mikegreen

# 2020-06-23 
# this shows creating a Vault instance running integrated storage/raft, 
# then adding a KV and taking a snapshot
# then kill the raft DB files to simulate a storage failure
# repeat new Vault instance, restore snapshot, unseal and auth with orig keys
# and read some data to show how backup/restore works

# not meant to be a live script to run!
# this uses the vault_config.hcl from https://gist.github.com/mikegreen/c2df5eea2283f0dbc5f3a5d3650536fd 

grantorchard

#!/bin/bash

# Login to 1Password. 
# Assumes you have installed the OP CLI and performed the initial configuration
# For more details see https://support.1password.com/command-line-getting-started/
eval $(op signin my)

# My setup uses a 1Password type of 'Password' and stores all records within a 
# single section. The label is the key, and the value is the value.
ev=`op get item "Environment Variables"` 

kawsark

# Allow managing leases
path "sys/leases/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage auth methods broadly across Vault
path "auth/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]

kawsark

SSH CA use-case with Vault

In this scenario we are going to set up Vault to sign SSH keys using an internal CA. We will configure the SSH secrets engine and create a CA within Vault. We will then configure an SSH server to trust the CA key we just created. Finally we will attempt to SSH using a private key, and a public key signed by Vault SSH CA.

Prerequisites

• This guide assumes you have already provisioned a Vault server, SSH host using OpenSSH server, and a SSH client machine.
• The client system must be able to reach the Vault server and the OpenSSH server.
• We will refer to these systems respectively as:
• VAULT_SERVER

vincentramirez

These steps assume you are running at Vault v.0.11.0 or higher

Create new namespace:

Log into the root namespace via the Vault UI (root token)

Make sure you are in the root name space

Click on Access > Namespaces >create a namespace >

Create secrets engine and secret in the new namespace:

mindplace

1. Make sure git is tracking your project locally

Do you need a refresher on git? Go through Codecademy's git course.

1. Using your terminal/command line, get inside the folder where your project files are kept: cd /path/to/my/codebase. → You cannot do this simply by opening the folder normally, you must do this with the command line/terminal.
   → Do you need a refresher on using your command line/terminal? I've compiled my favorite resources here.

2. Check if git is already initialized: git status

wpscholar

Typing vagrant from the command line will display a list of all available commands.

Be sure that you are in the same directory as the Vagrantfile when running these commands!

Creating a VM

• vagrant init -- Initialize Vagrant with a Vagrantfile and ./.vagrant directory, using no specified base image. Before you can do vagrant up, you'll need to specify a base image in the Vagrantfile.
• vagrant init <boxpath> -- Initialize Vagrant with a specific box. To find a box, go to the public Vagrant box catalog. When you find one you like, just replace it's name with boxpath. For example, vagrant init ubuntu/trusty64.

Starting a VM

• vagrant up -- starts vagrant environment (also provisions only on the FIRST vagrant up)