qrkourier commented on Launch HN: Moonglow (YC S24) – Serverless Jupyter Notebooks    · Posted by u/tmychow
williamstein · a year ago
Is it possible to use OpenZiti with Runpod? Their execution environment is very locked down, which might make ssh the only option.
qrkourier · a year ago
At a glance, RunPod's serverless and pod options would probably work well with OpenZiti. I didn't explore their vLLM option.

Using OpenZiti w/ Serverless probably means integrating an OpenZiti SDK with your serverless application. That way, it'll connect to the OpenZiti network every time it spawns.

The SDK option works anywhere you can deploy your application because it doesn't need any sidecar, agent, proxy, etc., so it's definitely the most flexible, and I can give you some examples if you mention the language or framework you're using.

The pod option says "container based" so it'll take some investigation to find out if an OpenZiti sidecar or other tunneling proxy is an option. Would you be looking to publish something running in RunPod (the server is in RunPod), or access something elsewhere from a RunPod pod (the client is in RunPod), or both?

qrkourier commented on Launch HN: Firezone (YC W22) – Zero-trust access platform built on WireGuard    · Posted by u/jamilbk
hardwaresofton · a year ago
> You could use OpenZiti together with Cilium/Calico, there are some distros, e.g., https://kubezt.com/ which do that (though in truth, KubeZT has moved to Istio for E-W, uses OpenZiti for N-S). OpenZiti does a lot of things that service mesh technologies do not, for example, extending outside of the cluster (incl. to non-K8S workloads), allowing closing of inbound FW ports, providing a private DNS outside of cluster, removing the need for VPNs, L4 loadbalancers, MPLS, SDWAN, public DNS etc.

Yeah Istio is a hard no for me... And yeah I definitely appreciate that OpenZiti does a lot more than service meshes do! I personally try to avoid service meshes (if I were to use one, I'd go with linkerd).

I'm just not convinced that many people need a service mesh -- I haven't really needed one yet, but maybe I'm just not at the right scale/etc.

> Oh, I should note too, while we have a bunch of ways to deploy OpenZiti on K8S today, we are in the process of building/releasing an admission controller and an ingress controller for OpenZiti.

This is awesome -- I really like my current admission controller though (Traefik), it's FANTASTIC. I think moving ingress controllers might be a large lift for people (it would be for me).

> What's the project you work on?

I don't really work on it actively these days (haven't in a while) but https://nimbusws.com

Looking forward to picking it back up more actively in the future though, for now I use it for some small background services.

qrkourier · a year ago
> This is awesome -- I really like my current admission controller though (Traefik), it's FANTASTIC. I think moving ingress controllers might be a large lift for people (it would be for me).

Clarification: You could use Traefik's ingress controller in tandem with a hypothetical OpenZiti ingress controller. You'd set `ingressClass: openziti` on those Ingress resources you wish OpenZiti to handle. Nothing would prevent you from creating two Ingress resources for the same ClusterIP service: one each for Traefik and OpenZiti.


qrkourier commented on Show HN: Pico: An open-source Ngrok alternative built for production traffic   github.com/andydunstall/p... · Posted by u/andydunstall
andydunstall · 2 years ago
Yep I checked out overlay networks, it's definitely a very cool project. However it also seems pretty complex to host. I think they are different use cases.
qrkourier · 2 years ago
I worked on a minimal self-hosted ziti for Docker here https://github.com/openziti/ziti/tree/release-next/quickstar... and minimal self-hosted zrok (includes ziti) for Docker here https://docs.zrok.io/docs/guides/self-hosting/docker/

...so, basically:

wget https://get.openziti.io/dock/all-in-one/compose.yml
docker compose up

qrkourier commented on Ziti: Programmable network overlay and edge components for zero-trust networking   github.com/openziti... · Posted by u/talonx
tyingq · 3 years ago
All of this somewhat recent new activity that exposes easier user defined networking makes me wonder about corporate Cybersec departments. Are they trying to keep all this stuff in a box, control it, etc? I know none of it is really new per se, but it is certainly easier to do now.

I know that some of it is fairly easy to detect, but Cyber also can't use the same old stranglehold techniques[1] they have in the past, because remote developers need to be able to use docker and other tools that use network overlays.

The old school approach of trying to block it all is based on, I assume, old style networks where the corporate office floor network has too much access to production. And so, the corporate VPN inherits too much access also, so it works similarly to your desk.

Perhaps this pushes more effort to make the VPN and office floor networks completely separate from anything important.

[1] For example, popular corporate VPN software products, like AnyConnect and GlobalProtect, are somewhat notorious for blocking things like Docker overlay networks by default.

qrkourier · 3 years ago
True, the tools used by risk managers will have to adapt to overlays if overlays (software defined networks that look like encrypted noise on the wire) are as inevitable as they appear to be. It's kind of an arms race and it only makes sense to embrace what's happening and invest in those tools that bring the controls and insights that are needed by defensive security interests to do their job.

At the same time overlays move security closer to the app which shifts the purview left even further toward the developer. This might mean that developers will bear more of the burden of ensuring a secure deployment by choosing a good overlay and effectively operating that overlay in a way that satisfies Security and Compliance.

qrkourier commented on Show HN: Send a GitHub webhook to a private URL   github.com/openziti-test-... · Posted by u/qrkourier
0xbadcafebee · 3 years ago
Hi @qrkourier, you mention using the Python SDK, but it is not shown in the list of SDKs here, FYI: https://openziti.github.io/ And also there's only a couple listed here: https://openziti.github.io/api/index.html I therefore assumed there was no Python SDK...
qrkourier · 3 years ago
I see what you mean. I'll make sure to suggest adding it in those places, then! There's another post about the Python SDK in https://news.ycombinator.com/item?id=32923851 and the repo is https://github.com/openziti/ziti-sdk-py/#readme
qrkourier commented on Show HN: Send a GitHub webhook to a private URL   github.com/openziti-test-... · Posted by u/qrkourier
hangonhn · 3 years ago
We ended up implementing an API Gateway in AWS that just proxies the request to our CI server after a simple authentication (and also checking the signature of the request as suggested by GH).

Another related option is that you can run GitHub Runners in your own environment and they will connect to GitHub to accept "jobs" from GitHub Actions. This is another thing we've started doing as we look to pare down our self managed CI. This is a very solid choice I think. In case anyone is interested: https://docs.github.com/en/actions/hosting-your-own-runners/...
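The signature check hangonhn mentions (GitHub's X-Hub-Signature-256 header, an HMAC-SHA256 over the raw request body) as an added example that is not code from the thread or from GitHub; the secret, body and headers are constructed for the example, and the gateway must verify the raw bytes before it parses or forwards them:

```python
import hashlib
import hmac
import json


def github_signature(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_github_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """True only if the X-Hub-Signature-256 header matches the raw body.

    Header lookup is case-insensitive (proxies normalise case); the comparison is
    constant-time so a forger learns nothing from response timing.
    """
    sig = next((v for k, v in headers.items() if k.lower() == "x-hub-signature-256"), None)
    if not sig or not sig.startswith("sha256="):
        return False  # missing header or the older sha1 scheme: reject, do not fall back
    return hmac.compare_digest(github_signature(secret, body), sig)


def gateway_handle(secret: bytes, headers: dict, body: bytes):
    """What the proxying gateway would do: reject unsigned/tampered requests before
    touching the JSON, otherwise return the parsed event for forwarding to CI."""
    if not verify_github_webhook(secret, headers, body):
        return 401, None
    return 200, json.loads(body)


# Constructed sample request (secret and payload are made up for this example).
SECRET = b"constructed-webhook-secret"
BODY = json.dumps({"ref": "refs/heads/main", "repository": {"full_name": "example/repo"}}).encode()
GOOD_HEADERS = {"X-GitHub-Event": "push", "X-Hub-Signature-256": github_signature(SECRET, BODY)}

if __name__ == "__main__":
    print(gateway_handle(SECRET, GOOD_HEADERS, BODY))
    print(gateway_handle(SECRET, GOOD_HEADERS, BODY + b" "))  # one extra byte: rejected
```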

qrkourier · 3 years ago
That's a neat angle. I reckon you could position the self-hosted runner network-adjacent to a private CI server and poke it directly from behind the firewall with a GitHub Actions job.
qrkourier commented on Show HN: Send a GitHub webhook to a private URL   github.com/openziti-test-... · Posted by u/qrkourier
scottydelta · 3 years ago
GitHub rarely changes its hooks IPs.

The current list has 4 IPv4 IP ranges and upon checking my server firewall (last updated 3 years ago), I can see I have the first 3 entries in there.

So in the last 3 years, GitHub has added 1 new IP range which is missing from my server but even then, no webhook call has ever failed to my CI server.

As a precaution I just updated my server firewall right now.

You could of course write a cron script to regularly check GitHub hooks IPs and update the firewall if GitHub changes its webhook IPs.
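The reconciliation step of the cron script scottydelta describes, as an added example that is not from the thread: it diffs the published "hooks" ranges against the firewall's current allowlist and emits the changes. The published list is a constructed stand-in for the "hooks" key of the GitHub meta endpoint (the real values are fetched over HTTPS, not embedded), and the allowlist is assumed to live in a dedicated ipset named github-hooks so that stale entries can be removed without touching unrelated rules.

```python
import ipaddress
import json

# Constructed stand-in for the "hooks" list of https://api.github.com/meta (addresses made up).
SAMPLE_META = json.dumps({"hooks": ["192.0.2.0/24", "198.51.100.0/25", "203.0.113.0/24", "2001:db8::/32"]})

# Constructed contents of the dedicated ipset: one range missing, one no longer published.
CURRENT_RULES = ["192.0.2.0/24", "198.51.100.0/25", "192.168.50.0/24"]


def parse_hook_ranges(meta_json: str, family: int = 4):
    """Parse the hooks list into network objects of one address family, sorted."""
    nets = (ipaddress.ip_network(c, strict=False) for c in json.loads(meta_json)["hooks"])
    return sorted(n for n in nets if n.version == family)


def plan_firewall_changes(meta_json: str, current_rules, family: int = 4):
    """Return (to_add, to_remove) as CIDR strings.

    to_add: ranges GitHub publishes that the set lacks (these are the ones that would
    silently drop webhooks); to_remove: set entries GitHub no longer publishes.
    """
    published = set(parse_hook_ranges(meta_json, family))
    present = {ipaddress.ip_network(c, strict=False) for c in current_rules}
    present = {n for n in present if n.version == family}
    to_add = [str(n) for n in sorted(published - present)]
    to_remove = [str(n) for n in sorted(present - published)]
    return to_add, to_remove


def render_ipset_commands(to_add, to_remove, setname: str = "github-hooks"):
    """Commands for a hash:net ipset that an allow rule references (assumed layout)."""
    cmds = [f"ipset add {setname} {cidr}" for cidr in to_add]
    cmds += [f"ipset del {setname} {cidr}" for cidr in to_remove]
    return cmds


if __name__ == "__main__":
    add, remove = plan_firewall_changes(SAMPLE_META, CURRENT_RULES)
    for cmd in render_ipset_commands(add, remove):
        print(cmd)
```

Run it from cron after fetching the live meta document and reading the set with `ipset list`; an empty plan means the allowlist is already current.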

qrkourier · 3 years ago
Glad you got it updated before you missed an event! That's the worry that made me look for something flexible and software-defined that I could run in GitHub Actions.
qrkourier commented on Show HN: Send a GitHub webhook to a private URL   github.com/openziti-test-... · Posted by u/qrkourier
caseysoftware · 3 years ago
Have you considered ngrok? You can open up a private tunnel from your local environment (local machine, container, device, whatever) to the public internet in seconds. Then you can layer on IP restrictions and even webhook verification to block any traffic not from your provider of choice. It's as simple as:

ngrok http 80 --verify-webhook=slack --verify-webhook-secret=[secret]

with a ton of providers out of the box: https://ngrok.com/docs/cloud-edge#webhook-verification

Also, we recently launched https://webhooks.fyi/ to serve as a community resource to capture patterns & practices around webhook implementations. That's a github pages site so pull requests welcome!

Disclosure: I work at ngrok and helped create webhooks.fyi :)

qrkourier · 3 years ago
That's useful that ngrok has centralized webhook verification! It's meaningful security for the first hop from GitHub to ngrok.
