DEV Community: timtsoitt

How to create local wildcard domains in MacOS using dnsmasq?

timtsoitt — Sun, 19 Mar 2023 12:25:45 +0000

Introduction

Recently I was looking around for tutorials to setup local wildcard domains in MacOS for development purpose. Most tutorials were similar and I just could not resolve the local domains. If you are having the same issue, your should take a look of your DNS server settings.

Preparation

Install dnsmasq

Dnsmasq is a DNS server which allows you to create DNS records locally. Besides, it also forwards domain queries to upstream servers, such that we can resolve public domains as well.

By default, dnsmasq looks for upstream servers in /etc/resolv.conf.



brew install dnsmasq

Verify your homebrew prefix

Dnsmasq service is installed in a different location based on your Mac's chip (Intel / Apple Silicon). You can check it by running command brew --prefix.

Since I am using M1 Macbook, the installation path is /opt/homebrew. If you are using intel Macbook, be careful of the path settings and make changes accordingly.

Modify the dnsmasq.conf file



vi $(brew --prefix)/etc/dnsmasq.conf

Go to the end of the file, uncomment the line conf-dir=/opt/homebrew/etc/dnsmasq.d/,*.conf.

Now dnsmasq will look for local DNS records in /opt/homebrew/etc/dnsmasq.d/.

Create a DNS record

I will use test as my local domain name. And I want dnsmasq to resolve any test domain queries to IP 127.0.0.1. Dnsmasq will also try to resolve subdomain records as well, such as a.test, b.c.test, which is very convenient.



bash -c "echo 'address=/test/127.0.0.1' > $(brew --prefix)/etc/dnsmasq.d/test.conf"

The name of the conf file does not matter, it is just good for management, having one file for each domain.

Setup DNS servers

To let your Macbook knows sending query to dnsmasq. Left click your wifi icon in the menu bar -> "Wi-Fi settings" -> "Details" -> go to "DNS" section.

Take a record of your existing DNS servers and remove all of them. Then add "127.0.0.1" as your topmost entry such that DNS query will be sent to dnsmasq first.

It is very important because if your query is send to other DNS servers first, it may respond with record is not found which explains why you are unable to query local domains.

Lastly you can add back all your existing DNS servers.

Now if you take a look of the /etc/resolv.conf file, you can see that it is actually generated from the settings of the "DNS" section.

(Re)start dnsmasq

To reflect your dnsmasq changes, you need to restart it.



  
  
  brew services start dnsmasq


brew services restart dnsmasq

Conclusion

It is a short article. Thanks for reading!

Argo CD and Sealed Secrets is a perfect match

timtsoitt — Sat, 11 Jun 2022 08:51:10 +0000

TL;DR

Sealed Secrets can works perfectly well with Argo CD. It is one of the very best secret managment approachs that you should consider.

The same idea can apply to both Helm, Kustomize or other GitOps tools.

Introduction

There is no golden standard about secret management in Argo CD. Instead, Argo CD provides you a list of solutions here and you have to think it yourself.

Although I opt-in for Sealed Secrets, I also want to show you how my decision making process guides me to such a conclusion.

To start with, we need to think of two questions.

Where to store your secret?

Although there are many solutions available, basically there are just two ways to store secrets, i.e. store in secret management platforms or git repositories.

Secret management platform approach

I don't prefer to use secret management platforms.

No matter what platform you use, it won't be K8S native because the platform lives outside of your cluster. You always needs to install some plugins in your Kubernetes clusters to read the secrets from your platform .

If you opt-in for this approach, you have to manage the platforms, plugins and integrating everything together. It introduces too much complexity and we know that complexity means more errors, bugs, human mistakes...

Git repository approach

You can upload encrypted secrets together with your Kubernetes manifests to your repository. Then Argo CD will decrypt the secret when it syncs your application. Everything is bundled together which is good for management.

Sealed Secrets is one of the solution based on this approach.

How to ingest your secret?

Now we are moving forward to git repository approach. Let us review what solutions are available.

Helm Secrets

To most people who use Helm, Helm Secrets is a popular choice. Users can encrypt values files and then Argo CD will decrypt these files accordingly.

However it is also too complicated to me.

First of all, to integrate Helm Secrets with ArgoCD, you have to do certain modifications, which you can see their tutoral. Again these complexities always leads to many issues.

Moreover, there is no way to simply avoid someone committs unencrypted values files as these files are normal YAML files.

Lastly, we know that ArgoCD allow us to specify multiple values files. So now you got a set of values files and encrypted values files. How to tell there is no unintended value overriding issue happen? Ideally, we want to avoid decrypting secrets files but now we may have to do so.

Sealed Secrets

Sealed Secrets is a general usage secret management solution. Even if you don't use Argo CD, you can also use it to encrypt secrets.

It is simple to use

When you install Sealed Secrets to your cluster, it creates a controller that manages a RSA certificate internally.
Then you use kubeseal utility, a cli tool provided by Sealed Secrets, to encrypt Secret resources to SealedSecret resources.
Whenever you apply SealedSecret resources, the controller will decrypt it as Secret resources.

# Sample usage
echo -n bar | kubectl create secret generic mysecret --dry-run=client --from-file=foo=/dev/stdin > mysecret.yaml
kubeseal --format yaml -f mysecret.yaml > mysealedsecret.yaml
kubectl create -f mysealedsecret.yaml

Let discuss the benefits of using Sealed Secrets.

Firstly, everything is K8S native. When you are doing development work, you can simply reference Secret resources. When you are ready to commit your code, you just need to use kubeseal to encrypt it by using an one-off command.

Secondly, committing Secret resources can be blocked by setting pre-commit hook.

Thirdly, it can avoid value overriding issue. Secrets remains to be secrets.

You can bring you own key. I find it is quite useful because it allows you to share the same secret to multiple clusters.

How to use Sealed Secrets with Argo CD?

If you are familiar with Argo CD, you know it only allows you to set some values or values files. Actually, this restriction can be easily bypass by creating a proxy chart.

Inside the Chart.yaml, you specify the target chart in the dependency section. Then you put all the SealedSecret resources to the templates folder.

# Example proxy chart
├── Chart.yaml
├── templates
│   └── sealed-secret.yaml
└── values.yaml

In Argo CD, values files need to be stored in the same repository with the Helm charts. It is violating the best practice, as explained by Argo CD documentation itself.

So ideally, you will setup at least two repositories, which makes using proxy charts a natural move.

Base charts repository
All your target charts store in here and your proxy charts will will use these charts as sub-charts.

