kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22
metadata:
  name: tiller-binding
  namespace: stg
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: stg
roleRef:
# Set these names before you start.
CLUSTER_NAME={{cluster name}}
GROUP_NAME={{group name}}
# Get your account ID
ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')
# Build a role name (the original used GROUP for the assignment but GROUP_NAME here)
ROLE_NAME="Kubernetes${CLUSTER_NAME}${GROUP_NAME}Group"
#!/usr/bin/env python
import argparse
import sys
import boto3
client = boto3.client('s3')
def main(args):
    bucket = args.bucket
# Install cfssl/cfssljson (macOS binaries). -f makes curl fail on an HTTP error
# instead of writing an error page to /usr/local/bin; verify the binaries against
# the publisher's checksums before trusting anything placed on your PATH.
curl -fsSL https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64 -o /usr/local/bin/cfssl
curl -fsSL https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64 -o /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-reviewer
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
#!/bin/bash
echo "Opening vault in background via kubectl port forwarding."
kubectl port-forward deployment/vault 8200:8200 &
vault_connection_pid=$!
echo "Re-auth kubernetes with vault"
# Clusters before 1.24 auto-created a token Secret for every ServiceAccount, which is
# what .secrets[*] lists. On 1.24+ that list is empty: create a Secret of type
# kubernetes.io/service-account-token for vault-reviewer first (or use `kubectl create token`).
VAULT_SA_TOKEN_NAME=$(kubectl get sa vault-reviewer -o jsonpath="{.secrets[*]['name']}")
SA_JWT_TOKEN=$(kubectl get secret "$VAULT_SA_TOKEN_NAME" -o jsonpath="{.data.token}" | base64 --decode; echo)
SA_CA_CRT=$(kubectl get secret "$VAULT_SA_TOKEN_NAME" -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo)
#!/usr/bin/env python
import os
import json
import logging
import tarfile
import requests
import sys
# CA bundle used to verify Vault's TLS certificate; do not fall back to
# verify=False for an in-cluster secrets endpoint.
CA_PATH = "/etc/tls/ca.pem"
# In-cluster service DNS name; it must appear as a SAN on Vault's certificate.
VAULT_URL = "https://vault.default.svc.cluster.local:8200"
# syntax=docker/dockerfile:1.0.0-experimental
## For this to work you must run `export DOCKER_BUILDKIT=1`
## then build using the command
## docker build --ssh github_ssh_key=/Users/<your_username>/.ssh/id_rsa .
## The key is only exposed to RUN steps that declare --mount=type=ssh,id=github_ssh_key
## and is never written into a layer; `--ssh default` forwards your ssh-agent instead.
## Stage 1
## (python:2.7 reached end of life in 2020; pin a maintained base image for new builds.)
FROM python:2.7.15-alpine3.7 AS base
## main.tf
## Terraform 0.11-style interpolation. In AWS provider >= 4 the inline `acl` and
## `versioning` arguments moved to aws_s3_bucket_acl / aws_s3_bucket_versioning.
## A private ACL alone does not stop a public bucket policy; pair the bucket with
## aws_s3_bucket_public_access_block and a default server-side encryption rule.
resource "aws_s3_bucket" "s3_bucket" {
  count         = "${var.enabled}"
  bucket        = "${local.bucket_name}"
  region        = "${var.region}"
  force_destroy = "${var.force_destroy}"
  acl           = "private"
  versioning = {
    enabled = "${var.versioning_enabled}"
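The Terraform module above sets a private ACL and versioning; the boto3 S3 script earlier on the page is truncated before it does anything. The following is an added example (not code from either gist) that checks a bucket for the properties a hardened module should produce: versioning enabled, all four public-access-block flags set, a default server-side encryption rule, and no ACL grant to AllUsers/AuthenticatedUsers. The S3 calls are injected as callables so the rules run offline against constructed responses in the shape boto3 returns; the `boto3_fetchers` helper wires in the real client and imports boto3 lazily. The bucket name and the canned responses are assumptions made for the example.

```python
"""Posture check for an S3 bucket. Added example; not the gist's own script.
The rules operate on the dicts boto3 returns, so they can run offline."""
from typing import Callable, Dict, List

Fetchers = Dict[str, Callable[[], dict]]

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def boto3_fetchers(bucket: str) -> Fetchers:
    """Real fetchers backed by boto3 (imported lazily so the rules need no SDK)."""
    import boto3
    s3 = boto3.client("s3")
    return {
        "versioning": lambda: s3.get_bucket_versioning(Bucket=bucket),
        "public_access_block": lambda: s3.get_public_access_block(Bucket=bucket),
        "encryption": lambda: s3.get_bucket_encryption(Bucket=bucket),
        "acl": lambda: s3.get_bucket_acl(Bucket=bucket),
    }


def _call(fetchers: Fetchers, name: str) -> dict:
    # S3 reports "not configured" as an error (e.g. ServerSideEncryptionConfigurationNotFoundError);
    # treat any failure as an empty config so the rule below flags it.
    try:
        return fetchers[name]()
    except Exception:
        return {}


def audit_bucket(fetchers: Fetchers) -> List[str]:
    """Return one finding string per failed rule; an empty list means hardened."""
    findings: List[str] = []

    if _call(fetchers, "versioning").get("Status") != "Enabled":
        findings.append("versioning not enabled")

    pab = _call(fetchers, "public_access_block").get("PublicAccessBlockConfiguration", {})
    for flag in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(flag):
            findings.append(f"public access block: {flag} is not true")

    rules = _call(fetchers, "encryption").get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        findings.append("no default server-side encryption")

    for grant in _call(fetchers, "acl").get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant.get('Permission')} to {uri}")

    return findings


def constructed_fetchers(hardened: bool) -> Fetchers:
    """Canned responses (constructed for this example) in the shape boto3 returns."""
    if hardened:
        return {
            "versioning": lambda: {"Status": "Enabled"},
            "public_access_block": lambda: {"PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
            "encryption": lambda: {"ServerSideEncryptionConfiguration": {"Rules": [
                {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
            "acl": lambda: {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                                        "Permission": "FULL_CONTROL"}]},
        }

    def not_found() -> dict:
        raise RuntimeError("NoSuchPublicAccessBlockConfiguration")  # stands in for botocore ClientError

    return {
        "versioning": lambda: {},  # never configured: boto3 returns no Status key
        "public_access_block": not_found,
        "encryption": not_found,
        "acl": lambda: {"Grants": [{"Grantee": {"Type": "Group",
                                                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                                    "Permission": "READ"}]},
    }


if __name__ == "__main__":
    import sys
    # Pass a bucket name to audit a real bucket; otherwise audit the constructed weak one.
    source = boto3_fetchers(sys.argv[1]) if len(sys.argv) > 1 else constructed_fetchers(hardened=False)
    for line in audit_bucket(source):
        print(line)
```

Run it with a bucket name to audit a live bucket (the caller needs s3:GetBucketVersioning, s3:GetBucketPublicAccessBlock, s3:GetEncryptionConfiguration and s3:GetBucketAcl); without arguments it prints the seven findings for the constructed weak bucket.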
annotations:
  vault.security/enabled: "true"
  vault.security/vault-addr: "https://vault.default.svc.cluster.local:8200"
  vault.security/vault-role: "vault-role"
  vault.security/vault-path: "secret/some/path/in/vault"
  vault.security/vault-tls-secret-name: "vault-consul-ca"
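The annotations above name a Vault address, a Kubernetes auth role and a secret path, and the Python gist earlier on the page starts a requests-based client against the same in-cluster address with a pinned CA bundle. The following is an added example (not code from the gists or from whichever injector reads those annotations) of the exchange such a client performs: POST the pod's ServiceAccount JWT to `auth/kubernetes/login` (Vault validates it with a TokenReview, which is what the vault-reviewer ClusterRoleBinding permits), then read the secret with the returned `X-Vault-Token`, unwrapping either the KV v1 or the KV v2 response shape. The HTTP layer is a pluggable transport so the flow can be exercised offline against constructed Vault responses; assumptions are the auth mount name `kubernetes`, the standard kubelet token mount path, and the canned tokens and secret values.

```python
"""Vault Kubernetes-auth login followed by a secret read, with the HTTP layer
injectable so the exchange can be run offline. Added example; not the gist's code."""
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Where the kubelet projects the pod's ServiceAccount token.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

# transport(method, url, headers, json_body_or_None) -> (http_status, parsed_json)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


class VaultError(Exception):
    pass


def urllib_transport(ca_path: str) -> Transport:
    """Real transport: TLS is verified only against the CA bundle at ca_path."""
    ctx = ssl.create_default_context(cafile=ca_path)

    def send(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return send


class VaultClient:
    def __init__(self, vault_url: str, transport: Transport):
        self.base = vault_url.rstrip("/") + "/v1/"
        self.transport = transport
        self.token: Optional[str] = None

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["X-Vault-Token"] = self.token
        status, payload = self.transport(method, self.base + path.lstrip("/"), headers, body)
        if status >= 400:
            detail = "; ".join(payload.get("errors", [])) or "no detail"
            raise VaultError(f"{method} {path} -> HTTP {status}: {detail}")
        return payload

    def login_kubernetes(self, role: str, jwt: str, mount: str = "kubernetes") -> str:
        """POST auth/<mount>/login with {role, jwt}; stores and returns auth.client_token."""
        payload = self._call("POST", f"auth/{mount}/login", {"role": role, "jwt": jwt})
        token = (payload.get("auth") or {}).get("client_token")
        if not token:
            raise VaultError("login response carried no auth.client_token")
        self.token = token
        return token

    def read_secret(self, path: str) -> dict:
        """GET <path>; unwraps KV v1 ({data:{..}}) and KV v2 ({data:{data:{..},metadata:{..}}})."""
        if not self.token:
            raise VaultError("not logged in")
        data = self._call("GET", path).get("data") or {}
        if isinstance(data.get("data"), dict) and "metadata" in data:
            return data["data"]
        return data


def constructed_transport() -> Transport:
    """Canned Vault responses (constructed for this example) for the calls above."""
    def send(method, url, headers, body):
        if method == "POST" and url.endswith("/v1/auth/kubernetes/login"):
            if body == {"role": "vault-role", "jwt": "eyJ.constructed.jwt"}:
                return 200, {"auth": {"client_token": "hvs.constructed"}}
            return 403, {"errors": ["permission denied"]}
        if headers.get("X-Vault-Token") != "hvs.constructed":
            return 403, {"errors": ["permission denied"]}
        if url.endswith("/v1/secret/some/path/in/vault"):   # KV v1 shape
            return 200, {"data": {"db_password": "hunter2"}}
        if url.endswith("/v1/secret/data/app"):              # KV v2 shape
            return 200, {"data": {"data": {"api_key": "k"}, "metadata": {"version": 3}}}
        return 404, {"errors": []}
    return send


def fetch_from_pod(vault_url: str, role: str, secret_path: str, ca_path: str) -> dict:
    """In-cluster flow: read the projected SA token, log in, read the secret."""
    with open(SA_TOKEN_PATH) as fh:
        jwt = fh.read().strip()
    client = VaultClient(vault_url, urllib_transport(ca_path))
    client.login_kubernetes(role, jwt)
    return client.read_secret(secret_path)


if __name__ == "__main__":
    c = VaultClient("https://vault.default.svc.cluster.local:8200", constructed_transport())
    c.login_kubernetes("vault-role", "eyJ.constructed.jwt")
    print(c.read_secret("secret/some/path/in/vault"))
```

Inside a pod, `fetch_from_pod(VAULT_URL, "vault-role", "secret/some/path/in/vault", CA_PATH)` performs the real exchange; the transport never disables certificate verification, and a 403 on login surfaces as a `VaultError` carrying Vault's `errors` array rather than an empty secret.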