multipass launch -m2G -c2 -d5G -n "k8scp" lts --network "en0" wget https://cm.lf.training/LFS258/LFS258_V2023-09-14_SOLUTIONS.tar.xz --user=LFtraining --password=Penguin2014
tar -xvf LFS258_V2023-09-14_SOLUTIONS.tar.xz
Guy Barros GuyBarros
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| export VAULT_ADDR=https://localhost:8200 | |
| export VAULT_TOKEN=root | |
| CHILD_CA=admin/kms | |
| # Root CA | |
| vault secrets enable -path=pki_root pki | |
| # tune to 10 years | |
| vault secrets tune -max-lease-ttl=87600h pki_root | |
| # Generate internal certificate |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "vault_mount" "ca_root" { | |
| path = "ca_root" | |
| type = "pki" | |
| max_lease_ttl_seconds = 315360000 # 10 years | |
| } | |
| resource "vault_pki_secret_backend_root_cert" "ca_root" { | |
| backend = vault_mount.ca_root.path |
GuyBarros
/ vault-non-disruptive-pki-rotation_sh
Created
December 16, 2022 15:25
vault 1.11+ non disruptive pki rotation example script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env zsh | |
| ########### | |
| # Root CA # | |
| ########### | |
| vault secrets enable pki | |
| vault secrets tune -max-lease-ttl=87600h pki |
GuyBarros
/ vault_ldap.tf
Created
September 26, 2022 14:54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "vault_mount" "ldap" { | |
| path = "ldap" | |
| type = "openldap" | |
| description = "LDAP Secret Engine" | |
| } | |
| resource "vault_generic_endpoint" "openldapconfig" { | |
| depends_on = [vault_mount.ldap] | |
| path = "${vault_mount.ldap.path}/config" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Executing the command below will bring a list of entities , their auth method and their id: | |
| Export VAULT_ADDR=https://<Vault_address>:8200 | |
| export VAULT_TOKEN=<Vault_token> | |
| export VAULT_NAMESPACE=<Vault_namespace> |
GuyBarros
/ MY_TLS_LOGIN_SETUP
Created
April 29, 2021 10:44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################################ start ################################################# | |
| ############################### | |
| export VAULT_ADDR=https://vault.hashidemos.io:8200 | |
| export VAULT_TOKEN=s.evX | |
| # Set up the PKI Secret Engine | |
| ############################### | |
| ## Root CA Mount |
GuyBarros
/ jenkins_create_approle_secret
Created
February 9, 2021 12:41
script to create approle credential
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import hudson.util.Secret | |
| import com.datapipe.jenkins.vault.credentials.* | |
| import com.cloudbees.plugins.credentials.impl.* | |
| import com.cloudbees.plugins.credentials.* | |
| import com.cloudbees.plugins.credentials.domains.* | |
| | |
| | |
| VaultAppRoleCredential customCredential = new VaultAppRoleCredential( | |
| CredentialsScope.GLOBAL, | |
| 'custom-credential', |
GuyBarros
/ hashicorp-vault-helm-values.yaml
Created
November 2, 2020 17:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global: | |
| # enabled is the master enabled switch. Setting this to true or false | |
| # will enable or disable all the components within this chart by default. | |
| enabled: true | |
| # TLS for end-to-end encrypted transport | |
| tlsDisable: true | |
| # If deploying to OpenShift | |
| psp: | |
| enable: false |
GuyBarros
/ vault4pfx.hcl
Created
December 18, 2019 15:43
A TFScript to connect to Vault , generate a PKI cert and use that cert as the seed for a pfx file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| variable "vault_host" { | |
| description = "Vault hostname" | |
| default = "vault.ric-lnd-stack.ric.aws.hashidemos.io" | |
| } | |
| terraform { | |
| backend "remote" { | |
| organization = "hc-emea-sentinel-demo" | |
| workspaces { | |
| name = "vault-integration" | |
| } |
NewerOlder