Conjur running using k8s secrets
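#!/usr/bin/env bash
# Loads a Conjur follower's TLS material and data key into Kubernetes secrets.
#
# Expects a follower seed tarball (pulled from the Conjur master beforehand) at
# ./tmp/follower-seed.tar next to this script. It extracts the CA cert, the
# follower cert/key pair and the CONJUR_DATA_KEY from the archive into ./tmp and
# creates the secrets consumed by the conjur-follower deployment:
#   conjur-ca-cert, conjur-data-key, conjur-follower-cert
#
# Usage: ./<this script> [extra kubectl args...]
#   Any extra arguments are appended to every `kubectl create secret` call.
#
# Requires: tar, sed, kubectl (pointed at the intended context).
# NOTE: the extracted key material stays in ./tmp after the script finishes.

# Options live in `set`, not the shebang, so they survive `bash script.sh`.
set -eo pipefail

CURRENT_DIR=$(dirname -- "$0")
SEED_FILES_DIR="$CURRENT_DIR/tmp"
FOLLOWER_SEED_FILE="$SEED_FILES_DIR/follower-seed.tar"
TEMP_CERT_DIR="$CURRENT_DIR/tmp"

# TODO: Figure out what conjur.pem/key links point to first instead of hardcoding
# conjur-follower prefix
REQUIRED_SSL_CERTS=( "ca.pem"
  "conjur-follower.pem"
  "conjur-follower.key" )

# Path of the data-key file inside the seed archive.
CONJUR_DATA_KEY_FILE="/opt/conjur/etc/possum.key"

if [[ ! -f "$FOLLOWER_SEED_FILE" ]]; then
  echo "ERROR: You haven't pulled the seed file from master into $SEED_FILES_DIR" >&2
  exit 1
fi

# Everything written below is private key material: make the extracted files
# and the generated data-key file owner-only regardless of the caller's umask.
umask 077

echo "Extracting relevant certs..."
for cert_file in "${REQUIRED_SSL_CERTS[@]}"; do
  target_file="$TEMP_CERT_DIR/$cert_file"
  echo "Extracting $FOLLOWER_SEED_FILE:$cert_file into $target_file..."
  rm -f -- "$target_file"
  # --strip-components drops the archive's directory prefix so the file lands
  # directly in SEED_FILES_DIR instead of a mirrored /opt/conjur/etc/ssl tree.
  tar -xf "$FOLLOWER_SEED_FILE" \
    --strip-components=5 \
    -C "$SEED_FILES_DIR" \
    "/opt/conjur/etc/ssl/$cert_file"
done

target_file="$TEMP_CERT_DIR/possum.key"
echo "Extracting $FOLLOWER_SEED_FILE:$CONJUR_DATA_KEY_FILE into $target_file..."
rm -f -- "$target_file"
# Same idea as above: flatten the archive path so possum.key lands in SEED_FILES_DIR.
tar -xf "$FOLLOWER_SEED_FILE" \
  --strip-components=4 \
  -C "$SEED_FILES_DIR" \
  "$CONJUR_DATA_KEY_FILE"

# possum.key is expected to hold a `CONJUR_DATA_KEY=<value>` line; the secret
# must contain only the bare value. The file is read via its absolute target
# path rather than a cwd-relative `tmp/possum.key`, so the script works from
# any working directory. printf keeps the original echo semantics (exactly one
# trailing newline).
printf '%s\n' "$(sed 's/CONJUR_DATA_KEY=//g' "$target_file")" \
  > "$SEED_FILES_DIR/conjur_data_key.txt"

CONTEXT=$(kubectl config current-context)

# Arguments passed to every `kubectl create secret` call. Kept as an array so
# caller-supplied arguments containing spaces survive intact.
# We may want to save the config for kubectl apply later
KUBECTL_ARGS=( "--save-config=false" )
# Append any additional args provided on CLI
KUBECTL_ARGS+=( "$@" )

echo "Using context: $CONTEXT"

echo "Deleting old secrets (if present)..."
# Best-effort: the secrets may not exist yet, so a failure here is not fatal.
# remove_cert_secrets is assumed to live next to this script (it was previously
# resolved relative to the current working directory).
"$CURRENT_DIR/remove_cert_secrets" || true

echo "Creating CA cert secret..."
kubectl create secret generic conjur-ca-cert "${KUBECTL_ARGS[@]}" \
  --from-file="$SEED_FILES_DIR/ca.pem"

echo "Creating CONJUR_DATA_KEY secret..."
kubectl create secret generic conjur-data-key "${KUBECTL_ARGS[@]}" \
  --from-file="$SEED_FILES_DIR/conjur_data_key.txt"

echo "Creating conjur follower cert/key secret..."
kubectl create secret tls conjur-follower-cert "${KUBECTL_ARGS[@]}" \
  --cert="$SEED_FILES_DIR/conjur-follower.pem" \
  --key="$SEED_FILES_DIR/conjur-follower.key"

echo
kubectl get secrets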
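# Conjur follower pod: three containers sharing one network namespace.
#   conjur-pg     - Postgres backing store, reachable only on localhost:5432
#   conjur-nginx  - TLS front end on 9443 (and 9000), terminates HTTPS
#   conjur-possum - the Conjur service itself on 3000 (plain HTTP, pod-local)
# TLS certs and the data key come from the secrets created by the setup script.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: conjur-follower
spec:
  replicas: 1
  selector:
    matchLabels:
      app: conjur-follower
  strategy:
    # Recreate (not RollingUpdate): the database volume below is pod-local, so
    # two pods must never overlap.
    type: Recreate
  template:
    metadata:
      labels:
        app: conjur-follower
    spec:
      containers:
        - name: conjur-pg
          env:
            - name: DEBUG_CONTAINER
              value: "false"
          image: conjur-pg
          # Never: the image must already exist on the node; nothing is pulled
          # from a registry.
          imagePullPolicy: Never
          livenessProbe:
            # Only checks that the port accepts connections, not that the DB answers.
            tcpSocket:
              port: 5432
            initialDelaySeconds: 1
            periodSeconds: 1
            timeoutSeconds: 5
            # 1 second * 180 = 3 minutes
            failureThreshold: 180
          readinessProbe:
            tcpSocket:
              port: 5432
            initialDelaySeconds: 1
            periodSeconds: 1
            timeoutSeconds: 5
            # 1 second * 180 = 3 minutes
            failureThreshold: 180
          volumeMounts:
            - name: conjur-ca-cert-volume
              mountPath: /opt/conjur/etc/ssl/ca
              readOnly: true
            - name: conjur-follower-cert-volume
              mountPath: /opt/conjur/etc/ssl/follower
              readOnly: true
            - name: conjur-pg-main-db
              mountPath: /var/lib/postgresql/9.4
        - name: conjur-nginx
          image: conjur-nginx
          imagePullPolicy: Never
          livenessProbe:
            httpGet:
              path: /status
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 1
            periodSeconds: 1
            timeoutSeconds: 2
            # 1 second * 180 = 3 minutes
            failureThreshold: 180
          ports:
            - containerPort: 9000
            - containerPort: 9443
          readinessProbe:
            httpGet:
              path: /
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 20
            # 5 seconds * 36 = 3 minutes
            failureThreshold: 36
          volumeMounts:
            - name: conjur-ca-cert-volume
              mountPath: /opt/conjur/etc/ssl/ca
              readOnly: true
            - name: conjur-follower-cert-volume
              mountPath: /opt/conjur/etc/ssl/follower
              readOnly: true
        - name: conjur-possum
          env:
            - name: DEBUG_CONTAINER
              value: "false"
            - name: DATABASE_URL
              # NOTE(review): no credentials in the URL; this relies on Postgres
              # being reachable only from inside the pod - confirm pg's auth config.
              value: "postgresql://conjur@localhost:5432"
          image: conjur-possum
          imagePullPolicy: Never
          livenessProbe:
            httpGet:
              path: /
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 20
            # 5 seconds * 36 = 3 minutes
            failureThreshold: 36
          readinessProbe:
            httpGet:
              path: /
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 20
            # 5 seconds * 36 = 3 minutes
            failureThreshold: 36
          volumeMounts:
            - name: conjur-data-key-volume
              mountPath: /opt/conjur/etc/conjur_data_key
              readOnly: true
      volumes:
        # Secret volumes are mounted owner-read-only so only the container's
        # user can read the key material.
        - name: conjur-ca-cert-volume
          secret:
            secretName: conjur-ca-cert
            # Permission == 0400. JSON spec doesn't support octal notation.
            defaultMode: 256
        - name: conjur-data-key-volume
          secret:
            secretName: conjur-data-key
            # Permission == 0400. JSON spec doesn't support octal notation.
            defaultMode: 256
        - name: conjur-follower-cert-volume
          secret:
            secretName: conjur-follower-cert
            # Permission == 0400. JSON spec doesn't support octal notation.
            defaultMode: 256
        - name: conjur-pg-main-db
          # Ephemeral: the follower's database is discarded whenever the pod is
          # deleted or rescheduled and must be re-synced from the master.
          emptyDir: {}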
---
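# In-cluster entry point: HTTPS on 443, forwarded to the nginx container (9443).
apiVersion: v1
kind: Service
metadata:
  name: conjur-follower
spec:
  ports:
    - name: "https"
      port: 443
      targetPort: 9443
  selector:
    app: conjur-follower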
---
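# Out-of-cluster entry point. NodePort exposes the follower on port 31001 of
# every node's IP; only the TLS port is published. The plaintext nginx (9000)
# and possum (3000) ports are intentionally left unpublished below.
apiVersion: v1
kind: Service
metadata:
  name: conjur-follower-external
spec:
  type: NodePort
  ports:
    - name: nginx-https
      nodePort: 31001
      port: 443
      protocol: TCP
      targetPort: 9443
    # - name: nginx-http
    #   nodePort: 31002
    #   port: 80
    #   protocol: TCP
    #   targetPort: 9000
    # - name: possum-http
    #   nodePort: 31003
    #   port: 8080
    #   protocol: TCP
    #   targetPort: 3000
  selector:
    app: conjur-follower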