Update - resolved here -> hashicorp/consul#7024
The goal of this test was to be able to demonstrate a productionised version of a Consul Connect Envoy Service.
All online examples today rely on Docker and no TLS - many customers still don't allow Docker in production (I know, unbelieveable!). So I was attempting to running the Envoy proxy directly on Ubuntu without Docker.
| Certificate Authority (CA) Server | Host Server(s) | Client(s) |
|---|---|---|
| Host Server Certificate Configuration | ||
| This is the server typically managed by a security team. The root CA private keys are held on this server and should be protected. If these keys are compromised it will be necessary to Revoke & Rotate/Recreate ALL Certificates!! | These are the servers that are being built or reprovisioned. The Host CA Signed Certificate is used to prove Host Authenticity to clients. It is sent to the ssh client during the initial handshake when a ssh client attempts to login. | The user laptop or server that's runing the ssh client. The Client CA Signed Certificate is used to prove Client Authenticity to the Host Server |
Step 1. Create HOST CA signing keys : Example ssh-keygen -t rsa -N '' -C HOST-CA -b 4096 -f host-ca |
Step 2. Let's generate a fresh set of ssh RSA HOST keys with 4096 bits. Typically the keys are generated by default |
| #!/usr/bin/env bash | |
| set -x | |
| update_key_in_json_file () { | |
| cat ${1} | |
| mv ${1} temp.json | |
| jq -r "${2} |= ${3}" temp.json > ${1} | |
| rm temp.json | |
| cat ${1} |
I quite often hit the following issue when building new servers and then trying to download repositiories from github.com
graham@leader01:~ $ git clone [email protected]:allthingsclowd/web_page_counter.git
Cloning into 'web_page_counter'...
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
#HASHICORP VAULT TRANSIT KEYS with ENCRYPTION and DECRYPTION example
Policy to create, update a transit key and encrypt/decrypt data
name: shared_transit_create
``` hcl
path "shared/transit/*" {
leader01: + echo 'Creating factory user to run the factory service'
leader01: Creating factory user to run the factory service
leader01: + sudo useradd --system --home /etc/factory.d --shell /bin/false factory
leader01: + sudo mkdir --parents /opt/factory /usr/local/factory /etc/factory.d
leader01: + sudo chown --recursive factory:factory /opt/factory /etc/factory.d /usr/local/factory
leader01: + sudo tee /etc/systemd/system/factory.service
leader01: ### BEGIN INIT INFO
leader01: # Provides: factory
leader01: # Required-Start:
Built base environment using HashiCorp's Learn Website
ubuntu@ip-192-168-100-194:~$ export VAULT_ADDR=http://127.0.0.1:8200
ubuntu@ip-192-168-100-194:~$ vault status
I hereby claim:
To claim this, I am signing this object:
vault_approle_demo $ git clone [email protected]:allthingsclowd/vault_approle.git .
Cloning into '.'...
remote: Counting objects: 56, done.
remote: Compressing objects: 100% (42/42), done.
remote: Total 56 (delta 13), reused 52 (delta 12), pack-reused 0
Receiving objects: 100% (56/56), 11.34 KiB | 829.00 KiB/s, done.
Resolving deltas: 100% (13/13), done.
vault_approle_demo $ vagrant up
Bringing machine 'vault01' up with 'virtualbox' provider...
VYOS 1.1.8 image pre-wrapped for use/import into Fujitsu Cloud Service K5 IaaS
Log into the Fujitsu K5 IaaS Portal, navigate to storage -> object storage and create a new container to hold the vyos vmdk image
Upload the included vyos_1.1.8.vmdk image into the container created above
Now select Import/Export -> VMImport, and select the container where the image has just been uploaded and complete the remaining fields
