I hereby claim:
- I am developer-guy on github.
- I am developerguy (https://keybase.io/developerguy) on keybase.
- I have a public key ASBH5MyQO5bJeRxfCQiXt6BXvQ9pz6lIJ8i8XdLEStuZnQo
To claim this, I am signing this object:
Batuhan Apaydın developer-guy
🐾
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - uses: anchore/sbom-action/[email protected] # installs syft |
developer-guy
/ main.go
Created
February 28, 2022 10:36
A code sample for storing Kyverno policy on OCI registry
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "errors" | |
| "fmt" | |
| "github.com/google/go-containerregistry/pkg/authn" | |
| "github.com/google/go-containerregistry/pkg/name" | |
| "github.com/google/go-containerregistry/pkg/v1/empty" | |
| "github.com/google/go-containerregistry/pkg/v1/mutate" | |
| "github.com/google/go-containerregistry/pkg/v1/remote" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: your-webhook | |
| namespace: platform | |
| spec: | |
| volumes: | |
| - name: tls-volume | |
| secret: | |
| defaultMode: 420 |
developer-guy
/ vault-issuer.yaml
Created
January 4, 2022 18:57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: cert-manager.io/v1 | |
| kind: Issuer | |
| metadata: | |
| name: vault-issuer | |
| namespace: platform | |
| spec: | |
| vault: | |
| server: http://vault.default:8200 | |
| path: pki/sign/config-admission-webhook | |
| auth: |
developer-guy
/ config-sidecar-injector-service-cert.yaml
Created
January 4, 2022 18:57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: cert-manager.io/v1 | |
| kind: Certificate | |
| metadata: | |
| name: config-sidecar-injector-service | |
| namespace: platform | |
| spec: | |
| secretName: config-admission-webhook-tls | |
| issuerRef: | |
| name: vault-issuer | |
| dnsNames: |
developer-guy
/ deploy-vault-with-helm-dev-mode-enabled.sh
Created
January 4, 2022 18:45
Deploy Vault with Helm dev mode enabled
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ helm repo add hashicorp https://helm.releases.hashicorp.com | |
| $ helm repo update | |
| $ helm upgrade --install vault hashicorp/vault \ | |
| --set "injector.enabled=false" \ | |
| --set "server.dev.enabled=true" |
developer-guy
/ configure-k8s-auth-method-notes.sh
Created
January 4, 2022 18:21
Configure Kubernetes Authentication Method
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Vault provides a Kubernetes authentication method that enables clients to authenticate with a Kubernetes Service Account Token. | |
| # Enable the Kubernetes authentication method. | |
| $ vault auth enable kubernetes | |
| Success! Enabled kubernetes auth method at: kubernetes/ | |
| # Configure the Kubernetes authentication method to use location of the Kubernetes API, the service account token, its certificate, and the name of Kubernetes' service account issuer (required with Kubernetes 1.21+). | |
| $ vault write auth/kubernetes/config \ | |
| kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \ | |
| token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ | |
| kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Enable the PKI secrets engine at its default path. | |
| $ vault secrets enable pki | |
| Success! Enabled the pki secrets engine at: pki/ | |
| # By default the KPI secrets engine sets the time-to-live (TTL) to 30 days. A certificate can have its lease extended to ensure certificate rotation on a yearly basis (8760h). | |
| # Configure the max lease time-to-live (TTL) to 8760h. | |
| $ vault secrets tune -max-lease-ttl=8760h pki | |
| Success! Tuned the secrets engine at: pki/ | |
| # Vault can accept an existing key pair, or it can generate its own self-signed root. In general, we recommend maintaining your root CA outside of Vault and providing Vault a signed intermediate CA. |
developer-guy
/ demo.md
Last active
January 3, 2022 18:29
Experimental Keyless Cosign verify-blob command to verify signature that is exported by the skopeo tool to the directory
Experimental Keyless Cosign verify-blob command to verify the signature that is exported by the skopeo tool to the directory
Let's assume that we have an image called devopps/busybox:glibc, we gain this image by copying the real busybox:glibc image from DockerHub by issuing the following command:
$ crane copy busybox:glibc devopps/busybox:glibccrane is a tool for interacting with remote images and registries. https://github.com/google/go-containerregistry/tree/main/cmd/crane