• How to retrieve one of the elements of an array on a Helm template

    2 min read

    While working on Helm charts we might be interested in using a particular element of an array (most likely the first). To achieve this we can't use the regular square-bracket approach; instead we have to use the index function


  • IRSA: How to create an IAM role for a specific ServiceAccount

    2 min read

    On AWS EKS you can associate an IAM role with a Kubernetes service account. The assume role policy is going to look like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::123456789123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20:sub": "system:serviceaccount:demons:demosa"
            }
          }
        }
      ]
    }

    Let's take a look at how to create this role using Terraform


  • How to enable GUI mode for the aws-azure-login docker container

    2 min read

    If you use Azure Active Directory to provide SSO login, you might be using aws-azure-login to go through the normal Azure AD login (including MFA) from the command line and create a federated AWS session, placing the temporary credentials where the AWS CLI and other tools like Terraform can use them

    If the tool is failing you might need to use the GUI mode to check what's going on, but if you are using the docker container you will get the following error instead:

    $ aws-azure-login --profile prod --mode=gui
    Logging in with profile 'prod'...
    Using AWS SAML endpoint https://signin.aws.amazon.com/saml
    Error: Failed to launch the browser process!
    Fontconfig warning: "/etc/fonts/fonts.conf", line 100: unknown element "blank"
    [16:16:1122/083057.367058:ERROR:browser_main_loop.cc(1425)] Unable to open X display.
    TROUBLESHOOTING: https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md
        at onClose (/aws-azure-login/node_modules/puppeteer/lib/cjs/puppeteer/node/BrowserRunner.js:194:20)
        at ChildProcess.<anonymous> (/aws-azure-login/node_modules/puppeteer/lib/cjs/puppeteer/node/BrowserRunner.js:185:79)
        at ChildProcess.emit (events.js:387:35)
        at ChildProcess.emit (domain.js:470:12)
        at Process.ChildProcess._handle.onexit (internal/child_process.js:277:12)


  • Encode and decode passwords and other Jenkins settings

    1 min read

    In the Jenkins configuration files and credentials.xml we can find some encoded strings, like usernames and passwords. We can use Jenkins itself to decode them


  • Helm: Include definitions on templates

    2 min read

    Sometimes we might need to add the same content twice in the same Helm chart. A typical example would be the labels on the Pods, which need to match the selectors on the Service. For this, when you create a Helm chart there are already some default definitions, for example:

    {{/*
    Common labels
    */}}
    {{- define "pet2cattle.labels" -}}
    helm.sh/chart: {{ include "pet2cattle.chart" . }}
    {{ include "pet2cattle.selectorLabels" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    {{- end }}

    {{/*
    Selector labels
    */}}
    {{- define "pet2cattle.selectorLabels" -}}
    app.kubernetes.io/name: {{ include "pet2cattle.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    {{- end }}


