github/CK-X
1
0
Fork 0
mirror of https://github.com/sailor-sh/CK-X.git synced 2026-05-16 05:26:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix q10, make it clearer for students

Browse Source
This commit is contained in:
Fabian Hardt
2025-12-11 17:41:34 +01:00
parent fb2bc9a77f
commit e644990749
4 changed files with 17 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
facilitator/assets/exams/ckad/001/answers.md
View File

@@ -249,11 +249,11 @@ Save as `config-pod.yaml` and apply:
kubectl apply -f config-pod.yaml
```
## Question 10: Create a Secret named 'db-credentials' in namespace 'workloads' containing username=admin and password=securepass. Then create a Pod named 'secure-pod' using 'mysql:5.7' image with these credentials set as environment variables DB_USER and DB_PASSWORD
## Question 10: Create a Secret named 'db-credentials' in namespace 'workloads' containing username=admin, random=true and password=securepass. Then create a Pod named 'secure-pod' using 'mysql:9.5.0' image with these credentials set as environment variables DB_USER, MYSQL_RANDOM_ROOT_PASSWORD and DB_PASSWORD
```bash
# Create the Secret
kubectl create secret generic db-credentials -n workloads --from-literal=username=admin --from-literal=password=securepass
kubectl create secret generic db-credentials -n workloads --from-literal=username=admin --from-literal=password=securepass --from-literal=random=true
```
Create the Pod with Secret environment variables:
@@ -278,11 +278,11 @@ spec:
secretKeyRef:
name: db-credentials
key: password
- name: MYSQL_ROOT_PASSWORD
- name: MYSQL_RANDOM_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: db-credentials
key: password
key: random
restartPolicy: Always
```

2
facilitator/assets/exams/ckad/001/assessment.json
View File

@@ -274,7 +274,7 @@
"id": "10",
"namespace": "workloads",
"machineHostname": "ckad9999",
"question": "The database team needs to securely deploy a MySQL instance with proper credential management. \n\nCreate a Secret named `db-credentials` in namespace `workloads` containing two sensitive values: `username=admin` and `password=securepass`. \n\nThen create a Pod named `secure-pod` using the `mysql:5.7` image that uses these credentials. \n\nConfigure the pod to access the Secret values as environment variables named `DB_USER` and `DB_PASSWORD` respectively. \n\nThis pattern demonstrates secure handling of sensitive information in Kubernetes without hardcoding credentials in the pod specification. Ensure the MySQL container is properly configured to use these environment variables for authentication.",
"question": "The database team needs to securely deploy a MySQL instance with proper credential management. \n\nCreate a Secret named `db-credentials` in namespace `workloads` containing three sensitive values: `username=admin`, `random=true` and `password=securepass`. \n\nThen create a Pod named `secure-pod` using the `mysql:9.5.0` image that uses these credentials. \n\nConfigure the pod to access the Secret values as environment variables named `DB_USER`, `MYSQL_RANDOM_ROOT_PASSWORD` and `DB_PASSWORD` respectively. \n\nThis pattern demonstrates secure handling of sensitive information in Kubernetes without hardcoding credentials in the pod specification. Ensure the MySQL container is properly configured to use these environment variables for authentication.",
"concepts": ["secrets", "pods", "environment-variables", "mysql"],
"verification": [
{

9
facilitator/assets/exams/ckad/001/scripts/validation/q10_s1_validate_secret.sh
View File

@@ -3,13 +3,14 @@
# Validate if the Secret 'db-credentials' exists in the 'workloads' namespace with correct data
USERNAME=$(kubectl get secret db-credentials -n workloads -o jsonpath='{.data.username}' 2>/dev/null | base64 --decode)
PASSWORD=$(kubectl get secret db-credentials -n workloads -o jsonpath='{.data.password}' 2>/dev/null | base64 --decode)
RANDOM=$(kubectl get secret db-credentials -n workloads -o jsonpath='{.data.random}' 2>/dev/null | base64 --decode)
if [ "$USERNAME" = "admin" ] && [ "$PASSWORD" = "securepass" ]; then
if [ "$USERNAME" = "admin" ] && [ "$PASSWORD" = "securepass" ] && [ "$RANDOM" = "true" ]; then
echo "Success: Secret 'db-credentials' exists with correct data"
exit 0
else
echo "Error: Secret 'db-credentials' does not have the correct data."
echo "Expected: username=admin, password=securepass"
echo "Found: username=$USERNAME, password=$PASSWORD"
echo "Expected: username=admin, password=securepass, random=true"
echo "Found: username=$USERNAME, password=$PASSWORD, random=$RANDOM"
exit 1
fi
fi

8
facilitator/assets/exams/ckad/001/scripts/validation/q10_s3_validate_pod_env_vars.sh
View File

@@ -8,6 +8,7 @@ NAMESPACE="workloads"
EXPECTED_SECRET="db-credentials"
EXPECTED_USER_KEY="username"
EXPECTED_PASSWORD_KEY="password"
EXPECTED_RANDOM_KEY="random"
# Extract secret name and key used for DB_USER
DB_USER_SECRET=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.containers[0].env[?(@.name=='DB_USER')].valueFrom.secretKeyRef.name}")
@@ -17,9 +18,14 @@ DB_USER_KEY=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.co
DB_PASSWORD_SECRET=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.containers[0].env[?(@.name=='DB_PASSWORD')].valueFrom.secretKeyRef.name}")
DB_PASSWORD_KEY=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.containers[0].env[?(@.name=='DB_PASSWORD')].valueFrom.secretKeyRef.key}")
# Extract secret name and key used for MYSQL_RANDOM_ROOT_PASSWORD
MYSQL_RANDOM_ROOT_PASSWORD_SECRET=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.containers[0].env[?(@.name=='MYSQL_RANDOM_ROOT_PASSWORD')].valueFrom.secretKeyRef.name}")
MYSQL_RANDOM_ROOT_PASSWORD_KEY=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.containers[0].env[?(@.name=='MYSQL_RANDOM_ROOT_PASSWORD')].valueFrom.secretKeyRef.key}")
# Validate all
if [[ "$DB_USER_SECRET" == "$EXPECTED_SECRET" && "$DB_USER_KEY" == "$EXPECTED_USER_KEY" &&
"$DB_PASSWORD_SECRET" == "$EXPECTED_SECRET" && "$DB_PASSWORD_KEY" == "$EXPECTED_PASSWORD_KEY" ]]; then
"$DB_PASSWORD_SECRET" == "$EXPECTED_SECRET" && "$DB_PASSWORD_KEY" == "$EXPECTED_PASSWORD_KEY" &&
"$MYSQL_RANDOM_ROOT_PASSWORD_SECRET" == "$EXPECTED_SECRET" && "$MYSQL_RANDOM_ROOT_PASSWORD_KEY" == "$EXPECTED_RANDOM_KEY" ]]; then
echo "✅ Success: Pod '$POD_NAME' has correct secret name and keys for env variables"
exit 0
else