

innovia / setup-vault-reviewer.sh
Created October 21, 2018 19:49
setup vault reviewer token
#!/bin/bash
# Open a tunnel to the in-cluster Vault and collect the credentials of the
# `vault-reviewer` service account (its JWT and the cluster CA) — presumably for
# (re)configuring Vault's Kubernetes auth backend; the script continues beyond
# this excerpt and the variables set here are expected to be consumed there.
echo "Openning vault in backgournd via kubectl port forwarding."
# The port-forward runs in the background and nothing here waits for the tunnel
# to be ready, so the first vault call over :8200 can race it — TODO confirm a
# readiness wait or retry exists further down before the port is used.
kubectl port-forward deployment/vault 8200:8200 &
# PID of the port-forward, kept so the tunnel can be torn down later
# (presumably `kill "$vault_connection_pid"` further down — verify).
vault_connection_pid=$!
echo "Re-auth kubernetes with vault"
# Name of the token Secret attached to the vault-reviewer service account.
# NOTE(review): `secrets[*]` returns every attached secret, space-separated; if
# the account ever carries more than one, the `kubectl get secret` calls below
# receive several names at once. Safe only while exactly one secret is attached.
VAULT_SA_TOKEN_NAME=$(kubectl get sa vault-reviewer -o jsonpath="{.secrets[*]['name']}")
# The service account JWT, base64-decoded. This is a bearer credential held in a
# shell variable from here on: keep `set -x` off and do not echo or log it.
# The trailing `; echo` only appends a newline that command substitution strips.
SA_JWT_TOKEN=$(kubectl get secret "$VAULT_SA_TOKEN_NAME" -o jsonpath="{.data.token}" | base64 --decode; echo)
# The cluster CA certificate from the same secret (key `ca.crt`; the dot is
# escaped so jsonpath does not treat it as a path separator).
SA_CA_CRT=$(kubectl get secret "$VAULT_SA_TOKEN_NAME" -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo)
innovia / cfssl-toolkit-install.sh
Created September 10, 2018 08:58
cfssl-toolkit-installation-mac
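# Install the cfssl toolkit (release R1.2, macOS/amd64 builds) into /usr/local/bin.
# curl flags: -f treats an HTTP error (e.g. a 404) as a failure instead of saving
# the error page as the "binary"; -L follows redirects so a redirect page is not
# saved either; -sS hides the progress meter but still reports errors.
# A failed download aborts before anything is marked executable.
# NOTE(review): a successful download is not an integrity check — compare each
# file against the checksum published for the release before trusting it.
curl -fsSL https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64 -o /usr/local/bin/cfssl || exit 1
curl -fsSL https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64 -o /usr/local/bin/cfssljson || exit 1
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson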
# Set these names before you start.
# NOTE(review): the `{{...}}` placeholders contain a space; left unquoted, bash
# splits `{{cluster name}}` into an assignment and a separate command. Replace
# them with real values (quoted if they contain spaces) before running.
CLUSTER_NAME={{cluster name}}
GROUP={{group name}}
# Get your account ID
ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')
# Build a role name
# NOTE(review): `GROUP` is assigned above but `GROUP_NAME` is expanded here, so
# the group part of the role name is empty unless GROUP_NAME is set elsewhere.
# The closing quote of the next line is missing as shown; the script continues
# beyond this excerpt.
ROLE_NAME="Kubernetes${CLUSTER_NAME}${GROUP_NAME}Group
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-binding
namespace: stg
subjects:
- kind: ServiceAccount
name: tiller
namespace: stg
roleRef:
innovia / consul-csr.json
Last active March 12, 2019 12:18
hosts section on consul_csr
{
"CN": "server.dc1.cluster.local",
"hosts": [
"server.dc1.cluster.local",
"127.0.0.1",
"consul.default.svc.cluster.local",
"vault.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
innovia / vault-kms-ssm.sh
Created January 21, 2018 12:25
encrypt-vault-unseal-keys-kms-ssm
# Placeholders for the values this script needs; replace each `<...>` before
# running. NOTE(review): left as-is, `<` and `>` are redirections to the shell,
# not literal text, so the script cannot run until they are substituted.
export PREFIX=<your-prefix>-
export KMS_KEY_ID=<kms-key-id>
# Vault root token and the five unseal key shares. These are the most sensitive
# values in a Vault deployment: exported like this they are inherited by every
# child process (and readable from a child's environment, e.g. /proc/<pid>/environ
# on Linux) and would be printed by `set -x`. Prefer passing them via stdin or a
# 0600 file, and keep this file out of version control and shell history once
# the placeholders are filled in.
export ROOT_KEY=<vault-root-token>
export UNSEAL0=<vault-unseal-key-1>
export UNSEAL1=<vault-unseal-key-2>
export UNSEAL2=<vault-unseal-key-3>
export UNSEAL3=<vault-unseal-key-4>
export UNSEAL4=<vault-unseal-key-5>
# Work directory — presumably where the key material is staged before upload
# (the script continues beyond this excerpt). /tmp is shared and the directory
# is created with the default umask; `mktemp -d` (mode 0700) would avoid
# exposing intermediate files to other local users.
mkdir -p /tmp/vault
innovia / service_account_role_and_role_binding.yaml
Last active March 12, 2019 12:19
Role for service account bound to namespace
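---
# Namespace-scoped Role for the deploy account in `services-stg`: every verb on
# every resource of the core, extensions and apps API groups. That is
# effectively namespace admin — if the account only needs to roll out
# deployments, narrow `resources`/`verbs` to what it actually uses, and treat
# this account's token as a namespace-admin credential (audit who can read it).
# NOTE: rbac.authorization.k8s.io/v1beta1 is no longer served by current
# Kubernetes releases (removed in 1.22); rbac.authorization.k8s.io/v1 has the
# same schema for Role.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: services-stg
  name: deploy-stg
rules:
  - apiGroups: ["", "extensions", "apps"]  # "" indicates the core API group
    resources: ["*"]
    verbs: ["*"]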
innovia / tiller_role_service_account_rbac.yaml
Last active March 12, 2019 12:19
Tiller service account per namespace
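# Namespace-scoped Role for a per-namespace Tiller in `stg`. Full verbs on every
# resource of the core, extensions and apps groups make this a namespace-admin
# grant; scoping Tiller to one namespace (instead of cluster-admin) is the point
# of the per-namespace pattern, but whatever can talk to this Tiller inherits
# the whole grant, so restrict access to it and trim `resources`/`verbs` if the
# charts deployed here need less.
# NOTE: rbac.authorization.k8s.io/v1beta1 is no longer served by current
# Kubernetes releases (removed in 1.22); rbac.authorization.k8s.io/v1 has the
# same schema for Role.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller-manager
  namespace: stg
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["*"]
    verbs: ["*"]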
annotations:
vault.security/enabled: "true"
vault.security/vault-addr: "https://vault.default.svc.cluster.local:8200"
vault.security/vault-role: "vault-role"
vault.security/vault-path: "secret/some/path/in/vault"
vault.security/vault-tls-secret-name: "vault-consul-ca"
env:
- name: DB_PASS
value: "vault:DB_PASS"