Wednesday, January 5, 2022

Access K8S rest API using curl command

 To get all the pods from a namespace,

curl -k --cacert ca.crt -H "Authorization: Bearer <The token>" https://172.19.0.3:6443/api/v1/namespaces/metallb-system/pods


Here the IP address and port are those of the k8s API server, and the URL path should always follow this naming convention:

/api/<version>/namespaces/<namespace>/<resourcetype>

In the example above, the version is v1, the namespace is metallb-system, and we are trying to get all the pods.

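Use --cacert to indicate a CA certificate file, and use -k to allow insecure server connections when using SSL. Note that -k turns off verification of the server certificate, so with -k present the connection succeeds even if the server certificate does not chain to the CA file; omit -k to have curl enforce verification against ca.crt.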

Tuesday, January 4, 2022

how does kubernetes_sd_configs actually work?

 When a job is configured like the following:

- job_name: 'kubernetes-pods'
  kubernetes_sd_configs:
  - role: pod
  relabel_configs:
  - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
    action: keep
    regex: true
  - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
    action: replace
    target_label: __metrics_path__
    regex: (.+)
  - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
    action: replace
    regex: ([^:]+)(?::\d+)?;(\d+)
    replacement: $1:$2
    target_label: __address__
  - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
    action: replace
    target_label: __scheme__
    regex: (.+)
 
It is hard to figure out what this is saying. It turns out that this job basically
creates a new URL based on the formula
   ${__scheme__}://${__address__}/${__metrics_path__}
In many cases __scheme__, __address__ and __metrics_path__ all use
their default values, which makes things even more confusing.
For example:
__scheme__ is normally http if it is not specified
__metrics_path__ normally defaults to /metrics
__address__ normally defaults to the object IP address.

So for the pod type, we are looking at http://${POD_IP}:8080/metrics by default.
It is up to the person who configures this job to make up the parts
of the URL by using various actions. For example, in the above configuration
target_label: __metrics_path__ actually uses the pod annotation's
prometheus.io/path value if the pod has such an annotation. If a pod does not
have such an annotation, then the value of __metrics_path__ obviously will
be an empty string, which most likely won't produce a valid URL for Prometheus to
retrieve any metrics.
For target_label __scheme__ in the above example, the action is replace,
so the scheme will basically be whatever the annotation prometheus.io/scheme
indicates.
 
The __address__ label is made up of two parts, put together by the
regular expression from __address__ and the pod annotation prometheus.io/port,
if the pod indeed has that annotation. The default __address__ is the pod IP
address if nothing gets changed.
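
A worked example of the relabeling described above (added here, not part of the original post): a small Python model of the four rules applied to constructed pod targets. It assumes Prometheus's documented relabel behavior, where the regex is anchored against the ';'-joined source values and a replace whose regex does not match leaves the target label untouched. The names scrape_url, RULES and SAMPLE_PODS are made up for this illustration.

```python
import re

# The four relabel rules of the job above: (source_labels, action, regex, replacement, target_label).
# Rules that give no replacement use the Prometheus default, $1.
P = "__meta_kubernetes_pod_annotation_prometheus_io_"
RULES = [
    ([P + "scrape"], "keep", r"true", None, None),
    ([P + "path"], "replace", r"(.+)", "$1", "__metrics_path__"),
    (["__address__", P + "port"], "replace", r"([^:]+)(?::\d+)?;(\d+)", "$1:$2", "__address__"),
    ([P + "scheme"], "replace", r"(.+)", "$1", "__scheme__"),
]

def scrape_url(discovered):
    """Apply RULES to one discovered target; return its scrape URL, or None if dropped."""
    # Job defaults are in place before relabeling (the job sets no scheme or metrics_path).
    labels = {"__scheme__": "http", "__metrics_path__": "/metrics", **discovered}
    for sources, action, regex, replacement, target in RULES:
        # Source values are joined with ';'; a label that is absent reads as "".
        value = ";".join(labels.get(name, "") for name in sources)
        match = re.fullmatch(regex, value)  # the regex is anchored at both ends
        if action == "keep":
            if match is None:
                return None  # target dropped
        elif match is not None:  # replace: no match leaves the target label as it was
            template = re.sub(r"\$(\d+)", r"\\g<\1>", replacement)  # $1 -> \g<1>
            labels[target] = match.expand(template)
    # __metrics_path__ already starts with "/"
    return "{__scheme__}://{__address__}{__metrics_path__}".format(**labels)

# Constructed sample targets, shaped like what the pod role discovers.
SAMPLE_PODS = {
    "all-annotations": {"__address__": "10.244.0.7:8080", P + "scrape": "true",
                        P + "path": "/stats/prometheus", P + "port": "15020", P + "scheme": "https"},
    "port-only": {"__address__": "10.244.0.8:8080", P + "scrape": "true", P + "port": "9102"},
    "no-port-in-address": {"__address__": "10.244.0.9", P + "scrape": "true", P + "port": "9102"},
    "not-annotated": {"__address__": "10.244.0.10:8080"},
}

if __name__ == "__main__":
    for name, pod in SAMPLE_PODS.items():
        print(f"{name:20} -> {scrape_url(pod)}")
```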
 

  
 

Monday, December 6, 2021

Deploy Kiali with Istio external control plane

 When your Istio is using an external control plane, deploying Kiali is not difficult, but you will need to make sure of the following:

1. Deploy Prometheus into the istio-system namespace. Kiali seems to be hard coded (or configured by default) to always look for Prometheus in the istio-system namespace.

2. Change the sample Kiali deployment file so that Kiali goes into the namespace where Istio is installed. In our example, the Istio external control plane is in namespace external-istiod, so in the sample deployment file (which comes with the Istio package) replace istio-system with external-istiod throughout the entire file, so that Kiali and its services, configmaps etc. will all be in external-istiod, then deploy it.

3. Expose the kiali service with a loadbalancer, then access Kiali using the load balancer.

Friday, December 3, 2021

Istio mesh config, config cluster, remote cluster

 When a cluster contains Istio custom resource definitions (CRDs) only, that cluster is called an Istio config cluster, which really just means the cluster at least contains the Istio CRDs. A cluster can be just an Istio config cluster. If a cluster contains more than the CRDs, namely Istiod as well, then it is both a config cluster and a control plane. If a cluster really only contains Istio role definitions such as istio-reader-clusterrole-external-istiod (that is the namespace) and a clusterrolebinding (maybe with the same name), and the mutating webhook configuration, most likely that cluster should be called a remote Istio cluster, which should be used for workloads.


Monday, November 15, 2021

k8s webhooks

Retrieve all the validating webhooks in the cluster

 kg --context kind-cluster1  ValidatingWebhookConfiguration -A

 

 Retrieve all the mutating webhooks in the cluster

kg --context kind-cluster1  MutatingWebhookConfiguration -A

Sunday, October 3, 2021

Config VSCode to debug istio using vscode debug codelens

 The VS Code debug test codelens is great for running just a particular test, but specifying the necessary arguments has been a bit of a mystery. By editing the settings.json file, however, one can get things done.

 

Open the settings.json file and add the following section; you will then be able to specify flags for both build and test.

"go.buildTags": "integ",
"go.testFlags":["-args", "--istio.test.kube.topology=${workspaceFolder}/localtests.external-istiod.json", "--istio.test.skipVM"],

 Notice that go.buildTags is needed to make sure that the build actually works.

go.testFlags is used to specify parameters for build and test. Anything before "-args" is considered a build parameter and anything after "-args" is considered a test parameter. So for an Istio integration test, we simply specify whatever parameters are necessary after "-args", then click on the debug button of one of the tests and set a breakpoint; you can then step through the code in debug mode.

Friday, October 1, 2021

backup and restore iPhone onto mac

 Back up the entire phone onto the Mac, then click on Manage Backups, right click on one of the backups, and select Show in folder to find the backup folder. Copy the entire folder to another location, then remove the folder to save space on the Mac.

To restore the backup to a phone, copy the entire folder back to this folder:

/Users/tongli/Library/Application Support/MobileSync/Backup

Then the phone manager will be able to find the backup, then you can restore that backup to an iPhone.