Kubernetes service for gRPC xDS load balancing that allows even distribution of k8s gRPC service-to-service API calls.
Note: normally Kubernetes services are exposed as a single destination endpoint that clients connect to. Kubernetes will basically proxy a connection from one client to one destination pod to handle any given request. This isn't usually a problem for HTTP/REST clients since it's a simple request/response model. For gRPC, however, one gRPC connection that terminates at…
For some reason, on a day I took off from work, I needed to use openssl to run a plain key derivation function before I had to mow the lawn.
At first I found the man page here about that, but it turns out it's only available in OpenSSL 3+.
So, here's a Dockerfile with OpenSSL 3.0; you can access it here:
While you're here, also see OpenSSL docker with TLS trace enabled.
Now to go take care of the weeds…
TPM remote attestation allows a remote server to "trust" that a specific TPM has signed some data or to assert system state. It's a cryptographically secure way to transfer secrets and do many more things.
The first step to establish trust is to set up a way a remote system can "prove" that a specific TPM is resident on a client. Once that's established through a specific flow, a remote server can repeatedly "verify" the client's system state through various mechanisms like Quote/Verify through PCR values.
This article and the accompanying git repo here include a client/server to do many things.
It's basically an implementation…
A simple terraform provider that does HTTP POST and mTLS.
HashiCorp published a convenient HTTP datasource which I use from time to time, but I realized it's just for GET requests.
Yesterday was a bit slow, so I decided to modify the HTTP provider and add a couple of extra features: HTTP POST with a JSON payload and mTLS support.
With these modifications, you can use the HTTP provider to get arbitrary data from an external source. These may be authentication tokens for use later in the module or simply some arbitrary data from some other service.
Anyway, the registry and repo are…
Samples in Go that enable the following, where the private key or HMAC secret is embedded in a TPM (Trusted Platform Module).
AWS secret key and ID can be thought of as a username/password and should be carefully managed, rotated and secured as described in Best practices for managing AWS access keys. However, if you need to invoke AWS from remote systems which do not provide ambient federation (e.g. on GCP using OIDC tokens), then you must either utilize an AWS credentials file or set them dynamically as environment variables.
This repo provides two ways…
Shell alias script that will print the active in-use account for GCP application default credentials (ADC).
For example, if you run either
gcloud config list
gcloud auth list
this script will print the gcloud CLI credentials as well as the application default credentials that are in use. This script will also transparently pass and apply parameters to the actual gcloud CLI (meaning the alias acts as if it's gcloud).
This script is not supported by Google.
As background, users can configure gcloud to use two different credential sets: one for the gcloud cli and one for any google cloud…
This article basically talks about a simple Docker container with OpenSSL 1.1.1i which has TLS trace flags enabled.
What that allows you to see is the very low-level TLS traffic between a client and server for TLS, mTLS and OCSP traffic.
I recently needed to find out if the TLS server I was connecting to would unilaterally support client-side certificate stapling (which is in and of itself incredibly rare)…but in the course of doing that bit, I created the following repo, and here is the corresponding article:
The Docker Hub image for the bit above is docker.io/salrashid123/openssl s_server
Anyway, before you…
I spent the last day trying to set up and test Secure Boot locally on a VM with Debian 10.
The real goal I had in mind is to use my own keypairs to ensure and bootstrap my own signed OS… As a first step, I'll just set up Debian 10 with Secure Boot locally.
Consider this post as just a log and setup for your own testing.
For ref: SecureBoot VirtualMachine
To use this, first download Debian 10 and have KVM/QEMU installed locally somewhere.
This repo is a scratchpad for setting up and testing SecureBoot VirtualMachine with QEMU. It's…
JSON logging on GKE with various golang logging libraries.
This is just a simple HTTP application which emits JSON strings to stdout/stderr from Go using
For each log type, there is an endpoint to invoke them where the various handler will emit a JSON string:
gcloud container clusters create cluster-1 --machine-type "n1-standard-2" \
--zone us-central1-a \
--num-nodes 2 --enable-ip-alias \