From b3f4ec2a7ff168a244dc719f09c7230f0801f89e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Volkan=20=C3=96z=C3=A7elik?= Date: Fri, 21 Apr 2023 22:16:13 -0700 Subject: [PATCH] preparation for a demo + some important bugfixes (#279) * demo prep * outline * intermediate * fixed a bug * fix * recent fixes * fixes * recent changes * minor * minor * added comments * fixes --- SECURITY.md | 4 +- app/safe/internal/bootstrap/bootstrap.go | 59 +++++++------ app/safe/internal/server/server.go | 4 - .../internal/state/secret-queue-delete.go | 15 ++-- app/safe/internal/state/state.go | 4 - core/entity/data/v1/v1.go | 43 +++++----- core/template/template.go | 14 +++- examples/aegis-workshop/README.md | 12 +++ examples/aegis-workshop/delete-secret.sh | 17 ++++ examples/aegis-workshop/delete-workload.sh | 13 +++ examples/aegis-workshop/encrypt-secret.sh | 15 ++++ examples/aegis-workshop/env.sh | 26 ++++++ examples/aegis-workshop/ids/Inspector.yaml | 26 ++++++ examples/aegis-workshop/ids/Workload.yaml | 26 ++++++ .../aegis-workshop/inspector/Deployment.yaml | 59 +++++++++++++ .../inspector/ServiceAccount.yaml | 14 ++++ .../inspector/image-override.yaml | 22 +++++ .../inspector/kustomization.yaml | 16 ++++ .../install-clusterspiffeids.sh | 12 +++ examples/aegis-workshop/install-inspector.sh | 13 +++ .../install-workload-using-init-container.sh | 18 ++++ .../install-workload-using-sdk.sh | 17 ++++ .../install-workload-using-sidecar.sh | 17 ++++ .../interpolate-to-kubernetes-secrets.sh | 0 .../register-encrypted-secret.sh | 20 +++++ .../aegis-workshop/register-k8s-secret.sh | 18 ++++ .../register-multiple-secrets.sh | 23 +++++ .../aegis-workshop/register-plain-secret.sh | 16 ++++ .../aegis-workshop/register-secret-json.sh | 18 ++++ .../aegis-workshop/register-secret-yaml.sh | 18 ++++ .../register-transformed-secret.sh | 17 ++++ examples/aegis-workshop/safe-logs.sh | 13 +++ examples/aegis-workshop/secrets.sh | 13 +++ examples/aegis-workshop/toc.md | 16 ++++ .../workload-init-container/Deployment.yaml | 84 +++++++++++++++++++ 
.../workload-init-container/Identity.yaml | 26 ++++++ .../workload-init-container/Secret.yaml | 21 +++++ .../ServiceAccount.yaml | 14 ++++ .../image-override.yaml | 22 +++++ .../kustomization.yaml | 16 ++++ examples/aegis-workshop/workload-logs.sh | 13 +++ .../workload-sdk/Deployment.yaml | 59 +++++++++++++ .../aegis-workshop/workload-sdk/Identity.yaml | 26 ++++++ .../workload-sdk/ServiceAccount.yaml | 14 ++++ .../workload-sdk/image-override.yaml | 19 +++++ .../workload-sdk/kustomization.yaml | 16 ++++ .../workload-sidecar/Deployment.yaml | 83 ++++++++++++++++++ .../workload-sidecar/Identity.yaml | 26 ++++++ .../workload-sidecar/ServiceAccount.yaml | 14 ++++ .../workload-sidecar/image-override.yaml | 21 +++++ .../workload-sidecar/kustomization.yaml | 16 ++++ .../k8s/Identity.yaml | 4 +- .../k8s/Identity.yaml | 4 +- examples/workload-using-sdk/k8s/Identity.yaml | 4 +- .../workload-using-sidecar/k8s/Identity.yaml | 4 +- 55 files changed, 1073 insertions(+), 71 deletions(-) create mode 100755 examples/aegis-workshop/README.md create mode 100755 examples/aegis-workshop/delete-secret.sh create mode 100755 examples/aegis-workshop/delete-workload.sh create mode 100755 examples/aegis-workshop/encrypt-secret.sh create mode 100755 examples/aegis-workshop/env.sh create mode 100644 examples/aegis-workshop/ids/Inspector.yaml create mode 100644 examples/aegis-workshop/ids/Workload.yaml create mode 100644 examples/aegis-workshop/inspector/Deployment.yaml create mode 100644 examples/aegis-workshop/inspector/ServiceAccount.yaml create mode 100644 examples/aegis-workshop/inspector/image-override.yaml create mode 100644 examples/aegis-workshop/inspector/kustomization.yaml create mode 100755 examples/aegis-workshop/install-clusterspiffeids.sh create mode 100755 examples/aegis-workshop/install-inspector.sh create mode 100755 examples/aegis-workshop/install-workload-using-init-container.sh create mode 100755 examples/aegis-workshop/install-workload-using-sdk.sh create mode 100755 
examples/aegis-workshop/install-workload-using-sidecar.sh create mode 100755 examples/aegis-workshop/interpolate-to-kubernetes-secrets.sh create mode 100755 examples/aegis-workshop/register-encrypted-secret.sh create mode 100755 examples/aegis-workshop/register-k8s-secret.sh create mode 100755 examples/aegis-workshop/register-multiple-secrets.sh create mode 100755 examples/aegis-workshop/register-plain-secret.sh create mode 100755 examples/aegis-workshop/register-secret-json.sh create mode 100755 examples/aegis-workshop/register-secret-yaml.sh create mode 100755 examples/aegis-workshop/register-transformed-secret.sh create mode 100755 examples/aegis-workshop/safe-logs.sh create mode 100755 examples/aegis-workshop/secrets.sh create mode 100755 examples/aegis-workshop/toc.md create mode 100644 examples/aegis-workshop/workload-init-container/Deployment.yaml create mode 100644 examples/aegis-workshop/workload-init-container/Identity.yaml create mode 100644 examples/aegis-workshop/workload-init-container/Secret.yaml create mode 100644 examples/aegis-workshop/workload-init-container/ServiceAccount.yaml create mode 100644 examples/aegis-workshop/workload-init-container/image-override.yaml create mode 100644 examples/aegis-workshop/workload-init-container/kustomization.yaml create mode 100755 examples/aegis-workshop/workload-logs.sh create mode 100644 examples/aegis-workshop/workload-sdk/Deployment.yaml create mode 100644 examples/aegis-workshop/workload-sdk/Identity.yaml create mode 100644 examples/aegis-workshop/workload-sdk/ServiceAccount.yaml create mode 100644 examples/aegis-workshop/workload-sdk/image-override.yaml create mode 100644 examples/aegis-workshop/workload-sdk/kustomization.yaml create mode 100644 examples/aegis-workshop/workload-sidecar/Deployment.yaml create mode 100644 examples/aegis-workshop/workload-sidecar/Identity.yaml create mode 100644 examples/aegis-workshop/workload-sidecar/ServiceAccount.yaml create mode 100644 
examples/aegis-workshop/workload-sidecar/image-override.yaml create mode 100644 examples/aegis-workshop/workload-sidecar/kustomization.yaml diff --git a/SECURITY.md b/SECURITY.md index 18a82b6..bd40160 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -9,7 +9,7 @@ Note that **Aegis** consists of more than a single project, and during a release cut, all projects are signed and tagged with the same version. -Afer **Aegis** hits a major 1.0.0. version, this will change +After **Aegis** hits a major 1.0.0. version, this will change, and we will also have a support plan various major versions. ## Reporting a Vulnerability @@ -19,6 +19,6 @@ Send your vulnerability reports to [security@aegis.ist](mailto:security@aegis.is We don’t have an official turnover time, but if nobody gets back to you within a week please send another email. -We take all vulnerability reports seriously and you will be notified +We take all vulnerability reports seriously, and you will be notified if your report is accepted or declined, and what further actions we are going to take on it. diff --git a/app/safe/internal/bootstrap/bootstrap.go b/app/safe/internal/bootstrap/bootstrap.go index c24885a..6f24b53 100644 --- a/app/safe/internal/bootstrap/bootstrap.go +++ b/app/safe/internal/bootstrap/bootstrap.go 
@@ -46,33 +46,41 @@ func Monitor(
 timedOut <-chan bool,
 ) {
 counter := 3
- select {
- case <-acquiredSvid:
- log.InfoLn(correlationId, "Acquired identity.")
- counter--
+ for {
 if counter == 0 {
- state.Initialize()
- log.DebugLn(correlationId, "Creating readiness probe.")
- go probe.CreateReadiness()
+ break
 }
- case <-updatedSecret:
- log.InfoLn(correlationId, "Updated age key.")
- counter--
- if counter == 0 {
- state.Initialize()
- log.DebugLn(correlationId, "Creating readiness probe.")
- go probe.CreateReadiness()
- }
- case <-serverStarted:
- log.InfoLn(correlationId, "Server ready.")
- counter--
- if counter == 0 {
- state.Initialize()
- log.DebugLn(correlationId, "Creating readiness probe.")
- go probe.CreateReadiness()
+ select {
+ case <-acquiredSvid:
+ log.InfoLn(correlationId, "Acquired identity.")
+ counter--
+ log.InfoLn(correlationId, "remaining:", counter)
+ if counter == 0 {
+ state.Initialize()
+ log.DebugLn(correlationId, "Creating readiness probe.")
+ go probe.CreateReadiness()
+ }
+ case <-updatedSecret:
+ log.InfoLn(correlationId, "Updated age key.")
+ counter--
+ log.InfoLn(correlationId, "remaining:", counter)
+ if counter == 0 {
+ state.Initialize()
+ log.DebugLn(correlationId, "Creating readiness probe.")
+ go probe.CreateReadiness()
+ }
+ case <-serverStarted:
+ log.InfoLn(correlationId, "Server ready.")
+ counter--
+ log.InfoLn(correlationId, "remaining:", counter)
+ if counter == 0 {
+ state.Initialize()
+ log.DebugLn(correlationId, "Creating readiness probe.")
+ go probe.CreateReadiness()
+ }
+ case <-timedOut:
+ log.FatalLn(correlationId, "Failed to acquire an identity in a timely manner.")
 }
- case <-timedOut:
- log.FatalLn(correlationId, "Failed to acquire an identity in a timely manner.")
 }
 }
@@ -111,7 +119,9 @@ func AcquireSource(
 )
 }
+ log.TraceLn(id, "Sending: Acquired SVID", len(acquiredSvid))
 acquiredSvid <- true
+ log.TraceLn(id, "Sent: Acquired SVID", len(acquiredSvid))
 return source
 }
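Review bot: The readiness gate in the new `for`/`select` counts any three receives, so two signals on the same channel (for instance `updatedSecret`, which this patch now also sends from the reuse branch of `CreateCryptoKey`) would open the readiness probe before all three milestones have actually happened, and the three cases repeat the same `state.Initialize()`/`probe.CreateReadiness()` body. Tracking each milestone as its own flag and running the initialisation once after the loop makes the gate independent of signal order and of duplicate sends. Whether the other `CreateCryptoKey` path also sends on `updatedSecret` is not visible in this hunk, so the double-send is a possibility rather than an observed bug. `Monitor`'s signature starts outside the hunk.
```go
	svidReady, keyReady, serverReady := false, false, false
	for !(svidReady && keyReady && serverReady) {
		select {
		case <-acquiredSvid:
			log.InfoLn(correlationId, "Acquired identity.")
			svidReady = true
		case <-updatedSecret:
			log.InfoLn(correlationId, "Updated age key.")
			keyReady = true
		case <-serverStarted:
			log.InfoLn(correlationId, "Server ready.")
			serverReady = true
		case <-timedOut:
			log.FatalLn(correlationId, "Failed to acquire an identity in a timely manner.")
		}
	}
	// Only once every milestone has been seen: initialise state, then advertise readiness.
	state.Initialize()
	log.DebugLn(correlationId, "Creating readiness probe.")
	go probe.CreateReadiness()
```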
@@ -142,6 +152,7 @@ func CreateCryptoKey(id *string, updatedSecret chan<- bool) {
 if secret != state.BlankAgeKeyValue {
 log.InfoLn(id, "Secret has been set in the cluster, will reuse it")
 state.SetAgeKey(secret)
+ updatedSecret <- true
 return
 }
diff --git a/app/safe/internal/server/server.go b/app/safe/internal/server/server.go
index fc92608..2748bb7 100644
--- a/app/safe/internal/server/server.go
+++ b/app/safe/internal/server/server.go
@@ -12,7 +12,6 @@ import (
 "github.com/pkg/errors"
 "github.com/shieldworks/aegis/app/safe/internal/server/handle"
 "github.com/shieldworks/aegis/core/env"
- "github.com/shieldworks/aegis/core/probe"
 "github.com/shieldworks/aegis/core/validation"
 "github.com/spiffe/go-spiffe/v2/spiffeid"
 "github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
@@ -45,9 +44,6 @@ func Serve(source *workloadapi.X509Source, serverStarted chan<- bool) error {
 serverStarted <- true
- // Since server has started, we can enable the readiness probe.
- go probe.CreateReadiness()
-
 if err := server.ListenAndServeTLS("", ""); err != nil {
 return errors.Wrap(err, "serve: failed to listen and serve")
 }
diff --git a/app/safe/internal/state/secret-queue-delete.go b/app/safe/internal/state/secret-queue-delete.go
index edac0d3..127be89 100644
--- a/app/safe/internal/state/secret-queue-delete.go
+++ b/app/safe/internal/state/secret-queue-delete.go
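Review bot: The new `updatedSecret <- true` in the reuse branch blocks forever if nobody is receiving: `Monitor` stops selecting once its counter reaches zero (or after `timedOut` has fired), so a send that lands after that point wedges `CreateCryptoKey` unless the channel is buffered, and the channel's capacity is not visible here (the `len(acquiredSvid)` trace logs elsewhere in this patch suggest at least that channel is buffered). Either guarantee a buffer of one on `updatedSecret` at the call site, or make the send non-blocking: `select { case updatedSecret <- true: default: log.WarnLn(id, "updatedSecret: no receiver, readiness may never open") }`. `CreateCryptoKey`'s body begins and ends outside the hunk.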
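Review bot: `serverStarted <- true` is sent before `ListenAndServeTLS` has bound the listener, and now that this hunk moves readiness into `Monitor` that signal is one of the three conditions for the pod becoming ready, so a bind or TLS setup failure can still leave the pod marked ready while `Serve` returns an error. Create the listener first with `net.Listen("tcp", server.Addr)`, send on `serverStarted` only after that succeeds, then hand the listener to `server.ServeTLS(ln, "", "")`. The `serverStarted` send is a context line, so this is pre-existing behaviour that the readiness change makes more consequential. `Serve`'s body continues outside the hunk.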
@@ -48,17 +48,22 @@ func processSecretDeleteQueue() { // Get a secret to be removed from the disk. secret := <-secretDeleteQueue - cid := secret.Meta.CorrelationId + if secret.Name == "" { + log.WarnLn(&id, "processSecretDeleteQueue: trying to delete an empty secret. "+ + "Possibly picked a nil secret", len(secretQueue)) + return + } - log.TraceLn(&cid, "processSecretDeleteQueue: picked a secret", len(secretQueue)) + log.TraceLn(&id, "processSecretDeleteQueue: picked a secret", len(secretQueue)) // Remove secret from disk. dataPath := path.Join(env.SafeDataPath(), secret.Name+".age") + log.TraceLn(&id, "processSecretDeleteQueue: removing secret from disk:", dataPath) err := os.Remove(dataPath) - if !os.IsNotExist(err) { - log.WarnLn(&cid, "processSecretDeleteQueue: failed to remove secret", err.Error()) + if err != nil && !os.IsNotExist(err) { + log.WarnLn(&id, "processSecretDeleteQueue: failed to remove secret", err.Error()) } - log.TraceLn(&cid, "processSecretDeleteQueue: should have persisted the secret.") + log.TraceLn(&id, "processSecretDeleteQueue: should have deleted the secret.") } } diff --git a/app/safe/internal/state/state.go b/app/safe/internal/state/state.go index bc2780f..c81c6a2 100644 --- a/app/safe/internal/state/state.go +++ b/app/safe/internal/state/state.go @@ -225,10 +225,6 @@ func DeleteSecret(secret entity.SecretStored) { s, exists := secrets.Load(secret.Name) if !exists { log.WarnLn(&cid, "DeleteSecret: Secret does not exist. Cannot delete.", secret.Name) - - ss := s.(entity.SecretStored) - secret.Created = ss.Created - return } diff --git a/core/entity/data/v1/v1.go b/core/entity/data/v1/v1.go index 8f4d27a..4e3e19d 100644 --- a/core/entity/data/v1/v1.go +++ b/core/entity/data/v1/v1.go 
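Review bot: The `return` added for an empty `secret.Name` does not skip the item, it leaves `processSecretDeleteQueue` entirely: the trailing braces indicate this sits inside the consumer loop, so after a single empty entry no further secrets are ever removed from disk and deleted secrets persist as `.age` files until restart; `continue` is the intended statement. Separately, `secret.Name` flows straight into `path.Join(env.SafeDataPath(), secret.Name+".age")`, so unless the name is validated upstream a name containing a path separator or `..` selects a file outside the data directory; widening the new guard to `if secret.Name == "" || strings.ContainsAny(secret.Name, "/\\") || strings.Contains(secret.Name, "..") {` with a `continue` is a cheap defence here. Replacing the per-secret `CorrelationId` with the shared `id` also loses the ability to tie a deletion back to the request that triggered it. The loop header is outside the hunk.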
@@ -218,8 +218,11 @@ func transform(secret SecretStored, value string) (string, error) {
 switch secret.Meta.Format {
 case None:
+ // Return the parsed string as is, without any further validation.
 return parsedString, nil
 case Json:
+ // If the parsed string is a valid JSON, return it as is.
+ // Otherwise, assume the parsing failed and return the original JSON string.
 if tpl.ValidJSON(parsedString) {
 return parsedString, nil
 } else {
@@ -233,37 +236,37 @@ func transform(secret SecretStored, value string) (string, error) {
 }
 return yml, nil
 } else {
- yml, err := tpl.JsonToYaml(jsonData)
- if err != nil {
- return jsonData, err
- }
- return yml, nil
+ // Parsed string is not a valid JSON, so return it as is.
+ // It can be either a valid YAML already, or some random string.
+ // There is not much can be done at this point other than returning it.
+ return parsedString, nil
 }
 default:
- return "", fmt.Errorf("unknown format: %s", secret.Meta.Format)
+ // The program flow shall never enter here.
+ return parsedString, fmt.Errorf("unknown format: %s", secret.Meta.Format)
 }
 }
 // Parse takes a data.SecretStored type as input and returns the parsed
 // string or an error.
 //
-// If the Meta.Template field is empty, it tries to parse the first secret.Values;
-// otherwise it transforms secret.Values[0] using the Go template transformation
-// defined by Meta.Template.
-//
-// If the Meta.Format field is None, it returns the parsed string.
-//
-// If the Meta.Format field is Json, it returns the parsed string if it’s a
-// valid JSON or the original string otherwise.
+// It parses all the `.Values` of the secret, and for each value tries to apply
+// a template transformation.
 //
-// If the Meta.Format field is Yaml, it tries its best to transform the data
-// into Yaml. If it fails, it tries to return a valid JSON at least. If that
-// fails too, returns the original secret value.
+// Here is how the template transformation is applied:
 //
-// If the Meta.Format field is not recognized, it returns an empty string.
+// 1. Compute parsedString:
+// If the Meta.Template field is empty, then parsedString is the original value.
+// Otherwise, parsedString is the result of applying the template transformation
+// to the original value.
 //
-// If there is more than one value in the Values collection then the transformation
-// is applied to each value and the result is returned as a JSON array.
+// 2. Compute the output string:
+// - If the Meta.Format field is None, then the output string is parsedString.
+// - If the Meta.Format field is Json, then the output string is parsedString
+// if parsedString is a valid JSON, otherwise it’s the original value.
+// - If the Meta.Format field is Yaml, then the output string is the result of
+// transforming parsedString into Yaml if parsedString is a valid JSON,
+// otherwise it’s parsedString.
 func (secret SecretStored) Parse() (string, error) {
 if len(secret.Values) == 0 {
 return "", fmt.Errorf("no values found for secret %s", secret.Name)
diff --git a/core/template/template.go b/core/template/template.go
index 04fb543..20dff00 100644
--- a/core/template/template.go
+++ b/core/template/template.go
@@ -60,16 +60,22 @@ func JsonToYaml(js string) (string, error) {
 //
 // On successful execution, the function returns the resulting string from the
 // executed template.
-func TryParse(tmpStr, json string) string {
+func TryParse(tmpStr, jason string) string {
 tmpl, err := template.New("secret").Parse(tmpStr)
 if err != nil {
- return json
+ return jason
+ }
+
+ var result map[string]any
+ err = json.Unmarshal([]byte(jason), &result)
+ if err != nil {
+ return jason
 }
 var tpl bytes.Buffer
- err = tmpl.Execute(&tpl, json)
+ err = tmpl.Execute(&tpl, result)
 if err != nil {
- return json
+ return jason
 }
 return tpl.String()
diff --git a/examples/aegis-workshop/README.md b/examples/aegis-workshop/README.md
new file mode 100755
index 0000000..5c88d27
--- /dev/null
+++ b/examples/aegis-workshop/README.md
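Review bot: The new Yaml `else` branch and the rewritten `default` branch of `transform` hand back `parsedString` whenever the requested format cannot be produced, and the replacement `Parse` doc comment now describes that as the contract; a workload that asked for JSON or YAML output therefore receives an unexpected shape, possibly the untransformed secret with fields the template was meant to strip, and on the Json/Yaml paths it gets `nil` error with it. Consider returning a non-nil error from those fallbacks too, or at least say so in the `Parse` comment, e.g. `// Note: a template or format failure is not reported as an error; the caller receives the best-effort string.` The `default` case now returns a usable value alongside its error, so a caller that reads the value without checking `err` sees the fallback silently. `transform` starts outside the hunk.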
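Review bot: The `text/template` built in `TryParse` keeps the default `missingkey` behaviour, so a template key that is absent from the unmarshalled secret renders as `<no value>` and the broken string is returned as if the transformation had succeeded, while every real failure (`Parse`, `Unmarshal`, `Execute`) silently returns the raw secret `jason`, leaving the caller unable to tell a transformed secret from an untransformed one. Set `tmpl, err := template.New("secret").Option("missingkey=error").Parse(tmpStr)` so a misspelled field fails instead of emitting a placeholder, and consider surfacing that failure to the caller rather than falling back to the raw input. The renamed parameter `jason` is a pun on the shadowed package name; `raw` or `jsonStr` would read more clearly.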
@@ -0,0 +1,12 @@ +# Aegis + +![Aegis](../../assets/aegis-icon.png "Aegis") + +## Aegis Workshop + +This workshop is designed to help you get started with Aegis. It will walk you +through the installation of Aegis and its components, and then demonstrate how +to use Aegis to protect your secrets. + +There is a work-in-progress video recording of this workshop. We’ll update this +document with a link to the video once it’s ready. \ No newline at end of file diff --git a/examples/aegis-workshop/delete-secret.sh b/examples/aegis-workshop/delete-secret.sh new file mode 100755 index 0000000..61d50ac --- /dev/null +++ b/examples/aegis-workshop/delete-secret.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +. ./env.sh + +# FIXME: -s argument should not be needed. +kubectl exec "$SENTINEL" -n aegis-system -- aegis \ +-w "aegis-workload-demo" \ +-s "dummy" \ +-d diff --git a/examples/aegis-workshop/delete-workload.sh b/examples/aegis-workshop/delete-workload.sh new file mode 100755 index 0000000..310466d --- /dev/null +++ b/examples/aegis-workshop/delete-workload.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +. ./env.sh + +kubectl delete deployment "$DEPLOYMENT" -n default diff --git a/examples/aegis-workshop/encrypt-secret.sh b/examples/aegis-workshop/encrypt-secret.sh new file mode 100755 index 0000000..0a35983 --- /dev/null +++ b/examples/aegis-workshop/encrypt-secret.sh 
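Review bot: The delete call in `delete-secret.sh` passes `-w "aegis-workload-demo"` but no `-n "default"`, while every register script in this workshop sets `-n "default"` explicitly; if the sentinel's namespace default is anything else, `-d` addresses a different secret and the one the register scripts created is never removed. Add `-n "default" \` after the `-w` line so the delete targets exactly what was registered. The `-s "dummy"` placeholder is already called out by the FIXME.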
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+#
+# .-'_.---._'-.
+# ||####|(__)|| Protect your secrets, protect your business.
+# \\()|##// Secure your sensitive data with Aegis.
+# \\ |#//
+# .\_/.
+#
+
+. /home/v0lk4n/Desktop/AEGIS/aegis/examples/aegis-workshop/env.sh
+
+kubectl exec "$SENTINEL" -n aegis-system -- aegis \
+-s '{"username": "root", "password": "SuperSecret", "value": "AegisRocks"}' \
+-e
diff --git a/examples/aegis-workshop/env.sh b/examples/aegis-workshop/env.sh
new file mode 100755
index 0000000..3d7b01c
--- /dev/null
+++ b/examples/aegis-workshop/env.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+#
+# .-'_.---._'-.
+# ||####|(__)|| Protect your secrets, protect your business.
+# \\()|##// Secure your sensitive data with Aegis.
+# \\ |#//
+# .\_/.
+#
+
+
+export SECRET="ComputeMe!"
+
+export SENTINEL=$(kubectl get po -n aegis-system \
+ | grep "aegis-sentinel-" | awk '{print $1}')
+
+export SAFE=$(kubectl get po -n aegis-system \
+ | grep "aegis-safe-" | awk '{print $1}')
+
+export WORKLOAD=$(kubectl get po -n default \
+ | grep "aegis-workload-demo-" | awk '{print $1}')
+
+export INSPECTOR=$(kubectl get po -n default \
+ | grep "aegis-inspector-" | awk '{print $1}')
+
+export DEPLOYMENT="aegis-workload-demo"
\ No newline at end of file
diff --git a/examples/aegis-workshop/ids/Inspector.yaml b/examples/aegis-workshop/ids/Inspector.yaml
new file mode 100644
index 0000000..c6f7dd1
--- /dev/null
+++ b/examples/aegis-workshop/ids/Inspector.yaml
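Review bot: `encrypt-secret.sh` sources `/home/v0lk4n/Desktop/AEGIS/aegis/examples/aegis-workshop/env.sh`, a developer-machine absolute path that fails for anyone else and commits a local username to the repo; every sibling script uses `. ./env.sh`, and this one should too. Note also that the plaintext secret is handed to `kubectl exec` as a command-line argument, so it ends up in shell history and is visible to anything that can list processes in the sentinel container; fine for a demo, but worth a one-line comment such as `# Demo only: passing secrets as CLI arguments exposes them to history and process listings.` for people who copy this script.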
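Review bot: `kubectl get po ... | grep "aegis-sentinel-" | awk '{print $1}'` captures every matching pod name, so with a restarting or scaled deployment `$SENTINEL` (and likewise `$SAFE`, `$WORKLOAD`, `$INSPECTOR`) becomes a multi-line value and the later `kubectl exec "$SENTINEL"` fails; the unanchored substring grep would also pick up unrelated pods whose names merely contain the prefix. Select by label and take a single item instead, e.g. `export SENTINEL=$(kubectl get po -n aegis-system -l app.kubernetes.io/name=aegis-sentinel -o jsonpath='{.items[0].metadata.name}')`; the sentinel's actual label is not visible in this patch, so adjust the selector to whatever its Deployment uses.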
@@ -0,0 +1,26 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: aegis-inspector +spec: + # SPIFFE ID `MUST` start with "spiffe://aegis.ist/workload/$workloadName/ns/" + # for `aegis-safe` to recognize the workload and dispatch secrets to it. + spiffeIDTemplate: "spiffe://aegis.ist\ + /workload/aegis-workload-demo\ + /ns/default\ + /sa/aegis-workload-demo\ + /n/{{ .PodMeta.Name }}" + podSelector: + matchLabels: + app.kubernetes.io/name: aegis-inspector + workloadSelectorTemplates: + - "k8s:ns:default" + - "k8s:sa:aegis-inspector" diff --git a/examples/aegis-workshop/ids/Workload.yaml b/examples/aegis-workshop/ids/Workload.yaml new file mode 100644 index 0000000..869a17d --- /dev/null +++ b/examples/aegis-workshop/ids/Workload.yaml @@ -0,0 +1,26 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: aegis-workload-demo +spec: + # SPIFFE ID `MUST` start with "spiffe://aegis.ist/workload/$workloadName/ns/" + # for `aegis-safe` to recognize the workload and dispatch secrets to it. + spiffeIDTemplate: "spiffe://aegis.ist\ + /workload/aegis-workload-demo\ + /ns/{{ .PodMeta.Namespace }}\ + /sa/{{ .PodSpec.ServiceAccountName }}\ + /n/{{ .PodMeta.Name }}" + podSelector: + matchLabels: + app.kubernetes.io/name: aegis-workload-demo + workloadSelectorTemplates: + - "k8s:ns:default" + - "k8s:sa:aegis-workload-demo" diff --git a/examples/aegis-workshop/inspector/Deployment.yaml b/examples/aegis-workshop/inspector/Deployment.yaml new file mode 100644 index 0000000..f4c7fdf --- /dev/null +++ b/examples/aegis-workshop/inspector/Deployment.yaml 
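Review bot: `Inspector.yaml` deliberately issues the inspector pods (selected by `app.kubernetes.io/name: aegis-inspector` and `k8s:sa:aegis-inspector`) a SPIFFE ID that claims `/workload/aegis-workload-demo/ns/default/sa/aegis-workload-demo`, i.e. the demo workload's identity rather than the inspector's own; that is what lets it read the workload's secrets, and it is exactly the registration an attacker with write access to ClusterSPIFFEIDs would create. The existing comment only says the ID must start with the workload prefix, so the intent should be stated explicitly: `# NOTE: the inspector impersonates aegis-workload-demo on purpose so the workshop can inspect that workload's secrets; never register a cross-workload ID like this outside a demo.` Guarding who may create ClusterSPIFFEIDs is the control that keeps this pattern from being abused.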
@@ -0,0 +1,59 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: aegis-inspector + namespace: default + labels: + app.kubernetes.io/name: aegis-inspector +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: aegis-inspector + template: + metadata: + labels: + app.kubernetes.io/name: aegis-inspector + spec: + serviceAccountName: aegis-inspector + containers: + - name: main + image: aegishub/aegis-workload-demo-multiple-secrets:0.15.7 + volumeMounts: + # Volume mount for SPIRE unix domain socket. + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure this workload by providing environment variables. + # + # See https://aegis.ist/docs/configuration for more information + # about these environment variables. + # + # When you don’t explicitly provide env vars here, Aegis Safe will + # assume the default values outlined in the given link above. + # + env: + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/agent.sock" + - name: AEGIS_LOG_LEVEL + value: "7" + - name: AEGIS_WORKLOAD_SVID_PREFIX + value: "spiffe://aegis.ist/workload/" + - name: AEGIS_SAFE_SVID_PREFIX + value: "spiffe://aegis.ist/workload/aegis-safe/ns/aegis-system/sa/aegis-safe/n/" + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true diff --git a/examples/aegis-workshop/inspector/ServiceAccount.yaml b/examples/aegis-workshop/inspector/ServiceAccount.yaml new file mode 100644 index 0000000..1ea5ebd --- /dev/null +++ b/examples/aegis-workshop/inspector/ServiceAccount.yaml 
@@ -0,0 +1,14 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aegis-inspector + namespace: default +automountServiceAccountToken: false diff --git a/examples/aegis-workshop/inspector/image-override.yaml b/examples/aegis-workshop/inspector/image-override.yaml new file mode 100644 index 0000000..23542d6 --- /dev/null +++ b/examples/aegis-workshop/inspector/image-override.yaml @@ -0,0 +1,22 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: aegis-inspector + namespace: default +spec: + template: + spec: + containers: + - name: main + image: localhost:5000/aegis-workload-demo-multiple-secrets:0.15.7 + env: + - name: AEGIS_LOG_LEVEL + value: "0" diff --git a/examples/aegis-workshop/inspector/kustomization.yaml b/examples/aegis-workshop/inspector/kustomization.yaml new file mode 100644 index 0000000..878112d --- /dev/null +++ b/examples/aegis-workshop/inspector/kustomization.yaml @@ -0,0 +1,16 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- Deployment.yaml +patchesStrategicMerge: +- image-override.yaml +generatorOptions: + disableNameSuffixHash: true diff --git a/examples/aegis-workshop/install-clusterspiffeids.sh b/examples/aegis-workshop/install-clusterspiffeids.sh new file mode 100755 index 0000000..d90db87 --- /dev/null +++ b/examples/aegis-workshop/install-clusterspiffeids.sh 
@@ -0,0 +1,12 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +cd ids || exit +kubectl apply -f . diff --git a/examples/aegis-workshop/install-inspector.sh b/examples/aegis-workshop/install-inspector.sh new file mode 100755 index 0000000..7b4a42a --- /dev/null +++ b/examples/aegis-workshop/install-inspector.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +cd inspector || exit +kubectl apply -f ServiceAccount.yaml +kubectl apply -k . diff --git a/examples/aegis-workshop/install-workload-using-init-container.sh b/examples/aegis-workshop/install-workload-using-init-container.sh new file mode 100755 index 0000000..05b0cad --- /dev/null +++ b/examples/aegis-workshop/install-workload-using-init-container.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +. ./env.sh + +cd ./workload-init-container || exit + +kubectl apply -f Identity.yaml +kubectl apply -f ServiceAccount.yaml +kubectl apply -f Secret.yaml +kubectl apply -k . diff --git a/examples/aegis-workshop/install-workload-using-sdk.sh b/examples/aegis-workshop/install-workload-using-sdk.sh new file mode 100755 index 0000000..4f3ce8e --- /dev/null +++ b/examples/aegis-workshop/install-workload-using-sdk.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +. ./env.sh + +cd ./workload-sdk || exit + +kubectl apply -f Identity.yaml +kubectl apply -f ServiceAccount.yaml +kubectl apply -k . 
diff --git a/examples/aegis-workshop/install-workload-using-sidecar.sh b/examples/aegis-workshop/install-workload-using-sidecar.sh new file mode 100755 index 0000000..e094fc6 --- /dev/null +++ b/examples/aegis-workshop/install-workload-using-sidecar.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +. ./env.sh + +cd ./workload-sidecar || exit + +kubectl apply -f Identity.yaml +kubectl apply -f ServiceAccount.yaml +kubectl apply -k . diff --git a/examples/aegis-workshop/interpolate-to-kubernetes-secrets.sh b/examples/aegis-workshop/interpolate-to-kubernetes-secrets.sh new file mode 100755 index 0000000..e69de29 diff --git a/examples/aegis-workshop/register-encrypted-secret.sh b/examples/aegis-workshop/register-encrypted-secret.sh new file mode 100755 index 0000000..9b1f07a --- /dev/null +++ b/examples/aegis-workshop/register-encrypted-secret.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +. ./env.sh + +echo "Secret: '$SECRET'" + +kubectl exec "$SENTINEL" -n aegis-system -- aegis \ +-w "aegis-workload-demo" \ +-n "default" \ +-s "$SECRET" \ +-e \ +-a diff --git a/examples/aegis-workshop/register-k8s-secret.sh b/examples/aegis-workshop/register-k8s-secret.sh new file mode 100755 index 0000000..a66701c --- /dev/null +++ b/examples/aegis-workshop/register-k8s-secret.sh 
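Review bot: `echo "Secret: '$SECRET'"` in `register-encrypted-secret.sh` prints the plaintext secret to the terminal immediately before registering its encrypted form, which undercuts the point of the `-e` flow whenever the session is recorded or screen-shared. Drop the echo, or print something that does not reveal the value, e.g. `echo "Registering a secret of ${#SECRET} characters"`.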
@@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +. ./env.sh + +kubectl exec "$SENTINEL" -n aegis-system -- aegis \ +-w "aegis-workload-demo" \ +-n "default" \ +-s '{"username": "root", "password": "SuperSecret", "value": "AegisRocks"}' \ +-t '{"USERNAME":"{{.username}}", "PASSWORD":"{{.password}}", "VALUE": "{{.value}}"}' \ +-k diff --git a/examples/aegis-workshop/register-multiple-secrets.sh b/examples/aegis-workshop/register-multiple-secrets.sh new file mode 100755 index 0000000..90e0f2e --- /dev/null +++ b/examples/aegis-workshop/register-multiple-secrets.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +source ./env.sh + +kubectl exec "$SENTINEL" -n aegis-system -- aegis \ +-w "aegis-workload-demo" \ +-n "default" \ +-s '{"name": "USERNAME", "value": "admin"}' \ +-a + +kubectl exec "$SENTINEL" -n aegis-system -- aegis \ +-w "aegis-workload-demo" \ +-n "default" \ +-s '{"name": "PASSWORD", "value": "AegisRocks!"}' \ +-a diff --git a/examples/aegis-workshop/register-plain-secret.sh b/examples/aegis-workshop/register-plain-secret.sh new file mode 100755 index 0000000..d24bf74 --- /dev/null +++ b/examples/aegis-workshop/register-plain-secret.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +. ./env.sh + +kubectl exec "$SENTINEL" -n aegis-system -- aegis \ +-w "aegis-workload-demo" \ +-n "default" \ +-s "AegisRocks!" diff --git a/examples/aegis-workshop/register-secret-json.sh b/examples/aegis-workshop/register-secret-json.sh new file mode 100755 index 0000000..933352d --- /dev/null 
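Review bot: The `-k` flag in `register-k8s-secret.sh` materialises the transformed values as a Kubernetes Secret (the init-container Deployment in this patch reads `aegis-secret-aegis-workload-demo` via `secretKeyRef`), at which point the values are stored base64-encoded in the cluster and readable by any principal with `get secrets` in `default`, a weaker guarantee than the SPIFFE-gated delivery the other register scripts demonstrate. A comment above the command, `# -k also writes the secret as a plain Kubernetes Secret; RBAC on secrets in this namespace now governs who can read it.`, would keep attendees from carrying this variant into production unknowingly.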
+++ b/examples/aegis-workshop/register-secret-json.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +. ./env.sh + +kubectl exec "$SENTINEL" -n aegis-system -- aegis \ +-w "aegis-workload-demo" \ +-n "default" \ +-f "json" \ +-s '{"username": "root", "password": "SuperSecret", "value": "AegisRocks"}' \ +-t '{"USERNAME":"{{.username}}", "PASSWORD":"{{.password}}", "VALUE": "{{.value}}"}' diff --git a/examples/aegis-workshop/register-secret-yaml.sh b/examples/aegis-workshop/register-secret-yaml.sh new file mode 100755 index 0000000..40ce063 --- /dev/null +++ b/examples/aegis-workshop/register-secret-yaml.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +. ./env.sh + +kubectl exec "$SENTINEL" -n aegis-system -- aegis \ +-w "aegis-workload-demo" \ +-n "default" \ +-f "yaml" \ +-s '{"username": "root", "password": "SuperSecret", "value": "AegisRocks"}' \ +-t '{"USERNAME":"{{.username}}", "PASSWORD":"{{.password}}", "VALUE": "{{.value}}"}' diff --git a/examples/aegis-workshop/register-transformed-secret.sh b/examples/aegis-workshop/register-transformed-secret.sh new file mode 100755 index 0000000..dbf0540 --- /dev/null +++ b/examples/aegis-workshop/register-transformed-secret.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +. ./env.sh + +kubectl exec "$SENTINEL" -n aegis-system -- aegis \ +-w "aegis-workload-demo" \ +-n "default" \ +-s '{"username": "root", "password": "SuperSecret", "value": "AegisRocks"}' \ +-t '{"USERNAME":"{{.username}}", "PASSWORD":"{{.password}}", "VALUE": "{{.value}}"}' 
diff --git a/examples/aegis-workshop/safe-logs.sh b/examples/aegis-workshop/safe-logs.sh new file mode 100755 index 0000000..d2a4fff --- /dev/null +++ b/examples/aegis-workshop/safe-logs.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +. ./env.sh + +kubectl logs "$SAFE" -n aegis-system -f diff --git a/examples/aegis-workshop/secrets.sh b/examples/aegis-workshop/secrets.sh new file mode 100755 index 0000000..fdd9bb5 --- /dev/null +++ b/examples/aegis-workshop/secrets.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +source ./env.sh + +kubectl exec "$INSPECTOR" -n default -- ./env diff --git a/examples/aegis-workshop/toc.md b/examples/aegis-workshop/toc.md new file mode 100755 index 0000000..244812a --- /dev/null +++ b/examples/aegis-workshop/toc.md @@ -0,0 +1,16 @@ +## Agenda + +* A Brief Overview of SPIRE and Aegis +* Overview the Installed SPIRE Components +* Overview the Installed Aegis Components +* What are ClusterSPIFFEIDs +* Examine the Current ClusterSPIFFEIDs +* Install ClusterSPIFFEIDs We’ll Need +* Examine Inspector’s ClusterSPIFFEID +* View Inspector’s Source Code +* Install Inspector +* Examine Inspector’s ClusterSPIFFEID +* Use Case: Workload Using Sidecar +* Use Case: Workload Using SDK +* Use Case: Workload Using Init Container +* Use Case: Transforming Secrets diff --git a/examples/aegis-workshop/workload-init-container/Deployment.yaml b/examples/aegis-workshop/workload-init-container/Deployment.yaml new file mode 100644 index 0000000..d69bf61 --- /dev/null +++ b/examples/aegis-workshop/workload-init-container/Deployment.yaml 
@@ -0,0 +1,84 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: aegis-workload-demo + namespace: default + labels: + app.kubernetes.io/name: aegis-workload-demo +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: aegis-workload-demo + template: + metadata: + labels: + app.kubernetes.io/name: aegis-workload-demo + spec: + serviceAccountName: aegis-workload-demo + containers: + - name: main + image: aegishub/aegis-workload-demo-using-init-container:0.15.7 + env: + - name: SECRET + valueFrom: + secretKeyRef: + name: aegis-secret-aegis-workload-demo + key: VALUE + - name: USERNAME + valueFrom: + secretKeyRef: + name: aegis-secret-aegis-workload-demo + key: USERNAME + - name: PASSWORD + valueFrom: + secretKeyRef: + name: aegis-secret-aegis-workload-demo + key: PASSWORD + + initContainers: + # See `./register.sh` to register the workload and finalize + # this init container. + - name: init-container + image: aegishub/aegis-init-container:0.15.7 + volumeMounts: + # Volume mount for SPIRE unix domain socket. + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure Aegis Init Container by providing environment + # variables. + # + # See https://aegis.ist/docs/configuration for more information + # about these environment variables. + # + # When you don’t explicitly provide env vars here, Aegis Init Container + # will assume the default values outlined in the given link above. 
+ # + env: + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/agent.sock" + - name: AEGIS_LOG_LEVEL + value: "7" + - name: AEGIS_WORKLOAD_SVID_PREFIX + value: "spiffe://aegis.ist/workload/" + - name: AEGIS_SAFE_SVID_PREFIX + value: "spiffe://aegis.ist/workload/aegis-safe/ns/aegis-system/sa/aegis-safe/n/" + - name: AEGIS_INIT_CONTAINER_POLL_INTERVAL + value: "5000" + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true diff --git a/examples/aegis-workshop/workload-init-container/Identity.yaml b/examples/aegis-workshop/workload-init-container/Identity.yaml new file mode 100644 index 0000000..869a17d --- /dev/null +++ b/examples/aegis-workshop/workload-init-container/Identity.yaml @@ -0,0 +1,26 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: aegis-workload-demo +spec: + # SPIFFE ID `MUST` start with "spiffe://aegis.ist/workload/$workloadName/ns/" + # for `aegis-safe` to recognize the workload and dispatch secrets to it. + spiffeIDTemplate: "spiffe://aegis.ist\ + /workload/aegis-workload-demo\ + /ns/{{ .PodMeta.Namespace }}\ + /sa/{{ .PodSpec.ServiceAccountName }}\ + /n/{{ .PodMeta.Name }}" + podSelector: + matchLabels: + app.kubernetes.io/name: aegis-workload-demo + workloadSelectorTemplates: + - "k8s:ns:default" + - "k8s:sa:aegis-workload-demo" diff --git a/examples/aegis-workshop/workload-init-container/Secret.yaml b/examples/aegis-workshop/workload-init-container/Secret.yaml new file mode 100644 index 0000000..b2a9614 --- /dev/null +++ b/examples/aegis-workshop/workload-init-container/Secret.yaml 
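Review bot: Neither the pod nor its two containers set a `securityContext`, so `main`, which receives `USERNAME` and `PASSWORD` as environment variables, and `init-container`, which holds the SPIRE agent socket, run with whatever defaults the cluster applies. Because workshop manifests get copied verbatim, the template should show the baseline hardening: a pod-level `runAsNonRoot` with the default seccomp profile and, per container, no privilege escalation, a read-only root filesystem and all capabilities dropped (assuming the demo images run as a non-root UID and do not write to their root filesystem, which I cannot confirm from here). `AEGIS_LOG_LEVEL: "7"` also looks like the most verbose setting the linked docs offer and deserves `# 7 is debug-level output for the workshop; lower it for real deployments` so it is not carried into production unchanged. Delivering secrets as environment variables additionally exposes them via `/proc/<pid>/environ` and to every child process, which is worth a sentence pointing attendees at the file-based sidecar variant.

```yaml
    spec:
      serviceAccountName: aegis-workload-demo
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: main
          image: aegishub/aegis-workload-demo-using-init-container:0.15.7
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: env from aegis-secret-aegis-workload-demo …
      initContainers:
        - name: init-container
          image: aegishub/aegis-init-container:0.15.7
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: volumeMounts and env …
      # … unchanged: volumes …
```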
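Review bot: The trust boundary this ClusterSPIFFEID draws is never stated: any pod in `default` carrying the label `app.kubernetes.io/name: aegis-workload-demo` and running as service account `aegis-workload-demo` obtains the `aegis-workload-demo` identity and, through safe, its secrets, so whoever can create such a pod effectively holds the secret. The existing comment only explains the ID prefix; next to `workloadSelectorTemplates` add `# Any pod in "default" with this label and this service account gets this identity and its secrets — guard pod creation and this service account with RBAC.` The resource is also cluster-scoped and matches on labels alone while the selectors are pinned to `default`, so a labelled pod in another namespace would presumably get an entry whose `{{ .PodMeta.Namespace }}` ID can never be attested; a `namespaceSelector` limiting the match to `default` would make that intent explicit.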
@@ -0,0 +1,21 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: v1 +kind: Secret +metadata: + # The string after `aegis-secret-` must match the workload’s name. + # For example, this is an Aegis-managed secret for `aegis-workload-demo` + # with the SPIFFE ID + # `"spiffe://aegis.ist/workload/aegis-workload-demo\ + # /ns/{{ .PodMeta.Namespace }}\ + # /sa/{{ .PodSpec.ServiceAccountName }}\ + # /n/{{ .PodMeta.Name }}"` + name: aegis-secret-aegis-workload-demo + namespace: default +type: Opaque diff --git a/examples/aegis-workshop/workload-init-container/ServiceAccount.yaml b/examples/aegis-workshop/workload-init-container/ServiceAccount.yaml new file mode 100644 index 0000000..ad377bf --- /dev/null +++ b/examples/aegis-workshop/workload-init-container/ServiceAccount.yaml @@ -0,0 +1,14 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aegis-workload-demo + namespace: default +automountServiceAccountToken: false diff --git a/examples/aegis-workshop/workload-init-container/image-override.yaml b/examples/aegis-workshop/workload-init-container/image-override.yaml new file mode 100644 index 0000000..82e4a20 --- /dev/null +++ b/examples/aegis-workshop/workload-init-container/image-override.yaml @@ -0,0 +1,22 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: aegis-workload-demo + namespace: default +spec: + template: + spec: + containers: + - name: main + image: localhost:5000/aegis-workload-demo-using-init-container:0.15.7 + initContainers: + - name: init-container + image: localhost:5000/aegis-init-container:0.15.7 
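Review bot: This manifest creates an empty `Opaque` Secret in `default` that, going by the comment and the `secretKeyRef` entries in the matching Deployment, safe later fills with the workload's values, which moves the secret out of safe's custody and into etcd, where it is only base64-encoded unless encryption at rest is configured and readable by anyone with `get secrets` in `default`. The comment documents the naming convention but not this trade-off; add `# Interpolating into a Kubernetes Secret stores the value in etcd: enable encryption at rest and restrict get/list on secrets in this namespace.` so attendees see what the init-container variant gives up compared to the sidecar and SDK variants. It would also help to note that safe needs RBAC to update this Secret, since that binding is not part of this directory and I cannot confirm it from here.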
diff --git a/examples/aegis-workshop/workload-init-container/kustomization.yaml b/examples/aegis-workshop/workload-init-container/kustomization.yaml new file mode 100644 index 0000000..878112d --- /dev/null +++ b/examples/aegis-workshop/workload-init-container/kustomization.yaml @@ -0,0 +1,16 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- Deployment.yaml +patchesStrategicMerge: +- image-override.yaml +generatorOptions: + disableNameSuffixHash: true diff --git a/examples/aegis-workshop/workload-logs.sh b/examples/aegis-workshop/workload-logs.sh new file mode 100755 index 0000000..037725b --- /dev/null +++ b/examples/aegis-workshop/workload-logs.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +. ./env.sh + +kubectl logs "$WORKLOAD" -n default -f diff --git a/examples/aegis-workshop/workload-sdk/Deployment.yaml b/examples/aegis-workshop/workload-sdk/Deployment.yaml new file mode 100644 index 0000000..04e4960 --- /dev/null +++ b/examples/aegis-workshop/workload-sdk/Deployment.yaml 
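Review bot: `generatorOptions.disableNameSuffixHash` has no effect in this kustomization because it declares no `configMapGenerator` or `secretGenerator`; either drop those two lines or add the generator they were meant for. `patchesStrategicMerge` is also deprecated in current kustomize releases in favour of `patches`, so the override is better written as `patches:` followed by `- path: image-override.yaml`. The identical kustomization files for the SDK and sidecar variants in this commit need the same treatment.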
@@ -0,0 +1,59 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: aegis-workload-demo + namespace: default + labels: + app.kubernetes.io/name: aegis-workload-demo +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: aegis-workload-demo + template: + metadata: + labels: + app.kubernetes.io/name: aegis-workload-demo + spec: + serviceAccountName: aegis-workload-demo + containers: + - name: main + image: aegishub/aegis-workload-demo-using-sdk:0.15.7 + volumeMounts: + # Volume mount for SPIRE unix domain socket. + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure this workload by providing environment variables. + # + # See https://aegis.ist/docs/configuration for more information + # about these environment variables. + # + # When you don’t explicitly provide env vars here, Aegis Safe will + # assume the default values outlined in the given link above. + # + env: + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/agent.sock" + - name: AEGIS_LOG_LEVEL + value: "7" + - name: AEGIS_WORKLOAD_SVID_PREFIX + value: "spiffe://aegis.ist/workload/" + - name: AEGIS_SAFE_SVID_PREFIX + value: "spiffe://aegis.ist/workload/aegis-safe/ns/aegis-system/sa/aegis-safe/n/" + volumes: + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true diff --git a/examples/aegis-workshop/workload-sdk/Identity.yaml b/examples/aegis-workshop/workload-sdk/Identity.yaml new file mode 100644 index 0000000..869a17d --- /dev/null +++ b/examples/aegis-workshop/workload-sdk/Identity.yaml 
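Review bot: The env-block comment was copied from a safe manifest: it says `Aegis Safe will assume the default values`, but these variables configure the workload's own SDK client, not safe, so it should read `this workload's Aegis SDK will assume the default values outlined in the given link above.` As in the other two variants, no `securityContext` is set on the pod or on `main`, which holds the SPIRE agent socket; the usual non-root, no-privilege-escalation, dropped-capabilities baseline is what a workshop template should demonstrate (assuming the demo image runs as a non-root user). `AEGIS_LOG_LEVEL: "7"` deserves a comment marking it as workshop-only verbosity.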
@@ -0,0 +1,26 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: aegis-workload-demo +spec: + # SPIFFE ID `MUST` start with "spiffe://aegis.ist/workload/$workloadName/ns/" + # for `aegis-safe` to recognize the workload and dispatch secrets to it. + spiffeIDTemplate: "spiffe://aegis.ist\ + /workload/aegis-workload-demo\ + /ns/{{ .PodMeta.Namespace }}\ + /sa/{{ .PodSpec.ServiceAccountName }}\ + /n/{{ .PodMeta.Name }}" + podSelector: + matchLabels: + app.kubernetes.io/name: aegis-workload-demo + workloadSelectorTemplates: + - "k8s:ns:default" + - "k8s:sa:aegis-workload-demo" diff --git a/examples/aegis-workshop/workload-sdk/ServiceAccount.yaml b/examples/aegis-workshop/workload-sdk/ServiceAccount.yaml new file mode 100644 index 0000000..ad377bf --- /dev/null +++ b/examples/aegis-workshop/workload-sdk/ServiceAccount.yaml @@ -0,0 +1,14 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aegis-workload-demo + namespace: default +automountServiceAccountToken: false diff --git a/examples/aegis-workshop/workload-sdk/image-override.yaml b/examples/aegis-workshop/workload-sdk/image-override.yaml new file mode 100644 index 0000000..39155cd --- /dev/null +++ b/examples/aegis-workshop/workload-sdk/image-override.yaml @@ -0,0 +1,19 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: aegis-workload-demo + namespace: default +spec: + template: + spec: + containers: + - name: main + image: localhost:5000/aegis-workload-demo-using-sdk:0.15.7 
diff --git a/examples/aegis-workshop/workload-sdk/kustomization.yaml b/examples/aegis-workshop/workload-sdk/kustomization.yaml new file mode 100644 index 0000000..878112d --- /dev/null +++ b/examples/aegis-workshop/workload-sdk/kustomization.yaml @@ -0,0 +1,16 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- Deployment.yaml +patchesStrategicMerge: +- image-override.yaml +generatorOptions: + disableNameSuffixHash: true diff --git a/examples/aegis-workshop/workload-sidecar/Deployment.yaml b/examples/aegis-workshop/workload-sidecar/Deployment.yaml new file mode 100644 index 0000000..0d7cd5e --- /dev/null +++ b/examples/aegis-workshop/workload-sidecar/Deployment.yaml 
@@ -0,0 +1,83 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: aegis-workload-demo + namespace: default + labels: + app.kubernetes.io/name: aegis-workload-demo +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: aegis-workload-demo + template: + metadata: + labels: + app.kubernetes.io/name: aegis-workload-demo + spec: + serviceAccountName: aegis-workload-demo + containers: + - name: main + image: aegishub/aegis-workload-demo-using-sidecar:0.15.7 + volumeMounts: + # `main` shares this volume with `sidecar`. + - mountPath: /opt/aegis + name: aegis-secrets-volume + - name: sidecar + image: aegishub/aegis-sidecar:0.14.0 + volumeMounts: + # /opt/aegis/secrets.json is the place the secrets will be at. + - mountPath: /opt/aegis + name: aegis-secrets-volume + # Volume mount for SPIRE unix domain socket. + - name: spire-agent-socket + mountPath: /spire-agent-socket + readOnly: true + # + # You can configure this workload by providing environment variables. + # + # See https://aegis.ist/docs/configuration for more information about + # these environment variables. + # + # When you don’t explicitly provide env vars here, Aegis Safe will assume + # the default values outlined in the given link above. 
+ # + env: + - name: SPIFFE_ENDPOINT_SOCKET + value: "unix:///spire-agent-socket/agent.sock" + - name: AEGIS_LOG_LEVEL + value: "7" + - name: AEGIS_WORKLOAD_SVID_PREFIX + value: "spiffe://aegis.ist/workload/" + - name: AEGIS_SAFE_SVID_PREFIX + value: "spiffe://aegis.ist/workload/aegis-safe/ns/aegis-system/sa/aegis-safe/n/" + - name: AEGIS_SIDECAR_POLL_INTERVAL + value: "20000" + - name: AEGIS_SIDECAR_MAX_POLL_INTERVAL + value: "300000" + - name: AEGIS_SIDECAR_EXPONENTIAL_BACKOFF_MULTIPLIER + value: "2" + - name: AEGIS_SIDECAR_SUCCESS_THRESHOLD + value: "3" + - name: AEGIS_SIDECAR_ERROR_THRESHOLD + value: "2" + volumes: + # A memory-backed volume is recommended (but not required) to keep + # the secrets. The secrets can be stored in any kind of volume. + - name: aegis-secrets-volume + emptyDir: + medium: Memory + # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket + # ref: https://github.com/spiffe/spiffe-csi + - name: spire-agent-socket + csi: + driver: "csi.spiffe.io" + readOnly: true diff --git a/examples/aegis-workshop/workload-sidecar/Identity.yaml b/examples/aegis-workshop/workload-sidecar/Identity.yaml new file mode 100644 index 0000000..ecccf56 --- /dev/null +++ b/examples/aegis-workshop/workload-sidecar/Identity.yaml 
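Review bot: The sidecar image is pinned to `aegishub/aegis-sidecar:0.14.0` while every other Aegis image in this commit, including the local-registry override for this very container, is `0.15.7`; unless running the older sidecar is deliberate, change it to `image: aegishub/aegis-sidecar:0.15.7`. `main` mounts `aegis-secrets-volume` read-write although it only needs to read `/opt/aegis/secrets.json`; give its mount `readOnly: true` so a compromised main process cannot tamper with the file the sidecar maintains. The volume comment saying the secrets "can be stored in any kind of volume" undersells the point, since a disk-backed `emptyDir` writes plaintext secrets to the node's filesystem; reword it to `# Use a memory-backed emptyDir: a disk-backed volume writes plaintext secrets to the node.` The env comment also says `Aegis Safe will assume the default values` where it is the sidecar that reads these variables.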
@@ -0,0 +1,26 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: aegis-workload-demo +spec: + # SPIFFE ID `MUST` start with "spiffe://aegis.ist/workload/$workloadName/ns/" + # for `safe` to recognize the workload and dispatch secrets to it. + spiffeIDTemplate: "spiffe://aegis.ist\ + /workload/aegis-workload-demo\ + /ns/{{ .PodMeta.Namespace }}\ + /sa/{{ .PodSpec.ServiceAccountName }}\ + /n/{{ .PodMeta.Name }}" + podSelector: + matchLabels: + app.kubernetes.io/name: aegis-workload-demo + workloadSelectorTemplates: + - "k8s:ns:default" + - "k8s:sa:aegis-workload-demo" diff --git a/examples/aegis-workshop/workload-sidecar/ServiceAccount.yaml b/examples/aegis-workshop/workload-sidecar/ServiceAccount.yaml new file mode 100644 index 0000000..ad377bf --- /dev/null +++ b/examples/aegis-workshop/workload-sidecar/ServiceAccount.yaml @@ -0,0 +1,14 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aegis-workload-demo + namespace: default +automountServiceAccountToken: false diff --git a/examples/aegis-workshop/workload-sidecar/image-override.yaml b/examples/aegis-workshop/workload-sidecar/image-override.yaml new file mode 100644 index 0000000..3c41b01 --- /dev/null +++ b/examples/aegis-workshop/workload-sidecar/image-override.yaml 
@@ -0,0 +1,21 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: aegis-workload-demo + namespace: default +spec: + template: + spec: + containers: + - name: main + image: localhost:5000/aegis-workload-demo-using-sidecar:0.15.7 + - name: sidecar + image: localhost:5000/aegis-sidecar:0.15.7 diff --git a/examples/aegis-workshop/workload-sidecar/kustomization.yaml b/examples/aegis-workshop/workload-sidecar/kustomization.yaml new file mode 100644 index 0000000..878112d --- /dev/null +++ b/examples/aegis-workshop/workload-sidecar/kustomization.yaml @@ -0,0 +1,16 @@ +# +# .-'_.---._'-. +# ||####|(__)|| Protect your secrets, protect your business. +# \\()|##// Secure your sensitive data with Aegis. +# \\ |#// +# .\_/. +# + +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- Deployment.yaml +patchesStrategicMerge: +- image-override.yaml +generatorOptions: + disableNameSuffixHash: true diff --git a/examples/workload-multiple-secrets/k8s/Identity.yaml b/examples/workload-multiple-secrets/k8s/Identity.yaml index 0f9ab8c..869a17d 100644 --- a/examples/workload-multiple-secrets/k8s/Identity.yaml +++ b/examples/workload-multiple-secrets/k8s/Identity.yaml @@ -22,5 +22,5 @@ spec: matchLabels: app.kubernetes.io/name: aegis-workload-demo workloadSelectorTemplates: - - "k8s:ns:{{ .PodMeta.Namespace }}" - - "k8s:sa:{{ .PodSpec.ServiceAccountName }}" + - "k8s:ns:default" + - "k8s:sa:aegis-workload-demo" diff --git a/examples/workload-using-init-container/k8s/Identity.yaml b/examples/workload-using-init-container/k8s/Identity.yaml index 0f9ab8c..869a17d 100644 --- a/examples/workload-using-init-container/k8s/Identity.yaml +++ b/examples/workload-using-init-container/k8s/Identity.yaml 
@@ -22,5 +22,5 @@ spec: matchLabels: app.kubernetes.io/name: aegis-workload-demo workloadSelectorTemplates: - - "k8s:ns:{{ .PodMeta.Namespace }}" - - "k8s:sa:{{ .PodSpec.ServiceAccountName }}" + - "k8s:ns:default" + - "k8s:sa:aegis-workload-demo" diff --git a/examples/workload-using-sdk/k8s/Identity.yaml b/examples/workload-using-sdk/k8s/Identity.yaml index 0f9ab8c..869a17d 100644 --- a/examples/workload-using-sdk/k8s/Identity.yaml +++ b/examples/workload-using-sdk/k8s/Identity.yaml @@ -22,5 +22,5 @@ spec: matchLabels: app.kubernetes.io/name: aegis-workload-demo workloadSelectorTemplates: - - "k8s:ns:{{ .PodMeta.Namespace }}" - - "k8s:sa:{{ .PodSpec.ServiceAccountName }}" + - "k8s:ns:default" + - "k8s:sa:aegis-workload-demo" diff --git a/examples/workload-using-sidecar/k8s/Identity.yaml b/examples/workload-using-sidecar/k8s/Identity.yaml index d88acab..ecccf56 100644 --- a/examples/workload-using-sidecar/k8s/Identity.yaml +++ b/examples/workload-using-sidecar/k8s/Identity.yaml @@ -22,5 +22,5 @@ spec: matchLabels: app.kubernetes.io/name: aegis-workload-demo workloadSelectorTemplates: - - "k8s:ns:{{ .PodMeta.Namespace }}" - - "k8s:sa:{{ .PodSpec.ServiceAccountName }}" + - "k8s:ns:default" + - "k8s:sa:aegis-workload-demo"
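Review bot: The selectors are now pinned to `k8s:ns:default` and `k8s:sa:aegis-workload-demo` while `spiffeIDTemplate`, which lies outside this hunk, still renders `{{ .PodMeta.Namespace }}` and `{{ .PodSpec.ServiceAccountName }}`, so a matching pod deployed in any other namespace or under another service account now gets an entry whose selectors can never be satisfied and silently receives no SVID. If hard-coding is the intended fix, tie the two together with a comment such as `# Must match the Deployment's namespace and serviceAccountName exactly; a mismatch yields no SVID, not an error.` If it was a workaround for the templated selectors not rendering, the templated form is, as far as I recall, the one the spire-controller-manager examples use, and the root cause would be worth recording in the commit message rather than patching the four example files.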