Merge pull request #56 from FabianHardt/fix/ckad-001-q10

2026-05-06 00:26:41 +00:00 · 2026-04-04 07:48:33 +05:30
parent b53d281fc7 70c1a5e55c
commit 199f4be4f4
6 changed files with 25 additions and 15 deletions
--- a/facilitator/assets/exams/ckad/001/answers.md
+++ b/facilitator/assets/exams/ckad/001/answers.md
@@ -249,11 +249,11 @@ Save as `config-pod.yaml` and apply:
 kubectl apply -f config-pod.yaml
 ```

-## Question 10: Create a Secret named 'db-credentials' in namespace 'workloads' containing username=admin and password=securepass. Then create a Pod named 'secure-pod' using 'mysql:5.7' image with these credentials set as environment variables DB_USER and DB_PASSWORD
+## Question 10: Create a Secret named 'db-credentials' in namespace 'workloads' containing username=admin, random=true and password=securepass. Then create a Pod named 'secure-pod' using 'mysql:9.5.0' image with these credentials set as environment variables DB_USER, MYSQL_RANDOM_ROOT_PASSWORD and DB_PASSWORD

 ```bash
 # Create the Secret
-kubectl create secret generic db-credentials -n workloads --from-literal=username=admin --from-literal=password=securepass
+kubectl create secret generic db-credentials -n workloads --from-literal=username=admin --from-literal=password=securepass --from-literal=random=true
 ```

 Create the Pod with Secret environment variables:
@@ -266,7 +266,7 @@ metadata:
 spec:
  containers:
  - name: mysql
-    image: mysql:latest
+    image: mysql:9.5.0
    env:
    - name: DB_USER
      valueFrom:
@@ -278,11 +278,11 @@ spec:
        secretKeyRef:
          name: db-credentials
          key: password
-    - name: MYSQL_ROOT_PASSWORD
+    - name: MYSQL_RANDOM_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-credentials
-          key: password
+          key: random
  restartPolicy: Always
 ```

--- a/facilitator/assets/exams/ckad/001/assessment.json
+++ b/facilitator/assets/exams/ckad/001/assessment.json
@@ -274,7 +274,7 @@
            "id": "10",
            "namespace": "workloads",
            "machineHostname": "ckad9999",
-            "question": "The database team needs to securely deploy a MySQL instance with proper credential management. \n\nCreate a Secret named `db-credentials` in namespace `workloads` containing two sensitive values: `username=admin` and `password=securepass`. \n\nThen create a Pod named `secure-pod` using the `mysql:5.7` image that uses these credentials. \n\nConfigure the pod to access the Secret values as environment variables named `DB_USER` and `DB_PASSWORD` respectively. \n\nThis pattern demonstrates secure handling of sensitive information in Kubernetes without hardcoding credentials in the pod specification. Ensure the MySQL container is properly configured to use these environment variables for authentication.",
+            "question": "The database team needs to securely deploy a MySQL instance with proper credential management. \n\nCreate a Secret named `db-credentials` in namespace `workloads` containing three sensitive values: `username=admin`, `random=true` and `password=securepass`. \n\nThen create a Pod named `secure-pod` using the `mysql:9.5.0` image that uses these credentials. \n\nConfigure the pod to access the Secret values as environment variables named `DB_USER`, `MYSQL_RANDOM_ROOT_PASSWORD` and `DB_PASSWORD` respectively. \n\nThis pattern demonstrates secure handling of sensitive information in Kubernetes without hardcoding credentials in the pod specification. Ensure the MySQL container is properly configured to use these environment variables for authentication.",
            "concepts": ["secrets", "pods", "environment-variables", "mysql"],
            "verification": [
                {
--- a/facilitator/assets/exams/ckad/001/scripts/validation/q10_s1_validate_secret.sh
+++ b/facilitator/assets/exams/ckad/001/scripts/validation/q10_s1_validate_secret.sh
@@ -3,13 +3,14 @@
 # Validate if the Secret 'db-credentials' exists in the 'workloads' namespace with correct data
 USERNAME=$(kubectl get secret db-credentials -n workloads -o jsonpath='{.data.username}' 2>/dev/null | base64 --decode)
 PASSWORD=$(kubectl get secret db-credentials -n workloads -o jsonpath='{.data.password}' 2>/dev/null | base64 --decode)
+RANDOM=$(kubectl get secret db-credentials -n workloads -o jsonpath='{.data.random}' 2>/dev/null | base64 --decode)

-if [ "$USERNAME" = "admin" ] && [ "$PASSWORD" = "securepass" ]; then
+if [ "$USERNAME" = "admin" ] && [ "$PASSWORD" = "securepass" ] && [ "$RANDOM" = "true" ]; then
    echo "Success: Secret 'db-credentials' exists with correct data"
    exit 0
 else
    echo "Error: Secret 'db-credentials' does not have the correct data."
-    echo "Expected: username=admin, password=securepass"
-    echo "Found: username=$USERNAME, password=$PASSWORD"
+    echo "Expected: username=admin, password=securepass, random=true"
+    echo "Found: username=$USERNAME, password=$PASSWORD, random=$RANDOM"
    exit 1
-fi 
+fi
--- a/facilitator/assets/exams/ckad/001/scripts/validation/q10_s3_validate_pod_env_vars.sh
+++ b/facilitator/assets/exams/ckad/001/scripts/validation/q10_s3_validate_pod_env_vars.sh
@@ -8,6 +8,7 @@ NAMESPACE="workloads"
 EXPECTED_SECRET="db-credentials"
 EXPECTED_USER_KEY="username"
 EXPECTED_PASSWORD_KEY="password"
+EXPECTED_RANDOM_KEY="random"

