camp2023-57025-eng-The_magic_behind_one-click_deployments_opus.srt
1
00:00:00,000 --> 00:00:10,000
[MUSIC]
2
00:00:10,000 --> 00:00:20,000
[MUSIC]
3
00:00:20,000 --> 00:00:38,640
The next talk is from Jadyn and she will tell us about the magic behind one-click deployments.
4
00:00:38,640 --> 00:00:46,000
I think it's wonderful that when you do server infrastructure, you just do one click and the server is just there.
5
00:00:46,000 --> 00:00:51,280
And you don't have the hassle of managing it by yourself as normal.
6
00:00:51,280 --> 00:00:54,640
We also have a signal angel for your questions later.
7
00:00:54,640 --> 00:00:59,920
You can post with the hashtag #CCCamp23NortX.
8
00:00:59,920 --> 00:01:02,000
Then we will see your questions.
9
00:01:02,000 --> 00:01:04,400
And now have fun for this talk.
10
00:01:04,400 --> 00:01:12,080
Okay, let's just head back to the first slide.
11
00:01:12,080 --> 00:01:16,480
And then we can start.
12
00:01:16,480 --> 00:01:20,400
Well, it's buggy.
13
00:01:20,400 --> 00:01:23,520
Okay, welcome to my talk.
14
00:01:23,520 --> 00:01:26,960
The magic behind auto deployments.
15
00:01:26,960 --> 00:01:34,320
As Leon already said, auto deployments is something that most of us have interacted with before.
16
00:01:34,320 --> 00:01:38,560
Yeah, but let's start.
17
00:01:38,560 --> 00:01:40,880
First thing, I'm Jadyn.
18
00:01:40,880 --> 00:01:42,560
My pronouns are she/her.
19
00:01:42,560 --> 00:01:43,600
I'm 22.
20
00:01:43,600 --> 00:01:45,760
I work in cyber security.
21
00:01:45,760 --> 00:01:51,120
And I do lots of things with computers and hardware and stuff.
22
00:01:51,120 --> 00:01:54,880
You can find me on chaos.social, Jadyn@chaos.social.
23
00:01:54,880 --> 00:02:01,360
And on my website, as you've already seen, where you can also find the slides.
24
00:02:01,360 --> 00:02:03,360
What is an auto deployment?
25
00:02:03,360 --> 00:02:07,280
And what is a one click deployment?
26
00:02:07,280 --> 00:02:11,280
We will have about four parts in this talk.
27
00:02:11,280 --> 00:02:13,600
First, what even is it?
28
00:02:13,600 --> 00:02:15,240
Then how does it work?
29
00:02:15,240 --> 00:02:22,440
Then we will try to demonstrate it right here with real hardware and real data centers.
30
00:02:22,440 --> 00:02:28,280
And afterwards, there will be a Q&A session where I can hopefully answer most of your
31
00:02:28,280 --> 00:02:29,880
questions.
32
00:02:29,880 --> 00:02:37,920
And if I can't, just hit me up after the talk or on social media or via email or whatever.
33
00:02:37,920 --> 00:02:39,920
Okay.
34
00:02:39,920 --> 00:02:43,400
One click deployments are fully automated deployments.
35
00:02:43,400 --> 00:02:44,760
What does it mean?
36
00:02:44,760 --> 00:02:53,480
It means that we can spawn anything like VM or container, IP addresses, DNS entries, and
37
00:02:53,480 --> 00:03:01,720
much, much more, like user management, firewall, software configuration, monitoring, and anything
38
00:03:01,720 --> 00:03:04,200
you can imagine.
39
00:03:04,200 --> 00:03:09,840
The whole thing is pretty easy.
40
00:03:09,840 --> 00:03:13,760
But you have to get some key ingredients first.
41
00:03:13,760 --> 00:03:21,420
To allow access for an automated system on all your devices and access to APIs, you usually
42
00:03:21,420 --> 00:03:27,560
need some kind of root access, usually done with SSH.
