How to insert my RSA private key into GCE VM through Google Deployment Manager? - google-compute-engine

Does anyone know how to pass an RSA private key through the deployment configuration file below to a Google Compute Engine (GCE) virtual machine? The reason I am doing this is because the software installed in my GCE virtual machine needs to SSH into some other virtual machines in which the corresponding RSA public key has already been installed.
resources:
- name: gml
  type: gml.py
  properties:
    zones:
    - us-east1-b
    - europe-west1-b
    - asia-east1-a
    machineType: n1-standard-2
    nodesPerZone: 5
    diskSize: 10
    privKey: |
      -----BEGIN RSA PRIVATE KEY-----
      .....
      .....
      -----END RSA PRIVATE KEY-----

I think the only way to place a file would be with a startup script. Something like
metadata:
- key: startup-script
  value: |
    #!/usr/bin/env bash
    # create file if not exist
    ...
or
metadata:
- key: startup-script-url
  value: gs://my-secret-bucket/set-key.sh
Personally, I prefer the latter. If you need to update the script for some reason, it will not require updating the deployment, and the key would not be visible in the cloud console.
In either case you should gauge for yourself where you want your private key to be visible.
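As an added example, not code from the answer above, here is a startup-script body of the kind sketched: it reads the key on stdin so it works with either delivery method, and installs it with owner-only permissions. The user name and destination path are assumptions; anything left in instance metadata is readable by every local process through the metadata server, so the key should be removed from metadata once it is on disk.

```shell
#!/usr/bin/env bash
# Added example, not code from the answer above: install a private key
# delivered to the VM (inline metadata or a file fetched via
# startup-script-url) into a user's ~/.ssh with owner-only permissions.
# The key is read from stdin; user name and path are assumptions.
set -eu

# mode_of PATH: octal permission bits, GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# install_ssh_key USER DEST < key.pem
# Creates DEST's directory with mode 700, rejects input that is not a PEM
# private key, writes the key with mode 600 and replaces DEST atomically,
# so a re-run of the startup script is harmless.
install_ssh_key() {
    local user="$1" dest="$2" dir tmp
    dir=$(dirname "$dest")
    umask 077                        # nothing created below is group/world readable
    mkdir -p "$dir"
    chmod 700 "$dir"
    tmp=$(mktemp "$dir/.key.XXXXXX")
    cat > "$tmp"
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$tmp" ||
       ! grep -q -- '-----END .*PRIVATE KEY-----' "$tmp"; then
        rm -f "$tmp"
        echo "install_ssh_key: stdin is not a PEM private key" >&2
        return 1
    fi
    chmod 600 "$tmp"
    chown "$user" "$tmp"
    mv -f "$tmp" "$dest"             # atomic rename: never a half-written key at DEST
}

# key_installed_ok DEST: 0 if the key exists with mode 600 in a mode-700 dir.
key_installed_ok() {
    [ -f "$1" ] && [ "$(mode_of "$1")" = "600" ] &&
        [ "$(mode_of "$(dirname "$1")")" = "700" ]
}
```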

Related

ingress Failed build model due to couldn't auto-discover subnets: unable to discover at least one subnet

I am getting an error "ingress Failed build model due to couldn't auto-discover subnets: unable to discover at least one subnet" while deploying ingress in EKS.
Steps already taken:
1. Cluster Name is correct in Deployment file
2. Below annotation I am using in Ingress-Resource file
   annotations:
     alb.ingress.kubernetes.io/scheme: internal
     alb.ingress.kubernetes.io/target-type: ip
     kubernetes.io/ingress.class: alb
     kubernetes.io/role/internal-elb: 1
     alb.ingress.kubernetes.io/subnets: subnet-xxxx, subnet-yyy, subnet-zzz
     kubernetes.io/cluster/<ClusterName>: owned ---> (I am using correct cluster name)
Key point:
I am using private subnet in EKS, Subnets were separately created with proper Tags.
2. Below annotation I am using in Ingress-Resource file
   ...
   kubernetes.io/role/internal-elb: 1
   ...
   kubernetes.io/cluster/<ClusterName>: owned ---> (I am using correct cluster name)
The above are tags and not for annotation usage. Try tagging the 3 subnets in your question on the AWS console with kubernetes.io/role/internal-elb: 1 and kubernetes.io/cluster/<ClusterName>: owned, so that the LB controller can discover them.

How do I set different private keys for different environments for Elastic Beanstalk?

I am looking at this article https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-storingprivatekeys.html and I understand how I could store the private key file on the server using S3.
However, I am not sure how I can change the private key file to store in different environments.
How do I achieve the above?
You can store the private keys in S3 for the different environments, download them all, but then only access the one you need for your specific environment. For example:
files:
  "/tmp/my_private_key.staging.json":
    mode: "000400"
    owner: webapp
    group: webapp
    authentication: "S3Auth"
    source: https://s3-us-west-1.amazonaws.com/my_bucket/my_private_key.staging.json
  "/tmp/my_private_key.production.json":
    mode: "000400"
    owner: webapp
    group: webapp
    authentication: "S3Auth"
    source: https://s3-us-west-1.amazonaws.com/my_bucket/my_private_key.production.json
container_commands:
  key_transfer_1:
    command: "mkdir -p .certificates"
  key_transfer_2:
    command: "mv /tmp/my_private_key.$APP_ENVIRONMENT.json .certificates/private_key.json"
  key_transfer_3:
    command: "rm /tmp/my_private_key.*"
where you have set APP_ENVIRONMENT as an environment variable to be "staging" or "production", etc.

GCE instance - OPENVPN - not resolving any address

I don't have internet access when I'm connected to my VPN server.
I have tried manually installing Debian on my home virtual machine and it runs without problems, so it is not a VPN server problem.
I want the GCE Debian instance to connect to OpenVPN and have internet access from that IP address.
Let me know what I'm missing?
Here is my .ovpn config:
remote xxxxxxx 7777 tcp
verb 4
client
nobind
dev tun
cipher AES-128-CBC
key-direction 1
redirect-gateway def1
tls-client
remote-cert-tls server
# uncomment below lines for use with linux
script-security 2
# if you use resolved
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# if you use systemd-resolved first install openvpn-systemd-resolved package
#up /etc/openvpn/update-systemd-resolved
#down /etc/openvpn/update-systemd-resolved
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e2:7e:b0:e5:dd:37:33:6c:36:49:76:2f:ec:0e:73:e7
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=ca
Validity
Not Before: Nov 18 14:27:52 2021 GMT
Not After : Feb 21 14:27:52 2024 GMT
Subject: CN=gitlab
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d3:51:b2:....
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
1B:56:09:AE:B4:5D:26:18:....
X509v3 Authority Key Identifier:
keyid:92:76:43:....
DirName:/CN=ca
serial:02:D6:....
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
52:32:ca:......
-----BEGIN CERTIFICATE-----
cert here
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
key here
-----END PRIVATE KEY-----
</key>
<ca>
-----BEGIN CERTIFICATE-----
cert here
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
key here
-----END OpenVPN Static key V1-----
</tls-auth>
It connects to the VPN successfully and then nothing happens, no access to the internet...
UPDATE:
I have edited and enabled net.ipv4.ip_forward, but that doesn't solve the issue.
Server config file:
# server 172.16.100.0 255.255.255.0
verb 3
tls-server
ca /etc/openvpn/easyrsa/pki/ca.crt
key /etc/openvpn/easyrsa/pki/private/server.key
cert /etc/openvpn/easyrsa/pki/issued/server.crt
dh /etc/openvpn/easyrsa/pki/dh.pem
crl-verify /etc/openvpn/easyrsa/pki/crl.pem
tls-auth /etc/openvpn/easyrsa/pki/ta.key
key-direction 0
cipher AES-128-CBC
#management 127.0.0.1 8989
keepalive 10 60
persist-key
persist-tun
topology subnet
#proto tcp
#port 1194
#dev tun0
status /tmp/openvpn-status.log
user nobody
group nogroup
push "topology subnet"
push "route-metric 9999"
push "dhcp-option DNS 1.1.1.1"
I would try making this modification to push everything from the server. Topology is usually set on the server side, and not on the client side. And you want to push the redirect gateway from the server, not from the client. I added back the server subnet so that we knew the source ip addresses for masquerade / nat.
# push "topology subnet"
# push "route-metric 9999"
server 172.16.100.0 255.255.255.0
topology subnet
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
Lastly, you'll want to make sure you have masquerade turned on in iptables so that your traffic is natted on the way out of your openvpn server. Here is a link describing the process.
iptables -t nat -A POSTROUTING -s 172.16.100.0/24 -o eth0 -j MASQUERADE
You may have a different ethernet interface name, but you can find the correct name using ifconfig.
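As an added example that is not part of the answer above, the same two server-side changes (ip_forward plus MASQUERADE) written so they can be re-run safely, with the egress interface taken from the default route instead of read off ifconfig; the subnet is the one from the server config, and the sysctl.d file name is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not part of the answer above: idempotent versions of the two
# server-side changes discussed (IP forwarding and MASQUERADE), with the egress
# interface taken from the default route instead of ifconfig. The sysctl.d file
# name is an assumption; the subnet is the one from the server config.
set -eu

# egress_iface_from_route LINE: interface named after "dev" in a line of
# `ip -o route show default`, e.g. "default via 10.0.0.1 dev ens4 proto dhcp".
egress_iface_from_route() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

egress_iface() {
    egress_iface_from_route "$(ip -o route show default | head -n 1)"
}

# ensure_forwarding: enable net.ipv4.ip_forward now and keep it after reboot.
ensure_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    printf '%s\n' 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-openvpn-forward.conf
}

# ensure_masquerade SUBNET IFACE: add the POSTROUTING rule only when it is not
# already there (iptables -C), so re-running never stacks duplicate rules.
ensure_masquerade() {
    local subnet="$1" iface="$2"
    if ! iptables -t nat -C POSTROUTING -s "$subnet" -o "$iface" -j MASQUERADE 2>/dev/null; then
        iptables -t nat -A POSTROUTING -s "$subnet" -o "$iface" -j MASQUERADE
    fi
}

# Apply only when invoked as `./nat.sh apply` (as root on the OpenVPN server);
# sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    ensure_forwarding
    ensure_masquerade 172.16.100.0/24 "$(egress_iface)"
fi
```

The iptables rule is still not persisted across reboots by this script; that needs iptables-persistent or your distribution's equivalent.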

How to change istio ingress loadbalancer external IP

I want to change my istio ingress loadbalancer IP but when I try updating the yaml file it is not getting updated
NAME TYPE CLUSTER-IP EXTERNAL-IP
istio-ingressgateway LoadBalancer 10.123.196.149 52.174.141.126
I have to change my EXTERNAL-IP to different IP.
The easiest way is to copy the configuration of the service istio-ingressgateway and then delete the service. In the configuration file, delete the uuid, the creationTimestamp line, and the status property. Then recreate the service from the configuration file. It will work for you.
If the public IP that you own is A.B.C.D, you need to add this to the spec section of the istio-ingressgateway service:
loadBalancerIP: A.B.C.D
You probably need to save that service's yaml or json, add the loadBalancerIP line, then delete the service, and finally create it using the saved yaml/json.
Just run:
kubectl patch svc istio-ingressgateway --namespace istio-system --patch '{"spec": { "loadBalancerIP": "<your-reserved-static-ip>" }}'
Reference: https://knative.dev/docs/serving/gke-assigning-static-ip-address/#step-2-update-the-external-ip-of-istio-ingressgateway-service

AKS MySQL SSL problems (nodejs,knex)

I want to provide the SSL CA cert for MySQL in my applications via envvars in Azure Kubernetes, but I keep getting the following error logs.
NAME: RollbackError
CODE: HANDSHAKE_SSL_ERROR
MESSAGE: unable to get local issuer certificate
I followed everything they said in the docs; I can connect to it with the MySQL client from the terminal, so the cert is okay.
That's what I have in my deployment.yml:
....
env:
- name: database__connection__ssl__ca
  value: "content_of_ssl_ca_cert_file"
....
According to the MySQL & knexjs docs for NodeJS that's the correct way to do it; it accepts strings, not files or a path to the file.
Anyone any ideas?
So, I finally managed to solve this 'trivial' issue.
....
env:
- name: database__connection__ssl__ca
  value: "-----BEGIN CERTIFICATE-----\n...\n...\n...-----END CERTIFICATE-----"
....
Line breaks were needed.
I already edited the question, but here is the solution:
....
env:
- name: database__connection__ssl__ca
  value: "-----BEGIN CERTIFICATE-----\n...\n...\n...-----END CERTIFICATE-----"
....
Line breaks are needed when you want to copy the content from the cert file and provide it via envvars as a string. -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- also have to be there.
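As an added example (not from the question or the answers), a shell helper that produces the single-line form with literal "\n" that the env var needs from a certificate file, converts it back so the value can be verified, and checks a value for the two things the answer says must be present; the certificate content in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the question or answers): turn a CA certificate file
# into the single-line string with literal "\n" that the env var needs, and
# check an existing value for the two mistakes discussed above.
set -eu

# pem_to_env FILE: print FILE as one line, joining its lines with a literal "\n"
# (backslash, n), which is what the YAML "value:" above contains.
pem_to_env() {
    awk 'BEGIN { ORS = "" } NR > 1 { print "\\n" } { print }' "$1"
}

# env_to_pem VALUE: inverse of pem_to_env; pipe the result into
# `openssl x509 -noout -subject` to confirm the value still parses.
env_to_pem() {
    printf '%s\n' "$1" | awk '{ gsub(/\\n/, "\n"); print }'
}

# env_value_ok VALUE: 0 only if the value carries both PEM markers and the
# line breaks between them, the two conditions the answer found necessary.
env_value_ok() {
    case "$1" in
        *"-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *'\n'*) return 0 ;;
        *) return 1 ;;
    esac
}
```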