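# Source: https://gist.github.com/vfarcic/42d96b7a284a5435a2d1eca0156644b5

#######################################################################
# Secrets Made My Life Miserable - Consume Secrets Easily With Teller #
# https://youtu.be/Vcjz-YM3uLQ                                        #
#######################################################################

# Additional Info:
# - Teller: https://github.com/tellerops/teller
# - Manage Kubernetes Secrets With External Secrets Operator (ESO): https://youtu.be/SyRZe5YVCVk
# - SchemaHero - Database Schema Migrations Inside Kubernetes: https://youtu.be/SofQxb4CDQQ
# - How To Inspect, Plan, Migrate DB Schemas With Atlas: https://youtu.be/JLvHpXJ1hHk

# This is a step-by-step walkthrough meant to be pasted into an
# interactive shell one section at a time, not executed as a single
# script: it switches between two terminal sessions, expects `ctrl+c`
# at several points, and contains an `exit`.
# Tools used: git, gcloud (authenticated), yq, go, docker, teller, curl
# (Devbox installs the ones listed in `devbox.json`).

#########
# Setup #
#########

git clone https://github.com/vfarcic/teller-demo

cd teller-demo

# Watch https://youtu.be/WiFLtcBvGMU if you are not familiar with Devbox. Alternatively, you can skip Devbox and install all the tools listed in `devbox.json` yourself.
devbox shell

# The demo is based on Google Cloud (GCP) and Google Secrets.
# Teller works with almost any type of secrets but you'll have to
# adapt the manifests and the commands if you're planning to
# use a different provider (other than GCP).

# Timestamp-based, throwaway project ID; the project is deleted in the
# Destroy section at the end.
export PROJECT_ID="dot-$(date +%Y%m%d%H%M%S)"

gcloud projects create "$PROJECT_ID"

echo "https://console.cloud.google.com/marketplace/product/google/secretmanager.googleapis.com?project=$PROJECT_ID"

# Open the output URL in a browser and enable the API.

# NOTE: `0.0.0.0/0` authorizes connections from any IPv4 address so the
# demo can reach the instance from wherever it runs. That is tolerable
# only because the project is destroyed at the end; for anything
# longer-lived, restrict it to your own egress address (e.g. `<YOUR_IP>/32`).
gcloud sql instances create my-db --tier db-f1-micro \
    --database-version POSTGRES_14 --region us-east1 \
    --project "$PROJECT_ID" --authorized-networks "0.0.0.0/0"

# NOTE: a password given on the command line ends up in shell history
# and is visible in process listings while the command runs. Acceptable
# for this demo-only value; otherwise prefer `--prompt-for-password`.
gcloud sql users set-password postgres --instance my-db \
    --password IWillNeverTell --project "$PROJECT_ID"

# Assignment and export are separate so a failing `gcloud` is not
# masked by a successful `export`.
DB_HOST="$(gcloud sql instances describe my-db \
    --format="value(ipAddresses[0].ipAddress)" \
    --project "$PROJECT_ID")"
export DB_HOST

# `printf '%s'` writes the value with no trailing newline, so the stored
# secret is exactly the value (a stray newline would otherwise become
# part of the host, user or password the app later reads).
printf '%s' "$DB_HOST" | gcloud secrets create my-db-host \
    --project "$PROJECT_ID" --data-file -

printf '%s' postgres | gcloud secrets create my-db-user \
    --project "$PROJECT_ID" --data-file -

printf '%s' IWillNeverTell | gcloud secrets create my-db-password \
    --project "$PROJECT_ID" --data-file -

# Point each Teller provider entry in `my-db.yaml` at the secret version
# just created in this project.
yq --inplace \
    ".providers.google_secretmanager.env.DB_ENDPOINT.path = \"projects/$PROJECT_ID/secrets/my-db-host/versions/1\"" \
    my-db.yaml

yq --inplace \
    ".providers.google_secretmanager.env.DB_USER.path = \"projects/$PROJECT_ID/secrets/my-db-user/versions/1\"" \
    my-db.yaml

yq --inplace \
    ".providers.google_secretmanager.env.DB_PASSWORD.path = \"projects/$PROJECT_ID/secrets/my-db-password/versions/1\"" \
    my-db.yaml

# Install Go if you do not have it already.

#######################################
# Secrets From a Terminal With Teller #
#######################################

# The Teller config: which provider to read from and which secret maps
# to which environment variable.
cat my-db.yaml

teller show --config my-db.yaml

teller env --config my-db.yaml

# `eval` executes whatever `teller env` prints. The config file decides
# which secrets land in this shell's environment, so review it first
# (the `cat` above) before evaluating its output.
eval "$(teller env --config my-db.yaml)"

# Prints the password to the terminal (and its scrollback); it is here
# only to confirm the variables were populated.
echo "$DB_ENDPOINT" "$DB_USER" "$DB_PASSWORD"

###########################################
# Secrets For App Development With Teller #
###########################################

# Runs with the variables exported by the `eval` above.
go run .

# Open a second terminal session

# In the second terminal session

curl http://localhost:8080/videos

# In the first terminal session

# Press `ctrl+c`

# In the first terminal session

# `teller run` injects the secrets only into the child process's
# environment, so nothing needs to be exported in the shell itself.
teller run --config my-db.yaml env

# In the first terminal session

teller run --config my-db.yaml go run .

# In the second terminal session

curl http://localhost:8080/videos

# In the second terminal session

exit

# Press `ctrl+c`

##################################
# Secrets For Docker With Teller #
##################################

# First run: no secrets passed, so the app has no database settings.
docker container run --name silly-demo --detach \
    --publish 8080:8080 c8n.io/vfarcic/silly-demo:1.4.39

curl http://localhost:8080/videos

docker container rm silly-demo --force

teller env --config my-db.yaml

# Process substitution hands `teller env` output to `--env-file` through
# a /dev/fd path, so the secrets are written neither to a file on disk
# nor onto the `docker` command line.
docker container run --name silly-demo --detach \
    --publish 8080:8080 \
    --env-file <(teller env --config my-db.yaml) \
    c8n.io/vfarcic/silly-demo:1.4.39

curl http://localhost:8080/videos

docker container rm silly-demo --force

#############################
# There's More To Teller... #
#############################

cat all.yaml

# Replace `vfarcic` with a project of yours that contains
# secrets.

# teller env --config all.yaml

teller show --config all.yaml

# Opens a subshell with the secrets already in its environment.
teller sh --config my-db.yaml

# Scans the working tree for values of the configured secrets.
teller scan --config all.yaml

# `--silent` suppresses the findings; the exit status printed next is
# what carries the result (the form you would use in CI).
teller scan --config all.yaml --silent

echo $?

# Redacts known secret values from piped text before it reaches logs.
echo "IWillNeverTell should not appear in logs" \
    | teller redact --config my-db.yaml

###########
# Destroy #
###########

# Refuse to run the non-interactive delete with an empty project ID.
: "${PROJECT_ID:?PROJECT_ID is not set}"

gcloud projects delete "$PROJECT_ID" --quiet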