43
00:03:27,560 --> 00:03:33,540
And you need your deployment sources, which are usually from just a repository where you
44
00:03:33,540 --> 00:03:36,120
have your config files and your scripts.
45
00:03:36,120 --> 00:03:41,740
And then there's your source of truth, which is in my case Netbox.
46
00:03:41,740 --> 00:03:45,800
And then you have the big issue of secret storage.
47
00:03:45,800 --> 00:03:53,280
You have to generate secrets on demand for root passwords, user passwords, and a lot
48
00:03:53,280 --> 00:03:56,680
of other things, databases, everything.
49
00:03:56,680 --> 00:04:06,320
And that is mostly done with a utility called pass, which is just using GPG to store your
50
00:04:06,320 --> 00:04:11,920
credentials and encrypt them so you can just put them in a repository and everything is
51
00:04:11,920 --> 00:04:13,720
fine.
52
00:04:13,720 --> 00:04:18,000
The easiest way to get that is just get a dedicated host.
53
00:04:18,000 --> 00:04:19,400
It doesn't have to be in a data center.
54
00:04:19,400 --> 00:04:22,160
In my case, it is.
55
00:04:22,160 --> 00:04:24,760
And you just plug in a small YubiKey.
56
00:04:24,760 --> 00:04:27,560
Most of you probably know what that is.
57
00:04:27,560 --> 00:04:35,360
It's a small device you plug in via USB into your computer, which can store your encryption
58
00:04:35,360 --> 00:04:42,480
keys, your private keys, in a fashion that doesn't allow them to get off there.
59
00:04:42,480 --> 00:04:47,560
They are on that small USB stick and nobody can get them.
60
00:04:47,560 --> 00:04:52,880
Well, you could, but it's really, really, really hard.
61
00:04:52,880 --> 00:04:54,760
Okay.
62
00:04:54,760 --> 00:04:56,900
Inner workings.
63
00:04:56,900 --> 00:05:01,280
You need to gather some data before we can even start with your deployment.
64
00:05:01,280 --> 00:05:06,440
This data is usually provided by some kind of source of truth.
65
00:05:06,440 --> 00:05:12,840
This is my favorite way of doing that because handling config files is, to be honest, quite
66
00:05:12,840 --> 00:05:20,000
a pain to get them everywhere and writing config files isn't that easy either.
67
00:05:20,000 --> 00:05:26,760
And as I said, we want that to work with one click via a web UI, so writing config files
68
00:05:26,760 --> 00:05:31,000
is not that easy.
69
00:05:31,000 --> 00:05:37,400
And in your source of truth, you usually store things like your host name, network interfaces,
70
00:05:37,400 --> 00:05:44,240
IP addresses, gateways, DNS servers, your hypervisor config like memory, or if you get
71
00:05:44,240 --> 00:05:51,760
your machine from some provider like AWS or something, you need to know how many cores
72
00:05:51,760 --> 00:05:55,840
you need, how much memory and such things.
73
00:05:55,840 --> 00:06:00,960
And you also want to know which services you want to install.
74
00:06:00,960 --> 00:06:04,080
The second step is gathering the secrets.
75
00:06:04,080 --> 00:06:11,200
I've implemented a very easy way which is based on the pass utility.
76
00:06:11,200 --> 00:06:14,560
As mentioned before, it uses GPG.
77
00:06:14,560 --> 00:06:22,440
And I've written an Ansible module to dynamically generate secrets and store them in an encrypted
78
00:06:22,440 --> 00:06:24,680
way.
79
00:06:24,680 --> 00:06:26,600
This is just an example.
80
00:06:26,600 --> 00:06:35,160
You have your Ansible secret storage which contains your host secrets which are individually
81
00:06:35,160 --> 00:06:44,240
for each host, and also your secrets like databases, super user passwords, and the host password,
82
00:06:44,240 --> 00:06:45,800
of course.
