mirror of
https://github.com/marcel-dempers/docker-development-youtube-series.git
synced 2025-06-06 17:01:30 +00:00
dynamic secrets and docos
This commit is contained in:
marcel-dempers
parent
2415cb33b2
commit
e711ed29fa
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,4 +1,6 @@
|
||||
c#/src/bin/
|
||||
c#/src/obj/
|
||||
node_modules/
|
||||
__pycache__/
|
||||
__pycache__/
|
||||
*.pem
|
||||
*.csr
|
||||
|
||||
@ -34,6 +34,6 @@ spec:
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: app
|
||||
name: basic-secret
|
||||
labels:
|
||||
app: basic-secret
|
||||
@ -38,4 +38,10 @@ kubectl -n vault-example exec -it vault-example-0 sh
|
||||
vault secrets enable -path=secret/ kv
|
||||
vault kv put secret/basic-secret/helloworld username=dbuser password=sUp3rS3cUr3P@ssw0rd
|
||||
exit
|
||||
```
|
||||
|
||||
Lets deploy our app and see if it works:
|
||||
|
||||
```
|
||||
kubectl -n vault-example apply -f ./hashicorp/vault/example-apps/basic-secret/deployment.yaml
|
||||
```
|
||||
@ -0,0 +1,41 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: postgres-config
|
||||
labels:
|
||||
app: postgres
|
||||
data:
|
||||
POSTGRES_DB: postgresdb
|
||||
POSTGRES_USER: postgresadmin
|
||||
POSTGRES_PASSWORD: admin123
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: postgres
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: postgres
|
||||
replicas: 1
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: postgres
|
||||
spec:
|
||||
containers:
|
||||
- name: postgres
|
||||
image: postgres:10.4
|
||||
imagePullPolicy: "IfNotPresent"
|
||||
ports:
|
||||
- containerPort: 5432
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: postgres-config
|
||||
# volumeMounts:
|
||||
# - mountPath: /var/lib/postgresql/data
|
||||
# name: postgredb
|
||||
# volumes:
|
||||
# - name: postgredb
|
||||
# persistentVolumeClaim:
|
||||
# claimName: postgres-pv-claim
|
||||
68
hashicorp/vault/example-apps/dynamic-postgresql/readme.md
Normal file
68
hashicorp/vault/example-apps/dynamic-postgresql/readme.md
Normal file
@ -0,0 +1,68 @@
|
||||
# Dynamic Secret Creation [PostgreSQL]
|
||||
|
||||
|
||||
Enable the database engine
|
||||
|
||||
```
|
||||
kubectl -n vault-example exec -it vault-example-0 vault login
|
||||
kubectl -n vault-example exec -it vault-example-0 vault secrets enable database
|
||||
|
||||
#map connection details to a role
|
||||
kubectl -n vault-example exec -it vault-example-0 vault write database/config/my-postgresql-database \
|
||||
plugin_name=postgresql-database-plugin \
|
||||
allowed_roles="my-role" \
|
||||
connection_url="postgresql://{{username}}:{{password}}@localhost:5432/" \
|
||||
username="root" \
|
||||
password="root"
|
||||
|
||||
#create the role
|
||||
kubectl -n vault-example exec -it vault-example-0 vault write database/roles/my-role \
|
||||
db_name=my-postgresql-database \
|
||||
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
||||
GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
|
||||
default_ttl="1h" \
|
||||
max_ttl="24h"
|
||||
|
||||
```
|
||||
|
||||
```
|
||||
#Create a role for our app
|
||||
|
||||
kubectl -n vault-example exec -it vault-example-0 vault write auth/kubernetes/role/basic-secret-role \
|
||||
bound_service_account_names=basic-secret \
|
||||
bound_service_account_namespaces=vault-example \
|
||||
policies=basic-secret-policy \
|
||||
ttl=1h
|
||||
```
|
||||
|
||||
The above maps our Kubernetes service account, used by our pod, to a policy.
|
||||
Now lets create the policy to map our service account to a bunch of secrets
|
||||
|
||||
|
||||
```
|
||||
kubectl -n vault-example exec -it vault-example-0 sh
|
||||
cat <<EOF > /home/vault/app-policy.hcl
|
||||
path "secret/basic-secret/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
EOF
|
||||
vault policy write basic-secret-policy /home/vault/app-policy.hcl
|
||||
exit
|
||||
```
|
||||
|
||||
Now our service account for our pod can access all secrets under `secret/basic-secret/*`
|
||||
Lets create some secrets.
|
||||
|
||||
|
||||
```
|
||||
kubectl -n vault-example exec -it vault-example-0 sh
|
||||
vault secrets enable -path=secret/ kv
|
||||
vault kv put secret/basic-secret/helloworld username=dbuser password=sUp3rS3cUr3P@ssw0rd
|
||||
exit
|
||||
```
|
||||
|
||||
Lets deploy our app and see if it works:
|
||||
|
||||
```
|
||||
kubectl -n vault-example apply -f ./hashicorp/vault/example-apps/basic-secret/deployment.yaml
|
||||
```
|
||||
@ -4,6 +4,6 @@ metadata:
|
||||
name: vault-example-tls-secret
|
||||
type: Opaque
|
||||
data:
|
||||
vault-example.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVUVENDQXpXZ0F3SUJBZ0lVRU1JUSs4cFc3MDJjdzJUdFlYN2VmM2ZsUnYwd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VqRUxNQWtHQTFVRUJoTUNRVlV4RURBT0JnTlZCQWdUQjBWNFlXMXdiR1V4RWpBUUJnTlZCQWNUQ1UxbApiR0p2ZFhKdVpURVFNQTRHQTFVRUNoTUhSWGhoYlhCc1pURUxNQWtHQTFVRUN4TUNRMEV3SGhjTk1qQXdNekF4Ck1ETXlOakF3V2hjTk1qRXdNekF4TURNeU5qQXdXakJ4TVFzd0NRWURWUVFHRXdKQlZURVJNQThHQTFVRUNCTUkKVm1samRHOXlhV0V4RWpBUUJnTlZCQWNUQ1UxbGJHSnZkWEp1WlRFVE1CRUdBMVVFQ2hNS1MzVmlaWEp1WlhSbApjekVPTUF3R0ExVUVDeE1GVm1GMWJIUXhGakFVQmdOVkJBTVREWFpoZFd4MExXVjRZVzF3YkdVd2dnRWlNQTBHCkNTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEQ0VNaERwQ3RjZG9uVS9GT1BGdjIxb0xiejVMSU4KS1ppanNZM1EvWHVWZG8vY1pFSW9uazd5SFZJdTA1NU9xWTJDQnJiM2dwVHpDWVoxZFozb3lsRVdtV1hFakR5UQoyZEFPTFM2SEdoTUZLZ3FvYWlKV3pPb1JPeVhYakVXanBzTGQxWVdnVFRlY0FxMDN0R3lBVjY1WVg5dUpFY3hxCnpSMEFBVDdPZWh4aFNzSUMzeFFyczRNbURSbjdnSVNwTHErcU5RZmc3VEtMOEtleUNBNWFkMVZOWnJ3cktZZ1AKZlNwRUt6ZGhVSGZMaFlEa3M4L0NZUTFLZEJjMnc3THVSMnJDTm9ISmF5ajcwUnVpeUNubGErWU5MeHd4REhGNgpxbEFEUXh6SmZFNWtRRmljVS9HblpLV2dyNVoyNWhpYUdkZjQ2SDk1RE9lMzVzUi8rL21IcFlKbEFnTUJBQUdqCmdmc3dnZmd3RGdZRFZSMFBBUUgvQkFRREFnV2dNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUYKQlFjREFqQU1CZ05WSFJNQkFmOEVBakFBTUIwR0ExVWREZ1FXQkJROGk3VnFrWXRxclVYckp5c3dKL3NSc2dTYwpMREFmQmdOVkhTTUVHREFXZ0JRMVhlQVFUcG9xS25CbjNPQk5VQ1NVc0tYNk56QjVCZ05WSFJFRWNqQndnZzEyCllYVnNkQzFsZUdGdGNHeGxnaTEyWVhWc2RDMWxlR0Z0Y0d4bExuWmhkV3gwTFdWNFlXMXdiR1V1YzNaakxtTnMKZFhOMFpYSXViRzlqWVd5Q0gzWmhkV3gwTFdWNFlXMXdiR1V1ZG1GMWJIUXRaWGhoYlhCc1pTNXpkbU9DQ1d4dgpZMkZzYUc5emRJY0Vmd0FBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUNLUlJHYmw5OUxuYnFBbHlRRzd5CjNFcE1COXdmRUdtOG1hMzZwc05nODhPY1Q1K2hpWnRJR3hQT0w1dEJVRURWYWFjREtpaUg0WG1hdGN2THhHVmgKSW5NYXNIbHB2RlBoUTRONDdqdjBRMk1tL2x4ZzBuOGZTNjYwMU5LNkEycmxBNXl6blZBNGlxeVV5dzZ1K2NmVwpOL3gwWUtINTRLTlA5WEZhQy9aQStoWWNFSG5ZRGZHa01vYXZHVnE1ZnB5T2Zqd2dLT1llVDhTZkJ0VG9zRUNqCkFjR3FmVHp1VGlpSkozaFlNMVViMGVUdzVSU21Gc0tGNm5icG5RYnYzQm1iNjR1WStVbzZaYUM2RXh0SmsxcWYKcjVpbmxjTDA0Sk1UYVhVQ3lMSW5mdjZMZXVXTllldmpmN1dyblJiZ2xuUGJYVDEvazREVDJlWkRiaWFTVHNHcApGUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
|
||||
vault-example-key.pem: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBd2hESVE2UXJYSGFKMVB4VGp4Yjl0YUMyOCtTeURTbVlvN0dOMFAxN2xYYVAzR1JDCktKNU84aDFTTHRPZVRxbU5nZ2EyOTRLVTh3bUdkWFdkNk1wUkZwbGx4SXc4a05uUURpMHVoeG9UQlNvS3FHb2kKVnN6cUVUc2wxNHhGbzZiQzNkV0ZvRTAzbkFLdE43UnNnRmV1V0YvYmlSSE1hczBkQUFFK3pub2NZVXJDQXQ4VQpLN09ESmcwWis0Q0VxUzZ2cWpVSDRPMHlpL0Nuc2dnT1duZFZUV2E4S3ltSUQzMHFSQ3MzWVZCM3k0V0E1TFBQCndtRU5TblFYTnNPeTdrZHF3amFCeVdzbys5RWJvc2dwNVd2bURTOGNNUXh4ZXFwUUEwTWN5WHhPWkVCWW5GUHgKcDJTbG9LK1dkdVlZbWhuWCtPaC9lUXpudCtiRWYvdjVoNldDWlFJREFRQUJBb0lCQUh1UGNlTFhZU0JTL1BrVgoyeUhzOG9hMUdDZDdnZjR0Y05rd2tHbnpLcitFS0o2Yld5QS9nMlpXVXVBcnJzekkyYWRqSFJYRUY1QVNqWUMxCjdWK3RpU21KYTZsVDNMQWhibjNJT0txZWFHUE9XOURWR3A0SGhEU0tZMUsxSmhYSGRLVUhjVGdhVWdETUYzdXoKTGE0ZHBZenhJM2RIVk03Zlg4cUVBSGc0ZVY5YnZQdTN4M0NQNm9yV1l0bzZzbUhEcjN2ZkZPM0RMQnIwVHRzRwpVVS9mbjcrU1U3Y2FmQTRJemc0TTlKdXl2aHZzZm91SENCajVXczJvWWxOY2FoV2pxY0tGZnA0WUoya0hkK2dlClR4VlVIejBKTDIrY0pQdThLQ0IxdllKanlwRnhvRlRUZC81cXptK3ZsK2pRNUprY2Nxd3luaXJXYVVKRm5XU3kKank3dnlyVUNnWUVBMmkxRzhHM050YkJHZHFNeVJjQmdGUHZrNXVqTUlGT1hJNHNIVkZ1TEluYzF1MGZZNkR3dQpObEJzNmFCU0ZYOSsybk1seVFDMzlzelVyWlRQakRmRkZvcGczR2FpQ0hvY09yYUVFUWhPSDBWaVpUNGJjMWE0ClNuV3F6aWRhdmkzN3FMZjB2aXladCtsYmg2NllPUWxBSHFPSW4wUlhoUzk1TjBsTzlXYkhCUjhDZ1lFQTQ3VngKRFVSS2xWL1V3REJBa3F6cVpxSWdESklwdGRGL2Yvam9uUXlVYnBLM2llYWUyN3pmaHNLZEFTRGZBcHA5aTd5KwpST1NWdnNWUGRidU9vWGJKQWxzcVJlSVBYdmVYODdGWlluNVZhWkdVdjBteHlwQXZ0NTcrdFdWT1E1aGZydGNYCk1DMyttWFFUTkxhZUxGMThySW11UktENlBxNW1JVk5kS3hibjQvc0NnWUVBeFpFT2xoVzRtL2grTmx4ZDM4L3UKc2RIUVhGRWUxMzhhYy9NbnRmb1hxaVF0SWVSVHhTa0o1K0U0WHU3d3Bjc0lRaVRYYUljZ0QzczRjOTgzZW8vZQpCeVZUeFFHalpPMit0bVFrZjQvM3ZsV0VYbzI1S2Q2emo2bXgvSENpdVdqR1pPZi8xbDVvN0tPQ1lRRjNrdDZQCms2OGV2cXFTWG1hNDY1bVV5S0JEUkowQ2dZRUF3Y2llcmppbzlGZzZ1VmdYQy93bCt6UUw3RWJUUWsxSW9VTFYKeXhseWxHczkwUmkzcHE4azF3MTJDZ2pNWU8zUzNBSEROdVFGWC9XUXV0UGovUnNXMDI5OEdUN1o3K3Jyb05NVQpDNU1SNHlhbW5PZjlhektydVN1US9oUjV0MkxNUXdIL1ZOdy9xSjQwM2c1dnE3ZmZxd0g4a2FFaGRnaDdGKzlYCkFaMmJ1Tk1DZ1lBZWJEaTMrQ3VmQzFOOGlwWUdVS1hSOFRSaFJPdDlmTzdGYjJRM25NdE1UZUx2YzJxNXlaY3oKdThIVUZCbk56Mmx6WDV3N2VwOUtSNzhvRFhRaVZGTnBYY1JwYm9ONS9YZHNFbUlXemNlN0V4ZFI4TGE4TS9YcQpKazkwdis0T2ovd013enlBZm9ZT0NHZ3Y0ZWdCNmZ0MXRwMVBjUG1QcTZCcnF3am1wNERYYmc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
|
||||
ca.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURtRENDQW9DZ0F3SUJBZ0lVZnFKeTY5QXlnY1l5MGgvbC9XdTRkeVU4MlRFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VqRUxNQWtHQTFVRUJoTUNRVlV4RURBT0JnTlZCQWdUQjBWNFlXMXdiR1V4RWpBUUJnTlZCQWNUQ1UxbApiR0p2ZFhKdVpURVFNQTRHQTFVRUNoTUhSWGhoYlhCc1pURUxNQWtHQTFVRUN4TUNRMEV3SGhjTk1qQXdNekF4Ck1ETXlOVEF3V2hjTk1qVXdNakk0TURNeU5UQXdXakJTTVFzd0NRWURWUVFHRXdKQlZURVFNQTRHQTFVRUNCTUgKUlhoaGJYQnNaVEVTTUJBR0ExVUVCeE1KVFdWc1ltOTFjbTVsTVJBd0RnWURWUVFLRXdkRmVHRnRjR3hsTVFzdwpDUVlEVlFRTEV3SkRRVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNelVkWGlOCjRiN3dDK3JrRlFkTFlsclpleWttNkQrYk16T3B2N0JnZUkrdnIrVy9GZE9HR1ZkMnQwbWpDMVhvcWgrSCtERU0Kc3Z0bFpLOW9DT080RnlleUZuSXhqcktDNXp0REJJSlNJYzhYR2NjUTVFY1VXdDRiMnVOVXVKM1dMVFlYcFpFeApqVnd3YzY4aHJ6cC82TDVuMUJxVERxaWxCYk5JUi91OUdmeU40bWpXQlRUbzArTFhkakpkZ3BvOWxmWC83aEFhCnRxT0FIcFJqRWhJM0RreEZyREdSVlJsQ1ZBZlo2MWt5bFRWLzJNMW5CalJWU2RTbDlJK0lWeU4xbXpMM3AzTGwKQ3lwYWxpbGtTWS9LaTNsSFRpNnZGeEJ6c042c3N5SktmeDdpMVJmNDk2MjlKQWZNNXFad0x4enp5OFFNeEw0ZQpMN1VyYmdNMWgwRUhCa0VDQXdFQUFhTm1NR1F3RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIvd1FJCk1BWUJBZjhDQVFJd0hRWURWUjBPQkJZRUZEVmQ0QkJPbWlvcWNHZmM0RTFRSkpTd3BmbzNNQjhHQTFVZEl3UVkKTUJhQUZEVmQ0QkJPbWlvcWNHZmM0RTFRSkpTd3BmbzNNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFnMkZBWApnTUF4UXlndzVrcGkrSFpNWDg5K0QxQ1ptVHhGUXBhUk5vSzdOR1NTVGZLS1Z0Vjdaa1IxVVhJWVJhZTF0R2o2Cm1YeHRpOS9xd281ZlpBckNEaloyVVVNV29EVHFTNHY3ZGVaVmxiRmlVWnl2VXRPb0hjTEhhWitLdmlkVG0yL3UKMDJ0TjhscGtEMDFzeXU5akIyK2wrT01CMUtlRGpXNS8wcDk0ay8xMUd5U2dJRDF1RVVyaFUrai9CMFp1L09GegpXNE00akcrRWlsK1puMHpzcm1wVStmQk1RK20wQzFXZ05mU3NKU0FCYlZxSEVMQ05USUYzVG91V3lNdEE1YUZxCnJ1SFQwNUxxUzl6QVVKNTZ0Q2dqbGdHMDUrUG9FQjFSZUtvV1JURnBNQ0JSL0RxWjk4SnprRDNLYTJyVkMwOXgKUCs1TTNobzl0Q3J4SW42bQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
|
||||
