Cert-Manager in Production: Automated Certificate Management

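# Core Components — ClusterIssuer configuration
#
# Review notes:
# - The ACME contact address was garbled in the source ("[email protected]"),
#   which a YAML parser would read as a one-item flow sequence rather than a
#   string; a placeholder is used below — substitute the real mailbox.
# - Two solvers are declared without a `selector`. cert-manager only
#   considers solvers whose challenge type the ACME authorization actually
#   offers, and ACME offers only dns-01 for wildcard names, so wildcard orders
#   should reach the dns01 solver; a `selector.dnsZones` would make that
#   routing explicit instead of implicit. TODO confirm against the
#   cert-manager version in use.
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com  # placeholder; see review notes
    privateKeySecretRef:
      # ACME account key. For a ClusterIssuer this Secret lives in the
      # cert-manager namespace; never commit its contents to the repo.
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            class: nginx
      - dns01:
          cloudflare:
            email: admin@example.com  # placeholder; see review notes
            apiTokenSecretRef:
              # Must exist in the cert-manager namespace (ClusterIssuer scope).
              # Issue the Cloudflare token with only the rights cert-manager
              # documents for this solver (zone read + DNS edit) and only on
              # the zones it needs — it can otherwise rewrite arbitrary DNS.
              name: cloudflare-api-token
              key: api-token
---
# Certificate Management — wildcard certificate
#
# NOTE(review): the resulting Secret `wildcard-tls` is created in the
# cert-manager namespace. Secrets are namespace-scoped, so an Ingress in any
# other namespace cannot reference it directly; either issue the Certificate
# in the consuming namespace or replicate the Secret with a separate mechanism.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
  namespace: cert-manager
spec:
  secretName: wildcard-tls
  commonName: "*.example.com"
  dnsNames:
    - "*.example.com"
    - "example.com"
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  privateKey:
    rotationPolicy: Always  # fresh key on every renewal; the default reuses the old key
  usages:
    - digital signature
    - key encipherment
    - server auth
---
# Production Implementation — complete cert-manager setup
#
# Review notes:
# - This Certificate and the Ingress below both targeted the Secret
#   `production-tls`: the Ingress carried a `cert-manager.io/cluster-issuer`
#   annotation, which makes ingress-shim create a *second* Certificate for the
#   same secretName (with only the two hosts listed under `tls`). Two
#   Certificates writing one Secret fight over it and the admin.example.com
#   SAN comes and goes. The explicit Certificate is kept as the single owner
#   and the annotation is dropped.
# - The Ingress had no namespace; Secrets are namespace-scoped, so it has to
#   live in `production` to reference `production-tls`.
# - Let's Encrypt does not honour a requested `duration` (as of writing); the
#   lifetime is decided by the CA and `renewBefore` is applied to whatever was
#   actually issued. ACME CAs also typically ignore subject fields other than
#   the CN, so `organizations` is advisory.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: production-certs
  namespace: production
spec:
  secretName: production-tls
  duration: 2160h  # 90 days — advisory for ACME issuers, see notes
  renewBefore: 360h  # 15 days
  privateKey:
    rotationPolicy: Always  # fresh key on every renewal; the default reuses the old key
  subject:
    organizations:
      - Example Corp
  commonName: api.example.com
  dnsNames:
    - api.example.com
    - web.example.com
    - admin.example.com  # in the cert, but no Ingress rule routes it below
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  keystores:
    jks:
      create: true
      passwordSecretRef:
        # Secret `jks-password` must already exist in the `production`
        # namespace; the JKS it protects is written next to the TLS Secret.
        name: jks-password
        key: password
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secured-ingress
  namespace: production  # same namespace as the TLS Secret it references
  # Deliberately no cert-manager.io/cluster-issuer annotation: the Certificate
  # above is the single owner of production-tls (see review notes).
spec:
  tls:
    - hosts:
        - api.example.com
        - web.example.com  # selects the cert only; no routing rule exists for it
      secretName: production-tls
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 80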


Container and Infrastructure Security Scanning: A Comprehensive Guide

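## Trivy Implementation

### Container Scanning Pipeline

Review notes: `artifacts.reports.security` is not a GitLab report type, so the
scan output would never be ingested; GitLab's container-scanning ingest expects
its own JSON format (trivy ships `contrib/gitlab.tpl` for it), not SARIF. The
trivy image's entrypoint is `trivy`, so GitLab needs `entrypoint: [""]` to run
the `script:` lines in a shell. Because `--exit-code 1` fails the job on
findings, the report must be uploaded with `when: always` or it is lost exactly
when it matters. `latest` is unpinned — pin a release tag (ideally a digest) so
scanner behaviour is reproducible across pipelines.

```yaml
# GitLab CI Pipeline Configuration
container_scan:
  image:
    name: aquasec/trivy:latest  # pin to a release tag/digest in production
    entrypoint: [""]  # image entrypoint is `trivy`; GitLab needs a shell
  variables:
    TRIVY_NO_PROGRESS: "true"
    TRIVY_CACHE_DIR: ".trivycache/"
  cache:
    paths:
      - .trivycache/  # reuse the vulnerability DB between jobs
  script:
    # Fail on HIGH/CRITICAL and emit GitLab's container-scanning JSON.
    - >-
      trivy image --exit-code 1 --severity HIGH,CRITICAL --no-progress
      --format template --template "@/contrib/gitlab.tpl"
      -o gl-container-scanning-report.json
      "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  artifacts:
    when: always  # upload the report even though findings fail the job
    reports:
      container_scanning: gl-container-scanning-report.json
```

### Kubernetes Manifest Scanning

Review notes: a Job pod template must set `restartPolicy` to `Never` or
`OnFailure` — the default `Always` is rejected by the API server, so this
CronJob would not have been accepted as written. The `/results` volume was
mounted but nothing wrote to it; the scan output went to the container log
only. `trivy-scanner` needs a read-only ClusterRole for the objects it scans —
do not bind it to `cluster-admin`. The `all` target and flag spellings vary
between trivy releases; check them against the pinned version.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: trivy-cluster-scan
spec:
  schedule: "0 0 * * *"
  concurrencyPolicy: Forbid  # don't start a second scan if the previous one overruns
  jobTemplate:
    spec:
      template:
        spec:
          # Bind this ServiceAccount to a read-only ClusterRole; trivy k8s only
          # needs to list/get cluster objects.
          serviceAccountName: trivy-scanner
          restartPolicy: OnFailure  # required for Job pods; Always is invalid here
          containers:
            - name: trivy
              image: aquasec/trivy:latest  # pin to a release tag/digest
              args:
                - k8s
                - --report=summary
                - --severity=HIGH,CRITICAL
                - --output=/results/cluster-scan.txt  # otherwise the PVC mount is unused
                - all
              volumeMounts:
                - name: results
                  mountPath: /results
          volumes:
            - name: results
              persistentVolumeClaim:
                claimName: scan-results
```

## Snyk Integration

### GitHub Action Integration

Review notes: every third-party action is referenced by a mutable branch
(`@master`), which lets the action's maintainers (or anyone who compromises
their repo) run arbitrary code with your `SNYK_TOKEN` on the next workflow run;
pin to a release tag or, better, a full commit SHA. `actions/checkout@v2` runs
on a deprecated Node runtime and is superseded by v4. The workflow declared no
`permissions`, so it inherited the repository default; an explicit read-only
grant is added. Two caveats the author should know about: `pull_request`
events from forks do not receive repository secrets, so `SNYK_TOKEN` will be
empty there and the scans will fail or be skipped; and the container step scans
`your-registry/app:latest`, which is not built by this workflow and will not
correspond to the PR's code.

```yaml
name: Snyk Security Scan
on: pull_request  # fork PRs receive no secrets, so SNYK_TOKEN is empty there
permissions:
  contents: read  # least privilege; nothing here needs to write
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to a release tag or commit SHA rather than a
      # mutable branch; @master is a supply-chain risk.
      - uses: actions/checkout@v4
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master  # TODO pin to a SHA
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high
      - name: Container Scan
        # Assumes the image already exists; no build step precedes this, and
        # `latest` will not match the PR under review.
        uses: snyk/actions/docker@master  # TODO pin to a SHA
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: your-registry/app:latest
          args: --file=Dockerfile
      - name: IaC Scan
        uses: snyk/actions/iac@master  # TODO pin to a SHA
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high
```

## Wiz Implementation

### Cloud Configuration Scanning

```hcl
# Terraform configuration for Wiz
# NOTE(review): the nested trigger{}/actions{} layout here does not obviously
# match the public Wiz Terraform provider's wiz_automation_rule schema; verify
# every attribute against the provider docs before applying.
resource "wiz_automation_rule" "critical_vuln" {
  name        = "Critical Vulnerability Alert"
  description = "Alert on critical vulnerabilities in production"
  enabled     = true

  trigger {
    type = "VULNERABILITY"
    vulnerabilities {
      severity = ["CRITICAL"]
      # Only findings with an available fix raise an alert; CRITICALs with no
      # fix yet are silently excluded by this filter — make sure that is intended.
      has_fix = true
    }
  }

  actions {
    create_issue {
      provider = "JIRA"
      project  = "SEC"
      type     = "Bug"
    }
    send_notification {
      channels = ["SLACK"]
      template = "critical-vuln"
    }
  }
}
```

## Production Implementation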
# Multi-Scanner Integration — ArgoCD Application for Security Scanning
#
# NOTE(review): `targetRevision: HEAD` together with automated sync, prune and
# selfHeal means every push to the default branch of security-configs is
# applied to the cluster at once and any drift is reverted. That is the GitOps
# intent, but for a repo that configures your scanners it makes the repo's
# branch protection and commit signing the effective change control — worth
# confirming those exist before trusting this pipeline.
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: security-scanners
spec:
  project: security
  source:
    repoURL: https://github.com/org/security-configs.git
    targetRevision: HEAD
    path: scanners/
  destination:
    server: https://kubernetes.default.svc
    namespace: security
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      prune: true
      selfHeal: true
---
# Scanner Configuration
#
# NOTE(review): no `metadata.namespace` is set, so this ConfigMap lands in
# whatever namespace the applying tool defaults to. The three embedded files
# are consumed by whatever mounts them; their key names are not all standard
# (trivy's config file documents its own layout for severity / ignore-unfixed,
# and snyk/wiz do not obviously read a YAML file of this shape) — verify each
# against the tool's docs.
apiVersion: v1
kind: ConfigMap
metadata:
  name: scanner-config
data:
  trivy.yaml: |
    severity: CRITICAL,HIGH
    ignore-unfixed: true
    timeout: 10m
  snyk.yaml: |
    severity-threshold: high
    fail-on: upgradable
  wiz.yaml: |
    scan-interval: 6h
    alert-threshold: CRITICAL
    compliance-frameworks:
      - SOC2
      - PCI


Implementing Fastly WAF: Security Best Practices

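## WAF Configuration Fundamentals

### Rule Set Implementation

```vcl
# Custom VCL for WAF integration
sub vcl_recv {
  # Enable WAF for specific paths. `set` overrides any client-supplied value
  # on /api/, but on every other path the header would be whatever the client
  # sent, so it is cleared there as well — the WAF decision should never
  # depend on a request header the client controls.
  # NOTE(review): assumes the WAF condition keys on this header; confirm.
  if (req.url.path ~ "^/api/") {
    set req.http.X-Fastly-WAF-Enabled = "true";
  } else {
    unset req.http.X-Fastly-WAF-Enabled;
  }

  # Custom headers for WAF logging (set, not passed through, so the client
  # cannot forge them).
  set req.http.X-Environment = "production";
  set req.http.X-Application = "api-gateway";
}
```

## Advanced Security Rules

### Custom Rule Configuration

Review note: this rule blocks every POST whose URI contains the substring
`sql`. That is keyword matching, not SQL-injection detection: it will block
legitimate endpoints such as `/api/sql-reports`, and it misses real injection,
which arrives in parameters or the body and rarely needs `sql` in the path.
A custom rule this coarse should start in `log` mode and be justified by
traffic data before it is allowed to block; rely on the OWASP rule set's
SQLi rules for actual detection.

```json
{
  "rule_id": "custom-sqli-protection",
  "severity": "critical",
  "conditions": {
    "operator": "and",
    "conditions": [
      {
        "parameter": "REQUEST_URI",
        "operator": "contains",
        "value": "sql"
      },
      {
        "parameter": "REQUEST_METHOD",
        "operator": "equals",
        "value": "POST"
      }
    ]
  },
  "action": "block"
}
```

## Logging and Monitoring

### Real-time Alert Configuration

Review notes: the original `timestamp` value contained unescaped double quotes
inside the `strftime` call, which is invalid JSON. Fastly's documented form
escapes the braces (`\{"…"\}`), and inside a JSON string both the backslash and
the quotes need escaping again, as shown. The webhook carries no
authentication: anyone who learns the URL can inject fake WAF alerts into the
pipeline, so put a shared-secret header on the endpoint (the HTTPS logging
endpoint supports a header name/value pair — confirm the exact field names in
the Fastly API docs) and validate it on the receiver. Fastly's API takes
`format` as a string, not an object; if this payload is sent directly, the
object must be serialized first.

```json
{
  "name": "waf-alerts",
  "endpoint_type": "https",
  "url": "https://alerts.example.com/webhook",
  "content_type": "application/json",
  "format": {
    "timestamp": "%{strftime(\\{\"%Y-%m-%d %H:%M:%S\"\\}, time.start)}V",
    "client_ip": "%{req.http.Fastly-Client-IP}V",
    "request_id": "%{req.http.Fastly-Request-ID}V",
    "rule_id": "%{waf.rule_id}V",
    "severity": "%{waf.severity}V",
    "action": "%{waf.action}V",
    "message": "%{waf.message}V"
  }
}
```

## Production Implementation

Review notes: in HCL, `%{` opens a template directive inside a quoted string,
so every Fastly `%{...}V` placeholder in the Terraform must be written
`%%{...}V` or `terraform validate` fails; the original also repeated the
unescaped inner quotes from the JSON above. The `"${jsonencode(...)}"`
wrapper is the pre-0.12 interpolation-only form and is simplified to a bare
expression. `version = "latest"` for the rule set means blocking behaviour can
change underneath you without a reviewed change — pin a version and bump it
deliberately.

```hcl
# Terraform configuration for Fastly WAF
# NOTE(review): this targets the legacy Fastly WAF resource, which Fastly has
# retired in favour of its Next-Gen WAF, and the provider's
# fastly_service_waf_configuration schema identifies rules by
# modsec_rule_id / status / revision rather than rule_id / threshold —
# confirm every attribute name against the provider docs for the version in use.
resource "fastly_service_waf_configuration" "production" {
  name = "production-waf"

  rule_set {
    type    = "owasp"
    version = "latest"  # pin; unpinned rule sets change blocking behaviour without review
  }

  rule {
    rule_id   = "1010020"
    status    = "log"
    threshold = 10
  }

  rule {
    rule_id   = "1010030"
    status    = "block"
    threshold = 5
  }

  logging {
    name = "waf-logs"
    # `%{` starts an HCL template directive; Fastly placeholders must be
    # written `%%{...}V`. Braces inside the strftime call are escaped for
    # Fastly (`\{ \}`), and the quotes/backslashes again for HCL.
    format = jsonencode({
      timestamp  = "%%{strftime(\\{\"%Y-%m-%d %H:%M:%S\"\\}, time.start)}V"
      client_ip  = "%%{req.http.Fastly-Client-IP}V"
      request_id = "%%{req.http.Fastly-Request-ID}V"
      rule_id    = "%%{waf.rule_id}V"
      severity   = "%%{waf.severity}V"
      action     = "%%{waf.action}V"
      message    = "%%{waf.message}V"
    })
  }
}
```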