83
00:06:45,800 --> 00:06:53,520
And your static secrets like API tokens, DNS access, and things that you don't want to
84
00:06:53,520 --> 00:07:00,560
generate on demand because the secrets will stay the same in your environment.
85
00:07:00,560 --> 00:07:08,160
Second step is to configure your hypervisor or your VM of some sort.
86
00:07:08,160 --> 00:07:13,400
For that, I'm using Proxmox, but you can use AWS or Hetzner or whatever.
87
00:07:13,400 --> 00:07:18,280
It's pretty much just an implementation detail.
88
00:07:18,280 --> 00:07:24,400
You need to spawn and configure the hardware which usually is done with a simple API request
89
00:07:24,400 --> 00:07:29,320
to your favorite provider or your own services.
90
00:07:29,320 --> 00:07:34,000
Then you already get the first issue, network configuration.
91
00:07:34,000 --> 00:07:41,080
You need to probably set things from your IP addresses to your MAC addresses and all
92
00:07:41,080 --> 00:07:43,200
of that.
93
00:07:43,200 --> 00:07:49,680
That is usually handled by your provider or by your hypervisor, and Netbox, or your
94
00:07:49,680 --> 00:07:55,880
configuration management, just tells you which IPs you want, which IPs are free, which MAC
95
00:07:55,880 --> 00:08:00,820
addresses are free, and you just generate that data on demand.
96
00:08:00,820 --> 00:08:02,760
And you already set your default password.
97
00:08:02,760 --> 00:08:08,160
Usually you either get a default password from your API request or you send one with
98
00:08:08,160 --> 00:08:14,440
it or you send your SSH public key.
99
00:08:14,440 --> 00:08:21,680
After that, your device is spawned, and the first thing is we SSH in using our root user
100
00:08:21,680 --> 00:08:24,240
that we just created.
101
00:08:24,240 --> 00:08:27,640
Then we run things, the usual set up.
102
00:08:27,640 --> 00:08:36,000
Everyone does it probably, like you're installing your packages and your default packages, you're
103
00:08:36,000 --> 00:08:43,720
upgrading, installing firewalls, making firewall rules like allowing SSH and allowing your
104
00:08:43,720 --> 00:08:48,840
services that you want to install, for example, a web server which would need port 80 and
105
00:08:48,840 --> 00:08:55,560
SSL ports, and then you ensure that your root password is matching the one that you have
106
00:08:55,560 --> 00:09:01,440
in your database, in your password database, and then you configure stuff like sudo.
107
00:09:01,440 --> 00:09:06,040
Those are the easiest and most basic things.
108
00:09:06,040 --> 00:09:10,680
You could stop at this point and then you just have a machine that is running somewhere
109
00:09:10,680 --> 00:09:16,880
on the internet or on your own network, and you have a root password, your SSH keys are
110
00:09:16,880 --> 00:09:23,980
deployed, and you can start from there doing your stuff via SSH.
111
00:09:23,980 --> 00:09:26,920
But then we have things like DNS.
112
00:09:26,920 --> 00:09:34,960
So we gather, for example, our SSH fingerprints and put them in DNS, which is a neat security
113
00:09:34,960 --> 00:09:38,620
feature for those who haven't heard of it.
114
00:09:38,620 --> 00:09:46,840
You can put your SSH fingerprint onto your DNS, and SSH will contact your DNS server
115
00:09:46,840 --> 00:09:57,400
and validate that the host matches those keys, which will just ensure that your DNS isn't
116
00:09:57,400 --> 00:10:03,080
doing something weird or you're connecting to the wrong host or something.
117
00:10:03,080 --> 00:10:08,720
Then of course we set our A and AAAA records, our CNAMEs if we need them, and everything
118
00:10:08,720 --> 00:10:10,920
else.
