Tech that helped us during the first months with a newborn baby

I work in tech, and while I try to maintain a healthy work-life balance, I still use many gadgets, so I thought to share which tech solutions helped us during the first month with our newborn baby.

Transient network issue at container start when using istio (solution: holdApplicationUntilProxyStarts)

I was setting up an app on a kubernetes cluster that had istio configured as a service mesh, and I ran into an issue: as the application starts, it attempts to communicate with another service over the network (it doesn’t matter whether it’s an external service or something running on the same cluster), and it fails. However, when I kubectl exec into the container, I can successfully reach the same service. What’s going on, and how can it be solved?

istio-proxy 'NR filter_chain_not_found' / upstream connect error or disconnect/reset before headers. reset reason: connection termination

I deployed a vendor’s software on kubernetes and the website showed this error message:

upstream connect error or disconnect/reset before headers. reset reason: connection termination

Looking at the istio-proxy sidecar logs on the Pod I could see an error message:

kubectl logs -c istio-proxy app-ui-543875cf14-a2b33
[2023-08-09T06:06:22.268Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 0 - "-" "-" "-" "-" "-" - - 10.20.223.206:8080 10.20.221.213:42304 - -
How to get all repositories of an enterprise on GitHub Enterprise Cloud

GitHub Enterprise Cloud is an enterprise version of GitHub.com “designed for large businesses or teams who collaborate on GitHub.com” (source). There is a strong emphasis on security, which extends to strict limits on programmatic access, especially to enterprise-wide resources, so listing all organizations or all repositories of the enterprise becomes non-trivial. This guide describes how to do just that.

Using vault-plugin-secrets-artifactory to generate short-lived Artifactory tokens with a non-admin user

How to use the HashiCorp Vault Secrets Plugin for Artifactory to create short-lived Artifactory tokens scoped to a specific user, without the need for an admin token. The main use case for this is CI workflows (e.g. GitHub Actions) that can authenticate to Vault (e.g. via GitHub’s workflow OIDC) and need access to Artifactory.

Authenticating Github workflows with oauth2-proxy

oauth2-proxy is often used to handle user authentication for apps; however, non-human users (e.g. CI workflows) are usually unable to complete the interactive OIDC flow. In this post I will show how to configure oauth2-proxy to trust GitHub’s OIDC provider and use that JWT to authenticate workflows and give them access to the app behind the proxy.

How to use the vault terraform provider locally and in a Github action ci workflow at the same time

In one of my projects I manage Vault resources via Terraform. The main Terraform pipeline runs in a GitHub Actions workflow and uses GitHub’s JWT to connect to Vault. Meanwhile, user authentication is done using Vault’s OIDC auth method.

This post will show how to set up the Vault Terraform provider so that it uses the GitHub-signed JWT when running in CI, and OIDC authentication when running locally.

Accessing the Github token from a Github action

For each GitHub Actions workflow run, GitHub creates a unique GitHub token. This can be accessed either via the GITHUB_TOKEN secret (${{ secrets.GITHUB_TOKEN }}) or via the github context (${{ github.token }}). The docs also note that

An action can access the GITHUB_TOKEN through the github.token context even if the workflow does not explicitly pass the GITHUB_TOKEN to the action.

However, the docs fall short of showing how to do it, and it took me a while to figure it out, so I’m sharing it here.

snyk test docker --fail-on= workaround

I’m running Snyk to scan docker images and break the build if they have high or critical vulnerabilities:

snyk test --severity-threshold=high --docker $IMAGE_NAME

However, sometimes the upstream image itself has high or critical vulnerabilities (e.g. at the time of writing, debian), so there is very little one can do about it (other than moving to a different base image, which is usually not easy). Thus I only want to break the build if there are high or critical vulnerabilities AND they can be fixed by upgrading the base image.

Multi-cluster multi-primary istio on AWS EKS

Recently I was working on setting up istio in a multi-cluster setup, following the Install Multi-Primary on different networks guide on EKS clusters. Everything seemed to work (no errors in the logs) until I reached the verification step, where requests never went to the other mesh: in CLUSTER1 I always got a response from Hello version: v1, instance: helloworld-v1-86f77cd7bd-cpxhv, while in CLUSTER2 always from Hello version: v2, instance: helloworld-v2-758dd55874-6x4t8.

