As potential of Docker & Kubernetes are promising, be it consistency, efficiency, speed, declarative configuration, community adoption and support, & what not, enterprises are shifting their application from VM based to containerized ones.

Similarly, Go lang has gained a lot popularity in last few years and major enterprises are developing their products in go lang.

Let’s get started.

0. Create a Go lang project

Create a directory with name uuid & run go mod init inside id.

mkdir uuid
cd uuid
go mod init

1. Create main.go Go Lang file

Create a main.gofile inside uuid folder which uses net/http to make an API call to fetch requests and prints quote, every min.

package main

import (
 "fmt"
 "strings"
 "time"

 "github.com/pborman/uuid"
)

func main() {
 genUUidFunc := func() {
  uuidWithHyphen := uuid.NewRandom()
  uuid := strings.Replace(uuidWithHyphen.String(), "-", "", -1)
  fmt.Println(uuid)
 }

 for {
  genUUidFunc()
  time.Sleep(1 * time.Minute)
 }
}

Let’s deploy this locally to make sure application is running without any errors. To run this application locally, execute below command.

go mod tidy # This command will download all the dependencies that are 
# required in your source files and update go.mod file with that dependency.
go run main.go
# Ctrl + C to end the program

2. Dockerize Go lang application

Now, since our uuid application is ready. We will have to create Dockerfile for this app to create docker container image.

FROM golang:1.19.8 as builder
WORKDIR /workspace
# Copy the Go Modules manifests
COPY go.mod go.mod
COPY go.sum go.sum
# cache deps before building and copying source so that we don't need to re-download as much
# and so that source changes don't invalidate our downloaded layer
RUN go mod download

# Copy the go source
COPY . .

# Build
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o uuid main.go

# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
FROM alpine:latest

RUN apk update
RUN apk add --no-cache bash curl jq
WORKDIR /
COPY --from=builder /workspace/uuid .
ENTRYPOINT ["/uuid"]

In above example, we are using docker multi-stage building to build docker image.

Docker Build Stage-1

• Use golang 1.19.8 as base image.
• Set the working directory.
• Copy go.mod and go.sum
• Run go mod download to download application dependencies
• Once dependencies are downloaded, copy application source code
• Build application binary

Docker Build Stage-2

• Use base image as desired (base image is the one in which your application would be running at runtime), I am using alpine image
• Add bash, curl etc, based on your requirements
• Set the working directory
• Copy application binary which we have generated in stage-1
• Define the entry point

Next step is to run docker build command to create docker image.

docker build -t chroottech/golang-uuid:v0.0.1 .

In above docker-build command, with -t, we can specify docker image tag with which image will be generated and the context of docker build by specifying . which mean current folder.

Login to docker registry if you haven’t logged in already.

docker login

Once you are logged, push your docker image by running below command.

docker push chroottech/golang-uuid:v0.0.1

Now you have created docker image of your application and you can run it as docker containers or in kubernetes as a pod.

4. Run application in docker

To run application in docker, we will have to create container with above generated image.

(chroot-tech) rishi@chroot uuid $ docker run -it --rm chroottech/golang-uuid:v0.0.1
> 6c6536f435094fc58b7721cd5fe1c8e9

Your application is running inside docker container.

5. Running application in kubernetes cluster

We can deploy any application in kubernetes cluster by creating a pod or deployment (K8s maintains lifecycle of pod, if it is deployed as an Deployment)

Let’s create a manifest.yamlfile to deploy it in kubernetes cluster.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: chroot-tech-golang-uuid
  labels:
    app: uuid
spec:
  replicas: 1
  selector:
    matchLabels:
      app: uuid
  template:
    metadata:
      labels:
        app: uuid
    spec:
      containers:
      - name: uuid
        image: chroottech/golang-uuid:v0.0.1

Once, we have manifest file created, we can deploy this app in kubernetes cluster by running below kubectl command.

kubectl apply -f manifest.yaml

Once above command is executed successfully, kubernetes will find a node and will schedule this pod and in few mins, image will be pulled and application will start running.

(chroot-tech) rishi@chroot uuid $ kubectl get pods
NAME                                        READY   STATUS    RESTARTS   AGE
chroot-tech-golang-uuid-6jk78c598-xclfz   1/1     Running   0          45s

By now, my go lang application is deployed in kubernetes and your’s will be too. Let me know by comments if you face any issues.

1. Create quotes.py python file

Create a quotes.pyfile which uses requeststo make an API call to fetch requests and prints quote, every min.

import requests
import time


def main():
    api_url = "https://zenquotes.io/api/quotes"

    while True:
        response = requests.get(api_url)

        if response.status_code == 200:
            data = response.json()
            if data:
                first_item = data[0]
                print(first_item['q'])
            else:
                print("No items in the response.")
        else:
            print("API request failed with status code:", response.status_code)

        time.sleep(60)


if __name__ == "__main__":
    main()

2. Create requirements.txt file

Create a file named requirements.txt in the same directory as your hello.py file, and add the following line to it

requests==2.26.0

This specifies that you want to use the requests library in version 2.26.0.

