Forem: Joseph D. Marhee The latest articles on Forem by Joseph D. Marhee (@jmarhee). https://forem.com/jmarhee https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F31737%2F454de5c2-2573-47ac-9609-c79ed677839f.jpg Forem: Joseph D. Marhee https://forem.com/jmarhee en Sampling Methods in Python Joseph D. Marhee Tue, 04 Jul 2023 04:06:09 +0000 https://forem.com/jmarhee/sampling-methods-in-python-3li8 https://forem.com/jmarhee/sampling-methods-in-python-3li8 <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--FJlyGF-p--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/1024/0%2AafKLe604qSAitSpb" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--FJlyGF-p--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/1024/0%2AafKLe604qSAitSpb" width="800" height="640"></a><br> <em>Photo by Clay Banks on Unsplash</em></p> <p>Sampling is a fundamental concept in statistics and data analysis. It involves selecting a subset of individuals or data points from a larger population for analysis. In Python, there are various sampling methods available that allow us to extract representative samples from a population.</p> <p>In this document, we will explore different sampling methods in Python and provide code examples for each method. We will cover the following sampling methods:</p> <ol> <li>Simple Random Sampling</li> <li>Stratified Sampling</li> <li>Cluster Sampling</li> <li>Systematic Sampling</li> </ol> <p>Let’s dive into each method and see how it can be implemented in Python.</p> <h3> 1. Simple Random Sampling </h3> <p>Simple random sampling involves randomly selecting individuals from a population without any specific criteria. Each individual has an equal chance of being selected. This method is commonly used when the population is homogenous.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import random population = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10] sample_size = 5 sample = random.sample(population, sample_size) print(sample) </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[3, 5, 9, 7, 1] </code></pre> </div> <h3> 2. Stratified Sampling </h3> <p>Stratified sampling involves dividing the population into distinct subgroups or strata based on certain characteristics. Then, a random sample is selected from each stratum proportionate to its size. This method ensures that each subgroup is adequately represented in the final sample.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>from sklearn.model_selection import train_test_split data = [...] # Your dataset labels = [...] # Labels for each data point # Stratified sampling using train_test_split from scikit-learn train_data, test_data, train_labels, test_labels = train_test_split(data, labels, test_size=0.2, stratify=labels) </code></pre> </div> <h3> 3. Cluster Sampling </h3> <p>Cluster sampling involves dividing the population into clusters or groups. Instead of selecting individuals, entire clusters are chosen randomly. This method is useful when it is difficult or expensive to access individual elements of the population.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import random clusters = [[1, 2, 3], [4, 5, 6], [7, 8, 9], [10, 11, 12]] cluster_sample_size = 2 selected_clusters = random.sample(clusters, cluster_sample_size) sample = [] for cluster in selected_clusters: sample.extend(cluster) print(sample) </code></pre> </div> <h3> 4. Systematic Sampling </h3> <p>Systematic sampling involves selecting individuals from a population at regular intervals after an initial random start. This method is useful when the population is large and ordered in some way.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>population = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10] sample_size = 3 start_index = random.randint(0, sample_size - 1) sample = [population[i] for i in range(start_index, len(population), sample_size)] print(sample) </code></pre> </div> <p>These are just a few examples of sampling methods available in Python. Depending on your specific requirements and the characteristics of your data, you may need to adapt or combine these methods to achieve the desired sampling outcome.</p> <p>Remember that sampling is a powerful technique for analyzing large datasets and making inferences about a population. It allows us to draw meaningful conclusions while reducing computational costs and time.</p> datasceince statistics python biostatistics How to delete a Kubernetes namespace stuck at Terminating Status Joseph D. Marhee Wed, 17 Aug 2022 21:27:37 +0000 https://forem.com/jmarhee/how-to-delete-a-kubernetes-namespace-stuck-at-terminating-status-53o5 https://forem.com/jmarhee/how-to-delete-a-kubernetes-namespace-stuck-at-terminating-status-53o5 <p>After running a command like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete my-namespace </code></pre> </div> <p>and the command hangs indefinitely after accepting the deletion request, you might find it sitting at <code>Terminating</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get ns/my-namespace NAME STATUS AGE testing Terminating 113m </code></pre> </div> <p>This might be due to a <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/finalizers/">Finalizer</a> in the spec, specific conditions to be met during deletion. You can view the finalizers for your namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">...