package main
import "fmt"
// Config is the value a translator produces. Only a name is carried here;
// the field is unexported, so it can be set and read within this package only.
type Config struct {
	name string
}
// translator builds a *Config from an arbitrary argument list.
// NOTE(review): the variadic ...interface{} carries no type information, so an
// implementation and its callers must agree on the argument layout out of band;
// the snippet does not show an implementation, so the expected layout is unknown.
type translator func(arg ...interface{}) *Config
incfly / authz.yaml
Created October 12, 2021 18:33
ipblock-authz
# DENY policy placed in istio-system. Istio applies a policy in the mesh root
# namespace to every workload in the mesh, and with no `selector` it is not
# narrowed further — NOTE(review): confirm istio-system is the configured
# rootNamespace for this mesh before relying on that scope.
# The `rules` (match conditions; the gist title suggests source ipBlocks) are
# cut off in this preview, so what is actually denied cannot be read here.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  namespace: istio-system
  name: deny-protect-all
spec:
  action: DENY
  rules:
  - from:
    - source:
incfly / script.sh
Created September 28, 2021 20:44
openssl-verify-tetrate-docs.
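#!/usr/bin/env bash
# Extract the certificate chain Envoy is serving (from the secret dump saved
# as ./server.json), split it into one PEM file per certificate, and verify
# the leaf (workload) certificate against the rest of the chain.
set -euo pipefail

# inlineBytes holds base64-encoded PEM text with several certificates back to back.
jq -r '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' ./server.json | base64 --decode > output.pem

# Split the bundle. The counter advances on every BEGIN CERTIFICATE line, so
# proxy-cert-1.pem is the leaf and proxy-cert-2.pem onwards are its issuers,
# in the order Envoy presents them. The leading `counter` pattern drops any
# text before the first certificate instead of writing it to proxy-cert-0.pem.
# (The original only incremented once, so everything landed in a single file.)
rm -f proxy-cert-*.pem
awk '/BEGIN CERT/ { counter++ } counter { print > ("proxy-cert-" counter ".pem") }' output.pem

# Every certificate after the leaf becomes the CA bundle. Overwrite rather
# than append, so a re-run does not verify against stale certs from an
# earlier dump.
: > ca-chain.pem
for f in proxy-cert-*.pem; do
  if [ "$f" != proxy-cert-1.pem ]; then
    cat "$f" >> ca-chain.pem
  fi
done

# NOTE: -CAfile treats every certificate in ca-chain.pem as a trust anchor, so
# this only proves the leaf chains to *something* in the bundle. For a strict
# check, pass only the root via -CAfile and the intermediates via -untrusted.
openssl verify -CAfile ./ca-chain.pem ./proxy-cert-1.pem
# expected output:
# ./proxy-cert-1.pem: OK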
{
"configs": [
{
"@type": "type.googleapis.com/envoy.admin.v3.BootstrapConfigDump",
"bootstrap": {
"node": {
"id": "sidecar~10.10.0.108~echo-v1-96d97bcdb-9grmf.echo-7-26482~echo-7-26482.svc.cluster.local",
"cluster": "echo.echo-7-26482",
"metadata": {
"sidecar.istio.io/userVolume": "[\n {\"name\": \"authz-certs\", \"configMap\":{\"name\":\"authz-ca-certs\"}},\n {\"name\": \"authz-client-cred\", \"secret\":{\"secretName\":\"authz-client-cred\"}},\n {\"name\": \"shady-authz-client-cred\", \"secret\":{\"secretName\":\"shady-authz-client-cred\"}}\n ]",
incfly / istioapi.yaml
Last active July 30, 2021 00:15
sleep.sidecar-to-nginx-https
# ServiceEntry registering the in-cluster nginx host so sidecars route to it
# through the mesh. The remainder of the spec (location, resolution, ...) is
# cut off in this preview.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: nginx-se
spec:
  hosts:
  - "my-nginx.bar.svc.cluster.local"
  ports:
  - number: 443
    # NOTE(review): in Istio the port *name* selects the protocol, so "http" on
    # 443 means the sidecar speaks plain HTTP to this port unless a
    # DestinationRule originates TLS for it (which the gist title suggests is
    # the intent) — confirm that DestinationRule exists alongside this entry.
    name: http
# https://unix.stackexchange.com/questions/25122/how-to-use-regex-with-awk-for-string-replacement
# second answer.
# Replace every line of ./input.sh that matches /VIR.*/ with the literal text
# HERE="$(cd "...")  — match() is applied to $0 and $0 is then reassigned, so
# the *whole line* is replaced, not just the matched substring. The trailing
# `1 { print }` pattern-action prints every line (replaced or not) to stdout;
# the input file itself is left untouched, so redirect stdout to keep the result.
awk 'match($0, /VIR.*/) { $0 = "HERE=\"$(cd \"...\")" } 1 { print } ' ./input.sh
{
"configs": [
{
"@type": "type.googleapis.com/envoy.admin.v3.BootstrapConfigDump",
"bootstrap": {
"node": {
"id": "router~10.40.1.10~istio-egressgateway-bdfc78ff9-lqr25.istio-system~istio-system.svc.cluster.local",
"cluster": "istio-egressgateway",
"metadata": {
"NAMESPACE": "istio-system",
# AuthorizationPolicy scoped by selector to the httpbin workload in `default`.
# No `action` is given, so Istio's default of ALLOW applies; the `rules`
# entries are cut off in this preview. NOTE(review): an ALLOW policy whose
# rules end up empty denies all traffic to the selected workload — check the
# full file before applying.
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "authz"
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
#!/usr/bin/python3
import urllib.request
# url =
# 'https://storage.googleapis.com/istio-prow/logs/integ-distroless-k8s-tests_istio_postsubmit/1418/build-log.txt'
def download_url(run: int, suite='integ-distroless-k8s-tests_istio_postsubmit'):
    """Return the GCS URL of the Prow build log for one job run.

    Args:
        run: numeric Prow build id.
        suite: Prow job name; defaults to the distroless k8s postsubmit job.

    Returns:
        The full https URL of that run's build-log.txt.
    """
    base = 'https://storage.googleapis.com/istio-prow/logs'
    return '{}/{}/{}/build-log.txt'.format(base, suite, run)
{
"bootstrap": {
"node": {
"id": "sidecar~10.1.0.245~elasticsearch-logging-0.kubeprod~kubeprod.svc.cluster.local",
"cluster": "elasticsearch.kubeprod",
"metadata": {
"CLUSTER_ID": "Kubernetes",
"CONFIG_NAMESPACE": "kubeprod",
"EXCHANGE_KEYS": "NAME,NAMESPACE,INSTANCE_IPS,LABELS,OWNER,PLATFORM_METADATA,WORKLOAD_NAME,CANONICAL_TELEMETRY_SERVICE,MESH_ID,SERVICE_ACCOUNT",
"INSTANCE_IPS": "10.1.0.245",