#office-hours (2024-08)
“Office Hours” are every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers! https://cloudposse.com/office-hours
Public “Office Hours” are held every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers!
https://cpco.io/slack-office-hours
Meeting password: sweetops
2024-08-01
@managedkaos saved the day!! Thanks so much Michael for sharing your recording. In all the years of office hours, this was the first one that we missed.
Oh noooooooo!
2024-08-05
Interesting technique for spreading malicious PyPi packages by posting answers to StackExchange: https://www.bleepingcomputer.com/news/security/stackexchange-abused-to-spread-malicious-pypi-packages-as-answers/
Threat actors uploaded malicious Python packages to the PyPI repository and promoted them through the StackExchange online question and answer platform.
2024-08-06
Anyone here using github container registry as an OCI repository with helm charts?
I’m interested to know more about this. (Dropped a msg for watch later)
same. not using but interested.
No but aws oci using
Since this sparked my interest, I’ve done a quick POC around it. You can use `ghcr` as an OCI registry for hosting your helm charts.
- You need to generate a PAT token with the following scopes (read:org, repo, write:packages)
- Login to ghcr via helm:
  `CR_PAT=YOUR_TOKEN ; echo $CR_PAT | helm registry login ghcr.io/GITHUB_USERNAME -u GITHUB_USERNAME --password-stdin`
- I’ve used a tool `helmper` to download helm charts/images to the `ghcr` repo. It is compatible with other OCI registries too.
- Generate helmper config and run `helmper --f config.yaml`

```yaml
k8s_version: 1.27.9
import:
  enabled: true
charts:
  - name: prometheus
    version: 25.8.0
    valuesFilePath: /workspace/in/values/prometheus/values.yaml # (Optional)
    repo:
      name: prometheus-community
      url: https://prometheus-community.github.io/helm-charts/
registries:
  - name: ghcr
    url: ghcr.io/GITHUB_USERNAME
```
Helmper output:
```
❯ helmper --f config.yml
(helmper ASCII banner)
version 0.1.13 (commit fb537925fa03ff2bdbef970e94ccd48eba91c86a, built at 2024-07-26T13:20:18Z)
{"time":"2024-08-08T14:16:02.546160477+05:30","level":"INFO","msg":"Updated all Helm repositories ✅"}
+---+----------+------------+---------+----------------+--------+---------+--------------------------+---------+----------------------------------+---------+
| # | TYPE     | CHART      | VERSION | LATEST VERSION | LATEST | VALUES  | SUBCHART                 | VERSION | CONDITION                        | ENABLED |
+---+----------+------------+---------+----------------+--------+---------+--------------------------+---------+----------------------------------+---------+
| 0 | Chart    | prometheus | 25.8.0  | 25.25.0        | ❌     | default |                          |         |                                  |         |
| 1 | Subchart |            |         |                |        | parent  | alertmanager             | 1.7.*   | alertmanager.enabled             | ✅      |
| 2 | Subchart |            |         |                |        | parent  | kube-state-metrics       | 5.15.*  | kube-state-metrics.enabled       | ✅      |
| 3 | Subchart |            |         |                |        | parent  | prometheus-node-exporter | 4.24.*  | prometheus-node-exporter.enabled | ✅      |
| 4 | Subchart |            |         |                |        | parent  | prometheus-pushgateway   | 2.4.*   | prometheus-pushgateway.enabled   | ✅      |
+---+----------+------------+---------+----------------+--------+---------+--------------------------+---------+----------------------------------+---------+
100% [===============] (5/5) Parsing charts…
+---+--------------------------+---------------+---------------------------------------------+----------------------------------------------------------------+
| # | HELM CHART               | CHART VERSION | HELM VALUE PATH                             | IMAGE                                                          |
+---+--------------------------+---------------+---------------------------------------------+----------------------------------------------------------------+
| 0 | prometheus               | 25.8.0        | server.image.repository                     | quay.io/prometheus/prometheus:v2.48.0                          |
|   |                          |               | server.image.tag                            |                                                                |
|   |                          |               | server.image.digest                         |                                                                |
| 1 | prometheus               | 25.8.0        | configmapReload.prometheus.image.digest     | quay.io/prometheus-operator/prometheus-config-reloader:v0.67.0 |
|   |                          |               | configmapReload.prometheus.image.repository |                                                                |
|   |                          |               | configmapReload.prometheus.image.tag        |                                                                |
| 2 | alertmanager             | 1.7.*         | image.repository                            | quay.io/prometheus/alertmanager:v0.26.0                        |
|   |                          |               | image.tag                                   |                                                                |
| 3 | kube-state-metrics       | 5.15.*        | image.registry                              | registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.10.1  |
|   |                          |               | image.repository                            |                                                                |
|   |                          |               | image.sha                                   |                                                                |
|   |                          |               | image.tag                                   |                                                                |