vault-example.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVUVENDQXpXZ0F3SUJBZ0lVUkJaRmlSVXZnMTRJMFF6NkU0N3RJKzQ0R21Nd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VqRUxNQWtHQTFVRUJoTUNRVlV4RURBT0JnTlZCQWdUQjBWNFlXMXdiR1V4RWpBUUJnTlZCQWNUQ1UxbApiR0p2ZFhKdVpURVFNQTRHQTFVRUNoTUhSWGhoYlhCc1pURUxNQWtHQTFVRUN4TUNRMEV3SGhjTk1qQXdNekF5Ck1qSTBOakF3V2hjTk1qRXdNekF5TWpJME5qQXdXakJ4TVFzd0NRWURWUVFHRXdKQlZURVJNQThHQTFVRUNCTUkKVm1samRHOXlhV0V4RWpBUUJnTlZCQWNUQ1UxbGJHSnZkWEp1WlRFVE1CRUdBMVVFQ2hNS1MzVmlaWEp1WlhSbApjekVPTUF3R0ExVUVDeE1GVm1GMWJIUXhGakFVQmdOVkJBTVREWFpoZFd4MExXVjRZVzF3YkdVd2dnRWlNQTBHCkNTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDa2JHVHNzSEQ1N3FKVXVIRElsZGpsZHM5QytOWEoKZXpFekNkbEQwdFlsZkVtQU56eURFdnZqbTJielI1MnlCd1VxRGZkeElMdE0xYlQzVFZjYWdSWkVNWkJOVnBtWgpxMUh6aXV1ZkhJMnNVN1pBcmxFbnNyV25oZEdrb0lPd0FyUGl6NXZFVDVJYXh1bXQzUlc3b2hEaE9QdnF0M3ZsCmtBTW9LZXJvMm9QdWp0K0hoQ3ppVDNkMGdjNUlGZWZVbkNiTDBQUmpselBXeFdzQ1ByWDJpYmJaZzkzb2IvNFgKOHlTRVVmZlk4eC9aaytWZDRqZXc3TnhzYllZdGFhUkwzU0M2My9FNERpMkgxSWVtQkRFOGNBNGZiVGpEZGVqKwp5WGcwR1BvYTlWUkVsUlJjMEU1RUQ0eG9IRFFoTFFCeFJqWHJoT1Z1Mmp2cXlvR25OSHQ4MDViQkFnTUJBQUdqCmdmc3dnZmd3RGdZRFZSMFBBUUgvQkFRREFnV2dNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUYKQlFjREFqQU1CZ05WSFJNQkFmOEVBakFBTUIwR0ExVWREZ1FXQkJSeGg5U3JXTzhESlBkMjFqR091OW04d0Q1RQpSVEFmQmdOVkhTTUVHREFXZ0JUdDhnaDErS3pRZTc2N3I0cldaazhUU0FEc0REQjVCZ05WSFJFRWNqQndnZzEyCllYVnNkQzFsZUdGdGNHeGxnaTEyWVhWc2RDMWxlR0Z0Y0d4bExuWmhkV3gwTFdWNFlXMXdiR1V1YzNaakxtTnMKZFhOMFpYSXViRzlqWVd5Q0gzWmhkV3gwTFdWNFlXMXdiR1V1ZG1GMWJIUXRaWGhoYlhCc1pTNXpkbU9DQ1d4dgpZMkZzYUc5emRJY0Vmd0FBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWJ1V3VIbkJORnVKbCttSDlwVndhCnhDcGd4NHNPVDdZeFhJS2RXZ1QrREpPanlKYjFFMkt2ZTJLdVoxZ0tiazZua3pMRzlGZXlDbUFzNmdPTW95cmkKZm1uQ0QzR2FDaFV1OTNlVEtudlgxNVl5UDdoYldNaHVqT3c3Tmo2U0VpQkxTL08yanhHRkwzb0p6cWFRQTFtSwp3bjNsWGY0QVkyUTFFSWxuQ0JvU3lRTFRZS0lISUlNbk5GaWJjRG5jY0lUbG1IdktKd2hVTFk2REJ0WGR0QXFYCmgvam1OSVF4THZNSzFwL0JnRzZrai9XNlBkdXNoZjdLaWgvWU9La3N2WlJWZlhnRjdNeUZQR2NESXNLVk05bHUKRUdRQnBYcDJFa0NjNElXMmM5MGlPaU9wRlZqb0ZvSDFOVHE0TGM5RFk0WDNNa0FSck5RVitoa016M2M5bitWbwpDdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
|
||||
