Skip to content

Instantly share code, notes, and snippets.

Avatar
🙊
I'm really good at keeping secrets.

Joe Garcia infamousjoeg

🙊
I'm really good at keeping secrets.
View GitHub Profile
@infamousjoeg
infamousjoeg / .env
Last active May 23, 2022
Ansible Multiple Secret Playbook
View .env
export CONJUR_ACCOUNT=poc
export CONJUR_APPLIANCE_URL=https://ec2-00-00-00-00.compute-1.amazonaws.com
export CONJUR_CERT_FILE=conjur-poc.pem
export CONJUR_AUTHN_LOGIN=admin
export CONJUR_AUTHN_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
@infamousjoeg
infamousjoeg / k8s-secrets-crontjob.yaml
Last active Mar 7, 2022
CyberArk Conjur Kubernetes Secrets Provider as a CronJob
View k8s-secrets-crontjob.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: k8s-secrets-provider-account
namespace: conjur
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@infamousjoeg
infamousjoeg / explanation.md
Last active Mar 7, 2022
Why Client Certificate Authentication requires both Certificate & Private Key
View explanation.md

Certificates on their own are only public pieces of information. What links a public key certificate to the name it contains is the fact that whoever has legitimate control over that name (e.g. your name or your server's name) also has the private key for it.

Certificates are used to prove the identity of the remote party by challenging the remote party to perform an operation that can only be done with the corresponding private key: signing something (which can be verified with the public key) or deciphering something that was encrypted with the public key. (Both can happen in the SSL/TLS handshake, depending on the cipher suite.)

During the SSL/TLS handshake, the server sends its certificate (in clear) and proves to the client that it has the corresponding private key using an authenticated key exchange.

In this case, they also want to use client-certificate authentication. It's not enough to send the client certificate during the handshake: the cl

@infamousjoeg
infamousjoeg / aws-instances.sh
Last active Mar 14, 2022
Bash Helper Script for AWS Lab using Summon
View aws-instances.sh
#!/bin/bash
if [[ "$1" == "list" ]]; then
echo "Running Instances:"
echo "=================="
summon --provider ring.py -e aws -f ~/secrets.yml aws ec2 describe-instances | jq -r '.Reservations[].Instances[] | select( .State.Name == "running") | .Tags[] | select ( .Key == "Name" ) | .Value'
echo ""
echo "Stopped Instances:"
echo "=================="
summon --provider ring.py -e aws -f ~/secrets.yml aws ec2 describe-instances | jq -r '.Reservations[].Instances[] | select( .State.Name == "stopped") | .Tags[] | select ( .Key == "Name" ) | .Value'
@infamousjoeg
infamousjoeg / k8s-secrets-app.yml
Last active Mar 2, 2022
authn-k8s Kubernetes Secrets Application Policy Template
View k8s-secrets-app.yml
- !policy
id: k8s-secrets-demo
body:
- &secrets
- !variable secret1
- !variable secret2
- !host
annotations:
authn-k8s/namespace: namespace
@infamousjoeg
infamousjoeg / cyberark-conjur-authn-k8s-config.yml
Last active Mar 1, 2022
Conjur Authn-K8s - Initial Config Manifest
View cyberark-conjur-authn-k8s-config.yml
---
apiVersion: v1
kind: Namespace
metadata:
name: cyberark-conjur
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: authn-k8s-sa
@infamousjoeg
infamousjoeg / k8sSecretsProvider.yml
Last active Mar 3, 2022
K8s Secrets Provider Deployment Manifest
View k8sSecretsProvider.yml
---
apiVersion: v1
kind: Secret
metadata:
name: db-credentials
namespace: k8s-secrets-app
type: Opaque
stringData:
conjur-map: |-
address: cd/kubernetes/db/host
@infamousjoeg
infamousjoeg / debugging_info.md
Created Feb 24, 2022 — forked from micahlee/debugging_info.md
Conjur K8s Authenticator Debugging
View debugging_info.md
  • Display role bindings for conjur-cluster service account token

    oc get clusterrolebindings -o json \
      | jq '.items | map(select(any(.subjects[]; .name | contains("conjur-cluster"))))'
    
  • Display conjur-authenticator role information

    oc describe clusterrole conjur-authenticator
    
@infamousjoeg
infamousjoeg / sni_builder.sh
Last active Feb 23, 2022
Automated Building of Certificates when OpenShift SNI Present
View sni_builder.sh
#!/usr/bin/env bash
APIURL="https://cluster.com"
PORT="6443"
SERVERNAME="cluster.com"
output_prefix="final-"
extension="temp"
dlfilename="retrieved.pem"
pullcerticate_test() {
local tofile="$1"
@infamousjoeg
infamousjoeg / 01-install-snapd.sh
Last active Feb 22, 2022
How to Setup & Renew Let's Encrypt SSL on Ansible Automation Platform 2
View 01-install-snapd.sh
#!/bin/bash
sudo dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf -y upgrade
sudo yum install -y snapd
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap
sudo reboot now