$ aws lambda invoke --function-name test_lambda --invocation-type RequestResponse --log-type Tail - | jq '.LogResult' -r | base64 --decode
START RequestId: 760a31c6-8ba4-48ac-9a8f-0cf0ec7bf7ac Version: $LATEST
2019-04-27T20:14:23.630Z 760a31c6-8ba4-48ac-9a8f-0cf0ec7bf7ac Hello world!
END RequestId: 760a31c6-8ba4-48ac-9a8f-0cf0ec7bf7ac
REPORT RequestId: 760a31c6-8ba4-48ac-9a8f-0cf0ec7bf7ac Duration: 75.06 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 48 MB
$ terraform destroy
data.archive_file.lambda_zip: Refreshing state...
aws_iam_role.iam_for_lambda_tf: Refreshing state... (ID: iam_for_lambda_tf)
aws_lambda_function.test_lambda: Refreshing state... (ID: test_lambda)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:
$ minikube start
😄  minikube v1.0.0 on linux (amd64)
🤹  Downloading Kubernetes v1.14.0 images in the background ...
💡  Tip: Use 'minikube start -p <name>' to create a new cluster, or 'minikube delete' to delete this one.
🔄  Restarting existing virtualbox VM for "minikube" ...
⌛  Waiting for SSH access ...
📶  "minikube" IP address is 192.168.99.102
🐳  Configuring Docker as the container runtime ...
🐳  Version of container runtime is 18.06.2-ce
⌛  Waiting for image downloads to complete ...
# Generate the CA
$ cfssl gencert -initca certs/config/ca-csr.json | cfssljson -bare certs/ca

# Generate the certificate for Consul
$ cfssl gencert \
    -ca=certs/ca.pem \
    -ca-key=certs/ca-key.pem \
    -config=certs/config/ca-config.json \
    -profile=default \
    certs/config/consul-csr.json | cfssljson -bare certs/consul
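The three JSON files that the cfssl commands read from certs/config/ are not shown on the page. The following is an added example (not code from the original post) that writes them with contents chosen to fit the commands above: a signing profile named default, as the -profile flag requires, and a server CSR whose SANs cover server.dc1.consul (the name Consul's verify_server_hostname check looks for), the in-cluster name server.dc1.cluster.local used later on the page, and loopback. The organization name, the ECDSA P-256 key type and the one-year expiry are assumptions; it then runs the page's cfssl commands only if cfssl is installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes the three cfssl
# inputs the commands above expect under certs/config/. All values are
# assumptions chosen to match those commands:
#   - profile "default" matches -profile=default
#   - CSR hosts cover server.dc1.consul (checked by verify_server_hostname),
#     server.dc1.cluster.local (the in-cluster name used on the page) and
#     loopback for a local agent
set -eu

write_cfssl_configs() {
  dir="$1"
  mkdir -p "$dir/config"

  # Signing policy: one profile with a bounded lifetime, valid for both
  # server and client auth because Consul agents act as both.
  cat >"$dir/config/ca-config.json" <<'EOF'
{
  "signing": {
    "default": { "expiry": "8760h" },
    "profiles": {
      "default": {
        "expiry": "8760h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
EOF

  # CA request. ECDSA P-256 keeps keys small and is supported by Consul and Vault.
  cat >"$dir/config/ca-csr.json" <<'EOF'
{
  "CN": "Consul CA",
  "key": { "algo": "ecdsa", "size": 256 },
  "names": [{ "O": "example.internal" }]
}
EOF

  # Server request. Without server.<dc>.<domain> in the SANs, agents running
  # with verify_server_hostname = true refuse to treat this node as a server.
  cat >"$dir/config/consul-csr.json" <<'EOF'
{
  "CN": "server.dc1.consul",
  "hosts": [
    "server.dc1.consul",
    "server.dc1.cluster.local",
    "localhost",
    "127.0.0.1"
  ],
  "key": { "algo": "ecdsa", "size": 256 },
  "names": [{ "O": "example.internal" }]
}
EOF
}

# Issue the CA and the server certificate exactly as on the page. Skipped
# when cfssl is not installed so the config generation can still be exercised.
issue_with_cfssl() {
  dir="$1"
  if ! command -v cfssl >/dev/null 2>&1 || ! command -v cfssljson >/dev/null 2>&1; then
    echo "cfssl/cfssljson not installed, skipping issuance" >&2
    return 0
  fi
  cfssl gencert -initca "$dir/config/ca-csr.json" | cfssljson -bare "$dir/ca"
  cfssl gencert \
    -ca="$dir/ca.pem" \
    -ca-key="$dir/ca-key.pem" \
    -config="$dir/config/ca-config.json" \
    -profile=default \
    "$dir/config/consul-csr.json" | cfssljson -bare "$dir/consul"
}

if [ "${1:-}" = "run" ]; then
  write_cfssl_configs certs
  issue_with_cfssl certs
fi
```

Run it as `sh cfssl-setup.sh run` from the directory that should contain certs/. The CA key ends up in certs/ca-key.pem next to everything else; keep it out of the Kubernetes secrets created later and out of version control.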
$ consul tls ca create
==> Saved consul-agent-ca.pem
==> Saved consul-agent-ca-key.pem

$ consul tls cert create -server -additional-dnsname server.dc1.cluster.local
==> WARNING: Server Certificates grants authority to become a
    server and access all state in the cluster including root keys
    and all ACL tokens. Do not distribute them to production hosts
    that are not server nodes. Store them as securely as CA keys.
==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
# Create the secret for the gossip protocol
$ export GOSSIP_ENCRYPTION_KEY=$(consul keygen)

# Create a Kubernetes secret with the certificates and the gossip encryption key.
# Every Consul server mounts it; this is what lets them talk to each other
# and join the cluster.
$ kubectl create secret generic consul \
    --from-literal="gossip-encryption-key=${GOSSIP_ENCRYPTION_KEY}" \
    --from-file=certs/consul-agent-ca.pem \
    --from-file=certs/dc1-server-consul-0.pem \
    --from-file=certs/dc1-server-consul-0-key.pem
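The same two steps as an added example (not code from the original post), with two changes a practitioner would want: the key is checked to be a size Consul's gossip layer accepts before it is stored, and it is handed to kubectl through a private temp file instead of --from-literal, which puts the key on the command line where it is visible in the process list and, when typed interactively, in shell history. The secret name, the file names and the certs/ directory follow the page; the temp-file approach and the key-file name that pairs with the server certificate are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps "consul keygen" and
# "kubectl create secret generic consul" with a key-size check and keeps the
# key off the kubectl command line. Secret name and file names follow the
# page; the temp-file handling is this example's own choice.
set -eu

# Consul accepts 16-, 24- or 32-byte gossip keys (AES-128/192/256),
# base64-encoded. Returns 0 when KEY decodes to one of those sizes.
valid_gossip_key() {
  key="$1"
  n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c)
  n=$((n + 0))   # drop the padding some wc implementations print
  case "$n" in
    16|24|32) return 0 ;;
    *) return 1 ;;
  esac
}

# consul keygen when it is installed; otherwise 32 bytes from the kernel
# CSPRNG, base64-encoded, which is what consul keygen produces.
make_gossip_key() {
  if command -v consul >/dev/null 2>&1; then
    consul keygen
  else
    head -c 32 /dev/urandom | base64 | tr -d '\n'
  fi
}

# Create the "consul" secret. The key is written to a 0600 temp file that
# kubectl reads; the file is removed whether or not kubectl succeeds.
create_consul_secret() {
  key="$1"
  certdir="${2:-certs}"
  valid_gossip_key "$key" || { echo "refusing to store a malformed gossip key" >&2; return 1; }
  keyfile=$(mktemp)
  chmod 600 "$keyfile"
  printf '%s' "$key" >"$keyfile"
  rc=0
  kubectl create secret generic consul \
    --from-file="gossip-encryption-key=$keyfile" \
    --from-file="$certdir/consul-agent-ca.pem" \
    --from-file="$certdir/dc1-server-consul-0.pem" \
    --from-file="$certdir/dc1-server-consul-0-key.pem" || rc=$?
  rm -f "$keyfile"
  return "$rc"
}

if [ "${1:-}" = "run" ]; then
  create_consul_secret "$(make_gossip_key)"
fi
```

The size check matters because Consul only reports a bad key when the agent starts, which in a StatefulSet shows up as a crash loop rather than an error at secret-creation time.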
# Store the certs for Vault
$ kubectl create secret generic vault \
    --from-file=certs/consul-agent-ca.pem \
    --from-file=certs/dc1-client-consul-0.pem \
    --from-file=certs/dc1-client-consul-0-key.pem
secret/vault created

# Store the config as a ConfigMap
$ kubectl create configmap vault --from-file=vault/config.json
configmap/vault created
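The page does not show vault/config.json or the matching Consul server configuration, which is where the certificates stored above are actually consumed. The following added example (not code from the original post) renders both with TLS verification switched on in each direction and includes a check that rejects a Consul config before it goes into a ConfigMap if a referenced TLS file is missing or any verify_* switch is off. The mount path /etc/tls, the Consul address 127.0.0.1:8501 (a Consul client agent running beside Vault, so the localhost SAN on the agent certificates matches) and the vault/ storage prefix are assumptions; the file names are the ones stored in the secrets above.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders the Consul server
# and Vault configs that consume the "consul" and "vault" secrets, and
# checks a Consul config before it is stored in a ConfigMap. Mount path
# /etc/tls, the Consul address 127.0.0.1:8501 and the "vault/" prefix are
# assumptions; file names match the secrets created above.
set -eu

# Consul server: HTTPS only, client certificates required on incoming
# connections, server identity verified on outgoing RPC. The gossip key is
# deliberately not embedded so this file can live in a ConfigMap; pass it
# from the secret at start-up (consul agent ... -encrypt="$GOSSIP_ENCRYPTION_KEY").
render_consul_config() {
  out="$1"
  cat >"$out" <<'EOF'
{
  "datacenter": "dc1",
  "server": true,
  "ca_file": "/etc/tls/consul-agent-ca.pem",
  "cert_file": "/etc/tls/dc1-server-consul-0.pem",
  "key_file": "/etc/tls/dc1-server-consul-0-key.pem",
  "verify_incoming": true,
  "verify_outgoing": true,
  "verify_server_hostname": true,
  "ports": { "http": -1, "https": 8501 }
}
EOF
}

# Vault: Consul storage over mutual TLS using the client certificate from
# the "vault" secret. tls_disable on the listener is the weak point of this
# setup; it is only acceptable while TLS terminates in front of the pod,
# otherwise replace it with tls_cert_file and tls_key_file.
render_vault_config() {
  out="$1"
  cat >"$out" <<'EOF'
{
  "storage": {
    "consul": {
      "address": "127.0.0.1:8501",
      "scheme": "https",
      "path": "vault/",
      "tls_ca_file": "/etc/tls/consul-agent-ca.pem",
      "tls_cert_file": "/etc/tls/dc1-client-consul-0.pem",
      "tls_key_file": "/etc/tls/dc1-client-consul-0-key.pem"
    }
  },
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_disable": true
    }
  }
}
EOF
}

# Reject a Consul config that points at a missing TLS file or has any of the
# verify_* switches turned off. ROOT is prepended to the absolute paths so
# the check can run against a staging directory before deployment.
check_consul_config() {
  cfg="$1"
  root="${2:-}"
  for key in ca_file cert_file key_file; do
    f=$(sed -n "s/.*\"$key\": *\"\([^\"]*\)\".*/\1/p" "$cfg")
    [ -n "$f" ] && [ -f "$root$f" ] || { echo "$key missing or unreadable: $root$f" >&2; return 1; }
  done
  for key in verify_incoming verify_outgoing verify_server_hostname; do
    grep -q "\"$key\": *true" "$cfg" || { echo "$key must be true" >&2; return 1; }
  done
  return 0
}

if [ "${1:-}" = "run" ]; then
  mkdir -p consul vault
  render_consul_config consul/config.json
  render_vault_config vault/config.json
  check_consul_config consul/config.json
fi
```

With verify_incoming set, Consul demands a client certificate on the HTTPS API as well as on RPC, which is exactly why the page issues a separate client certificate for Vault instead of reusing the server one.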
# For this to work we need to enable the path /secret with KV version 1
$ vault secrets enable -path=secret -version=1 kv

# Then create a separate certificate for our client (important in case we need or want to revoke it later)
$ consul tls cert create -client -additional-dnsname vault
==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved dc1-client-consul-1.pem
==> Saved dc1-client-consul-1-key.pem

# And store the certs as a Kubernetes secret so our pod can use them
$ cat vault-auth-service-account.yml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
# Create a policy file, myapp-kv-ro.hcl
$ tee myapp-kv-ro.hcl <<EOF
# If working with K/V v1
path "secret/myapp/*" {
  capabilities = ["read", "list"]
}

# If working with K/V v2
path "secret/data/myapp/*" {
  capabilities = ["read", "list"]
}
EOF
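The two variants in the policy above exist because KV v1 and KV v2 expose different API paths, and there is one more difference the heredoc does not show: under KV v2, list requests are served from the metadata/ prefix, so a policy that only grants the data/ path lets `vault kv get` succeed while `vault kv list` is denied. The following added example (not code from the original post) generates the read-only rules for either engine version and, when a logged-in vault CLI and jq are available, detects the version of the mount and writes the policy. The mount name secret and the prefix myapp follow the page; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Produces the read-only KV
# policy paths for engine version 1 or 2 and, optionally, writes the policy
# for whichever version a mount actually runs. Mount "secret" and prefix
# "myapp" follow the page; the helper names are this example's own.
set -eu

# Print the path stanzas of a read-only policy for PREFIX on the KV mount
# MOUNT running engine VERSION (1 or 2).
kv_policy_paths() {
  version="$1"
  mount="$2"
  prefix="$3"
  case "$version" in
    1)
      # KV v1: reads and lists share the same path
      printf 'path "%s/%s/*" {\n  capabilities = ["read", "list"]\n}\n' "$mount" "$prefix"
      ;;
    2)
      # KV v2: data/ answers reads (vault kv get); metadata/ answers lists
      # and version history (vault kv list, vault kv metadata get)
      printf 'path "%s/data/%s/*" {\n  capabilities = ["read"]\n}\n' "$mount" "$prefix"
      printf 'path "%s/metadata/%s/*" {\n  capabilities = ["read", "list"]\n}\n' "$mount" "$prefix"
      ;;
    *)
      echo "unsupported KV version: $version" >&2
      return 1
      ;;
  esac
}

# Look up the engine version of MOUNT on the server (v1 mounts carry no
# options.version, hence the default of 1) and write the matching policy.
# Requires a logged-in vault CLI (VAULT_ADDR/VAULT_TOKEN) and jq.
write_kv_policy() {
  name="$1"
  mount="$2"
  prefix="$3"
  version=$(vault secrets list -format=json | jq -r --arg m "$mount/" '.[$m].options.version // "1"')
  kv_policy_paths "$version" "$mount" "$prefix" | vault policy write "$name" -
}

if [ "${1:-}" = "run" ]; then
  write_kv_policy myapp-kv-ro secret myapp
fi
```

Generating the policy from the mount's real version avoids the silent failure mode where a v1-style rule is attached to a v2 mount: the policy applies without error, and every read simply returns permission denied.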