 # Extract secret name and key used for DB_USER
 DB_USER_SECRET=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.containers[0].env[?(@.name=='DB_USER')].valueFrom.secretKeyRef.name}")
@@ -17,9 +18,14 @@ DB_USER_KEY=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.co
 DB_PASSWORD_SECRET=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.containers[0].env[?(@.name=='DB_PASSWORD')].valueFrom.secretKeyRef.name}")
 DB_PASSWORD_KEY=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.containers[0].env[?(@.name=='DB_PASSWORD')].valueFrom.secretKeyRef.key}")

+# Extract secret name and key used for MYSQL_RANDOM_ROOT_PASSWORD
+MYSQL_RANDOM_ROOT_PASSWORD_SECRET=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.containers[0].env[?(@.name=='MYSQL_RANDOM_ROOT_PASSWORD')].valueFrom.secretKeyRef.name}")
+MYSQL_RANDOM_ROOT_PASSWORD_KEY=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.containers[0].env[?(@.name=='MYSQL_RANDOM_ROOT_PASSWORD')].valueFrom.secretKeyRef.key}")
+
 # Validate all
 if [[ "$DB_USER_SECRET" == "$EXPECTED_SECRET" && "$DB_USER_KEY" == "$EXPECTED_USER_KEY" &&
-      "$DB_PASSWORD_SECRET" == "$EXPECTED_SECRET" && "$DB_PASSWORD_KEY" == "$EXPECTED_PASSWORD_KEY" ]]; then
+      "$DB_PASSWORD_SECRET" == "$EXPECTED_SECRET" && "$DB_PASSWORD_KEY" == "$EXPECTED_PASSWORD_KEY" &&
+      "$MYSQL_RANDOM_ROOT_PASSWORD_SECRET" == "$EXPECTED_SECRET" && "$MYSQL_RANDOM_ROOT_PASSWORD_KEY" == "$EXPECTED_RANDOM_KEY" ]]; then
    echo "✅ Success: Pod '$POD_NAME' has correct secret name and keys for env variables"
    exit 0
 else
--- a/facilitator/assets/exams/ckad/002/answers.md
+++ b/facilitator/assets/exams/ckad/002/answers.md
@@ -62,6 +62,9 @@ spec:
    volumeMounts:
    - name: log-volume
      mountPath: /var/log
+    - name: log-volume
+      mountPath: /var/log/nginx
+      subPath: nginx
  - name: sidecar-container
    image: busybox
    command: ['sh', '-c', 'while true; do echo $(date) >> /var/log/app.log; sleep 5; done']
--- a/facilitator/assets/exams/ckad/002/scripts/validation/q2_s4_validate_shared_volume.sh
+++ b/facilitator/assets/exams/ckad/002/scripts/validation/q2_s4_validate_shared_volume.sh
@@ -6,10 +6,10 @@ VOLUME_NAME=$(kubectl get pod multi-container-pod -n multi-container -o jsonpath

 if [[ "$VOLUME_NAME" == "log-volume" ]]; then
    # Volume exists, now check if it's mounted in both containers
-    MAIN_CONTAINER_MOUNT=$(kubectl get pod multi-container-pod -n multi-container -o jsonpath='{.spec.containers[?(@.name=="main-container")].volumeMounts[?(@.name=="log-volume")].mountPath}' 2>/dev/null)
+    MAIN_CONTAINER_MOUNT=$(kubectl get pod multi-container-pod -n multi-container -o jsonpath='{.spec.containers[?(@.name=="main-container")].volumeMounts[?(@.name=="log-volume")]}' 2>/dev/null)
    SIDECAR_CONTAINER_MOUNT=$(kubectl get pod multi-container-pod -n multi-container -o jsonpath='{.spec.containers[?(@.name=="sidecar-container")].volumeMounts[?(@.name=="log-volume")].mountPath}' 2>/dev/null)
-    
-    if [[ "$MAIN_CONTAINER_MOUNT" == "/var/log" && "$SIDECAR_CONTAINER_MOUNT" == "/var/log" ]]; then
+
+    if [[ "$MAIN_CONTAINER_MOUNT" == *"/var/log"* && "$SIDECAR_CONTAINER_MOUNT" == "/var/log" ]]; then
        # Both containers have the volume mounted at the correct path
        exit 0
    else
@@ -21,4 +21,4 @@ if [[ "$VOLUME_NAME" == "log-volume" ]]; then
 else
    echo "Volume 'log-volume' does not exist in pod 'multi-container-pod'"
    exit 1
-fi 
+fi