Cleanup
REBELinBLUE committed Oct 6, 2019
1 parent 416ffa8 commit df50670
Showing 4 changed files with 50 additions and 56 deletions.
62 changes: 30 additions & 32 deletions setup/12-Secrets/consul.yaml
Expand Up @@ -13,31 +13,29 @@ data:
apiVersion: v1
kind: ConfigMap
metadata:
name: consul-server-config
name: consul-config
namespace: vault
labels:
app: consul
data:
server.json: |-
{
"primary_datacenter": "dc1",
"skip_leave_on_interrupt": true,
"leave_on_terminate" : false,
"rejoin_after_leave": true,
"log_level": "INFO",
"addresses": {
"https": "0.0.0.0"
},
"ports": {
"http": 8500,
"server": 9300,
"https": -1
},
"performance": {
"raft_multiplier": 1
},
"disable_remote_exec": true
consul.hcl: |-
addresses = {
https = "0.0.0.0"
}
ports = {
http = 8500,
server = 9300,
https = -1
}
performance = {
raft_multiplier = 1
}
primary_datacenter = "dc1"
skip_leave_on_interrupt = true,
leave_on_terminate = false
rejoin_after_leave = true
log_level = "INFO"
disable_remote_exec = true
---
apiVersion: v1
kind: Service
Expand Down Expand Up @@ -196,7 +194,7 @@ spec:
- "-datacenter=$(CONSUL_DATACENTER_NAME)"
- "-data-dir=/var/lib/consul"
- "-config-dir=/consul/config"
- "-config-file=/etc/consul/config/server.json"
- "-config-file=/etc/consul/config/consul.hcl"
- "-log-level=INFO"
- "-client=0.0.0.0"
- "-bind=0.0.0.0"
Expand All @@ -207,14 +205,14 @@ spec:
- "-retry-join=$(CONSUL_STATEFULSET_NAME)-1.$(CONSUL_STATEFULSET_NAME).$(POD_NAMESPACE).svc.$(CONSUL_DOMAIN)"
- "-retry-join=$(CONSUL_STATEFULSET_NAME)-2.$(CONSUL_STATEFULSET_NAME).$(POD_NAMESPACE).svc.$(CONSUL_DOMAIN)"
- "-encrypt=$(CONSUL_GOSSIP_ENCRYPTION_KEY)"
livenessProbe:
exec:
command:
- consul
- members
- -http-addr=http://127.0.0.1:8500
initialDelaySeconds: 60
timeoutSeconds: 5
# livenessProbe:
# exec:
# command:
# - consul
# - members
# - -http-addr=http://127.0.0.1:8500
# initialDelaySeconds: 60
# timeoutSeconds: 5
lifecycle:
preStop:
exec:
Expand All @@ -232,10 +230,10 @@ spec:
volumes:
- name: config
configMap:
name: consul-server-config
name: consul-config
items:
- key: server.json
path: server.json
- key: consul.hcl
path: consul.hcl
volumeClaimTemplates:
- metadata:
name: datadir
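Review bot: The livenessProbe at the end of the third hunk is commented out rather than removed or repaired, so a Consul server whose agent hangs will no longer be restarted by the kubelet while eight dead lines stay in the manifest. If the `consul members` exec probe was failing during cluster bootstrap, raising `initialDelaySeconds` or switching to an `httpGet` probe on `/v1/status/leader` at port 8500 keeps the health check instead of dropping it; if the probe is meant to stay off, delete the commented block. In the first hunk `skip_leave_on_interrupt = true,` carries a trailing comma that none of its sibling top-level attributes have; HCL tolerates an optional comma there, but drop it for consistency with the rest of consul.hcl. The container spec containing these hunks starts and ends outside the diff.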
34 changes: 14 additions & 20 deletions setup/12-Secrets/notes.md
@@ -1,41 +1,35 @@

kubectl -n vault port-forward vault-0 8200:8200


set -xg VAULT_ADDR http://127.0.0.1:8200
set -xg VAULT_TOKEN s.bgQ6lJnj5yYDcfgf6ZsGXx8P
set -xg VAULT_TOKEN s.S6pC3b6kgbofZ09XbouITC8r
set -xg VAULT_TOKEN (curl --slient --data '{ "role_id": "68cee7b8-b8bb-ec1e-20b9-88d87a510833", "secret_id": "d33377fe-41b6-f54e-1063-b440301256b8" }' --request POST "${VAULT_ADDR}/v1/auth/approle/login")

vault audit enable file file_path=stdout
vault secrets enable -path=apps kv
vault auth enable approle
vault auth enable userpass

vault read auth/approle/role/kuard/role-id
vault write auth/userpass/users/stephen password="???" policies="admin"

vault audit enable file file_path=stdout
vault token create -policy=metrics -display-name=prometheus -no-default-policy
curl -H "X-Vault-Token: $VAULT_TOKEN" -X GET "$VAULT_ADDR/v1/sys/metrics?format=prometheus"

vault write -force auth/approle/role/kuard/secret-id

curl \
-H "X-Vault-Token: $VAULT_TOKEN" \
-H "Content-Type: application/json" \
-X POST \
-d '{ "data": { "foo": "world" } }' \
$VAULT_ADDR/v1/apps/data/hello

vault write auth/approle/role/kuard secret_id_ttl="" token_num_uses=0 token_ttl="" token_max_ttl="" secret_id_num_uses=0 policies="kuard"
vault read auth/approle/role/kuard/role-id
vault write -force auth/approle/role/kuard/secret-id

curl -H "X-Vault-Token: $VAULT_TOKEN" -H "Content-Type: application/json" -X POST -d '{ "data": { "foo": "world" } }' $VAULT_ADDR/v1/apps/data/hello
curl -H "X-Vault-Token: $VAULT_TOKEN" -X GET $VAULT_ADDR/v1/apps/data/hello

vault write auth/approle/role/kuard secret_id_ttl="" token_num_uses=0 token_ttl="" token_max_ttl="" secret_id_num_uses=0 policies="kuard"
vault write auth/userpass/users/stephen password="???" policies="admin"
vault audit enable file file_path=stdout

admin.hcl
path "*" {
capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
}

metrics.hcl
path "sys/metrics*"
{
path "sys/metrics*" {
capabilities = ["read", "list"]
}

vault token create -policy=metrics -display-name=prometheus -no-default-policy
curl -H "X-Vault-Token: $VAULT_TOKEN" -X GET "$VAULT_ADDR/v1/sys/metrics?format=prometheus"
8 changes: 5 additions & 3 deletions setup/12-Secrets/vault.yaml
Expand Up @@ -41,9 +41,11 @@ metadata:
name: vault-unseal-keys
type: Opaque
data:
VAULT_UNSEAL_KEY_1: RlJFNHlxbEIyNUYzRllHYlUwNUt2MXFQckpLakRTYnBrUEg0bWVaOEJsdVY=
VAULT_UNSEAL_KEY_2: Wk1tMGViNk1tMnZpTUo0clNRaUUzT3AyUEZOSUdNS1JNS2VtQkVxaG10WSs=
VAULT_UNSEAL_KEY_3: S3dGNzYzMVFIWkRnVndoLzljMnhPaWczVEt3bjl5Ukt1Nm8raFJjdDgwTHk=
VAULT_UNSEAL_KEY_1: Zk9LSU1yTnNzSVhKdWZLZFoxQUg2aW5PaCtsZXdFYjkxbGJ3TjlVaExtSVkK
VAULT_UNSEAL_KEY_2: SEtSTitEakp3clVhUXpON05ialpDMTBHdFFxb1pvNThXNUl3aXdCVEwrWVEK
VAULT_UNSEAL_KEY_3: a3c1R3dMbzk3NTRYRlZ0ek5zZjJBalpic1RMcWhmY2sxei8wR29ZbmZQTHUK
VAULT_UNSEAL_KEY_4: amNBSjg3UkZPZWJEYkNKZ2NUY1dvYUNkeGhWYjQybU1LZmR6WUE0Q2Z1QWIK
VAULT_UNSEAL_KEY_5: bUxFL1VrQkhYdVBPd3hvSDB6eVlsamNrL0VVMmM0N0hrZU9vbkhXdFI4cWEK
---
apiVersion: v1
kind: ServiceAccount
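Review bot: Each of the five new VAULT_UNSEAL_KEY_n values decodes to a 44-character key followed by a trailing newline (the strings are 60 base64 characters ending in `K` with no padding), whereas the three removed values decoded to the bare key; this is the usual result of `echo "$key" | base64` instead of `echo -n "$key" | base64`, and a consumer that passes the environment variable to `vault operator unseal` verbatim will get a malformed key. Re-encode with `printf '%s' '<unseal key>' | base64` (placeholder) and check with `base64 -d | wc -c` that each value is 44 bytes. Separately, unseal key shares stored as base64 in a committed Secret manifest are readable by anyone with repository access and remain in history after this commit; if the repository is shared, treat these shares as exposed, rekey Vault, and consider feeding this Secret from a sealed-secrets or external-secrets mechanism rather than a plaintext manifest. The Secret object begins above this hunk.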
2 changes: 1 addition & 1 deletion setup/9-Monitoring/prometheus/prometheus.yaml
Expand Up @@ -36,7 +36,7 @@ scrape_configs:
metrics_path: "/v1/sys/metrics"
params:
format: ['prometheus']
bearer_token: s.WzEjYfyRBvdXZ6GoW7nBnW9h
bearer_token: s.brVZ623SwKfiYg1WjVWqDcS6

- job_name: prometheus
kubernetes_sd_configs:
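Review bot: `bearer_token: s.brVZ623SwKfiYg1WjVWqDcS6` on the new side keeps a live Vault token in plaintext in a committed scrape config, and rotating the value in place (as this commit does) leaves the previous token in history. Prometheus can read the token from a file mounted from a Kubernetes Secret instead: replace the line with `bearer_token_file: /etc/prometheus/secrets/vault-token` (constructed path) and mount the Secret there, so the config file carries no credential. The token was created with `-policy=metrics -no-default-policy` per notes.md, which limits its blast radius, but any token that has appeared in a shared repository (including the tokens and AppRole credentials in notes.md in this commit) should be revoked. The enclosing job definition starts above this hunk.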
