Sebastien Braun planetrobbie
@planetrobbie
planetrobbie / collection.json
Created September 3, 2020 13:20
Postman TFE API Vault onboarding collection
{
"info": {
"_postman_id": "2255e3f0-2da2-4530-aff9-9673d1e5fdb9",
"name": "HashiCorp Vault TFE Onboard",
"description": "Onboarding a Project team on Vault",
"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
},
"item": [
{
"name": "namespace",
Terraform Enterprise installation
# Docs
https://www.terraform.io/docs/enterprise/install/installer.html
https://www.terraform.io/docs/enterprise/before-installing/rhel-requirements.html
# Check docker version
docker -v
$ Vault ssh
Since OpenSSH 5.4 (March 2010), an SSH signed certificate contains a public key plus metadata: validity period, principals and extensions
# Client Signing
## Create a key for user
ssh-keygen -t rsa -C "sebastien@v2.prod.yet.org"

Vault Kubernetes - sidecar integration step by step guide

Mirror the example code:

git clone https://github.com/hashicorp/vault-guides.git

workflow

$ Vault k8s sidecar
- [article](https://learn.hashicorp.com/vault/identity-access-management/vault-agent-k8s)
- [code](https://github.com/hashicorp/vault-guides/tree/master/identity/vault-agent-k8s-demo)
- [RFC vault agent template](https://docs.google.com/document/d/1TBE5TuzgXpTBq2gGaJLd9gjWd1KW1MfXm2AUEIvFJtY/edit)
- [RFC Vault Kubernetes Admissions Webhook](https://docs.google.com/document/d/1nEaJiH_WO3SaHU178-zHRvz1Ic4m5q6ofbJJYxOV0X4/edit) mutate pod specs to add sidecar which will auth/auto renew and write secrets to a shared in-memory volume. Will live in a new binary named vault-k8s similar to consul-k8s.
- Above is using [Kubernetes Admission Webhooks available in 1.9](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) configured using annotations.
# Example Scripting
$ Terraform AWS workshop
# Demo Prep
source ~/in/aws/auth.sh
aws ec2 describe-instances
If authentication fails, sign in to the AWS console:
https://eu-west-3.signin.aws.amazon.com
@planetrobbie
planetrobbie / keybase.md
Created June 20, 2019 08:16
Keybase identity Proof

Keybase proof

I hereby claim:

  • I am planetrobbie on github.
  • I am planetrobbie (https://keybase.io/planetrobbie) on keybase.
  • I have a public key ASC3W8XszVxcFvl4oa0mTFPn_4Zrnoll-f-YZxtNGbv9Lgo

To claim this, I am signing this object:

@planetrobbie
planetrobbie / audit.log
Created January 28, 2019 20:47
Vault Audit snippet
{"time":"2019-01-28T20:46:29.435016455Z","type":"request","auth":{"client_token":"","accessor":"","display_name":"","policies":null,"metadata":null,"entity_id":"","token_type":"default"},"request":{"id":"52919fae-6c8e-03f1-51c8-23efb9a0041e","operation":"read","client_token":"","client_token_accessor":"","namespace":{"id":"root","path":""},"path":"sys/replication/status","data":null,"policy_override":false,"remote_address":"130.211.0.225","wrap_ttl":0,"headers":{}},"error":""}
{"time":"2019-01-28T20:46:29.43583858Z","type":"response","auth":{"client_token":"","accessor":"","display_name":"","policies":null,"metadata":null,"entity_id":"","token_type":"default"},"request":{"id":"52919fae-6c8e-03f1-51c8-23efb9a0041e","operation":"read","client_token":"","client_token_accessor":"","namespace":{"id":"root","path":""},"path":"sys/replication/status","data":null,"policy_override":false,"remote_address":"130.211.0.225","wrap_ttl":0,"headers":{}},"response":{"data":{"dr":{"mode":"hmac-sha256:3a4bd796ed9f8ae4195a2d941df
@planetrobbie
planetrobbie / config.json
Created January 14, 2019 13:41
consul agent
{
"addresses": {
"dns": "127.0.0.1",
"grpc": "127.0.0.1",
"http": "127.0.0.1",
"https": "127.0.0.1"
},
"advertise_addr": "10.132.0.4",
"advertise_addr_wan": "10.132.0.4",
"bind_addr": "10.132.0.4",
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><meta name="viewport" content="width=device-width, initial-scale=1"/><title>Sébastien Braun</title><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"/><style>@font-face {
font-family: 'icomoon';
src: url('fonts/icomoon.eot?9yug7q');
src: url('fonts/icomoon.eot?9yug7q#iefix') format('embedded-opentype'),
url('fonts/icomoon.ttf?9yug7q') format('truetype'),
url('fonts/icomoon.woff?9yug7q') format('woff'),
url('fonts/icomoon.svg?9yug7q#icomoon') format('svg');
font-weight: normal;
font-style: normal;
}