Chris DeLashmutt cdelashmutt-pivotal

$(om -t <opsman-host> -u <admin-user> -p <admin-password> curl -s --path /api/v0/deployed/director/manifest | convertfrom-json | select -expand instance_groups | where {$_.name -eq 'bosh'} | select -expand properties | select -expand director | select -expand trusted_certs).Trim() -split '(?<!^)(?=-----BEGIN CERTIFICATE-----)' | where {$_ -ne ''} | foreach {$i=0} { $i++; $certArray = $_.Trim() -split '\n'; $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate; $cert.Import([System.Convert]::FromBase64String(-join $certArray[1..($certArray.Length-2)])); Write-Host "Cert[$i]: $($cert.Subject) - $($cert.GetExpirationDateString())" }
cdelashmutt-pivotal / ISTIO 1.4 on PKS with PSPs.md
Last active December 5, 2019 23:41 — forked from svrc/ISTIO 1.4 on PKS with PSPs.md
Installing Istio 1.4 on PKS with restrictive Pod Security Policy

What does this GIST do or not do

  1. Shows you how to use Istio 1.4 on Kubernetes 1.14+ with a modicum of runtime security for your workloads.
  2. Specifically it installs Istio with CNI support, and allows the use of restrictive PodSecurityPolicies for your workloads.
  3. It is designed for VMware PKS, but doesn't require it ... (just change the CNI bin dir and excluded namespaces in values-cni.yml, also swap the ClusterRole pks-privileged and pks-restricted mentioned throughout these files with your own PSP roles).
  4. It doesn't fix the need for Istio itself to run as root, but that should be fixed in a future Istio release as it's already fixed in trunk.

Prerequisites

  1. You are logged into your cluster as a cluster admin, K8s 1.14 at least
cdelashmutt-pivotal / get-props.sh
Last active July 10, 2018 18:48
OpsMan API Call to convert retrieved properties on a staged time to the format needed for setting those properties
#!/bin/bash
opsman_host_or_ip=YOUR_OPSMAN_IP_OR_HOSTNAME
uaac target "https://$opsman_host_or_ip/uaa" --skip-ssl-validation
uaac token owner get opsman <OPS-MAN-ADMIN-USER>
#Client secret: JUST_PRESS_ENTER
#Password: YOUR_PASSWORD_HERE
access_token=$(uaac context | grep access_token | tr -d " " | cut -d ':' -f 2)
cdelashmutt-pivotal / Vagrantfile
Created February 20, 2017 22:10
PCFDev-v0.24+PCF1.9.0 Windows Cell
# -*- mode: ruby -*-
# vi: set ft=ruby :
# Get the IP of the PCF Dev instance and put the Windows cell on the same subnet
# PCFDev creates a host only network in a predictable pattern
subnet = `vboxmanage list hostonlyifs`.split("\n").select { |i| i.start_with?('Name') }.map { |i| i.split(' ')[1] }.sort.reverse![0][7].to_i * 11 + 11
pcfdev_public_ip = ENV['PCFDEV_IP'] || "192.168.#{subnet}.11"
wincell_public_ip = ENV['WIN_PCFDEV_IP'] || "#{pcfdev_public_ip}1"
# Configure the PCFDev instance to support a Windows cell
cdelashmutt-pivotal / rulebase.yml
Last active October 10, 2016 18:50
Notional Rulebase config file?
---
- "Web Profile":
app_type: java
file_type: config
refactor_rating: 0
description: "Web application config file"
files:
- "persistence.xml": { description: "JPA based ORM" }
- "web.xml"
- "applicationContext.xml": { description: "Spring application config file" }
cdelashmutt-pivotal / AppInitializer.java
Created July 23, 2015 18:23
WebApplicationInitializer example
package io.pivotal.demo.slimwebsocket;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
public class AppInitializer
extends AbstractAnnotationConfigDispatcherServletInitializer {
protected Class<?>[] getRootConfigClasses() { return new Class[] {AppConfig.class};}
protected Class<?>[] getServletConfigClasses() { return new Class[] {WebConfig.class, WebSocketConfig.class};}
cdelashmutt-pivotal / Jenkins-CF-Zero-Downtime-Push
Last active July 19, 2018 20:45
Jenkins Zero downtime CF Push
PLATFORM='unknown'
UNAMESTR=`uname`
if [[ "$UNAMESTR" == 'Darwin' ]]; then
platform='Mac'
fi
CF_USER="payment-services"
CF_ORG="payment-services"
CF_SPACE="danger zone"
CF_DOMAIN="apps-np.homedepot.com"
#!/bin/sh
# Example of how to run a single errand in BOSH
# Password is what you set in the web UI when you first set up Ops Manager
ssh tempest@<ops-man-vm-ip>
cd /var/tempest/workspaces/default/deployments
# The actual file you use below depends on the product you want to target
# (usually the Elastic Runtime), and the number of times you have installed.
cdelashmutt-pivotal / extract-defaults.rb
Last active August 29, 2015 14:20
Extract all defaults from PCF product metadata
require 'yaml'
data_hash = YAML.load_file(ARGV[0])
# For each job type, collect the default value of every resource definition
data_hash["job_types"].each { |job|
  job_name = job["name"]
  resource_hash = {}
  job["resource_definitions"].each { |resdef|
    resource_hash[resdef["name"]] = resdef["default"]
  }
  print job_name, resource_hash
}