Brett Tofel bentito

  • Red Hat
  • Shelburne, VT

Demo: Preflight RBAC Check in Action (OpenShift Example)

To solidify these concepts, let’s walk through a real example on OpenShift. We will attempt to install the OpenShift Pipelines Operator as a cluster extension, but we’ll initially misconfigure its RBAC to trigger the preflight checks. Then we’ll fix the permissions.

Step 1: Create a Service Account with limited RBAC. In this example, we create a service account pipelines-installer in the pipelines project, and give it a deliberately minimal ClusterRole that is missing some permissions we know the operator will need:

apiVersion: v1
kind: ServiceAccount
metadata:
@bentito
bentito / tilt-podman-how-to.md
Last active May 7, 2024 14:54
Hack podman to work with tilt

The following is for an M1 MacBook Pro (not sure how much that matters).

Other specs (again, not sure how much they matter):

podman --version
podman version 5.0.1
tilt version
v0.33.12, built 2024-03-28

Start Kind with a local registry. Just use the regular Kind-with-registry script.

@bentito
bentito / copyright_change_log.txt
Created March 14, 2024 12:53
Carvel repo copyright update log
@bentito
bentito / print_operator_dockerfile.sh
Created December 6, 2023 20:20
print operator bundle Dockerfiles
#!/bin/bash
# Check if an image reference is provided
if [ -z "$1" ]; then
    echo "Usage: $0 <image-reference>"
    exit 1
fi
IMAGE_REF=$1
@bentito
bentito / scratch_1.go
Last active November 16, 2023 16:17
fips reporting go code
func GetDataFromFBC(report index.Data) (index.Data, error) {
    root := "./output/" + actions.GetVersionTagFromImage(report.Flags.IndexImage) + "/configs"
    fileSystem := os.DirFS(root)
    fbc, err := declcfg.LoadFS(fileSystem)
    if err != nil {
        return report, fmt.Errorf("unable to load the file based config : %s", err)
    }
    model, err := declcfg.ConvertToModel(*fbc)
    if err != nil {
@bentito
bentito / quay-from-rh-rh-4.14.md
Created November 13, 2023 17:37
Quay Operator package update graphs

Create this graph with: opm alpha render-graph registry.redhat.io/redhat/redhat-operator-index:v4.14 --package-name quay-operator

@bentito
bentito / index.json
Created October 20, 2023 11:49
pruned FBC index
{
"schema": "olm.package",
"name": "amq-streams",
"defaultChannel": "stable",
@bentito
bentito / java_kubernetes_operators_report.md
Last active September 26, 2023 14:28
Creating Java-Based Kubernetes Operators: A Comparative Report with Code Examples
@bentito
bentito / sa_key_rotation_notes.md
Created March 21, 2023 16:23
SA Key Rotation Notes
cd ~/workspace/sa-key-rotation
cd jwks
go run jwks.go ../../aws-pod-identity-webhook/sa-signer-pkcs8.pub ../../cloud-credential-operator/new/serviceaccount-signer.public
cat keys.json
S3_BUCKET_NAME=btofel-sts-test &&  aws s3 cp keys.json s3://${S3_BUCKET_NAME} --profile redhat-openshift-dev --acl public-read
PRIVKEY=`base64 -i ../cloud-credential-operator/new/serviceaccount-signer.private`
PUBKEY=`base64 -i ../cloud-credential-operator/new/serviceaccount-signer.public`
oc patch secret next-bound-service-account-signing-key -n openshift-kube-apiserver-operator --type=json -p '[{"op":"replace","path":"/data/service-account.key","value":"'"$PRIVKEY"'"},{"op":"replace","path":"/data/service-account.pub","value":"'"$PUBKEY"'"}]'
@bentito
bentito / steps-to-crc-dev.md
Last active March 20, 2023 16:51
Steps to be able to do local dev on OpenShift Local (CRC)

To speed up development with OpenShift Local (CRC), you can push dev images to the internal registry that ships with OpenShift and pull those same images from inside the cluster. To do that, follow these steps:

Images pushed to OpenShift Local's image registry must be tagged like:

REGISTRY=$(oc get route/default-route -n openshift-image-registry -o=jsonpath='{.spec.host}'); \
IMAGE_PUSH=$($REGISTRY/openshift/pod-identity-webhook:0.4) \

or simpler and actually working: