k8s_name=kind-$(date +"%y%m%d%H%M")
cat <<EOF | kind create cluster --config -
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: ${k8s_name}
nodes:
Alan McGinlay amcginlay
amcginlay
/ smallstep-tlspk.md
Last active
February 20, 2023 17:44
amcginlay
/ k8s-vault-pki.md
Last active
March 14, 2023 11:54
How to enable PKI in K8s Vault for specified subdomains
amcginlay
/ cert-manager-vault-tlspc.md
Last active
February 10, 2023 09:49
The following instructions have been tested using a KinD cluster and uses the Venafi Secrets Engine for HashiCorp Vault
install vault (dev mode)
helm repo add hashicorp https://helm.releases.hashicorp.com
helm -n vault install vault hashicorp/vault --create-namespace \
--set "server.dev.enabled=true" \
--set "server.extraArgs=-dev-plugin-dir=/vault/plugins/" \
amcginlay
/ kind-csi-driver-tlspc.md
Last active
December 22, 2022 15:37
amcginlay
/ pomerium_okta.md
Last active
December 21, 2022 16:09
Okta authentication through the Pomerium Ingress Controller
- Head to https://dev-NNNNNNNN-admin.okta.com/admin/apps/active
- Click "Create App Integration", leaving ALL as default except the following:
- Sign-in method: "OIDC - OpenID Connect"
- Application Type: "Web Application"
- App integration name: "pomerium-test" (or similar)
- Grant type: select "Refresh Token"
- Sign-in redirect URIs: "https://authenticate./oauth2/callback"
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # From https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux | |
| sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: cert-manager.io/v1 | |
| kind: Certificate | |
| metadata: | |
| name: www081050-jetstack-mcginlay-net | |
| spec: | |
| secretName: www081050-jetstack-mcginlay-net-tls | |
| dnsNames: | |
| - www081050.jetstack.mcginlay.net | |
| issuerRef: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: cert-manager.io/v1 | |
| kind: ClusterIssuer | |
| metadata: | |
| name: self-signed | |
| spec: | |
| selfSigned: {} |
amcginlay
/ policy.yaml
Last active
November 11, 2022 12:32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: policy.cert-manager.io/v1alpha1 | |
| kind: CertificateRequestPolicy | |
| metadata: | |
| name: accept-all | |
| spec: | |
| allowed: | |
| dnsNames: | |
| values: | |
| - "*" |
amcginlay
/ kind-cluster-enterprise-tlspk.md
Last active
February 16, 2023 11:42
Adding a new cluster to Enterprise Jetstack Secure