Merge pull request #44 from IBM/app-on-boarding
Script to help on-boarding application, containerized several scripts, added pod and daemonset examples, redesigned policy format
Showing
34 changed files
with
1,070 additions
and
323 deletions.
@@ -27,4 +27,4 @@ def get(): | |
return str(out) | ||
except Exception as e: | ||
print e.output | ||
return "",503 | ||
return "",403 |
@@ -9,13 +9,6 @@ RUN cd /usr/local/bin && \ | |
|
||
COPY init-node.sh /usr/local/bin/ | ||
|
||
|
||
# Default values for JWT, issuer and token expiration in seconds | ||
#ARG DEFAULT_ISS="[email protected]" | ||
#ARG DEFAULT_TTL_SEC=30 | ||
#ENV ISS=${DEFAULT_ISS} | ||
#ENV TTL_SEC=${DEFAULT_TTL_SEC} | ||
|
||
ARG DEFAULT_PRIVATE_DIR="/host/tsi-secure" | ||
ENV PRIVATEDIR=${DEFAULT_PRIVATE_DIR} | ||
|
||
|
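--- /dev/null
+++ b/<path-not-shown>/Dockerfile
@@ -0,0 +1,28 @@
+FROM ubuntu:18.04
+RUN apt update && \
+apt install -y wget unzip && \
+apt install -y curl jq vim && \
+apt install -y openssl
+
+# install yq required for xform YAML to JSON
+RUN apt-get install -y software-properties-common && \
+add-apt-repository ppa:rmescandon/yq && \
+apt update && apt install -y yq
+
+RUN cd /usr/local/bin && \
+curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && \
+chmod +x kubectl
+
+RUN wget https://releases.hashicorp.com/vault/1.4.2/vault_1.4.2_linux_amd64.zip && \
+unzip vault_1.4.2_linux_amd64.zip && \
+mv vault /usr/local/bin/ && \
+rm -f vault_1.4.2_linux_amd64.zip
+
+COPY secret-maker.sh /usr/local/bin/
+COPY getClusterInfo.sh /usr/local/bin/
+COPY load-sample-policies.sh /usr/local/bin/
+COPY vault-tpl/ /vault-tpl
+COPY vault-setup.sh /usr/local/bin/
+
+# run it forever
+CMD ["/bin/bash", "-c", "tail -f /dev/null"]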
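--- /dev/null
+++ b/<path-not-shown>/Makefile
@@ -0,0 +1,36 @@
+TSI_VERSION=$(shell cat ../../tsi-version.txt)
+GIT_COMMIT_SHA="$(shell git rev-parse --short HEAD 2>/dev/null)"
+GIT_REMOTE_URL="$(shell git config --get remote.origin.url 2>/dev/null)"
+BUILD_DATE="$(shell date -u +"%Y-%m-%dT%H:%M:%SZ")"
+BINARY_NAME="tsi-util"
+REPO ?= trustedseriviceidentity
+IMAGE := $(REPO)/$(BINARY_NAME):$(GIT_COMMIT_SHA)
+MUTABLE_IMAGE := $(REPO)/$(BINARY_NAME):$(TSI_VERSION)
+LATEST := $(REPO)/$(BINARY_NAME):latest
+
+all: docker timestamp
+
+allpush: docker docker-push timestamp
+
+fastpush: fast docker-push timestamp
+
+fast:
+	docker build -t $(IMAGE) .
+	docker tag $(IMAGE) $(MUTABLE_IMAGE)
+	docker tag $(IMAGE) $(LATEST)
+	date
+
+docker:
+	docker build --no-cache -t $(IMAGE) .
+	docker tag $(IMAGE) $(MUTABLE_IMAGE)
+	docker tag $(IMAGE) $(LATEST)
+
+docker-push:
+	docker push $(IMAGE)
+	docker push $(MUTABLE_IMAGE)
+	docker push $(LATEST)
+
+timestamp:
+	date
+
+.PHONY: all fast allpush fastpush docker docker-push timestamp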
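Review bot: The default `REPO ?= trustedseriviceidentity` reads as a misspelling of "trustedserviceidentity"; if the registry namespace the project owns is the latter, `docker-push` sends the `:latest`, version and commit tags to a different namespace, one the project may not control, and consumers pulling the expected name get nothing. Confirm the namespace against the registry and, if it is a typo, change it to `REPO ?= trustedserviceidentity`. If the images are also built with an empty `GIT_COMMIT_SHA` (no git checkout), `IMAGE` ends in a bare `:` and the first `docker build` fails, so a comment noting that the Makefile must run inside the repository would help, e.g. `# GIT_COMMIT_SHA and TSI_VERSION are derived from the checkout; run from the repo`.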
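--- /dev/null
+++ b/<path-not-shown>/getClusterInfo.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+## create help menu:
+helpme()
+{
+cat <<HELPMEHELPME
+This script returns cluster information
+syntax:
+$0 [cluster-info.yaml]
+where:
+[cluster-info.yaml] - cluster info, otherwise defaults to '/tmp/clusterinfo'
+HELPMEHELPME
+}
+
+# validate the input arguments
+if [[ "$1" == "-?" || "$1" == "-h" || "$1" == "--help" ]] ; then
+helpme
+exit 1
+fi
+
+if [[ "$1" == "" ]] ; then
+CLUSTER_YAML="/tmp/clusterinfo"
+else
+CLUSTER_YAML="$1"
+fi
+
+
+### Get Cluter Information
+
+# extract cluster and region info from provided data
+CLYM1="/tmp/cl1.$$"
+cat ${CLUSTER_YAML} > ${CLYM1}
+CLJS1=$(yq r -j ${CLYM1} |jq -r '.data."cluster-config.json"')
+rm "${CLYM1}"
+CLUSTER=$(echo "$CLJS1" | jq -r '.name')
+# DC=$(echo "$CLJS1" | jq -r '.datacenter')
+
+# Confirmed with Armada team that CRN format should stay consistent for a while
+# CRN format example:
+# crn:v1:bluemix:public:containers-kubernetes:eu-de:586283a9abda5102d46e1b94b923a6c5:5f4306a2738d4cdd89ff067c9481555e
+REGION=$(echo "$CLJS1" | jq -r '."crn"' | cut -d":" -f6)
+echo "export CLUSTER_NAME=$CLUSTER"
+echo "export REGION=$REGION"
+# echo "export DATA_CENTER=$DC"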
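--- /dev/null
+++ b/<path-not-shown>/vault-setup.sh
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+# Trusted Service Identiy plugin name
+export PLUGIN="vault-plugin-auth-ti-jwt"
+
+## create help menu:
+helpme()
+{
+cat <<HELPMEHELPME
+Syntax: ${0} <vault_addr> <vault_token>
+Where:
+vault_addr - vault address (or ingress) in format http://vault.server:8200
+token - vault root token to setup the plugin
+Or make sure ROOT_TOKEN and VAULT_ADDR are set as environment variables.
+export ROOT_TOKEN=
+export VAULT_ADDR=(vault address in format http://vault.server:8200)
+HELPMEHELPME
+}
+
+loadVault()
+{
+#docker run -d --name=dev-vault -v ${PWD}/local.json:/vault/config/local.json -v ${PWD}/pkg/linux_amd64/${PLUGIN}:/plugins/${PLUGIN} -p 127.0.0.1:8200:8200/tcp vault
+# echo "Root Token: ${ROOT_TOKEN}"
+vault login -no-print ${ROOT_TOKEN}
+RT=$?
+
+if [ $RT -ne 0 ] ; then
+echo "Vault login failed!"
+exit 1
+fi
+
+export MOUNT_ACCESSOR=$(curl --header "X-Vault-Token: ${ROOT_TOKEN}" --request GET ${VAULT_ADDR}/v1/sys/auth | jq -r '.["trusted-identity/"].accessor')
+
+# Use policy templates to create policy files.
+# The example below uses 4 different policies with the following constraints:
+# - rcni - uses region, cluster-name, namespace and images
+# - rcn - uses region, cluster-name, namespace
+# - ri - uses region and images
+# - r - uses region only
+
+# replace mount accessor in policy
+sed "s/<%MOUNT_ACCESSOR%>/$MOUNT_ACCESSOR/g" /vault-tpl/tsi-policy.rcni.hcl.tpl > /vault-tpl/tsi-policy.rcni.hcl
+sed "s/<%MOUNT_ACCESSOR%>/$MOUNT_ACCESSOR/g" /vault-tpl/tsi-policy.rcn.hcl.tpl > /vault-tpl/tsi-policy.rcn.hcl
+sed "s/<%MOUNT_ACCESSOR%>/$MOUNT_ACCESSOR/g" /vault-tpl/tsi-policy.ri.hcl.tpl > /vault-tpl/tsi-policy.ri.hcl
+sed "s/<%MOUNT_ACCESSOR%>/$MOUNT_ACCESSOR/g" /vault-tpl/tsi-policy.r.hcl.tpl > /vault-tpl/tsi-policy.r.hcl
+
+# write policy to grant access to secrets
+vault policy write tsi-policy-rcni /vault-tpl/tsi-policy.rcni.hcl
+vault policy read tsi-policy-rcni
+vault policy write tsi-policy-rcn /vault-tpl/tsi-policy.rcn.hcl
+vault policy read tsi-policy-rcn
+vault policy write tsi-policy-ri /vault-tpl/tsi-policy.ri.hcl
+vault policy read tsi-policy-ri
+vault policy write tsi-policy-r /vault-tpl/tsi-policy.r.hcl
+vault policy read tsi-policy-r
+
+# create role to associate policy with login
+# we choosed to use one role, one policy association
+# *NOTE* the first role MUST include all the metadata that would be used by other roles/policies, not only the first one.
+vault write auth/trusted-identity/role/tsi-role-rcni bound_subject="[email protected]" user_claim="pod" metadata_claims="region,cluster-name,namespace,images" policies=tsi-policy-rcni
+vault read auth/trusted-identity/role/tsi-role-rcni
+
+vault write auth/trusted-identity/role/tsi-role-rcn bound_subject="[email protected]" user_claim="pod" metadata_claims="region,cluster-name,namespace" policies=tsi-policy-rcn
+vault read auth/trusted-identity/role/tsi-role-rcn
+
+vault write auth/trusted-identity/role/tsi-role-ri bound_subject="[email protected]" user_claim="pod" metadata_claims="region,images" policies=tsi-policy-ri
+vault read auth/trusted-identity/role/tsi-role-ri
+
+vault write auth/trusted-identity/role/tsi-role-r bound_subject="[email protected]" user_claim="pod" metadata_claims="region" policies=tsi-policy-r
+vault read auth/trusted-identity/role/tsi-role-r
+}
+
+# validate the arguments
+if [[ "$1" != "" && "$2" != "" ]] ; then
+export VAULT_ADDR="$1"
+export ROOT_TOKEN="$2"
+fi
+
+if [[ "$ROOT_TOKEN" == "" || "$VAULT_ADDR" == "" ]] ; then
+echo "ROOT_TOKEN and VAULT_ADDR must be set"
+helpme
+exit 1
+else
+loadVault
+fi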
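Review bot: `MOUNT_ACCESSOR` is never validated after the `curl | jq` line in loadVault: if the `trusted-identity/` auth method is not mounted, or the request fails, `jq -r` prints `null` (or nothing) and the four `sed` lines then template that value into every policy, which `vault policy write` accepts, leaving policies bound to a non-existent accessor that fail only at first login. Add a guard right after the assignment, e.g. `if [[ -z "$MOUNT_ACCESSOR" || "$MOUNT_ACCESSOR" == "null" ]]; then echo "auth mount trusted-identity/ not found at ${VAULT_ADDR}" >&2; exit 1; fi`, and consider `set -e` (or checking `$?`) so a failed `vault policy write` does not let the script continue to the role writes. The root token is also placed on command lines three times, as `$2`, as the argument to `vault login`, and inside the `curl --header` string, where it is visible to other processes on the host via the process list and to shell history; after the login succeeds the `vault` CLI already holds the token, so `vault auth list -format=json | jq -r '."trusted-identity/".accessor'` obtains the accessor without passing it again. The typo `Identiy` in the header comment should read `Identity`.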