From 9a3de193de70101c9e45acd32226637c237610dc Mon Sep 17 00:00:00 2001 From: Vincent Mazenod <vmazenod@gmail.com> Date: Tue, 2 Jul 2019 15:29:24 +0200 Subject: [PATCH] slides 4 isima --- content/slides/cri/ansible-role.html | 59 ++++++ content/slides/cri/md/ansible-role.md | 49 +++++ content/slides/cri/md/stack.md | 50 ++++- content/slides/cri/md/vault.md | 286 ++++++-------------------- content/slides/index.html | 1 + content/slides/privacy/md/vault.md | 2 - 6 files changed, 207 insertions(+), 240 deletions(-) create mode 100644 content/slides/cri/ansible-role.html create mode 100644 content/slides/cri/md/ansible-role.md diff --git a/content/slides/cri/ansible-role.html b/content/slides/cri/ansible-role.html new file mode 100644 index 0000000..e55b8c7 --- /dev/null +++ b/content/slides/cri/ansible-role.html 
@@ -0,0 +1,59 @@ +<!doctype html> +<html> + <head> + <meta charset="utf-8"> + <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> + + <title>ansible rôle</title> + + <link rel="stylesheet" href="../../node_modules/reveal.js/css/reveal.css"> + <link rel="stylesheet" href="../../node_modules/reveal.js/css/theme/white.css"> + + <!-- Theme used for syntax highlighting of code --> + <link rel="stylesheet" href="../../node_modules/reveal.js/lib/css/zenburn.css"> + <link rel="stylesheet" href="../../node_modules/font-awesome/css/font-awesome.min.css"> + <link rel="stylesheet" href="../main.css"> + + <!-- Printing and PDF exports --> + <script> + var link = document.createElement( 'link' ); + link.rel = 'stylesheet'; + link.type = 'text/css'; + link.href = window.location.search.match( /print-pdf/gi ) ? '../../node_modules/reveal.js/css/print/pdf.css' : '../../node_modules/reveal.js/css/print/paper.css'; + document.getElementsByTagName( 'head' )[0].appendChild( link ); + </script> + </head> + <body> + <div class="reveal"> + <div class="slides"> + <section data-markdown="md/ansible-role.md" + data-separator="^\n\n\n" + data-separator-vertical="^\n\n" + data-separator-notes="^Note:" + data-charset="utf-8"> + </section> + </div> + </div> + + <script src="../../node_modules/reveal.js/lib/js/head.min.js"></script> + <script src="../../node_modules/reveal.js/js/reveal.js"></script> + + <script> + // More info about config & dependencies: + // - https://github.com/hakimel/reveal.js#configuration + // - https://github.com/hakimel/reveal.js#dependencies + Reveal.initialize({ + controls: true, + progress: true, + history: true, + center: false, + dependencies: [ + { src: '../../node_modules/reveal.js/plugin/markdown/marked.js' }, + { src: '../../node_modules/reveal.js/plugin/markdown/markdown.js' }, + { src: '../../node_modules/reveal.js/plugin/notes/notes.js', async: true }, + { src: 
'../../node_modules/reveal.js/plugin/highlight/highlight.js', async: true, callback: function() { hljs.initHighlightingOnLoad(); } } + ] + }); + </script> + </body> +</html> diff --git a/content/slides/cri/md/ansible-role.md b/content/slides/cri/md/ansible-role.md new file mode 100644 index 0000000..80913d5 --- /dev/null +++ b/content/slides/cri/md/ansible-role.md @@ -0,0 +1,49 @@ +## boilerplate + +[ansible-role-boilerplate](https://gitlab.isima.fr/cri/ansible-role-boilerplate) + +* Tous les rôles dervaient se tester aussi simplement que ça, en standalone, sans avoir peur de rien casser +* En pratique il faut parfois y réfléchir un peu + * path vault + * point de montage + * dépendance à des services existants + + +## Directory Layout + +[Directory Layout (ansible best practice)](https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html#directory-layout) + +```shell ++ tasks/ # + - main.yml # <- tasks file can include smaller files if warranted ++ handlers/ # + - main.yml # <- handlers file ++ templates/ # <- files for use with the template resource + - ntp.conf.j2 # <- templates end in .j2 ++ files/ # + - bar.txt # <- files for use with the copy resource + - foo.sh # <- script files for use with the script resource ++ vars/ # + - main.yml # <- variables associated with this role ++ defaults/ # + - main.yml # <- default lower priority variables for this role ++ meta/ # + - main.yml # <- role dependencies ++ library/ # roles can also include custom modules ++ module_utils/ # roles can also include custom module_utils ++ lookup_plugins/ # or other types of plugins, like lookup in this case +``` + + +## Directory Layout Bonus + +* Vagrantfile -> cross OS +* vagrant.rb +* role.yml +* .gitignore +* README.md + + +## TODO + +pacakger les box vagrant de manière synchrone avec les templates pve \ No newline at end of file diff --git a/content/slides/cri/md/stack.md b/content/slides/cri/md/stack.md index a6b16e2..8adce1b 100644 
--- a/content/slides/cri/md/stack.md +++ b/content/slides/cri/md/stack.md @@ -5,22 +5,50 @@ aka **B** rew **W** ired **S** tack -## requirement +## soyons honnête! -* proxmox aka pve -* ansible -* terraform - * [proxmox-provisionner](https://github.com/Telmate/terraform-provider-proxmox) - * [proxmox-api](https://github.com/Telmate/proxmox-api-go) -* du love <3 +Tout repose sur +* [proxmox-provisionner - pulse](https://github.com/Telmate/terraform-provider-proxmox/pulse) +* [proxmox-api - pulse](https://github.com/Telmate/proxmox-api-go/pulse) -## soyons honnête +et sur les produits [HashiCorp](https://github.com/hashicorp) -Tous repose sur -* [proxmox-provisionner - pulse](https://github.com/Telmate/terraform-provider-proxmox/pulse) -* [proxmox-api - pulse](https://github.com/Telmate/proxmox-api-go/pulse) +## Directory Layout + +[Directory Layout (ansible best practice)](https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html#directory-layout) + +```shell ++ ansible/ + - inventory.ini # inventory file for staging environment + ++ group_vars/ + - group1.yml # here we assign variables to particular groups + - group2.yml + ++ host_vars/ + - service1.yml # here we assign variables to particular systems + - service2.yml + ++ library/ # if any custom modules, put them here (optional) ++ module_utils/ # if any custom module_utils to support modules, put them here (optional) ++ filter_plugins/ # if any custom filter plugins, put them here (optional) + ++ playbooks/ + + cluster/ + - service1.yml # master playbook + - service2.yml # playbook for dbserver tier + ++ roles/ # empty folder remotes roles only + # inherited from ansible-boiler-plate + +``` + + +## How to + +[https://gitlab.isima.fr/cri/stack](https://gitlab.isima.fr/cri/stack) ## PCA / PRA diff --git a/content/slides/cri/md/vault.md b/content/slides/cri/md/vault.md index 1938c7a..8cd9352 100644 --- a/content/slides/cri/md/vault.md +++ b/content/slides/cri/md/vault.md 
@@ -1,45 +1,32 @@ -# vault +## Vault en bref! -<!-- .element width="30%" --> +<!-- .element width="30%" --> -**By HashiCorp** +#### Des secrets, des apps, des tokens, des équipes, un séquestre -## Installation +## Vault -* téléchargement d'un binaire +* By HashiCorp + * [écrit en go](https://github.com/hashicorp/hcl) + * cross plateform + * [hcl](https://github.com/hashicorp/hcl) + * intégration avec [consul](https://www.consul.io) & [terraform](https://www.terraform.io/) +* [auditable](https://www.vaultproject.io/docs/commands/audit/enable.html) +* [documenté](https://www.vaultproject.io/docs/) +* ... couteau suisse - * [https://releases.hashicorp.com/vault/](https://releases.hashicorp.com/vault/) - * décompresser dans /usr/local/bin - * configurer les permissions - * serveur - * créer un service systemd - * cli - * `/usr/local/bin/vault ` +## Vault -## Systemd +* Un binaire [vault](https://releases.hashicorp.com/vault/) qui fait + * serveur + * [<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview) + * UI web + * cli ```shell -setcap CAP_IPC_LOCK=+ep /usr/local/bin/vault -setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/vault -``` - -```ini -[Unit] -Description=a tool for managing secrets -Documentation=https://vaultproject.io/docs/ -After=network.target -ConditionFileNotEmpty=/etc/vault/vault.hcl - -[Service] -User=vault -Group=vault -ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault.hcl -ExecReload=/usr/local/bin/kill --signal HUP $MAINPID - -[Install] -WantedBy=multi-user.target +$ export $VAULT_ADDR=https://10.0.0.1 ``` @@ -62,12 +49,11 @@ listener "tcp" { ``` -## Initialisation +## initialisation SSS +### Shamir's Secret Sharing ```shell -export VAULT_ADDR=https://10.0.0.1 -export VAULT_SKIP_VERIFY=True -vault operator init -key-shares=3 -key-threshold=2 +$ vault operator init -key-shares=3 -key-threshold=2 ``` ```shell 
@@ -84,254 +70,100 @@ before it can start servicing requests. Vault does not store the generated master key. Without at least 2 key to reconstruct the master key, Vault will remain permanently sealed! - -It is possible to generate new unseal keys, provided you have a quorum of -existing unseal keys shares. See "vault operator rekey" for more information. -``` - - -## [<i class="fa fa-book" aria-hidden="true"></i> Secrets engines](https://www.vaultproject.io/docs/secrets/) - - - -<!-- -* [<i class="fa fa-book" aria-hidden="true"></i> Secrets Engines - getting started](https://learn.hashicorp.com/vault/getting-started/dynamic-secrets) -* [<i class="fa fa-book" aria-hidden="true"></i> AWS Secrets Engine](https://www.vaultproject.io/docs/secrets/aws/index.html) -* [<i class="fa fa-book" aria-hidden="true"></i> Active Directory Secrets Engine](https://www.vaultproject.io/docs/secrets/aws/index.html) -* [<i class="fa fa-book" aria-hidden="true"></i> SSH Secrets Engine](https://www.vaultproject.io/docs/secrets/ssh/index.html) -* [<i class="fa fa-book" aria-hidden="true"></i> KV Secrets Engine](https://www.vaultproject.io/docs/secrets/kv/index.html) ---> - - -## KV - -```shell -$ vault kv get cri/test -====== Data ====== -Key Value ---- ----- -password1 secret$ - -$ vault kv put cri/test password2=secret! -Success! Data written to: cri/test - -$ vault kv get cri/test -====== Data ====== -Key Value ---- ----- -password2 secret! -``` - - -## KV2 - -```shell -vault secrets enable -path=cri kv -vault kv enable-versioning cri/ # kv2 -``` - -* les secrets sont versionnés -* il est possible d'utiliser PATCH et pas seulement PUT - -```shell -$ vault kv patch cri/test password1=secret$ -Success! Data written to: cri/test - -$ vault kv get cri/test -====== Data ====== -Key Value ---- ----- -password1 secret$ -password2 secret! 
``` ## Authentification - + ## Authentification +par token + ```shell -vault login token=<root-token> +$ vault login token=<root-or-app-token> ``` -* par token - * root - * d'application +equivalent à ```shell -$ vault login -method=ldap username=vimazeno +$ export VAULT_TOKEN token=<root-or-app-token> ``` -* par ldap - * stocke le token d'authentificayion dans ~/.vault-token - - -## LDAP +par ldap ```shell -$ vault write auth/ldap/config \ - url="ldaps://samantha.local.isima.fr" \ - userattr="sAMAccountName" \ - userdn="dc=local,dc=isima,dc=fr" \ - groupattr="cn" \ - groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \ - groupdn="ou=GROUPES_LOCAUX,dc=local,dc=isima,dc=fr" \ - binddn="cn=vault,ou=Comptes de Services,dc=local,dc=isima,dc=fr" \ - bindpass="secret" \ - insecure_tls="false" \ - starttls="true" +$ vault login -method=ldap username=mazenovi ``` -[<i class="fa fa-book" aria-hidden="true"></i> LDAP Auth Method](https://www.vaultproject.io/docs/auth/ldap.html) +stocke le token dans `~/.vault-token` et `$VAULT_TOKEN` -## Policy - -/etc/vault/users/cri.hcl +## Policy (ACL) ``` -# Write and manage secrets in key-value secret engine path "cri/*" { - capabilities = ["create", "read", "update", "delete", "list", "sudo"] -} - -# To enable secret engines -path "sys/mounts/*" { - capabilities = [ "create", "read", "update", "delete" ] -} - -path "cubbyhole/*" { capabilities = ["create", "read", "update", "delete", "list"] } - ``` +écriture + ```shell -$ vault policy write cri /etc/vault/cri.hcl +$ vault policy write cri `/etc/vault/cri.hcl` ``` +application à un groupe ldap +```shell +$ vault write auth/ldap/groups/cri policies=cri +``` -## appliquer une policy à un groupe ldap +création de token à partir de la policy ```shell -$ vault write auth/ldap/groups/cri policies=cri +$ vault token create -policy=cri ``` -## Utilisation +## [<i class="fa fa-book" aria-hidden="true"></i> Secrets 
engines](https://www.vaultproject.io/docs/secrets/) -* via la ligne de commande - * [binaire à télécharger](https://releases.hashicorp.com/vault/) - * cross plateform - * deux variables d'environnement - * $VAULT_ADDR=https://vault.isima.fr - * $VAULT_TOKEN ou authentification ldap -* via l'[<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview) + -## Workflow +## workflow ```shell $ vault secrets list $ vault kv list cri/ -$ vault kv get cri/services/vault/tokens -$ vault kv get cri/services/vault/tokens # à chaque put on écrase les entrées qu'on ne réécrit pas -$ vault kv get -format=json cri/services/vault/tokens -$ vault kv get -format=json cri/services/vault/tokens | jq .data -$ vault kv get -format=json cri/services/vault/tokens | jq .data.data.root -$ vault kv put cri/test password2=$(date | sha256sum | cut -c -50) -$ vault kv patch cri/test password1=$(date | sha256sum | cut -c -50) +$ vault kv get cri/test +$ vault kv get -format=json cri/test +$ vault kv get -format=json cri/test | jq .data +$ vault kv get -format=json cri/test | jq .data.data.root +$ vault kv put cri/test password2=$(date | sha256sum) +$ vault kv patch cri/test password1=$(date | sha256sum) $ vault delete cri/test ``` -## création de token - -my.hcl - -``` -path "secret/data/cri/apps/my" { - capabilities = ["create", "read", "update", "delete", "list"] -} -``` - -```shell -$ vault policy write vault/hcl/apps/my.hcl -$ vault token create -policy=my -``` - - -## vault/ci/cd - -### en local - -authentification ldap - -### <i class="fa fa-gitlab" aria-hidden="true"></i> CI / CD - - - - -## bin/setup - -```bash -command -v "vault" >/dev/null 2>&1 || { - echo >&2 "I require vault to run see stack" - exit 1 -} -if [[ -z "${VAULT_ADDR}" ]] ; then - export VAULT_ADDR=https://vault.isima.fr -fi -if [[ -z "${VAULT_TOKEN}" ]] ; then - if [[ -z "${VAULT_USERNAME}" ]] ; then - echo uca username - read username - export VAULT_USERNAME=${username} - fi - vault login 
-method=ldap username=$VAULT_USERNAME > /dev/null - echo " export VAULT_TOKEN=$(cat ~/.vault-token)" -else - vault login token=${VAULT_TOKEN} > /dev/null -fi -``` -<!-- .element style="width: 100%;" --> - - -## bin/configure - -```bash -# lecture des clés vault avec python: la sortie est une liste python UTF8 (u'value') -KV=$(vault read cri/my -format=json | python -c "import sys, json; print json.load(sys.stdin)['data'].keys()") -# converison de la liste python en liste bash -VAULT_KEYS=( $(echo ${KV} | sed -r "s/', u'/' '/g" | sed -r "s/\[u'/'/g" | sed -r "s/\]//g") ) -# copie du template de configuration en fichier de configuration -cp config.sample.py config.py -# itération sur les clés vault -for i in "${VAULT_KEYS[@]}" -do - # enlève le permier ' - i=${i%\'} - # enlève le dernier ' - i=${i#\'} - sed -i "s|$i|$(vault read cri/my -format=json | jq -r .data.$i | sed -r "s/\n//g")|g" config.py 2>/dev/null -done -``` -<!-- .element style="width: 100%;" --> - - ## avec ansible * lookup natif [hashi_vault](https://docs.ansible.com/ansible/latest/plugins/lookup/hashi_vault.html) * lecture uniquement * pas de support natif pour kv2 à ce jour - * [patch maison](https://gitlab.isima.fr/cri/stack/blob/master/ansible/plugins/module_utils/vault.py) + * module "community" [hashivault](https://github.com/TerryHowe/ansible-modules-hashivault) * Reading and Writing * supporte kv2 * Initialization, Seal, and Unseal * Policy * User Management - * ... \ No newline at end of file + + +## UI + + + + +<!-- .element width="80%" --> diff --git a/content/slides/index.html b/content/slides/index.html index de713f2..44f3983 100644 --- a/content/slides/index.html +++ b/content/slides/index.html 
@@ -90,6 +90,7 @@ <li><a href="cri/vagrant.html">vagrant</a></li> <li><a href="cri/ansible.html">ansible</a></li> <li><a href="cri/vault.html">vault</a></li> + <li><a href="cri/ansible-role.html">ansible role</a></li> <li><a href="cri/pve.html">pve</a></li> <li><a href="cri/terraform.html">terraform</a></li> <li><a href="cri/stack.html">stack</a></li> diff --git a/content/slides/privacy/md/vault.md b/content/slides/privacy/md/vault.md index dfbf545..f8115f0 100644 --- a/content/slides/privacy/md/vault.md +++ b/content/slides/privacy/md/vault.md @@ -166,6 +166,4 @@ $ vault delete cri/test  -## Merci !! - <!-- .element width="80%" --> -- GitLab
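Review bot: in the first `content/slides/cri/md/vault.md` hunk, the new shell example `$ export $VAULT_ADDR=https://10.0.0.1` does not set anything: the leading `$` makes the shell expand `$VAULT_ADDR` (empty in a fresh shell) before `export` runs, so the line should read `export VAULT_ADDR=https://10.0.0.1`, as the removed `Initialisation` slide had it. The same hunk also drops the `setcap CAP_IPC_LOCK=+ep /usr/local/bin/vault` line and the systemd unit without pointing to where the server-side install is now covered; since the server needs that capability to mlock its memory (or `disable_mlock` in the config), it is worth keeping a one-line reference so the "Un binaire vault qui fait serveur" slide does not suggest the bare binary is enough.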
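Review bot: in the `Authentification` / `Policy (ACL)` hunk of `content/slides/cri/md/vault.md`, `$ export VAULT_TOKEN token=<root-or-app-token>` is not equivalent to `vault login token=...`; it exports the existing `VAULT_TOKEN` plus a second name containing `=`, which is invalid, so it should be `export VAULT_TOKEN=<root-or-app-token>`. The claim that `vault login -method=ldap` stores the token in `~/.vault-token` et `$VAULT_TOKEN` is half right: the CLI writes `~/.vault-token`, but a child process cannot set a variable in the parent shell, which is exactly why the removed `bin/setup` script printed `export VAULT_TOKEN=$(cat ~/.vault-token)` for the user to run. Finally, in `$ vault policy write cri `/etc/vault/cri.hcl`` the backticks are command substitution: the shell would try to execute the HCL file and pass its output as the path; use the plain path `/etc/vault/cri.hcl`.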
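Review bot: in the `workflow` hunk of `content/slides/cri/md/vault.md`, `jq .data.data.root` now runs against `cri/test`, which only holds `password1`/`password2`, so it prints `null`; the `root` key belonged to the removed `cri/services/vault/tokens` example. Two more points in the same block: `$(date | sha256sum)` includes the trailing `  -` filename marker, so the stored passwords end with two spaces and a dash (the removed `cut -c -50` hid this; `cut -d' ' -f1` is the clean fix), and `vault delete cri/test` on a KV v2 mount (which `.data.data` and `vault kv patch` both imply) addresses the raw path rather than `cri/data/test`, so `vault kv delete cri/test` is the command to show. Since the `KV2` slide with `vault kv enable-versioning cri/` was deleted in the earlier hunk, the versioning setup that makes `kv patch` work is no longer shown anywhere in the deck.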
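Review bot: in the new `content/slides/cri/md/ansible-role.md`, two typos on the `boilerplate` and `TODO` slides: `dervaient` should be `devraient` and `pacakger` should be `packager`. The `Directory Layout` block is copied verbatim from the Ansible docs, so the `ntp.conf.j2` / `bar.txt` / `foo.sh` placeholders should either be replaced by the boilerplate's real files or the slide should say it is the generic layout; the `TODO` slide also ends without a trailing newline.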
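Review bot: in the `content/slides/cri/md/stack.md` hunk, the comment on `roles/` (`empty folder remotes roles only` / `inherited from ansible-boiler-plate`) is unclear: if the directory is populated from remote roles at deploy time, say how (for example a requirements file consumed by `ansible-galaxy`), otherwise a reader will expect roles checked in there. The `inventory.ini # inventory file for staging environment` comment is also copied from the docs but the layout shows a single inventory, so either drop "staging" or show the per-environment inventories. The removed `requirement` slide (proxmox, ansible, terraform) is not replaced; the new `soyons honnête!` slide only names the Telmate provider and HashiCorp products, so the prerequisites list is lost from the deck.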