Test and validate dnssec in dnsmasq by docker-compose

Example code: https://github.com/RammusXu/toolkit/tree/master/docker/dnsmasq

Install dnsmasq-dnssec

apk add dnsmasq-dnssec

Run it in the foreground and print every query to the log

dnsmasq --no-daemon --log-queries

Let’s go

Start containers

docker-compose up

Debug in another container

docker exec -it dnsmasq_runner_1 sh
/ #

Result

With dnssec

dig @dnsmasq +dnssec swag.live

; <<>> DiG 9.14.8 <<>> @dnsmasq +dnssec swag.live
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57890
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;swag.live. IN A

;; ANSWER SECTION:
swag.live. 21599 IN A 35.227.233.133
swag.live. 21599 IN RRSIG A 8 2 86400 20200406104653 20200315104653 19866 swag.live. al64n9p4EyKjVQLXawYf3gCnoZIyoZM5jI+yyY0virxuGXmSzRGvvl70 0cKBHmdPyXZThWzY2ZAQVW3RJVPrUFBNQ2bPR2WbC/8GI3S/pESMEboN r8nyVllydj00My//PA1JNxv06gn6zpH/gMN56xZDJhv/HDJ0PqPGcZ77 Aw8=

;; Query time: 87 msec
;; SERVER: 192.168.128.2#53(192.168.128.2)
;; WHEN: Tue Mar 17 04:07:30 UTC 2020
;; MSG SIZE rcvd: 223
  • Record: RRSIG. If DNSSEC is enabled for your domain, this Resource Record Signature will be present in the answer.
  • flags: ad. A domain whose DNSSEC chain was validated correctly gets this "authenticated data" flag.
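An added check, written for this post and not part of the example repo: a small Python script that parses dig replies like the two shown here and reports the DNSSEC state (validated, signed but not validated, unsigned, or SERVFAIL). The two samples are abridged from the replies above; the SERVFAIL reply is constructed.

```python
import re
# Constructed samples, abridged from the two dig replies in the post above.
VALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57890
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
;; ANSWER SECTION:
swag.live. 21599 IN A 35.227.233.133
swag.live. 21599 IN RRSIG A 8 2 86400 20200406104653 20200315104653 19866 swag.live. al64n9...
"""
UNSIGNED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34327
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
;; ANSWER SECTION:
google.com. 232 IN A 172.217.27.142
"""
# Constructed (not from the post): a validating dnsmasq answers SERVFAIL when
# the signature chain is bogus, so the client gets no answer at all.
BOGUS = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
"""

def parse_dig(text):
    """Extract the DNSSEC-relevant pieces of a dig reply: rcode, header flags,
    whether the DO bit was set, and whether any record in the reply is an RRSIG."""
    status = re.search(r"status:\s*(\w+)", text)
    flags = re.search(r";; flags:([^;]*);", text)
    records = [l.split() for l in text.splitlines() if l and not l.startswith(";")]
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "do": bool(re.search(r"EDNS:.*flags:[^;]*\bdo\b", text)),
        "rrsig": any(r[3:4] == ["RRSIG"] for r in records),
    }

def dnssec_state(text):
    """Classify a reply as validated, signed-unvalidated, unsigned or servfail."""
    p = parse_dig(text)
    if p["status"] == "SERVFAIL":
        # Failed validation or a broken upstream; re-query with +cd to tell them apart.
        return "servfail"
    if "ad" in p["flags"]:
        return "validated"            # resolver verified the chain up to its trust anchor
    if p["rrsig"]:
        return "signed-unvalidated"   # zone is signed, but this resolver did not validate
    return "unsigned"                 # no signatures at all: nothing protects this answer
if __name__ == "__main__":
    for name, reply in (("swag.live", VALIDATED), ("google.com", UNSIGNED), ("bogus", BOGUS)):
        print(name, dnssec_state(reply))
```

Pipe real output into it with `dig @dnsmasq +dnssec example.org | python3 -c 'import sys, check; print(check.dnssec_state(sys.stdin.read()))'` if you save the script as check.py.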

Without dnssec

dig @dnsmasq +dnssec google.com

; <<>> DiG 9.14.8 <<>> @dnsmasq +dnssec google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34327
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 232 IN A 172.217.27.142

;; Query time: 43 msec
;; SERVER: 192.168.128.2#53(192.168.128.2)
;; WHEN: Tue Mar 17 04:07:32 UTC 2020
;; MSG SIZE rcvd: 55


letsencrypt is revoking certificates on 2020-03-05 03:00 UTC

Revocation is currently scheduled to begin at 2020-03-04 20:00 UTC

Original post: https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864

Because of the 2020.02.29 CAA Rechecking Bug, Let's Encrypt will revoke certain certificates. About 2.6% of issued certificates, more than 3 million, are affected, and all affected certificates will be revoked no later than 2020-03-05 03:00 UTC.

You can check whether your site's certificate is affected with the following website or with curl:
https://checkhost.unboundtest.com/

$ curl -XPOST -d 'fqdn=letsencrypt.org' https://checkhost.unboundtest.com/checkhost
The certificate currently available on letsencrypt.org is OK. It is not one of the certificates affected by the Let's Encrypt CAA rechecking problem. Its serial number is 03a1c95bdaa36a8268327f2253cbd3ba243

If you have many domains to check, you can use this tool: https://github.com/hannob/lecaa

Solution

certbot renew --force-renewal

HPA not working in Mac docker-desktop

I ran into errors when trying to apply an HPA on Mac docker-desktop. The cause is metrics-server: without it the cluster has no resource metrics API for the HPA to read.

Solution

helm install my-metrics-server --set "args={--kubelet-insecure-tls}" stable/metrics-server --namespace kube-system

Problems

the server could not find the requested resource (get services http:heapster:)

ScalingActive False FailedGetResourceMetric the HPA was unable to compute the replica count: unable to get metrics for resource cpu: no metrics returned from resource metrics API

Warning FailedGetResourceMetric 9m49s (x160 over 73m) horizontal-pod-autoscaler unable to get metrics for resource cpu: unable to fetch metrics from resource metrics API: the server could not find the requested resource (get pods.metrics.k8s.io)
Warning FailedComputeMetricsReplicas 5m1s (x179 over 73m) horizontal-pod-autoscaler failed to get cpu utilization: unable to get metrics for resource cpu: unable to fetch metrics from resource metrics API: the server could not find the requested

$ kubectl top pods --all-namespaces
Error from server (NotFound): the server could not find the requested resource (get services http:heapster:)
$ kubectl top nodes
Error from server (NotFound): the server could not find the requested resource (get services http:heapster:)


Cloudflare Worker - Get API Token

This post shows how to obtain the API_TOKEN that wrangler needs.

Step 1: Click My Profile

Step 2: Click Create Token

Step 3: Use template Edit Cloudflare Workers

Step 4: Edit detail permissions

The following permissions are used here:

  • Workers KV Storage: the key-value storage service.
  • Workers Scripts: the serverless code itself.
  • Workers Routes: the routing from DNS to the worker scripts.

Account Resources: which account's or group's domains you want to use.
Zone Resources: which zone (domain) you want to use.
