Marc Boorshtein mlbiam

## istio-app.yaml
---
apiVersion: openunison.tremolo.io/v1
kind: Trust
metadata:
  name: istio
  namespace: openunison
spec:
  accessTokenSkewMillis: 120000
  accessTokenTimeToLive: 120000
  authChainName: login-service

## cicdproxy-values.yaml
cicd_proxy:
    image: docker.io/tremolosecurity/kube-oidc-proxy:latest
    replicas: 1
    explicit_certificate_trust: true
    oidc:
      audience: https://cicd.apps-crc.testing/
      issuer: ou.apps.192-168-2-79.nip.io/auth/idp/remotek8s
      claims:
        user: sub
      ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVDakNDQXZLZ0F3SUJBZ0lHQVlpZzJnN0RNQTBHQ1NxR1NJYjNEUUVCQ3dVQU1IOHhKREFpQmdOVkJBTU0KRzI5MUxtRndjSE11TVRreUxURTJPQzB5TFRjNUxtNXBjQzVwYnpFVE1CRUdBMVVFQ3d3S1MzVmlaWEp1WlhSbApjekVPTUF3R0ExVUVDZ3dGVFhsUGNtY3hFekFSQmdOVkJBY01DazE1SUVOc2RYTjBaWEl4Q1RBSEJnTlZCQWdNCkFERVNNQkFHQTFVRUJoTUpUWGxEYjNWdWRISjVNQjRYRFRJek1EWXdPVEUxTlRBeU5Gb1hEVEkwTURZd09ERTEKTlRBeU5Gb3dmekVrTUNJR0ExVUVBd3diYjNVdVlYQndjeTR4T1RJdE1UWTRMVEl0TnprdWJtbHdMbWx2TVJNdwpFUVlEVlFRTERBcExkV0psY201bGRHVnpNUTR3REFZRFZRUUtEQVZOZVU5eVp6RVRNQkVHQTFVRUJ3d0tUWGtnClEyeDFjM1JsY2pFSk1BY0dBMVVFQ0F3QU1SSXdFQVlEVlFRR0V3bE5lVU52ZFc1MGNua3dnZ0VpTUEwR0NTcUcKU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREljZWNoS3lqVWsyQUlVUnBDblFMMjNRQWZkeXdnUHRacwpaNWx6UHV

## clear-oidc-sessions.py
from kubernetes import client, config
from kubernetes.client import CustomObjectsApi
from datetime import datetime,timezone
from sys import argv

config.load_kube_config()

group = "openunison.tremolo.io"
version = "v2"
plural = "oidc-sessions"

## aws-saml1-idp.yaml
---
apiVersion: openunison.tremolo.io/v2
kind: Application
metadata:
  labels:
    app.kubernetes.io/component: openunison-applications
    app.kubernetes.io/instance: openunison-orchestra-login-portal
    app.kubernetes.io/name: openunison
    app.kubernetes.io/part-of: openunison
  name: aws

## DeleteCookies.java
package XXXXXX;

import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.Cookie;

import com.google.gson.Gson;
import com.tremolosecurity.proxy.cookies.UnisonCookie;
import com.tremolosecurity.proxy.filter.HttpFilter;

## argocd-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-http-ingress
  namespace: argocd
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:

## openunison-vcluster-values.yaml
network:
  openunison_host: "k8sou.apps.212.2.242.251.nip.io"
  dashboard_host: "k8sdb.apps.212.2.242.251.nip.io"
  api_server_host: "k8sapi.apps.212.2.242.251.nip.io"
  session_inactivity_timeout_seconds: 900
  k8s_url: https://0.0.0.0:6443
  force_redirect_to_tls: true
  createIngressCertificate: true
  ingress_type: nginx
  ingress_annotations:

## vcluster-creation.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: vcluster-blog
spec: {}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:

## cert-2
-----BEGIN CERTIFICATE-----
MIIG2zCCBcOgAwIBAgIQBM6JL/SX6DSAwk8ARvpB5zANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjA4MTcwMDAwMDBa
Fw0yMzA4MTcyMzU5NTlaMHQxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhWaXJnaW5p
YTEQMA4GA1UEBxMHRmFpcmZheDEiMCAGA1UEChMZRmFpcmZheCBDb3VudHkgR292
ZXJubWVudDEcMBoGA1UEAxMTaWFtcy1zYW1sLm5jcm5ldC51czCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMBAzgwJLQ1JMs4IHogplzQFrVIx1ZjZ5aOO
SHaGx2ZQMpFpwrWuhYfWZ3YSlahRjif4NouRQMmd0KwZAtd1jJDj32Wk7lMDMvbT
5O8sN5xL10KxSc0DG+a2hkgyIjJwohykQ0HZ+ZyVFJkzBCIfhWZBv1VrdkC+k4RF

