#!/bin/bash

# Expose Vault locally by port-forwarding to the deployment in the background.
echo "Opening vault in background via kubectl port forwarding."
kubectl port-forward deployment/vault 8200:8200 &
# Keep the port-forward PID so it can be stopped when the script is done.
vault_connection_pid=$!

# Re-authenticate the Kubernetes auth backend with Vault using the
# vault-reviewer service account's JWT and the cluster CA certificate.
echo "Re-auth kubernetes with vault"
VAULT_SA_TOKEN_NAME=$(kubectl get sa vault-reviewer -o jsonpath="{.secrets[*]['name']}")
SA_JWT_TOKEN=$(kubectl get secret "$VAULT_SA_TOKEN_NAME" -o jsonpath="{.data.token}" | base64 --decode; echo)
SA_CA_CRT=$(kubectl get secret "$VAULT_SA_TOKEN_NAME" -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo)

# Install the cfssl and cfssljson binaries (release R1.2, macOS/amd64 build).
curl https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64 -o /usr/local/bin/cfssl
curl https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64 -o /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson

# Set these names before you start (quoted so the placeholders may contain spaces).
CLUSTER_NAME="{{cluster name}}"
GROUP="{{group name}}"

# Get your account ID
ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')

# Build a role name from the cluster and group names set above
ROLE_NAME="Kubernetes${CLUSTER_NAME}${GROUP}Group"

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller-binding
  namespace: stg
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: stg
roleRef:

{
  "CN": "server.dc1.cluster.local",
  "hosts": [
    "server.dc1.cluster.local",
    "127.0.0.1",
    "consul.default.svc.cluster.local",
    "vault.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",

# Fill in the placeholders before running. Note that the exported root token
# and unseal keys remain in the shell environment and in shell history.
export PREFIX=<your-prefix>-
export KMS_KEY_ID=<kms-key-id>
export ROOT_KEY=<vault-root-token>
export UNSEAL0=<vault-unseal-key-1>
export UNSEAL1=<vault-unseal-key-2>
export UNSEAL2=<vault-unseal-key-3>
export UNSEAL3=<vault-unseal-key-4>
export UNSEAL4=<vault-unseal-key-5>
# Working directory for the Vault files
mkdir -p /tmp/vault

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: services-stg
  name: deploy-stg
rules:
- apiGroups: ["", "extensions", "apps"] # "" indicates the core API group
  resources: ["*"]
  verbs: ["*"]

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller-manager
  namespace: stg
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]

annotations:
  vault.security/enabled: "true"
  vault.security/vault-addr: "https://vault.default.svc.cluster.local:8200"
  vault.security/vault-role: "vault-role"
  vault.security/vault-path: "secret/some/path/in/vault"
  vault.security/vault-tls-secret-name: "vault-consul-ca"

env:
- name: DB_PASS
  value: "vault:DB_PASS"