Monday, March 8, 2021

Install tekton and its dashboard on IBM Cloud

1. Install tekton 0.21.0 
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.21.0/release.yaml
2. Install latest tekton dashboard 
kubectl apply --filename https://storage.googleapis.com/tekton-releases/dashboard/latest/openshift-tekton-dashboard-release.yaml --validate=false
3. Expose the dashboard UI 
kubectl patch svc tekton-dashboard -n tekton-pipelines -p '{"spec": {"type": "LoadBalancer"}}'
4. Access the dashboard by using the external IP (hostname) and port 9097 
kubectl get svc tekton-dashboard -n tekton-pipelines

The external IP or hostname may take a bit of time to be available.

 

For tectoncd/pipeline development, to use ko, set the docker repo env to be the full path like below

export KO_DOCKER_REPO=registry.hub.docker.com/email4tong

 The short name no longer works.

Posted by at No comments:

Thursday, March 4, 2021

Expose TCP traffic examples

After istio is installed, follow these steps:

0. Label the default namespace for istio sidecar injection
kubectl label namespace default istio-injection=enabled --overwrite


1. Patch istio-ingressgateway service so that the new port is supported.

Create a file named patch-service.yaml with the following content: 

spec:
  ports:
  - name: tcp-31400
    protocol: TCP
    port: 31400
    targetPort: 31400
Run the following command 
kubectl -n istio-system patch service istio-ingressgateway --patch "$(cat patch-service.yaml)"

2. Create deployment, service, gateway and virtual service 

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-world-deployment
spec:
  selector:
    matchLabels:
      greeting: hello
      department: world
  replicas: 1
  template:
    metadata:
      labels:
        greeting: hello
        department: world
    spec:
      containers:
      - name: hello
        image: "email4tong/pathecho:latest"
        imagePullPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  name: hello-world
spec:
  selector:
    greeting: hello
    department: world
  ports:
  - protocol: TCP
    port: 7000
    targetPort: 8080
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: tcp-echo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 31400
      name: tcp
      protocol: TCP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tcp-echo
spec:
  hosts:
  - "*"
  gateways:
  - tcp-echo-gateway
  tcp:
  - match:
    - port: 31400
    route:
    - destination:
        host: hello-world.default.svc.cluster.local
        port:
          number: 7000


3. Now use the istio-ingressgateway service external endpoint (IP or hostname) and port 31400 to access the service. In above example, it is a simple http echo, so use curl to test is fine. If the actual service is not http but using any other tcp protocols, then you cannot use curl to test
Posted by at No comments:

Wednesday, March 3, 2021

Istio tcp ingress traffic

 To allow tcp traffic on a specific port using Istio, one will have to patch the istio-ingressgateway service to add the new port if the port is not 80 or 443. Then one will have to create a gateway, a virtual service, and also make sure that the deployments have the sidecar injected automatically. So to summarize:

1. Patch istio-ingressgateway to add new tcp port

2. Create gateway resource

3. Create virtual service resource

4. Make sure that the actual pod is injected with sidecar.

It is very important that the tcp port to be added before the gateway and virtual service resource were created, otherwise, it wont work.

Posted by at No comments:

Sunday, January 31, 2021

k8s ambassador and tls cert management

 With brand new google k8s, do the followings:

1. Set up kubeconfig by using the google connect command found from google cloud console, something similar to this.

gcloud container clusters get-credentials tongedge --zone us-east1-b --project odin-network-301700
2. Run the following command to deploy Ambassador

kubectl apply -f https://www.getambassador.io/yaml/aes-crds.yaml &&
kubectl wait --for condition=established --timeout=90s crd -lproduct=aes&&
kubectl apply -f https://www.getambassador.io/yaml/aes.yaml &&
kubectl -n ambassador wait --for condition=available --timeout=90s deploy -lproduct=aes
Now, get the external ip address 

 kubectl get -n ambassador service ambassador -o
 "go-template={{range .status.loadBalancer.ingress}}{{or .ip .hostname}}{{end}}"
3. Deploy kubernetes cert-manager

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml 
Verify cert manager is working correctly 

kubectl get pods --namespace cert-manager

k8s cert manager reference link https://cert-manager.io/docs/installation/kubernetes/ 

Now create a mapping and a service to make sure cert-manager created ingress can meet the http01 chanllenge. 

