Chris DeLashmutt cdelashmutt-pivotal

## extract-defaults.rb
require 'yaml'

data_hash = YAML.load_file(ARGV[0])
data_hash["job_types"].each { |job|
  job_name = job["name"]
  resource_hash = {}
  job["resource_definitions"].each { |resdef|
    resource_hash[resdef["name"]] = resdef["default"]
  }
  print job_name, resource_hash

## run-errand.sh
#!/bin/sh
# Example of how to run a single errand in BOSH

# Password is what you set in the web UI when you first set up Ops Manager
ssh tempest@<ops-man-vm-ip>

cd /var/tempest/workspaces/default/deployments

# The actual file you use below depends on the product you want to target
# (usually the Elastic Runtime), and the number of times you have installed.

## Jenkins-CF-Zero-Downtime-Push
PLATFORM='unknown'
UNAMESTR=`uname`
if [[ "$UNAMESTR" == 'Darwin' ]]; then
  platform='Mac'
fi

CF_USER="payment-services"
CF_ORG="payment-services"
CF_SPACE="danger zone"
CF_DOMAIN="apps-np.homedepot.com"

## AppInitializer.java
package io.pivotal.demo.slimwebsocket;

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class AppInitializer
extends AbstractAnnotationConfigDispatcherServletInitializer {

    protected Class<?>[] getRootConfigClasses() { return new Class[] {AppConfig.class};}

    protected Class<?>[] getServletConfigClasses()  { return new Class[] {WebConfig.class, WebSocketConfig.class};}

## rulebase.yml
---
- "Web Profile":
    app_type: java
    file_type: config
    refactor_rating: 0
    description: "Web application config file"
    files:
        - "persistence.xml": { description: "JPA based ORM" }
        - "web.xml"
        - "applicationContext.xml": { description: "Spring application config file" }

## Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :

# Get the IP of the PCF Dev instance and put the Windows cell on the same subnet
# PCFDev creates a host only network in a predictable pattern
subnet = `vboxmanage list hostonlyifs`.split("\n").select { |i| i.start_with?('Name') }.map { |i| i.split(' ')[1] }.sort.reverse![0][7].to_i * 11 + 11
pcfdev_public_ip = ENV['PCFDEV_IP'] || "192.168.#{subnet}.11"
wincell_public_ip = ENV['WIN_PCFDEV_IP'] || "#{pcfdev_public_ip}1"

# Configure the PCFDev instance to support a Windows cell

## get-props.sh
#!/bin/bash

opsman_host_or_ip=YOUR_OPSMAN_IP_OR_HOSTNAME
uaac target "https://$opsman_host_or_ip/uaa" --skip-ssl-validation

uaac token owner get opsman <OPS-MAN-ADMIN-USER>
#Client secret: JUST_PRESS_ENTER
#Password: YOUR_PASSWORD_HERE

access_token=$(uaac context | grep access_token | tr -d " " | cut -d ':' -f 2)

## ISTIO 1.4 on PKS with PSPs.md

      
              8 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                cdelashmutt-pivotal
                / ISTIO 1.4 on PKS with PSPs.md
            
            
              Last active
              December 5, 2019 23:41
                — forked from svrc/ISTIO 1.4 on PKS with PSPs.md
            
              
                Installing Istio 1.4 on PKS with restrictive Pod Security Policy 
              
          
    What does this GIST do or not do


Shows you how to use Istio 1.4 on Kubernetes 1.14+ with a modicum of runtime security for your workloads.
Specifically it installs Istio with CNI support, and allows the use of restrictive PodSecurityPolicies for your workloads.
It is designed for VMware PKS, but doesn't require it ... (just change the CNI bin dir and excluded namespaces in values-cni.yml, also swap the ClusterRole pks-privileged and pks-restricted mentioned throughout these files with your own PSP roles).
It doesn't fix the need for Istio itself to run as root, but that should be fixed in a future Istio release as it's already fixed in trunk.