## ldap_check_alive.sh
#!/bin/bash

USER_DN="cn=ou_svc_account,ou=Users,DC=sub,DC=domain,DC=com"
USER_PASSWORD="start123"
PORT="10983"

if ! $(ldapsearch -x -D $USER_DN -w $USER_PASSWORD -b $USER_DN -s base -H ldap://127.0.0.1:$PORT/ -l 10 > /dev/null  ) ; then
  echo "failed"
  # hard kill
  kill -9 $(ps -A | grep java | awk '{print $1}')
	---
	apiVersion: openunison.tremolo.io/v1
	kind: Trust
	metadata:
	name: istio
	namespace: openunison
	spec:
	accessTokenSkewMillis: 120000
	accessTokenTimeToLive: 120000
	authChainName: login-service
	cicd_proxy:
	image: docker.io/tremolosecurity/kube-oidc-proxy:latest
	replicas: 1
	explicit_certificate_trust: true
	oidc:
	audience: https://cicd.apps-crc.testing/
	issuer: ou.apps.192-168-2-79.nip.io/auth/idp/remotek8s
	claims:
	user: sub
	ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVDakNDQXZLZ0F3SUJBZ0lHQVlpZzJnN0RNQTBHQ1NxR1NJYjNEUUVCQ3dVQU1IOHhKREFpQmdOVkJBTU0KRzI5MUxtRndjSE11TVRreUxURTJPQzB5TFRjNUxtNXBjQzVwYnpFVE1CRUdBMVVFQ3d3S1MzVmlaWEp1WlhSbApjekVPTUF3R0ExVUVDZ3dGVFhsUGNtY3hFekFSQmdOVkJBY01DazE1SUVOc2RYTjBaWEl4Q1RBSEJnTlZCQWdNCkFERVNNQkFHQTFVRUJoTUpUWGxEYjNWdWRISjVNQjRYRFRJek1EWXdPVEUxTlRBeU5Gb1hEVEkwTURZd09ERTEKTlRBeU5Gb3dmekVrTUNJR0ExVUVBd3diYjNVdVlYQndjeTR4T1RJdE1UWTRMVEl0TnprdWJtbHdMbWx2TVJNdwpFUVlEVlFRTERBcExkV0psY201bGRHVnpNUTR3REFZRFZRUUtEQVZOZVU5eVp6RVRNQkVHQTFVRUJ3d0tUWGtnClEyeDFjM1JsY2pFSk1BY0dBMVVFQ0F3QU1SSXdFQVlEVlFRR0V3bE5lVU52ZFc1MGNua3dnZ0VpTUEwR0NTcUcKU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREljZWNoS3lqVWsyQUlVUnBDblFMMjNRQWZkeXdnUHRacwpaNWx6UHV
	from kubernetes import client, config
	from kubernetes.client import CustomObjectsApi
	from datetime import datetime,timezone
	from sys import argv

	config.load_kube_config()

	group = "openunison.tremolo.io"
	version = "v2"
	plural = "oidc-sessions"
	---
	apiVersion: openunison.tremolo.io/v2
	kind: Application
	metadata:
	labels:
	app.kubernetes.io/component: openunison-applications
	app.kubernetes.io/instance: openunison-orchestra-login-portal
	app.kubernetes.io/name: openunison
	app.kubernetes.io/part-of: openunison
	name: aws
	package XXXXXX;

	import java.util.ArrayList;
	import java.util.List;

	import javax.servlet.http.Cookie;

	import com.google.gson.Gson;
	import com.tremolosecurity.proxy.cookies.UnisonCookie;
	import com.tremolosecurity.proxy.filter.HttpFilter;
	apiVersion: networking.k8s.io/v1
	kind: Ingress
	metadata:
	name: argocd-server-http-ingress
	namespace: argocd
	annotations:
	kubernetes.io/ingress.class: "nginx"
	nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
	nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
	spec:
	network:
	openunison_host: "k8sou.apps.212.2.242.251.nip.io"
	dashboard_host: "k8sdb.apps.212.2.242.251.nip.io"
	api_server_host: "k8sapi.apps.212.2.242.251.nip.io"
	session_inactivity_timeout_seconds: 900
	k8s_url: https://0.0.0.0:6443
	force_redirect_to_tls: true
	createIngressCertificate: true
	ingress_type: nginx
	ingress_annotations:
	---
	apiVersion: v1
	kind: Namespace
	metadata:
	name: vcluster-blog
	spec: {}
	---
	apiVersion: v1
	kind: PersistentVolumeClaim
	metadata:
	-----BEGIN CERTIFICATE-----
	MIIG2zCCBcOgAwIBAgIQBM6JL/SX6DSAwk8ARvpB5zANBgkqhkiG9w0BAQsFADBP
	MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
	aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjA4MTcwMDAwMDBa
	Fw0yMzA4MTcyMzU5NTlaMHQxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhWaXJnaW5p
	YTEQMA4GA1UEBxMHRmFpcmZheDEiMCAGA1UEChMZRmFpcmZheCBDb3VudHkgR292
	ZXJubWVudDEcMBoGA1UEAxMTaWFtcy1zYW1sLm5jcm5ldC51czCCASIwDQYJKoZI
	hvcNAQEBBQADggEPADCCAQoCggEBAMBAzgwJLQ1JMs4IHogplzQFrVIx1ZjZ5aOO
	SHaGx2ZQMpFpwrWuhYfWZ3YSlahRjif4NouRQMmd0KwZAtd1jJDj32Wk7lMDMvbT
	5O8sN5xL10KxSc0DG+a2hkgyIjJwohykQ0HZ+ZyVFJkzBCIfhWZBv1VrdkC+k4RF
	#!/bin/bash

	USER_DN="cn=ou_svc_account,ou=Users,DC=sub,DC=domain,DC=com"
	USER_PASSWORD="start123"
	PORT="10983"

	if ! $(ldapsearch -x -D $USER_DN -w $USER_PASSWORD -b $USER_DN -s base -H ldap://127.0.0.1:$PORT/ -l 10 > /dev/null ) ; then
	echo "failed"
	# hard kill
	kill -9 $(ps -A \| grep java \| awk '{print $1}')