-
Notifications
You must be signed in to change notification settings - Fork 103
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'alonitac:main' into Networking-nishant
- Loading branch information
Showing
55 changed files
with
1,642 additions
and
513 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
pipeline { | ||
agent any | ||
|
||
environment { | ||
PATH = "/var/lib/jenkins/.local/bin:${env.PATH}" | ||
ANSIBLE_HOST_KEY_CHECKING = 'False' | ||
} | ||
|
||
parameters { | ||
string(name: 'serverGroup', defaultValue: 'all') | ||
choice(name: 'region', choices: ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'eu-central-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'eu-north-1']) | ||
} | ||
|
||
stages { | ||
stage("Init") { | ||
steps { | ||
sh 'python3 -m pip install ansible' | ||
sh 'ansible-galaxy collection install community.general' | ||
} | ||
} | ||
|
||
stage("Generate Inventory") { | ||
steps { | ||
sh 'aws ec2 describe-instances --region ${region} --filters "Name=tag:serverGroup,Values=${serverGroup}" --query "Reservations[].Instances[]" > hosts.json' | ||
sh 'python3 ansible_inv_gen.py' | ||
} | ||
} | ||
|
||
stage('Check') { | ||
steps { | ||
sh '' | ||
} | ||
} | ||
|
||
stage('Play') { | ||
steps { | ||
withCredentials([sshUserPrivateKey(credentialsId: '<ssh-credentials-id>', usernameVariable: 'ssh_user', keyFileVariable: 'privatekey')]) { | ||
sh ''' | ||
ansible-playbook site.yaml --extra-vars "hosts=${serverGroup}" --user=${ssh_user} -i hosts --private-key ${privatekey} | ||
''' | ||
} | ||
} | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
[webserver] | ||
web1 ansible_host=13.51.201.17 ansible_user=ec2-user ansible_port=23 | ||
web2 ansible_host=16.171.29.176 ansible_user=ec2-user ansible_port=23 |
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
-a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid>=500 -F auid!=-1 -F dir=/root/ -F key=touching_root | ||
-a always,exit -F arch=b64 -F euid=0 -S execve -F key=using_sudo |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,146 @@ | ||
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ | ||
|
||
# This is the sshd server system-wide configuration file. See | ||
# sshd_config(5) for more information. | ||
|
||
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin | ||
|
||
# The strategy used for options in the default sshd_config shipped with | ||
# OpenSSH is to specify options with their default value where | ||
# possible, but leave them commented. Uncommented options override the | ||
# default value. | ||
|
||
# If you want to change the port on a SELinux system, you have to tell | ||
# SELinux about this change. | ||
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER | ||
# | ||
Port {{ sshd_port }} | ||
#AddressFamily any | ||
#ListenAddress 0.0.0.0 | ||
#ListenAddress :: | ||
|
||
HostKey /etc/ssh/ssh_host_rsa_key | ||
#HostKey /etc/ssh/ssh_host_dsa_key | ||
HostKey /etc/ssh/ssh_host_ecdsa_key | ||
HostKey /etc/ssh/ssh_host_ed25519_key | ||
|
||
# Ciphers and keying | ||
#RekeyLimit default none | ||
|
||
# Logging | ||
#SyslogFacility AUTH | ||
SyslogFacility AUTHPRIV | ||
#LogLevel INFO | ||
|
||
# Authentication: | ||
|
||
#LoginGraceTime 2m | ||
PermitRootLogin {{ permit_root_login }} | ||
#StrictModes yes | ||
MaxAuthTries {{ max_auth_tries }} | ||
#MaxSessions 10 | ||
|
||
#PubkeyAuthentication yes | ||
|
||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 | ||
# but this is overridden so installations will only check .ssh/authorized_keys | ||
AuthorizedKeysFile .ssh/authorized_keys | ||
|
||
#AuthorizedPrincipalsFile none | ||
|
||
|
||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | ||
#HostbasedAuthentication no | ||
# Change to yes if you don't trust ~/.ssh/known_hosts for | ||
# HostbasedAuthentication | ||
#IgnoreUserKnownHosts no | ||
# Don't read the user's ~/.rhosts and ~/.shosts files | ||
#IgnoreRhosts yes | ||
|
||
# To disable tunneled clear text passwords, change to no here! | ||
PermitEmptyPasswords {{ empty_pass }} | ||