| 4 | prometheus-node-exporter | 4.24.*        | image.repository                            | quay.io/prometheus/node-exporter:v1.7.0                        |
|   |                          |               | image.tag                                   |                                                                |
|   |                          |               | image.digest                                |                                                                |
|   |                          |               | image.registry                              |                                                                |
| 5 | prometheus-pushgateway   | 2.4.*         | image.repository                            | quay.io/prometheus/pushgateway:v1.6.2                          |
|   |                          |               | image.tag                                   |                                                                |
+---+--------------------------+---------------+---------------------------------------------+----------------------------------------------------------------+
+---+--------------------------+---------------+----------------------------------------------------------------+------+--------+
| # | HELM CHART               | CHART VERSION | IMAGE                                                          | GHCR | IMPORT |
+---+--------------------------+---------------+----------------------------------------------------------------+------+--------+
| 0 | prometheus               | 25.8.0        | quay.io/prometheus/prometheus:v2.48.0                          | ❌   | ✅     |
| 1 | prometheus               | 25.8.0        | quay.io/prometheus-operator/prometheus-config-reloader:v0.67.0 | ❌   | ✅     |
| 2 | alertmanager             | 1.7.*         | quay.io/prometheus/alertmanager:v0.26.0                        | ❌   | ✅     |
| 3 | kube-state-metrics       | 5.15.*        | registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.10.1  | ❌   | ✅     |
| 4 | prometheus-node-exporter | 4.24.*        | quay.io/prometheus/node-exporter:v1.7.0                        | ❌   | ✅     |
| 5 | prometheus-pushgateway   | 2.4.*         | quay.io/prometheus/pushgateway:v1.6.2                          | ❌   | ✅     |
+---+--------------------------+---------------+----------------------------------------------------------------+------+--------+
|   |                          |               |                                                                |      | 6      |
+---+--------------------------+---------------+----------------------------------------------------------------+------+--------+
100% [===============] (5/5) Pushing charts…
100% [===============] (6/6) Pushing images…
```
You can navigate to https://github.com/GITHUB_USERNAME?tab=packages to check your recently pushed charts/images. Alternatively, you can pull the chart locally with helm or the image with docker:
```
helm pull oci://ghcr.io/GITHUB_USERNAME/charts/prometheus --version 25.8.0
docker pull ghcr.io/akhan4u/prometheus/prometheus:v2.48.0
```
To make your package available for others to consume, change the Package Visibility to public on GitHub.
For using it on a k8s cluster:
```
helm upgrade --install ghcr-prom oci://ghcr.io/GITHUB_USERNAME/charts/prometheus --version 25.8.0
```
Outstanding example!
Will take a look at all of this over the weekend. Thanks for sharing @akhan4u!
This is pretty cool. I don’t know if I’ll use it for packaging my helm charts/publishing them, but I think I’ll use it for its other features such as being able to replicate images into a registry of my choice.
2024-08-07
Apple is indeed adding a new system prompt reminding users when an app has permission to access their computer’s screen and audio. This prompt is designed to appear on a weekly basis. The first time you attempt to use the app each week, you’ll see this prompt and have to decide whether to “Continue To Allow” or change the permission settings. The prompt will also appear each time (for each app) when you use that app for the first time after rebooting your Mac. https://9to5mac.com/2024/08/06/macos-sequoia-screen-recording-privacy-prompt/
With macOS Sequoia this fall, using apps that need access to screen recording permissions will become a little bit more…
@here office hours is starting in 30 minutes! Remember to post your questions here.
Links from today’s office hours:
https://www.bbc.com/news/articles/c0k44x6mge3o.amp
https://aws-icons.com/
https://www.linkedin.com/posts/choff_if-you-unfurl-this-thread-and-look-at-the-ugcPost-7226271880163250176-Kgyj?utm_source=share&utm_medium=member_desktop
https://github.com/ynqa/logu
https://www.linkedin.com/posts/natanyellin_new-k8s-feature-coming-soon-the-ability-activity-7224756850796187648-LU5v?utm_source=share&utm_medium=member_desktop
https://news.ycombinator.com/item?id=41127446
https://thenewstack.io/could-ebpf-save-us-from-crowdstrike-style-disasters/
https://helm.sh/docs/topics/registries/#helm-chart-manifest
https://helm.sh/docs/topics/registries/#migrating-from-chart-repos
https://github.com/cloudposse/atmos/blob/main/.github/workflows/test.yml#L119
https://cloud-provider-aws.sigs.k8s.io/service_controller/
https://www.balena.io/
https://github.com/balena-io
2024-08-08
In office hours we talked about the security risks of security checkers (cough, Crowdstrike and its super duper unchecked kernel magic). Discussed eBPF for the Linux kernel and whether that was the same, or a risk-reducer because of its limited reach and implicit validation (the consensus). But what does Hacker News bring but news of fixing eBPF kernel vulnerabilities.
This blog post takes a look at the years where eBPF was one of the kernel subsystems that grabbed the attention of a lot of security researchers. We will tell the story of how we discovered CVE-2023-2163, what our root-cause analysis process looked like, and what we did to ultimately fix the issue.
