From e64499074920426c65808d7748af9970fecae7a3 Mon Sep 17 00:00:00 2001
From: Fabian Hardt <fabian.hardt@opitz-consulting.com>
Date: Thu, 11 Dec 2025 17:41:34 +0100
Subject: [PATCH] fix q10, make it clearer for students

---
 facilitator/assets/exams/ckad/001/answers.md             | 8 ++++----
 facilitator/assets/exams/ckad/001/assessment.json        | 2 +-
 .../001/scripts/validation/q10_s1_validate_secret.sh     | 9 +++++----
 .../scripts/validation/q10_s3_validate_pod_env_vars.sh   | 8 +++++++-
 4 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/facilitator/assets/exams/ckad/001/answers.md b/facilitator/assets/exams/ckad/001/answers.md
index 4add7da..8f360e0 100644
--- a/facilitator/assets/exams/ckad/001/answers.md
+++ b/facilitator/assets/exams/ckad/001/answers.md
@@ -249,11 +249,11 @@ Save as `config-pod.yaml` and apply:
 kubectl apply -f config-pod.yaml
 ```
 
-## Question 10: Create a Secret named 'db-credentials' in namespace 'workloads' containing username=admin and password=securepass. Then create a Pod named 'secure-pod' using 'mysql:5.7' image with these credentials set as environment variables DB_USER and DB_PASSWORD
+## Question 10: Create a Secret named 'db-credentials' in namespace 'workloads' containing username=admin, random=true and password=securepass. Then create a Pod named 'secure-pod' using 'mysql:9.5.0' image with these credentials set as environment variables DB_USER, MYSQL_RANDOM_ROOT_PASSWORD and DB_PASSWORD
 
 ```bash
 # Create the Secret
-kubectl create secret generic db-credentials -n workloads --from-literal=username=admin --from-literal=password=securepass
+kubectl create secret generic db-credentials -n workloads --from-literal=username=admin --from-literal=password=securepass --from-literal=random=true
 ```
 
 Create the Pod with Secret environment variables:
@@ -278,11 +278,11 @@ spec:
         secretKeyRef:
           name: db-credentials
           key: password
-    - name: MYSQL_ROOT_PASSWORD
+    - name: MYSQL_RANDOM_ROOT_PASSWORD
       valueFrom:
         secretKeyRef:
           name: db-credentials
-          key: password
+          key: random
   restartPolicy: Always
 ```
 
diff --git a/facilitator/assets/exams/ckad/001/assessment.json b/facilitator/assets/exams/ckad/001/assessment.json
index e4f75f4..27664f2 100644
--- a/facilitator/assets/exams/ckad/001/assessment.json
+++ b/facilitator/assets/exams/ckad/001/assessment.json
@@ -274,7 +274,7 @@
             "id": "10",
             "namespace": "workloads",
             "machineHostname": "ckad9999",
-            "question": "The database team needs to securely deploy a MySQL instance with proper credential management. \n\nCreate a Secret named `db-credentials` in namespace `workloads` containing two sensitive values: `username=admin` and `password=securepass`. \n\nThen create a Pod named `secure-pod` using the `mysql:5.7` image that uses these credentials. \n\nConfigure the pod to access the Secret values as environment variables named `DB_USER` and `DB_PASSWORD` respectively. \n\nThis pattern demonstrates secure handling of sensitive information in Kubernetes without hardcoding credentials in the pod specification. Ensure the MySQL container is properly configured to use these environment variables for authentication.",
+            "question": "The database team needs to securely deploy a MySQL instance with proper credential management. \n\nCreate a Secret named `db-credentials` in namespace `workloads` containing three sensitive values: `username=admin`, `random=true` and `password=securepass`. \n\nThen create a Pod named `secure-pod` using the `mysql:9.5.0` image that uses these credentials. \n\nConfigure the pod to access the Secret values as environment variables named `DB_USER`, `MYSQL_RANDOM_ROOT_PASSWORD` and `DB_PASSWORD` respectively. \n\nThis pattern demonstrates secure handling of sensitive information in Kubernetes without hardcoding credentials in the pod specification. Ensure the MySQL container is properly configured to use these environment variables for authentication.",
             "concepts": ["secrets", "pods", "environment-variables", "mysql"],
             "verification": [
                 {
diff --git a/facilitator/assets/exams/ckad/001/scripts/validation/q10_s1_validate_secret.sh b/facilitator/assets/exams/ckad/001/scripts/validation/q10_s1_validate_secret.sh
index bfd5e43..4e65620 100755
--- a/facilitator/assets/exams/ckad/001/scripts/validation/q10_s1_validate_secret.sh
+++ b/facilitator/assets/exams/ckad/001/scripts/validation/q10_s1_validate_secret.sh
@@ -3,13 +3,14 @@
 # Validate if the Secret 'db-credentials' exists in the 'workloads' namespace with correct data
 USERNAME=$(kubectl get secret db-credentials -n workloads -o jsonpath='{.data.username}' 2>/dev/null | base64 --decode)
 PASSWORD=$(kubectl get secret db-credentials -n workloads -o jsonpath='{.data.password}' 2>/dev/null | base64 --decode)
+RANDOM=$(kubectl get secret db-credentials -n workloads -o jsonpath='{.data.random}' 2>/dev/null | base64 --decode)
 