</span><span class="w"> </span><span class="nl">"spec"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"finalizers"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"kubernetes"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">...</span><span class="w"> </span></code></pre> </div> <p>This is what a standard namespace with no other conditions might otherwise look like, so if it's hanging, this is likely way.</p> <p>You can modify the resource using <code>kubectl edit ns/my-namespace</code>, and replace the finalizer with an empty array:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">...</span><span class="w"> </span><span class="nl">"spec"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"finalizers"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">...</span><span class="w"> </span></code></pre> </div> <p>or use the Kube API to update the specification to allow it to finalize manually if this is unsuccessful by dumping the resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get ns/my-namespace <span class="nt">-o</span> json <span class="o">&gt;</span> my-namespace.json </code></pre> </div> <p>and editing that <code>my-namespace.json</code> to remove the finalizer, and then making a <code>PUT</code> request to the API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl replace <span class="nt">--raw</span> <span class="s2">"/api/v1/namespaces/my-namespace/finalize"</span> <span class="nt">-f</span> ./my-namespace.json </code></pre> </div> <p>or using an HTTP client to issue the request (usually will require authentication if not exposing via <a href="https://kubernetes.io/docs/tasks/extend-kubernetes/http-proxy-access-api/"><code>kubectl proxy</code></a>) using that same json dump:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-k</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-X</span> PUT <span class="nt">--data-binary</span> @my-namespace.json <span class="s2">"https://&lt;Kube API Endpoint&gt;/api/v1/namespaces/my-namespace/finalize"</span> </code></pre> </div> <p>You can then confirm, once you receive a successful response, that the namespace is deleted:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get ns/my-namespace </code></pre> </div> <p>which should return no resource. </p> kubernetes containers docker sysadmin Exporting images with Containerd CLI (ctr) Joseph D. Marhee Sun, 07 Aug 2022 03:29:55 +0000 https://forem.com/jmarhee/exporting-images-with-containerd-cli-ctr-5321 https://forem.com/jmarhee/exporting-images-with-containerd-cli-ctr-5321 <p>I recently found that a Docker image I use as a part of one of my Helm charts was no longer available on DockerHub, and I hadn't mirrored it in another location. It was running in a <a href="//k3s.io">K3s</a> cluster, meaning I couldn't <code>docker tag original-maintainer/image:tag me/image:tag</code> it and push to the Hub myself back on my local machine, which was running the Docker CLI. </p> <p>First, logging into a node with the image on it, I ran the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ctr <span class="nt">-n</span> k8s.io images <span class="nb">export </span>bind9:9.11.tar docker.io/internetsystemsconsortium/bind9:9.11 <span class="nt">--platform</span> linux/amd64 </code></pre> </div> <p>which exported the image to a tarball. This is similar to <a href="https://docs.docker.com/engine/reference/commandline/image_save/"><code>docker image save</code></a>. </p> <p>Then, pulling it down to my Docker CLI machines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scp jdmarhee@192.168.0.60:bind9:9.11.tar <span class="nb">.</span> </code></pre> </div> <p>I then <a href="https://docs.docker.com/engine/reference/commandline/load/"><code>load</code></a> the image from the tarball:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker image load <span class="nt">--input</span> bind9<span class="se">\:</span>9.11.tar </code></pre> </div> <p>which returns the original tag for the image (<code>internetsystemsconsortium/bind9:9.11</code>) so I can re-tag it and push:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker image tag internetsystemsconsortium/bind9:9.11 jmarhee/bind9:9.11 docker push jmarhee/bind9:9.11 </code></pre> </div> <p>Now this image is available on Docker Hub for my (and your) new clusters to access. </p> docker containerd dns devops Recurring Background Jobs in Flask Joseph D. Marhee Tue, 24 May 2022 05:07:48 +0000 https://forem.com/jmarhee/recurring-background-jobs-in-flask-3407 https://forem.com/jmarhee/recurring-background-jobs-in-flask-3407 <p>Feeling some frustration with most RSS reader apps being way too feature-heavy for my liking, I recently tried building a <a href="https://github.com/jmarhee/rss-reader-simple">very simple RSS feed reader</a> that pulls from a <code>feeds.yaml</code> file that lists URLs and does little else beyond aggregating those links and, where available, providing the article body. </p> <p>In the app, a function like this builds the data body that is populated when Flask renders the template on the page in <code>parser.