Faunadb dev: fixed secret key - faunadb

I’m using the dev container and I need to have a fixed secret key.
Here’s my current script to create the container and the db.
#!/usr/bin/env bash
docker pull fauna/faunadb
docker container stop faunadb || true && docker container rm faunadb || true
docker run --name faunadb -d \
--health-cmd="faunadb-admin status" --health-interval=5s \
-p 8443:8443 \
-p 8084:8084 \
fauna/faunadb
./docker/wait-for-healthy.sh faunadb 30
echo n | fauna add-endpoint http://localhost:8443/ --alias localhost --key secret
fauna create-database generator_dev --endpoint=localhost
fauna create-key generator_dev --endpoint=localhost
curl -u secret: http://localhost:8084/import --data-binary "@functions/schemas/schema.graphql"
I would like this command to always return the same secret key
fauna create-key generator_dev --endpoint=localhost
Is that possible?
I need a fixed secret key because I need to import the schema in the next step, so the easy way is to have a known secret key
Any idea is appreciated

By default, the Fauna Dev Docker image uses secret as the root-level admin key's secret. That would provide the consistency you seek without requiring additional key generation.
When you create a key, the BCrypt algorithm is employed, and the Snowflake-inspired document id is incorporated into the hash. That means that there is no way to "generate" a consistent key multiple times.
For most situations, where you are simulating a production workload, you would have to create a new key, capture the returned secret, and use the secret in subsequent queries. How you do that is up to you.
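The "create a key, capture the returned secret, reuse it" pattern from the answer above, written out as an added example (not code from the original post). It assumes the CLI prints the secret on a line of the form "secret: <value>", and that the file path, database name and endpoint alias match the question; the "dev" mode just uses the image's built-in secret.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: create the key once, capture the
# secret the CLI prints, keep it in a 0600 file and reuse it for the import.
set -eu

DB_NAME="${DB_NAME:-generator_dev}"
ENDPOINT="${ENDPOINT:-localhost}"
SECRET_FILE="${SECRET_FILE:-$HOME/.fauna_dev_secret}"
SCHEMA="${SCHEMA:-functions/schemas/schema.graphql}"

# Pull the secret out of the CLI output on stdin. Assumption: the output
# contains a line of the form "secret: <value>"; adjust the pattern if your
# fauna-shell version prints it differently.
extract_secret() {
  sed -n 's/^[[:space:]]*secret:[[:space:]]*\([^[:space:]]*\).*$/\1/p' | head -n 1
}

# Reuse a stored secret if present, otherwise mint a key and store its secret
# with restrictive permissions. A new key is created only on the first run.
get_or_create_secret() {
  if [ -s "$SECRET_FILE" ]; then
    cat "$SECRET_FILE"
    return 0
  fi
  secret=$(fauna create-key "$DB_NAME" --endpoint="$ENDPOINT" | extract_secret)
  if [ -z "$secret" ]; then
    echo "could not parse a secret from fauna create-key output" >&2
    return 1
  fi
  ( umask 077; printf '%s\n' "$secret" > "$SECRET_FILE" )
  printf '%s\n' "$secret"
}

# Same import call as in the question, with the captured secret as the
# basic-auth user name and an empty password.
import_schema() {
  curl -fsS -u "$1:" http://localhost:8084/import --data-binary "@$2"
}

# For the stock dev image the root key's secret is simply "secret", so the
# import can run with that and no key creation at all.
if [ "${1:-}" = "dev" ]; then
  import_schema secret "$SCHEMA"
elif [ "${1:-}" = "run" ]; then
  import_schema "$(get_or_create_secret)" "$SCHEMA"
fi
```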

How to delete a Jelastic environment through the API?

I tried to delete one of my Jelastic environments by means of the following API call:
curl -k \
-H "${CONTENT_TYPE}" \
-A "${USER_AGENT}" \
-X POST \
-fsS "${HOSTER_URL}/1.0/environment/control/rest/deleteenv" -d "password=${password}&session=${session}&envName=${envName}"
where I am sure that the session and envName are correct, as I have other commands running perfectly well with them. In particular, I get the session in the following way:
getSession() {
local login=$1
local password=$2
local hosterUrl=$3
echo "Signing in..." >&2
local cmd=$(curl -k -H "${CONTENT_TYPE}" -A "${USER_AGENT}" -X POST \
-fsS "$hosterUrl/1.0/users/authentication/rest/signin" -d "login=$login&password=$password");
exitOnFail $cmd
echo "Signed in" >&2
# jq -r prints the raw string, so no sed is needed to strip the quotes
jq -r '.session' <<< "$cmd"
}
In the call to deleteenv, I provide the very same password as that of my Jelastic provider account. Indeed, when I want to delete an environment through Jelastic's dashboard, this is the password I need to provide to make the deletion happen. However, I get the following error:
{"result":801,"source":"hx-core","error":"invalid password"}
Because the password field is documented as optional in Jelastic's API documentation, I tried not to set the password. This yields the following error:
{"result":3,"source":"JEL","error":"invalid parameter [password] for method [DeleteEnv] in service [ControlService]"}
I tried to use other secrets as that password, like the APPID, without any success.
Does anyone have a clue what password I need to put there?
We used the same one-liner based on the API you used, your script to get a session and the same Jelastic version, but were not able to reproduce this issue. Environments were successfully deleted.
Does anyone have a clue what password I need to put there?
This is the same password as you used to get session or to enter Dashboard. Make sure there are no additional symbols in your password variable.
Because the password field is documented as optional
Indeed, it's optional if you use a token instead of a session. In the case of a session, password is an obligatory parameter.
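The same deleteenv call, as an added example (not from the original post or Jelastic's documentation), with curl URL-encoding each form field and a check for the "additional symbols" the answer mentions before the password variable is used. CONTENT_TYPE, USER_AGENT and HOSTER_URL are assumed to be set as in the question.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: the same deleteenv call with every
# form field URL-encoded by curl, plus a check for stray characters in the
# password variable. CONTENT_TYPE, USER_AGENT and HOSTER_URL are assumed to be
# set as in the question.
set -eu

# Fail if the value is empty, has leading/trailing whitespace, or carries a
# CR/LF (typical when the variable is read from a file edited on Windows).
# Such "additional symbols" make a correct-looking password fail.
check_secret_clean() {
  val="$1"
  if [ -z "$val" ]; then
    echo "password is empty" >&2; return 1
  fi
  case "$val" in
    [[:space:]]*|*[[:space:]])
      echo "password has leading or trailing whitespace" >&2; return 1 ;;
  esac
  cr=$(printf '\r'); lf='
'
  case "$val" in
    *"$cr"*|*"$lf"*)
      echo "password contains a line break" >&2; return 1 ;;
  esac
  return 0
}

# With -d "password=${password}&..." a password containing '&', '%' or '+'
# is sent verbatim and parsed as form syntax; --data-urlencode encodes it.
deleteEnv() {
  session="$1" envName="$2" password="$3"
  check_secret_clean "$password" || return 1
  curl -k -H "${CONTENT_TYPE}" -A "${USER_AGENT}" -X POST -fsS \
    "${HOSTER_URL}/1.0/environment/control/rest/deleteenv" \
    --data-urlencode "session=${session}" \
    --data-urlencode "envName=${envName}" \
    --data-urlencode "password=${password}"
}

# usage: ./deleteenv.sh run <session> <envName> <password>
if [ "${1:-}" = "run" ]; then
  deleteEnv "$2" "$3" "$4"
fi
```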

How do I use the drone secret command in the current version?

I want to add an ssh key to my drone secrets, but can't get the command to work. I've tried many versions of the command found on various stackoverflow/documentation pages, but none of them work. The command help also gives an entirely different syntax than the one in the documentation...
From the documentation:
drone secret add \
--repository <registry> \
--image <image> \
--name <name> \
--value <value>
This just doesn't work for me.
Then I've found this Stackoverflow question about adding ssh keys to secrets. The answer shows again a different syntax, I tried this way, still doesn't work.
When I try to use the command, I get this:
Incorrect Usage.
NAME:
   drone secret add - adds a secret
USAGE:
   drone secret add [command options] [repo] [key] [value]
OPTIONS:
   --event [--event option --event option]   inject the secret for these event types
   --image [--image option --image option]   inject the secret for these image types
   --input                                   input secret value from a file
   --skip-verify                             skip verification for the secret
   --conceal                                 conceal secret in build logs
Which suggests it should be used like this:
drone secret add user/repo SSH_KEY <my_id_rsa>
But that doesn't work either.
So what's the actual way of using this command?
Turns out there is an option to add secrets in the web interface, in the settings page of a repo. I completely missed it and the documentation doesn't mention it.
So no need to use the command line.

How to deploy from CircleCI to Google Compute Engine?

I want to deploy CircleCi's artifacts to Google Compute Engine after CI test,
but I got stuck in SSH key issues.
When gcloud compute copy-files runs, gcloud asks to generate an SSH key during CircleCI's deployment process, which I don't know how to handle.
WARNING: The public SSH key file for gcloud does not exist.
WARNING: The private SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
I've looked into document here and here, but none of them mentioned SSH related topics. So what SSH key should I use and how can I pass it to gcloud securely?
[UPDATED]
Here's my commands in the deployment step.
- echo $GCLOUD_SERVICE_KEY | base64 --decode --ignore-garbage > ${HOME}/gcloud-service-key.json
- sudo /opt/google-cloud-sdk/bin/gcloud --quiet components update
- sudo /opt/google-cloud-sdk/bin/gcloud auth activate-service-account --key-file ${HOME}/gcloud-service-key.json
- sudo /opt/google-cloud-sdk/bin/gcloud config set project $GCLOUD_PROJECT_ID
- sudo /opt/google-cloud-sdk/bin/gcloud compute copy-files ./dist instance-1:/tmp/ --zone $GCLOUD_INSTANCE_ZONE
First error:
Enter passphrase (empty for no passphrase):
You have to add the --quiet flag.
gcloud compute copy-files
This command ensures that the user's public SSH key is present in the project's metadata. If the user does not have a public SSH key, one is generated using ssh-keygen(1) (if the --quiet flag is given, the generated key will have an empty passphrase).
https://cloud.google.com/sdk/gcloud/reference/compute/copy-files
Second error:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
add a user before the instance name 338234243-compute@instance-1:/tmp
remove the last / of the instance path instance-1:/tmp
Check the owner of the tmp directory (the user you choose should have read and write rights)
It seems that the default user of my generated ssh key was root, and GCE sshd is not allowing root connections...
I had the same issue, and upon tinkering more and reading the google cloud docs, I realized I needed to generate an ssh key.
I use CircleCI (this also works with TravisCI) and this was the command I added to my circle.yml file to generate the ssh key:
- ssh-keygen -q -N "" -f ~/.ssh/google_compute_engine
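The fixes from the answers above combined into one deployment script, as an added example (not from the original post): the service-account key is written with restrictive permissions, the SSH key is generated without a passphrase before copy-files runs, --quiet is passed, and the target is user@instance:path with no trailing slash. It runs gcloud without sudo so the generated key belongs to the CI user rather than root; GCLOUD_SERVICE_KEY, GCLOUD_PROJECT_ID and GCLOUD_INSTANCE_ZONE are assumed to be set by CI, and SSH_USER and INSTANCE are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: one deployment script that
# combines the fixes from the answers: service-account key written with
# restrictive permissions, SSH key pre-generated without a passphrase,
# --quiet on copy-files, and a user@instance:path target with no trailing
# slash. GCLOUD_SERVICE_KEY, GCLOUD_PROJECT_ID and GCLOUD_INSTANCE_ZONE are
# assumed to be set by CI; SSH_USER and INSTANCE are placeholders.
set -eu
GCLOUD="${GCLOUD:-/opt/google-cloud-sdk/bin/gcloud}"
SSH_USER="${SSH_USER:-deploy}"
INSTANCE="${INSTANCE:-instance-1}"

# Build "user@instance:path", dropping any trailing slashes as suggested above.
copy_target() {
  user="$1" instance="$2" path="$3"
  while [ "$path" != "/" ] && [ "${path%/}" != "$path" ]; do
    path="${path%/}"
  done
  printf '%s@%s:%s\n' "$user" "$instance" "$path"
}

# Decode the base64 service-account key into a 0600 file instead of a
# default-mode file in $HOME.
write_service_key() {
  keyfile="$1"
  ( umask 077; printf '%s' "$GCLOUD_SERVICE_KEY" | base64 --decode --ignore-garbage > "$keyfile" )
  printf '%s\n' "$keyfile"
}

# Create the key gcloud looks for, with an empty passphrase, so copy-files
# never reaches the interactive ssh-keygen prompt from the question.
ensure_ssh_key() {
  mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
  [ -f "$HOME/.ssh/google_compute_engine" ] || \
    ssh-keygen -q -t rsa -N "" -f "$HOME/.ssh/google_compute_engine"
}

deploy() {
  keyfile=$(write_service_key "$HOME/gcloud-service-key.json")
  "$GCLOUD" auth activate-service-account --key-file "$keyfile"
  "$GCLOUD" config set project "$GCLOUD_PROJECT_ID"
  ensure_ssh_key
  "$GCLOUD" --quiet compute copy-files ./dist \
    "$(copy_target "$SSH_USER" "$INSTANCE" /tmp/)" --zone "$GCLOUD_INSTANCE_ZONE"
}

if [ "${1:-}" = "run" ]; then
  deploy
fi
```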

Generating new (not renewed) SSL Certificates with "letsencrypt certonly" in non-interactive mode

The following command leads to a series of reasonable prompts for information such as company information, contact info, etc... I'd like to be able to run it but pass that information as either parameters or a config file but I can't find out how from the docs (https://certbot.eff.org/docs/using.html#command-line-options). Any ideas?
letsencrypt certonly \
--webroot -w /letsencrypt/challenges/ \
--text --renew-by-default --agree-tos \
$domain_args \
--email=$EMAIL
Note that I am not trying to renew but to generate fresh new certificates.
Thank you
You should pass the --noninteractive flag to letsencrypt. According to the document that you linked to, that will produce an error telling you which other flags are necessary.
When using ployst/letsencrypt the initial certificate creation can be done using their internal scripts. Those scripts already pass all the right arguments to make this an automated process and not an interactive one. The documentation has the following two steps that both create the certificate and apply it as a secret.
If your environment variables are already set properly, you don't even have to pass -c 'EMAIL=.... etc.
Generate a new set of certs
Once this container is running you can generate new certificates
using:
kubectl exec -it <pod> -- bash -c 'EMAIL=fred@fred.com DOMAINS="example.com foo.example.com" ./fetch_certs.sh'
Save the set of certificates as a secret
kubectl exec -it <pod> -- bash -c 'DOMAINS="example.com foo.example.com" ./save_certs.sh'

ssh-add when ssh-agent fails

I am trying to write a script that makes use of {ssh,gpg}-agents effortless (like keychain, but I discovered it too late). This script will be run in a sensitive environment, so I set a timeout in order to remove the keys from the agent after some time.
I managed to write the spawn/reuse part but now, I want ssh-add to be called automatically when the user is opening a ssh connection if the agent has no proper key.
Is there any way to make ssh-agent call ssh-add on failure or something better ?
What I am doing (assuming the key has a distinctive name)
I have a script in ~/bin/ (which is in my PATH)
#!/bin/bash
if ! ssh-add -l | grep -q nameOfmyKey
then
ssh-add -t 2h ~/path-to-mykeys/nameOfmyKey.key
fi
ssh myuser@myserver.example.net
ssh-add -l lists all keys currently active in the agent.
The parameter -t ensures that the key is enabled for a restricted time only.
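A fuller version of the wrapper in the post, as an added example (not the poster's script): it reuses a running agent or starts one, checks whether the key is loaded by fingerprint instead of grepping for a file name, and loads it with the same -t lifetime before connecting. KEY is a placeholder path.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: an ssh wrapper that reuses a
# running agent (or starts one), checks whether the key is loaded by
# fingerprint instead of by file name, and loads it with a lifetime before
# connecting. KEY is a placeholder path; KEY_TTL mirrors the post's -t 2h.
set -eu
KEY="${KEY:-$HOME/.ssh/mykey}"
KEY_TTL="${KEY_TTL:-2h}"

# Fingerprint of a key file, e.g. "SHA256:..." (second field of ssh-keygen -l).
key_fingerprint() {
  ssh-keygen -lf "$1" | awk '{ print $2 }'
}

# Read an "ssh-add -l" listing on stdin; exit 0 if fingerprint $1 is in it.
# Matching on the fingerprint works even when the agent shows the key under
# a different comment than the file name the post greps for.
listing_has_fingerprint() {
  awk -v fp="$1" '$2 == fp { found = 1 } END { exit (found ? 0 : 1) }'
}

# ssh-add -l exits 1 when the agent has no identities and 2 when no agent is
# reachable; only the second case needs a new agent.
ensure_agent() {
  rc=0
  ssh-add -l >/dev/null 2>&1 || rc=$?
  if [ "$rc" -eq 2 ]; then
    eval "$(ssh-agent -s)" >/dev/null
  fi
}

ensure_key_loaded() {
  fp=$(key_fingerprint "$KEY.pub")
  if ! ssh-add -l 2>/dev/null | listing_has_fingerprint "$fp"; then
    ssh-add -t "$KEY_TTL" "$KEY"   # prompts for the passphrase once
  fi
}

# usage: ./sshw connect myuser@myserver.example.net
if [ "${1:-}" = "connect" ]; then
  shift
  ensure_agent
  ensure_key_loaded
  exec ssh "$@"
fi
```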