @@
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+  namespace: webapp
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: webapp
+  namespace: webapp
  labels:
    app: webapp
 spec:
@ -22,8 +29,8 @@ spec:
          imagePullPolicy: Always
          env:
            - name: VAULT_ADDR
-              value: 'http://127.0.0.1:8200'
+              value: 'http://vault.vault.svc.cluster.local:8200/'
            - name: JWT_PATH
              value: '/var/run/secrets/kubernetes.io/serviceaccount/token'
            - name: SERVICE_PORT
-              value: '8080'
+              value: '8080'