• IRSA: How to create an IAM role for a specific ServiceAccount

    2 min read

    AWS EKS Kubernetes IRSA

    On AWS EKS you can associate an IAM role with a Kubernetes service account. The assume role policy is going to look like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::123456789123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20:sub": "system:serviceaccount:demons:demosa"
            }
          }
        }
      ]
    }
    

    Let's take a look at how to create this role using Terraform.

    24/11/2021

  • How to enable GUI mode for the aws-azure-login docker container

    2 min read

    If you use Azure Active Directory to provide SSO login you might be using aws-azure-login to perform the normal Azure AD login (including MFA) from the command line and create a federated AWS session, placing temporary credentials where the AWS CLI and other tools such as Terraform can use them.

    If the tool is failing you might need to use the GUI mode to check what's going on, but if you are using the Docker container you will get the following error instead:

    $ aws-azure-login --profile prod --mode=gui
    Logging in with profile 'prod'...
    Using AWS SAML endpoint https://signin.aws.amazon.com/saml
    Error: Failed to launch the browser process!
    Fontconfig warning: "/etc/fonts/fonts.conf", line 100: unknown element "blank"
    [16:16:1122/083057.367058:ERROR:browser_main_loop.cc(1425)] Unable to open X display.
    
    
    TROUBLESHOOTING: https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md
    
        at onClose (/aws-azure-login/node_modules/puppeteer/lib/cjs/puppeteer/node/BrowserRunner.js:194:20)
        at ChildProcess.<anonymous> (/aws-azure-login/node_modules/puppeteer/lib/cjs/puppeteer/node/BrowserRunner.js:185:79)
        at ChildProcess.emit (events.js:387:35)
        at ChildProcess.emit (domain.js:470:12)
        at Process.ChildProcess._handle.onexit (internal/child_process.js:277:12)
    

    23/11/2021

  • Encode and decode passwords and other Jenkins settings

    1 min read

    In the Jenkins configuration files and in credentials.xml we can find encoded strings, such as usernames and passwords. We can use Jenkins itself to decode them.

    17/11/2021

  • Helm: Include definitions on templates

    2 min read

    helm template include define

    Sometimes we might need to add the same content twice in the same Helm chart. A typical example would be the labels on the Pods, which need to match the selectors on the Service. For this, when you create a Helm chart there are already some default definitions, for example:

    {{/*
    Common labels
    */}}
    {{- define "pet2cattle.labels" -}}
    helm.sh/chart: {{ include "pet2cattle.chart" . }}
    {{ include "pet2cattle.selectorLabels" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    {{- end }}
    
    {{/*
    Selector labels
    */}}
    {{- define "pet2cattle.selectorLabels" -}}
    app.kubernetes.io/name: {{ include "pet2cattle.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    {{- end }}
    

    16/11/2021

  • Helm template: Array to a comma separated string

    2 min read

    helm template array comma separated

    While writing Helm charts we might need to transform a value that is defined as an array into a comma-separated string.

    12/11/2021
