• Using AWS Secrets Manager secrets and Systems Manager parameters in Kubernetes with KES

    4 min read

    By using Kubernetes External Secrets (KES) we can use external secret management systems, like AWS Secrets Manager or Vault, to securely add secrets to Kubernetes.

    This is achieved by using the ExternalSecret object, which declares how to fetch the secret data, while the KES controller converts the ExternalSecrets to Secrets. The conversion is completely transparent to Pods, which can access the Secrets normally.

    29/11/2021

    Read more...
  • Helm: Usage of definitions across files

    1 min read

    helm template definition

    Sometimes writing Helm charts can be very challenging due to the weird errors we might get:

    <sha256sum>: wrong type for value; expected string; got chartutil.Values
    

    26/11/2021

    Read more...
  • How to retrieve one of the elements of an array on a Helm template

    2 min read

    helm template array index element

    While working on Helm charts we might be interested in using a particular element of an array (most likely the first). To achieve this we won't be able to use the regular square brackets approach; instead we will have to use the index function.

    25/11/2021

    Read more...
  • IRSA: How to create an IAM role for a specific ServiceAccount

    2 min read

    AWS EKS Kubernetes IRSA

    On AWS EKS you can associate an IAM role with a Kubernetes service account. The assume role policy is going to look like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::123456789123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20:sub": "system:serviceaccount:demons:demosa"
            }
          }
        }
      ]
    }
    

    Let's take a look at how to create this role using Terraform.

    24/11/2021

    Read more...
  • How to enable GUI mode for the aws-azure-login docker container

    2 min read

    If you use Azure Active Directory to provide SSO login you might be using aws-azure-login to perform the normal Azure AD login (including MFA) from the command line and create a federated AWS session, placing the temporary credentials where the AWS CLI and other tools like Terraform can use them.

    If the tool is failing you might need to use the GUI mode to check what's going on, but if you are using the docker container you will get the following error instead:

    $ aws-azure-login --profile prod --mode=gui
    Logging in with profile 'prod'...
    Using AWS SAML endpoint https://signin.aws.amazon.com/saml
    Error: Failed to launch the browser process!
    Fontconfig warning: "/etc/fonts/fonts.conf", line 100: unknown element "blank"
    [16:16:1122/083057.367058:ERROR:browser_main_loop.cc(1425)] Unable to open X display.
    
    
    TROUBLESHOOTING: https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md
    
        at onClose (/aws-azure-login/node_modules/puppeteer/lib/cjs/puppeteer/node/BrowserRunner.js:194:20)
        at ChildProcess.<anonymous> (/aws-azure-login/node_modules/puppeteer/lib/cjs/puppeteer/node/BrowserRunner.js:185:79)
        at ChildProcess.emit (events.js:387:35)
        at ChildProcess.emit (domain.js:470:12)
        at Process.ChildProcess._handle.onexit (internal/child_process.js:277:12)
    

    23/11/2021

    Read more...
  • Encode and decode passwords and other Jenkins settings

    1 min read

    In the Jenkins configuration files and credentials.xml we can find some encoded strings, like usernames and passwords. We can use Jenkins itself to decode them.

    17/11/2021

    Read more...
  • Helm: Include definitions on templates

    2 min read

    helm template include define

    Sometimes we might need to add the same content twice in the same Helm chart. A typical example would be the labels on the Pods that need to match the selectors on the Service. To help with this, when you create a Helm chart there are already some default definitions, for example:

    {{/*
    Common labels
    */}}
    {{- define "pet2cattle.labels" -}}
    helm.sh/chart: {{ include "pet2cattle.chart" . }}
    {{ include "pet2cattle.selectorLabels" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    {{- end }}
    
    {{/*
    Selector labels
    */}}
    {{- define "pet2cattle.selectorLabels" -}}
    app.kubernetes.io/name: {{ include "pet2cattle.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    {{- end }}
    

    16/11/2021

    Read more...
  • Helm template: Array to a comma separated string

    2 min read

    helm template array comma separated

    While writing Helm charts we might need to transform values that are defined as an array in the values file into a comma-separated string.

    12/11/2021

    Read more...
  • AWS Secrets Manager on Kubernetes using AWS Secrets CSI driver Provider

    2 min read

    In the AWS Secrets Manager documentation we can find how AWS recommends integrating it with AWS EKS using ASCP (the AWS Secrets and Configuration Provider) and the Secrets Store CSI Driver.

    11/11/2021

    Read more...
  • Kubernetes: Quality of Service for Pods

    2 min read

    Pod QoS

    On Kubernetes there are three QoS (Quality of Service) classes that a Pod can use. We can check which class a Pod is using by looking at qosClass under status:

    $ kubectl get pod pet2cattle-swag-746956854c-62psn -n website -o jsonpath='{.status.qosClass}'
    Burstable
    

    10/11/2021

    Read more...

Older content...

From pet to cattle
Treat your kubernetes clusters like cattle, not pets