Bryan Krausen
Joined 13 Oct 2010
Embracing External Plugins for HashiCorp Packer
Hi. @HashiCorp has made a welcome change to the Packer workflow. Packer 1.10+ no longer bundles all the plugins with Packer Core. Instead, you must include the `required_plugins` block and run a `packer init` command to download the plugins that you need.
If you're learning about Packer and need more information, make sure to check out my full Packer online training course at btk.me/p. Coupons are always out on btk.me/btk.
Views: 296
Videos
HashiCorp Nomad - How to Bootstrap and Configure the ACL System
244 views, 6 months ago
This video is taken from my HashiCorp Nomad Fundamentals: The Ultimate Beginner's Guide course. You can find links and coupons at btk.me/btk. This demonstration showcases how to secure your Nomad cluster using the built-in ACL system to create policies and tokens.
Amazon S3 - Static Website Hosting with Custom Domain and TLS
18K views, 10 months ago
The course can be found here - www.udemy.com/course/amazon-s3-deep-dive/?referralCode=67EE4691D3E31B616CFC Coupons always available at btk.me/btk In this demonstration using the AWS Management Console (UI), I'll showcase how to create a bucket, upload your static content, and enable static website hosting. Then, we'll add a custom domain to access your website, along with using CloudFront and T...
Migrate HashiCorp Vault Seal to AWS KMS
1.2K views, a year ago
Looking for more training like this for you or your organization? Check out my courses at btk.me/btk In this video, I'll show how you can migrate HashiCorp Vault from the default seal type of shamir (using unseal keys) to using AWS KMS to enable auto unseal configurations. Check out my GitHub repo for configuration files and permissions needed for this: github.com/btkrausen/hashicorp
Rotating the Gossip Encryption Key in HashiCorp Nomad
176 views, a year ago
This video is taken from my HashiCorp Nomad Fundamentals: The Ultimate Beginner's Guide course. You can find links and coupons at btk.me/btk. This demonstration showcases how to rotate your gossip encryption key. This is more of a Day 2 operations task in Nomad where your organization might require you to rotate encryption keys once a year or so.
Securing HashiCorp Nomad with TLS
444 views, a year ago
This video is taken from my HashiCorp Nomad Fundamentals: The Ultimate Beginner's Guide course. You can find links and coupons at btk.me/btk. This demonstration showcases how to secure your Nomad cluster using TLS certificates. In the demo, the certs were minted from a HashiCorp Vault cluster running the PKI secrets engine.
HashiCorp Vault - Dynamic Database Credentials
2.4K views, a year ago
This video is taken from my HashiCorp Vault: Operations Professional course. You can find links and coupons at btk.me/btk. This demonstration showcases how to generate dynamic credentials against a database. This strategy would replace providing your applications with long-lived static credentials.
Promoting a HashiCorp Vault DR Cluster to a Primary
210 views, a year ago
This video is taken from my HashiCorp Vault: Operations Professional course. You can find links and coupons at btk.me/btk. This demonstration showcases how to use keys to create a DR operations token and promote a secondary cluster to a primary. This is helpful for Enterprise customers in the event that the primary cluster has become unavailable.
Top 3 Things I Wish I Knew About HashiCorp Nomad
1.6K views, a year ago
In this video, I'll quickly explain the top three things I wish I had known about HashiCorp Nomad before I started to learn it. For more information about Nomad, check out my course at btk.me/n
Generating a Root Token on HashiCorp Vault using
709 views, a year ago
In this video, I'll demonstrate how to generate a root token on HashiCorp Vault using our recovery keys. For more information about HashiCorp Vault or other tools, check out a list of my courses and coupons at: btk.me/btk
Using the HashiCorp Vault API Explorer
1.6K views, a year ago
Thanks to @DevOpsRob for turning me onto this "hidden" feature about 4 years ago. I don't use it often, but it's a nice feature to know about. Check out my courses and coupons at btk.me/btk
HashiCorp Vault - Okta Integration
1.6K views, a year ago
This demo is from my Getting Started with HashiCorp Vault course and demonstrates how to use Okta to authenticate to Vault. And don't worry, the API token in this video is LONG gone :) Check out my courses and coupons at btk.me/btk
Secure HashiCorp Vault Initialization
728 views, 2 years ago
This demo is from my Vault Operators Professional course available on Udemy and KodeKloud. Links and coupons can be found at github.com/btkrausen/hashicorp
HashiCorp Consul on HashiCorp Cloud Platform (HCP)
166 views, 3 years ago
HashiCorp Vault - Integrated Storage Auto Snapshot Demo
1.1K views, 3 years ago
HashiCorp Vault - Configuring Performance Replication
633 views, 3 years ago
The real question is how to enable an OIDC connection with it so you can log in without email and password, just by clicking a button... there's no info on it at all.