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="nn">feedparser</span> <span class="kn">import</span> <span class="nn">os</span> <span class="kn">import</span> <span class="nn">yaml</span> <span class="k">def</span> <span class="nf">buildConfig</span><span class="p">():</span> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="s">'FEED_YAML_PATH'</span><span class="p">])</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="n">yaml</span><span class="p">.</span><span class="n">load</span><span class="p">(</span><span class="n">f</span><span class="p">,</span> <span class="n">Loader</span><span class="o">=</span><span class="n">yaml</span><span class="p">.</span><span class="n">FullLoader</span><span class="p">)</span> <span class="k">return</span> <span class="nb">dict</span><span class="p">[</span><span class="s">'feeds'</span><span class="p">]</span> <span class="k">def</span> <span class="nf">buildFeed</span><span class="p">(</span><span class="n">feeds</span><span class="p">):</span> <span class="n">feed_body</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">url</span> <span class="ow">in</span> <span class="n">feeds</span><span class="p">:</span> <span class="n">feed_data</span> <span class="o">=</span> <span class="n">feedparser</span><span class="p">.</span><span class="n">parse</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> <span class="n">new_feed</span> <span class="o">=</span> <span class="p">{</span><span class="s">"feed"</span> <span class="p">:</span> <span class="n">url</span><span class="p">,</span> <span class="s">"data"</span><span class="p">:</span> <span class="p">[</span><span class="n">feed_data</span><span class="p">]}</span> <span class="n">feed_body</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">new_feed</span><span class="p">)</span> <span class="k">return</span> <span class="n">feed_body</span> </code></pre> </div> <p>basically just dumping all of the feed data into a larger JSON object for Flask to render in the template. </p> <p>I wanted to be able to see new feeds I added to this file without restarting Flask, and one way of doing this was to regenerate this data object on every page load, but that would make it take forever to load unless I added a bunch of additional logic or other dependencies or components (storing feeds in memory, etc.) </p> <p>In order to avoid adding new components to the app (it's a very small Docker image, and restoring app data only amounts to this Yaml file being available), I decided to add a recurring background task using the <code>apscheduler</code> package which has a <code>BackgroundScheduler</code> function in <code>app.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">apscheduler.schedulers.background</span> <span class="kn">import</span> <span class="n">BackgroundScheduler</span> </code></pre> </div> <p>then I have it define on app startup the variable that will store the feed_data object to be updated by the recurring job we'll define in a moment, and initialize it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">feed_data</span> <span class="o">=</span> <span class="bp">None</span> <span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">before_first_request</span> <span class="k">def</span> <span class="nf">initialize_feeds</span><span class="p">():</span> <span class="n">feeds</span> <span class="o">=</span> <span class="n">buildConfig</span><span class="p">()</span> <span class="k">global</span> <span class="n">feed_data</span> <span class="n">feed_data</span> <span class="o">=</span> <span class="n">buildFeed</span><span class="p">(</span><span class="n">feeds</span><span class="p">)</span> <span class="k">return</span> <span class="n">feed_data</span> </code></pre> </div> <p>and then adding an <code>updateFeeds</code> function that behaves similarly to the above function (in a production app, you could avoid repeating yourself and have the above function reference this one, but for the sake of demonstration):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">update_feeds</span><span class="p">():</span> <span class="n">feeds</span> <span class="o">=</span> <span class="n">buildConfig</span><span class="p">()</span> <span class="k">global</span> <span class="n">feed_data</span> <span class="n">feed_data</span> <span class="o">=</span> <span class="n">buildFeed</span><span class="p">(</span><span class="n">feeds</span><span class="p">)</span> <span class="k">return</span> <span class="n">feed_data</span> <span class="n">scheduler</span> <span class="o">=</span> <span class="n">BackgroundScheduler</span><span class="p">()</span> <span class="n">job</span> <span class="o">=</span> <span class="n">scheduler</span><span class="p">.