Learning K8S from schoolofdevops

Kawsar Kamal kawsark

kawsark / vault-agent-pki
Last active Jul 13, 2021
Vault Agent with PKI certificate rendering
### Configure variables
These variables will be used for this snippet. Please substitute accordingly.
```bash
export RootCAName="root_ca"
export InterCAName="inter_ca"
export CommonName="hashidemos.io"
export InterCommonName="inter.hashidemos.io"
export Root_CA_ttl="730h"
export Inter_CA_ttl="350h"
export Cert_ttl="8h"
```
View consul-agent
#!/bin/bash
# Set variables
# "$${PATH}" is the escaped form used when this script is rendered by a template engine
# (e.g. Terraform template_file, where "$$" becomes "$"); in a script run directly by bash use "${PATH}".
export PATH="$${PATH}:/usr/local/bin"
export local_ip="$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip)"
consul_version="1.7.2"
consul_url="https://releases.hashicorp.com/consul/${consul_version}/consul_${consul_version}_linux_amd64.zip"
curl "${consul_url}" -o consul.zip
kawsark / vault-jenkins-approle.md
Last active Jul 5, 2021
Example Jenkins integration for Vault using AppRole and curl

Example Jenkins integration for Vault

This snippet provides an example Jenkinsfile that performs an AppRole authentication using the curl utility. The objective is to allow Jenkins to authenticate to Vault, then use a temporary token to retrieve a secret. It does not rely on a plugin and therefore offers more flexibility.

AppRole authentication relies on a ROLE_ID and SECRET_ID to login and retrieve a Vault token. There are two ways to provide the SECRET_ID to Jenkins. Both of these are expanded upon below.

  1. Pre-created SECRET_ID as a Jenkins secret. An out-of-band workflow will need to refresh the SECRET_ID periodically so Jenkins continues to perform AppRole logins successfully.
  2. Alternative AppRole design: Give Jenkins the ability to refresh the SECRET_ID by itself.

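The login-then-fetch exchange described above, written out as an added example (not the gist's Jenkinsfile and not HashiCorp code). It drives Vault's HTTP API with the standard library only: `auth/approle/login`, `secret/data/<path>` (KV v2), `auth/approle/role/<role>/secret-id` for option 2, and `auth/token/revoke-self` so the temporary token does not outlive the job. The Vault address, mount names, role name, secret path and every canned response in `FakeVault` are assumptions or constructed test data; in Jenkins the ROLE_ID and SECRET_ID would come from `withCredentials` rather than literals.

```python
"""AppRole login as a Jenkins stage would drive it over Vault's HTTP API.

Added example, not the gist's Jenkinsfile. Standard library only. The API
paths are Vault's; the address, mount names, role name, secret path and every
canned response in FakeVault are assumptions / constructed test data.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# transport(method, url, json_body, vault_token) -> (http_status, parsed_json)
Transport = Callable[[str, str, Optional[dict], Optional[str]], Tuple[int, dict]]


class VaultError(RuntimeError):
    pass


def http_transport(method: str, url: str, body: Optional[dict], token: Optional[str]) -> Tuple[int, dict]:
    """Real transport for a live Vault. The token travels in a header, never in the URL."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as e:
        raw = e.read()
        return e.code, (json.loads(raw) if raw else {})


class VaultAppRole:
    def __init__(self, addr: str, transport: Transport = http_transport, mount: str = "approle"):
        self.addr, self.transport, self.mount = addr.rstrip("/"), transport, mount
        self.token: Optional[str] = None

    def _call(self, method: str, path: str, body: Optional[dict] = None, auth: bool = True) -> dict:
        status, data = self.transport(method, f"{self.addr}/v1/{path}", body, self.token if auth else None)
        if status >= 400:
            raise VaultError(f"{method} {path}: HTTP {status} {data.get('errors')}")
        return data

    def login(self, role_id: str, secret_id: str) -> str:
        """POST auth/<mount>/login: trades ROLE_ID + SECRET_ID for a short-lived client token."""
        data = self._call("POST", f"auth/{self.mount}/login",
                          {"role_id": role_id, "secret_id": secret_id}, auth=False)
        self.token = data["auth"]["client_token"]
        return self.token

    def read_kv2(self, path: str, mount: str = "secret") -> Dict[str, str]:
        """GET <mount>/data/<path>: KV v2 nests the key/values under data.data."""
        return self._call("GET", f"{mount}/data/{path}")["data"]["data"]

    def rotate_secret_id(self, role_name: str) -> str:
        """Option 2 from the text: the job mints its own next SECRET_ID. The token's policy
        must grant update on auth/<mount>/role/<role>/secret-id for this to succeed."""
        return self._call("POST", f"auth/{self.mount}/role/{role_name}/secret-id", {})["data"]["secret_id"]

    def revoke_self(self) -> None:
        """Do not leave the temporary token alive for its whole TTL once the stage is done."""
        self._call("POST", "auth/token/revoke-self", {})
        self.token = None


class FakeVault:
    """Constructed stand-in so the flow runs offline; it is not a Vault emulator."""
    ROLE_ID, SECRET_ID, TOKEN = "role-id-1234", "secret-id-5678", "hvs.demo-client-token"

    def __init__(self) -> None:
        self.calls: list = []          # (method, path) in the order the client sent them
        self.live_tokens: set = set()  # tokens that have been issued and not yet revoked

    def __call__(self, method: str, url: str, body: Optional[dict], token: Optional[str]) -> Tuple[int, dict]:
        path = url.split("/v1/", 1)[1]
        self.calls.append((method, path))
        if (method, path) == ("POST", "auth/approle/login"):
            if body == {"role_id": self.ROLE_ID, "secret_id": self.SECRET_ID}:
                self.live_tokens.add(self.TOKEN)
                return 200, {"auth": {"client_token": self.TOKEN, "lease_duration": 3600}}
            return 400, {"errors": ["invalid role or secret ID"]}
        if token not in self.live_tokens:
            return 403, {"errors": ["permission denied"]}
        if (method, path) == ("GET", "secret/data/jenkins/app"):
            return 200, {"data": {"data": {"db_password": "s3cr3t"}, "metadata": {"version": 2}}}
        if (method, path) == ("POST", "auth/approle/role/jenkins/secret-id"):
            return 200, {"data": {"secret_id": "secret-id-9999", "secret_id_accessor": "accessor-1"}}
        if (method, path) == ("POST", "auth/token/revoke-self"):
            self.live_tokens.discard(token)
            return 204, {}
        return 404, {"errors": []}


def jenkins_stage(role_id: str, secret_id: str, transport: Transport) -> dict:
    """One stage: login, read the secret, mint the next SECRET_ID, always revoke the token."""
    vault = VaultAppRole("http://vault.example.internal:8200", transport)
    vault.login(role_id, secret_id)
    try:
        secret = vault.read_kv2("jenkins/app")
        next_secret_id = vault.rotate_secret_id("jenkins")
    finally:
        vault.revoke_self()
    return {"secret": secret, "next_secret_id": next_secret_id}
```

Run it against the stand-in with `jenkins_stage(FakeVault.ROLE_ID, FakeVault.SECRET_ID, FakeVault())`; against a real Vault pass `http_transport` and the address from `VAULT_ADDR`. The `finally` is the point a curl-based Jenkinsfile most often misses: a failed stage should still revoke the token, otherwise it stays valid for its full TTL.
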
1. Pre-created Secret ID

kawsark / vault-ssh-ca-ansible
Created Mar 24, 2020
Steps to setup Vault SSH CA secrets engine for use with Ansible
# 1. (Optional) Disable the SSH and Key/Value secrets engines if they already exist.
# NOTE: THIS WILL ERASE PREVIOUSLY CONFIGURED ENGINES AT THESE PATHS
export VAULT_TOKEN=<Admin-or-Root-key>
vault secrets disable ssh
vault secrets disable kv
# 2. Enable SSH secrets engine (Client signer role) and generate a CA
vault secrets enable -path=ssh ssh
vault write -format=json ssh/config/ca generate_signing_key=true | jq -r '.data.public_key' > ./trusted-user-ca-keys.pem
kawsark / app-wrapper.sh
Created Dec 6, 2019
Simple EnvConsul application
#!/bin/bash
echo "~~~~~~~ Application wrapper invoked, starting loop"
i=0
while [ "$i" -lt 100 ]
do
echo "Loop # $i"
echo "Checking for GOOGLE_APPLICATION_CREDENTIALS"
# Demo only: this prints the variable's value to stdout, and so into any log collector
echo $GOOGLE_APPLICATION_CREDENTIALS
# echo "Checking for GCP_KEY_VIEWER_PRIVATE_KEY_DATA"
# echo $GCP_KEY_VIEWER_PRIVATE_KEY_DATA
kawsark / envconsul.txt
Created Dec 6, 2019
Envconsul output with GCP dynamic credentials from Vault
➜ envconsul envconsul -config testgcp1.hcl
2019/12/06 16:01:41 [DEBUG] (logging) enabling syslog on LOCAL5
2019/12/06 21:01:41.417692 [INFO] envconsul v0.9.1 (b5e928a7)
2019/12/06 21:01:41.417753 [INFO] (runner) creating new runner (once: false)
2019/12/06 21:01:41.418195 [DEBUG] (runner) final config: {"Consul":{"Address":"","Auth":{"Enabled":false,"Username":"","Password":""},"Retry":{"Attempts":12,"Backoff":250000000,"MaxBackoff":60000000000,"Enabled":true},"SSL":{"CaCert":"","CaPath":"","Cert":"","Enabled":false,"Key":"","ServerName":"","Verify":true},"Token":"","Transport":{"DialKeepAlive":30000000000,"DialTimeout":30000000000,"DisableKeepAlives":false,"IdleConnTimeout":90000000000,"MaxIdleConns":100,"MaxIdleConnsPerHost":9,"TLSHandshakeTimeout":10000000000}},"Exec":{"Command":"/Users/kawsark/code/local/envconsul/app-wrapper.sh","Enabled":true,"Env":{"Blacklist":[],"Custom":[],"Pristine":false,"Whitelist":[]},"KillSignal":2,"KillTimeout":30000000000,"ReloadSignal":null,"Splay":5000000000,"Timeout":0},"K
View vault_approle.py
import os
import hvac
import json
import socket
import time
vault_role_id = os.environ['ROLE_ID']
secrets_path = os.environ['SECRETS_PATH']
print("***********************")
kawsark / example-vault-admin-policy.hcl
Last active Jul 13, 2021
An example Vault admin policy with capability to manage leases
# Allow managing leases
path "sys/leases/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage auth methods broadly across Vault
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
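A way to check what a policy like the one above actually grants before handing it to an admin, as an added example (not Vault's own ACL code). It implements the documented matching rules: a trailing `*` glob, `+` for one path segment, exact matches beating globs, the priority order between overlapping globs, default deny when nothing matches, and `deny` overriding every other capability. The policy text embedded below repeats the gist's two stanzas and adds two constructed ones (an `auth/token/create-orphan` deny and a `secret/data/+/ci` read rule) to exercise those rules.

```python
"""Offline evaluator for Vault ACL policies: does policy P grant capability C on path X?

Added example, not Vault's ACL implementation. Matching rules follow the
Vault policy documentation; the policy text below extends the gist's two
stanzas with two constructed ones.
"""
import re
from typing import Dict, List, Optional, Tuple

Policy = Dict[str, List[str]]  # rule path -> capabilities

ADMIN_POLICY = '''
# Allow managing leases
path "sys/leases/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage auth methods broadly across Vault
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Constructed addition: even this admin may not mint orphan tokens
path "auth/token/create-orphan"
{
capabilities = ["deny"]
}
# Constructed addition: one segment wildcard, read-only
path "secret/data/+/ci"
{
capabilities = ["read"]
}
'''


def parse_policy(text: str) -> Policy:
    """Tiny parser for the `path "..." { capabilities = [...] }` form used in the gist."""
    rules: Policy = {}
    for m in re.finditer(r'path\s+"([^"]+)"\s*\{([^}]*)\}', text):
        caps = re.search(r"capabilities\s*=\s*\[([^\]]*)\]", m.group(2))
        rules[m.group(1)] = re.findall(r'"([a-z]+)"', caps.group(1)) if caps else []
    return rules


def path_matches(rule_path: str, req_path: str) -> bool:
    """`*` (only valid at the end) matches any suffix; `+` matches exactly one segment."""
    if "*" in rule_path and not rule_path.endswith("*"):
        raise ValueError("'*' is only valid at the end of a Vault policy path")
    regex = re.escape(rule_path).replace(r"\*", ".*").replace(r"\+", "[^/]+")
    return re.fullmatch(regex, req_path) is not None


def priority(rule_path: str) -> Tuple:
    """Higher tuple = more specific rule (the ordering from the Vault policy docs):
    later first wildcard, no trailing glob, fewer `+`, longer path, lexicographically larger."""
    first_wild = min([i for i, c in enumerate(rule_path) if c in "+*"] or [len(rule_path)])
    return (first_wild, not rule_path.endswith("*"), -rule_path.count("+"), len(rule_path), rule_path)


def allowed(policy: Policy, req_path: str, capability: str) -> Tuple[bool, Optional[str]]:
    """(decision, rule path that decided it). No matching rule means denied: Vault is default-deny."""
    matches = [p for p in policy if path_matches(p, req_path)]
    if not matches:
        return False, None
    rule = max(matches, key=priority)
    caps = policy[rule]
    if "deny" in caps:
        return False, rule
    return capability in caps, rule
```

`allowed(parse_policy(ADMIN_POLICY), "auth/token/create-orphan", "update")` returns `(False, "auth/token/create-orphan")`: the exact-match deny wins over the broad `auth/*` grant, which is how you carve exceptions out of an admin policy without losing the wildcard.
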
kawsark / Vault-ssh-ca-README.md
Created Mar 28, 2019
A guide for configuring Vault's SSH-CA

SSH CA use-case with Vault

In this scenario we are going to set up Vault to sign SSH keys using an internal CA. We will configure the SSH secrets engine and create a CA within Vault. We will then configure an SSH server to trust the CA key we just created. Finally we will attempt to SSH using a private key, and a public key signed by Vault SSH CA.

Prerequisites

  • This guide assumes you have already provisioned a Vault server, an SSH host running OpenSSH server, and an SSH client machine.
  • The client system must be able to reach the Vault server and the OpenSSH server.
  • We will refer to these systems respectively as:
    • VAULT_SERVER
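Both the Ansible snippet above (the `ssh/config/ca` public key written to `trusted-user-ca-keys.pem`) and this guide end with sshd deciding whether a Vault-signed certificate is acceptable. The added example below (not from either gist and not OpenSSH code) decodes an `ssh-ed25519-cert-v01@openssh.com` certificate and applies the checks sshd makes against `TrustedUserCAKeys`: user-type certificate, login name among the principals, current time inside the validity window, and signing key identical to the trusted CA key. The certificate and CA key are constructed in code with random bytes standing in for real keys and signature, so the signature itself is not verified here; the key id, principals and validity values are assumptions.

```python
"""Decode an OpenSSH user certificate and apply the checks sshd makes with TrustedUserCAKeys.

Added example, not the gists' code. The sample certificate and CA key are
constructed in-code (random bytes stand in for real ed25519 keys and the
signature), so the signature is NOT verified; format, type, principal,
validity window and CA identity are.
"""
import base64
import hashlib
import os
import struct
from typing import Dict, List, Tuple

CERT_TYPE_USER = 1  # 2 would be a host certificate


def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


class Reader:
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.buf, self.pos)
        s = self.buf[self.pos + 4:self.pos + 4 + n]
        if len(s) != n:
            raise ValueError("truncated certificate")
        self.pos += 4 + n
        return s

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.buf, self.pos); self.pos += 4; return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.buf, self.pos); self.pos += 8; return v


def parse_cert(line: str) -> Dict:
    """Parse one line of a *-cert.pub file (field order from OpenSSH PROTOCOL.certkeys)."""
    key_type, b64 = line.split()[:2]
    if key_type != "ssh-ed25519-cert-v01@openssh.com":
        raise ValueError(f"unsupported certificate type {key_type}")
    r = Reader(base64.b64decode(b64))
    if r.string() != key_type.encode():
        raise ValueError("type inside blob does not match the line prefix")
    r.string()                                   # nonce
    cert: Dict = {"pubkey": r.string()}          # the user's ed25519 public key
    cert["serial"], cert["type"], cert["key_id"] = r.u64(), r.u32(), r.string().decode()
    p, cert["principals"] = Reader(r.string()), []
    while p.pos < len(p.buf):
        cert["principals"].append(p.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    r.string()                                   # critical options (none in this sample)
    e, cert["extensions"] = Reader(r.string()), []
    while e.pos < len(e.buf):                    # pairs of (name, data); data is empty for permit-*
        cert["extensions"].append(e.string().decode()); e.string()
    r.string()                                   # reserved
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    return cert


def fingerprint(key_blob: bytes) -> str:
    """Same value `ssh-keygen -lf` prints: SHA256 of the key blob, unpadded base64."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")


def check_cert(cert_line: str, trusted_ca_line: str, login_name: str, now: int) -> List[str]:
    """Reasons sshd would reject this cert for login_name; an empty list means it passes these checks."""
    cert = parse_cert(cert_line)
    ca_blob = base64.b64decode(trusted_ca_line.split()[1])
    problems = []
    if cert["type"] != CERT_TYPE_USER:
        problems.append("not a user certificate")
    if cert["signature_key"] != ca_blob:
        problems.append(f"signed by {fingerprint(cert['signature_key'])}, not trusted CA {fingerprint(ca_blob)}")
    if login_name not in cert["principals"]:
        problems.append(f"login name {login_name!r} not in principals {cert['principals']}")
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        problems.append("outside validity window (check the Vault role ttl and clock skew)")
    return problems


def make_sample(principals: List[str], valid_after: int, valid_before: int) -> Tuple[str, str]:
    """Constructed cert + matching trusted-user-ca-keys.pem line (random bytes, not a real signature)."""
    ca_blob = ssh_string(b"ssh-ed25519") + ssh_string(os.urandom(32))
    blob = (ssh_string(b"ssh-ed25519-cert-v01@openssh.com") + ssh_string(os.urandom(32))
            + ssh_string(os.urandom(32)) + struct.pack(">Q", 7) + struct.pack(">I", CERT_TYPE_USER)
            + ssh_string(b"vault-ansible") + ssh_string(b"".join(ssh_string(p.encode()) for p in principals))
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + ssh_string(b"") + ssh_string(ssh_string(b"permit-pty") + ssh_string(b""))
            + ssh_string(b"") + ssh_string(ca_blob)
            + ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(os.urandom(64))))
    cert_line = "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(blob).decode() + " vault-ansible"
    return cert_line, "ssh-ed25519 " + base64.b64encode(ca_blob).decode()
```

Against a real setup, pass the contents of `id_ed25519-cert.pub` and of the `trusted-user-ca-keys.pem` written by the `ssh/config/ca` step; when sshd says `certificate invalid: name is not a listed principal` or `expired`, this reproduces the reason without reading `sshd -ddd`. The one check it cannot make is the signature, for which you still need `ssh-keygen -L` plus a trusted sshd.
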
kawsark / vault
Last active Mar 5, 2019 — forked from yunano/vault
/etc/init.d/vault for CentOS 6
#!/bin/sh
#
# vault - this script manages the vault server
#
# chkconfig: 345 96 04
# processname: vault
### BEGIN INIT INFO
# Provides: vault
# Required-Start: $local_fs $network