Thank you, this video was helpful. For me, I'm using Cloudflare for domains, so I had to copy the NS records from Route 53 > Hosted Zones and add them to Cloudflare under DNS for the domain, and change the SSL/TLS settings from Full to Flexible (not sure why it was not working for Full). One more thing: the bucket name has to be the same as the domain name. Search the Amazon docs for "I can't route traffic to an Amazon S3 bucket that's configured for website hosting". Good luck.
Thanks bro🤟🤟🤟🤟
Thanks. Can you suggest, if we lost the master keys but have unsealed our vault, whether there is any way to regenerate the master keys without data disruption? Also, you performed the generation on an empty vault, so if we generate it where we might have a lot of data, is there any issue?
Great video. Helps a lot when you are starting from scratch.
Thank you for the video, saved me a bunch of time!
I'm not able to create a CNAME. It gives me an error about the DNS apex. Any help is appreciated!
Were you able to figure this out?
Nice video. 3 questions: 1) What IP do I use if I want to use my main domain, not the subdomain? 2) What if you click other links and pages, will it still show the domain name? 3) The S3 bucket name, does it have to be the exact domain name? I have an existing bucket; do I need to create a new one with the exact name?
Thanks for the video, very good video. Can you advise on the below: can we use the same scenario for production applications which require an RDS database? If yes, then after or before the credential expires, will the application retrieve new credentials to keep continuous connectivity with the database without any downtime?
Awesome content! Helped me a lot. Thank you~
What's the cost for hosting from Amazon?
Following
100% depends on how much storage you consume on S3 and how many API requests are made. You'll also encounter costs if you host your DNS on Route53 as well. All in all, you're probably looking at an average of $5/month or less.
Thank you Bryan. You helped me a lot with this video.
Very welcome
I get this error while trying to access my hosted site "Forbidden You don't have permission to access this resource. Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request." Please do you know what causes it and how it can be fixed?
You probably need to check the bucket policy and ensure it allows proper permissions for public access. Check the one that is shown in the video and ensure it matches yours exactly.
Good tutorial until 7:30 - bro immediately assumed we had a hosted zone. Haven't even touched R53, since this is for other people that know how to do this.
Yep, there are some assumptions in this video. It wasn't intended to teach all the AWS services and how to get started with them, only how to integrate them.
How to verify AWS Account. It is preventing me from creating a cloud front
Dude, you're a god.
Here is the bucket policy so you don't have to manually type it in:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::Bucket-Name/*"
      ]
    }
  ]
}
I also keep it here: github.com/btkrausen/aws/tree/master/AmazonS3
Wow, spread based scheduling. I didn't know it was possible
Yeah, it is easy to set it at the cluster level in the server config file, so it's the default scheduling algorithm. Alternatively, you can keep the default of bin packing and set individual jobs to spread if you need high availability.
Great tutorial! What happened when kms key expired? Do you have to update vault config periodically?
KMS keys in AWS don't expire....unless you schedule it for deletion. But...don't do that, haha. It's the equivalent of encrypting data with a PGP key and then losing the private key - you can't decrypt the data. For Vault, this means you will NOT be able to unseal Vault if the service gets restarted, and you should export/migrate data to a new cluster immediately.
Great video, thanks!
You bet! Thanks for checking it out
Hi! How do I configure the settings properly if I want access only through CloudFront? I don't want the site to be accessible through the HTTP link of the S3 bucket.
