Use Case k8s Allowed Network Policy Vault Secrets GCP - GoogleCloudPlatform/anthos-appconfig GitHub Wiki
Use Case - Allowed Services (Network Policies) & Secrets Injection (Vault)
- Namespace: uc-secrets-vault-k8s
We will use Pub/Sub topic ACLs to demonstrate adding secrets to the pod via a mutating webhook. At this point, the secret lives in the controller namespace "appconfigmgrv2-system", where RBAC protects it. The webhook copies the appropriate secret into the application namespace, mounts it as a volume, and adds an environment variable named GOOGLE_APPLICATION_CREDENTIALS (pointing to the file under the volume mount), as required by the Google API client libraries.
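The volume-plus-environment-variable injection described above, as an added illustration (this is not the anthos-appconfig webhook's own code): a small Python routine that builds the JSON Patch a mutating admission webhook would return for a pod. The volume name `gcp-sa-key`, the mount path, the key file name and the secret name are assumptions; only the GOOGLE_APPLICATION_CREDENTIALS variable name comes from the page.

```python
import base64
import json

# Assumed names (not from the wiki); only ENV_NAME is taken from the page.
ENV_NAME = "GOOGLE_APPLICATION_CREDENTIALS"
VOLUME_NAME = "gcp-sa-key"
KEY_FILE = "key.json"


def build_secret_injection_patch(pod, secret_name, mount_path="/var/secrets/gcp"):
    """Return RFC 6902 JSON Patch ops that mount the copied secret into every
    container of `pod` and point GOOGLE_APPLICATION_CREDENTIALS at the key file."""
    spec = pod.get("spec", {})
    ops = []
    volume = {"name": VOLUME_NAME, "secret": {"secretName": secret_name}}
    if "volumes" not in spec:  # pod has no volumes yet: create the array
        ops.append({"op": "add", "path": "/spec/volumes", "value": [volume]})
    elif not any(v.get("name") == VOLUME_NAME for v in spec["volumes"]):
        ops.append({"op": "add", "path": "/spec/volumes/-", "value": volume})
    mount = {"name": VOLUME_NAME, "mountPath": mount_path, "readOnly": True}
    env = {"name": ENV_NAME, "value": f"{mount_path}/{KEY_FILE}"}
    for i, c in enumerate(spec.get("containers", [])):
        base = f"/spec/containers/{i}"
        if "volumeMounts" not in c:
            ops.append({"op": "add", "path": f"{base}/volumeMounts", "value": [mount]})
        else:
            ops.append({"op": "add", "path": f"{base}/volumeMounts/-", "value": mount})
        if any(e.get("name") == ENV_NAME for e in c.get("env", [])):
            continue  # never silently override credentials the pod already declares
        if "env" not in c:
            ops.append({"op": "add", "path": f"{base}/env", "value": [env]})
        else:
            ops.append({"op": "add", "path": f"{base}/env/-", "value": env})
    return ops


def admission_response(uid, patch_ops):
    """Wrap the ops in the AdmissionReview response the API server expects."""
    patch = base64.b64encode(json.dumps(patch_ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": uid, "allowed": True,
                         "patchType": "JSONPatch", "patch": patch}}


def decode_patch(review):
    """Recover the patch ops from a response (what the API server applies)."""
    return json.loads(base64.b64decode(review["response"]["patch"]))


# Constructed sample pod: one container, no volumes or env declared yet.
SAMPLE_POD = {"spec": {"containers": [{"name": "app", "image": "hello-app"}]}}
```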
gsutil cat gs://anthos-appconfig_public/deploy/${RELEASE_NAME}/examples/use-cases/uc-secrets-vault-k8s/deploy-apps.yaml | kubectl apply -f -
*NOTE - will document vault in wiki
curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-secrets-vault-k8s-appconfigv2-service-sm-2.uc-secrets-vault-k8s/testcallseq"
| Allowed Services View |
|---|
| Dev Service -> All |
| Svc 1 -> Svc 4, Pubsub |
| Svc 2 -> Svc 1, Svc 4 |
| Svc 3 -> No One |
| Svc 4 -> Svc 2, Svc 3 |
| External Access via NAT (open) |
Svc 2 -> Svc 1 -> Outbound (Should Work)
curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-secrets-vault-k8s-appconfigv2-service-sm-2.uc-secrets-vault-k8s/testcallseq&call2=http://app-secrets-vault-k8s-appconfigv2-service-sm-1/testcallseq&call3=https://httpbin.org/get"
Response (Success)
host:hello-app-drv-py-1-5c7cdd4947-f75q9
host:hello-app-sm-py-2-7769c48764-mwl4v
host:hello-app-sm-py-1-76b8fb54f8-pkmkj
{
"args": {},
"headers": {
"Accept": "*/*",
"Accept-Encoding": "gzip, deflate",
"Host": "httpbin.org",
"User-Agent": "python-requests/2.22.0"
},
"origin": "35.184.53.199, 35.184.53.199",
"url": "https://httpbin.org/get"
}
Svc 2 -> Svc 1 -> Pubsub topic1 Outbound (Should Work)
curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-secrets-vault-k8s-appconfigv2-service-sm-2.uc-secrets-vault-k8s/testcallseq&call2=http://app-secrets-vault-k8s-appconfigv2-service-sm-1/testcallseq&call3=http://app-secrets-vault-k8s-appconfigv2-service-pubsub?gcpProjectID=${PROJECT_NAME}&topic=appconfigcrd-demo-topic1&message=hello1"
gcloud pubsub subscriptions pull --auto-ack appconfigcrd-demo-topic1 --page-size 20 --limit 20 --project $PROJECT_NAME
host:hello-app-drv-py-1-5c7cdd4947-f75q9
host:hello-app-sm-py-2-65bb79f7d5-6sxlf
host:hello-app-sm-py-1-669578dd95-pqpnc
Publish Success: 608858688012712
┌────────┬─────────────────┬────────────┐
│  DATA  │   MESSAGE_ID    │ ATTRIBUTES │
├────────┼─────────────────┼────────────┤
│ hello1 │ 608858688012712 │            │
└────────┴─────────────────┴────────────┘
Try a different topic (2); this also works because the roleset setup grants access to both topics.
curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-secrets-vault-k8s-appconfigv2-service-sm-2.uc-secrets-vault-k8s/testcallseq&call2=http://app-secrets-vault-k8s-appconfigv2-service-sm-1/testcallseq&call3=http://app-secrets-vault-k8s-appconfigv2-service-pubsub?gcpProjectID=${PROJECT_NAME}&topic=appconfigcrd-demo-topic2&message=hello2"
gcloud pubsub subscriptions pull --auto-ack appconfigcrd-demo-topic2 --page-size 20 --limit 20 --project $PROJECT_NAME
host:hello-app-drv-py-1-56998958f4-vz84t
host:hello-app-sm-py-2-54576b75c7-gjz8b
host:hello-app-sm-py-1-5dff48f945-zfz7k
Publish Success: 67158926176972