Testing the Panasonic Advance Series Link Plus smart light switches

We are building a house, and I recently looked into smart lighting and light switches concluding that the best option for us is likely Panasonic’s Advance Series Link Plus switches (アドバンスシリーズ リンクプラス). I got my hands on two of the switches and in this post I’ll share what I learned from testing them out.

Read more

Fuzzing with Bazel: cc_fuzz_test

Recently I have been fuzzing C/C++ projects built with Bazel using libfuzzer, so I thought to share my learnings on some of the details on how to do this.

Read more

Smart lighting options in Japan

We are in the process of building our house, and I want to use this opportunity to add some smart home solutions. Right now my focus is on ensuring that the things that come with the house are capable of “being smart” (controlled with automation). Big part of this is lighting, and in this post I’ll review what I learned about smart lighting options available in Japan.

Read more

A low-effort way of getting paid well

I work in IT, which generally means great salaries, but there is still a difference between companies. Moreover changing jobs leads to higher compensation on average, as one is in a better negotiation position when joining a company compared to when simply asking for a raise.

However constantly looking for jobs and interviewing requires substantial efforts, so I have a more passive approach to it.

Read more

Tech that helped us during the first months with a newborn baby

I work in tech, and while I try to maintain a healthy work-life balance, I still use many gadgets, so I thought to share which tech solutions helped us during the first month with our newborn baby.

Read more

Transient network issue at container start when using istio (solution: holdApplicationUntilProxyStarts)

I was setting up an app on a kubernetes cluster that had istio configured as a service mesh, and I run into an issue: as the application starts, it attempts to communicate to another service over the network (doesn’t matter if it’s an external service or something running on the same cluster), and it fails. However when I kubectl exec into the container, I can successfully reach the same service. What’s going on and how to solve it?

Read more

istio-proxy 'NR filter_chain_not_found' / upstream connect error or disconnect/reset before headers. reset reason: connection termination

I deployed a vendor’s software on kubernetes and the website showed this error message:

upstream connect error or disconnect/reset before headers. reset reason: connection termination

Looking at the istio-proxy sidecar logs on the Pod I could see an error message:

kubectl logs -c istio-proxy app-ui-543875cf14-a2b33
[2023-08-09T06:06:22.268Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 0 - "-" "-" "-" "-" "-" - - 10.20.223.206:8080 10.20.221.213:42304 - -
Read more

How to get all repositories of an enterprise on GitHub Enterprise Cloud

GitHub Enterprise Cloud is an enterprise version of GitHub.com “designed for large businesses or teams who collaborate on GitHub.com”(source). There is a strong emphasis on security, which extends to strong limits on programmatic access, especially to enterprise-wide resources, so getting all organizations or all repositories of the enterprise becomes non-trivial. This guide will describe how to do just these.

Read more

Using vault-plugin-secrets-artifactory to generate short-lived Artifactory tokens with a non-admin user

How to use the HashiCorp Vault Secrets Plugin for Artifactory to create short-lived Artifactory tokens scoped to a specific user, without the need for an admin token. The main usecase for this is CI workflows (e.g. Github actions) that can authenticate to vault (e.g. Github’s workflow OIDC) and need access to Artifactory.

Read more

Authenticating Github workflows with oauth2-proxy

oauth2-proxy is often used to handle user authentication for apps, however non-human users (e.g. CI workflows) are often unable to complete the OIDC flow. In this post I will show how to configure oauth2-proxy to trust Github’s OIDC provider and use that JWT to authenticate workflows and give them access to the app behind the proxy.

Read more

How to use the vault terraform provider locally and in a Github action ci workflow at the same time

In one of my the projects I manage vault resources via terraform. The main terraform pipeline runs in a Github action workflow and uses Github’s JWT to connect to vault. Meanwhile user authentication is done using vault’s OIDC auth method.

This post will show how to setup the vault terraform provider so that it uses the Github signed JWT when running in CI, and OIDC authentication when running locally.

Read more

Accessing the Github token from a Github action

For each Github action workflow, Github creates a unique Github token. This can accessed a either via the GITHUB_TOKEN secret (${{ secrets.GITHUB_TOKEN }}) or via the github context (${{ github.token }}). The docs also note that

An action can access the GITHUB_TOKEN through the github.token context even if the workflow does not explicitly pass the GITHUB_TOKEN to the action.

However the docs fall short of showing how to do it, and it took me a while to figure it out, so I’m sharing it here.

Read more

snyk test docker --fail-on= workaround

I’m running Snyk to scan docker images and break the build if they have high or critical vulnerabilities:

snyk test --severity-threshold=high --docker $IMAGE_NAME

However sometimes the upstream image has high or critical vulnerabilities (e.g. at the times of writing this, debian), so there is very little action one can take (other than moving to a different base image, which is usually not easy). Thus I only want to break the build if there are high or critical vulnerabilities AND they can be fixed by ugrading the base image.