</span><span class="n">add_job</span><span class="p">(</span><span class="n">update_feeds</span><span class="p">,</span> <span class="s">'interval'</span><span class="p">,</span> <span class="n">minutes</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="n">scheduler</span><span class="p">.</span><span class="n">start</span><span class="p">()</span> </code></pre> </div> <p>and then having that function run as an argument to the <code>scheduler.add_job()</code> function above, with an interval of 1 minute. </p> <p>So, now, on changes to your Yaml file containing a new URL, the feed_data object will be updated in the background, and load time will be unaffected. </p> flask python rss blogs Rancher Logging Operator with in-cluster Syslog Joseph D. Marhee Thu, 19 May 2022 23:44:35 +0000 https://forem.com/jmarhee/rancher-logging-operator-with-in-cluster-syslog-16i9 https://forem.com/jmarhee/rancher-logging-operator-with-in-cluster-syslog-16i9 <p>The <a href="https://rancher.com/docs/rancher/v2.6/en/logging/">Rancher Logging Operator</a> supports a number of backends, but a very common one is logging to a syslog endpoint. However, rather than maintaining separate logging infrastructure if this is a new piece of your environment, you can deploy it to your Kubernetes clusters directly, either using the method in the UI above, or via the Helm chart. </p> <p>If you plan to deploy charts via Fleet (which I've written about <a href="https://dev.to/jmarhee/manage-an-authoritative-dns-server-on-kubernetes-with-helm-and-fleet-3o6n">before</a>, or some other GitOps flow, you would pull the following charts from the Rancher chart repo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add rancher-charts https://charts.rancher.io helm repo update helm fetch rancher-charts/rancher-logging-crd helm fetch rancher-charts/rancher-logging </code></pre> </div> <p>but before we apply them, we want to setup the syslog endpoint in the cluster for the logging operator to log to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">rsyslog-deployment</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">rsyslog</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">rsyslog</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">rsyslog</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">rsyslog</span> <span class="na">image</span><span class="pi">:</span> <span class="s">sudheerc1190/rsyslog:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">514</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">250m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">524Mi</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">terminationGracePeriodSeconds</span><span class="pi">:</span> <span class="m">30</span> </code></pre> </div> <p>here we're just creating a syslog <code>Deployment</code>; for production, I would recommend creating a <code>PersistentVolume</code> and mount it to <code>/var/log/remote</code> so in subsequent recreations of this <code>Pod</code>, you can restore past logging data for this or other clusters.</p> <p>Because we want this just available internal to the cluster in this example, we'll just create the following <code>Service</code> objects to create cluster DNS entires for this endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">syslog-service-tcp"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">514</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">514</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s2">"</span><span class="s">rsyslog"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">syslog-service-udp"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">514</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">514</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">UDP</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s2">"</span><span class="s">rsyslog"</span> </code></pre> </div> <p>so depending upon which protocol you'd like to use for logging, you can use a hostname like <code>syslog-service-udp.default.svc.cluster.local</code>.</p> <p>Now, you can create the CRDs and Logging Operator:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm <span class="nb">install </span>rancher-logging-crd ./rancher-logging-crd-100.1.2+up3.17.4.tgz <span class="nt">-n</span> cattle-logging-system <span class="nt">--create-namespace</span> helm <span class="nb">install </span>rancher-logging ./rancher-logging-100.1.2+up3.17.4.tgz <span class="nt">-n</span> cattle-logging-system </code></pre> </div> <p>Note that the version on these charts should match, and that they should be deployed to the <code>cattle-logging-system</code> namespace.</p> <p>In the logging operator, there are two pieces <code>Flow</code> (and cluster-wide <code>ClusterFlow</code>) resources and <code>Output</code> (and <code>ClusterOutput</code>) resources. This example will just use cluster-scoped examples that span namespaces, but <a href="https://banzaicloud.com/docs/one-eye/logging-operator/configuration/log-routing/">the matching rules</a> and <a href="https://banzaicloud.com/docs/one-eye/logging-operator/configuration/output/">output formatting</a> will work similarly in both cases.