PasswordAuthentication {{ pass_auth }} | ||
|
||
# Change to no to disable s/key passwords | ||
#ChallengeResponseAuthentication yes | ||
ChallengeResponseAuthentication no | ||
|
||
# Kerberos options | ||
KerberosAuthentication no | ||
|
||
#KerberosOrLocalPasswd yes | ||
#KerberosTicketCleanup yes | ||
#KerberosGetAFSToken no | ||
#KerberosUseKuserok yes | ||
|
||
# GSSAPI options | ||
GSSAPIAuthentication yes | ||
GSSAPICleanupCredentials no | ||
#GSSAPIStrictAcceptorCheck yes | ||
#GSSAPIKeyExchange no | ||
#GSSAPIEnablek5users no | ||
|
||
# Set this to 'yes' to enable PAM authentication, account processing, | ||
# and session processing. If this is enabled, PAM authentication will | ||
# be allowed through the ChallengeResponseAuthentication and | ||
# PasswordAuthentication. Depending on your PAM configuration, | ||
# PAM authentication via ChallengeResponseAuthentication may bypass | ||
# the setting of "PermitRootLogin without-password". | ||
# If you just want the PAM account and session checks to run without | ||
# PAM authentication, then enable this but set PasswordAuthentication | ||
# and ChallengeResponseAuthentication to 'no'. | ||
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several | ||
# problems. | ||
UsePAM yes | ||
|
||
AllowAgentForwarding {{ agent_fwd }} | ||
AllowTcpForwarding {{ tcp_fwd }} | ||
#GatewayPorts no | ||
|
||
X11Forwarding {{ x11_fwd }} | ||
|
||
#X11DisplayOffset 10 | ||
#X11UseLocalhost yes | ||
#PermitTTY yes | ||
#PrintMotd yes | ||
#PrintLastLog yes | ||
#TCPKeepAlive yes | ||
#UseLogin no | ||
#UsePrivilegeSeparation sandbox | ||
|
||
PermitUserEnvironment {{ user_envs }} | ||
|
||
#Compression delayed | ||
#ClientAliveInterval 0 | ||
#ClientAliveCountMax 3 | ||
#ShowPatchLevel no | ||
#UseDNS yes | ||
#PidFile /var/run/sshd.pid | ||
#MaxStartups 10:30:100 | ||
|
||
PermitTunnel {{ permit_tunnel }} | ||
|
||
#ChrootDirectory none | ||
#VersionAddendum none | ||
|
||
# no default banner path | ||
#Banner none | ||
|
||
# Accept locale-related environment variables | ||
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | ||
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | ||
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE | ||
AcceptEnv XMODIFIERS | ||
|
||
# override default of no subsystems | ||
Subsystem sftp /usr/libexec/openssh/sftp-server | ||
|
||
# Example of overriding settings on a per-user basis | ||
#Match User anoncvs | ||
# X11Forwarding no | ||
# AllowTcpForwarding no | ||
# PermitTTY no | ||
# ForceCommand cvs server | ||
|
||
AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f | ||
AuthorizedKeysCommandUser ec2-instance-connect |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
sshd_port: 22 | ||
permit_root_login: 'no' | ||
max_auth_tries: '3' | ||
empty_pass: 'no' | ||
pass_auth: 'no' | ||
agent_fwd: 'no' | ||
tcp_fwd: 'no' | ||
x11_fwd: 'no' | ||
user_envs: 'no' | ||
permit_tunnel: 'no' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
# Final Project Extension Ideas | ||
|
||
### DevSecOps | ||
|
||
Embed DevSecOps tool to the CI/CD pipeline: | ||
|
||
- [safety](https://pyup.io/safety/) to scan vulnerabilities in Python packages. | ||
- [Bandit](https://bandit.readthedocs.io/en/latest/) to find security issues in your Python code. | ||
- [Pre-commit](https://pre-commit.com/) to enforce some policy before committing a new code. | ||
- [Black](https://github.com/psf/black) as a linting tool. | ||
- [Chef InSpec](https://docs.chef.io/inspec/) to apply security and compliance policies. | ||
|
||
|
||
### Jenkins | ||
|
||
- Implement load testing in the PR testing pipeline. | ||
- Create a [Jenkins shared library](https://www.jenkins.io/blog/2017/02/15/declarative-notifications/#moving-notifications-to-shared-library). | ||
- Send email notifications to users | ||
|
||
### AWS | ||
|
||
- Protect your service using [WAF](https://aws.amazon.com/waf/) or [Shield](https://aws.amazon.com/shield/). | ||
- Any other shiny service that interesting you... | ||