Proxy charts repository
This is where Argo CD sync with your proxy charts, which is representing the desired application state.

Using proxy chart is a very useful technique. Sometimes if you want to customise the chart but directly modify the target chart is not an ideal choice (maybe you are referencing a public chart), then you can use this technique to tailor-made your chart.

There are many more tricks you can do with this pattern, let say in some cases you want to share the same secret to multiple deployments, you can do something like this.

# Maybe you want to reuse the same database credential for deployments in all regions?
├── Chart.yaml
├── templates
│   └── sealed-secret.yaml
├── region-a-values.yaml
└── region-b-values.yaml

Exercise

I have setup a minimal setup for you to experience my approach.

You can checkout my repository https://github.com/timtsoitt/argocd-proxy-charts and follow the instructions.

Conclusion

While there is no one size fit all shoes solution, keep things as simple is always a best practice. Rather than introducing many dependencies or complexities, we see a great value of using Sealed Secret with Argo CD.

If you have any ideas or questions, free feel to comment here. Also please do spend a little time to like, bookmark and share it. Thank you.

My approach to manage enterprise private CA with AWS

timtsoitt — Thu, 02 Jun 2022 14:33:04 +0000

Story

A long time ago, the company I was working do not have any private CA. When people deployed internal applications, they created with a self-signed certificates themselves. Every time I accesses these applications, my browser always showed a "Your connection is not private warning". It was annoying, and indeed also a security risk. As a DevSecOps engineer, this was a time that I should stand out and addressed this issue.

We need a private CA to issue certificates for internal applications.

Overview

Our operation is based on AWS. Luckily, AWS has a service called ACM Private CA, which allows us to create private CA hierarchies, including root and subordinate CAs.

The idea is simple.

Create a root CA using ACM Private CA.
Install the root CA to every employee's computer to make it to be trusted.
Create a list of subordinate CAs for each department using ACM Private CA.
Use the root CA to sign these subordinate CAs.
Share these subordinate CAs to different AWS accounts through AWS Resource Access Manager (RAM), where these AWS accounts are managed by a particular department.
Issue private certificates with their owned subordinate CAs using AWS Certificate Manager (ACM)
Everyone gets rid of the warning.

Tutorial

Step 1

There are two options to create private CA. For the root CA, click the first one. For the subordinate CAs, click the second one.

Step 2

Fill in the blank as your like.

Step 3

Choose RSA 4096 for root CA, RSA 2048 for subordinate CAs. You can also explore other options.

Step 4

These are some advanced features you can explore. For the tutorial purpose we just skip it.

Step 5

Always a good practice to tag your resource.

Step 6

Allow AWS to auto renew your private CAs.

Step 7

Check the checkbox before you have reviewed all the information.

Step 8

For your subordinate CAs, remember to sign it with your root CA.

Click the install CA certificate button. Then choose the ACM private CA option.

Select your root CA as the Parent private CA.

Notice that you will need to adjust the Path length per your need. Since a subordinate CA can be the parent of another subordinate CA, path length sets the number of subordinate CA certificates that may exist in the chain below it.

For example, if you don't want people to use this subordinate CA to sign another subordinate CA, choose 0 as the value.

You can find the definition in AWS documentation.
https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-pathlength

Step 9

Now you can share your subordinary CAs to different accounts using AWS RAM.

Keep the default setting.

Set the AWS account ID. Then review and create.

Step 10

From the destination account, you need to accept the shared subordinary CA.

Step 11

Now if you go to the AWS ACM and request a private certificate, you will be able to use the shared subordinary CA to issue your certificate.

Step 12

After you issue a certificate, you can export the certificate if you need.

Step 13

Lastly do not forget to install the root CA certificate to employees' computer. There are multiple way to do so, depends on your OS, which you can search it online.

Download your root CA certificate in here.

Conclusion

In security perspective, we have a private CA now, everyone expects they won't see the warning again. If they do see the warning, then we know the certificate in use is not properly issued, or maybe it is even a bogus website.

In operation perspective, everything is managed properly. We have a place to manage CAs and a place to manage our certificates. No messy self-signed certificates anymore.

Crossplane is better than Terraform in K8S world

timtsoitt — Sat, 28 May 2022 19:16:36 +0000

TL;DR

Crossplane is a solution you should consider when your infrastructure is to serve your k8s applications.

Story

I have been using Terraform for a very long time. It is simple to use with a very huge community support. However every solution has its shortcomings. Terraform is not really a nice solution when you have to work with k8s.

My AWS infrastructure is closely related to my K8S applications. Maybe I have to upload objects to S3, or store my data in RDS. If you are using AWS EKS, you should be very familiar with IRSA (IAM roles for service accounts) feature, it grants your service accounts with AWS permissions. Then you pods can reference these service accounts and interact with AWS APIs.

So IAM roles are AWS stuffs, and service accounts are K8S stuffs. You have to create both IAM roles and service accounts using some methods.

I can use Terraform to create both IAM roles and service accounts but it is very operational unfriendly. K8s deployments not just only have service accounts need to be applied. How about using Terraform to deploy all AWS infrastructure and k8s manifests? IMO, DO NOT DO IT. Argo CD, Flux CD or any GitOps tools are much better than Terraform.

Never solve a small problem by bringing another big trouble.

Now back to my question, how I should integrate IAM roles with service accounts? How about doing the opposite, use k8s to provision IAM roles?

And then Crossplane comes into my eyes. Simply speaking, Crossplane is a k8s style of Terraform.

Tutorial

Now I am going to show you how to use Crossplane.

Prerequisite

You need to have an admin privilege in your AWS account.
A k8s cluster

1. Define your variables

Specify any value you like.

EKS_CLUSTER_NAME=""
AWS_REGION=""
AWS_IAM_ROLE_NAME="${EKS_CLUSTER_NAME}-crossplane-controller"

2. Install Crossplane using helm charts

Everyone loves helm chart :)

helm repo add crossplane https://charts.crossplane.io/master/
helm install --create-namespace --namespace crossplane-system crossplane crossplane/crossplane --version 1.9.0-rc.0.9.g243f1f47

3. Install AWS provider

Crossplane can provision infrastructure in many platforms. Let say if you want to deploy to Azure, you can install Azure provider.

cat <<EOF | kubectl apply -f -
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: aws-config
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::${AWS_ACCOUNT_ID}:role/${AWS_IAM_ROLE_NAME}
spec:
  podSecurityContext:
    fsGroup: 2000
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws
spec:
  package: crossplane/provider-aws:v0.27.0
  controllerConfigRef:
    name: aws-config
EOF

4. Create IAM role for IRSA

Again it is a Chicken or the egg problem. Crossplane controller needs to have permissions to provision AWS resources. So we need to manually provision a IAM role for once.

