Graham Land allthingsclowd

allthingsclowd /
Last active January 10, 2020 14:13
Consul Connect with Envoy and TLS Enabled - Debug

Update - resolved here -> hashicorp/consul#7024

Simple Demo of How to Setup an Envoy Connect Service when Consul is secured with TLS

The goal of this test was to be able to demonstrate a productionised version of a Consul Connect Envoy Service. All online examples today rely on Docker and no TLS - many customers still don't allow Docker in production (I know, unbelievable!). So I was attempting to run the Envoy proxy directly on Ubuntu without Docker.

Deployment Platforms Tested

allthingsclowd /
Last active March 17, 2024 11:39
How to configure SSH Certificate based Authentication - Great for large scale deployment and management of servers

SSH Certificate based Authentication - Quick Guide

| Certificate Authority (CA) Server | Host Server(s) | Client(s) |
| --- | --- | --- |
| This is the server typically managed by a security team. The root CA private keys are held on this server and should be protected. If these keys are compromised it will be necessary to Revoke & Rotate/Recreate ALL Certificates!! | These are the servers that are being built or reprovisioned. The Host CA Signed Certificate is used to prove Host Authenticity to clients. It is sent to the ssh client during the initial handshake when an ssh client attempts to log in. | The user laptop or server that's running the ssh client. The Client CA Signed Certificate is used to prove Client Authenticity to the Host Server |

Host Server Certificate Configuration

Step 1. Create HOST CA signing keys : Example `ssh-keygen -t rsa -N '' -C HOST-CA -b 4096 -f host-ca`

Step 2. Let's generate a fresh set of ssh RSA HOST keys with 4096 bits. Typically the keys are generated by default
allthingsclowd /
Created September 20, 2019 15:10
Example script to create self-signed certs with subject alternate names (SAN)
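```bash
#!/usr/bin/env bash
set -x
# Update a key in a JSON file in place: $1 = file, $2 = jq path, $3 = new value
update_key_in_json_file () {
    cat "${1}"
    mv "${1}" temp.json
    jq -r "${2} |= ${3}" temp.json > "${1}"
    rm temp.json
    cat "${1}"
}
```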
allthingsclowd / GitHubDownloadError.MD
Created June 4, 2019 09:28
Typical Github download error when using freshly built server - How to fix!

Github access via SSH keys

I quite often hit the following issue when building new servers and then trying to download repositories from

graham@leader01:~ $ git clone
Cloning into 'web_page_counter'...
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
allthingsclowd / VaultTransitKeyPolicies.MD
Last active September 27, 2019 11:54
Example of using two separate Hashicorp Vault policies with a transit engine - create transit key policy and a separate read/delete transit key policy


Policy to create, update a transit key and encrypt/decrypt data

name: shared_transit_create
```hcl
path "shared/transit/*" {
```
allthingsclowd /
Created March 25, 2019 20:39
Error Logs From Consul Service Deployment
    leader01: + echo 'Creating factory user to run the factory service'
    leader01: Creating factory user to run the factory service
    leader01: + sudo useradd --system --home /etc/factory.d --shell /bin/false factory
    leader01: + sudo mkdir --parents /opt/factory /usr/local/factory /etc/factory.d
    leader01: + sudo chown --recursive factory:factory /opt/factory /etc/factory.d /usr/local/factory
    leader01: + sudo tee /etc/systemd/system/factory.service
    leader01: ### BEGIN INIT INFO
    leader01: # Provides:          factory
    leader01: # Required-Start:
allthingsclowd /
Last active February 6, 2023 10:24
HashiCorp Vault AWS KMS AutoUnseal Key Rotation Example (all keys are obsolete - just a demo)

A Walk through of Key Rotation of a HashiCorp VAULT cluster using AWS KMS to AutoUnseal

PGP (Keybase) is used to encrypt the recovery keys

Built base environment using HashiCorp's Learn Website

ubuntu@ip-192-168-100-194:~$ export VAULT_ADDR=

ubuntu@ip-192-168-100-194:~$ vault status

Keybase proof

I hereby claim:

  • I am allthingsclowd on github.
  • I am grahamhashicorp on keybase.
  • I have a public key ASCBYpD94kHTzJeVQTLZcB8uP9xRsWgWpHylZtj7JEf7LAo

To claim this, I am signing this object:

vault_approle_demo $ git clone .
Cloning into '.'...
remote: Counting objects: 56, done.
remote: Compressing objects: 100% (42/42), done.
remote: Total 56 (delta 13), reused 52 (delta 12), pack-reused 0
Receiving objects: 100% (56/56), 11.34 KiB | 829.00 KiB/s, done.
Resolving deltas: 100% (13/13), done.
vault_approle_demo $ vagrant up
Bringing machine 'vault01' up with 'virtualbox' provider...
allthingsclowd /
Last active February 16, 2018 18:01
VYOS 1.1.8 Appliance Example for use on Fujitsu Cloud Service K5 IaaS

Deploy a VYOS 1.1.8 Appliance in Fujitsu Cloud Service K5

VYOS 1.1.8 image pre-wrapped for use/import into Fujitsu Cloud Service K5 IaaS

Image Import Process - Using Fujitsu K5 IaaS Portal

  • Log into the Fujitsu K5 IaaS Portal, navigate to storage -> object storage and create a new container to hold the vyos vmdk image

  • Upload the included vyos_1.1.8.vmdk image into the container created above

  • Now select Import/Export -> VMImport, and select the container where the image has just been uploaded and complete the remaining fields