🐾
Every artifact can be verifiably traced to Source Code and Hardware

Batuhan Apaydın developer-guy
@developer-guy
developer-guy / Dockerfile
Created March 31, 2022 12:46
Cross-compilation support enabled Dockerfile for Go applications
# syntax = docker/dockerfile:1.4.0
FROM --platform=${BUILDPLATFORM} golang:1.17.8-alpine AS base
WORKDIR /src
ENV CGO_ENABLED=0
COPY go.* .
# https://go.dev/ref/mod#module-cache
RUN --mount=type=cache,target=/go/pkg/mod go mod download
COPY . .
FROM --platform=$BUILDPLATFORM tonistiigi/xx AS xx
developer-guy / Dockerfile
Last active March 31, 2022 12:45
Dockerfile cross-compilation helper tonistiigi/xx
FROM --platform=$BUILDPLATFORM tonistiigi/xx AS xx
FROM base AS build
COPY --from=xx / /
ARG TARGETPLATFORM
RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \
xx-go build -o /out/example .
developer-guy / Dockerfile
Created March 31, 2022 09:06
mount cache types
..
# will cache go packages while downloading packages
RUN --mount=type=cache,target=/go/pkg/mod go mod download
# will cache build outputs and go packages while building the binary
RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \
go build -o /out/example .
..
developer-guy / docker-buildx-cache.sh
Created March 30, 2022 19:51
Docker Buildx remote registry cache
$ docker buildx build -t devopps/hello-world-multi-arch:v1 \
--push=true \
--cache-from type=registry,ref=devopps/hello-world-multi-arch:cache \
--cache-to type=registry,ref=devopps/hello-world-multi-arch:cache,mode=max \
--platform linux/amd64,linux/arm64 .
developer-guy / cosign-verify-blob.sh
Created March 23, 2022 10:40
cosign verify blob
$ COSIGN_EXPERIMENTAL=1 cosign verify-blob \
--cert checksums.txt.pem \
--signature checksums.txt.sig \
checksums.txt
tlog entry verified with uuid: "e42743bbbc1d06058ff7705a00bdf5046d920ede73e1fec7f313d19f5f3513b8" index: 977012
Verified OK
$ COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/goreleaser/supply-chain-example:v1.2.0
developer-guy / run-signed-image.sh
Created March 22, 2022 14:16
run signed image
$ kubectl run signed --image=gcr.io/$PROJECT_ID/alpine:3.15.0
pod/signed created
developer-guy / create-gke-cluster.sh
Created March 22, 2022 14:15
create gke cluster with workload identity enabled
$ export PROJECT_ID=$(gcloud config get-value project)
$ export CLUSTER_NAME="gke-wif"
$ gcloud container clusters create $CLUSTER_NAME \
 --workload-pool=$PROJECT_ID.svc.id.goog --num-nodes=2
developer-guy / create-sa.yml
Created March 22, 2022 14:15
create GCP SA
$ export GSA_NAME=kyverno-sa
$ gcloud iam service-accounts create $GSA_NAME
$ gcloud iam service-accounts add-iam-policy-binding \
 --role roles/iam.workloadIdentityUser \
 --member "serviceAccount:${PROJECT_ID}.svc.id.goog[kyverno/kyverno]" \
${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com
developer-guy / give-perms.sh
Created March 22, 2022 14:14
give necessary permissions to GCP SA
$ gcloud projects add-iam-policy-binding ${PROJECT_ID} \
 --role roles/cloudkms.verifier \
 --member serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com
$ gcloud projects add-iam-policy-binding ${PROJECT_ID} \
 --role roles/cloudkms.viewer \
 --member serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com