119
00:10:10,920 --> 00:10:19,440
For example, we saw that you can also set the Prometheus DNS records, which
120
00:10:19,440 --> 00:10:29,520
are just SRV records that allow your monitoring to learn about new hosts.
121
00:10:29,520 --> 00:10:32,440
We will see that in action soon.
122
00:10:32,440 --> 00:10:34,960
Yeah.
123
00:10:34,960 --> 00:10:36,340
Monitoring records.
124
00:10:36,340 --> 00:10:46,820
And then we get into the nitty-gritty of the whole thing, configuring and installing services.
125
00:10:46,820 --> 00:10:53,460
In my example, I just want to install a Netbox instance, so we need to ensure that we have
126
00:10:53,460 --> 00:10:59,380
a Postgres database so that your service can store all its data.
127
00:10:59,380 --> 00:11:05,340
After the database is created, we have to install all our dependencies, and we just
128
00:11:05,340 --> 00:11:08,440
do that via Ansible.
129
00:11:08,440 --> 00:11:11,320
And after that, we configure our service.
130
00:11:11,320 --> 00:11:18,920
And then we run some other small stuff, and then you bring it up, the whole thing is running,
131
00:11:18,920 --> 00:11:28,120
you connect via your admin software of choice, and then you create your super user, and in
132
00:11:28,120 --> 00:11:33,760
the end, your password database will just have admin and your randomly generated super
133
00:11:33,760 --> 00:11:38,340
user password or admin password for the service you need, and you never have to touch that
134
00:11:38,340 --> 00:11:43,740
host with SSH yourself, everything is just in your password database, which you can integrate
135
00:11:43,740 --> 00:11:47,840
into your password manager, and it's done.
136
00:11:47,840 --> 00:11:51,160
You don't have to connect to the host manually.
137
00:11:51,160 --> 00:11:54,520
Afterwards, we also want monitoring.
138
00:11:54,520 --> 00:12:01,480
Monitoring is a very important but often overlooked thing in IT security and also in IT
139
00:12:01,480 --> 00:12:02,480
in general.
140
00:12:02,480 --> 00:12:08,160
I don't only need the service to be up and running, I also need to know if it's well,
141
00:12:08,160 --> 00:12:13,600
and if it's having issues or the drives are getting full and stuff like that.
142
00:12:13,600 --> 00:12:21,840
So you usually have something using Prometheus and Grafana or some variation of that.
143
00:12:21,840 --> 00:12:30,800
And as we've seen before, we just add the SRV record to our Prometheus zone, and Prometheus
144
00:12:30,800 --> 00:12:35,320
will automatically discover our new host, and we don't have to do anything on that part
145
00:12:35,320 --> 00:12:37,520
either.
146
00:12:37,520 --> 00:12:42,560
Then an even more overlooked part is what do you want to do when you get rid of the whole
147
00:12:42,560 --> 00:12:44,160
thing?
148
00:12:44,160 --> 00:12:50,640
There are DNS records and monitoring things you have to remove, and also your secret storage
149
00:12:50,640 --> 00:12:53,080
has to be cleaned up.
150
00:12:53,080 --> 00:12:59,440
So we will unregister the whole thing from monitoring, delete the DNS entries, and then
151
00:12:59,440 --> 00:13:06,560
remove the VM or container from our hypervisor and everything is removed, and it's done.
152
00:13:06,560 --> 00:13:14,040
I sped through this part quite a bit because now we're going to see it happen in real time.
153
00:13:14,040 --> 00:13:15,040
Hopefully.
154
00:13:15,040 --> 00:13:19,200
So we start with our Netbox instance.
155
00:13:19,200 --> 00:13:23,320
That is the way I have it configured.
156
00:13:23,320 --> 00:13:25,840
It's really loud over there.
157
00:13:25,840 --> 00:13:34,200
So I've created a new virtual machine with the name CCCCAM23.Jupiter.CafinatedLabs.net.