SERVICE_ACCOUNT_NAME=$(kubectl get providers.pkg.crossplane.io provider-aws -o jsonpath="{.status.currentRevision}")
OIDC_PROVIDER=$(aws eks describe-cluster --name $EKS_CLUSTER_NAME --region $AWS_REGION --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")

read -r -d '' TRUST_RELATIONSHIP <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:crossplane-system:${SERVICE_ACCOUNT_NAME}"
        }
      }
    }
  ]
}
EOF
echo "${TRUST_RELATIONSHIP}" > trust.json

aws iam create-role \
    --role-name "${IAM_ROLE_NAME}" \
    --assume-role-policy-document file://trust.json \
    --description "IAM role for Crossplane provider-aws"

aws iam attach-role-policy --role-name "${IAM_ROLE_NAME}" --policy-arn=arn:aws:iam::aws:policy/AdministratorAccess

rm trust.json

cat <<EOF | kubectl apply -f -
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: aws-provider
spec:
  credentials:
    source: InjectedIdentity
EOF

6. Try it out

Let try to deploy something.

apiVersion: iam.aws.crossplane.io/v1beta1
kind: Role
metadata:
  name: crossplane-sample-role
  annotations:
spec:
  deletionPolicy: Delete
  forProvider:
      description: "A role created by Crossplane"
      assumeRolePolicyDocument: |
        {
          "Version": "2012-10-17",
          "Statement": [
              {
                "Effect": "Allow",
                "Principal": {
                  "Service": "ec2.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
              }
          ]
        }
  providerConfigRef:
    name: aws-provider

---
apiVersion: iam.aws.crossplane.io/v1beta1
kind: Policy
metadata:
  name: crossplane-sample-policy
spec:
  deletionPolicy: Delete
  forProvider:
    name: crossplane-sample-policy
    description: A policy created by Crossplane
    document: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster"
            ],
            "Resource": "*"
          }
        ]
      }
  providerConfigRef:
    name: aws-provider
---
apiVersion: iam.aws.crossplane.io/v1beta1
kind: RolePolicyAttachment
metadata:
  name: crossplane-sample-role-policy-attachment
spec:
  deletionPolicy: Delete
  forProvider:
    roleNameRef:
      name: crossplane-sample-role
    policyArnRef: 
      name: crossplane-sample-policy
  providerConfigRef:
    name: aws-provider

6. Cleanup

Always a good practice to do cleanup.

helm uninstall crossplane --namespace crossplane-system
kubectl delete ns crossplane-system
kubectl get crd -o name | grep crossplane.io | xargs kubectl delete

aws iam detach-role-policy --role-name ${AWS_IAM_ROLE_NAME} --policy-arn=arn:aws:iam::aws:policy/AdministratorAccess
aws iam delete-role --role-name "${AWS_IAM_ROLE_NAME}"

Discussion

Imagine you need to deploy an application that needs an ALB, RDS. Now you can package all the things using k8s manifests. No more Terraform is involved and much less management overheads.

Take a step forward, you can use Crossplane to replace Terraform to provision any infrastructure. Crossplane allows you to write Crossplane version Terraform modules, which are called Configurations.

So do I still recommend people to use Terraform? Yes I do. Developers might not really comfortable with k8s while writing Terraform is like writing a simple program to them. And Terraform has a large community supporting, new features will be supported quicker and bug fixes will be sooner.

Conclusion

In short, if you are going to deploy some infrastructure that are only for your k8s deployments, e.g. load balancers, IAM Roles for IRSA. Consider Crossplane.

If you are going to deploy some shared infrastructure or it is not relevant to your k8s deployments, e.g. Network, EC2 bastions. Use Terraform.

One technique to save your AWS EKS IP addresses 10x

timtsoitt — Fri, 20 May 2022 21:01:01 +0000

Story

When I was doing a research to design AWS EKS clusters from the ground up. Networking aspect was a part of my considerations. One problem was that how many IP addresses I need in a long run. While it had no simple answer, instead I could tell you that how to save your IP addresses.

Prerequsites

The technique I am going to introduce is based on AWS CNI plugin (Amazon VPC Container Network Interface plugin for Kubernetes), which is also the default CNI of your EKS cluster.

From the offical documentation, Using this plugin allows Kubernetes pods to have the same IP address inside the pod as they do on the VPC network. This is why your pods can communicate to computing resources outside your clusters, or even in other VPCs.

And let me roughly explain the real-world scenerio:

Each node group provisons a group of EC2 instances. Each instance has multiple ENIs, and one ENI contains multiple IP addresses. AWS CNI plugin helps you to manage these IP addresses and associate to your EKS pods.

EKS features

Assign address prefixes to your ENI

By default, the number of IP addresses available to assign to pods is based on the number of IP addresses assigned to Elastic network interfaces, and the number of network interfaces attached to your Amazon EC2 node, i.e. AWS CNI plugin assigns IP addresses to ENIs.

EKS offers your another options, let AWS CNI plugin to assign / 28 IP address prefixes to ENIs.

Let me show you a simple example.

Consider that a ENI has ten slots:

If you use the default mode, you can assign 10 IP addresses to it.
If you use the prefixes mode, you can assign 10 /28 prefix blocks to it, i.e. 10 * 16 IP addresses = 160 IP addresses.

If you find out your instances have not fully utilized, you have a choice to optimize the pod-to-instance ratio, such that you can create fewer instances.

If it does not sound useful to you, prefixes mode has an addtional advantage. You can make less API calls to configure the network interfaces and IP addresses necessary for pod connectivity.

In the situation of rapidly scaling, API throttling might happen. Your EKS will stuck in a dead loop when it scales too quick.

Your pods need IP addresses, AWS VPC CNI will call APIs to allocate IP addresses for your pods. However API throttling prevent CNI to allocate IP addresses, then AWS VPC CNI keeps sending API calls ....

In the default mode, you are assigning a single IP addresses each time. Now you can assign 16 IP addresses each time. While it is not 100% correct, you can roughly assuming that it saves 16x API calls.