Then you can restrict access to an Amazon S3 origin with Origin Access Control (OAC).
It was working on HTTP; HTTPS is not working. I am using external DNS. Help me please.
Good tut. Is this setup possible if AWS Route 53 is not the one managing the domain i.e. NameServer? Thanks
Yep. Just replace the Route53 part with updating the records in whatever system is managing your DNS.
The CNAME setup you do at 08:00 won't work with a root domain.
Did you find a solution for this?
@StoiccGaming There's no solution, CNAMEs have never worked for root domains, it's one of the rules of DNS.
@StoiccGaming Yes, you need to have buckets named the same as your domain and then create an alias in Route 53.
A very detailed video, thanks a lot!
Thank you!
Followed the exact steps before the TLS, but it's showing "DNS address could not be found" for my subdomain...
Did you update your domain to use the Route53 servers? I didn't include that but it should be completed before you can use Route53 for DNS on your custom domain
That was well explained, Thanks a lot
Much appreciated!!!
wow, after 5hrs of trying to setup all of these, you helped me out in the end. Tysm!
Glad I could help! Thanks for watching!
I have launched the website, but it shows "Dangerous site". Please explain the problem.
It's likely an issue with the certificate that you used to secure the site. Make sure it matches the name exactly how you are typing it in your browser.
Creating hosted zones is chargeable even in the AWS free tier.
Correct. It's not much but they do charge for a public hosted zone, unfortunately.
This was incredible. I don't know how many hours, even days, this saved me. Thank you!
Glad it helped! Much appreciated!!!
Thank you for this video! Clear and concise.
Glad you enjoyed it!
I can't believe you've only gotten 11 likes. This is the only good documentation on how to do this that I've found out in the world. 1,000 thank yous.
Super happy it helped you!!! Thanks for the comment!
if you have a raft cluster, you need to do this "unseal -migrate" on followers, but do a "vault operator step-down" on the leader.
Right, each node needs to be migrated separately. You shouldn't have to do a "vault operator step-down" since the first node should automatically become the cluster leader.
We normally use a parent token to issue these creds under an authenticated backend. My lease period for that parent token is lower than the one that I was using for the actual creds store. The problem that I'm facing, as you can imagine, is that this token gets revoked before the actual lease period expires, and I'm using the lease period of the child token to renew the DB creds. What do you suggest to address this very common use case? It will be k8s authentication (short-lived token) -> database/creds/role (longer TTL).
This is really useful! thanks a lot! keep it up!
You're welcome!
This is really useful! thanks a lot! keep it up!
Glad it was helpful!
Amazing... You help save a significant amount of time. :D
Glad to hear that!
Thanks, we are in the exact same situation. We just moved from on-prem to EKS, and we thought of using auto-unseal. Q: Do we have any Kubernetes Vault operator that does the migration?
I don't think the Vault Operator will help with migration in this case.
Thanks for the explanation!
Glad it was helpful!
At 4:41, I have created a Vault instance in AWS, and also created an RDS database (PostgreSQL) in AWS. I followed the same steps but unfortunately am unable to connect to the database. Could you please let me know how to enable the ports to connect Vault to AWS RDS (PostgreSQL)? I created both the Vault and AWS RDS instances in the same region.
RDS should have the default PostgreSQL ports available. Make sure your security groups permit the connectivity and routing is configured between Vault and RDS.
It would be nice to do the rotation automatically using Vault... Only wondering which ACL I need to list, add, remove and delete keys to generate a token for consul-template, but couldn't find any docs.
If ACLs are enabled, this command requires a token with the agent:write capability.
Vault doesn't support Gossip keys, unfortunately. You could probably use Vault to create a key and store it in the KV, but you'd still need some orchestrator to handle the rotation.
Lets gooo!!!!
Amazing explanation. Thanks a lot for sharing.
Glad it was helpful!
awesome, thank you!
You bet! Glad it was useful!!
Haha, still one of my favourite hidden features of Vault. It's great for developer experience.
thank you! very helpful