keithball.net

Some blatherings by Keith Ball

View my projects on GitHub

Blog Posts

  • 28 Oct 2016 » Top tip

    Top tip!

    • Sometimes it is ok to throw money at a problem. Especially when travelling.
  • 19 Oct 2016 » How to add a private docker registry to k8s

    If you are getting problems with ImagePullBackOff and the detailed error:

    Failed to pull image "{MYREPO/myservice}": Error response from daemon: {"message":"Get https://{SERVER}:{PORT}/v1/_ping: x509: certificate signed by unknown authority"}

    There are a couple of things you can do. The easy way:

    vi /etc/docker/daemon.json
    {
      "insecure-registries": ["{SERVER}:{PORT}"]
    }
    systemctl restart docker

    Or add the certificate to the trusted list. This example is for Ubuntu.

    Add the secret

    kubectl create secret docker-registry dockerkey --docker-username={USER} --docker-password={PASSWORD} --docker-email={EMAIL} --docker-server={SERVER}:{PORT}

    On the hosts get the self signed cert (if needed):

    ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect {SERVER}:{PORT}) -scq > cert.crt

    Add the cert to the list.

    cp cert.crt /usr/local/share/ca-certificates/

    Update the ca-certificates.

    sudo update-ca-certificates

    Check the cert is trusted:

    curl https://{SERVER}:{PORT}
  • 12 Oct 2016 » Top tip

    I have decided to keep a collection of tips. I will compile them and then give these tips to my children before I die…

    Top tip!

    • Spend money on good toilet paper
  • 09 Oct 2016 » How to query a remote docker registry

    If you are having problems with Kubernetes reporting ErrImageNotFound when pulling an image, you can eliminate the obvious by checking the registry in the following way.

    Do a docker login:

    docker login -u {USERNAME} -p {PASSWORD} {REGISTRY}

    Get your docker authentication token. Take the value for your registry URL:

    cat ~/.docker/config.json

    Do some curl operations.

    List catalog:

    curl -X GET -H "Authorization: Basic {YOURTOKEN}" "https://{REGISTRY}/v2/_catalog"

    List tags on an image:

    curl -X GET -H "Authorization: Basic {YOURTOKEN}" "https://{REGISTRY}/v2/{IMAGENAME}/tags/list"
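    An added example, not from the post: reading the auths entry from a constructed config.json the way the step above does, building the Authorization header the curl commands use, and decoding it to show that the "token" is only the base64 of user:password. The registry name and credentials are made up.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type dockerConfig struct {
	Auths map[string]struct {
		Auth string `json:"auth"`
	} `json:"auths"`
	CredsStore string `json:"credsStore"`
}

// sampleConfig is constructed for this example; auth is base64("alice:s3cret"), as docker login writes it.
const sampleConfig = `{"auths":{"https://registry.example.test:5000":{"auth":"YWxpY2U6czNjcmV0"}}}`

// basicHeader finds the registry entry (docker login may key it with or without a
// scheme) and returns the Authorization value the curl commands above expect.
func basicHeader(cfg []byte, registry string) (string, error) {
	var c dockerConfig
	if err := json.Unmarshal(cfg, &c); err != nil {
		return "", err
	}
	for _, key := range []string{registry, "https://" + registry, "http://" + registry} {
		if e, ok := c.Auths[key]; ok {
			if e.Auth == "" { // credsStore in use: the secret is in the helper, not this file
				return "", fmt.Errorf("%s: no inline auth (credsStore=%q)", registry, c.CredsStore)
			}
			return "Basic " + e.Auth, nil
		}
	}
	return "", fmt.Errorf("no login recorded for %s", registry)
}

// decodeBasic shows the "token" is only base64(user:password): anyone who can read
// config.json, or a shell history holding this header, has the registry password.
func decodeBasic(header string) (string, string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 {
		return "", "", fmt.Errorf("malformed basic credential")
	}
	return parts[0], parts[1], nil
}
```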
  • 14 Apr 2016 » Base

    “If human nature were not base, but thoroughly honourable, we should in every debate have no other aim than the discovery of truth” - Arthur Schopenhauer

  • 01 Mar 2016 » Go Gotcha

    Go is lexically scoped…

    What is wrong with the following code?

    // Item
    var item *Item

    itemID := u.Query().Get("itemID")

    if itemID != "" {
        item, err := repository.GetItem(itemID)
    }

    log.Printf("The item %v", item)

    The code shows how item is being redeclared in the scope of the if: the := creates a new item (and err) that exists only inside the block, so the outer item is still nil when it is logged.

    Further reading here: Declarations and scope
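    The bug and its fix side by side, as an added example that is not from the post; getItem is a hypothetical stand-in for repository.GetItem and the URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

type Item struct{ ID string }

// getItem is a hypothetical stand-in for repository.GetItem, constructed for this example.
func getItem(id string) (*Item, error) {
	if id == "missing" {
		return nil, errors.New("item not found")
	}
	return &Item{ID: id}, nil
}

// lookupShadowed reproduces the bug from the post: := inside the if declares a new item and err scoped to that block.
func lookupShadowed(rawURL string) *Item {
	var item *Item
	u, _ := url.Parse(rawURL)
	itemID := u.Query().Get("itemID")
	if itemID != "" {
		item, err := getItem(itemID) // shadows the outer item; the error is dropped too
		_, _ = item, err             // only to satisfy "declared and not used"
	}
	return item // still nil, whatever the repository returned
}

// lookupFixed declares err once and assigns with =, so the outer item is updated and a failure is reported.
func lookupFixed(rawURL string) (*Item, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	var item *Item
	if itemID := u.Query().Get("itemID"); itemID != "" {
		item, err = getItem(itemID) // plain assignment: no new variables
		if err != nil {
			return nil, err
		}
	}
	return item, nil
}
func main() {
	fmt.Println(lookupShadowed("https://host/items?itemID=42")) // <nil>
	item, _ := lookupFixed("https://host/items?itemID=42")
	fmt.Println(item.ID) // 42
}
```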

  • 28 Feb 2016 » Meditations

    “Be like a rocky promontory against which the restless surf continually pounds; it stands fast while the churning sea is lulled to sleep at its feet. I hear you say, “How unlucky that this should happen to me!” Not at all! Say instead, “How lucky that I am not broken by what has happened and am not afraid of what is about to happen. The same blow might have struck anyone, but not many would have absorbed it without capitulation or complaint.” - Marcus Aurelius

  • 28 Feb 2016 » Dream Job

    I like this…

    Image of Dream Job

  • 27 Feb 2016 » Go-KMS

    What is GO-KMS?

    GO-KMS is an encryption Key Management Service written in Go. Modelled extensively on AWS KMS behaviour, the API is used for symmetric key management. It offers Cryptography as a Service (CaaS) functionality such as encryption/decryption/re-encryption without exposing keys.

    The crypto provider is based on AES with a 256-bit key in GCM mode, which provides confidentiality as well as authentication.

    Keys are encrypted and stored on disk, using a master key which is derived using PBKDF2 from a passphrase when run in pure software mode. It is also possible to combine GO-KMS with a Hardware Security Module (HSM) which can be leveraged to create and encrypt a master key using the HSM for generation and protection. HSM support is done using the PKCS#11 standard.

    GO-KMS authentication is done using HMAC-SHA256 over HTTPS.

    // AesGCMEncrypt Encrypt data using AES with the GCM cipher mode (Gives Confidentiality and Authenticity)
    func AesGCMEncrypt(plaintext []byte, key []byte) ([]byte, error) {
    	block, err := aes.NewCipher(key)
    	if err != nil {
    		return nil, err
    	}
    
    	gcm, err := cipher.NewGCM(block)
    	if err != nil {
    		return nil, err
    	}
    
    	nonce := make([]byte, gcm.NonceSize())
    	if _, err := rand.Read(nonce); err != nil {
    		return nil, err
    	}
    
    	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
    
    	return append(nonce, ciphertext...), nil
    }

    Check out go-kms on GitHub for more info.