CNI custom networking

By default, when new network interfaces are allocated for pods, AWS CNI plugin uses the security groups and subnet of the node's primary network interface, i.e. ** both pods and nodes are created in the same subnet.**

Normally, we use RFC 1918 CIDR ranges (10.0.0.0/8, 172.16.0.0/12 and 192.16.0.0/16) to allocate our IP addresses.
However, many of you might not know, EKS supports additional IPv4 CIDR blocks in the 100.64.0.0/10 and 198.19.0.0/16 ranges.

The trick is simple. You can create your nodes in RFC 1918 CIDR ranges and then create your pods in 100.64.0.0/10 and 198.19.0.0/16 ranges. You can much more IP addresses to allocate now.

Please be reminded that 100.64.0.0/10 and 198.19.0.0/16 are not common IP ranges. Proper routing needs to be configured if you want the pods created in 100.64.0.0/16 and 192.19.0.0/16 to be able to have outbound connections to RFC 1918 CIDR ranges through VPC peering, transit gateway peering.

Why I emphasis outbound connections? Here is another trick, you can place load balancers in RFC-1918 ip ranges, and forward traffic to non RFC-1918 ip ranges pods. This way your clients only need to have route to your load balancers, without need to know anything of your pods.

Conclusion

Depends on your use cases, you can enable either or both Assign address prefixes to your ENI and CNI custom networking feature.

I also encourage you to understand what AWS VPC CNI plugin does if you are not familiar it before. It can help you to design EKS cluster in a better way.

If you are interested to use these features, AWS documentation has a very detailed explanation, which I have attached below. You should also checkout considerations and prerequisites in the documentation.

Reading

cni-increase-ip-addresses
cni-custom-network
Using additional IPv4 IP ranges
eni-max-pods

Python 101 - annoying UnboundLocalError

timtsoitt — Sun, 10 Apr 2022 14:40:03 +0000

UnboundLocalError is an error you must have encountered when you learn Python. Let us try to understand this error.

Starting Point

This code snippet can run. Although we do not assign variable x inside inner_function(), it searches variable x from enclosed scope, which is simple_function().

def simple_function():
    x = 10

    def inner_function():
        return x

    return inner_function()


print(simple_function()) # 10

Now we try do assignment to variable x. This time we face UnboundLocalError. Why is that?

# Unable to run
def simple_function():
    x = 10

    def inner_function():
        x = x + 10
        return x

    return inner_function()


print(simple_function()) # UnboundLocalError: local variable 'x' referenced before assignment

When we do an assignment to a variable, this variable is treated as local variable to that scope. Python will shadow any variable in outer scope. For example, it will not care variable x in the simple_function.

When Python interprets the part x + 10, it tries to reference variable x, and then add value 10 to it. However, it does not know where the variable x is in local scope, i.e. the inner_function block. So Python prompts the UnboundLocalError error.

Solution

If you want to reference variable x from the simple_function scope, you need to use the nonlocal keyword.

The nonlocal keyword means the variables are neither global nor local to the function. It instructs Python to look for the variables in outer scope, the simple_function block in our case.

def simple_function():
    x = 10

    def inner_function():
        nonlocal x
        x = x + 10
        return x

    return inner_function()


print(simple_function()) # 20

Python 101 - what happens when you instantiate a class?

timtsoitt — Sat, 09 Apr 2022 14:18:52 +0000

Introduction

Python is a simple language. Many people pick Python as their first language to learn. While you are coding in Python happily, have you ever curious about how a class is instantiated?

TL;DR: Learn how Python instantiate a class from concept level to reading source code.

Starting Point

Let take a look of this code snippet. We define a method that return an integer. And then we call the method to get the value.

def my_method():
    return 1

a = my_method()

Then we take a look of this code snippet. We define a class, and then we instantiate the class.

class MyClass:
    def __init__(self):
        pass


myclass = MyClass()

Inside the method, we need to use return to get the value. But for the class, there is no return statement. Why we can get the instance of the class? There must be something hidden.

The hidden base class

Python is a OOP language, i.e. we can use inheritance.

In Python, we implement inheritance like this, which the derived class MyClass is inherited from the base class SuperClass.

class SuperClass():
   pass

class MyClass(SuperClass):
   pass

Now I want you to know every class has a default base class in Python 3, which is called object.

If you have been using Python for a while, you might have an idea seeing people define a class in this way. This is because Python 2 does not auto apply class object as the base class.

class MyClass(object):
   pass

We can use dir method to verify it. The dir method returns all attributes and methods of the specified object, without the values.

>>> dir(object)
['__class__', '__delattr__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__']

>>> dir(MyClass)
['__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__']

We can confirm that the class MyClass inherits all the things from class object.

You can also use issubclass(MyClass, object) to verify it.

From the result of dir method, there is one method we need to be aware of, which is __new__. __new__ method is responsible to create instance from the class by allocating memory and initialising necessary fields,

Now we know the hidden return statement is inside __new__ method.

# Conceptual representation. 
class object:
    def __new__(cls):
        instance = create_and_initialise(cls)
        return instance

Ok. You should spot out two points. I will answer these points one-by-one.

Where is the cls.__init__ method called?
What you mean by conceptual?

Introduction of metaclass

I mentioned every class has a hidden base class Object.

Now I also want you to know every class has a hidden metaclass, which is called type.

Generally speaking metaclass is a class of the class that defines the behaviour of its class instances. When you create an instance from a class, Python needs to create the class itself first, as a form of instances of the metaclass.

Inside the metaclass, it defines how the class creates instances of itself in the __call__ method, which triggers __new__ method and then __init__ method from the class.

# Conceptual representation. 
class type:
    def __call__(cls, *args, **kwargs):
        instance = cls.__new__(cls)
        cls.__init__(cls, *args, **kwargs)
        return instance

Now we have the full picture of how __init__ method is triggered.

Deep dive into Python implementation source code

We know Python is an interpreted programming language, it needs an interpreter to translate your Python code to bytecode and get it running.

Interpreter is a program. So we need to ask how Python interpreter is developed? The answer is CPython.

CPython is the official implementation of the interpreter. As the name implies, it is written in C language. When you download Python in the official page, you are using CPython based interpreter.

There are other Python implementations, such as Jython (Java based implementation), PyPy (Python based implementation).

How CPython is related to our topic?

CPython does not only translate your Python source code, it also included Python standard libraries.

Let say when you use print command in Python, do you notice that you never need to import any library, while in C you need to import standard library . This is because Python interpreter (CPython) help you to do so.

The implementation of class object and class type are part of the CPython. It is not written in Python directly, which is why I mention it as conceptual implementation in pythonic way.

