Alan McGinlay amcginlay

amcginlay / k8s-vault-pki.md
Last active March 14, 2023 11:54
How to enable PKI in K8s Vault for specified subdomains

Enable Secrets Engine PKI in K8s Vault (dev-mode)

Install Vault

helm repo add hashicorp https://helm.releases.hashicorp.com
helm -n vault install vault hashicorp/vault --create-namespace --set "server.dev.enabled=true"

Start session on Vault pod
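The gist preview stops before the Vault commands themselves. What follows is an added example, not code from the gist, of enabling the PKI secrets engine on the dev-mode pod installed above so that it only signs names under one domain, plus a small offline check of which names the resulting role will accept. The domain `example.com`, the role name `example-dot-com`, and the dev root token `root` (the Helm chart's default for `server.dev`) are assumptions.

```shell
#!/usr/bin/env sh
# Added example: enable Vault's PKI secrets engine for one domain and its
# subdomains on the dev-mode pod installed with the Helm command above.
# Assumptions: the pod is vault-0 in namespace vault, the dev root token
# is "root" (chart default), the domain is example.com.

# Run inside the pod ("kubectl -n vault exec -it vault-0 -- sh"), where
# the chart already sets VAULT_ADDR, or from a workstation with
# VAULT_ADDR pointing at a port-forward.
enable_pki_for_domain() {
  domain=$1            # e.g. example.com
  role=$2              # e.g. example-dot-com
  export VAULT_TOKEN=${VAULT_TOKEN:-root}

  vault secrets enable pki
  vault secrets tune -max-lease-ttl=87600h pki
  # Root CA generated and kept inside Vault: the key never leaves the server.
  vault write -field=certificate pki/root/generate/internal \
    common_name="$domain Root CA" ttl=87600h > root_ca.crt
  vault write pki/config/urls \
    issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/pki/crl"
  # The role is the authorisation boundary: only names under $domain may
  # be issued, the bare domain itself is refused, and leaf TTL is capped.
  vault write "pki/roles/$role" \
    allowed_domains="$domain" \
    allow_subdomains=true \
    allow_bare_domains=false \
    max_ttl=72h
}

# Issue a leaf certificate; Vault refuses names the role does not permit.
issue_cert() {
  vault write -format=json "pki/issue/$2" common_name="$1" ttl=24h
}

# Offline approximation of the role's allowed_domains check, so the policy
# can be reasoned about without a live Vault. Vault's allow_subdomains rule
# is a suffix test on "." + domain; allow_bare_domains admits the domain
# itself. Glob/wildcard role options are deliberately not modelled.
role_permits_name() {
  name=$1; domain=$2; bare=${3:-false}
  case "$name" in
    "$domain") [ "$bare" = true ] ;;
    *".$domain") true ;;
    *) false ;;
  esac
}
```

With the role above, `issue_cert www.example.com example-dot-com` succeeds while `issue_cert example.com.evil.org example-dot-com` is rejected by Vault, because the suffix test requires a literal `.example.com` at the end of the name.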

cert-manager + Vault + TLSPC

The following instructions have been tested on a KinD cluster and use the Venafi Secrets Engine for HashiCorp Vault

install vault (dev mode)

helm repo add hashicorp https://helm.releases.hashicorp.com
helm -n vault install vault hashicorp/vault --create-namespace \
  --set "server.dev.enabled=true" \
  --set "server.extraArgs=-dev-plugin-dir=/vault/plugins/" \

Experiment with KinD, csi-driver and TLS Protect Cloud

Create a KinD cluster

k8s_name=kind-$(date +"%y%m%d%H%M")
cat <<EOF | kind create cluster --config -
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: ${k8s_name}
nodes:
amcginlay / pomerium_okta.md
Last active December 21, 2022 16:09
Okta authentication through the Pomerium Ingress Controller

Okta authentication through the Pomerium Ingress Controller

Okta: Create an App Integration

amcginlay / privileged-ports.sh
Last active December 3, 2022 15:10
Non-root use of port 80
# From https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux
sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80
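A caveat on that one-liner, with an added example that is not part of the gist. Lowering `net.ipv4.ip_unprivileged_port_start` to 80 lets every unprivileged process on the host bind any port from 80 upward, not just the one service you had in mind, and `sysctl -w` does not survive a reboot. The helpers below read the current threshold, check a port against it, persist the setting under /etc/sysctl.d, and show the narrower per-binary alternative of granting CAP_NET_BIND_SERVICE with setcap. The drop-in path /etc/sysctl.d/80-unprivileged-ports.conf and the binary path /usr/local/bin/myserver are assumptions.

```shell
#!/usr/bin/env sh
# Added example around the sysctl one-liner above. The sysctl.d drop-in
# path and the service binary path are illustrative assumptions.

SYSCTL_KEY=net.ipv4.ip_unprivileged_port_start
PROC_PATH=/proc/sys/net/ipv4/ip_unprivileged_port_start

# Current threshold. An optional argument names another file to read from
# (used for offline checks). The kernel default is 1024.
unprivileged_port_start() {
  cat "${1:-$PROC_PATH}" 2>/dev/null || echo 1024
}

# Succeeds if PORT can be bound without CAP_NET_BIND_SERVICE under the
# threshold read from FILE (defaults to the live /proc value).
port_is_unprivileged() {
  port=$1
  start=$(unprivileged_port_start "${2:-}")
  [ "$port" -ge "$start" ]
}

# Host-wide option (what the gist does), made persistent. This affects
# every user and process on the host: any unprivileged program can now
# bind 80, 443 and every other port above the new threshold.
lower_threshold_persistently() {
  start=${1:-80}
  sudo sysctl -w "$SYSCTL_KEY=$start"
  printf '%s = %s\n' "$SYSCTL_KEY" "$start" |
    sudo tee /etc/sysctl.d/80-unprivileged-ports.conf > /dev/null
}

# Per-binary option: only this executable may bind low ports, and only
# while the file capability is present (it is lost when the file is
# replaced, e.g. by a package upgrade, so re-check with getcap).
grant_bind_capability() {
  bin=${1:-/usr/local/bin/myserver}
  sudo setcap 'cap_net_bind_service=+ep' "$bin"
  getcap "$bin"
}
```

In a pod the same knob is exposed as `securityContext.sysctls` (net.ipv4.ip_unprivileged_port_start is in the kubelet's safe set since Kubernetes 1.22), and the per-binary alternative maps to adding NET_BIND_SERVICE to the container's `capabilities`.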
amcginlay / cert.yaml
Last active November 11, 2022 12:33
cert.yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www081050-jetstack-mcginlay-net
spec:
  secretName: www081050-jetstack-mcginlay-net-tls
  dnsNames:
    - www081050.jetstack.mcginlay.net
  issuerRef:
amcginlay / issuer.yaml
Last active October 5, 2023 16:30
issuer.yaml
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: self-signed
spec:
  selfSigned: {}
---
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: accept-all
spec:
  allowed:
    dnsNames:
      values:
        - "*"
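An `accept-all` policy is convenient for a demo, but it approves every CertificateRequest its selector matches, whatever DNS name is requested. As an added example (not part of the gist), the function below applies a scoped replacement: the same self-signed ClusterIssuer, but a CertificateRequestPolicy that only allows names under one zone and is bound to that issuer by selector. The zone `jetstack.mcginlay.net` is taken from the author's other gists on this page; the policy name `jetstack-zone-only` is an assumption. A shell-glob helper approximates which names a `values` pattern admits; approver-policy's own wildcard matching is the authority for edge cases.

```shell
#!/usr/bin/env sh
# Added example: a scoped CertificateRequestPolicy to replace accept-all.
# Assumes cert-manager and approver-policy are installed; the policy name
# and zone are illustrative.

apply_scoped_policy() {
  zone=${1:-jetstack.mcginlay.net}
  kubectl apply -f - <<EOF
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: self-signed
spec:
  selfSigned: {}
---
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: jetstack-zone-only
spec:
  allowed:
    dnsNames:
      values:
        - "*.$zone"
  # Only requests aimed at this issuer are evaluated (and approved) by
  # this policy; other issuers stay unapproved unless another policy matches.
  selector:
    issuerRef:
      name: self-signed
      kind: ClusterIssuer
      group: cert-manager.io
EOF
}

# Shell-glob approximation of the policy's dnsNames check: NAME is allowed
# if it matches at least one PATTERN. A lone "*" is the accept-all case.
policy_allows_name() {
  name=$1; shift
  for pattern in "$@"; do
    # unquoted $pattern is deliberately treated as a glob here
    case "$name" in $pattern) return 0 ;; esac
  done
  return 1
}
```

approver-policy additionally requires an RBAC binding that grants the requesting identity the `use` verb on the named CertificateRequestPolicy; without it the policy is never consulted and requests stay pending.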
amcginlay / kind-cluster-enterprise-tlspk.md
Last active February 16, 2023 11:42
Adding a new cluster to Enterprise Jetstack Secure

Adding clusters to TLS Protect For Kubernetes (TLSPK)

TLSPK Auth

jsctl auth login
jsctl config set organization <ORG_NAME>    # e.g. gallant-wright
jsctl registry auth output 2>&1 > /dev/null # force an image pull secret to be created as necessary

Create a new cluster (KinD)

amcginlay / cert-manager-certificate.yaml
Created October 28, 2022 15:40
cert-manager-certificate.yaml
kubectl -n demos apply -f - << EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-cert-tls
spec:
  dnsNames:
    - demo-cert.jetstack.mcginlay.net
  issuerRef:
    group: cert-manager.io