how to pass secret variable to a Vuejs app? - vue.js

I have a Vuejs app and I want to pass some Okta authentication secrets such as clientId at runtime. The following is my Auth setup:
Vue.use(Auth, {
  issuer: process.env.VUE_APP_ISSUER,
  clientId: process.env.VUE_APP_CLIENT_ID,
  redirectUri: process.env.VUE_APP_HOST_URL + '/implicit/callback', // Handle the response from Okta and store the returned tokens.
  scopes: ['openid', 'profile', 'email'],
  pkce: true
})
Right now I have .env file that contains those variables with their values:
VUE_APP_HOST_URL=http://localhost:8080
VUE_APP_ISSUER=https://dev-12345.okta.com/oauth2/default
VUE_APP_CLIENT_ID=12345
I have been able to dockerize my Vuejs app and run it with that setup. But now I want to externalize those 3 secrets. If I remove those 3 variables from my .env file and inject them from the docker run command, the VUE_APP_HOST_URL value is undefined according to my console log.
The following is my docker run command:
docker run -e VUE_APP_HOST_URL=http://localhost:8080 \
  -e VUE_APP_ISSUER=https://dev-12345.okta.com/oauth2/default \
  -e VUE_APP_CLIENT_ID=1234 \
  -p 8080:8080 ghcr.io/myapp:latest
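The page carries no answer to this question, so the following is an added example, not code from the question, Vue CLI or Okta. Vue CLI inlines process.env.VUE_APP_* into the bundle at build time, which is why values passed with docker run -e never reach the compiled app; a common fix is an entrypoint that renders a small config file when the container starts and an app that reads window.__APP_CONFIG__ instead of process.env. The config path and the global name are assumptions; note that for a browser app with pkce: true the issuer and clientId are public values every user's browser receives, so they are configuration rather than secrets.

```shell
#!/bin/sh
# Added example: render runtime configuration for a built Vue app from the
# container environment, failing fast instead of shipping "undefined".

# Escape a value for embedding in a JSON/JavaScript double-quoted string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Return non-zero if the named variable is unset or empty. The names passed in
# are the fixed list below, never user input, so eval is safe here.
require_var() {
  eval "[ -n \"\${$1:-}\" ]" || {
    echo "missing required env var: $1" >&2
    return 1
  }
}

# Emit window.__APP_CONFIG__ from the three variables the question externalizes.
render_config() {
  for v in VUE_APP_HOST_URL VUE_APP_ISSUER VUE_APP_CLIENT_ID; do
    require_var "$v" || return 1
  done
  printf 'window.__APP_CONFIG__ = {"hostUrl":"%s","issuer":"%s","clientId":"%s"};\n' \
    "$(json_escape "$VUE_APP_HOST_URL")" \
    "$(json_escape "$VUE_APP_ISSUER")" \
    "$(json_escape "$VUE_APP_CLIENT_ID")"
}

# Dockerfile ENTRYPOINT usage (assumed path for an nginx-based image):
#   render_config > /usr/share/nginx/html/config.js && exec nginx -g 'daemon off;'
# index.html loads /config.js before the bundle, and the Auth setup reads
# window.__APP_CONFIG__.clientId etc. instead of process.env.
```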

Related

Custom path for Hashicorp Vault Kubernetes Auth Method does not work using CLI

When I enable kubernetes auth method at default path (-path=kubernetes) it works. However, if it is enabled at custom path, the vault init and sidecar containers don't start.
Kubernetes auth method enabled at auth/prod:
vault auth enable -path=prod/ kubernetes
vault write auth/prod/config \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
vault write auth/prod/role/internal-app \
    bound_service_account_names=internal-app \
    bound_service_account_namespaces=default \
    policies=internal-app \
    ttl=24h
What could be wrong with these auth configurations?
Not sure how you have deployed the vault, but if your injector is true
injector:
  enabled: true
Vault will be injecting the sidecars and init container. You should check the logs of the sidecar or init container which is failing.
If you are using the K8s method to authenticate, you should check out the annotation example below and use them:
annotations:
  vault.hashicorp.com/agent-image: registry.gitlab.com/XXXXXXXXXXX/vault-image/vault:1.4.1
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/agent-inject-secret-secrets: kv/secret-path-location
  vault.hashicorp.com/auth-path: auth/<K8s-cluster-auth-name>
  vault.hashicorp.com/role: app
You can also keep multiple auth-paths for different K8s clusters to authenticate with a single Vault instance.
If the vault is injecting the sidecar you should check the logs of it.
https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar

How to Programmatically communicate with Restful API using SSH tunnelling

I am building a RESTful API client using the .NET Core framework. The APIs are OpenStack APIs; however, because of the network configuration, I cannot access the API from my local computer (also my development computer). When accessing OpenStack normally, I have to ssh into a machine that can ssh into the OpenStack infrastructure.
Bearing this in mind, is it possible to use an SSH tunnel for the API endpoints and then call them in the implemented Web API client? I have tried to do this, but the call to the endpoint returns error 401 - content length is required.
Basically it's possible to call the OpenStack API endpoint through an SSH tunnel without any publicly accessible API endpoints. Because I have no experience with the .NET Core framework, this answer is really generic, without C# code. I hope it helps you anyway.
IMPORTANT: You can use the following steps only when you have an admin login to the OpenStack deployment, and you should ONLY!!! use this way when the OpenStack deployment is a test deployment, where breaking the deployment doesn't affect other users.
1. SSH-tunnel
You can forward ports with the command:
ssh -L 127.0.0.1:<PORT>:<IP_REMOTE>:<PORT> <USER_JUMPHOST>@<IP_JUMPHOST> -fN
<PORT> = port of the OpenStack component you want to access remotely (for example 5000 for Keystone)
<IP_REMOTE> = IP of the host where your OpenStack deployment is running
<USER_JUMPHOST>@<IP_JUMPHOST> = SSH access to the jumphost, which is between you and your OpenStack deployment
This has to be done for each OpenStack component. If you don't want this command in the background, remove the -fN at the end.
Here at first you have to forward Keystone with port 5000.
Example: ssh -L 127.0.0.1:5000:192.168.62.1:5000 deployer@192.168.67.1 -fN
You can test the access via curl or web browser from your local PC:
curl http://127.0.0.1:5000
{"versions": {"values": [{"id": "v3.13", "status": "stable", "updated": "2019-07-19T00:00:00Z", "links": [{"rel": "self", "href": "http://127.0.0.1:5000/v3/"}], "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}]}]}}
2. Change OpenStack endpoints
To also be able to log in on the OpenStack deployment through the tunnel, you have to change the endpoints to listen on localhost on the remote system too, where your OpenStack deployment is:
Login normally on your openstack deployment as admin-user.
List all endpoints: openstack endpoint list
Change the public and internal-endpoint of keystone to localhost:
openstack endpoint set --url http://127.0.0.1:5000 <ID_OF_INTERNAL_KEYSTONE_ENDPOINT>
After changing the internal endpoint it will break the OpenStack login on the remote system for now, but don't worry.
Now you can log in to OpenStack via the openstack client from your local PC. Here you have to authorize against localhost. If you use an rc file to log in, you have to change the auth URL to export OS_AUTH_URL=http://127.0.0.1:5000/v3
Change the nova endpoints by running on your local pc openstack endpoint set --url "http://127.0.0.1:8774/v2.1" <ID> for the internal and public endpoint of nova to run commands like openstack server list through your ssh-tunnel (of course you need also an ssh-tunnel for port 8774) to do this.
3. Authorize against the openstack-deployment
When you send HTTP-Requests without the openstack-client, you have to manually request an authentication token from the deployment:
Login normally on your openstack deployment
Make a Token-Request:
curl -v -s -X POST "$OS_AUTH_URL/auth/tokens?nocatalog" -H "Content-Type: application/json" -d '{ "auth": { "identity": { "methods": ["password"],"password": {"user": {"domain": {"name": "'"$OS_USER_DOMAIN_NAME"'"},"name": "'"$OS_USERNAME"'", "password": "'"$OS_PASSWORD"'"} } }, "scope": { "project": { "domain": { "name": "'"$OS_PROJECT_DOMAIN_NAME"'" }, "name": "'"$OS_PROJECT_NAME"'" } } }}' --stderr - | grep X-Subject-Token
This command can be used without changes. The value after the key X-Subject-Token is the token from Keystone. Copy this value and export the token as the environment variable OS_TOKEN, for example like the following line:
export OS_TOKEN=gAAAAABZuj0GZ6g05tKJ0hvihAKXNJgzfoT4TSCgR7cgWaKvIvbD66StJK6cS3FqzR2DosmqofnR_N-HztJXUcVhwF04HQsY9CBqQC7pblGnNIDWCXxnJiCH_jc4W-uMPNA6FBK9TT27vE5q5AIa487GcLLkeJxdchXiDJvw6wHty680eJx3kL4
Make requests with the token.
For example GET-Requests with curl:
curl -s -X GET -H "X-Auth-Token: $OS_TOKEN" http://127.0.0.1:5000/v3/users | python -m json.tool
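Step 3 above as shell functions, added here as an example that is not part of the answer. It keeps the same Keystone v3 request shape and the OS_* variables from the rc file, but builds the JSON body with escaping (a password containing a quote no longer breaks the command), sends it on stdin so the credentials do not appear in the process list, and reads X-Subject-Token from the response headers rather than from verbose output; the function names are this example's own.

```shell
#!/bin/sh
# Added example: Keystone token request through the SSH tunnel of step 1,
# with OS_AUTH_URL=http://127.0.0.1:5000/v3 after step 2.

# Escape a value for embedding in a JSON double-quoted string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Password authentication scoped to a project, same structure as the curl
# body in the answer but with every OS_* value escaped.
keystone_auth_body() {
  printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"domain":{"name":"%s"},"name":"%s","password":"%s"}}},"scope":{"project":{"domain":{"name":"%s"},"name":"%s"}}}}' \
    "$(json_escape "$OS_USER_DOMAIN_NAME")" "$(json_escape "$OS_USERNAME")" \
    "$(json_escape "$OS_PASSWORD")" "$(json_escape "$OS_PROJECT_DOMAIN_NAME")" \
    "$(json_escape "$OS_PROJECT_NAME")"
}

# Read `curl -D -` header output on stdin and print the X-Subject-Token value.
# Prints nothing if the header is absent (for example, authentication failed).
extract_subject_token() {
  tr -d '\r' | sed -n 's/^[Xx]-[Ss]ubject-[Tt]oken: *//p'
}

# POST the body from stdin (@-), discard the response body, keep the headers.
keystone_get_token() {
  keystone_auth_body | curl -s -o /dev/null -D - -X POST \
    "$OS_AUTH_URL/auth/tokens?nocatalog" \
    -H 'Content-Type: application/json' --data-binary @- | extract_subject_token
}

# Example use (needs the tunnel and an rc file sourced; not run in this file):
#   OS_TOKEN=$(keystone_get_token) && export OS_TOKEN
#   curl -s -H "X-Auth-Token: $OS_TOKEN" http://127.0.0.1:5000/v3/users
```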

How can I pass a external environment variable to drone docker runner?

The scene is: I want to exec docker run & push in the docker runner, and the docker registry and docker runner are on the same server. So I want to pass the host IP as a variable into the drone pipeline container so I can push the docker image without a remote registry server. But it seems that only drone-allowed environment variables can be used in '${}'. I tried to export EXTERNALIP on the host machine and tried to get ${EXTERNALIP} but got nothing.
So is there some way I can get the external IP for communicating to localhost, or another way to achieve this?
You should be able to push to localhost if it's on the same host. That said, I was not able to do this using the packages plugin but was able to replicate using direct docker:
steps:
  - name: docker-${DRONE_EVENT}
    image: docker:19.03
    when:
      event: [ push, pull_request ]
      status: [ success ]
    environment:
      DOCKER_PASSWORD:
        from_secret: docker_password
    commands:
      - echo $DOCKER_PASSWORD | docker login --username user_name --password-stdin localhost
      - docker build -t localhost/demo-web:latest .
      - if [ "${DRONE_EVENT}" == "push" ]; then docker push localhost/demo-web:latest; fi;
    volumes:
      - name: docker-socket
        path: /var/run/docker.sock
volumes:
  - name: docker-socket
    host:
      path: /var/run/docker.sock
A couple of caveats: obviously you will need to have trusted access in the repo configuration, or --trusted if using local exec. Enjoy!

Spinnaker Docker registry configuration

I am trying to add Docker registry for Spinnaker using the below command:
hal config provider docker-registry account add docker-registry-test \
  --address docker.xyz.com --repositories dept-test/test-apps/testsvc/test-service,dept-test/test-apps/testsvc1/test-service1 \
  --username user --password
I would like to add more repositories under the same account.
How can I add repositories?
Also, I want all of my repositories available under dept-test: whatever repos are available now, and it should display repos as and when they get added.
The following configuration will get all images from your registry with a 5 minute cache refresh:
dockerRegistry:
  enabled: true
  accounts:
    - name: docker-registry
      providerVersion: V1
      address: https://docker.cluster.local
      cacheIntervalSeconds: 300
      clientTimeoutMillis: 60000
      cacheThreads: 1
      paginateSize: 20
      sortTagsByDate: true
      trackDigests: false
      username: docker
      passwordFile: /data/accounts/docker-registry-password

Use Nexus 3 API to change admin password

I would like to use the Nexus 3 API to change the admin default password as well as the email address using Groovy. But I don't understand how to set the password using the Groovy API. Can someone provide an example of how to do this?
Summary
You can use the REST API to both update user information and change their password. This includes the admin user.
Nexus REST API: Update user information
The default admin user-data.json in my instance is the following:
{
  "userId": "admin",
  "firstName": "Administrator",
  "lastName": "User",
  "emailAddress": "admin@example.org",
  "source": "default",
  "status": "active",
  "readOnly": false,
  "roles": [
    "nx-admin"
  ],
  "externalRoles": []
}
Update the user-data.json to your desired values and use curl with the REST API.
NX_PASSWORD="admin user password"
curl -ifu admin:"${NX_PASSWORD}" \
-XPUT -H 'Content-Type: application/json' \
--data "$(< user-data.json)" \
<nexus base URL>/service/rest/v1/security/users/admin
Nexus REST API: Change password
You'll want to use the Security Management API.
See Nexus 3 backend source code.
OLD_PASSWORD="nexus admin password"
NEW_PASSWORD="your new password"
curl -ifu admin:"${OLD_PASSWORD}" \
-XPUT -H 'Content-Type: text/plain' \
--data "${NEW_PASSWORD}" \
<nexus base URL>/service/rest/v1/security/users/admin/change-password
This documentation is only available on a running Nexus instance. You can view this API on your own running Nexus instance by visiting:
Menu: System configuration > System > API.
Old way: Change password during initial onboarding
This only works during initial onboarding. You should definitely not use this method. Just documenting for completeness.
This section is for changing the initial password during onboarding.
Referencing Nexus source
Frontend code
Backend code
You can change the admin user password with a single curl command.
OLD_PASSWORD="initial nexus password"
NEW_PASSWORD="somepass"
curl -ifu admin:"${OLD_PASSWORD}" \
-XPUT -H 'Content-Type: text/plain' \
--data "${NEW_PASSWORD}" \
<nexus base URL>/service/rest/internal/ui/onboarding/change-admin-password
I originally thought changePassword was deprecated, but I was mistaken. Here is an example of updating admin email address and changing the password:
def user = security.securitySystem.getUser('admin')
user.setEmailAddress('admin@mycompany.com')
security.securitySystem.updateUser(user)
security.securitySystem.changePassword('admin','admin456')
Sonatype Nexus has a change-admin-password internal API to update the admin password, but it's not straightforward to use; it uses the session id that's created with the /service/rapture/session endpoint.
curl -v 'https://<hostname>/service/rapture/session' --data 'username=<base64 username>&password=<base64 password>'
curl -v -X PUT 'https://<hostname>/service/rest/internal/ui/onboarding/change-admin-password' -H 'cookie: <NXSESSIONID from the above response>' --data '<plain text password>'
Reference:
https://github.com/sonatype/nexus-public/blob/9b177ab50bd7f8470b08247b146da459170ecc8f/plugins/nexus-onboarding-plugin/src/main/resources/static/rapture/NX/onboarding/step/ChangeAdminPasswordStep.js#L50
Install the nexus3 cli:
pip install nexus3-cli
Get the first initial password (Assuming Nexus is running in docker):
docker exec nexus cat /nexus-data/admin.password
Set environment variables:
export NEXUS3_PASSWORD=<PASSWORD FROM PREVIOUS STEP>
export NEXUS3_USERNAME=<USERNAME>
export NEXUS3_URL=<URL>
Allow remote script execution by updating /nexus-data/etc/nexus.properties and appending the below line:
nexus.scripts.allowCreation=true
Restart nexus service to reload the last change:
docker container restart <nexus>
Create a file reset-password.groovy with the following contents (thanks to @Dennis Hoer):
def user = security.securitySystem.getUser('admin')
user.setEmailAddress('admin@mycompany.com')
security.securitySystem.updateUser(user)
security.securitySystem.changePassword('admin','admin456')
From command line create the script and run the script to reset the password of admin:
nexus3 script create --script-type groovy passreset reset-password.groovy
nexus3 script run passreset
The password is now reset.