</p> <p>Our <code>ClusterOutput</code> will be what connects to our Syslog service, using <code>host: syslog-service-udp.default.svc.cluster.local</code> on port 514, in this case using <code>transport: udp</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">items</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">logging.banzaicloud.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterOutput</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">testing</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">cattle-logging-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">syslog</span><span class="pi">:</span> <span class="na">buffer</span><span class="pi">:</span> <span class="na">total_limit_size</span><span class="pi">:</span> <span class="s">2GB</span> <span class="na">flush_thread_count</span><span class="pi">:</span> <span class="m">8</span> <span class="na">timekey</span><span class="pi">:</span> <span class="s">10m</span> <span class="na">timekey_use_utc</span><span class="pi">:</span> <span class="no">true</span> <span class="na">timekey_wait</span><span class="pi">:</span> <span class="s">1m</span> <span class="na">format</span><span class="pi">:</span> <span class="na">app_name_field</span><span class="pi">:</span> <span class="s">kubernetes.pod_name</span> <span class="na">hostname_field</span><span class="pi">:</span> <span class="s">custom-cluster-name</span> <span class="na">log_field</span><span class="pi">:</span> <span class="s">message</span> <span class="na">rfc6587_message_size</span><span class="pi">:</span> <span class="no">false</span> <span class="na">host</span><span class="pi">:</span> <span class="s">syslog-service-udp.default.svc.cluster.local</span> <span class="na">insecure</span><span class="pi">:</span> <span class="no">true</span> <span class="na">port</span><span class="pi">:</span> <span class="m">514</span> <span class="na">transport</span><span class="pi">:</span> <span class="s">udp</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">List</span> </code></pre> </div> <p>and you can verify the status of the output (deployment status, problems, etc.) with <code>kubectl get clusteroutput/testing -n cattle-logging-system</code>. The <code>ClusterOutput</code> should be namespaces with the operator deployment. In the above spec, under <code>format</code>, you can refer to <a href="https://banzaicloud.com/docs/one-eye/logging-operator/configuration/plugins/outputs/format_rfc5424/">the RFC format</a> for other options for logging fields. </p> <p>In our <code>ClusterFlow</code>, we're going to use just a basic rule, ask to exclude logs from the <code>kube-system</code> namespace, and then <code>select</code> everything from the <code>applications</code> namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">logging.banzaicloud.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterFlow</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">global-ns-clusterflow</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">match</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">exclude</span><span class="pi">:</span> <span class="na">namespaces</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kube-system</span> <span class="pi">-</span> <span class="na">select</span><span class="pi">:</span> <span class="na">namespaces</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">applications</span> <span class="na">globalOutputRefs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">testing</span> </code></pre> </div> <p>and you'll see we use the <code>testing</code> output as the global endpoint for sending logs. You can check the status of the Flow using <code>kubectl get clusterflow/global-ns-clusterflow</code>. </p> <p>I usually test after this point using a deployment like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-deployment</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:1.14.2</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> </code></pre> </div> <p>and then deploy it once to an excluded namespace and then an included one, then make a few requests (<code>curl -s http://{LB_IP}</code>, if the output and flow report no issues, you'll see the logs start to populate after a few minutes). You can then check the logs manually (if nothing is scraping syslog externally) with something formatted like <code>kubectl exec -it {rsyslog_pod} -- tail -f /var/log/remote/{date hierarchy}/{hour}.log</code>.</p> <p>More about the BanzaiCloud Operator can be found <a href="https://banzaicloud.com/docs/one-eye/logging-operator/">here</a>, and more on the Logging features in Rancher from this operator can be found <a href="https://rancher.com/docs/rancher/v2.6/en/logging/">here</a>.