vault-example-key.pem: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBcEd4azdMQncrZTZpVkxod3lKWFk1WGJQUXZqVnlYc3hNd25aUTlMV0pYeEpnRGM4Cmd4TDc0NXRtODBlZHNnY0ZLZzMzY1NDN1ROVzA5MDFYR29FV1JER1FUVmFabWF0Ujg0cnJueHlOckZPMlFLNVIKSjdLMXA0WFJwS0NEc0FLejRzK2J4RStTR3NicHJkMFZ1NklRNFRqNzZyZDc1WkFES0NucTZOcUQ3bzdmaDRRcwo0azkzZElIT1NCWG4xSndteTlEMFk1Y3oxc1ZyQWo2MTlvbTIyWVBkNkcvK0YvTWtoRkgzMlBNZjJaUGxYZUkzCnNPemNiRzJHTFdta1M5MGd1dC94T0E0dGg5U0hwZ1F4UEhBT0gyMDR3M1hvL3NsNE5CajZHdlZVUkpVVVhOQk8KUkErTWFCdzBJUzBBY1VZMTY0VGxidG83NnNxQnB6UjdmTk9Xd1FJREFRQUJBb0lCQUJtY1NKd1ZYNE9PaC9wcQpRQ2IrTUNxTnR2clhoM1U2bXc4NEdYOVc5OFFlOTlQZ3hxd2o2TmdxL0g0b1NZZlJVQnljMEUzdXF6M3NpNk41CmlIZTRZNTk3bU41eS9yblExWkw1c0htNEdOa2VzT1NpUWtITXREN0R1VVBMUExmTnMvZEFIeU1Vd2MwcDdud0cKVTd4R0locnlwVXFLQ2VKWDdDWDFZWUdqaDZsQWwrYWR0YmFCaG1MSkRaek53WmZTcnlneVVPSnVjQXpOZCtxRwpxUXBmU1Y0c0Z6WGdQL3F3REtHcGg0anFYRnBFWkNCQzgyNE9rdUVQL0k2TVBrK3M5N2xjQXlmaWVGamRwT2E3CnVHUm1sV3BUNG9QZXNFTmF0YkNid1dsR25jamJtL1VxSldVRndJdjRFYlhlQ1JOVlRBM1VOSjlWMlRQVHFIRVUKb2FScFo0RUNnWUVBemhvWUR6R0c0S2xDdjAvclE4MDN5dHJwVzNqWEpOWlBNa1ZpcFNEUVV3MFp5SWpDeVdQWAo1WEhtaG1uc0I5YkpYbFpjK1pRTTBtalBYUGFOZXgzek1NSkp0L1VIM0Roc0FZL3dUOW0zQk1VbjhNeU4rWCt3CjFvUUhOMmZTSFhQNUx6bSs5YWQwUGpIRkVLOGlFQ2J1a1FmQkUwOGc0QjkyU3liN3F6VVM3RGNDZ1lFQXpEc2YKK0VTcUsvUEpleWs4Vmd1eTFISVNUY054d0htejVYcEpoTVYzRnRKTDJyM0l2dHloNGxiaExsenNlcHB5U3JsLwo3d3BlQW1aQklUblpia3dnVW9WVlR0VHdwT05TSEF1aEpNc1RFbzhBdnZGQ0hUQXMzbVQvcDBuT3hoTmgvbVdGCjJLSHgxakcxNUlBWHppWkZNNmhmY2lLcjV6QWZWMGpzR3hhRnlNY0NnWUJoWmUxMnlLWC81NTFXZ2JNaHdJcWMKUCtYRng0Nk1wd2FZTURnVTV6UHIrNlh5b2NiRG0zNTh2TjMvS1hGVXB3bFVucVdqZ0hhcXZNTTZJSDN0NzlKcwplWFNURGFYZ1NYMnBJMWVpdExXTCtJd09mT3lmT3R2Y0ZGckFzVHlYbEtYdXpuQlM4UWE3R1pRU2RXRTRsdDFwCkJtd1U3dkVQV1c3eXh3SnAvMVBvOHdLQmdGTVMwY1JKR2ZkYTZOL2lQQnE4RTNmN0ZwcnZIend0eFJGWkZzS2QKRi8zK2VNQjNaa3JNc0VUREZrR25wc0dRUldGRDUxZ3luVjdZZlRHb3VGcjNPRWFZMmNTQk5ZbTh0YytXbzJ1MQo5d0lialRBZUxzaDBxaXVrWmFHRWtrbGI1UVo0QVdQSEsvbjJxb2hSMmwwT2tDT2RINFhydUlVSHZCZmpIN2M5CkNCcE5Bb0dBYzdBUHh2UGRMemJlQkhmYTEvcFhkYm1VQ3hFd25YMEwwYWdSOUxpQk8wWmJmUHhwWFpKV2wrVDMKOXFMQWFwMFFQMFhpQU9RS3g2M1ZWcks1dDZRdzJUTlhSOWcrRnZDS1lwVkt0aHVvbU9yeUpTQ2pOTFFlVTBpTApKa1hVd3lPK0lhampVNVdCSk1lWSt1cTlFaW9jaUdNRU1ONDBWQUZhdzhTUnhaVlA4SDA9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
|
||||