Here is the most exciting part, we are going to look into the CPython source code

The CPython implementation of new method

Let us visit CPython Github repository.

At the time I write this article, it is Python version 3.11.0 alpha 7.

The first file we need to look for is /include/object.h file. It defines a struct called _object. Every instance of class is _object in C implementation.

struct _object {
    _PyObject_HEAD_EXTRA
    Py_ssize_t ob_refcnt;
    PyTypeObject *ob_type;
};

There are three fields:

_PyObject_HEAD_EXTRA
It is for debug usage. We can skip it.
Py_ssize_t ob_refcnt
Storing reference counter for garbage collection management.
PyTypeObject *ob_type
The type of the object, i.e. the class of the object.

In /include/pytypedefs.h file. We can see it defines an alias name PyObject to struct _object. All other CPython source code always references PyObject instead of _object.

typedef struct _object PyObject;

In /Objects/object.c file, we can find the actual implementation of the __new__ method.

It returns a PyObject, such as instance of class.

PyObject *
_PyObject_New(PyTypeObject *tp)
{
    PyObject *op = (PyObject *) PyObject_Malloc(_PyObject_SIZE(tp));
    if (op == NULL) {
        return PyErr_NoMemory();
    }
    _PyObject_Init(op, tp);
    return op;
}

In /Objects/call.c file, we can find the actual implementation of the __call__ method.

PyObject *
_PyObject_Call(PyThreadState *tstate, PyObject *callable,
               PyObject *args, PyObject *kwargs)
{
    ternaryfunc call;
    PyObject *result;

    /* PyObject_Call() must not be called with an exception set,
       because it can clear it (directly or indirectly) and so the
       caller loses its exception */
    assert(!_PyErr_Occurred(tstate));
    assert(PyTuple_Check(args));
    assert(kwargs == NULL || PyDict_Check(kwargs));

    vectorcallfunc vector_func = _PyVectorcall_Function(callable);
    if (vector_func != NULL) {
        return _PyVectorcall_Call(tstate, vector_func, callable, args, kwargs);
    }
    else {
        call = Py_TYPE(callable)->tp_call;
        if (call == NULL) {
            _PyErr_Format(tstate, PyExc_TypeError,
                          "'%.200s' object is not callable",
                          Py_TYPE(callable)->tp_name);
            return NULL;
        }

        if (_Py_EnterRecursiveCall(tstate, " while calling a Python object")) {
            return NULL;
        }

        result = (*call)(callable, args, kwargs);

        _Py_LeaveRecursiveCall(tstate);

        return _Py_CheckFunctionResult(tstate, callable, result, NULL);
    }
}

The line result = (*call)(callable, args, kwargs); is actually calling another function called type_call, which is defined in /Objects/typeobject.c file.

static PyObject *
type_call(PyTypeObject *type, PyObject *args, PyObject *kwds)
{
    PyObject *obj;
    PyThreadState *tstate = _PyThreadState_GET();

#ifdef Py_DEBUG
    /* type_call() must not be called with an exception set,
       because it can clear it (directly or indirectly) and so the
       caller loses its exception */
    assert(!_PyErr_Occurred(tstate));
#endif

    /* Special case: type(x) should return Py_TYPE(x) */
    /* We only want type itself to accept the one-argument form (#27157) */
    if (type == &PyType_Type) {
        assert(args != NULL && PyTuple_Check(args));
        assert(kwds == NULL || PyDict_Check(kwds));
        Py_ssize_t nargs = PyTuple_GET_SIZE(args);

        if (nargs == 1 && (kwds == NULL || !PyDict_GET_SIZE(kwds))) {
            obj = (PyObject *) Py_TYPE(PyTuple_GET_ITEM(args, 0));
            Py_INCREF(obj);
            return obj;
        }

        /* SF bug 475327 -- if that didn't trigger, we need 3
           arguments. But PyArg_ParseTuple in type_new may give
           a msg saying type() needs exactly 3. */
        if (nargs != 3) {
            PyErr_SetString(PyExc_TypeError,
                            "type() takes 1 or 3 arguments");
            return NULL;
        }
    }

    if (type->tp_new == NULL) {
        _PyErr_Format(tstate, PyExc_TypeError,
                      "cannot create '%s' instances", type->tp_name);
        return NULL;
    }

    obj = type->tp_new(type, args, kwds);
    obj = _Py_CheckFunctionResult(tstate, (PyObject*)type, obj, NULL);
    if (obj == NULL)
        return NULL;

    /* If the returned object is not an instance of type,
       it won't be initialized. */
    if (!PyObject_TypeCheck(obj, type))
        return obj;

    type = Py_TYPE(obj);
    if (type->tp_init != NULL) {
        int res = type->tp_init(obj, args, kwds);
        if (res < 0) {
            assert(_PyErr_Occurred(tstate));
            Py_DECREF(obj);
            obj = NULL;
        }
        else {
            assert(!_PyErr_Occurred(tstate));
        }
    }
    return obj;
}

Let translate this function in pythonic style:

Trigger __new__ method to get instance of the class.
Check the returned instance is an instance of the class.
If no, return the instance immediately. If yes, call __init__ method and then return the instance.

Summary

Reading CPython source code is not a trivial task. There are lots of details I do not cover. Anyway I hope you can learn more about Python after reading my article.

If you like my article, please give me some reactions as an encouragement. Thank you :)

Reference

CPython source code guide
Python object creation sequence

Use Cluster API to provision Kubernetes clusters in anywhere!

timtsoitt — Sat, 26 Mar 2022 15:13:36 +0000

TL;DR

Learn how to use Cluster API to provision multiple EKS clusters.

What is Cluster API?

Provisioning Kubernetes clusters is never an easy task. When there are 1000+ clusters, you definitely want to have a standardised approach to ease your life. If you have this concern, you come to the right place! Cluster API is what you need!

Some of you might know tools like kOps, Kubespray. You can imagine Cluster API as their alternative solution, but more powerful!

According to the official page, "Cluster API is a Kubernetes sub-project focused on providing declarative APIs and tooling to simplify provisioning, upgrading, and operating multiple Kubernetes clusters."

Here are some highlighted points of Cluster API:

Pure YAML-based. Kubernetes style. Super handy.
Support any mainstream infrastructure provider. Provision your Kubernetes clusters in cloud/on-premise environments in the same place.
Managed Kubernetes services support. AWS EKS, Azure AKS, GCP GKE all are supported.
Bring your own infrastructure. Reuse existing infrastructures. Focus on provisioning Kubernetes clusters.

