Ami Mahloof innovia

## tiller_role_binding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller-binding
  namespace: stg
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: stg
roleRef:

## create_role.sh
# Set these names before you start.
CLUSTER_NAME={{cluster name}}
GROUP={{group name}}

# Get your account ID
ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')

# Build a role name
ROLE_NAME="Kubernetes${CLUSTER_NAME}${GROUP_NAME}Group

## set_s3_acl.py
#!/usr/bin/env python
import argparse
import sys

import boto3

client = boto3.client('s3')

def main(args):
    bucket = args.bucket

## cfssl-toolkit-install.sh
curl https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64 -o /usr/local/bin/cfssl
curl https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64 -o /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson

## vault-reviewer.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-reviewer
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding

## setup-vault-reviewer.sh
#!/bin/bash

echo "Openning vault in backgournd via kubectl port forwarding."
kubectl port-forward deployment/vault 8200:8200 &
vault_connection_pid=$!
echo "Re-auth kubernetes with vault"
VAULT_SA_TOKEN_NAME=$(kubectl get sa vault-reviewer -o jsonpath="{.secrets[*]['name']}")
SA_JWT_TOKEN=$(kubectl get secret "$VAULT_SA_TOKEN_NAME" -o jsonpath="{.data.token}" | base64 --decode; echo)
SA_CA_CRT=$(kubectl get secret "$VAULT_SA_TOKEN_NAME" -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo)

## vault-pod-runner.py
#!/env python
import os
import json
import logging
import tarfile
import requests
import sys

CA_PATH = "/etc/tls/ca.pem"
VAULT_URL = "https://vault.default.svc.cluster.local:8200"

## Dockerfile
# syntax=docker/dockerfile:1.0.0-experimental

## For this to work you must run `export DOCKER_BUILDKIT=1`
## then build using the command
##  docker build --ssh github_ssh_key=/Users/<your_username>/.ssh/id_rsa .


## Stage 1
FROM python:2.7.15-alpine3.7 AS base

## gist:c45b1bb999754910046ffcdba52bcaec
## main.tf
resource "aws_s3_bucket" "s3_bucket" {
  count         = "${var.enabled}"
  bucket        = "${local.bucket_name}"
  region        = "${var.region}"
  force_destroy = "${var.force_destroy}"
  acl           = "private"

  versioning = {
    enabled = "${var.versioning_enabled}"

## annotations.yaml
 annotations:
   vault.security/enabled: "true"
   vault.security/vault-addr: "https://vault.default.svc.cluster.local:8200"
   vault.security/vault-role: "vault-role"
   vault.security/vault-path: "secret/some/path/in/vault"
   vault.security/vault-tls-secret-name: "vault-consul-ca"
	kind: RoleBinding
	apiVersion: rbac.authorization.k8s.io/v1beta1
	metadata:
	name: tiller-binding
	namespace: stg
	subjects:
	- kind: ServiceAccount
	name: tiller
	namespace: stg
	roleRef:
	# Set these names before you start.
	CLUSTER_NAME={{cluster name}}
	GROUP={{group name}}

	# Get your account ID
	ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')

	# Build a role name
	ROLE_NAME="Kubernetes${CLUSTER_NAME}${GROUP_NAME}Group
	#!/usr/bin/env python
	import argparse
	import sys

	import boto3

	client = boto3.client('s3')

	def main(args):
	bucket = args.bucket
	curl https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64 -o /usr/local/bin/cfssl
	curl https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64 -o /usr/local/bin/cfssljson
	chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: vault-reviewer
	namespace: default
	---
	apiVersion: rbac.authorization.k8s.io/v1beta1
	kind: ClusterRoleBinding
	metadata:
	name: role-tokenreview-binding
	#!/bin/bash

	echo "Openning vault in backgournd via kubectl port forwarding."
	kubectl port-forward deployment/vault 8200:8200 &
	vault_connection_pid=$!
	echo "Re-auth kubernetes with vault"
	VAULT_SA_TOKEN_NAME=$(kubectl get sa vault-reviewer -o jsonpath="{.secrets[*]['name']}")
	SA_JWT_TOKEN=$(kubectl get secret "$VAULT_SA_TOKEN_NAME" -o jsonpath="{.data.token}" \| base64 --decode; echo)
	SA_CA_CRT=$(kubectl get secret "$VAULT_SA_TOKEN_NAME" -o jsonpath="{.data['ca\.crt']}" \| base64 --decode; echo)
	#!/env python
	import os
	import json
	import logging
	import tarfile
	import requests
	import sys

	CA_PATH = "/etc/tls/ca.pem"
	VAULT_URL = "https://vault.default.svc.cluster.local:8200"
	# syntax=docker/dockerfile:1.0.0-experimental

	## For this to work you must run `export DOCKER_BUILDKIT=1`
	## then build using the command
	## docker build --ssh github_ssh_key=/Users/<your_username>/.ssh/id_rsa .


	## Stage 1
	FROM python:2.7.15-alpine3.7 AS base
	## main.tf
	resource "aws_s3_bucket" "s3_bucket" {
	count = "${var.enabled}"
	bucket = "${local.bucket_name}"
	region = "${var.region}"
	force_destroy = "${var.force_destroy}"
	acl = "private"

	versioning = {
	enabled = "${var.versioning_enabled}"
	annotations:
	vault.security/enabled: "true"
	vault.security/vault-addr: "https://vault.default.svc.cluster.local:8200"
	vault.security/vault-role: "vault-role"
	vault.security/vault-path: "secret/some/path/in/vault"
	vault.security/vault-tls-secret-name: "vault-consul-ca"