|
||
### K8S | ||
|
||
- Deploy some interesting Helm Chart in the cluster (Jenkins, etc...). | ||
- Write your app YAMLs as Helm Chart. | ||
- Run some [CronJob](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/) in the cluster. | ||
- Use [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) to deploy your app. | ||
- Implement some interesting [ArgoWF](https://argoproj.github.io/argo-workflows/). | ||
- Experimenting with [Calico](https://projectcalico.docs.tigera.io/about/about-calico) to implement network security in the cluster. | ||
- Experimenting with [Istio](https://istio.io/) to implement a service mesh. | ||
- Expose your app through a secured HTTPS. | ||
- Implement Pod identity in EKS instead using the EC2 IAM role. | ||
|
||
### Terraform | ||
|
||
- Provision the app infrastructure as a code. | ||
- Built a dedicated "IaaC" pipeline in Jenkins | ||
|
||
### Ansible | ||
|
||
- Use some [devsec.hardening Ansible](https://github.com/dev-sec/ansible-collection-hardening) collection to harden the system | ||
|
||
### Monitoring | ||
|
||
- Deploy [Prometheus](https://prometheus.io/) in K8S. | ||
- Enable backup/restore to from [ElasticSearch to S3](https://www.elastic.co/guide/en/elasticsearch/reference/current/snapshot-restore.html). | ||
- Build some Kibana dashboard | ||
- Improve the logs stream from the k8s cluster to Elasticsearch | ||
- Create some [alerts in Grafana](https://grafana.com/docs/grafana/latest/alerting/) (e.g. high CPU rate, container restarts many times etc...) | ||
|
||
# DevOps Tools Bazaar | ||
|
||
- [Argo CD](https://argoproj.github.io/argo-cd/) | ||
- [Vault](https://www.vaultproject.io/docs) | ||
- [Nexus](https://help.sonatype.com/repomanager3) | ||
- [Argo Workflow](https://argoproj.github.io/argo/) | ||
- [Logstash](https://www.elastic.co/guide/en/logstash/current/index.html) | ||
- [Vagrant](https://www.vagrantup.com/docs) | ||
- [Prometheus Alertmanager](https://prometheus.io/docs/alerting/alertmanager/) | ||
- [Terraform with Azure](https://learn.hashicorp.com/collections/terraform/azure-get-started) | ||
- [Helm](https://helm.sh/docs/) | ||
- [KEDA](https://keda.sh/docs/) | ||
- [Istio](https://istio.io/latest/docs/) | ||
- [Calico](https://docs.projectcalico.org/) | ||
- [Chef](https://docs.chef.io/) | ||
- [SonarQube](https://docs.sonarqube.org/) | ||
- [Snyk](https://docs.snyk.io/) | ||
- [Karpenter](https://karpenter.sh/) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: 2048-game | ||
spec: | ||
selector: | ||
matchLabels: | ||
app: 2048-game | ||
replicas: 1 # tells deployment to run 2 pods matching the template | ||
template: | ||
metadata: | ||
labels: | ||
app: 2048-game | ||
spec: | ||
containers: | ||
- name: 2048-game | ||
image: alexwhen/docker-2048:latest | ||
ports: | ||
- containerPort: 80 | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: mygame | ||
spec: | ||
selector: | ||
app: 2048-game | ||
ports: | ||
- port: 5858 | ||
targetPort: 80 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
persistence: | ||
enabled: true | ||
size: 5Gi | ||
|
||
env: | ||
GF_DASHBOARDS_VERSIONS_TO_KEEP: '10' | ||
|
||
datasources: | ||
datasources.yaml: | ||
apiVersion: 1 | ||
datasources: | ||
- name: CloudWatch | ||
type: cloudwatch | ||
jsonData: | ||
authType: default | ||
defaultRegion: us-east-2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: simple-flask | ||
spec: | ||
selector: | ||
matchLabels: | ||
app: simple-flask | ||
replicas: 6 | ||
template: | ||
metadata: | ||
labels: | ||
app: simple-flask | ||
spec: | ||
containers: | ||
- name: simple-flask | ||
image: 854171615125.dkr.ecr.us-east-2.amazonaws.com/alonit-simple-flask:0.1 | ||
ports: | ||
- containerPort: 8080 | ||
readinessProbe: | ||
httpGet: | ||
path: /status | ||
port: 8080 | ||
initialDelaySeconds: 5 | ||
periodSeconds: 3 | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: myflask | ||
spec: | ||
selector: | ||
app: simple-flask | ||
ports: | ||
- port: 8080 | ||
targetPort: 8080 |
Oops, something went wrong.