
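kind: RoleBinding
# rbac.authorization.k8s.io/v1 has carried RoleBinding with the same schema since
# Kubernetes 1.8; the v1beta1 version used here was removed in 1.22.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: stg
subjects:
  # The tiller service account (presumably Helm 2's Tiller) in stg receives the
  # permissions of the role referenced below.
  - kind: ServiceAccount
    name: tiller
    namespace: stg
# A namespace-scoped RoleBinding, rather than a ClusterRoleBinding, keeps this
# account's reach limited to the stg namespace.
roleRef:
  # Truncated in the gist preview; the referenced role is not shown on this page.
  apiGroup: rbac.authorization.k8s.io
  kind: <Role or ClusterRole>  # placeholder
  name: <ROLE_NAME>  # placeholder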
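# Set these names before you start.
# Quoted so the {{...}} template markers stay an inert string until replaced;
# unquoted, bash splits them at the space and tries to execute `name}}`.
CLUSTER_NAME="{{cluster name}}"
# The original assigned GROUP but expanded GROUP_NAME below, so the role name
# silently lost its group segment; one name is used throughout now.
GROUP_NAME="{{group name}}"
# Get your account ID
ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')
# Build a role name
ROLE_NAME="Kubernetes${CLUSTER_NAME}${GROUP_NAME}Group"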
#!/usr/bin/env python
import argparse
import sys
import boto3
# Module-level S3 client: constructed at import time, before main() runs, and no
# region_name is passed, so region and credentials come from the environment/config.
client = boto3.client('s3')
def main(args):
    """Entry point; `args` is expected to be an argparse namespace carrying `bucket`.

    Only the first line of the body survives the gist preview; the rest of main is
    not shown on this page.
    """
    bucket = args.bucket
innovia / cfssl-toolkit-install.sh
Created September 10, 2018 08:58
cfssl-toolkit-installation-mac
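# Install the cfssl toolkit (R1.2, darwin/amd64) into /usr/local/bin.
# -f makes curl exit non-zero on an HTTP error instead of saving the error page
# as the binary, which the chmod below would then mark executable; -L follows
# redirects.
curl -fL https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64 -o /usr/local/bin/cfssl
curl -fL https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64 -o /usr/local/bin/cfssljson
# NOTE(review): nothing here checks the integrity of the downloads; compare them
# against the checksums published with the release before making them executable.
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson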
innovia / vault-reviewer.yaml
Created October 21, 2018 19:41
vault-reviewer rbac
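# Service account whose token Vault's kubernetes auth backend uses for TokenReview.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-reviewer
  namespace: default
---
# rbac.authorization.k8s.io/v1 is schema-identical for ClusterRoleBinding; the
# v1beta1 version used here was removed in Kubernetes 1.22.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
# NOTE(review): the gist preview is truncated here — roleRef and subjects are not
# on this page. A binding named for TokenReview conventionally references the
# ClusterRole system:auth-delegator with the vault-reviewer ServiceAccount above as
# its only subject; confirm against the full gist before applying.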
innovia / setup-vault-reviewer.sh
Created October 21, 2018 19:49
setup vault reviewer token
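#!/bin/bash
# Stop on the first failed command so a failed kubectl lookup cannot leave the
# later steps running with an empty secret name, token or CA.
set -eo pipefail

echo "Openning vault in backgournd via kubectl port forwarding."
# The port-forward stays in the background for the rest of the script; the trap
# tears it down on every exit path instead of leaving an orphaned tunnel behind.
kubectl port-forward deployment/vault 8200:8200 &
vault_connection_pid=$!
trap 'kill "$vault_connection_pid" 2>/dev/null || true' EXIT

echo "Re-auth kubernetes with vault"
# Name of the token Secret attached to the vault-reviewer ServiceAccount. Only the
# first entry is taken: the original `[*]` form yields a space-separated list when
# several secrets are attached, which breaks the `kubectl get secret` calls below.
# NOTE(review): from Kubernetes 1.24 this Secret is no longer auto-created; it has
# to exist (type kubernetes.io/service-account-token) for this lookup to work.
VAULT_SA_TOKEN_NAME=$(kubectl get sa vault-reviewer -o jsonpath="{.secrets[0].name}")
# The SA's JWT and the cluster CA, as Vault's kubernetes auth backend expects them.
# The JWT is a bearer credential: keep it in variables only, never echo it and do
# not enable `set -x` in this script.
SA_JWT_TOKEN=$(kubectl get secret "$VAULT_SA_TOKEN_NAME" -o jsonpath="{.data.token}" | base64 --decode; echo)
SA_CA_CRT=$(kubectl get secret "$VAULT_SA_TOKEN_NAME" -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo)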
innovia / vault-pod-runner.py
Created October 21, 2018 20:05
Vault Runner - get secret from vault and replace process
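#!/usr/bin/env python
"""Vault runner: fetch a secret from Vault, then replace the process (per the gist
description).

Only the header of the script is shown in the preview; the code that uses these
imports is not on this page. The original shebang `#!/env python` points at a path
that does not exist on common systems, so the script could not be run directly.
"""
import os
import json
import logging
import tarfile
import requests
import sys

# CA bundle for verifying the in-cluster Vault endpoint's TLS certificate; pass it
# as requests' `verify=` so the connection is not left unverified.
CA_PATH = "/etc/tls/ca.pem"
# In-cluster Vault address over HTTPS; the same value the vault-addr pod annotation
# in the neighbouring gist carries.
VAULT_URL = "https://vault.default.svc.cluster.local:8200"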
innovia / Dockerfile
Last active December 9, 2018 15:13
Dockerfile MultiStage SSH Mount
# syntax=docker/dockerfile:1.0.0-experimental
## For this to work you must run `export DOCKER_BUILDKIT=1`
## then build using the command
## docker build --ssh github_ssh_key=/Users/<your_username>/.ssh/id_rsa .
## The --ssh flag forwards the key to RUN --mount=type=ssh steps (not shown in the
## preview) for the duration of the build only; it is not copied into a layer.
## NOTE(review): the experimental frontend is pinned here; the stable 1.x
## docker/dockerfile frontend also supports --mount=type=ssh and is what current
## BuildKit releases expect — confirm before switching.
## Stage 1
## NOTE(review): python 2.7 (end of life 2020-01-01) and alpine 3.7 are both past
## end of life and receive no security fixes; this base is fixed for the
## multi-stage demo, not a recommendation.
FROM python:2.7.15-alpine3.7 AS base
## main.tf
## Private S3 bucket with optional versioning. `count` toggles creation through
## var.enabled (0.11-style "${...}" interpolation throughout). The resource block
## is truncated in the gist preview: it is not closed on this page.
resource "aws_s3_bucket" "s3_bucket" {
  count = "${var.enabled}"
  bucket = "${local.bucket_name}"
  region = "${var.region}"
  # When true, `terraform destroy` removes every object (and version) in the
  # bucket first; keep it false outside throwaway environments.
  force_destroy = "${var.force_destroy}"
  # Objects are private unless explicitly shared.
  acl = "private"
  # Versioning keeps overwritten and deleted objects recoverable.
  versioning = {
    enabled = "${var.versioning_enabled}"
  # NOTE(review): no server-side encryption or public-access-block settings are
  # visible in this preview; confirm they are configured further down or alongside.
annotations:
  # Pod annotations presumably read by the vault-pod-runner listed above: opt in,
  # where Vault is, which role to log in as, which path to read, and which Secret
  # holds the CA used to verify Vault's TLS certificate.
  vault.security/enabled: 'true'
  vault.security/vault-addr: 'https://vault.default.svc.cluster.local:8200'
  vault.security/vault-role: 'vault-role'
  vault.security/vault-path: 'secret/some/path/in/vault'
  vault.security/vault-tls-secret-name: 'vault-consul-ca'