ca.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURtRENDQW9DZ0F3SUJBZ0lVY0c2TVdaVDJka3Rla24vRk5XZUxQdG16SWp3d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VqRUxNQWtHQTFVRUJoTUNRVlV4RURBT0JnTlZCQWdUQjBWNFlXMXdiR1V4RWpBUUJnTlZCQWNUQ1UxbApiR0p2ZFhKdVpURVFNQTRHQTFVRUNoTUhSWGhoYlhCc1pURUxNQWtHQTFVRUN4TUNRMEV3SGhjTk1qQXdNekF5Ck1qSTBOakF3V2hjTk1qVXdNekF4TWpJME5qQXdXakJTTVFzd0NRWURWUVFHRXdKQlZURVFNQTRHQTFVRUNCTUgKUlhoaGJYQnNaVEVTTUJBR0ExVUVCeE1KVFdWc1ltOTFjbTVsTVJBd0RnWURWUVFLRXdkRmVHRnRjR3hsTVFzdwpDUVlEVlFRTEV3SkRRVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFLMm94UkFhCmF6MUs5VGVQdmxiL24rQUxOUCtET2h2eHorSHdxUXo0b0llSEV5NkEwUGZVcnVSRCtMcktrbTA4VVJyeXBKcjYKZXI3QWJKVmFqcXNNYXUxazQ3NTJkdFhzek9pcnlPUlpZeVFSTWF1M2MrK1VycnZHWi9nd2dSWGNleEhZRHlIYgptUDFTQjdiUXAzK2cvQ053OUVmL0N0dXFkMi8ydVc1clY4VFZYZldzMVNILyszT1VVY1ZzZ1E1RWYvbnVpOWN0CjhCT3JRUW5kQndjYWxYenlSV1A3MEswTXhleDU2M3UwU1pBTndYbWRLN21RcXVNREV6VEtwU0ZveC9RRTdIMDQKd3V3SHp1MFRiLzIwYlk2eWlzMVVRajJMSU02SDNHMU55TThNK2V2ZUJzaGxGckVQMzRRSWtzZldpVFl5RUdudwppT3N0MzBvekM1TkhkdDBDQXdFQUFhTm1NR1F3RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIvd1FJCk1BWUJBZjhDQVFJd0hRWURWUjBPQkJZRUZPM3lDSFg0ck5CN3ZydXZpdFptVHhOSUFPd01NQjhHQTFVZEl3UVkKTUJhQUZPM3lDSFg0ck5CN3ZydXZpdFptVHhOSUFPd01NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFjalE2YgpNRWZkWUQzd3FUUVhXY1ovYjFHTEFXWHNsTFU5VDYyNVJUUDV1MjFyc1FnaGJHWi9XcUgwT0JLa2FzVjc3c1JTCm9rRUJuVzd1UmpJbFBlS1pXS0tibHZ2ZGhyU2RDRmpraUVVYTBLdHkwNWtQTWt6bnhTdENQMzg3S2dQWWhYa0wKZGVlVkpwWFFURzZkNGx5blBUNDZmbmFvSjRoU052Y1RZdHUweXFBT3NqdEhuM2NMeW1GbS96L1U4cEZONWtTVApocUdSanhWbldQN09scW5hQ0txSjJuZDFwUUlMcWp5bFNScURrYzI0WXhHcVRPM3cyRndPS2VPbmhPelRpWk0yCk83WFVGMmE0cnNHQUdEejNQMEVENlJJZFpaWWRwQWwyN2VrZTJsSXFHTHBBcGJGMHJjUVg0aEdIUkZqaUt3WTgKU2F6YWM2cm8zRThIN3h3SwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
|
||||
|
||||
@ -1,32 +1,46 @@
|
||||
|
||||
|
||||
cd ./hashicorp/vault/tls/
|
||||
|
||||
docker run -it --rm -v ${PWD}:/work -w /work debian:buster bash
|
||||
apt-get update && apt-get install -y curl &&
|
||||
curl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl && \
|
||||
curl https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson && \
|
||||
chmod +x /usr/local/bin/cfssl && \
|
||||
chmod +x /usr/local/bin/cfssljson
|
||||
|
||||
#generate certificate
|
||||
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
|
||||
cfssl gencert \
|
||||
-ca=ca.pem \
|
||||
-ca-key=ca-key.pem \
|
