dustinmm80

Outline

Application configuration

• Do you use config files for your app, or do you have a distributed solution? (etcd, serf, etc)

  If config files:

  • How do you set them up to work in multiple environments?

• How are they different for developer machines?

dustinmm80

For the saltstack tutorial, just install the [latest vagrant](https://docs.vagrantup.com/v2/getting-started/index.html) and use the below Vagrantfile to build a new vagrant box:

`Vagrantfile`
```
# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure(2) do |config|
  config.vm.box = "ubuntu/trusty64"
 config.vm.provision "shell", inline: <<-SHELL

dustinmm80

#!/bin/bash

# Creates a host identity using host-factory and places it in /etc/conjur.identity
# Requires the Conjur CLI and host-factory plugin to be installed
# Usage:
# ./hostfactory_bootstrap.sh 92198eb129peh812ue9puihd891 mynewhost1

hostfactory_token=$1
host_name=$2

dustinmm80

# First, let's define some secrets we want to pass to Chef

cat << SECRETS > /etc/chef.secrets
DB_PASSWORD: !var db/postgres/customers/password # exports value as env var
SSL_CERT:    !tmp certs/ssl/mydomain             # creates temporary file and exports path as env var
SECRETS

# In our recipe we can use ENV['DB_PASSWORD'] and ENV['SSL_CERT'] where secrets are needed

# We have the Conjur CLI on the machine, so we can use conjur env

dustinmm80

policy "demo-factory-1-0" do
  variables = [ 
    variable("aws/access_key_id"), 
    variable("aws/secret_access_key"),
    variable("sentry/projects/demo-factory/dsn"),
    variable("hipchat/api-token"),
    variable("trials/hubspot/api-key"),
    variable("mandrill/api-key"),
    variable("keen.io/demo-factory/project-id"),
    variable("keen.io/demo-factory/write-key")

dustinmm80

# Applying a Conjur identity to a Heroku app via config vars

# Name of your conjur organization
heroku config:set CONJUR_ACCOUNT=myorg
# Endpoint of your Conjur server
heroku config:set CONJUR_APPLIANCE_URL=https://conjur-master.myorg.com/api
# Name of the host you created to represent the Heroku app
heroku config:set CONJUR_AUTHN_LOGIN=host/production/heroku/demo-factory-conjur
# API key of the host you created 
heroku config:set CONJUR_AUTHN_API_KEY=sb0ncv1yj9c4w2e9pb1a2s8eh18dgf1gfz3nb31ft33s7nnz1cjw1r7

dustinmm80

AWS_ACCESS_KEY_ID:     !var aws/access_key_id
AWS_SECRET_ACCESS_KEY: !var aws/secret_access_key
SENTRY_DSN:            !var sentry/projects/demo-factory/dsn
HIPCHAT_TOKEN:         !var hipchat/api-token
HUBSPOT_API_KEY:       !var trials/hubspot/api-key
MANDRILL_API_KEY:      !var mandrill/api-key
KEEN_PROJECT_ID:       !var keen.io/demo-factory/project-id
KEEN_WRITE_KEY:        !var keen.io/demo-factory/write-key

dustinmm80

# I have a policy named demo-factory-1-0 defined in policy.rb

# Let's create a development policy
conjur policy load --as-group v4/ops --collection development policy.rb
# The collection flag means our policy is named development/demo-factory-1-0
# Any variables, groups, etc created will have the prefix development/demo-factory-1-0
# Ex: I defined variable aws/access_key_id in policy.rb so it's name will be development/demo-factory-1-0/aws/access_key_id
# I can then go and add a value to that variable

# Now we can use the policy flag to conjur env to specify a prefix for the variables when retrieving them

dustinmm80

require 'net/http'
require 'net/https'
require 'uri'

class Conjur::Command::Jenkins < Conjur::Command
  desc 'Interact with Jenkins using Conjur credentials'
  command :jenkins do |jenkins|
    jenkins.desc 'Build a Jenkins job'
    jenkins.arg_name 'job_name'
    jenkins.command 'build' do |c|

dustinmm80

package main

/*
./keychain -name mysecret
Siam589_logy

On run you'll get a popup window asking for access.
*/

import (