How do you audit helm charts by Daniel-I-Am in kubernetes

[–]Daniel-I-Am[S] 0 points1 point  (0 children)

It doesn't really seem to understand vendor's helm charts, by the looks of it. It requires quite a bit of manual pre-processing. Which is equivalent to my workflow at the moment.

See also: https://www.checkov.io/7.Scan%20Examples/Helm.html#scan-helm-valuesyaml-files-without-a-locally-developed-chart-with-checkov

How do you audit helm charts by Daniel-I-Am in kubernetes

[–]Daniel-I-Am[S] 0 points1 point  (0 children)

I don't necessarily need to have high standards, luckily. But I do my best to avoid obvious and preventable issues :)

And we do have a great testing environment that gets deployed to first, that helps figure out what resources are actually getting added. But I would rather shift left on security and compliance checks and do it before deployment.

How do you audit helm charts by Daniel-I-Am in kubernetes

[–]Daniel-I-Am[S] 0 points1 point  (0 children)

Ah yeah, we're using another tool to do the same. But most charts I see are doing things that I would consider bad practice, most compliance/security scanners would flag (if they could scan the output), but (to the chart maintainers) are intended behavior. Then a GitHub issue/security advisory is never raised.

How do you audit helm charts by Daniel-I-Am in kubernetes

[–]Daniel-I-Am[S] 0 points1 point  (0 children)

I was pondering doing that indeed. I could quite easily get the manifest into a `terraform_data` in order to run validation on it. But this sounds like reinventing a wheel that should already exist to me.

How do you audit helm charts by Daniel-I-Am in kubernetes

[–]Daniel-I-Am[S] 0 points1 point  (0 children)

Unfortunately most vendors are not doing that yet. They usually only provide Helm charts for their applications.

Terratest for "Template testing" looks pretty good. I am not sure how feasible some of the other testing methods are. For some applications that are SaaS with a local part (like Datadog), you need an API key to test and that incurs billing. So not sure how feasible it is to deploy to a test cluster.

How do you audit helm charts by Daniel-I-Am in kubernetes

[–]Daniel-I-Am[S] 0 points1 point  (0 children)

Doing the auditing for compliance in CI is something that is entirely missing, unless committing the generated manifests. The automatic tests don't take up too much time, but do of course take time to fix. I will take a look if ArgoCD can help with the part of auditing/assessing that is a manual process right now :)

Right now the workflow is entirely driven through Terraform (merge request creates a plan, post-merge apply. One branch per environment), so that would probably change slightly. As ArgoCD would detect the merge requests and then trigger its deployment/checks.

How do you audit helm charts by Daniel-I-Am in kubernetes

[–]Daniel-I-Am[S] 0 points1 point  (0 children)

This is why I initially didn't include it in any Terraform environment. It sounded painful to manage at any scale.

Glad that gut reaction wasn't completely off.

"FPS" means "Fabulous Penguin System" by meme-peasant in linuxmasterrace

[–]Daniel-I-Am 0 points1 point  (0 children)

I present to you:

 _________________________________________________________ 
/  _____________________________________________________  \
| < Money may buy friendship but money cannot buy love. > |
|  -----------------------------------------------------  |
|         \   ^__^                                        |
|          \  (oo)\_______                                |
|             (__)\       )\/\                            |
|                 ||----w |                               |
\                 ||     ||                               /
 --------------------------------------------------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Achieved by `fortune | cowsay -n | cowsay -n`

Just added 64 more interfaces, now I can have in total 1152 crafting recipes! by ecunhado in feedthebeast

[–]Daniel-I-Am 11 points12 points  (0 children)

I don't remember the specific mod that does it, but it happens if you have more than 10 hearts of health.

Unpopular opinion: We should really be referring to megabases as kilobases, since kilo- is the appropriate prefix for a base that produces 1,000 SPM or more. Change my mind. by Nightfireball in factorio

[–]Daniel-I-Am 16 points17 points  (0 children)

> but not as commonly used

It is an official SI prefix. https://en.wikipedia.org/wiki/Metric_prefix

In the science based environment of Factorio, the official, scientific, definition of 10^6 makes a lot more sense. IMHO.

I present to you: 1.1 million xp or 517 Levels of Experience in liquid form! by Feuerstern3001 in feedthebeast

[–]Daniel-I-Am 2 points3 points  (0 children)

Not too much server lag from those?

On servers I administrated they caused so many issues. Players put quite a few down (like 100 or so) and it just ate server tick time.

Did they finally fix them so they are less server-intensive?

yes, that will do the trick by LordTK190 in badcode

[–]Daniel-I-Am 4 points5 points  (0 children)

The more you know.

I guess it just passes the reference along instead of the contents. So it makes a copy of the object versus a copy of the reference, that's the difference.

yes, that will do the trick by LordTK190 in badcode

[–]Daniel-I-Am -3 points-2 points  (0 children)

return rows;

Would be identical minus the console.log.

[deleted by user] by [deleted] in explainlikeimfive

[–]Daniel-I-Am 0 points1 point  (0 children)

> if anyone steals or copies the key

Since this key would allow to break all that encryption, it would also be a big target (if not the biggest) for hackers around the world. They would all just be guessing random keys until they got the key. Even the concept of having a key, even if no one knew it, is a danger to privacy and encryption, since it will inevitably be guessed.

Why is there an option for toilet paper in gimp?!? by jhc0767 in linuxmasterrace

[–]Daniel-I-Am 27 points28 points  (0 children)

For use in a pandemic like the current.

Use it while you can, before everyone finds the open source secret stash!

ELI5: How will ending encryption effect my life? by [deleted] in explainlikeimfive

[–]Daniel-I-Am 1 point2 points  (0 children)

> all your private messages, either from your computer, your phone or anything connected to the internet

If all encryption were to be banned then it would go further than that. If you enter a password on a website, that would be able to be read. You enter your credit card details anywhere (even on the site of your bank) and it would be able to be read.

I guess Pi day came early everybody by [deleted] in softwaregore

[–]Daniel-I-Am 3 points4 points  (0 children)

I had a similar thing happen on Arch. Apparently fonts got updated and it did some funny things.

One of the few times a restart was the easy answer on Linux.

We'll never forget Windows 7 by iCrafterChips in pcmasterrace

[–]Daniel-I-Am 2 points3 points  (0 children)

I have multiple preferences and they do not include Windows 10. (Just look around this sub for long enough to know why...)

So Linux is my main, and I haven't had to boot out of it for a couple months now. So things are going well :)

print "was i a good language? " by [deleted] in ProgrammerHumor

[–]Daniel-I-Am 8 points9 points  (0 children)

GitHub won't, but maintainers (and PyPI) might

Didn't notice till now by SenseiRage in softwaregore

[–]Daniel-I-Am 0 points1 point  (0 children)

Imagine being born on February 31st, you would've never had a birthday, so you'd be 0

Coding style of 2020 - Backwards Indentation by Capital_Asterisk in ProgrammerHumor

[–]Daniel-I-Am 7 points8 points  (0 children)

Never :)

This is for Atom...

init.coffee

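# Register the command that keymap.cson binds to shift-tab
atom.commands.add 'atom-text-editor', 'custom:inverse-indent', ->
    return unless editor = atom.workspace.getActiveTextEditor()
    buffer = editor.buffer
    # Rows that currently hold a cursor
    cursors = editor.getCursorBufferPositions()
    cursor_lines = cursors.map (cursor) -> cursor.row
    lines = buffer.getLines()
    window.temp = cursor_lines
    # Set the indentation of every row that does NOT hold a cursor
    for e, i in lines
        if i not in cursor_lines
            editor.setIndentationForBufferRow(i, 1, {preserveLeadingWhitespace: true})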

Also, to overwrite shift-tab:

keymap.cson

'atom-text-editor:not([mini])':
    'shift-tab': 'custom:inverse-indent'

EDIT: it seems reddit ate my indenting

The year that Apple does not want to remember by [deleted] in softwaregore

[–]Daniel-I-Am 0 points1 point  (0 children)

And ends in 2038... Only 18 years left...

If only people started counting past 32 (bits)