From 0ebcb9c1cb8b6f63b0851ddca05abe5fba73f3cd Mon Sep 17 00:00:00 2001
From: MichaelCade
Date: Fri, 21 Jul 2023 10:09:09 +0100
Subject: [PATCH] fixing and adding day39 brief steps

---
 .DS_Store | Bin 10244 -> 10244 bytes
 2023/day39.md | 111 +++++++---------------------
 2023/day39/cluster-keys.json | 6 +-
 2023/day39/deployment-01-webapp.yml | 2 -
 2023/day39/devwebapp.yaml | 16 ++++
 5 files changed, 47 insertions(+), 88 deletions(-)
 create mode 100644 2023/day39/devwebapp.yaml

diff --git a/.DS_Store b/.DS_Store
index df74ac8c01e39cdfd4a52937b33b53da2d9ebbb7..25e87e4337c7f7593c9688ef0472261306b24e47 100644
GIT binary patch
delta 16
XcmZn(XbIS$C&X-QWW3o>=&~pPEv*F-

delta 16
XcmZn(XbIS$C&X-KVzk*%=&~pPEzJcM

diff --git a/2023/day39.md b/2023/day39.md
index aadcdd974..b71098cb7 100644
--- a/2023/day39.md
+++ b/2023/day39.md
@@ -131,122 +131,67 @@ We must now exec into our vault-0 pod to enable the secret engine. `kubectl exec --stdin=true --tty=true vault-0 -n vault -- /bin/sh` -We will now have to authenticate and login using `vault login` and provide the token we discovered with root_token in a previous step. - ![](images/day39-7.png) -We will now run the following commands the first will enable the secret engine and the second will create secret at the path. - -``` -vault secrets enable -path=secret kv-v2 - -vault kv put secret/webapp/config username="static-user" password="static-password" -``` -You can then verify with the following command +`vault secrets enable -path=secret kv-v2` -`vault kv get secret/webapp/config` -So far we have used our root token this root user can peform any operation at any path and as you can expect best practices states that we dont or should not use this account other than initial setup and configuration. +`vault kv put secret/devwebapp/config username='giraffe' password='salsa'` -You should still be in your vault-0 pod. We are going to enable the Kubernetes authentication method with the following command: +`vault kv get secret/devwebapp/config` `vault auth enable kubernetes` -***Vault accepts this service token from any client within the Kubernetes cluster. During authentication, Vault verifies that the service account token is valid by querying a configured Kubernetes endpoint.*** - -Next we need to configure the Kubernetes authentication method to use the location of the Kubernetes API. - ``` vault write auth/kubernetes/config \ kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" ``` - -## Creating a Vault Policy - -For a client or application to access the secret data defined, at secret/webapp/config, requires that the read capability be granted for the path secret/data/webapp/config. 
- ``` -vault policy write webapp - < devwebapp.yaml < -n webapp 8080:8080
-```
+`kubectl exec --stdin=true --tty=true devwebapp -n devwebapp -c devwebapp -- cat /vault/secrets/credentials.txt`
diff --git a/2023/day39/cluster-keys.json b/2023/day39/cluster-keys.json
index d5ac0109c..86e05759c 100644
--- a/2023/day39/cluster-keys.json
+++ b/2023/day39/cluster-keys.json
@@ -1,9 +1,9 @@
 {
 "unseal_keys_b64": [
- "qZiqjl0/r8zgnoCU8j9tdr5eN8W56rXb6xFpGmGumUs="
+ "s/zg7van3BR5U55FXJchQCZrA5IRA2mLAwVklF/lExM="
 ],
 "unseal_keys_hex": [
- "a998aa8e5d3fafcce09e8094f23f6d76be5e37c5b9eab5dbeb11691a61ae994b"
+ "b3fce0eef6a7dc1479539e455c972140266b03921103698b030564945fe51313"
 ],
 "unseal_shares": 1,
 "unseal_threshold": 1,
@@ -11,5 +11,5 @@
 "recovery_keys_hex": [],
 "recovery_keys_shares": 0,
 "recovery_keys_threshold": 0,
- "root_token": "hvs.SyXEwWlOzmBnQxe4xr6r337P"
+ "root_token": "hvs.p1rm1RK7193dXelo4q3wSjDu"
 }
diff --git a/2023/day39/deployment-01-webapp.yml b/2023/day39/deployment-01-webapp.yml
index b9703b195..c703f2dbe 100644
--- a/2023/day39/deployment-01-webapp.yml
+++ b/2023/day39/deployment-01-webapp.yml
@@ -3,13 +3,11 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: vault
- namespace: webapp
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: webapp
- namespace: webapp
 labels:
 app: webapp
 spec:
diff --git a/2023/day39/devwebapp.yaml b/2023/day39/devwebapp.yaml
new file mode 100644
index 000000000..1f09ae53f
--- /dev/null
+++ b/2023/day39/devwebapp.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: devwebapp
+ labels:
+ app: devwebapp
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "devweb-app"
+ vault.hashicorp.com/agent-inject-secret-credentials.txt: "secret/data/devwebapp/config"
+spec:
+ serviceAccountName: internal-app
+ containers:
+ - name: devwebapp
+ image: jweissig/app:0.0.1
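Review bot: The new `unseal_keys_b64`/`unseal_keys_hex` values in this hunk, and the `root_token` in the `@@ -11,5 +11,5 @@` hunk of the same file, are live Vault credentials committed to version control; swapping them in a commit does not scrub the previous set from git history, and the new set is exposed in exactly the same way. Even for a throwaway lab cluster this is best handled as a compromise: rekey or re-initialise the Vault, revoke the root token, and stop tracking the file. Suggest deleting `2023/day39/cluster-keys.json` from the tree and adding it to `.gitignore`, or, if the tutorial needs the file's shape, committing it with redacted values such as `"root_token": "<REDACTED>"`.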
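Review bot: `serviceAccountName: internal-app` names a ServiceAccount that this manifest does not define, and `metadata` sets no namespace even though the day39.md change in this patch execs into the pod with `-n devwebapp`; unless that account already exists in that namespace and the file is applied with `-n devwebapp`, the ServiceAccount admission check will reject the pod, and the Vault Kubernetes auth role `devweb-app` named in the `vault.hashicorp.com/role` annotation must be bound to exactly that service-account name and namespace or the injected agent cannot log in (the role and policy commands belong to the markdown hunk, which is garbled here, so I cannot confirm they match). I would make the file self-contained by adding `namespace: devwebapp` to the pod and a ServiceAccount document ahead of it, as below. Separately, `image: jweissig/app:0.0.1` is pulled by mutable tag from a third-party registry; pinning by digest (e.g. `jweissig/app@sha256:<digest-placeholder>`) keeps the lab reproducible and makes a re-tagged image fail to pull rather than silently change.
```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: internal-app
  namespace: devwebapp
---
apiVersion: v1
kind: Pod
metadata:
  name: devwebapp
  namespace: devwebapp
  # … unchanged: labels and vault.hashicorp.com annotations …
spec:
  serviceAccountName: internal-app
  # … unchanged: containers …
```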