||||
-config=ca-config.json \
|
||||
-hostname="vault-example,vault-example.vault-example.svc.cluster.local,vault-example.vault-example.svc,localhost,127.0.0.1" \
|
||||
-profile=default \
|
||||
vault-csr.json | cfssljson -bare vault-example
|
||||
|
||||
#get values to make a secret
|
||||
cat ca.pem | base64 | tr -d '\n'
|
||||
cat vault-example.pem | base64 | tr -d '\n'
|
||||
cat vault-example-key.pem | base64 | tr -d '\n'
|
||||
|
||||
#TEST
|
||||
vault operator init #grab keys
|
||||
vault operator unseal #unseal 3 times
|
||||
|
||||
vault login
|
||||
vault kv put cubbyhole/hello foo=world
|
||||
|
||||
|
||||
cd ./hashicorp/vault/tls/
|
||||
|
||||
docker run -it --rm -v ${PWD}:/work -w /work debian:buster bash
|
||||
apt-get update && apt-get install -y curl &&
|
||||
curl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl && \
|
||||
curl https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson && \
|
||||
chmod +x /usr/local/bin/cfssl && \
|
||||
chmod +x /usr/local/bin/cfssljson
|
||||
|
||||
#generate certificate
|
||||
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
|
||||
cfssl gencert \
|
||||
-ca=ca.pem \
|
||||
-ca-key=ca-key.pem \
|
||||
-config=ca-config.json \
|
||||
-hostname="vault-example,vault-example.vault-example.svc.cluster.local,vault-example.vault-example.svc,localhost,127.0.0.1" \
|
||||
-profile=default \
|
||||
vault-csr.json | cfssljson -bare vault-example
|
||||
|
||||
#get values to make a secret
|
||||
cat ca.pem | base64 | tr -d '\n'
|
||||
cat vault-example.pem | base64 | tr -d '\n'
|
||||
cat vault-example-key.pem | base64 | tr -d '\n'
|
||||
|
||||
#linux - make the secret automatically
|
||||
cat <<EOF > ./server-tls-secret.yaml
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: vault-example-tls-secret
|
||||
type: Opaque
|
||||
data:
|
||||
vault-example.pem: $(cat vault-example.pem | base64 | tr -d '\n')
|
||||
vault-example-key.pem: $(cat vault-example-key.pem | base64 | tr -d '\n')
|
||||
ca.pem: $(cat ca.pem | base64 | tr -d '\n')
|
||||
EOF
|
||||
|
||||
|
||||
#TEST
|
||||
vault operator init #grab keys
|
||||
vault operator unseal #unseal 3 times
|
||||
|
||||
vault login
|
||||
vault kv put cubbyhole/hello foo=world
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user