158
00:13:34,200 --> 00:13:39,840
Jupiter is my hypervisor, and this is the host name of the virtual machine we want to
159
00:13:39,840 --> 00:13:42,880
create.
160
00:13:42,880 --> 00:13:47,400
As you can see here, we have our network interface already.
161
00:13:47,400 --> 00:13:51,400
Very nice!
162
00:13:51,400 --> 00:13:54,320
Do we have broken IPv6?
163
00:13:54,320 --> 00:13:55,320
Maybe.
164
00:13:55,320 --> 00:13:56,320
Yeah.
165
00:13:56,320 --> 00:13:59,040
No IPv6 over here.
166
00:13:59,040 --> 00:14:03,200
Very nice.
167
00:14:03,200 --> 00:14:04,200
Let's check.
168
00:14:04,200 --> 00:14:05,200
Yeah.
169
00:14:05,200 --> 00:14:12,800
Well, no IPv6 for me.
170
00:14:12,800 --> 00:14:14,680
It's a modern standard.
171
00:14:14,680 --> 00:14:19,680
It's way too new to be supported everywhere.
172
00:14:19,680 --> 00:14:21,920
I shouldn't have expected it to work.
173
00:14:21,920 --> 00:14:24,920
I'm sorry.
174
00:14:24,920 --> 00:14:27,840
Okay.
175
00:14:27,840 --> 00:14:36,720
That is really distracting over there.
176
00:14:36,720 --> 00:14:46,200
Well.
177
00:14:46,200 --> 00:14:50,680
Do we have IPv6 now?
178
00:14:50,680 --> 00:14:52,000
Hmm.
179
00:14:52,000 --> 00:14:58,000
Well, that's embarrassing.
180
00:14:58,000 --> 00:15:03,600
I'm on the Wi-Fi right now, so I'm trying to get a connection.
181
00:15:03,600 --> 00:15:08,360
Let me just test this.
182
00:15:08,360 --> 00:15:13,000
Yeah, I've unplugged it.
183
00:15:13,000 --> 00:15:17,760
And I'm on the Wi-Fi, but Wi-Fi doesn't have IPv6 either.
184
00:15:17,760 --> 00:15:21,160
Thanks.
185
00:15:21,160 --> 00:15:23,120
I'll try.
186
00:15:23,120 --> 00:15:25,400
Let me just try.
187
00:15:25,400 --> 00:15:30,640
Let's reconnect.
188
00:15:30,640 --> 00:15:38,760
Hmm.
189
00:15:38,760 --> 00:15:39,760
It's working.
190
00:15:39,760 --> 00:15:40,760
It's working again.
191
00:15:40,760 --> 00:15:46,760
Trying to get off and on again has worked.
192
00:15:46,760 --> 00:15:49,760
So let's see.
193
00:15:49,760 --> 00:16:04,640
Well.
194
00:16:04,640 --> 00:16:09,000
Internet is real fast today.
195
00:16:09,000 --> 00:16:13,280
Okay.
196
00:16:13,280 --> 00:16:17,880
We have our thing.
197
00:16:17,880 --> 00:16:18,880
It has worked.
198
00:16:18,880 --> 00:16:23,400
That's good.
199
00:16:23,400 --> 00:16:27,600
And the SSH connection is also up.
200
00:16:27,600 --> 00:16:28,920
Okay.
201
00:16:28,920 --> 00:16:35,840
We can see our ad on a device with our public IP address and our pre-configured MAC address.
202
00:16:35,840 --> 00:16:41,280
We can also render and be generated on demand, but I've pre-configured it so that it doesn't
203
00:16:41,280 --> 00:16:46,600
change quite as often and the ARP tables don't get full as much when we...
204
00:16:46,600 --> 00:16:49,600
Yeah, I can...
205
00:16:49,600 --> 00:16:52,400
Yes.
206
00:16:52,400 --> 00:16:54,280
Give me a second.