Prerequisites


You are logged into your cluster as a cluster admin, K8s 1.14 at least


## Get Trusted Certificate Expiry for BOSH via Operations Manager
$(om -t <opsman-host> -u <admin-user> -p <admin-password> curl -s --path /api/v0/deployed/director/manifest | convertfrom-json | select -expand instance_groups | where {$_.name -eq 'bosh'} | select -expand properties | select -expand director | select -expand trusted_certs).Trim() -split '(?<!^)(?=-----BEGIN CERTIFICATE-----)' | where {$_ -ne ''} | foreach {$i=0} { $i++; $certArray = $_.Trim() -split '\n'; $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate; $cert.Import([System.Convert]::FromBase64String(-join $certArray[1..($certArray.Length-2)])); Write-Host "Cert[$i]: $($cert.Subject) - $($cert.GetExpirationDateString())" }

## Create-OpenSSHPubAndPrivateKeys.ps1
<#
.SYNOPSIS
Create an OpenSSH compatible Public and Private Key in pure Powershell
.DESCRIPTION
Many scripts rely on the openssh or openssl tools to be available to generate public and private keys compatible with OpenSSH, but this script relies purely on Powershell (and some .NET classes already included) to generate public and private keys.
.EXAMPLE
PS /git/scripts> ./Create-OpenSSHPubAndPrivateKeys.ps1 -PublicKeyPath my-key.pub -PrivateKeyPath my-key
.LINK
mailto:grog@grogscave.net
#>
	require 'yaml'

	data_hash = YAML.load_file(ARGV[0])
	data_hash["job_types"].each { \|job\|
	job_name = job["name"]
	resource_hash = {}
	job["resource_definitions"].each { \|resdef\|
	resource_hash[resdef["name"]] = resdef["default"]
	}
	print job_name, resource_hash
	#!/bin/sh
	# Example of how to run a single errand in BOSH

	# Password is what you set in the web UI when you first set up Ops Manager
	ssh tempest@<ops-man-vm-ip>

	cd /var/tempest/workspaces/default/deployments

	# The actual file you use below depends on the product you want to target
	# (usually the Elastic Runtime), and the number of times you have installed.
	PLATFORM='unknown'
	UNAMESTR=`uname`
	if [[ "$UNAMESTR" == 'Darwin' ]]; then
	platform='Mac'
	fi

	CF_USER="payment-services"
	CF_ORG="payment-services"
	CF_SPACE="danger zone"
	CF_DOMAIN="apps-np.homedepot.com"
	package io.pivotal.demo.slimwebsocket;

	import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

	public class AppInitializer
	extends AbstractAnnotationConfigDispatcherServletInitializer {

	protected Class<?>[] getRootConfigClasses() { return new Class[] {AppConfig.class};}

	protected Class<?>[] getServletConfigClasses() { return new Class[] {WebConfig.class, WebSocketConfig.class};}
	---
	- "Web Profile":
	app_type: java
	file_type: config
	refactor_rating: 0
	description: "Web application config file"
	files:
	- "persistence.xml": { description: "JPA based ORM" }
	- "web.xml"
	- "applicationContext.xml": { description: "Spring application config file" }
	# -- mode: ruby --
	# vi: set ft=ruby :

	# Get the IP of the PCF Dev instance and put the Windows cell on the same subnet
	# PCFDev creates a host only network in a predictable pattern
	subnet = `vboxmanage list hostonlyifs`.split("\n").select { \|i\| i.start_with?('Name') }.map { \|i\| i.split(' ')[1] }.sort.reverse![0][7].to_i * 11 + 11
	pcfdev_public_ip = ENV['PCFDEV_IP'] \|\| "192.168.#{subnet}.11"
	wincell_public_ip = ENV['WIN_PCFDEV_IP'] \|\| "#{pcfdev_public_ip}1"

	# Configure the PCFDev instance to support a Windows cell
	#!/bin/bash

	opsman_host_or_ip=YOUR_OPSMAN_IP_OR_HOSTNAME
	uaac target "https://$opsman_host_or_ip/uaa" --skip-ssl-validation

	uaac token owner get opsman <OPS-MAN-ADMIN-USER>
	#Client secret: JUST_PRESS_ENTER
	#Password: YOUR_PASSWORD_HERE

	access_token=$(uaac context \| grep access_token \| tr -d " " \| cut -d ':' -f 2)
	<#
	.SYNOPSIS
	Create an OpenSSH compatible Public and Private Key in pure Powershell
	.DESCRIPTION
	Many scripts rely on the openssh or openssl tools to be available to generate public and private keys compatible with OpenSSH, but this script relies purely on Powershell (and some .NET classes already included) to generate public and private keys.
	.EXAMPLE
	PS /git/scripts> ./Create-OpenSSHPubAndPrivateKeys.ps1 -PublicKeyPath my-key.pub -PrivateKeyPath my-key
	.LINK
	mailto:grog@grogscave.net
	#>