Christian Posta christian-posta

ams0 /
Last active October 18, 2023 22:03
Install Istio Ambient Mesh with Helm
# Install Ambient Mesh with Helm Charts
helm_opts="upgrade -i --namespace istio-system --create-namespace --repo ${REPO} --version ${VERSION}"
# base
helm $(echo $helm_opts) istio-base base
# istiod
asayah / gist:73c62872cac04b606fd643c18fb6a0a0
Last active September 6, 2022 16:14
multi region routing/failover with gloo edge
kind: Upstream
name: green-cell1
namespace: gloo-system
- timeout: 1s
interval: 1s
unhealthyThreshold: 1
set -x #echo on
## PREREQ: SET CONTEXTS for management-plane-context and remote-cluster-context
#### Cleanup
kubectl config use-context management-plane-context
meshctl uninstall
kubectl -n service-mesh-hub delete secret -l
kubectl delete istiooperator istiocontrolplane-default -n istio-operator --context management-plane-context
dougbtv /
Last active May 11, 2023 16:31
Istio + Multus CNI: Annotation clobbering, replication and fix

This details a reference deployment of Istio w/ Multus CNI to demonstrate a problem where annotations are being clobbered by the Istio webhook. It also provides a patch and workflow for a possible fix.

This article first demonstrates how to reproduce the article, then proposes a patch, and demonstrates a way to build and deploy Istio with the modified code.

NOTE: Ignore the 1.5.1 through the install, I replicate it with latest (Nov 2021), and provide further steps following the rest of the installation.

Suggested system

samsch /
Last active September 14, 2024 08:21
Stop using JWTs

Stop using JWTs!

TLDR: JWTs should not be used for keeping your user logged in. They are not designed for this purpose, they are not secure, and there is a much better tool which is designed for it: regular cookie sessions.

If you've got a bit of time to watch a presentation on it, I highly recommend this talk: (Note that other topics are largely skimmed over, such as CSRF protection. You should learn about other topics from other sources. Also note that "valid" use cases for JWTs at the end of the video can also be easily handled by other, better, and more secure tools. Specifically, PASETO.)

A related topic: Don't use localStorage (or sessionStorage) for authentication credentials, including JWT tokens:

The reason to avoid JWTs comes down to a couple different points:

  • The JWT specification is specifically designed only for very short-lived tokens (~5 minutes or less). Sessions

In a terminal start a server.

$ python -m SimpleHTTPServer 8000

In another terminal set up the cgroups freezer.

jmound /
Last active August 7, 2023 10:33
Bash function to refresh all pods in all deployments by namespace
# based on the "patch deployment" strategy in this comment:
# requires jq
# $1 is a valid namespace
function refresh-all-pods() {
DEPLOYMENT_LIST=$(kubectl -n $1 get deployment -o json|jq -r .items[]
echo "Refreshing pods in all Deployments"
for deployment_name in $DEPLOYMENT_LIST ; do
jmprusi / Dockerfile
Last active December 21, 2017 15:59
Building Istio dockers from macOS
FROM ubuntu:xenial
# This Dockerfile has been taken from:
RUN apt-get update \
&& apt-get install -y openjdk-8-jdk make libtool m4 autoconf uuid-dev cmake golang-go curl python python-pip git \
&& echo "deb [arch=amd64] stable jdk1.8" | tee /etc/apt/sources.list.d/bazel.list \
&& curl | apt-key add - \
&& apt-get update \
rshriram /
Last active May 17, 2017 15:03
Envoy - Proof of Concept with Zipkin Tracing

Download the files to a directory and start services using Docker Compose.

docker-compose up -d

Generate some load (run a few times with different trace IDs)

curl -H "x-client-trace-id: 23423sfdf3" http://localhost:8000
christian-posta / f8binarys2i.txt
Last active February 16, 2017 23:09
Using f8 s2i-java for binary builds
so... first make a dir $ROOT_DIR
then make $ROOT_DIR/deployments
copy spring-boot.jar to $ROOT_DIR/deployments
then from $ROOT_DIR run this:
oc import-image --from=fabric8/s2i-java:1.3 s2i-java --confirm
oc new-build --binary=true --strategy=source --image-stream=s2i-java --name=sample-foo
oc start-build sample-foo --from-dir=.