### Example: Bootstrap Command for Cloud Installation Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/dkp/install/steps/install.md Example command to start a platform installation with cluster deployment in a cloud environment. ```shell dhctl bootstrap \ --ssh-user= --ssh-agent-private-keys=/tmp/.ssh/id_rsa \ --config=/config.yaml --config=/resources.yaml ``` -------------------------------- ### Example Installation Configuration File Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/dkp/install/steps/install.md This example demonstrates the structure and content of a typical YAML installation configuration file, including ClusterConfiguration, ModuleConfig, AzureClusterConfiguration, and other module-specific configurations. ```yaml apiVersion: deckhouse.io/v1 kind: ClusterConfiguration clusterType: Cloud cloud: provider: Azure prefix: cloud-demo podSubnetCIDR: 10.111.0.0/16 serviceSubnetCIDR: 10.222.0.0/16 kubernetesVersion: "Automatic" clusterDomain: cluster.local --- apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: deckhouse spec: enabled: true settings: releaseChannel: Stable bundle: Default logLevel: Info version: 1 --- apiVersion: deckhouse.io/v1 kind: AzureClusterConfiguration layout: Standard sshPublicKey: vNetCIDR: 10.241.0.0/16 subnetCIDR: 10.241.0.0/24 masterNodeGroup: replicas: 3 instanceClass: machineSize: Standard_D4ds_v4 urn: Canonical:UbuntuServer:18.04-LTS:18.04.202010140 enableExternalIP: true provider: subscriptionId: clientId: clientSecret: tenantId: location: westeurope --- apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: cni-flannel spec: enabled: true --- apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: global spec: enabled: true settings: modules: publicDomainTemplate: "%s.k8s.example.com" version: 1 --- apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: node-manager spec: version: 1 enabled: true settings: allowedBundles: ["ubuntu-lts"] --- apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: prometheus spec: version: 2 enabled: true # Specify if using dedicated monitoring nodes. # settings: # nodeSelector: # node.deckhouse.io/group: monitoring ``` -------------------------------- ### Example: Running Installer for CE Edition Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/dkp/install/steps/install.md Example command to run the installer container for the Community Edition (CE) with specific volume mounts. ```shell docker run -it --pull=always \ -v "$PWD/config.yaml:/config.yaml" \ -v "$PWD/resources.yaml:/resources.yaml" \ -v "$PWD/dhctl-tmp:/tmp/dhctl" \ -v "$HOME/.ssh/:/tmp/.ssh/" registry.deckhouse.io/deckhouse/ce/install:stable bash ``` -------------------------------- ### Example of a Script Displaying the Load Balancer's IP Address... Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/dkp/install/steps/install.md Example of a script that displays the load balancer's IP address after the cluster deployment in the cloud and the platform installation: ```shell #!/usr/bin/env bash set -e set -o pipefail INGRESS_NAME="nginx" echo_err() { echo "$@" 1>&2; } # declare the variable lb_ip="" # get the load balancer IP for i in {0..100} do if lb_ip="$(d8 k -n d8-ingress-nginx get svc "${INGRESS_NAME}-load-balancer" -o jsonpath='{.status.loadBalancer.ingress[0].ip}')"; then if [ -n "$lb_ip" ]; then break fi fi lb_ip="" sleep 5 done if [ -n "$lb_ip" ]; then echo_err "The load balancer external IP: $lb_ip" else echo_err "Could not get the external IP of the load balancer" exit 1 fi outContent="{"frontend_ips":[\"$lb_ip\"]}" if [ -z "$OUTPUT" ]; then echo_err "The OUTPUT env is empty. The result was not saved to the output file." else echo "$outContent" > "$OUTPUT" fi ``` -------------------------------- ### Example of running the installer container for CE edition Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/dkp/removing.md Example command for running the installer container for the Community Edition. ```shell docker run -it --pull=always \ -v "$PWD/dhctl-tmp:/tmp/dhctl" \ -v "$HOME/.ssh/:/tmp/.ssh/" registry.deckhouse.io/deckhouse/ce/install:stable bash ``` -------------------------------- ### Example Installation Resources File Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/dkp/install/steps/install.md An optional YAML file of installation resources contains Kubernetes resource manifests that the installer will apply after the successful installation of the platform. This file can be useful for additional configuration of the cluster post-installation. ```yaml --- apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: global spec: version: 1apiVersion: deckhouse.io/v1 kind: IngressNginxController metadata: name: main spec: ingressClass: "nginx" controllerVersion: "1.1" inlet: "LoadBalancer" nodeSelector: node.deckhouse.io/group: worker --- apiVersion: deckhouse.io/v1 kind: ClusterAuthorizationRule metadata: name: admin spec: subjects: - kind: User name: admin@deckhouse.io accessLevel: SuperAdmin portForwarding: true --- apiVersion: deckhouse.io/v1 kind: User metadata: name: admin spec: email: admin@deckhouse.io password: '$2a$10$isZrV6uzS6F7eGfaNB1EteLTWky7qxJZfbogRs1egWEPuT1XaOGg2' --- apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: deckhouse-admin spec: enabled: true settings: modules: publicDomainTemplate: "%s.example.com" https: certManager: clusterIssuerName: selfsigned mode: CertManager --- apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: user-authn spec: version: 2 enabled: true settings: controlPlaneConfigurator: dexCAMode: FromIngressSecret --- apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: stronghold spec: enabled: true version: 1 settings: management: mode: Automatic administrators: - type: Group name: admins --- apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: secrets-store-integration spec: enabled: true version: 1 --- apiVersion: deckhouse.io/v1 kind: IngressNginxController metadata: name: main spec: inlet: HostPort enableIstioSidecar: true ingressClass: nginx hostPort: httpPort: 80 httpsPort: 443 nodeSelector: node-role.kubernetes.io/master: '' tolerations: - effect: NoSchedule operator: Exists --- apiVersion: deckhouse.io/v1 kind: ClusterAuthorizationRule metadata: name: admin spec: subjects: - kind: User name: admin@deckhouse.io accessLevel: SuperAdmin portForwarding: true --- apiVersion: deckhouse.io/v1 kind: User metadata: name: admin spec: email: admin@deckhouse.io password: '$2a$10$isZrV6uzS6F7eGfaNB1EteLTWky7qxJZfbogRs1egWEPuT1XaOGg2' --- apiVersion: deckhouse.io/v1alpha1 kind: Group metadata: name: admins spec: name: admins members: - kind: User name: admin ``` -------------------------------- ### Example usage Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/admin/backups/inspect.md An example of the basic usage command. ```shell stronghold operator raft snapshot inspect raft.snap ``` -------------------------------- ### Bootstrap Command for Platform Installation Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/dkp/install/steps/install.md Command to initiate platform installation with cluster deployment. ```shell dhctl bootstrap ``` -------------------------------- ### Storage Section - Generic Example Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/standalone/configuration.md A generic example of how to configure a storage backend in Stronghold. ```hcl storage [NAME] { [PARAMETERS...] } ``` -------------------------------- ### Token Creation Example Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/concepts/policy.md Example of creating a token with specific policies using the Stronghold CLI. ```shell d8 stronghold token create -policy=dev-readonly -policy=logs ``` -------------------------------- ### Start Stronghold Service Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/standalone/installation.md Initiates the Stronghold service on the server. Ensure the service is enabled to start on boot. ```shell systemctl start stronghold ``` -------------------------------- ### Globbing example Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/concepts/policy.md This example only allows a parameter named "bar" with a value starting with "foo-*". ```hcl path "secret/foo" { capabilities = ["create"] allowed_parameters = { "bar" = ["foo-*"] } } ``` -------------------------------- ### Path Matching Example Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/concepts/policy.md Example demonstrating path-based matching for exact paths and glob patterns. ```json # Permit reading only "secret/foo". # An attached token cannot read "secret/food" or "secret/foo/bar". path "secret/foo" { capabilities = ["read"] } # Permit reading everything under "secret/bar". ``` -------------------------------- ### Example: Enabling the 'mykv' secret plugin Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/admin/plugins/dkp.md Specific example of enabling the 'mykv' secret plugin at the 'test-kv' mount path. ```bash d8 stronghold secrets enable -path test-kv mykv ``` -------------------------------- ### Token Format Examples Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/concepts/tokens.md Examples of service, batch, and recovery tokens, illustrating the prefix and body structure. ```shell b.n6keuKu5Q6pXhaIcfnC9cFNd r.JaKnR2AIHNk3fC4SGyyyDVoQ9O s.raPGTZdARXdY0KvHcWSpp5wWZIHNT ``` -------------------------------- ### Start Stronghold with HSM configuration Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/admin/kms-hsm/hsm.md Command to start the Stronghold server using the specified configuration file. ```shell export SOFTHSM2_CONF=/home/stronghold/softhsm2.conf stronghold server -config config.hcl ``` -------------------------------- ### Okta DexProvider Manifest Example Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/dkp/platform-management/access-control/user-management.md