💭
Learning K8S from schoolofdevops

Kawsar Kamal kawsark

💭
Learning K8S from schoolofdevops
View GitHub Profile

Keybase proof

I hereby claim:

  • I am kawsark on github.
  • I am kawsar (https://keybase.io/kawsar) on keybase.
  • I have a public key ASC40CV4CtjmbLI4VF9dL6Xr6YAb1G3pbJNnDOsgKcb8Ewo

To claim this, I am signing this object:

@kawsark
kawsark / vault
Last active March 5, 2019 08:00 — forked from yunano/vault
/etc/init.d/vault for CentOS 6
#!/bin/sh
#
# vault - this script manages the vault server
#
# chkconfig: 345 96 04
# processname: vault
### BEGIN INIT INFO
# Provides: vault
# Required-Start: $local_fs $network
import os
import hvac
import json
import socket
import time
vault_role_id = os.environ['ROLE_ID']
secrets_path = os.environ['SECRETS_PATH']
print("***********************")
@kawsark
kawsark / envconsul.txt
Created December 6, 2019 21:23
Envconsul output with GCP dynamic credentials from Vault
➜ envconsul envconsul -config testgcp1.hcl
2019/12/06 16:01:41 [DEBUG] (logging) enabling syslog on LOCAL5
2019/12/06 21:01:41.417692 [INFO] envconsul v0.9.1 (b5e928a7)
2019/12/06 21:01:41.417753 [INFO] (runner) creating new runner (once: false)
2019/12/06 21:01:41.418195 [DEBUG] (runner) final config: {"Consul":{"Address":"","Auth":{"Enabled":false,"Username":"","Password":""},"Retry":{"Attempts":12,"Backoff":250000000,"MaxBackoff":60000000000,"Enabled":true},"SSL":{"CaCert":"","CaPath":"","Cert":"","Enabled":false,"Key":"","ServerName":"","Verify":true},"Token":"","Transport":{"DialKeepAlive":30000000000,"DialTimeout":30000000000,"DisableKeepAlives":false,"IdleConnTimeout":90000000000,"MaxIdleConns":100,"MaxIdleConnsPerHost":9,"TLSHandshakeTimeout":10000000000}},"Exec":{"Command":"/Users/kawsark/code/local/envconsul/app-wrapper.sh","Enabled":true,"Env":{"Blacklist":[],"Custom":[],"Pristine":false,"Whitelist":[]},"KillSignal":2,"KillTimeout":30000000000,"ReloadSignal":null,"Splay":5000000000,"Timeout":0},"K
@kawsark
kawsark / app-wrapper.sh
Created December 6, 2019 21:31
Simple EnvConsul application
#!/bin/bash
echo "~~~~~~~ Application wrapper invoked, starting loop"
i=0
while [ "$i" -lt 100 ]
do
echo "Loop # $i"
echo "Checking for GOOGLE_APPLICATION_CREDENTIALS"
echo $GOOGLE_APPLICATION_CREDENTIALS
# echo "Checking for GCP_KEY_VIEWER_PRIVATE_KEY_DATA"
# echo $GCP_KEY_VIEWER_PRIVATE_KEY_DATA
#!/bin/bash
# Set variables
export PATH="$${PATH}:/usr/local/bin"
export local_ip="$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip)"
consul_version="1.7.2"
consul_url="https://releases.hashicorp.com/consul/${consul_version}/consul_${consul_version}_linux_amd64.zip"
curl "${consul_url}" -o consul.zip
@kawsark
kawsark / consul
Last active October 11, 2022 14:13 — forked from yunano/consul
/etc/init.d/consul for CentOS 6
#!/bin/sh
#
# consul - this script manages the consul agent
#
# chkconfig: 345 95 05
# processname: consul
### BEGIN INIT INFO
# Provides: consul
# Required-Start: $local_fs $network
@kawsark
kawsark / vault-ssh-ca-ansible
Created March 24, 2020 16:09
Steps to set up the Vault SSH CA secrets engine for use with Ansible
# 1. (Optional) Disable SSH and Key/Value secrets engine if they existed.
# NOTE: THIS WILL ERASE PREVIOUSLY CONFIGURED ENGINES AT THIS PATH
export VAULT_TOKEN=<Admin-or-Root-key>
vault secrets disable ssh
vault secrets disable kv
# 2. Enable SSH secrets engine (Client signer role) and generate a CA
vault secrets enable -path=ssh ssh
vault write -format=json ssh/config/ca generate_signing_key=true | jq -r '.data.public_key' > ./trusted-user-ca-keys.pem
@kawsark
kawsark / vault-jenkins-approle.md
Last active June 29, 2023 14:39
Example Jenkins integration for Vault using AppRole and curl

Example Jenkins integration for Vault

This snippet provides an example Jenkinsfile that performs an AppRole authentication using the curl utility. The objective is to allow Jenkins to authenticate to Vault, then use a temporary token to retrieve a secret. It does not rely on a plugin and therefore offers more flexibility.

AppRole authentication relies on a ROLE_ID and SECRET_ID to login and retrieve a Vault token. There are two ways to provide the SECRET_ID to Jenkins. Both of these are expanded upon below.

  1. Pre-created SECRET_ID as a Jenkins secret. An out-of-band workflow will need to refresh the SECRET_ID periodically so Jenkins continues to perform AppRole logins successfully.
  2. Alternative AppRole design: Give Jenkins the ability to refresh the SECRET_ID by itself.

1. Pre-created Secret ID

@kawsark
kawsark / vault-agent-pki
Last active December 20, 2023 12:50
Vault Agent with PKI certificate rendering
### Configure variables
These variables will be used for this snippet. Please substitute accordingly.
```bash
export RootCAName="root_ca"
export InterCAName="inter_ca"
export CommonName="hashidemos.io"
export InterCommonName="inter.hashidemos.io"
export Root_CA_ttl="730h"
export Inter_CA_ttl="350h"
export Cert_ttl="8h"