- Head to https://dev-NNNNNNNN-admin.okta.com/admin/apps/active
- Click "Create App Integration", leaving ALL as default except the following:
- Sign-in method: "OIDC - OpenID Connect"
- Application Type: "Web Application"
- App integration name: "pomerium-test" (or similar)
- Grant type: select "Refresh Token"
- Sign-in redirect URIs: "https://authenticate./oauth2/callback"
Alan McGinlay amcginlay
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: cert-manager.io/v1 | |
| kind: Certificate | |
| metadata: | |
| name: www081050-jetstack-mcginlay-net | |
| spec: | |
| secretName: www081050-jetstack-mcginlay-net-tls | |
| dnsNames: | |
| - www081050.jetstack.mcginlay.net | |
| issuerRef: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # From https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux | |
| sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80 |
amcginlay
/ pomerium_okta.md
Last active
December 21, 2022 16:09
Okta authentication through the Pomerium Ingress Controller
amcginlay
/ kind-csi-driver-tlspc.md
Last active
December 22, 2022 15:37
amcginlay
/ cert-manager-vault-tlspc.md
Last active
February 10, 2023 09:49
The following instructions have been tested using a KinD cluster and uses the Venafi Secrets Engine for HashiCorp Vault
install vault (dev mode)
helm repo add hashicorp https://helm.releases.hashicorp.com
helm -n vault install vault hashicorp/vault --create-namespace \
--set "server.dev.enabled=true" \
--set "server.extraArgs=-dev-plugin-dir=/vault/plugins/" \
amcginlay
/ k8s-vault-pki.md
Last active
March 14, 2023 11:54
How to enable PKI in K8s Vault for specified subdomains
amcginlay
/ smallstep-tlspk.md
Last active
February 20, 2023 17:44
amcginlay
/ vei-tlspc-vault.md
Last active
March 8, 2023 13:07
Terminology:
- TLSPK: TLS Protect for Kubernetes (previously Jetstack Secure or JSS)
- TLSPC: TLS Protect Cloud (previously Venafi as a Service or VaaS)
- TLSP: TLS Protect Data Centre (previously Venafi Trust Protection Platform or TPP)
- VEI: Venafi Enhanced Issuer (not to be confused with the native cert-manager issuer for Venafi)
cert-manager's native Venafi issuer requires Kubernetes secrets to hold Venafi credentials (e.g. API keys). Ideally you wish to eliminate the use of all secrets as these create a potential attack vector.
amcginlay
/ openshift.md
Last active
September 26, 2023 11:25
Create a Cloud9 jumpbox using Step 01-03 here. This box will sufficient AWS privileges, for example, EC2 and Route53.
Inspired by Installing a cluster quickly on AWS
amcginlay
/ minimizing-jsctl.md
Last active
March 5, 2023 13:56
Minimizing the use of the jsctl CLI gives you more flexibility.
For example:
- You get to install whatever version of js-operator you desire
- You force yourself to get familiar with the controller's Installation manifest, which jsctl otherwise attempts to abstract away