3. Dockerize python application

Now, since our python application is ready. We will have to create Dockerfile for this app to create docker container image.

FROM python:3.8
WORKDIR /code
COPY requirements.txt .
ENV PYTHONUNBUFFERED=1
RUN pip install -r requirements.txt
COPY quotes.py .
CMD [ "python", "./quotes.py" ]

• Use a Python base image.
• Set the working directory.
• Copy requirements.txt
• Set python buffered to 1 (allows the Python output to be sent straight to the terminal)
• Install dependencies.
• Copy the app code.
• Define the entry point.

Next step is to run docker build command to create docker image.

docker build -t chroottech/python-quotes:v0.0.1 .

In above docker-build command, with -t, we can specify docker image tag with which image will be generated and the context of docker build by specifying . which mean current folder.

Login to docker registry if you haven’t logged in already.

docker login

Once you are logged, push your docker image by running below command.

docker push chroottech/python-quotes:v0.0.1

Now you have created docker image of your application and you can run it as docker containers or in kubernetes as a pod.

4. Run application in docker

To run application in docker, we will have to create container with above generated image.

(chroot-tech) rishi@chroot quotes $ docker run -it --rm chroottech/python-quotes:v0.0.1
> Everyone you admire was once a beginner.

Your application is running inside docker container.

PS: I am enlightened by above quote. Hope it will make an impact in your life too

5. Running application in kubernetes cluster

We can deploy any application in kubernetes cluster by creating a pod or deployment (K8s maintains lifecycle of pod, if it is deployed as an Deployment)

Let’s create a manifest.yamlfile to deploy it in k8s.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: chroot-tech-python-qyotes
  labels:
    app: quotes
spec:
  replicas: 1
  selector:
    matchLabels:
      app: quotes
  template:
    metadata:
      labels:
        app: quotes
    spec:
      containers:
      - name: quotes
        image: chroottech/python-quotes:v0.0.1

Once, we have manifest file created, we can deploy this app in kubernetes cluster by running below kubectl command.

kubectl apply -f manifest.yaml

Once above command is executed successfully, kubernetes will find a node and will schedule this pod and in few mins, image will be pulled and application will start running.

(chroot-tech) rishi@chroot quotes $ kubectl get pods
NAME                                        READY   STATUS    RESTARTS   AGE
chroot-tech-python-qyotes-8cb89c598-bl2sb   1/1     Running   0          23s

By now, my python application is deployed in kubernetes and your’s will be too. Let me know by comments if you face any issues.

In this article, we will be taking kind to GoLand Operation Theatre and rip it apart by expert Chroot Tech 😉 to loop into inner beauty of kind’s code.

First thing first, what the heck is kind?

Kind is cli application which creates kubernetes cluster using docker container as kubernetes nodes. Since you know how easy it is to create and dispose off docker containers. It makes kind very developer friendly tool to create kubernetes clusters and test application changes on it.

Before I start, hat’s off to the maintainers & contributors of this project for writing such an awesome tool and making developer’s life easier.

Github Repo Link: https://github.com/kubernetes-sigs/kind

Website: https://kind.sigs.k8s.io

What happens when we run command ‘kind create cluster’?

“What a dumb question? that’s a simple one, isn’t it that kind cluster gets created” 🤔

ok.. let’s deep dive

Kind supports docker (no introduction needed) & Podman (open source tool to manage, run containers, developed by RedHat along with OpenSource contributors) to create containers which will work as kubernetes node and eventually will start kubernetes cluster within these containers.

1. kind cli detects provider type (docker or podman)

2. Validate provider settings and check if node container can be created

3. Kind code execution then configures default values in kind config and starts cluster creation workflow which involves various actions and create node container is one of it

kind cluster create workflow then invoke provider to create container.

3.a. Provision Node Container: Provider interface will call docker or Podman based on what is installed on the host, to create a container with kindest/node image which is pre-created with all necessary files to bootstrap kubernetes services inside that container

kind/pkg/cluster/internal/providers/docker/provision.go at main · kubernetes-sigs/kind

3.b. Kubeadm-Init Action: Node container is created with specific image which is pre-created with kubeadm and all required manifests to bootstrap kubernetes cluster. Once container is running, kind cli runs below kubeadm-init command with this kubeadm config inside that container which starts etcd and api-server inside container.

Based on node configurations, nodes are tainted.