Terraform's kubernetes_secret giving 'Error: Provider produced inconsistent result after apply'

I’m creating a new kubernetes_secret via Terraform for an existing service account like this:

resource "kubernetes_secret" "my_service_account_token" {
  metadata {
    name = "my-service-account-token"
    namespace = "example"
    annotations = {
      "kubernetes.io/service-account.name" = "my-service-account"
    }
  }
  type = "kubernetes.io/service-account-token"
}

so that I can then use this token elsewhere, like: kubernetes_secret.my_service_account_token.data["token"].

How to set up Azure AD authentication with AWS EKS kubernetes clusters

I recently worked on setting up Azure Active Directory (AAD from now on) authentication for kubernetes clusters running on AWS EKS (Amazon Elastic Kubernetes Service). The goal was to let users of the kubernetes cluster authenticate using their AAD identities, and to assign permissions based on their usernames and also their AAD groups. Here is how I did it.

How to download the latest release from a Github repository

We often want to download the latest release of an application from GitHub, but it used to be hard without knowing the latest version number. Now we can do the following:

Moving a blog from Wordpress to Github pages

This blog is hosted on GitHub Pages, which I have ended up liking a lot, so I decided to move my other blog (originally hosted on WordPress) there too. I was already planning to change the domain of that blog, so I took the opportunity to do both at the same time. Here are the steps I took.

Authentication using kubernetes service account JWTs

Permissions for a Pod in kubernetes are managed via Service Accounts, and these come with a JWT issued by the cluster. If a Pod needs to authenticate to an external service, it is reasonable to use this JWT, so let’s see how to obtain it and how the external service can verify it.

Kubernetes: cannot get path "//.well-known/openid-configuration"

I’ve been playing with using kubernetes service account JWTs to authenticate Pods. To get the public key for checking the JWT signature, I needed to hit the https://kubernetes.default.svc/.well-known/openid-configuration endpoint; however, as the URL was coming from a config file, it ended up being https://kubernetes.default.svc//.well-known/openid-configuration (mind the double //). This worked well locally, where everything runs under the powerful default service account, but when deployed I got an error saying:

Cross-app Scripting in Android apps

If an Android app accepts Intents to open a URL in a WebView, then a malicious app installed on the same device can open a javascript:alert(1)-like URL, which will run the supplied JavaScript in the context of the victim app’s site (the one currently loaded in the WebView). This vulnerability is called Cross-app Scripting.

Restricting Google App Script permissions

Google Apps Script is a rapid application development platform that makes it fast and easy to create business applications that integrate with Google Workspace. You write code in modern JavaScript and have access to built-in libraries for favorite Google Workspace applications like Gmail, Calendar, Drive, and more.

https://developers.google.com/apps-script/overview

Google Apps Script provides an easy way to automate repetitive tasks in the Google ecosystem (e.g. Drive). It is somewhat similar to macros in Microsoft Office. An Apps Script will ask for permissions before it can interact with any of the user’s documents, and by default these permissions are unnecessarily wide. This write-up is meant to help restrict these permissions.

Using LastPass on login forms with more than 2 inputs

LastPass generally handles common login pages with a username and a password well, but it breaks on login forms that have more than those two fields. There is a solution, though.

The problem

Here is the site I’ll use as an example: the login page of the SMBC bank: [https://direct.smbc.co.jp/aib/aibgsjsw5001.jsp]

The first line gives 2 options for identifying your user: either specify your bank account number (branch code and account number) or use your contractor number. I’m using the first one, so let’s focus on that. The problem is that the branch code and the account number are two separate text boxes, so when I fill them out and log in, LastPass will only save one of them as the username.

Getting a .jp domain

I have a super common family name in Hungary: Szabo. It means tailor, and approx. 2% of Hungarians have this family name (203,126 out of 9,730,000). Thus szabo.hu, szabo.eu, szabo.com, szabo.net, szabo.info, szabo.me, szabo.xyz etc. are mostly taken. However, I recently checked and szabo.jp was available! Following a Tokyo Cheapo guide I found Star Domain and bought the domain there for 2560 yen/year. (Star Domain has a referral program, so if you use this link, I might earn a little money.)

I already had hosting elsewhere, so I only needed the domain, and Star Domain has a pretty straightforward DNS configurator. I had read that only people in Japan can register .jp domains, so I expected some verification, but only my phone number was checked, and after I paid for the domain I could use it immediately.

Most of the site is text based, so Google Translate makes it possible to use it without knowing much Japanese.