
Alan McGinlay amcginlay

@amcginlay
amcginlay / prepare-pemfiles-for-acm.md
Last active August 9, 2023 13:46
Commands to prepare DigiCert key material for ACM import

Preparing TLSPC PEM files for AWS ACM

Assume we have the cert-chain and private-key files exported from TLSPC via DigiCert (call them my-cert.chain and my-cert.key). How do we prepare them for AWS ACM import?

In this case my-cert.chain is a full chain and my-cert.key is an encrypted private key.

Requirements

As such we need to cope with two requirements:
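The two constraints that matter for this situation come from the ACM import prerequisites: the private key must be unencrypted PEM, and the leaf certificate goes in --certificate on its own while the intermediates (root optional, leaf absent) go in --certificate-chain. The script below is an added example, not code from the gist; it takes the gist's my-cert.chain and my-cert.key, produces the three files the import needs, and checks the usual failure modes (leaf/chain confusion, key still encrypted, key that does not match the leaf). The output names, the ACM_KEY_PASS variable and the helper names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the gist: turn a DigiCert/TLSPC full-chain PEM plus an
# encrypted private key into the three files `aws acm import-certificate` expects.
# Input names my-cert.chain / my-cert.key follow the gist; output names, the
# ACM_KEY_PASS variable and the helper names are this example's own assumptions.
set -eu

# Split a PEM bundle into its first certificate (the leaf) and everything after it
# (the chain). ACM takes the leaf alone in --certificate and the intermediates,
# root optional and leaf absent, in --certificate-chain. Anything before the first
# BEGIN line (e.g. "Bag Attributes" from a PKCS#12 export) is dropped.
split_chain() {
  bundle=$1; leaf=$2; chain=$3
  : > "$leaf"; : > "$chain"
  awk -v leaf="$leaf" -v chain="$chain" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > leaf }
    n >= 2 { print > chain }
  ' "$bundle"
}

# Strip the passphrase: ACM refuses encrypted keys. openssl pkey handles RSA and EC
# keys and writes an unencrypted PKCS#8 "BEGIN PRIVATE KEY" block. The passphrase
# is handed over through the environment (env:) rather than pass: so it never
# appears in the process list, and the output file is created mode 0600.
decrypt_key() {
  in=$1; out=$2
  (umask 077; ACM_KEY_PASS="$3" openssl pkey -in "$in" -passin env:ACM_KEY_PASS -out "$out")
}

cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# True for both PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and legacy ("Proc-Type: 4,ENCRYPTED") keys.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# The key must belong to the leaf: compare SHA-256 digests of the DER public keys.
# This also catches a bundle whose first block is the root rather than the leaf.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Write acm-cert.pem, acm-chain.pem and acm-key.pem into $4 and print the import command.
prepare_for_acm() {
  bundle=$1; enckey=$2; pass=$3; outdir=$4
  mkdir -p "$outdir"
  split_chain "$bundle" "$outdir/acm-cert.pem" "$outdir/acm-chain.pem"
  decrypt_key "$enckey" "$outdir/acm-key.pem" "$pass"
  [ "$(cert_count "$outdir/acm-cert.pem")" -eq 1 ] || { echo "no leaf certificate in $bundle" >&2; return 1; }
  ! key_is_encrypted "$outdir/acm-key.pem" || { echo "key is still encrypted" >&2; return 1; }
  key_matches_cert "$outdir/acm-key.pem" "$outdir/acm-cert.pem" || { echo "private key does not match the leaf" >&2; return 1; }
  # With a genuinely full chain (root included) the leaf verifies against it; if the
  # bundle omits the root, verify with -untrusted acm-chain.pem -CAfile <root> instead.
  openssl verify -CAfile "$outdir/acm-chain.pem" "$outdir/acm-cert.pem" >/dev/null 2>&1 \
    || echo "warning: leaf did not verify against $outdir/acm-chain.pem (root missing?)" >&2
  echo "aws acm import-certificate --certificate fileb://$outdir/acm-cert.pem" \
       "--private-key fileb://$outdir/acm-key.pem --certificate-chain fileb://$outdir/acm-chain.pem"
}

# Usage: ACM_KEY_PASS='...' ./prepare-for-acm.sh my-cert.chain my-cert.key ./acm
if [ -n "${1:-}" ] && [ -n "${ACM_KEY_PASS:-}" ]; then
  prepare_for_acm "$1" "$2" "$ACM_KEY_PASS" "${3:-./acm}"
fi
```

The script prints the aws acm import-certificate command rather than running it, so it can be checked offline first; the decrypted acm-key.pem is sensitive and should be deleted once the import has succeeded.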

@amcginlay
amcginlay / tlspk-helper-agent-install.md
Last active August 8, 2023 08:58
Installing the TLSPK agent without jsctl

Installing the TLSPK agent without jsctl

The steps are as follows.

Lightweight cluster creation

Create a disposable KinD cluster as follows.

nickname=<YOUR_NICKNAME>
@amcginlay
amcginlay / comparing-cert-manager-csi-drivers.md
Last active August 7, 2023 13:34
Comparing cert-manager CSI drivers

Comparing cert-manager CSI drivers

You will see the following cert-manager CSI drivers side-by-side:

Lightweight cluster creation

Create a disposable KinD cluster as follows.

@amcginlay
amcginlay / list-all-running-ec2s.sh
Last active July 26, 2023 14:05
This script lists all running EC2 instances in every enabled region of the current AWS account (describe-regions omits opted-out regions) as CSV.
echo '"region","instance-id","instance-type","tags-name","tags-auto-owner"'
for region in $(aws ec2 describe-regions --query 'Regions[*].[RegionName]' --output text); do
  aws ec2 describe-instances \
    --region "${region}" \
    --filters "Name=instance-state-name,Values=running" \
    --output json | \
  # .Tags is absent on untagged instances: without "// []" jq aborts with "Cannot iterate
  # over null", and a missing Name/auto:owner tag would otherwise drop a CSV column.
  jq --arg region "${region}" -r \
    '.Reservations[].Instances[]
     | [$region, .InstanceId, .InstanceType,
        ((.Tags // []) | map(select(.Key == "Name") | .Value) | first // ""),
        ((.Tags // []) | map(select(.Key == "auto:owner") | .Value) | first // "")]
     | @csv'
done
@amcginlay
amcginlay / list-all-arns.sh
Last active July 26, 2023 10:45
Command for listing the ARNs in the current account that the Resource Groups Tagging API returns (resources that are tagged or have previously been tagged), per enabled region
for region in $(aws ec2 describe-regions --query 'Regions[*].[RegionName]' --output text); do
  # echo "--- ${region} ---"
  # To restrict to one resource type add e.g. --resource-type-filters 'ec2:instance'.
  # A commented-out line must not sit inside a backslash-continued command: the comment
  # swallows its trailing backslash and the remaining options run as a separate command.
  aws resourcegroupstaggingapi get-resources \
    --region "${region}" \
    --query 'ResourceTagMappingList[*].[ResourceARN]' \
    --output text
done
@amcginlay
amcginlay / python-notes.md
Last active June 7, 2023 22:28
python-notes.md

Python Notes

Virtual Environments

Python virtual environments are used to create an isolated environment for Python projects. Each virtual environment has its own set of Python packages installed, separate from the global Python installation.

This helps provide:

  • Dependency management
  • Isolation
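The isolation claim above is easy to check rather than take on trust. The script below is an added example (not part of the notes): it creates a venv, confirms the interpreter reports a prefix distinct from the global installation, drops a constructed module into the venv's site-packages, and shows that only the venv interpreter can import it. The venv directory and module name are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not from the notes: show that a venv is a separate package namespace.
# The venv directory and the module name are whatever the caller passes in.
set -eu

# Create a venv without pip: ensurepip is missing on some minimal images and the
# isolation itself does not depend on it.
make_venv() { python3 -m venv --without-pip "$1"; }

# Where packages installed into this venv live (lib/pythonX.Y/site-packages under it).
venv_site_packages() {
  "$1/bin/python" -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])'
}

# Inside a venv sys.prefix points at the venv while sys.base_prefix still names
# the global installation; equal prefixes mean the interpreter is not a venv.
venv_is_isolated() {
  [ "$("$1/bin/python" -c 'import sys; print(sys.prefix != sys.base_prefix)')" = True ]
}

# Can interpreter $1 import module $2? Prints yes or no.
can_import() { "$1" -c "import $2" >/dev/null 2>&1 && echo yes || echo no; }

# Drop a constructed single-file module into the venv's site-packages only.
install_fake_package() {
  printf 'VERSION = "0.1"\n' > "$(venv_site_packages "$1")/$2.py"
}

# Usage: ./venv-demo.sh .venv demo_only_pkg
if [ -n "${1:-}" ]; then
  make_venv "$1"; install_fake_package "$1" "${2:-demo_only_pkg}"
  echo "venv python imports it: $(can_import "$1/bin/python" "${2:-demo_only_pkg}")"
  echo "global python3 imports it: $(can_import python3 "${2:-demo_only_pkg}")"
fi
```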
@amcginlay
amcginlay / istio-csr-with-tlspk.md
Last active May 5, 2023 19:03
istio-csr-with-tlspk.md

Using istio-csr with TLSPK

Download the tlspk-helper script and istioctl CLI.

curl -fsSLO https://venafi-ecosystem.s3.amazonaws.com/tlspk/v1/tlspk-helper.sh && chmod 700 tlspk-helper.sh
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.17.2 sh -
sudo mv istio-*/bin/istioctl /usr/local/bin

Create a local K8s cluster.

@amcginlay
amcginlay / istio-mvp.md
Last active May 3, 2023 12:04
istio-mvp.md

istio-mvp

Question: What's the absolute minimum I need to show Istio in action?

Create cluster.

kind create cluster --name istio-mvp --image kindest/node:v1.26.3

Install istioctl, run a precheck, install, then check status.

@amcginlay
amcginlay / istio-traffic-shifting.md
Last active April 29, 2023 13:50
istio-traffic-shifting

istio-traffic-shifting

This example shows a meshed app with a single frontend and a pair of backends (blue and green). A VirtualService is created to split the frontend->backend traffic 50/50 between blue and green.

Create cluster.

kind create cluster --name servicemesh --image kindest/node:v1.26.3
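The 50/50 split itself is a weighted route in a VirtualService, with a DestinationRule defining the blue and green subsets by pod label. The script below is an added example, not the gist's own manifests: it generates both objects for arbitrary weights and refuses weights that do not sum to 100, which Istio documents as the expected total. The Service name backend, the default namespace and the version label are assumptions.

```shell
#!/bin/sh
# Added example, not from the gist: emit the DestinationRule + VirtualService that
# split frontend->backend traffic between the blue and green backends. Service name
# "backend", namespace "default" and the "version" label are assumptions.
set -eu

# Print the two manifests for a backend Service whose pods carry version=blue|green.
# Istio expects the weights across a route's destinations to total 100, so check first.
traffic_split_manifests() {
  blue=$1; green=$2
  if [ $((blue + green)) -ne 100 ]; then
    echo "weights must sum to 100 (got $blue + $green)" >&2
    return 1
  fi
  cat <<EOF
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: backend
  namespace: default
spec:
  host: backend.default.svc.cluster.local
  subsets:
  - name: blue
    labels:
      version: blue
  - name: green
    labels:
      version: green
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: backend
  namespace: default
spec:
  hosts:
  - backend.default.svc.cluster.local
  http:
  - route:
    - destination:
        host: backend.default.svc.cluster.local
        subset: blue
      weight: $blue
    - destination:
        host: backend.default.svc.cluster.local
        subset: green
      weight: $green
EOF
}

# Read back the weight assigned to one subset from the generated VirtualService.
weight_for_subset() {
  traffic_split_manifests "$1" "$2" \
    | awk -v s="$3" '$1 == "subset:" && $2 == s { f = 1 } f && $1 == "weight:" { print $2; exit }'
}

# Usage: ./traffic-split.sh 50 50 | kubectl apply -f -
# Then sample the split from the frontend (assumes the backends echo their version):
#   for i in $(seq 20); do kubectl exec deploy/frontend -- curl -s backend; done | sort | uniq -c
if [ -n "${1:-}" ]; then
  traffic_split_manifests "$1" "${2:-$((100 - $1))}"
fi
```

Shifting from blue to green is then a matter of regenerating with 90/10, 50/50, 0/100 and re-applying; the DestinationRule does not change.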

TLSPK Venafi Enhanced Issuer with TLSPC and Vault (v2)

NOTE: v2 of this walkthrough minimizes the use of jsctl and explicitly installs js-operator:v0.0.1-alpha.24 (via Helm), which has built-in support for the latest version of the VenafiEnhancedIssuer/VenafiConnection CRDs.

Terminology:

  • TLSPK: TLS Protect for Kubernetes (previously Jetstack Secure or JSS)
  • TLSPC: TLS Protect Cloud (previously Venafi as a Service or VaaS)
  • TLSP: TLS Protect Data Centre (previously Venafi Trust Protection Platform or TPP)
  • VEI: Venafi Enhanced Issuer (not to be confused with the native cert-manager issuer for Venafi)