3.c. Install CNI (Container Network Interface) : Once kubeadm-init phase is completed, kubernetes cluster gets started and it is accessible but since there is no CNI installed, we can’t use it to deploy any workloads as networking is required to run any pod.

kind/pkg/cluster/internal/create/actions/installcni/cni.go at main · kubernetes-sigs/kind

3.d. Install CSI (Container Storage Interface): Once CNI is installed then we can deploy stateless applications inside it which doesn’t persist any data locally and thus doesn’t need any external volume. But, kind also deploys local-path-provisioner CSI which provisions volume in host path, which means inside docker node container which was created in step 3.a.

kind/pkg/cluster/internal/create/actions/installstorage/storage.go at main · kubernetes-sigs/kind

4. Kubeadm Join (Optional): Once CSI is installed, if there are worker-nodes defined in kind-configuration then kind will run kubeadm-join command in containers created for worker-nodes.

kind/pkg/cluster/internal/create/actions/kubeadmjoin/join.go at main · kubernetes-sigs/kind

Voila!!!! You got yourself a kubernetes cluster in few mins. Isn’t that awesome 👏🏻😇

In today’s digital landscape, where cyber threats are ever-evolving, ensuring the security of data and applications is of paramount importance.

We developers must adopt robust measures to protect sensitive data and safeguard applications against potential vulnerabilities. In this article, I will dive into essential components in software development and what security measures we can take while developing it.

Why do we need secure applications?

We all why we need secure applications. Don’t we?

In brief, keeping sensitive data secret, maintaining privacy, safeguarding against financial losses, compliance, regulations and there are numerous reasons to name here.

Let’s talk about different components and what measures, we can take at each component to make tech eco-system secure.

Firewalls: How to Protect the Perimeter?

Firewalls serve as the first line of defense, protecting applications from unauthorized access and malicious activities. They act as a barrier between an internal network and the external world, monitoring and controlling incoming and outgoing network traffic.

If you are an Infrastructure Security Engineer, Firewall Security Engineer or DevOps Engineer, responsible for configuring & maintaining firewalls, then here’s what you can do

• Determine your network requirements, consider factors such as scalability, performance, traceability & select right firewall solutions
• Plan your firewall rule sets according to requirements. Whitelist outbound and inbound connections to only those IPs & DNS which is required by the product. Common rules include allowing specific ports for required services (e.g., HTTP, HTTPS, SSH) and restricting access to sensitive resources
• Regularly update and patch your firewall but also be fully aware with firewall hardware & software’s new versions and try out all the use-cases before performing any upgrade
• Review firewall configurations regularly
• Establish a DMZ (Demilitarized Zone) to isolate publicly accessible servers or services from your internal network
• Set up VPN, Enable Intrusion Detection & Logging and Monitoring
• Perform security testing and audits to identify any weaknesses or misconfigurations in your firewall network

Remember, configuring a secure firewall network is an ongoing process. Stay informed about emerging threats, keep up with industry best practices, and be proactive in addressing security vulnerabilities to maintain the effectiveness of your firewall configuration.

API Gateways: Ensuring Secure Communication

API gateways provide a centralized entry point for client applications to interact with backend services and APIs. They play a crucial role in securing application interfaces and managing secure access to APIs.

• By implementing strong Authentication & Authorization protocols, such as OAuth or JSON Web Tokens (JWT), developers can authenticate and authorize clients securely
• Encryption and Transport Layer Security
• Rate limiting and throttling
• Request filtering and payload validation
• Security Headers and Response Validation
• Versioning and Deprecation

Management Server: Ensuring Secure Communication

Management servers is a central control point for monitoring, configuring, and securing applications. They provide an interface through which developers can manage security-related aspects of an application efficiently.

• If authentication is handled by Validate Auth & ACL Permissions for each requests if authentication & authorization is done by the backend service
• Input Validation and Sanitization
• User inputs should be considered as parameters instead of executable code
• Use secure session tokens, enable session expiration and session invalidation
• Securely handle File -Apply file type validation, limit file upload sizes, and store sensitive data in secure locations, following industry-standard practices
• Scan artifacts -There are many OpenSource & Proprietary tools like trivy, twistlock, to scan artifacts. Configure snyk to scan code changes and libraries during the Pull Request and during build time.

(base) rishi@Rishis-MacBook-Pro bin (main) $ trivy image nginx
2023-07-15T20:13:00.869-0700    INFO    Vulnerability scanning is enabled
2023-07-15T20:13:00.869-0700    INFO    Secret scanning is enabled
2023-07-15T20:13:00.869-0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-15T20:13:00.869-0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
2023-07-15T20:13:05.019-0700    INFO    JAR files found
2023-07-15T20:13:05.020-0700    INFO    Downloading the Java DB...
442.94 MiB / 442.94 MiB [------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 30.80 MiB p/s 15s

Above snippet is an example of artifact scan using trivy and based on image, trivy downloads java-db-plugin and scans the image.

Once image scan is done, it will present the result in desired format.

By this time, we know high level measures which we can take to secure the application.

In some application, there could be multiple micro-services in management plane, though these could be in internal network, still each service should authenticate with another service when invoking any of the rest endpoints.

Micro-services may communicate with each other over either one or many communications channels like HTTP, WebSockets, NATS, Message Queue & other ways. Each of these communication channel has different security measures based on the protocol being used for the communication.

In a nutshell, every component either has to be configured right or has to be developed right to be secure.

Hope, I was able to touch base on different components and this reminds you of all that you have done to keep your product secure.

Have a good time, all of you :)