Use docker to test GCP service account permission (No personal docker image used)

This post uses the Google public image gcr.io/cloud-builders/gsutil and passes the service-account key into the container via bash -c, showing how to test a GCP service account without installing the Google SDK.

docker run -it --rm --entrypoint bash <image> opens an interactive shell inside the container.

#docker #docker-tips #gcp #service-account #gcloud-auth #gcs

Preparation

  • Export service-account.json from GCP
  • Docker

Let’s Go

SA=$(base64 < service-account.json | tr -d '\n')   # strip the line wrapping GNU base64 adds, otherwise the unquoted $SA below splits into words and base64 -d rejects it
docker run -it --rm --entrypoint bash gcr.io/cloud-builders/gsutil -c "
echo $SA | base64 -d > sa.json
gcloud auth activate-service-account --key-file=sa.json
bash
"

Test the permissions with gsutil

echo hello > test.txt
gsutil cp test.txt gs://<replace_this_with_your_bucket>

If the service account has no permission on the bucket:

AccessDeniedException: 403 xxxxx@xxxx.iam.gserviceaccount.com does not have storage.objects.create access to xxxxx.xxx/test.txt.

Integrating Slack and Grafana with Hubot

How it started: my boss wanted to look at a certain Grafana panel on his phone and told me to come up with something (・ε・)

This post uses hubot-grafana to integrate Slack and Grafana: through the chatbot, a user can save a Grafana panel directly as an image and upload it to Slack.
As shown below:

This post does not cover:

  • Grafana Setup
  • NodeJS Setup

Tools used:

Project Setup

mkdir grafana-bot
cd grafana-bot

npm install -g yo generator-hubot
yo hubot
npm install hubot-grafana --save

Add hubot-grafana to external-scripts.json

[
...
"hubot-grafana"
]

Read More

Kubernetes: Use .crt and .key in Ingress

Notes on using the .crt and .key obtained from GoDaddy in Kubernetes, and on checking the certificate with curl and openssl.

Resources used in this post:

  • Nginx Ingress Controller: required before Ingress resources work
    kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
    kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
  • Deployment, Service, Ingress: see https://github.com/RammusXu/toolkit/tree/master/k8s/ingress
    kubectl apply -k .
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: demo-ingress
      annotations:
        kubernetes.io/ingress.class: nginx
    spec:
      tls:
      - secretName: rammus-tls
      rules:
      - http:
          paths:
          - path: /
            backend:
              serviceName: helloweb-service
              servicePort: 8080
        host: rammus.tw

When you receive the certificate from GoDaddy, you should have these files:

  • xxxx.crt: the cert for the domain you applied for
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  • xxxx.pem: the same content as xxxx.crt
  • gd_bundle-g2-g1.crt: GoDaddy's intermediate certs
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

  • xxxx.key: the private key paired with xxxx.crt
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----

Next, append the intermediate certs after the domain cert to produce chain.crt, then import it as a Kubernetes Secret.

cat xxxx.crt gd_bundle-g2-g1.crt > chain.crt
kubectl create secret tls --cert chain.crt --key xxxx.key rammus-tls
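The checks worth running before the kubectl create secret step, as an added example that is not part of the original post. It assumes the file names the post uses (xxxx.crt, xxxx.key, gd_bundle-g2-g1.crt) and builds a throwaway root and leaf locally (constructed data) so it can be run offline; with a real GoDaddy bundle, which holds intermediates only, the root comes from the system trust store, so verify with openssl verify -untrusted gd_bundle-g2-g1.crt xxxx.crt instead.

```shell
#!/usr/bin/env bash
# Added example, not the post's own script: sanity-check a GoDaddy-style
# cert set with openssl before it goes into a Kubernetes TLS secret.
#   1. the private key really belongs to xxxx.crt
#   2. xxxx.crt validates against the intermediate bundle
#   3. chain.crt (leaf first, then bundle, as the post builds it) starts with the leaf
# run_demo generates a throwaway root + leaf (constructed data) in a temp dir.
set -eu

# 0 if the public key inside the cert equals the public half of the key.
# Both sides are compared as PEM SubjectPublicKeyInfo, so mismatched
# algorithms or sizes fail as well. Unreadable files never match.
key_matches_cert() {
  local cert=$1 key=$2 cpub kpub
  cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# 0 if the leaf chains to a trust anchor found in the bundle.
# A real GoDaddy bundle has no self-signed root, so there you would drop
# -CAfile and rely on the system store:  openssl verify -untrusted bundle leaf
chain_verifies() {
  local cert=$1 bundle=$2
  openssl verify -CAfile "$bundle" -untrusted "$bundle" "$cert" >/dev/null 2>&1
}

# Leaf first, then intermediates: the order nginx-ingress expects in tls.crt.
build_chain() {
  cat "$1" "$2" > chain.crt
}

# Runs every check against constructed demo material; prints "ok" only when
# each check gives the expected result (including the mismatch case failing).
run_demo() (
  cd "$(mktemp -d)"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout ca.key -out gd_bundle-g2-g1.crt >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=rammus.tw" \
    -keyout xxxx.key -out xxxx.csr >/dev/null 2>&1
  openssl x509 -req -days 1 -in xxxx.csr -CA gd_bundle-g2-g1.crt -CAkey ca.key \
    -CAcreateserial -out xxxx.crt >/dev/null 2>&1
  openssl genpkey -algorithm RSA -out wrong.key >/dev/null 2>&1   # unrelated key

  key_matches_cert xxxx.crt xxxx.key          || { echo "key mismatch"; return 1; }
  ! key_matches_cert xxxx.crt wrong.key       || { echo "wrong key accepted"; return 1; }
  chain_verifies xxxx.crt gd_bundle-g2-g1.crt || { echo "chain broken"; return 1; }
  build_chain xxxx.crt gd_bundle-g2-g1.crt
  # openssl x509 reads the first PEM block, so this proves the leaf comes first
  [ "$(openssl x509 -in chain.crt -noout -subject)" = \
    "$(openssl x509 -in xxxx.crt -noout -subject)" ] \
    || { echo "leaf not first in chain"; return 1; }
  # only now would the post's import step run:
  #   kubectl create secret tls rammus-tls --cert chain.crt --key xxxx.key
  echo ok
)
```

Run it with `source check.sh && run_demo`; after the secret is created, `curl -v https://rammus.tw` should show the leaf and the GoDaddy intermediate in the handshake output rather than an "unable to get local issuer certificate" error.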

Test whether the certificate is correct



Read More

Kubernetes: Deleting Namespace Stuck at Terminating State

Problem

Sometimes a namespace stays in Terminating and never finishes.

Error from server (Conflict): Operation cannot be fulfilled on namespaces "demo":
The system is ensuring all content is removed from this namespace. Upon completion,
this namespace will automatically be purged by the system.

Solution

Open a terminal and run:

~ kubectl proxy
Starting to serve on 127.0.0.1:8001

In another terminal, run the following.

Replace ns=demo with the namespace you want to delete:

ns=demo
kubectl get namespace $ns -o json |sed 's/"kubernetes"//g' > tmp.json
curl -k -H "Content-Type: application/json" -X PUT --data-binary @tmp.json http://127.0.0.1:8001/api/v1/namespaces/$ns/finalize

or

ns=demo
curl -X PUT \
--data-binary @<(kubectl get namespace $ns -o json | sed 's/"kubernetes"//g') \
-H "Content-Type: application/json" \
http://127.0.0.1:8001/api/v1/namespaces/$ns/finalize

Inspired by:

https://github.com/kubernetes/kubernetes/issues/60807#issuecomment-408599873

GitHub Actions: switching to the new beta v2 format (yaml)

Tips

Run the job only on the master branch.

if: github.ref == 'refs/heads/master'

Because push events fire on every branch, this condition restricts the job so that publishing happens only on master.

ref:https://github.community/t5/GitHub-Actions/GitHub-Actions-branch-conditional/m-p/29825#M171


Current limitations as of 2019-10-09

Not cache artifacts and packages: We appreciate the feedback, it’s clear to us that this is necessary. We’re working on caching packages and artifacts between workflow executions, we’ll have it by mid-November.

Files cannot be cached between workflow runs yet, so every build has to re-fetch its dependency packages. Docker layers are not cached either, so every image build starts from scratch.

No Team Level Secret: This is something that is on our backlog for a future update.

Team/Organization-level secrets are not supported yet, so secrets have to be configured in every repository, which is quite tedious.

Reference