# User-tunable knobs use `?=` so they can be overridden from the environment or
# the command line (e.g. `make VERSION=1.2.3 REGISTRY_NAME=registry.example`);
# the remaining values are derived from them.

# Registry/namespace the image is tagged for.
REGISTRY_NAME?=docker.io/hashicorp
IMAGE_NAME=vault-k8s
VERSION?=0.0.0-dev
# Full image reference built by `image`; recursive flavour, so it follows any
# later override of REGISTRY_NAME / IMAGE_NAME / VERSION.
IMAGE_TAG?=$(REGISTRY_NAME)/$(IMAGE_NAME):$(VERSION)
PUBLISH_LOCATION?=https://releases.hashicorp.com
DOCKER_DIR=./build/docker
# Output directory for `build`; also what `clean` removes.
BUILD_DIR=dist
GOOS?=linux
GOARCH?=amd64
BIN_NAME=$(IMAGE_NAME)
# `$$` defers the `find` to the shell at recipe time (see `fmt`), so it is not
# run at parse time on every expansion.
GOFMT_FILES?=$$(find . -name '*.go' | grep -v vendor)
XC_PUBLISH?=
PKG=github.com/hashicorp/vault-k8s/version
# Stamps the version into the binary at link time; the double quotes make the
# shell pass the whole -X expression as one argument.
LDFLAGS?="-X '$(PKG).Version=v$(VERSION)'"
TESTARGS ?= '-test.v'
# vault-helm chart version installed by `deploy`.
HELM_CHART_VERSION ?= 0.25.0
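# Every target in this file is a command rather than a file it produces, so all
# of them are declared phony; otherwise a stray file named e.g. `test` or
# `fmt` would make the target look up to date and silently skip the recipe.
# `unit-test` and `fmt` were previously undeclared (`mod` is declared at its rule).
.PHONY: all test build image clean version deploy exercise teardown unit-test fmt
all: build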
# Prints the version that `build` and `image` will stamp into their artifacts.
version:
	@echo $(VERSION)
# Compiles the binary without cgo for the configured GOOS/GOARCH into
# $(BUILD_DIR)/$(BIN_NAME), embedding the version via LDFLAGS.
# Note: `$(LDFLAGS)` is already shell-quoted in its definition above, so it must
# not be quoted again here.
build:
	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build \
		-ldflags $(LDFLAGS) \
		-o $(BUILD_DIR)/$(BIN_NAME) \
		.
# Builds the container image from the local Dockerfile, tagged $(IMAGE_TAG).
# `--no-cache` rebuilds every layer instead of reusing cached ones, so the image
# always reflects the binary `build` just produced.
image: build
	docker build --build-arg VERSION=$(VERSION) --no-cache -t $(IMAGE_TAG) .
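# Deploys Vault dev server and a locally built Agent Injector.
# Run multiple times to deploy new builds of the injector.
# The Vault dev server runs unsealed and in-memory and is only meant for a
# local kind cluster. `pullPolicy=Never` makes the injector use the image
# loaded into kind rather than pulling from a registry.
# The image loaded and the chart's image repository are both derived from
# IMAGE_TAG / REGISTRY_NAME / IMAGE_NAME, so overriding those variables still
# deploys the image `image` actually built (previously `hashicorp/vault-k8s`
# was hard-coded here).
# The `deployed` annotation changes on every run so helm rolls the injector
# pods even when nothing else in the values changed.
deploy: image
	kind load docker-image $(IMAGE_TAG)
	helm upgrade --install vault vault --repo https://helm.releases.hashicorp.com --version=$(HELM_CHART_VERSION) \
		--wait --timeout=5m \
		--set 'server.dev.enabled=true' \
		--set 'server.logLevel=debug' \
		--set 'injector.image.repository=$(REGISTRY_NAME)/$(IMAGE_NAME)' \
		--set 'injector.image.tag=$(VERSION)' \
		--set 'injector.image.pullPolicy=Never' \
		--set 'injector.affinity=null' \
		--set 'injector.annotations.deployed=unix-$(shell date +%s)'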
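# Populates the Vault dev server with a secret, configures kubernetes auth, and
# deploys an nginx pod with annotations to have the secret injected.
# The `test-app` policy grants read on exactly the KV path the pod requests
# (secret/data/test-app) instead of the whole secret/data/* tree, so the role
# carries no more access than the exercise needs.
# `|| true` on `auth enable` and `create serviceaccount` keeps the target
# re-runnable: both commands fail when the object already exists.
# `$$KUBERNETES_PORT_443_TCP_ADDR` is expanded by the shell inside vault-0, not
# by make.
exercise:
	kubectl exec vault-0 -- vault kv put secret/test-app hello=world
	kubectl exec vault-0 -- vault auth enable kubernetes || true
	kubectl exec vault-0 -- sh -c 'vault write auth/kubernetes/config kubernetes_host="https://$$KUBERNETES_PORT_443_TCP_ADDR:443"'
	echo 'path "secret/data/test-app" { capabilities = ["read"] }' | kubectl exec -i vault-0 -- vault policy write test-app -
	kubectl exec vault-0 -- vault write auth/kubernetes/role/test-app \
		bound_service_account_names=test-app-sa \
		bound_service_account_namespaces=default \
		policies=test-app
	kubectl create serviceaccount test-app-sa || true
	kubectl delete pod nginx --ignore-not-found
	kubectl run nginx \
		--image=nginx \
		--annotations="vault.hashicorp.com/agent-inject=true" \
		--annotations="vault.hashicorp.com/role=test-app" \
		--annotations="vault.hashicorp.com/agent-inject-secret-secret.txt=secret/data/test-app" \
		--overrides='{ "apiVersion": "v1", "spec": { "serviceAccountName": "test-app-sa" } }'
	kubectl wait --for=condition=Ready --timeout=5m pod nginx
	kubectl exec nginx -c nginx -- cat /vault/secrets/secret.txt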
# Teardown any resources created in deploy and exercise targets.
# `helm uninstall ... || true` tolerates a release that was never installed;
# the kubectl deletes use --ignore-not-found for the same reason. Vault's
# dev-mode state (secret, auth config, policy) is in-memory and goes away with
# the release.
teardown:
	helm uninstall vault || true
	kubectl delete --ignore-not-found serviceaccount test-app-sa
	kubectl delete --ignore-not-found pod nginx
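# Removes the build output directory. The guard aborts if BUILD_DIR expands to
# nothing, so this can never degrade into `rm -rf` with no path. The `-`
# prefix was dropped: `rm -rf` already succeeds on a missing directory, so it
# only hid real failures (e.g. permission errors).
clean:
	$(if $(strip $(BUILD_DIR)),,$(error BUILD_DIR is empty)) rm -rf $(BUILD_DIR)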
# `test` is the conventional entry point; it currently runs only unit tests.
test: unit-test

# Runs the Go unit tests with the race detector; TESTARGS (default '-test.v')
# is passed through to `go test`.
unit-test:
	go test -race $(TESTARGS) ./...
# Prunes and completes go.mod/go.sum.
.PHONY: mod
mod:
	@go mod tidy
# Rewrites all non-vendored Go files in place with gofmt. GOFMT_FILES is a
# shell substitution evaluated when this recipe runs.
fmt:
	gofmt -w $(GOFMT_FILES)