INT 21h

Hi, I am Vladimir Smagin, SysAdmin and Kaptain. Telegram Email / GIT / Thingiverse / RSS / GPG

Credentials and other secrets from Vault to your containers at startup

№ 11183 В разделах: Programming Sysadmin от January 2nd, 2021,
В подшивках: , , , ,

What if you stored your database credentials in Vault and want to make ENV variables with them for your application at container startup? You can do it for Kubernetes deployments or plain Docker containers with my small program vault-envs.

Add to your Dockerfile additional steps:

  • install my vault-envs programs that “converts” secret to ENV variables
  • create\modify entrypoint script where or call vault-envs and other pre-startup actions

Add to your Dockerfile steps:

...
...
# add Ubuntu\Debian repo and install vault-envs with fresh certificates
RUN curl http://deb.blindage.org/gpg-key.asc | apt-key add - && \
    echo "deb http://deb.blindage.org bionic main" | tee /etc/apt/sources.list.d/21h.list && \
    apt update
RUN apt install -y ca-certificates vault-envs

# copy entrypoint script
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

ENTRYPOINT ["/entrypoint.sh"]

Your entrypoint script will look like:

#!/bin/bash

...
...

export eval `vault-envs -token "$VAULT_TOKEN" \
        -vault-url https://vault.blindage.org \
        -vault-path /prod/crm/connection_postgres -envs-prefix "PG_"`

export eval `vault-envs -token "$VAULT_TOKEN" \
        -vault-url https://vault.blindage.org \
        -vault-path /prod/crm/connection_mysql -envs-prefix "MYSQL_"`

export eval `vault-envs -token "$VAULT_TOKEN" \
        -vault-url https://vault.blindage.org \
        -vault-path /prod/crm/connection_api`

...
...

exec "$@"

If some vars names is identical they will be overwritten at next vault-envs call, so I used prefix.

Now build image and run

docker run --rm -e VAULT_TOKEN=s.QQmLlqnHnRAEO9eUeoggeK1n crm printenv

and see results at container console:

...
VAULT_RETRIEVER=vault-envs
PG_DB_PASS=postgres
PG_DB_PORT=5432
PG_DB_USER=postgres
PG_DB_HOST=db-postgres
PG_DB_NAME=crm
MYSQL_DB_HOST=mysql.wordpress
MYSQL_DB_PASS=
MYSQL_DB_PORT=3306
MYSQL_DB_USER=root
MYSQL_DB_NAME=wordpress
API_HOST=http://crm/api
API_TOKEN=giWroufpepfexHyentOnWebBydHojGhokEpAnyibnipNirryesaccasayls4
...

Wooh! You did it.

Нет комментариев »

GNUK

№ 11163 В разделах: Electronics Sysadmin от December 31st, 2020,
В подшивках: , ,

Замутил себе GNUK в качестве хранилища ключей для дешифровки писем, бэкапов и прочего хлама, а также ssh авторизации на серверах. Стоит оно всего 140 руб, что гораздо дешевле аналогов за 50 баксов 🙂 На отлично работает под линуксами с GnuPG.

https://wiki.debian.org/GNUK
https://blog.danman.eu/2-usb-crypto-token-for-use-with-gpg-and-ssh/
https://nx3d.org/gnuk-st-link-v2/

Заказал тут https://aliexpress.ru/item/32792925130.html Для прошивки нужен второй такой или любой другой прошивальщик STM32.

Нет комментариев »

Centralize fail2ban blacklisting with ip-blocker-db

№ 11031 В разделе "Sysadmin" от June 17th, 2020,
В подшивках: ,

My own IP storage for fail2ban. Written to blacklist fucking botnets bruteforcing my servers. It centalize information about blocks across all my servers in one single watch tower.

https://git.blindage.org/21h/ip-blocker-db

Нет комментариев »

Vault secret retrieve and save to JSON file

№ 10280 В разделах: Programming Sysadmin от September 1st, 2019,
В подшивках: , ,

I wrote small program to retrieve secrets from Vault and provide them to my PHP and Python apps. ENV variables with connection credentials is useful with Docker containers and even Kubernetes, list of secrets to retrieve can be stored inside Docker image.

Secret stored in Vault

Result file on disk

Source code and binary release https://git.blindage.org/21h/vault-retriever

Нет комментариев »

Tracking in kubedb for Kubernetes

№ 9595 В разделе "Sysadmin" от November 26th, 2018,
В подшивках: , , , ,

Me and my colleague seriously rewriting kubedb to remove bash pornography and implement new functions required by our production and today I found code with… google tracking and it turned on by default! Whhyyy they did it and no said about it??! I think patch of this file will not be accepted to upstream.

Нет комментариев »

Яндекс.Метрика

Fortune cookie: "Laughter does not seem to be a sin, but it leads to sin." [St. John Chrysostom, "Homilies"]