---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-challenge-mapping
spec:
  prefix: /.well-known/acme-challenge/
  rewrite: ""
  service: acme-challenge-service
---
apiVersion: v1
kind: Service
metadata:
  name: acme-challenge-service
spec:
  ports:
  - port: 80
    targetPort: 8089
  selector:
    acme.cert-manager.io/http01-solver: "true"
The ambassador external ip now can be used to configure your dns entry via whatever the dns providers. The end result will be your domain name can be resolved into the ambassador external IP address.
To request a certificate, one has to set up an issuer first, using the follow yaml file to accomplish that. 

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"
    privateKeySecretRef:
      name: letencrypt-secret
    solvers:
    - http01:
        ingress:
          class: nginx
      selector: {}


apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tonglitls
  namespace: default
spec:
  dnsNames:
    - tongli.myddns.me
  secretName: tonglitls-secret
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt

 

 

Posted by at No comments:

Friday, January 8, 2021

4K Video Download app is the tool to help everyone

We are using a lot of free online videos for study, singing. Due to network issues, sometimes it is a big distraction when we use these videos online, with 4K video download, we can download these videos before we need them, this helped us a lot, it also allowed us to skip unwanted/unexpected ads during the real session which in some cases causes big embarrassment.

 

4KDownload performed really well when you download videos, I have not experienced any failures downloading videos regardless the video quality or my internet speed. The user interface is extremely easy to use, there is no learning curves to overcome, as soon as you see the user interface, one who can click a mouse will be able to use it. It not only works on Windows but also on OS X so that you would not have to worry about if your computer supports such nice tool. I've been using the free version for awhile, cannot wait to experience the load of features with paid version. I highly recommend anyone to try this free app. To get more information, please follow one of the links below.  

 


https://www.4kdownload.com/products/product-videodownloader/?r=free_license https://www.4kdownload.com/products/product-youtubetomp3/?r=free_license https://www.4kdownload.com/products/product-stogram/?r=free_license

Posted by at No comments:

Friday, November 13, 2020

Verify cert and private key of pair created using EC algorithm

 

Retrieve the public key from cert and do a md5

openssl x509 -in server.crt -pubkey -noout | openssl md5

 

Retrieve the public key from private key and do a md5

openssl pkey -pubout -in server.key | openssl md5


If the outputs from two commands match, then the certificate must be created from the private key.

Posted by at No comments:

Thursday, October 15, 2020

Hyperledger Fabric event listener

 Function to listen to chaincode event

func listenEvents() {
cnfg := config.FromFile("./connection.json")
fmt.Println(reflect.TypeOf(cnfg))
sdk, err := fabsdk.New(cnfg)
if err != nil {
fmt.Printf("Failed to create new SDK: %s", err)
}
defer sdk.Close()
clientChannelContext := sdk.ChannelContext(channelID, fabsdk.WithUser(orgAdmin), fabsdk.WithOrg(orgName))
eventClient, err := event.New(clientChannelContext, event.WithBlockEvents(),
event.WithSeekType(seek.Oldest))
if err != nil {
fmt.Printf("Not be able to create new events client: %s", err)
}

reg, notifier, err := eventClient.RegisterChaincodeEvent("offering", "OFFERING SUBMITTED")
defer eventClient.Unregister(reg)

donechannel := make(chan string)
go func() {
// Just a function to demostrate that we can send signal to end the listening loop
time.Sleep(1 * time.Minute)
donechannel <- "QUIT NOW"
}()

defer close(donechannel)
end:
for {
select {
case ccEvent := <-notifier:
fmt.Printf("Received cc event: %#v", ccEvent)
fmt.Printf("The payload is %v", ccEvent.Payload)
fmt.Printf("TxID is %s", ccEvent.TxID)
case msg := <-donechannel:
fmt.Printf(msg)
break end
}
}
fmt.Println("Process finished")
}
Posted by at No comments:
Subscribe to: Posts (Atom)