Example of a manifest for configuring a DexProvider to integrate with Okta. ```yaml apiVersion: deckhouse.io/v1 kind: DexProvider metadata: name: okta spec: type: OIDC displayName: My Company Okta oidc: issuer: https://my-company.okta.com clientID: plainstring clientSecret: plainstring insecureSkipEmailVerified: true getUserInfo: true ``` -------------------------------- ### File audit backend example Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/admin/audit/overview.md Example command to enable the file audit backend. ```shell stronghold audit enable file file_path=/var/log/stronghold_audit.log ``` -------------------------------- ### Storage Section - Filesystem Backend Example Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/standalone/configuration.md Example configuration for the filesystem storage backend, specifying the data path. ```hcl storage "file" { path = "/mnt/vault/data" } ``` -------------------------------- ### Write data using the example policy Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/user/secrets-engines/kv/kv-v2.md Example of writing data using a previously defined password policy. ```shell $ d8 stronghold kv put -mount=secret my-generated-secret \ password=$(d8 stronghold read -field password sys/policies/password/example/generate) ``` -------------------------------- ### Globbing example Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/concepts/policy.md This example demonstrates the use of globbing in `allowed_parameters`. It allows the creation, update, or patching of `secret/foo` with a parameter named `bar`, where values must start with `baz/`. ```hcl path "secret/foo" { capabilities = ["create", "update", "patch"] allowed_parameters = { "bar" = ["baz/*"] } } ``` -------------------------------- ### Start Sealwrap Rewrap Process Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/admin/kms-hsm/sealwrap.md Example curl command to initiate the sealwrap rewrap process. ```shell curl \ --header "X-Vault-Token: ${VAULT_TOKEN}" \ --request POST \ "${VAULT_ADDR}/v1/sys/sealwrap/rewrap" ``` -------------------------------- ### Retrieve Specific Password Policy via API Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/concepts/password-policy.md Example using `curl` to get information about a specific password policy by its name via the Stronghold API. ```bash curl \ --header “X-Vault-Token: ...” \ https://stronghold.example.com/v1/sys/policies/password/my-policy ``` -------------------------------- ### Example Stronghold Configuration Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/standalone/configuration.md An example configuration file for Stronghold servers in HCL format, demonstrating settings for UI, cluster and API addresses, storage, listeners, and telemetry. ```hcl ui = true cluster_addr = "https://127.0.0.1:8201" api_addr = "https://127.0.0.1:8200" disable_mlock = true storage "raft" { path = "/path/to/raft/data" node_id = "raft_node_id" } listener "tcp" { address = "127.0.0.1:8200" tls_cert_file = "/path/to/full-chain.pem" tls_key_file = "/path/to/private-key.pem" } telemetry { statsite_address = "127.0.0.1:8125" disable_hostname = true } ``` -------------------------------- ### Allowed parameters example: allowing specific values for a parameter Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/concepts/policy.md This example allows the user to create or update an encryption key for the transit secrets engine enabled at "transit/". When doing so, the "auto_rotate_period" parameter value can be set so that the key gets rotated. However, the rotation period must be "8h", "24h", or "5d". Any other value will result in an error. ```hcl path "transit/keys/*" { capabilities = ["create", "update"] allowed_parameters = { "auto_rotate_period" = ["8h", "24h", "5d"] } } ``` -------------------------------- ### Example: Registering the 'mykv' secret plugin Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/admin/plugins/dkp.md Specific example of registering the 'mykv' secret plugin with its command, SHA256, version, type, and name. ```bash d8 stronghold plugin register \ -command mykvplugin \ -sha256 "${PLUGIN_SHA}" \ -version "v1.0.1" \ secret \ mykv ``` -------------------------------- ### Install Deckhouse in Existing Cluster Command Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/dkp/install/steps/install.md Command to install Deckhouse into an already existing cluster. ```shell dhctl bootstrap-phase install-deckhouse ``` -------------------------------- ### Running the Installer Container Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/dkp/install/steps/install.md General command to run the Deckhouse installer container from the public registry. ```shell docker run --pull=always -it [] registry.deckhouse.io/deckhouse//install: bash ``` -------------------------------- ### Example configuration for TCP listener section Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/standalone/configuration.md Listening on multiple interfaces. ```console listener "tcp" { address = "127.0.0.1:8200" } listener "tcp" { address = "10.0.0.5:8200" } # Advertise the non-loopback interface api_addr = "https://10.0.0.5:8200" cluster_addr = "https://10.0.0.5:8201" ``` -------------------------------- ### Install SoftHSM2 packages Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/admin/kms-hsm/hsm.md Installs the necessary packages for SoftHSM2. ```shell apt install libsofthsm2 opensc ``` -------------------------------- ### List Cluster Nodes Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/dkp/install/steps/access.md Verify platform resources are accessible by listing the cluster nodes. ```bash d8 k get nodes ``` -------------------------------- ### Run the Deckhouse installer container Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/dkp/removing.md Command to run the Deckhouse installer container. ```shell docker run --pull=always -it [] \ registry.deckhouse.io/deckhouse//install: bash ``` -------------------------------- ### Candidate Password Generation Example Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/concepts/password-policy.md Illustrates the process of selecting characters from a charset based on random indices to form a candidate password. ```text 3, 2, 0, 8, 7, 3, 5, 1 ``` ```text [3, 2, 0, 8, 7, 3, 5, 1] => [d, c, a, i, h, d, f, b] ``` ```text dcaihdfb ``` -------------------------------- ### Run documentation site locally Source: https://github.com/deckhouse/website-stronghold/blob/main/README.md Command to run the documentation site locally. ```bash make up ``` -------------------------------- ### Populated template example Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/user/secrets-engines/identity/token.md An example of a populated template after parameters have been replaced. ```json { "color": "green", "userinfo": { "username": "bob", "groups": ["web", "engr", "default"] }, "nbf": 1561411915 } ``` -------------------------------- ### Configure DNS Name Template with sslip.io Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/dkp/install/steps/install.md Command to obtain the load balancer IP and configure the DNS name template for platform services using sslip.io. ```bash BALANCER_IP=$(d8 k -n d8-ingress-nginx get svc nginx-load-balancer -o json | jq -r '.status.loadBalancer.ingress[0].ip') && \ echo "Balancer IP is '${BALANCER_IP}'." && d8 k patch mc global --type merge \ -p "{"spec": {"settings":{"modules":{"publicDomainTemplate":"%s.${BALANCER_IP}.sslip.io"}}}} " && echo && \ echo "Domain template is '$(d8 k get mc global -o=jsonpath='{.spec.settings.modules.publicDomainTemplate}')'." ``` -------------------------------- ### Enable Stronghold Service Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/install/standalone/installation.md Configures the systemd service to start automatically on boot. This ensures Stronghold is available after server restarts. ```shell systemctl enable stronghold.service ``` -------------------------------- ### Path Globbing Examples Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/concepts/policy.md Examples demonstrating path globbing with asterisks (*) for matching patterns in policies. ```HCL path "secret/bar/*" { capabilities = ["read"] } ``` ```HCL path "secret/zip-*" { capabilities = ["read"] } ``` -------------------------------- ### Socket audit backend example Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/admin/audit/overview.md Example command to enable the socket audit backend. ```shell stronghold audit enable socket address=127.0.0.1:9090 socket_type=tcp ``` -------------------------------- ### Enable an external plugin Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/admin/plugins/standalone.md Example of enabling an external plugin at a desired mount path. ```shell stronghold secrets enable -path=my-secrets passthrough-plugin ``` -------------------------------- ### Syslog audit backend example Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/admin/audit/overview.md Example command to enable the syslog audit backend. ```shell stronghold audit enable syslog tag="stronghold" facility="AUTH" ``` -------------------------------- ### List All Password Policies via API Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/concepts/password-policy.md Example using `curl` to list all password policies by sending a LIST request to the Stronghold API. ```bash curl \ --header “X-Vault-Token: ...” \ --request LIST \ https://stronghold.example.com/v1/sys/policies/password ``` -------------------------------- ### Initialize Stronghold with HSM Source: https://github.com/deckhouse/website-stronghold/blob/main/content/documentation/admin/kms-hsm/hsm.md Commands to start Stronghold and initialize it when using an HSM. ```shell systemctl start stronghold stronghold operator init ```