I hereby claim:
- I am kawsark on github.
- I am kawsar (https://keybase.io/kawsar) on keybase.
- I have a public key ASC40CV4CtjmbLI4VF9dL6Xr6YAb1G3pbJNnDOsgKcb8Ewo
To claim this, I am signing this object:
#!/bin/sh | |
# | |
# vault - this script manages the vault server | |
# | |
# chkconfig: 345 96 04 | |
# processname: vault | |
### BEGIN INIT INFO | |
# Provides: vault | |
# Required-Start: $local_fs $network |
import os | |
import hvac | |
import json | |
import socket | |
import time | |
vault_role_id = os.environ['ROLE_ID'] | |
secrets_path = os.environ['SECRETS_PATH'] | |
print("***********************") |
➜ envconsul envconsul -config testgcp1.hcl | |
2019/12/06 16:01:41 [DEBUG] (logging) enabling syslog on LOCAL5 | |
2019/12/06 21:01:41.417692 [INFO] envconsul v0.9.1 (b5e928a7) | |
2019/12/06 21:01:41.417753 [INFO] (runner) creating new runner (once: false) | |
2019/12/06 21:01:41.418195 [DEBUG] (runner) final config: {"Consul":{"Address":"","Auth":{"Enabled":false,"Username":"","Password":""},"Retry":{"Attempts":12,"Backoff":250000000,"MaxBackoff":60000000000,"Enabled":true},"SSL":{"CaCert":"","CaPath":"","Cert":"","Enabled":false,"Key":"","ServerName":"","Verify":true},"Token":"","Transport":{"DialKeepAlive":30000000000,"DialTimeout":30000000000,"DisableKeepAlives":false,"IdleConnTimeout":90000000000,"MaxIdleConns":100,"MaxIdleConnsPerHost":9,"TLSHandshakeTimeout":10000000000}},"Exec":{"Command":"/Users/kawsark/code/local/envconsul/app-wrapper.sh","Enabled":true,"Env":{"Blacklist":[],"Custom":[],"Pristine":false,"Whitelist":[]},"KillSignal":2,"KillTimeout":30000000000,"ReloadSignal":null,"Splay":5000000000,"Timeout":0},"K |
#!/bin/bash | |
# Application wrapper script. Judging by the envconsul log above (Exec.Command
# points at app-wrapper.sh) this is the process envconsul launches with the
# rendered environment — confirm against the envconsul config.
echo "~~~~~~~ Application wrapper invoked, starting loop"
i=0
# Bounded loop; the loop body and its closing `done` continue past this excerpt.
while [ "$i" -lt 100 ]
do
echo "Loop # $i"
echo "Checking for GOOGLE_APPLICATION_CREDENTIALS"
# NOTE(review): if envconsul injects credential material into this variable,
# echoing it writes the secret to stdout and to whatever collects the process
# log. Log only whether it is set, e.g.
#   [ -n "$GOOGLE_APPLICATION_CREDENTIALS" ] && echo "GOOGLE_APPLICATION_CREDENTIALS is set"
# The unquoted expansion is also subject to word-splitting and globbing (SC2086).
echo $GOOGLE_APPLICATION_CREDENTIALS
# The same concern applies to the commented-out lines below: private key data
# should never be echoed, even while debugging.
# echo "Checking for GCP_KEY_VIEWER_PRIVATE_KEY_DATA"
# echo $GCP_KEY_VIEWER_PRIVATE_KEY_DATA
#!/bin/bash | |
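# Set variables.
# NOTE(review): `$${PATH}` looks like a Terraform template escape for `${PATH}`;
# keep the doubled dollar sign if this file is rendered by templatefile() — confirm.
export PATH="$${PATH}:/usr/local/bin"
# Instance IP from the GCE metadata server. The Metadata-Flavor header is
# required; without it the metadata server rejects the request.
export local_ip="$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip)"
consul_version="1.7.2"
consul_url="https://releases.hashicorp.com/consul/${consul_version}/consul_${consul_version}_linux_amd64.zip"
# HashiCorp publishes a SHA256SUMS list next to every release artifact; use it to
# verify the download before anything downstream unpacks and installs it.
consul_sums_url="https://releases.hashicorp.com/consul/${consul_version}/consul_${consul_version}_SHA256SUMS"
# -f: exit non-zero on an HTTP error instead of saving the error page as
# consul.zip; -S: still report errors while -s suppresses the progress meter.
curl -fsSL "${consul_url}" -o consul.zip
curl -fsSL "${consul_sums_url}" -o consul_SHA256SUMS
# Compare the published checksum for this exact artifact with the file on disk.
# A missing entry or a mismatch aborts the bootstrap rather than installing an
# unverified binary. (The SHA256SUMS.sig published alongside the list can be
# checked with HashiCorp's release-signing key for a stronger guarantee.)
expected_sha=$(grep "consul_${consul_version}_linux_amd64.zip" consul_SHA256SUMS | awk '{print $1}')
actual_sha=$(sha256sum consul.zip | awk '{print $1}')
if [ -z "${expected_sha}" ] || [ "${expected_sha}" != "${actual_sha}" ]; then
  echo "consul.zip checksum verification failed (expected: ${expected_sha:-none}, got: ${actual_sha})" >&2
  exit 1
fi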
#!/bin/sh | |
# | |
# consul - this script manages the consul agent | |
# | |
# chkconfig: 345 95 05 | |
# processname: consul | |
### BEGIN INIT INFO | |
# Provides: consul | |
# Required-Start: $local_fs $network |
# 1. (Optional) Disable SSH and Key/Value secrets engine if they existed.
# NOTE: THIS WILL ERASE PREVIOUSLY CONFIGURED ENGINES AT THIS PATH
# NOTE(review): the value below is a highly privileged token. Exporting it from
# an interactive shell records it in shell history and hands it to every child
# process; prefer `vault login` (token helper) and `unset VAULT_TOKEN` when done.
export VAULT_TOKEN=<Admin-or-Root-key>
vault secrets disable ssh
vault secrets disable kv
# 2. Enable SSH secrets engine (Client signer role) and generate a CA
vault secrets enable -path=ssh ssh
# NOTE(review): without `set -o pipefail` a failed `vault write` still lets jq
# run and write "null" (or nothing) into the .pem file; check that the file
# holds a public key line before distributing it to hosts as a trusted CA key.
vault write -format=json ssh/config/ca generate_signing_key=true | jq -r '.data.public_key' > ./trusted-user-ca-keys.pem
This snippet provides an example Jenkinsfile that performs AppRole authentication using the curl
utility. The objective is to let Jenkins authenticate to Vault and then use a temporary token to retrieve a secret. It does not rely on a plugin and therefore offers more flexibility.
AppRole authentication uses a ROLE_ID and a SECRET_ID to log in and obtain a Vault token. There are two ways to provide the SECRET_ID to Jenkins; both are described below.
### Configure variables | |
These variables are used throughout this snippet; substitute your own values accordingly.
```bash | |
export RootCAName="root_ca" | |
export InterCAName="inter_ca" | |
export CommonName="hashidemos.io" | |
export InterCommonName="inter.hashidemos.io" | |
export Root_CA_ttl="730h" | |
export Inter_CA_ttl="350h" | |
export Cert_ttl="8h" |