It is awesome, right?

To demonstrate how to use Cluster API, I am going to show you how to use it to create AWS EKS clusters.

Concept

Before you continue, there are some concepts you need to understand first.

Infrastructure Provider
Cluster API project defines a set of APIs in the form of Custom Resource Definitions (CRDs). Each provider has to follow the API to specify how to provision infrastructure accordingly.

You can use clusterctl config repositories command to get a list of supported providers and their repository configuration.

For AWS, its implementation is Cluster API Provider AWS (CAPA).

Management Cluster
A Kubernetes cluster that manages the lifecycle of Workload Clusters. In this cluster, you use Cluster API to further provision Workload Clusters in any infrastructure provider.

Creating Management Cluster is a "the chicken or the egg first" problem. There are two methods available:

Find an existing Kubernetes cluster and transform it as Management Cluster.
"Bootstrap & Pivot" method. Bootstrap a Kubernetes cluster as a temporary Management Cluster, then use Cluster API inside the temporary Management Cluster to provision a target Management Cluster. Finally move all the Cluster API resources from the temporary Management Cluster to the target Management Cluster.

To show you the comprehensive usage of Cluster API, I am going to use the "Bootstrap & Pivot" method. In which you can learn how to migrate Management Cluster.

Workload Cluster
A Kubernetes cluster whose lifecycle is managed by a Management Cluster.

Prerequisite

Installation

Obviously, there are some tools you need to install first:

kubectl - Everyone should know it so well :)
Kind - A tool for running local Kubernetes clusters using Docker container "nodes".
clusterctl - CLI tool of Cluster API (CAPI)
clusterawsadm - CLI tool of Cluster API Provider AWS (CAPA)

brew install kubectl clusterctl kind

wget -O /usr/local/bin/clusterawsadm /usr/local/bin/ https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases/download/v1.3.0/clusterawsadm-darwin-amd64 
chmod +x /usr/local/bin/clusterawsadm

Setup your AWS credential

I won't talk much about it as there are multiple ways to setup your credential.

However there are two things need to be reminded:

Your credential must have administrative permissions. Creating EKS cluster involve IAM resources creation.
Use a permanent credential. Your credential will be stored inside the Management Cluster. And it will use the credential to monitor status of Workload Clusters.

Implementation

All the used codes can be found in my Github repository

Bootstrap a temporary Management Cluster

We will use Kind to create the temporary Management Cluster.

Run these commands to create the cluster.

kind create cluster --name kind
kubectl config use-context kind-kind

You can use alternative distributions, such as minikube, microk8s, k3s, k0s. It is up to your preference, the concept is pretty much the same.

Create AWS IAM resources

Create or update an AWS CloudFormation stack for bootstrapping Kubernetes Cluster API and Kubernetes AWS Identity and Access Management (IAM) permissions.

export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_REGION=

clusterawsadm bootstrap iam create-cloudformation-stack --region ${AWS_REGION}

(Optional) Create AWS network resources

EKS is based on several network infrastructure elements.

You can:

Let CAPA to provision network infrastructures for you. Good for people who want to experiment how to use Cluster API.
Bring your own network infrastructure. Basically you have to create a VPC, NAT gateways, Internet gateways, route tables and subnets.

No worry, I will cover both approaches in this tutorial.

Install CAPI and CAPA to your Management Cluster

Use cluster init to install core Cluster API resources, along with CAPA resources in your Kind cluster.

Since managed node group creation is an experimental feature, your need to enable it before installation.

export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_REGION=

# Allow CAPA to create EKS managed node groups
export EXP_MACHINE_POOL=true
export EKSEnableIAM=true

# Create the base64 encoded AWS credentials using clusterawsadm.
export AWS_B64ENCODED_CREDENTIALS=$(clusterawsadm bootstrap credentials encode-as-profile --region ${AWS_REGION})

clusterctl init --infrastructure aws

Now the Management Cluster will use the AWS_B64ENCODED_CREDENTIALS to provision EKS resources.

To enable experimental features in an existing Management Cluster, please visit here for the instructions.

Security Trick

Since the credential is already loaded into the CAPA controller, you can delete it by using clusterawsadm controller zero-credentials.

When your CAPA controller is restarted, or your Management Cluster is migrated to a new Kubernetes Cluster, you need to update it by using these commands.

export AWS_B64ENCODED_CREDENTIALS=$(clusterawsadm bootstrap credentials encode-as-profile)
clusterawsadm controller update-credentials
clusterawsadm controller rollout-controller

Create the target Management Cluster in AWS EKS

You need to remind of two things.

Choose an EKS supported Kubernetes version.
As of now, latest version that EKS supports is 1.21
Name your EKS cluster based on EKS naming rules.
You can use any of the following characters: the set of Unicode letters, digits, hyphens and underscores.

I have prepared two yaml files for two options respectively:

I want Cluster API to manage everything for me -> use managed-management-cluster.yaml
I want to bring my own infrastructure -> use byoi-management-cluster.yaml.

Be careful that you may need to modify some fields in the YAML file, such as AWS account ID, vpc id and subnet ids.

Run kubectl apply -f byoi-management-cluster.yaml to provision your Management Cluster.

Now we need to get the kubeconfig file to access our newly created Management Cluster.

Cluster API provides a native method to export the kubeconfig file. However there is a minor incompatible issue. We can use sed to solve it.

export CLUSTER_API_CLUSTER_NAME=byoi-mgnt-cl

kubectl --namespace=capi get secret ${CLUSTER_API_CLUSTER_NAME}-user-kubeconfig \
   -o jsonpath={.data.value} | base64 --decode \
   > ${CLUSTER_API_CLUSTER_NAME}.kubeconfig

sed -i '' -e 's/v1alpha1/v1beta1/' ${CLUSTER_API_CLUSTER_NAME}.kubeconfig

Pivot

If you create your Management Cluster in your desired target Kubernetes cluster. You can stop in here.

If you are using temporary Management Cluster, now it is the time to move our Cluster API resources from the bootstrap temporary cluster to the target EKS cluster.

Indeed, the Cluster API resources we are moving is the target Management Cluster itself.

# Remember to enable experimental features
export EXP_MACHINE_POOL=true
export EKSEnableIAM=true

# Before you move the resources, you need to install Cluster # API in the target Management Cluster first.
clusterctl init --infrastructure aws --kubeconfig ${CLUSTER_API_CLUSTER_NAME}.kubeconfig 

clusterctl move -n capi --to-kubeconfig=${CLUSTER_API_CLUSTER_NAME}.kubeconfig

Clusterctl move

If you create Cluster API managed clusters across multiple namespaces, you need to run the clusterctl move command for each namespace.

