Generate keypairs
gpg --full-generate-key
# use any email; I used [email protected], passphrase=123456
$ gpg --output public.pgp --armor --export [email protected]
$ gpg --output private.pgp --armor --export-secret-key [email protected]
Snippet that uses openssl to verify a cosign signature
Demonstrates the manifest and image hash calculation using cosign
ref
Sample of GCP Binary Authorization audit log and GPG verification.
Also see Generate and verify cosign signatures using openssl
export IMAGE="us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76"
export PUBLIC_KEY_ID="5D8EA7261718FE5728BA937C97341836616BF511"
Simple demo to set up a cloud load balancer for mTLS
The backend is a Python server listening on :8080 which just echoes back the inbound headers from the L7 LB.
You can use the certificates included here or create new ones.
To use this demo, just make a local copy of all the files at the end of this repo and run through the script
- server_tls_policy_chain.tmpl
- trust_config_chain.yaml
package main
/*
Using impersonation and quota projects for google apis
---
export GCLOUD_USER=`gcloud config get-value core/account`
https://cloud.google.com/service-directory/docs
export PROJECT_ID=`gcloud config get-value core/project`
gcloud service-directory namespaces create ns1 --location us-central1
gcloud service-directory services create svc1 \
Just a generic example of creating a private key and saving it to Secret Manager.
The alternative is to create a CSR and get GCP Private CA to sign it.
export PROJECT_ID=`gcloud config get-value core/project`
export PROJECT_NUMBER=`gcloud projects describe $PROJECT_ID --format='value(projectNumber)'`
export GCLOUD_USER=`gcloud config get-value core/account`
# create private key and csr
The following setup uses a fake OIDC server for GCP workload federation...
The OIDC server used here is from this example, which means it will issue any id_token if asked... Since the id_token is used to authenticate, if you configure the following as-is, pretty much anyone who guesses your project id and the fact that you've set this up can authenticate to your GCP resources.
package main
import (
"fmt"
_ "cloud.google.com/go/compute/metadata"
_ "cloud.google.com/go/kms/apiv1"
_ "google.golang.org/genproto/googleapis/api/monitoredres"