I hereby claim:
- I am kawsark on github.
- I am kawsar (https://keybase.io/kawsar) on keybase.
- I have a public key ASC40CV4CtjmbLI4VF9dL6Xr6YAb1G3pbJNnDOsgKcb8Ewo
To claim this, I am signing this object:
kawsark
/ keybase.md
Created
June 19, 2018 21:31
kawsark
/ consul
Last active
October 11, 2022 14:13
— forked from yunano/consul
/etc/init.d/consul for CentOS 6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # | |
| # consul - this script manages the consul agent | |
| # | |
| # chkconfig: 345 95 05 | |
| # processname: consul | |
| ### BEGIN INIT INFO | |
| # Provides: consul | |
| # Required-Start: $local_fs $network |
kawsark
/ vault
Last active
March 5, 2019 08:00
— forked from yunano/vault
/etc/init.d/vault for CentOS 6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # | |
| # vault - this script manages the vault server | |
| # | |
| # chkconfig: 345 96 04 | |
| # processname: vault | |
| ### BEGIN INIT INFO | |
| # Provides: vault | |
| # Required-Start: $local_fs $network |
kawsark
/ Vault-ssh-ca-README.md
Created
March 28, 2019 16:12
A guide for configuring Vault's SSH-CA
In this scenario we are going to set up Vault to sign SSH keys using an internal CA. We will configure the SSH secrets engine and create a CA within Vault. We will then configure an SSH server to trust the CA key we just created. Finally we will attempt to SSH using a private key, and a public key signed by Vault SSH CA.
- This guide assumes you have already provisioned a Vault server, SSH host using OpenSSH server, and a SSH client machine.
- The client system must be able to reach the Vault server and the OpenSSH server.
- We will refer to these systems respectively as:
- VAULT_SERVER
kawsark
/ example-vault-admin-policy.hcl
Last active
August 1, 2024 10:27
An example Vault admin policy with capability to manage leses
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Allow managing leases | |
| path "sys/leases/*" | |
| { | |
| capabilities = ["create", "read", "update", "delete", "list", "sudo"] | |
| } | |
| # Manage auth methods broadly across Vault | |
| path "auth/*" | |
| { | |
| capabilities = ["create", "read", "update", "delete", "list", "sudo"] |
kawsark
/ vault_approle.py
Last active
August 13, 2019 13:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import hvac | |
| import json | |
| import socket | |
| import time | |
| vault_role_id = os.environ['ROLE_ID'] | |
| secrets_path = os.environ['SECRETS_PATH'] | |
| print("***********************") |
kawsark
/ envconsul.txt
Created
December 6, 2019 21:23
Envconsul output with GCP dynamic credentials from Vault
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ➜ envconsul envconsul -config testgcp1.hcl | |
| 2019/12/06 16:01:41 [DEBUG] (logging) enabling syslog on LOCAL5 | |
| 2019/12/06 21:01:41.417692 [INFO] envconsul v0.9.1 (b5e928a7) | |
| 2019/12/06 21:01:41.417753 [INFO] (runner) creating new runner (once: false) | |
| 2019/12/06 21:01:41.418195 [DEBUG] (runner) final config: {"Consul":{"Address":"","Auth":{"Enabled":false,"Username":"","Password":""},"Retry":{"Attempts":12,"Backoff":250000000,"MaxBackoff":60000000000,"Enabled":true},"SSL":{"CaCert":"","CaPath":"","Cert":"","Enabled":false,"Key":"","ServerName":"","Verify":true},"Token":"","Transport":{"DialKeepAlive":30000000000,"DialTimeout":30000000000,"DisableKeepAlives":false,"IdleConnTimeout":90000000000,"MaxIdleConns":100,"MaxIdleConnsPerHost":9,"TLSHandshakeTimeout":10000000000}},"Exec":{"Command":"/Users/kawsark/code/local/envconsul/app-wrapper.sh","Enabled":true,"Env":{"Blacklist":[],"Custom":[],"Pristine":false,"Whitelist":[]},"KillSignal":2,"KillTimeout":30000000000,"ReloadSignal":null,"Splay":5000000000,"Timeout":0},"K |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| echo "~~~~~~~ Application wrapper invoked, starting loop" | |
| i=0 | |
| while [ "$i" -lt 100 ] | |
| do | |
| echo "Loop # $i" | |
| echo "Checking for GOOGLE_APPLICATION_CREDENTIALS" | |
| echo $GOOGLE_APPLICATION_CREDENTIALS | |
| # echo "Checking for GCP_KEY_VIEWER_PRIVATE_KEY_DATA" | |
| # echo $GCP_KEY_VIEWER_PRIVATE_KEY_DATA |
kawsark
/ vault-ssh-ca-ansible
Created
March 24, 2020 16:09
Steps to setup Vault SSH CA secrets engine for use with Ansible
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # 1. (Optional) Disable SSH and Key/Value secrets engine if they existed. | |
| # NOTE: THIS WILL ERASE PREVIOUSLY CONFIGURED ENGINES AT THIS PATH | |
| export VAULT_TOKEN=<Admin-or-Root-key> | |
| vault secrets disable ssh | |
| vault secrets disable kv | |
| # 2. Enable SSH secrets engine (Client signer role) and generate a CA | |
| vault secrets enable -path=ssh ssh | |
| vault write -format=json ssh/config/ca generate_signing_key=true | jq -r '.data.public_key' > ./trusted-user-ca-keys.pem |
kawsark
/ vault-jenkins-approle.md
Last active
September 24, 2024 13:49
Example Jenkins integration for Vault using AppRole and curl
This snippet provides an example Jenkinsfile that performs an AppRole authentication using curl utility. The objective is to allow Jenkins to Authenticate to Vault, then use a temporary token to retrieve a secret. It does not rely on a plugin and therefore offers more flexibility.
AppRole authentication relies on a ROLE_ID and SECRET_ID to login and retrieve a Vault token. There are two ways to provide the SECRET_ID to Jenkins. Both of these are expanded upon below.
- Pre-created SECRET_ID as a Jenkins secret. An out-of-band workflow will need to refresh the SECRET_ID periodically so Jenkins continues to perform AppRole logins successfully.
- Alternative AppRole design: Give Jenkins the ability to refresh the SECRET_ID by itself.
OlderNewer