For example:

clusterctl move -n ${OTHER_NAMESPACE} --to-kubeconfig=${CLUSTER_API_CLUSTER_NAME}.kubeconfig

(Bonus) Create Workload Clusters

Remember of goal of using Cluster API is to provisioning, upgrading, and operating multiple Kubernetes clusters?

In my repo and you can see there is a file called byoi-workload-cluster.yaml. Now try to provision the EKS Workload Cluster from the EKS Management Cluster by running kubectl apply -f byoi-workload-cluster.yaml.

And notice that the EKS version of the Workload Cluster is v1.20. After you provision the Workload Cluster, you can modify the version to v1.21 and then apply the file again. Upgrading your EKS cluster is that simple!

Clean up resources

To delete the temporary Management Cluster, use kind delete cluster --name kind

To delete Cluster API provisioned cluster, use kubectl delete cluster {cluster name}

To delete EKS managed node groups, use kubectl delete machinepools.cluster.x-k8s.io {node group name}

Conclusion

Congratulation! You have moved the first step toward Cluster API. Feel free to do more cool stuffs, provision clusters in other providers.

If you like my article, please give me some reactions, or leave me message in below. Thank you.

Reading materials

CAPI - Concepts
CAPA - Enabling EKS managed Machine Pools
CAPI - Reference
CAPI free course

Firewalls cannot save you from DDoS attacks!

timtsoitt — Sat, 19 Mar 2022 18:45:59 +0000

You might argue that my headline is incorrect as WAFs can provide some level of DDoS protection. The reason I write this headline is that there are many people somehow treat firewall as panacea.

What is DDOS?

To start with, you have to understand there are two types of DDoS attack, they are volumetric DDoS attacks and non-volumetric DDoS attacks.

Non-volumetric DDoS attacks

If someone says firewall can help to protect you from DDoS attacks, they are actaully referring to non-volumetric DDoS attacks. Bascailly Attackers will try to send out a specifically crafted packets, causing your applications fail to respond to legitmative requests, or even crashing your applications.

One famous attack is called low & slow attack. When the server respond to the requests from the DDoS attack, attackers will manipulate the connection by send out response in a possible slowest rate, slightly under connection timeout to avoid connection reset. Since there is a connection limit, when these manupulated connection occupy all the available connections, legitmative request can neven establish connection to the server.

These kinds of non-volumetric DDoS attacks usually come with signitures, such as having the same source ip, same payload. Whenever Web Application Firewall (WAF) identify the signitures, it can block malicious requests from reaching your server.

Volumetric DDoS attacks

As the name implies, volumetric means the attacker is trying to send overwhelming traffic to your server. The objective of this attack is to exhaust your network bandwidth. There is no way to stop volumetric DDoS attacks. The golden rule is you have more available bandwidth than the bandwidth that attackers are capable to consume.

In reality, you won't have such amount of bandwidth available becuase you have to pay for it. While a big cooperation maybe owning 10Gb bandwidth, nowadays biggest DDoS attacks is talking about terabit level.

Think of a trillion of people (DDoS attacks) are surrounding your house (Server). Although they don’t have the key to enter your house (Firewall blocks the connections), your family members (Normal users) are also in trouble to enter your house because the road is super crowded now (Bandwidth exhausted). You can’t force these people to leave because the road is not owned by you. (Bandwidth is owned by ISP and you just pay for the right of using the bandwidth)

Where is the myth coming from?

To answer this question, I think of several possible reasons.

Firewall this word is too overloaded

There are many type of firewalls, it can be hardware firewalls, host firewalls (Windows Defender, iptables, ufw).

People sometimes interchange the word of WAF and firewall. However to laymans, most probably firewall means Windows Defender to them. It is common that the knowledge they preceived eventually becomes Windows Defender can mitigate DDoS attacks. It is a bit funny, the sad truth is that I have heard of similar statements multiple times in the past.

Use of inaccurate word

Use of Word should be accurate. However it does not always apply to real world conversation. To people who are familar with DDoS attacks, they often will use the word mitigate, i.e to mitigate DDoS attacks.

I have heard of many alternative words when people are talking about mitigating DDoS attacks, such as stop, prevent. These alternative words are really confusing (and also incorrect). It is not surprising that when people often say/hear stop DDoS attacks, they will really believe DDoS attacks can be stopped.

And now the statement becomes Windows Defender can stop DDoS attacks...

In practical there is no way to stop DDoS attacks, not to mention prevent DDoS attacks. Instead, DDOS protection focuses on minimizing the impact of DDoS attacks.

How to mitigate DDoS attacks?

Short version
Cloudflare.

Long version
There is a term called Script Kiddle. It refers to some amateur hackers using existing softwares to hack people for fun. There are lots of hacking tools off the shelf to initiate DDoS attacks. If you are suffering from volumetric ddos attacks, the truth is it might be just a young kid running hacking tools behind.

Initiating DDoS attacks is such easy and buying bandwidth is costly. Paying for companies (such as Cloudflare) who are specilaized in DDoS protection is a much more viable and cheaper choice. Moreover, these kind of DDoS protection ofter embedded with WAF capability. By subscribing to DDoS protection service, you have protection from both non-volumetric and volumetric DDoS attacks.

Conclusion

Please use these statements from now on.

WAFs can be used to mitigate non-volumetric DDoS attacks.

and

Contact DDoS protection service providers if you need to mitigate DDoS attacks.

Readings

Introduction of DDoS
Record high of DDOS

Choose Cosign over Notary

timtsoitt — Sat, 19 Mar 2022 15:20:32 +0000

Disclaimer

This article is not trying to compare the pros & cons between Cosign and Notary. Rather, it is a sharing that you should opt-in Cosign if you have some technical needs like I do.

I also attached some websites at the end of this article. I recommend you to read these websites before you move on.

Introduction

You might be heard of SolarWinds hack and you know what is Software Supply Chain Attack. And so-called software can include libraries, linux packages, plugins, etc.

As there are many softwares distributed every single second worldwide, it becomes a hot topic that how we can trust the software we downloaded is safe. One idea is that we want someone we trust to make a claim by signing their signiture to the software. And everytime we want to download/update the software, we will check whether the signiture exists.