207
00:16:54,280 --> 00:16:56,280
Is there a light theme?
208
00:16:56,280 --> 00:16:59,480
Okay.
209
00:16:59,480 --> 00:17:01,280
Can you see it now?
210
00:17:01,280 --> 00:17:02,600
Okay.
211
00:17:02,600 --> 00:17:04,640
Perfect.
212
00:17:04,640 --> 00:17:06,640
Let's go back to the interfaces tab.
213
00:17:06,640 --> 00:17:09,520
And let me just close this.
214
00:17:09,520 --> 00:17:16,200
We have our MAC address and our ad on a device and our IP address.
215
00:17:16,200 --> 00:17:18,200
Then we can go over here.
216
00:17:18,200 --> 00:17:22,760
We can see this is our host name.
217
00:17:22,760 --> 00:17:26,880
The device is currently offline because we want to pre-configure it.
218
00:17:26,880 --> 00:17:33,520
Then we have selected our Debian 12 as a base image.
219
00:17:33,520 --> 00:17:37,240
Down here are some of the Proxmox features we want to configure.
220
00:17:37,240 --> 00:17:39,280
It should start at the hypervisor boot.
221
00:17:39,280 --> 00:17:45,160
It doesn't have a Proxmox VM ID yet, but we will see that this field will get populated
222
00:17:45,160 --> 00:17:48,160
once we have run our script.
223
00:17:48,160 --> 00:17:54,000
And we have configured on which clusters running, on which node, and all of that.
224
00:17:54,000 --> 00:18:01,080
And we've also configured our virtual CPUs, our 2 gigabytes of RAM, and the 8 gigabytes
225
00:18:01,080 --> 00:18:04,160
of storage.
226
00:18:04,160 --> 00:18:08,040
There's nothing else configured yet.
227
00:18:08,040 --> 00:18:12,880
So everything you see here is the config.
228
00:18:12,880 --> 00:18:18,320
Now we will go over to the SSH session.
229
00:18:18,320 --> 00:18:20,560
And run the whole thing.
230
00:18:20,560 --> 00:18:28,520
I'm currently connected to the host I've described before, which has the YubiKey plugged
231
00:18:28,520 --> 00:18:33,640
into it, so I could even unplug this one if I wanted to.
232
00:18:33,640 --> 00:18:35,880
So let's go to our deployment.
233
00:18:35,880 --> 00:18:39,540
This will happen automatically with a webhook.
234
00:18:39,540 --> 00:18:43,780
But for demonstration, I will show it to you this way.
235
00:18:43,780 --> 00:18:52,900
And also the script will pause sometimes so I can explain what's happened.
236
00:18:52,900 --> 00:18:56,660
We have deploy and then our environment.
237
00:18:56,660 --> 00:18:59,940
And then we can just run deploy.
238
00:18:59,940 --> 00:19:01,820
Okay.
239
00:19:01,820 --> 00:19:05,220
Let's deploy this machine.
240
00:19:05,220 --> 00:19:08,520
First thing is we are decrypting our secrets.
241
00:19:08,520 --> 00:19:14,600
Then we are installing our Python dependencies for the Ansible controller.
242
00:19:14,600 --> 00:19:20,000
Then our Ansible script will talk to Netbox and figure out which machine we want to deploy
243
00:19:20,000 --> 00:19:24,380
and with which settings.
244
00:19:24,380 --> 00:19:28,320
Then we are cloning our secret repository.
245
00:19:28,320 --> 00:19:31,760
And generating our secrets.
246
00:19:31,760 --> 00:19:36,680
As we can see, we have generated our root password, for example.
247
00:19:36,680 --> 00:19:40,140
Our root password has been generated.
248
00:19:40,140 --> 00:19:42,660
And where is it?
249
00:19:42,660 --> 00:19:43,660
Yeah.
250
00:19:43,660 --> 00:19:49,820
Our TSIG key for DNS challenges and DNS access has been generated.