-if [ "$USERNAME" = "admin" ] && [ "$PASSWORD" = "securepass" ]; then
+if [ "$USERNAME" = "admin" ] && [ "$PASSWORD" = "securepass" ] && [ "$RANDOM" = "true" ]; then
     echo "Success: Secret 'db-credentials' exists with correct data"
     exit 0
 else
     echo "Error: Secret 'db-credentials' does not have the correct data."
-    echo "Expected: username=admin, password=securepass"
-    echo "Found: username=$USERNAME, password=$PASSWORD"
+    echo "Expected: username=admin, password=securepass, random=true"
+    echo "Found: username=$USERNAME, password=$PASSWORD, random=$RANDOM"
     exit 1
-fi 
\ No newline at end of file
+fi
\ No newline at end of file
diff --git a/facilitator/assets/exams/ckad/001/scripts/validation/q10_s3_validate_pod_env_vars.sh b/facilitator/assets/exams/ckad/001/scripts/validation/q10_s3_validate_pod_env_vars.sh
index 4173ce4..e9acd30 100644
--- a/facilitator/assets/exams/ckad/001/scripts/validation/q10_s3_validate_pod_env_vars.sh
+++ b/facilitator/assets/exams/ckad/001/scripts/validation/q10_s3_validate_pod_env_vars.sh
@@ -8,6 +8,7 @@ NAMESPACE="workloads"
 EXPECTED_SECRET="db-credentials"
 EXPECTED_USER_KEY="username"
 EXPECTED_PASSWORD_KEY="password"
+EXPECTED_RANDOM_KEY="random"
 
 # Extract secret name and key used for DB_USER
 DB_USER_SECRET=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.containers[0].env[?(@.name=='DB_USER')].valueFrom.secretKeyRef.name}")
@@ -17,9 +18,14 @@ DB_USER_KEY=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.co
 DB_PASSWORD_SECRET=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.containers[0].env[?(@.name=='DB_PASSWORD')].valueFrom.secretKeyRef.name}")
 DB_PASSWORD_KEY=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.containers[0].env[?(@.name=='DB_PASSWORD')].valueFrom.secretKeyRef.key}")
 
+# Extract secret name and key used for MYSQL_RANDOM_ROOT_PASSWORD
+MYSQL_RANDOM_ROOT_PASSWORD_SECRET=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.containers[0].env[?(@.name=='MYSQL_RANDOM_ROOT_PASSWORD')].valueFrom.secretKeyRef.name}")
+MYSQL_RANDOM_ROOT_PASSWORD_KEY=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath="{.spec.containers[0].env[?(@.name=='MYSQL_RANDOM_ROOT_PASSWORD')].valueFrom.secretKeyRef.key}")
+
 # Validate all
 if [[ "$DB_USER_SECRET" == "$EXPECTED_SECRET" && "$DB_USER_KEY" == "$EXPECTED_USER_KEY" &&
-      "$DB_PASSWORD_SECRET" == "$EXPECTED_SECRET" && "$DB_PASSWORD_KEY" == "$EXPECTED_PASSWORD_KEY" ]]; then
+      "$DB_PASSWORD_SECRET" == "$EXPECTED_SECRET" && "$DB_PASSWORD_KEY" == "$EXPECTED_PASSWORD_KEY" &&
+      "$MYSQL_RANDOM_ROOT_PASSWORD_SECRET" == "$EXPECTED_SECRET" && "$MYSQL_RANDOM_ROOT_PASSWORD_KEY" == "$EXPECTED_RANDOM_KEY" ]]; then
     echo "✅ Success: Pod '$POD_NAME' has correct secret name and keys for env variables"
     exit 0
 else