Kubernetes service for gRPC xDS load balancing that allows even distribution of k8s gRPC service-to-service API calls.

gRPC load balancing can take many different schemes, as described here: Load Balancing in gRPC. The particular scheme described here is pretty unique and experimental: xDS server for gRPC.

Note, normally Kubernetes services are exposed as a single destination endpoint that clients connect to. Kubernetes will basically proxy a connection from one client to one destination pod to handle any given request. This isn't usually a problem for HTTP/REST clients since it's a simple request/response model. For gRPC, however, one gRPC connection that terminates at…


For some reason, on a day I took off from work, I needed to use openssl to run a plain key derivation function before I had to mow the lawn.

At first I found the man page here about that, but it turns out it's only available in OpenSSL 3+.

So, here's a Dockerfile with OpenSSL 3.0. You can access it here:

docker.io/salrashid123/openssl:3

Usage

While you're here, also see OpenSSL docker with TLS trace enabled.

Now to go take care of the weeds…



A simple client-server for TPM RemoteAttestation

TPM remote attestation allows a remote server to "trust" that a specific TPM has signed some data or asserted system state. It's a cryptographically secure way to transfer secrets and do many more things.

The first step to establish trust is to set up a way a remote system can "prove" that a specific TPM is resident on a client. Once that's established through a specific flow, a remote server can repeatedly "verify" the client's system state through various mechanisms like Quote/Verify over PCR values.

This article and the accompanying git repo here include a client and server that do many things.

It is basically an implementation…


A simple Terraform provider that does HTTP POST and mTLS.

HashiCorp published a convenient HTTP data source which I use from time to time, but realized it's just for GET requests.

Yesterday was a bit slow, so I decided to modify the HTTP provider and add a couple of extra features: HTTP POST with a JSON payload and mTLS support.

With these modifications, you can use the HTTP provider to get arbitrary data from an external source. These may be authentication tokens for use later in the module or simply some arbitrary data from some other service.

Anyway, the registry and repo are…


Samples in Go that enable the following, where the private key or HMAC secret is embedded in a TPM (Trusted Platform Module):

HMAC SignedURLs:

  • Import a GCS HMAC secret and use it to generate a SignedURL

RSA SignedURL:

  • Generate an RSA Private Key on a TPM
  • Use RSA Private Key on TPM to create either:
      a) Certificate Signing Request (CSR) for signing by another CA
      b) Self-signed x509 Certificate
  • Associate Certificate with a ServiceAccount
  • Generate SignedURL using TPM
  • Access GCS Object

OAuth2 AccessToken:

  • Generate Certificate on TPM (step 2)
  • Generate GCP oauth2 token using TPM based service account
  • Access GCS…

Sample procedure to encrypt an AWS Secret Access Key using GCP Tink, and a way to embed the key into an HSM device supporting PKCS #11.

An AWS secret key and key ID can be thought of as a username/password and should be carefully managed, rotated and secured as described in Best practices for managing AWS access keys. However, if you need to invoke AWS from remote systems which do not provide ambient federation (e.g. on GCP using OIDC tokens), then you must either use an AWS credentials file or set them dynamically as environment variables.

This repo provides two ways…


Shell alias script that will print the active in-use account for GCP application default credentials (ADC).

For example, if you run either

  • gcloud config list
  • gcloud auth list

this script will print the gcloud CLI credentials as well as the application default credentials that are in use. This script will also transparently pass and apply parameters to the actual gcloud CLI (meaning the alias acts as if it is gcloud).

This script is not supported by Google.

As background, users can configure gcloud to use two different credential sets: one for the gcloud CLI and one for any Google Cloud…


…or how to get way more info from a TLS connection than you ever wanted to know… now with FIPS (sort of)

This article basically talks about a simple Docker container with OpenSSL 1.1.1i which has TLS trace flags enabled.

What that allows you to see is the very low-level TLS traffic between a client and server for TLS, mTLS and OCSP.

I recently needed to find out if the TLS server I was connecting to would unilaterally support client-side certificate stapling (which is in itself incredibly rare)… but in the course of doing that, I created the following repo, and here is the corresponding article:

The Docker Hub image for the bit above is docker.io/salrashid123/openssl s_server

Anyway, before you…


I spent the last day trying to set up and test Secure Boot locally on a VM with Debian 10.

The real goal I had in mind is to use my own keypairs to ensure and bootstrap my own signed OS… As a first step, I'll just set up Debian 10 with Secure Boot locally.

Consider this post as just a log and setup for your own testing.

For reference: SecureBoot VirtualMachine

To use this, first download Debian 10 and have KVM/QEMU installed locally somewhere.

Testing Secure Boot with qemu and debian 10.8.0

This repo is a scratchpad for setting up and testing a SecureBoot VirtualMachine with QEMU. Its…


JSON logging on GKE with various Go logging libraries.

This is just a simple HTTP application which emits JSON strings to stdout/stderr from Go using

For each log type, there is an endpoint to invoke it, where the handler will emit a JSON string:

{
  "str": "foo",
  "num": 100,
  "bool": false,
  "null": null,
  "array": [
    "foo",
    "bar",
    "baz"
  ],
  "obj": {
    "a": 1,
    "b": 2
  }
}

References

Setup

gcloud container clusters create cluster-1 --machine-type "n1-standard-2" \
  --zone us-central1-a \
  --num-nodes 2 --enable-ip-alias \
  --cluster-version "1.19"
$…

salmaan rashid