For example:

Software authors can sign the software to claim that it is a authroized release.
Secuirty auditors can sign the software to claim that it has passed their secuirty audit.
Inhouse secuirty team can sign the software to claim that it is authroized to be used inside the company.

One of the major software type that we are so familar are container images. Cosign and Notary both are mainstream solutions for signing container images.

There are Notary/v1 and Notary/v2. Notary/v2 is not ready for general use so I won't talk much about it. In this article, when you see the term Notary, I am referring to Notary/v1.

Considerations

Able to sign any OCI artifacts

In the past, when we say we publish something to the registry, we always refer to container images. However it does not apply anymore. Nowadays many modern registries are OCI compatible, where we are free to store any OCI artifacts. And more amazingly, any arbitary file can be stored as an OCI artifact. Theotically, you can even store a video to OCI registries.

If you are working on K8S cluster, you should be familar with helm charts. And yes, you can store helm charts to OCI regitry. It is vital because we can reuse the CI/CD mindset that we apply to docker images, to helm charts. It works like a charm when we pair with GitOps.

So now you are so care about the safety of your software supply chain, and it is natural that you want all container images to be signed. What about helm charts? You probably want helm charts to be signed too. (I hope no one will think that unauthorized release of helm charts is trivial.)

Now I can tell you that you should just go for Cosign and leave Notary alone. Why? Notary only can be used to sign container images, not OCI artifacts.

In additional to helm charts, you can store SBOMs, image scanning results as OCI artifacts with your container images. The use cases of OCI are far more than you can imagine.

OK. You might tell me that you do not use helm charts at all. Then should you still consider Notary? Continue to read the following section.

Easy to use

So now you want to sign your container images. Definately you want to do it in a automation style (please agree on me). And I can tell you that Cosign is absolutely better than Notary with no doubt.

Cosign itself is a binary. You can install it using any package managers like homebrew and apt. It also means you can use it in any CI/CD solution like Github Actions, Azure Pipeline by adding a step to install it.

Using Cosign is super simple.

Use Cosign to generate a keypair in local environment.
Store the generated private key inside your CI/CD platform.
Use Cosign to sign your OCI artifacts.

cosign generate-key-pair
cosign sign --key cosign.key dlorenc/demo

On the contrary, Notary requires you to self-host a Notary service.

Here are some issues you should be aware of.

Learning Curve

Notary is based on the TUF framework. TUF is powerful. The alternative word of powerful is complicated. You have to understand how TUF works to make a proper use of Notary.

After you have spend (so much) time to understand TUF well, are you ready to educate your users what TUF is?

Setup complexity

A Notary service consists of Notary server, Notary signer, Notary client, MySQL database. And you also need to setup MTLS between Notary server and Notary signer. It might not be a big issue, but it is still an effort you should pay attention to.

Some people might argue that the setup is simple. However be mindful of Cosign, it just requires you to install a binary.

Operational burden

How are you going to handle if your Notary service is unavailable? Your pipelines might be broken when it can't verify signiture of the container images, and then all your downstream deployments screw up.

Some of you might be so experienced in designing a HA solution, and can taking a good care of the MySQL database in case of region outage. However I will prefer to use risk avoidance strategy by not using Notary.

Network connectivity

Notary service is critical. Unless you are releasing container images to the public, most probably you are hosting Notary as an internal-facing service to reduce attack surface.

If you are using public worker in your CI/CD solution, now you have to deploy some self-hosted workers such that it can reach your Notary service.

Cosign does not have this issue.

Secret management

You have to manage a set of secrets, such as TLS certificates and TUF keys.

For Cosign, you also need to manage the private key. It is obviously much simpler than Notary.

Now you can think about is the advantage of using Notary outweight the effort you spend on it?

To me, the answer is NO.

Conclusion

Although I opt in for Cosign, I do not think Notary is bad. As I have mentioned, TUF (Notary) is powerful. If your team have resources to well-study TUF and want to secure container image supply chain as much as possible, using Notary is a good choice to you. And I do encourage people to learn what TUF is even you do not use Notary.

In the future, I will write another article to explain how you can use Cosign to secure helm chart K8S deployment.

Fun

Status of Notary/v2

There are other issues come with Notary/v1. This is why Notary/v2 project is proposed. Notary/v2 has released its first alpha version, the implementation is called Notation. Personally, I think the user experience of using Notary/v2 is so similar to Cosign.

Try Notary/v1

DockerHub is hosting an offcical Notary server in https://notary.docker.io and you can verify all offical published images listed in here.

Verifying the offical alpine image
notary -s https://notary.docker.io -d ~/.docker/trust list docker.io/library/alpine

Readings

What is OCI?
What is SBOMs?
Publish helm charts to AWS ECR
What is TUF?
Notary/v2 v.s Notary/v1
Notary/v2 v.s. Cosign

DEV Community: timtsoitt

How to create local wildcard domains in MacOS using dnsmasq?

Introduction

Preparation

Install dnsmasq

Verify your homebrew prefix

Modify the dnsmasq.conf file

Create a DNS record

Setup DNS servers

(Re)start dnsmasq

brew services start dnsmasq

Conclusion

Argo CD and Sealed Secrets is a perfect match

TL;DR

Introduction

Where to store your secret?

Secret management platform approach

Git repository approach

How to ingest your secret?

Helm Secrets

Sealed Secrets

How to use Sealed Secrets with Argo CD?

Exercise

Conclusion

My approach to manage enterprise private CA with AWS

Story

Overview

Tutorial

Step 1

Step 2

Step 3

Step 4

Step 5

Step 6

Step 7

Step 8

Step 9

Step 10

Step 11

Step 12

Step 13

Conclusion

Crossplane is better than Terraform in K8S world

TL;DR

Story

Tutorial

Prerequisite

1. Define your variables

2. Install Crossplane using helm charts

3. Install AWS provider

4. Create IAM role for IRSA

6. Try it out

6. Cleanup

Discussion

Conclusion

One technique to save your AWS EKS IP addresses 10x

Story

Prerequsites

EKS features

Assign address prefixes to your ENI

CNI custom networking

Conclusion

Reading

Python 101 - annoying UnboundLocalError

Starting Point

Solution

Python 101 - what happens when you instantiate a class?

Introduction

Starting Point

The hidden base class

Introduction of metaclass

Deep dive into Python implementation source code

How CPython is related to our topic?

The CPython implementation of __new__ method

Summary

Reference

Use Cluster API to provision Kubernetes clusters in anywhere!

TL;DR

What is Cluster API?

Concept

The CPython implementation of new method