So making sealed secrets with WSL is not a good idea. But it seems I …

…got everything else set up to make a secret. I will want to commit the keystore too for consistency
adwise-fiu · Feb 11, 2024 · b33849f · b33849f
1 parent 8f41531
commit b33849f
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 31 deletions.
diff --git a/README.md b/README.md
@@ -19,18 +19,49 @@ pip3 install pyyaml
 pip3 install configobj
 curl -s "https://get.sdkman.io" | bash
 source "$HOME/.sdkman/bin/sdkman-init.sh"
+# In a new terminal, you run this command
 sdk install gradle
 ```
 
-Run this command and all future commands from `Level-Site-PPDT` folder, run the following command once to install docker.
+Run this command and all future commands from `Level-Site-PPDT` folder, run the following command once to install docker and MiniKube.
 
 **Reboot your machine, then re-run the command to install minikube.**
 ```bash
 bash setup.sh
 ```
 
+Also,
+remember to install [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets?tab=readme-ov-file#installation).
+```bash
+sudo apt-get install jq
+
+# Fetch the latest sealed-secrets version using GitHub API
+KUBESEAL_VERSION=$(curl -s https://api.github.com/repos/bitnami-labs/sealed-secrets/tags | jq -r '.[0].name' | cut -c 2-)
+
+# Check if the version was fetched successfully
+if [ -z "$KUBESEAL_VERSION" ]; then
+ echo "Failed to fetch the latest KUBESEAL_VERSION"
+ exit 1
+fi
+
+wget "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION}/kubeseal-${KUBESEAL_VERSION}-linux-amd64.tar.gz"
+tar -xvzf kubeseal-"${KUBESEAL_VERSION}"-linux-amd64.tar.gz kubeseal
+sudo install -m 755 kubeseal /usr/local/bin/kubeseal
+rm kubeseal
+
+# Install Helm
+curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
+chmod 700 get_helm.sh
+./get_helm.sh
+rm ./get_helm
+
+# Add Sealed Secret Cluster
+helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
+helm install sealed-secrets -n kube-system --set-string fullnameOverride=sealed-secrets-controller sealed-secrets/sealed-secrets
+```
+
 Before you run the PPDT, make sure to create your keystore, this is necessary as the level-sites use TLS sockets. 
-Run the `create_keystore.sh` script, make sure the password is consistent with the Kubernetes secret.
+Either run `create_keystore.sh` script, make sure the password is consistent with the Kubernetes secret, or just use the Sealed Secret.
 
 ## Running PPDT locally
 
@@ -64,25 +95,6 @@ drawing of what the DT looks like.
 To make it easier for deploying on the cloud, we also provided a method to export our system into Kubernetes.
 This would assume one execution rather than multiple executions.
 
-### Creating a Kubernetes Secret
-You should set up a Kubernetes secret file, called `ppdt-secrets.yaml` in the `k8/level-sites`, `k8/client`, and `k8/server` folder.
-In the yaml file, you will need to replace <SECRET_VALUE> with a random string encoded in Base64.
-This secret is to access the keystore in the container. If you want to replicate results with what is 
-stored on DockerHub now, set it to the Base64 encoding of `WeshoulduseSealedSecretsSometime`.
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
- name: ppdt-secrets
-type: Opaque
-data:
- keystore-pass: <SECRET_VALUE>>
-```
-
-or you can use the command:
-
- kubectl create secret generic ppdt-secrets --from-literal=keystore-pass=<SECRET_VALUE>
-
 ### Option 1 - Using Minikube
 You will need to start and configure minikube. When writing the paper, we provided 8 CPUs and 20 GB of memory; this was set using the arguments that fit your computer's specs.
 
@@ -114,6 +126,20 @@ eksctl get clusters --region us-east-2
 aws eks update-kubeconfig --name ppdt --region us-east-2
 ```
 
+### Using/Creating a Kubernetes Sealed Secret
+It is suggested you use the existing sealed secret. The password in this secret is aligned with what is on the keystore,
+
+```commandline
+kubectl -f apply ppdt-sealedsecret.yaml
+```
+
+Alternatively, you can create a new sealed secret as follows:
+```bash
+kubectl create secret generic ppdt-secrets --from-literal=keystore-pass=ZifangHuang
+kubectl get secret ppdt-secrets -o yaml | kubeseal > ppdt-sealedsecret.yaml
+```
+However, if you make a new sealed secret, you should re-make the keystore as well.
+
 ### Running Kubernetes Commands
 The next step is to start deploying all the components running the following:
 

diff --git a/setup.sh b/setup.sh
@@ -16,15 +16,29 @@
 # Install docker if user is not already in docker group
 if [[ $(id) != *\(docker\)* ]]; then
  # INSTALL DOCKER
+ # https://docs.docker.com/engine/install/ubuntu/
  echo '##################################################'
  echo '[*] Installing Docker...'
  echo '##################################################'
  sleep 3
- sudo apt install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
- curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
- sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
- sudo apt-get update
- sudo apt-get install -y docker-ce docker-ce-cli containerd.io
+
+ for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove $pkg; done
+
+ # Add Docker's official GPG key:
+ sudo apt-get update
+ sudo apt-get install ca-certificates curl
+ sudo install -m 0755 -d /etc/apt/keyrings
+ sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
+ sudo chmod a+r /etc/apt/keyrings/docker.asc
+
+ # Add the repository to Apt sources:
+ echo \
+ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
+ $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+ sudo apt-get update
+
+ sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
 
  # CONFIGURE STANDARD USER TO MANAGE DOCKER WITHOUT ROOT
  echo '##################################################'
@@ -38,16 +52,16 @@ if [[ $(id) != *\(docker\)* ]]; then
  echo '#####################################################################'
 else
  # INSTALL KUBERNETES CLI TOOLS
+ # https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
  echo '##################################################'
  echo '[*] Installing kubectl...'
  echo '##################################################'
  sleep 3
- sudo apt-get install -y apt-transport-https ca-certificates curl
- sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
- echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
- sudo apt-get update -y
- sudo apt-get install -y kubectl
+ curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+ sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+ rm kubectl
 
+ # https://minikube.sigs.k8s.io/docs/start/
  echo '##################################################'
  echo '[*] Installing minikube...'
  echo '##################################################'