DevOps Principles & Best Practices by Kayan Azimov
One of the issues when using personal secrets in vault is the admin/root user being able to access everything in vault, thus making usage of personal secret less secure.
In order to protect the personal secret from root/admin access we can however keep secret in an encrypted way, using private key, gpg, or just a password. Below is an example how to protect the secret with a password.
Comments closed
Today I will show you how to use vault for your personal secrets. Normally you would auth and get access to some path in vault where everyone in your team have access too, but in some cases you may want to use vault for your own secrets as well, i.e for storing passphrase for the ssh private key or email or something similar.
So here is a list of commands that needs to be run, first as an admin to set up auth and policies, and then as a user, auth and read/write secrets.
Create a policy that allows actions under ones identity:
cat <<EOF | vault policy write identity -
path "secret/data/{{identity.entity.id}}/*" {
capabilities = ["create", "read", "update", "delete"]
}
EOF
Comments closed This blog post demonstrates how anything in Jenkins could be configured as a code through Java API using groovy code, and how changes could be applied right inside Jenkins job. I particularly will demo how to configure Kubernetes plugin and credentials, but the same concept could be used later to configure any Jenkins plugin you are interested in. We will also look at how to create custom config which could be used either for all
or only specific Jenkins instances so you can setup different instances differently based on security policy or any other criteria.
The Why…
Recently I have been working on a task to improve deployment of our master Jenkins instances on Kubernetes.
On of the requirements was to improve the speed, as we have more than 40 Jenkins masters running on different
environments like test, dev, pre-prod, perf, prod etc and deployed in Kubernetes over AWS cluster. The deployment job took around an hour, involved downtime and required multiple steps.
Today we will look at how to setup EC2 instance with Terraform.
1. Set up Terraform
So first thing first, quick installation guide, visit https://www.terraform.io/downloads.html , pick up right version and download:
➜ apps wget https://releases.hashicorp.com/terraform/0.11.1/terraform_0.11.1_darwin_amd64.zip\?_ga\=2.1738614.654909398.1512400028-228831855.1511115744 --2017-12-04 15:16:06-- https://releases.hashicorp.com/terraform/0.11.1/terraform_0.11.1_darwin_amd64.zip?_ga=2.1738614.654909398.1512400028-228831855.1511115744 Resolving releases.hashicorp.com... 151.101.17.183, 2a04:4e42:4::439 Connecting to releases.hashicorp.com|151.101.17.183|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 15750266 (15M) [application/zip] Saving to: ‘terraform_0.11.1_darwin_amd64.zip?_ga=2.1738614.654909398.1512400028-228831855.1511115744’ terraform_0.11.1_darwin_amd64.zip?_ga=2.17386 100%[=================================================================================================>] 15.02M 499KB/s in 30s 2017-12-04 15:16:36 (517 KB/s) - ‘terraform_0.11.1_darwin_amd64.zip?_ga=2.1738614.654909398.1512400028-228831855.1511115744’ saved [15750266/15750266]
Then unzip:
➜ apps unzip terraform_0.11.1_darwin_amd64.zip\?_ga=2.1738614.654909398.1512400028-228831855.1511115744 Archive: terraform_0.11.1_darwin_amd64.zip?_ga=2.1738614.654909398.1512400028-228831855.1511115744 inflating: terraform
Finally make sure location added to PATH:
➜ ~ export PATH=~/apps:$PATH
Check installation works:
➜ ~ terraform -v Terraform v0.11.1
2. Spin up EC2
The plan is to spin up latest Ubuntu.
Comments closed