Read more

Multi-cluster multi-primary istio on AWS EKS

Recently I was working on setting up istio in a multi-cluster setup following the Install Multi-Primary on different networks guide on EKS clusters. Everything seemed to work (no errors in logs), until I reached the verification step, where requests didn’t go to the other mesh: in CLUSTER1 I always got a response from Hello version: v1, instance: helloworld-v1-86f77cd7bd-cpxhv, while in CLUSTER2 always from Hello version: v2, instance: helloworld-v2-758dd55874-6x4t8.

Read more

Terraform's kubernetes_secret giving 'Error: Provider produced inconsistent result after apply'

I’m creating a new kubernetes_secret via Terraform for an existing service account like this:

resource "kubernetes_secret" "my_service_account_token" {
  metadata {
    name = "my-service-account-token"
    namespace = "example"
    annotations = {
      "kubernetes.io/service-account.name" = "my-service-account"
    }
  }
  type = "kubernetes.io/service-account-token"
}

so that then I can use this token elsewhere like: kubernetes_secret.my_service_account_token.data["token"].

Read more

How to setup Azure AD authentication with AWS EKS kubernetes clusters

I recently worked on setting up Azure Active Directory (AAD from now) authentication with kubernetes clusters running on AWS EKS (Amazon Elastic Kubernetes Service). The goal was to let users of the kubernetes cluster authenticate using their AAD identities, and assing permissions using the usernames and also AAD groups. Here is how I did it.

Read more

How to download the latest release from a Github repository

We often want to download the latest release of an application from Github, however it used to be hard without knowing the latest version. But now we can do the followings:

Moving a blog from Wordpress to Github pages

This blog is hosted on Github pages, which I end up liking a lot, so I decided to move my other blog (originally hosted on Wordpress) too. I was already planning to update the domain of that blog, so I took the opportunity to do both at the same time. Here are the steps I did.

Read more

Authentication using kubernetes service account JWTs

Permissions for a Pod in kubernetes are managed via Service Accounts, and these come with a JWT issued by the cluster. If the Pods need to authenticate to an external service, it would be reasonable to use this JWT, so let’s see how to get it and verify it.

Read more

Kubernetes: cannot get path "//.well-known/openid-configuration"

I’ve been playing with using kubernetes service account JWTs to authenticate Pods. To get the cert for checking the JWT signature, I needed to hit the https://kubernetes.default.svc/.well-known/openid-configuration endpoint, however as the URL was coming from a config file it ended up being https://kubernetes.default.svc//.well-known/openid-configuration (mind the double //). This worked well locally where everything runs under the powerful default service account, but when deployed I got an error saying:

Read more

Cross-app Scripting in Android apps

If an Android app accepts Intents to open a URL in a WebView, then a malicious app installed on the same device might open a javascript:alert(1)-like URL, which will run the provided JavaScript in the context of the victim app’s site (that is currently loaded in the WebView). This vulnerability is called Cross-app Scripting.

Read more

Restricting Google App Script permissions

Google Apps Script is a rapid application development platform that makes it fast and easy to create business applications that integrate with Google Workspace. You write code in modern JavaScript and have access to built-in libraries for favorite Google Workspace applications like Gmail, Calendar, Drive, and more.

https://developers.google.com/apps-script/overview

Google Apps Script provide an easy way to automate repetitive tasks in the Google ecosystem (e.g. Drive). It is somewhat similar to macros in Microsoft Office. An App Script will ask for permissions before it can interact with any document of the user, and by default these permissions are unnecessarily wide. This write up is meant to help restricting these permissions.

Read more

Using LastPass on login forms with more than 2 inputs

LastPass generally handles common login pages with a username and password well, but it breaks on login forms that have more than those two fields. But there is a solution.

The problem

Here is the site I’ll use as an example: the login page of the SMBC bank: [https://direct.smbc.co.jp/aib/aibgsjsw5001.jsp]

The first line gives 2 options for identifying your user: either specify your bank account number (branch code and account number) or use your contractor number. I’m using the first one, so let’s focus on that. The problem is that the branch code and the account numbers are two separate text boxes, thus when I fill them out and login, then LastPass will only save one of them as username.

Read more

Getting a .jp domain

I have a super common family name in Hungary: Szabo. It means tailor, and appr. 2% of Hungarians have this family name (203,126 out of 9,730,000). Thus szabo.hu, szabo.eu, szabo.com, szabo.net, szabo.info, szabo.me, szabo.xyz etc. are mostly taken. However I recently checked and szabo.jp was available! Following a Tokyo Cheapo guide I found Star Domain and bought the domain there for 2560 yen/year. (Star Domain has a referral program, so if you use this link, I might earn a little money.)

I already had hosting elsewhere, so I only needed the domain and Star Domain has a pretty straightforward DNS configurator. I read that only people in Japan can register .jp domains, so I expected some verification, but only my phone number was checked and after I paid for the domain, I could use it immediately.

Most part of the site is text based, so Google Translate makes it possible to use it without knowing too much Japanese.