- Working Directory: Documents/Courses/Pluralsight-GettingStartedWithAnsible
Sample Code: https://github.com/g0t4/course-ansible-getting-started
- Install homebrew
- Install bat
- Install tree
- tree -C alias
- jq
- httpie
- curl
- wget
Ad-hoc
Commands run:
ansible -m copy -a "src=master.gitconfig dest=~/.gitconfig" localhost
ansible -m copy -a "src=master.gitconfig dest=~/.gitconfig" --check --diff localhost
ansible -m shell -a "hostname" -vvvv localhost
Managing Mac with Ansible
- install homebrew
- download linux setup from gitlab
ansible -m copy -a "src=master.gitconfig dest=~/.gitconfig" --check --diff localhost
- Manage these types of file with git repo
ansible -m homebrew -a "name=bat state=latest" localhost
- install bat command from homebrew
ansible -m homebrew -a "name=jq state=latest" localhost
Playbooks
ansible-playbook playbook.yaml
spin up a quick docker container
docker run --rm -it python bash
connect to multiple machines using ansible
ansible-console containers
- containers is defined in the inventory file as 3 docker containers
Module 4
Basic Auth
Vault Policies
- Govern: Who, What, How for access
- Policy is in HCL or JSON
- Variables available for identities in path logic for dynamic policies
- can specify parameters
- two out of box policies: default & root policies
Policy Document:
path "path_of_secret_data/*" {                          # trailing * is a glob over the rest of the path
  capabilities        = ["create", "read", "update"]   # other capabilities: delete, list, sudo, deny
  required_parameters = ["param_name"]
  allowed_parameters  = { param_name = ["list", "of", "values"] }
  denied_parameters   = { param_name = ["list", "of", "values"] }
}
Working with policies
list all policies
vault policy list
create a policy
vault policy write [policy] [policy_file.hcl]
update a policy
vault write sys/policy/[policy] policy=@[policy_file.hcl]
delete a policy
vault delete sys/policy/[policy]
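To make the policy rules in the notes concrete, here is an added example (my own code, not the course's or Vault's) that models how a single policy is evaluated: most specific matching path wins, an explicit deny beats everything, denied_parameters beat allowed_parameters, an empty value list means any value, and required_parameters must be present on writes. The policy dict and paths are constructed for the demo; real Vault merges several policies per token, which this simplification skips.

```python
import re

def path_matches(pattern, path):
    """Vault-style path match: a trailing '*' is a glob, '+' matches one segment."""
    glob = pattern.endswith("*")
    core = pattern[:-1] if glob else pattern
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in core.split("/")]
    return re.match("/".join(parts) + (".*" if glob else "") + "$", path) is not None

def _listed(table, key, value):
    """True if a parameter table names this key (or '*'); an empty value list means any value."""
    for k in (key, "*"):
        if k in table and (table[k] == [] or value in table[k]):
            return True
    return False

def evaluate(policy, op, path, params=None):
    """Return (allowed, reason) for an operation on a path under one policy (a list of rules)."""
    params = params or {}
    matching = [rule for rule in policy if path_matches(rule["path"], path)]
    if not matching:
        return False, "no matching path rule (default deny)"
    rule = max(matching, key=lambda r: len(r["path"].rstrip("*")))  # most specific rule wins
    caps = rule.get("capabilities", [])
    if "deny" in caps:
        return False, "explicit deny"
    if op not in caps:
        return False, f"capability {op!r} not granted"
    if op in ("create", "update"):  # parameter constraints apply to writes only
        missing = [p for p in rule.get("required_parameters", []) if p not in params]
        if missing:
            return False, f"missing required_parameters {missing}"
        for key, value in params.items():
            if _listed(rule.get("denied_parameters", {}), key, value):
                return False, f"parameter {key!r}={value!r} is denied"
            allowed = rule.get("allowed_parameters", {})
            if allowed and not _listed(allowed, key, value):
                return False, f"parameter {key!r}={value!r} not in allowed_parameters"
    return True, "allowed"

# Constructed policy: a dict form of the stanza in the notes (not a real deployment)
APP_POLICY = [
    {"path": "secret/data/app/*",
     "capabilities": ["create", "read", "update"],
     "required_parameters": ["owner"],
     "allowed_parameters": {"owner": [], "env": []},  # any owner, any env ...
     "denied_parameters": {"env": ["prod"]}},         # ... except env=prod (deny wins)
    {"path": "secret/data/app/admin", "capabilities": ["deny"]},
]

if __name__ == "__main__":
    print(evaluate(APP_POLICY, "update", "secret/data/app/db", {"owner": "ops", "env": "dev"}))
    print(evaluate(APP_POLICY, "update", "secret/data/app/db", {"owner": "ops", "env": "prod"}))
```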
Client Tokens
- Policies are added to tokens
- updates to policies have an immediate effect on existing tokens
- creating new policies does not update existing tokens
- tokens are the foundation of access within vault
- even if you auth via LDAP or something else it just gives you a token
Module 5 - How to Set Up, Configure & Operate a Vault Server as an Admin
Vault Server Architecture
Storage
- over 19 options currently supported
- consul is kinda the default
Installation Process for prod
- Installation Scenario
  - Virtual Network
    - Vault Subnet
      - Vault VM
        - HTTPS on 8200 (default port)
        - Public IP in front of the Vault server
        - talks on 8201 for clustering
        - Consul agent for storage
          - Gossip & RPC protocols
          - Consul agent runs its server on 8500
        - Vault configured in HA with another Vault server
      - Vault VM
    - Consul Subnet
      - Consul VM
        - Replication on port 8300
      - Consul VM
      - Communication between the two
    - Vault Subnet
  - Virtual Network
storage and configuration
Server Operations
Conclusion
- nothing leaves the barrier unencrypted
- everything in the barrier is audited
- plan your pilot to support HA
Module 6 - Auditing Actions in Vault
- everything is audited
- auditing must be available
- sensitive data is hashed by default