Fabiola Auma

1667728620

Ansible Vault: Ansible Lookup Plugin for Secrets Stored in Vault

ansible-vault lookup module 

This is a lookup module for secrets stored in HashiCorp Vault. It supports Ansible 1.9.x and 2.x.

Deprecation notice

ansible-vault has been deprecated due to a lack of personal use of Ansible and Vault over the last few years. Other plugins, such as hashivault, provide the same functionality and are better maintained.

Installation

Lookup plugins can be loaded from several different locations, similar to $PATH; see lookup_plugins. An example setup can be found in the tests directory.

The source for the plugin can be pointed to via a requirements.yml file, and accessed via ansible-galaxy.

Configuration

The address to the Vault server:

export VAULT_ADDR=http://192.168.33.10:8200/

The plugin supports both a Vault auth token and a GitHub auth token. To use a Vault auth token:

export VAULT_TOKEN=56f48aef-8ad3-a0c4-447b-8e96990776ff

If your Vault server is configured to use GitHub auth token:

export VAULT_GITHUB_API_TOKEN=56f48aef-8ad3-a0c4-447b-8e96990776ff

The plugin also supports Vault's CA-related environment variables, to enable use of a server certificate issued by a not-widely-trusted Certificate Authority. Use of this feature in the plugin requires Python 2.7.9.

export VAULT_CACERT=/etc/ssl/certs/localCA.pem
export VAULT_CAPATH=/etc/ssl/localCA

The Vault address, CA certificate, and path can also be set via the Ansible variables vault_addr, vault_cacert, and vault_capath, respectively.

export VAULT_CAHOSTVERIFY="no"

This avoids the hostname check for the Vault certificate (useful with self-signed certificates). This option can also be set via the Ansible variable vault_cahostverify.

export VAULT_SKIP_VERIFY=1

This disables SSL certificate validation entirely. VAULT_CACERT, VAULT_CAPATH and VAULT_CAHOSTVERIFY must be unset when it is used. It can also be set via the Ansible variable vault_skip_verify: <bool>.

For more information on setting variables in Ansible, see the variables docs.

The Vault token intentionally cannot be set via an Ansible variable: variable files are generally checked into revision control, and storing the token there would be a bad security practice that largely defeats the purpose of using Vault. The token can instead be read from the file $HOME/.vault-token, as documented under Vault environment variables.

If any such parameter is set by both an environment variable and an alternative means, the environment variable takes precedence.

Caching

By default, secrets fetched from Vault are cached in memory, unless you specify

export ANSIBLE_HASHICORP_VAULT_USE_CACHE=no

Note that secrets are fetched once per fork (the default is 5 forks). If you turn this feature off with the variable above, every lookup is performed per node instead.

Approle support

If you want to use the AppRole auth backend, set the following environment variables. When both are set, the plugin tries to obtain an AppRole token. If caching is enabled, the token is stored in the cache so that it can be reused.

export ANSIBLE_HASHICORP_VAULT_ROLE_ID=ba78195c-12c9-557f-f8e2-75705b9b52ec
export ANSIBLE_HASHICORP_VAULT_SECRET_ID=5a4d079b-e6aa-ad54-8b0c-09dd35b740ee

By default the authentication is performed against ${YOUR_HOST}/v1/auth/approle/login. You can change this to fit your layout by setting the following variable to your own path:

export ANSIBLE_HASHICORP_VAULT_ROLE_PATH=v1/auth/my/role/path/approle/login
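The precedence and TLS rules from the Configuration section and the AppRole login target described above, as an added example that is not the plugin's own code: a small Python module that resolves the same environment variables and Ansible variables into one settings dict and derives the AppRole login request from it. The function names and the dict layout are choices made for this example; the role_id and secret_id body fields are Vault's AppRole login parameters.

```python
# Added example, not part of the jhaals/ansible-vault plugin: the settings rules from
# the Configuration and Approle sections as one pure function, so the effective client
# configuration can be checked before anything is sent to Vault. The function names and
# the returned dict layout are choices made for this example.

CA_RELATED = ("VAULT_CACERT", "VAULT_CAPATH", "VAULT_CAHOSTVERIFY")
DEFAULT_ROLE_PATH = "v1/auth/approle/login"


def _truthy(value):
    """Accept both shell-style ("1", "yes") and YAML-style (True) booleans."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def _pick(env, ansible_vars, env_name, var_name):
    """Environment variable first; the Ansible variable only fills in when env is unset."""
    if env.get(env_name) not in (None, ""):
        return env[env_name]
    return ansible_vars.get(var_name)


def resolve_vault_config(env, ansible_vars, token_file=None):
    """Return the effective client settings as a dict.

    env is the process environment (a plain dict here), ansible_vars the play's
    variables, token_file the content of $HOME/.vault-token or None if absent.
    """
    if "vault_token" in ansible_vars:
        # Ruled out on purpose: vars files end up in revision control.
        raise ValueError("vault_token must not come from Ansible variables; set VAULT_TOKEN")
    addr = _pick(env, ansible_vars, "VAULT_ADDR", "vault_addr")
    if not addr:
        raise ValueError("VAULT_ADDR (or vault_addr) is required")

    skip_verify = _truthy(_pick(env, ansible_vars, "VAULT_SKIP_VERIFY", "vault_skip_verify") or False)
    if skip_verify and any(env.get(name) for name in CA_RELATED):
        # Naming a CA while disabling verification is contradictory; refuse instead of guessing.
        raise ValueError("VAULT_SKIP_VERIFY requires the VAULT_CA* variables to be unset")
    host_verify = _pick(env, ansible_vars, "VAULT_CAHOSTVERIFY", "vault_cahostverify")

    return {
        "addr": addr.rstrip("/"),
        "cacert": _pick(env, ansible_vars, "VAULT_CACERT", "vault_cacert"),
        "capath": _pick(env, ansible_vars, "VAULT_CAPATH", "vault_capath"),
        "verify_tls": not skip_verify,
        "verify_hostname": host_verify is None or _truthy(host_verify),
        # VAULT_TOKEN, then ~/.vault-token. A GitHub token is kept separate because it
        # is exchanged for a Vault token at login rather than used as one.
        "token": env.get("VAULT_TOKEN") or token_file,
        "github_token": env.get("VAULT_GITHUB_API_TOKEN"),
        "role_id": env.get("ANSIBLE_HASHICORP_VAULT_ROLE_ID"),
        "secret_id": env.get("ANSIBLE_HASHICORP_VAULT_SECRET_ID"),
        "role_path": env.get("ANSIBLE_HASHICORP_VAULT_ROLE_PATH", DEFAULT_ROLE_PATH),
        "use_cache": _truthy(env.get("ANSIBLE_HASHICORP_VAULT_USE_CACHE", "yes")),
    }


def approle_login_request(cfg):
    """Return (url, json_body) for the AppRole login, or None when no role_id/secret_id
    pair is configured. The body fields are Vault's AppRole login parameters."""
    if not (cfg["role_id"] and cfg["secret_id"]):
        return None
    url = cfg["addr"] + "/" + cfg["role_path"].lstrip("/")
    return url, {"role_id": cfg["role_id"], "secret_id": cfg["secret_id"]}
```

Feeding the resolved dict to an HTTP client still needs the actual request code; the point here is that a contradictory TLS setting or a token smuggled in through play variables is rejected before any connection is made.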

Usage

ansible-vault works like any other lookup plugin.

- debug: msg="{{ lookup('vault', 'secret/foo', 'value') }}"

# templates/example.j2

# Generic secrets
{{ lookup('vault', 'secret/hello').value }} # world
# Generic secrets with parameters
{{ lookup('vault', 'pki/issue/example-dot-com common_name=foo.example.com format=pem_bundle').certificate }}
# Specify field inside lookup
{{ lookup('vault', 'secret/hello', 'value') }} # world
# This syntax for Ansible 1.9.x
{{ lookup('vault', ['secret/hello', 'value']) }} # world

# Dynamic secrets
{% set aws = lookup('vault', 'aws/creds/deploy') %}
access_key = {{ aws.access_key }} # AKSCAIZSFSYHFGA
secret_key = {{ aws.secret_key }} # 4XSLxDUS+hyXgoIHEhCKExHDGAJDHFiUA/adi

If the desired value is stored in Vault under the key 'value' (like the 'value=world' shown above), the lookup can be performed within a task with:

with_vault:
- secret/hello

And then referenced with "{{ item.value }}"

Alternatively, the lookup can be performed with:

with_vault:
- secret/hello
- value

And then referenced with "{{ item }}"

Both of these forms work with both Ansible 1.9.x and 2.x. They only work within tasks, though: you cannot use the with_vault: syntax within a variable definition file.
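The three lookup syntaxes from the Usage section, as an added example that is not the plugin's own code: a small Python model of how the term list maps to a Vault request and to the value handed back to the template or task. parse_term, fake_fetch and vault_lookup are names chosen for this example, the "parameters turn the read into a write" rule is an assumption about the plugin, and the Vault responses are constructed stand-ins.

```python
# Added example, not the jhaals/ansible-vault plugin's code: models the mapping from
# lookup('vault', path[, field]) and lookup('vault', [path, field]) to a Vault request
# and a returned value. The request rules are assumptions, not taken from the plugin.

# Constructed responses standing in for a Vault server, keyed by (method, path, params).
# Every value below is made up for the example.
FAKE_VAULT = {
    ("GET", "secret/hello", ()): {"data": {"value": "world"}},
    ("GET", "aws/creds/deploy", ()): {
        "data": {"access_key": "AKIACONSTRUCTEDEXAMPLE", "secret_key": "constructed/secret+key"}},
    ("POST", "pki/issue/example-dot-com",
     (("common_name", "foo.example.com"), ("format", "pem_bundle"))): {
        "data": {"certificate": "-----BEGIN CERTIFICATE-----\nMIIC...constructed...\n-----END CERTIFICATE-----"}},
}


def parse_term(term):
    """Split 'path key=value key2=value2' into the secret path and a parameter dict."""
    path, *pairs = term.split()
    params = {}
    for pair in pairs:
        if "=" not in pair:
            raise ValueError("parameter %r is not key=value" % pair)
        key, value = pair.split("=", 1)
        params[key] = value
    return path, params


def fake_fetch(method, path, params):
    """Stand-in for the HTTP call: looks the request up in FAKE_VAULT."""
    key = (method, path, tuple(sorted(params.items())))
    if key not in FAKE_VAULT:
        raise KeyError("no such secret: %s %s" % (method, path))
    return FAKE_VAULT[key]


def vault_lookup(terms, fetch=fake_fetch):
    """Model the plugin's term handling.

    terms is the string or list Ansible passes to the lookup. Parameters after the
    path turn the read into a write (assumed: pki/issue and similar endpoints take
    their arguments in the request body). A second term selects one field from the
    returned data; without it the whole data dict is returned, so templates can use
    .value, .certificate or .access_key as in the README.
    """
    if isinstance(terms, str):
        terms = [terms]
    if not terms:
        raise ValueError("a secret path is required")
    path, params = parse_term(terms[0])
    method = "POST" if params else "GET"
    data = fetch(method, path, params)["data"]
    if len(terms) == 1:
        return data
    field = terms[1]
    if field not in data:
        raise KeyError("field %r not present in %s" % (field, path))
    return data[field]
```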

Troubleshooting

If you use the version of Ansible shipped with Ubuntu 16.04 (2.0.0.2-2ubuntu1) and get the error "Error was sequence item 0: expected string, dict found", install Ansible from the PPA instead. Related to this Ansible PR.

What's the difference between ansible-vault and hashi_vault

  • (Ansible Vault) No external dependencies; (hashi_vault) requires hvac
  • (Ansible Vault) Uses the same environment variables as vault itself
  • (Ansible Vault) Quicker update cycle
  • (Ansible Vault) Supports dynamic secrets
  • (Ansible Vault) Supports custom fields

Download Details:

Author: jhaals
Source Code: https://github.com/jhaals/ansible-vault

License: BSD-3-Clause license


Christa Stehr

1602964260

50+ Useful Kubernetes Tools for 2020 - Part 2

Introduction

Last year we provided a list of Kubernetes tools that proved so popular that we have decided to curate another list of useful additions for working with the platform, among them many tools that we personally use here at Caylent. Check out the original tools list here in case you missed it.

According to a recent survey by StackRox, the dominance Kubernetes enjoys in the market continues to be reinforced, with 86% of respondents using it for container orchestration.

(State of Kubernetes and Container Security, 2020)

And as you can see below, more and more companies are jumping into containerization for their apps. If you’re among them, here are some tools to aid you going forward as Kubernetes continues its rapid growth.

(State of Kubernetes and Container Security, 2020)



Awesome Ansible List

Awesome Ansible

A collaborative curated list of awesome Ansible resources, tools, Roles, tutorials and other related stuff.

Ansible is an open source toolkit, written in Python, it is used for configuration management, application deployment, continuous delivery, IT infrastructure automation and automation in general.

Official resources

Official resources by and for Ansible.

Community

Places where to chat with the Ansible community

Tutorials

Tutorials and courses to learn Ansible.

Books

Books about Ansible.

Videos

Video tutorials and Ansible training.

Tools

Tools for and using Ansible.

  • Ansible Tower - Ansible Tower by Red Hat helps you scale IT automation, manage complex deployments and speed productivity. Extend the power of Ansible to your entire team.
  • AWX - AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is the upstream project for Tower, a commercial derivative of AWX.
  • Ansible Lint - Checks Playbooks for best practices and behavior that could potentially be improved.
  • Ansible Later - Another best practice scanner. Checks Playbooks and Roles for best practices and behavior that could potentially be improved.
  • Ansible Doctor - Simple annotation like documentation generator for Ansible roles based on Jinja2 templates.
  • Ansible cmdb - Takes the output of Ansible's fact gathering and converts it into a static HTML page.
  • ARA - ARA Records Ansible playbooks and makes them easier to understand and troubleshoot with a reporting API, UI and CLI.
  • Mitogen for Ansible - Speed up Ansible substantially with Mitogen.
  • Molecule - Molecule aids in the development and testing of Ansible roles.
  • Packer Ansible Provisioner - This Provisioner can be used to automate VM Image creation via Packer with Ansible.
  • Excel Ansible Inventory - Turn any Excel Spreadsheet into an Ansible Inventory.
  • terraform.py - Ansible dynamic inventory script for parsing Terraform state files.
  • ansible-navigator - A text-based user interface (TUI) for Ansible.
  • squest - Self-service portal for Ansible Tower job templates.
  • ansible-bender - Tool which bends containers using Ansible playbooks and turns them into container images.
  • ansible-runner - A tool and python library that helps when interfacing with Ansible directly or as part of another system whether that be through a container image interface, as a standalone tool, or as a Python module that can be imported.
  • ansible-builder - Using Ansible content that depends on non-default dependencies can be tricky. Packages must be installed on each node, play nicely with other software installed on the host system, and be kept in sync.
  • kics - SAST tool that scans your Ansible infrastructure-as-code playbooks for security vulnerabilities, compliance issues and misconfigurations.
  • php-ansible Library - OOP-Wrapper for Ansible, making Ansible available in PHP.
  • TD4A - Design aid for building and testing Jinja2 templates; combines data in YAML format with a Jinja2 template and renders the output.
  • Ansible Playbook Grapher - Command line tool to create a graph representing your Ansible playbook plays, tasks and roles.
  • ansible-doc-extractor - A tool that extracts documentation from Ansible modules in the HTML form.
  • Ansible Semaphore - Ansible Semaphore is a modern UI for Ansible.

Blog posts and opinions

Best practices and other opinions on Ansible.

German

Playbooks, Roles and Collections

Awesome production ready Playbooks, Roles and Collections to get you up and running.


Download Details:

Author: ansible-community
Source Code: https://github.com/ansible-community/awesome-ansible

License: CC0-1.0 license


How To Customize WordPress Plugins? (4 Easy Ways To Do)

WordPress needs no introduction. It has been around for a long time and still holds its own against leading web development technologies. The main reasons behind its remarkable success are that it is highly customizable and SEO-friendly. Other benefits include open-source technology, security, user-friendliness, and the thousands of free plugins it offers.

WordPress plugins are pieces of software that let you add features to a website. They are easy to integrate and do not hamper the performance of the site. WordPress, as a leading technology, offers many plugins out of the box.

However, WordPress will not always meet all your needs, so you may have to customize a plugin to provide the functionality you want. WordPress plugins are easy to install and customize. You do not have to build the solution from scratch, which is one reason small and medium-sized businesses love it: it requires neither a hefty investment nor an in-house development team. You can use the core functionality of the plugin and extend it as you like.

In this blog, we would be talking in-depth about plugins and how to customize WordPress plugins to improve the functionality of your web applications.

What Is The Working Of The WordPress Plugins?

Developing your own plugin requires some knowledge of how plugins work. That knowledge makes the customized plugin function better and helps you avoid mistakes that could hamper the experience on your site.

1. Hooks

Plugins operate primarily through hooks. Just as a hook attaches you to something, a feature or piece of functionality is hooked onto your website, and that piece of code interacts with the other components of the site. There are two types of hooks: actions and filters.

A. Action

If you want something to happen at a particular moment, use a WordPress "action" hook. With actions you can add, change and improve the functionality of your plugin, and attach new actions that your users can trigger on the website.

WordPress provides several predefined actions, and custom plugin development also lets you define your own, so your plugin can work the way you want. You can also set the values the hooked function receives. The add_action function then connects that function to a specific action.

B. Filters

Filters are hooks that accept a single variable or a series of variables and return them after modifying them. They let you change the content displayed to the user.

You add a filter to your website with the apply_filters function and then define the filter under that function. A filter hook takes $tag (the filter name) and $value (the value or variable being filtered); you can pass extra values to the function under $var.

Once you have written your filter, register it with the add_filter function. This activates the filter so that it runs when the corresponding function is triggered; you can manipulate the variable and return it.

2. Shortcodes

Shortcodes are a good way to create custom functionality and display it to your visitors. They are client-side bits of code that can be placed in posts, pages, menus, widgets and so on.

Many plugins use shortcodes, and by creating your own you too can customize a WordPress plugin. Create a shortcode with the add_shortcode function: the first argument is the name of the shortcode and the second is the callback that produces its output when it is triggered. The callback receives the attributes, the content, and the shortcode name.

3. Widgets

Besides hooks and shortcodes, you can add functionality to the site with widgets. You create a WordPress widget by extending the WP_Widget class. Widgets give a user-friendly experience because of their object-oriented design: the functions and values are stored in a single entity.

How To Customize WordPress Plugins?

There are various ways to customize WordPress plugins. Choose the right option depending on your needs and the degree of customization you want to make in the plugin. Keep in mind that it requires some technical knowledge, so find an expert WordPress plugin development company if you lack the knowledge to do it yourself.

1. Hire A Plugin Developer

One of the best ways to customize a WordPress plugin is by hiring a plugin developer. There are many plugin developers listed in the WordPress directory. You can contact them and collaborate with world-class WordPress developers. It is quite easy to find a WordPress plugin developer.

Since it is not much work and does not pay well or for the long term, many developers will be unwilling to collaborate, but you will eventually find people.

2. Creating A Supporting Plugin

If you want added functionality in an existing plugin, go for this option. It is a cheap way to meet your needs, and creating a supporting plugin takes very little time because its scope is limited. Furthermore, you can extend a plugin's current feature set without altering its base code.

However, to do so, you have to hire a WordPress developer as it also requires some technical knowledge.

3. Use Custom Hooks

Use the WordPress hooks to integrate some other feature into an existing plugin. You can add an action or a filter as per your need and improve the functionality of the website.

If the plugin you want to customize already provides the hook, you do not have to do much: write your own plugin that works with those hooks, so you do not have to build a WordPress plugin from scratch. If the hook is not present in the plugin code, contact a WordPress developer or write the code yourself. It may take some time, but it works.

Once the hook is added, you have to re-apply the patch by hand each time a new plugin update is released.

4. Override Callbacks

The last way to customize WordPress plugins is by overriding callbacks. This lets you alter the core functionality of a WordPress plugin and completely change the way it works with your website; it is a way to transform the plugin entirely. By adding your own custom callbacks, you can create exactly the functionality you want.

We suggest hiring a web developer proficient in WordPress, as this requires a good amount of technical knowledge and an understanding of how the plugin works.


Securing your secrets using vault in Kubernetes — Part 2

In Part 1 of this series, we learned how to install Vault-k8s and enable the Kubernetes auth mechanism. In this tutorial we learn how to automatically inject these secrets into our Kubernetes Deployments/Pods.

I have used Helm to create the manifest files. Helm charts are easier to create, version, share, and publish. Copying and pasting the same manifests across multiple environments can be avoided, and the same charts can be reused by maintaining a different final overrides file.