@Andrew Madsen I think you asked the question
2024-08-12
Step by step guide to learn Terraform in 2024. We also have resources and short descriptions attached to the roadmap items so you can get everything you want to learn in one place.
Wish something like this was around when I started
2024-08-14
@here office hours is starting in 30 minutes! Remember to post your questions here.
Microsoft’s August Patch Tuesday saw the tech giant address nine zero-day vulnerabilities
Links from today’s office hours:
https://www.ft.com/content/3faa79a5-f1a6-4d44-ba92-9b138bae0561
https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
https://github.com/actions/attest?tab=readme-ov-file
https://techcrunch.com/2024/08/12/best-hacks-security-research-black-hat-def-con-2024/
https://news.ycombinator.com/item?id=41224286
https://postgres.new/db/1jaxsvndvfam3jr2
https://www.icann.org/en/board-activities-and-meetings/materials/approved-resolutions-special-meeting-of-the-icann-board-29-07-2024-en#section2.a
https://www.infoq.com/news/2024/08/slack-kubernetes-operator-bedroc/?utm_source=email&utm_medium=devops&utm_campaign=newsletter&utm_content=08132024
https://www.bejarano.io/terraform-plan-light/
https://github.com/opentofu/opentofu/issues/1703
http://docs.cloudposse.com/
https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains#Special-Use_Domains
https://www.reddit.com/r/homelab/comments/1eryjrv/psa_zero_click_rce_vulnerability_on_ms_windows/#:~:text=Go%20to%20homelab-,PSA%3A%20Zero%20click%20RCE%20vulnerability%20on%20MS%20Windows%2C%20CVE%20Score,if%20you%20are%20using%20IPv6&text=Microsoft%20has%20released%20a%20patch,consumer%20and%20server)%20are%20affected.
https://github.com/marketplace/actions/gitops-automatic-versioning
https://docs.gitea.com/usage/actions/overview
https://earthly.dev/
https://imgflip.com/i/7oqe8u
2024-08-17
New research uncovers a potential attack vector on GitHub repositories, with leaked tokens leading to potential compromise of services.
Oops, missed this
2024-08-21
@here office hours is starting in 30 minutes! Remember to post your questions here.
Links from today’s office hours:
https://www.synacktiv.com/en/publications/github-actions-exploitation-dependabot?utm_source=tldrinfosec
https://github.com/container-registry/helm-charts-oci-proxy
https://www.zdnet.com/article/switzerland-now-requires-all-government-software-to-be-open-source/
https://github.com/orgs/community/discussions/18055#discussioncomment-10362166
https://aws.amazon.com/blogs/containers/announcing-karpenter-1-0/
https://aws.amazon.com/about-aws/whats-new/2024/08/amazon-s3-http-403-access-denied-error-messages/
https://ionanalytics.com/insights/mergermarket/hashicorp-ibms-regulatory-scrutiny-could-focus-on-cloud-infrastructure-management-solutions-attorneys/
https://www.thoughtworks.com/radar/tools/summary/opentofu
https://docs.aws.amazon.com/eks/latest/userguide/workloads-add-ons-available-eks.html
https://hamzabouissi.github.io/posts/transform-aws-1/
https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html
https://joachim8675309.medium.com/devops-concepts-pets-vs-cattle-2380b5aab313
https://x.com/DevopsDiscu/status/1826062764894273551
https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github
2024-08-23
https://github.com/mycarrysun/terraform-aws-policy-actions Pretty neat idea, should be nice when the VSCode Gods decide that it’s your lucky day and TF autocomplete works.
Terraform module with an object of AWS policy actions allowed in policy documents.
2024-08-28
@here office hours is starting in 30 minutes! Remember to post your questions here.
Links from today’s office hours:
https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
https://devopsweeklyarchive.com/700/
https://docs.aws.amazon.com/AmazonS3/latest/userguide/ErrorCodeBilling.html
https://aws.amazon.com/about-aws/whats-new/2024/08/amazon-ec2-status-checks-reachability-health-ebs-volume/
https://github.com/ned1313/terrahash
https://www.bleepingcomputer.com/news/security/stackexchange-abused-to-spread-malicious-pypi-packages-as-answers/
https://9to5mac.com/2024/08/06/macos-sequoia-screen-recording-privacy-prompt/
https://joachim8675309.medium.com/devops-concepts-bake-vs-fry-6fedb8d60056
https://developer.hashicorp.com/terraform/cli/commands/providers/lock#specifying-target-platforms
https://www.systeminit.com/blog-open-source/
https://atmos.tools/core-concepts/components/terraform/providers/#provider-configuration-in-terraform
https://github.com/mycarrysun/terraform-aws-policy-actions
Create and store a hash of the Terraform modules used by your configuration
New research uncovers a potential attack vector on GitHub repositories, with leaked tokens leading to potential compromise of services.
Devops Weekly is going to take a break.
Learn how to get more information about the AWS billing for Amazon S3 error responses.
Discover more about what’s new at AWS with Amazon EC2 status checks now support reachability health of attached EBS volumes