</p> logging kubernetes rancher syslog Changing Netplan Renderer Backend Joseph D. Marhee Fri, 06 May 2022 21:04:05 +0000 https://forem.com/jmarhee/changing-netplan-renderer-backend-a93 https://forem.com/jmarhee/changing-netplan-renderer-backend-a93 <p>I recently changed desktop environments on Linux, and found that my choice didn't render really well through <code>xrdp</code> and rather than figure it out, I wanted to try the screensharing option in the Ubuntu 20.04 system settings. </p> <p>However, when I went to enable it, I found the following error in syslog:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>May 6 15:49:08 boris gnome-control-c[64701]: message repeated 3 times: [ Failed to enable service vino-server: GDBus.Error:org.freedesktop.DBus.Error.InvalidArgs: Sharing cannot be enabled on this network, status is '0'] </code></pre> </div> <p>This is a <a href="https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/1877121">known bug in this GNOME package</a> when your network interface Vino would be binding to is managed by systemd-networkd. You can see which interfaces are currently managed using the <code>networkctl</code> command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>jdmarhee@boris /etc/netplan $ networkctl IDX LINK TYPE OPERATIONAL SETUP 1 lo loopback carrier unmanaged 2 eno1 ether routable managed 3 tailscale0 none routable unmanaged 4 docker0 bridge no-carrier unmanaged 4 links listed. </code></pre> </div> <p>where <code>eno1</code> was being managed. In Ubuntu 20.04, the network interfaces are configured using netplan. The systemd-networkd backend is the default for doing this, so I needed to update netplan to use NetworkManager instead. Your config will be in a file like this one in <code>/etc/netplan</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>jdmarhee@boris /etc/netplan $ cat 00-installer-config.yaml # This is the network config written by 'subiquity' network: ethernets: eno1: dhcp4: true version: 2 </code></pre> </div> <p>and add the following under <code>network</code> key to specify the backend (I add it right under the <code>version</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> renderer: NetworkManager </code></pre> </div> <p>and then apply:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>netplan apply </code></pre> </div> <p>You can then verify that that interface is no longer managed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>jdmarhee@boris /etc/netplan $ networkctl IDX LINK TYPE OPERATIONAL SETUP 1 lo loopback carrier unmanaged 2 eno1 ether routable unmanaged 3 tailscale0 none routable unmanaged 4 docker0 bridge no-carrier unmanaged 4 links listed. </code></pre> </div> <p>and should be able to enable Vino without issue (amongst other preferences that rely on the interface not being managed by systemd). </p> linux desktop gnome networking Network Policies with Canal and Flannel on K3s Joseph D. Marhee Wed, 05 Jan 2022 06:10:55 +0000 https://forem.com/jmarhee/network-policies-with-canal-and-flannel-on-k3s-11oe https://forem.com/jmarhee/network-policies-with-canal-and-flannel-on-k3s-11oe <p>Flannel is a popular Container Network Interface (CNI) addon for Kubernetes, however, it does not provide (because it is Layer 3 network focused on transport between hosts, rather than container networking with the host) robust support for <code>NetworkPolicy</code> resources. Now, the policy features from another popular CNI, Calico, can be imported to Flannel using <a href="https://projectcalico.docs.tigera.io/getting-started/kubernetes/flannel/flannel">Canal</a>. </p> <p>I won't talk a lot about specific <a href="https://kubernetes.io/docs/concepts/services-networking/network-policies/">NetworkPolicy</a> in this post, but a little bit about why you'd want a NetworkPolicy controller is for things like creating policies around access to Ingresses, to or from port or IP ranges, things like that-- the sort of concerns you might have creating ACLs and security rules on a traditional network, but scriptable and templateable for Kubernetes like any other resource type. </p> <p>Installing Canal requires applying a single manifest (containing the Calico controller, policy agent, and service accounts), however, because the Pod CIDR may differ (and in the case of <a href="//k3s.io">K3s</a>, it will be 10.42.0.0/24) from the Calico-expected default of 10.244.0.0/16, an environmental variable (<code>CALICO_IPV4POOL_CIDR</code>) and its accompanying value in the manifest.</p> <p>You can retrieve your Pod CIDR using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get nodes <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.items[*].spec.podCIDR} </span></code></pre> </div> <p>and then modify that variable (commented out) after you download <code>https://docs.projectcalico.org/manifests/canal.yaml</code>.</p> <p>Or use a CLI tool like <code>sed</code> to modify it while writing the file locally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-s</span> https://docs.projectcalico.org/manifests/canal.yaml | <span class="se">\</span> <span class="nb">sed</span> <span class="se">\</span> <span class="nt">-e</span> <span class="s1">'s| # - name: CALICO_IPV4POOL_CIDR| - name: CALICO_IPV4POOL_CIDR|g'</span> <span class="se">\</span> <span class="nt">-e</span> <span class="s2">"s| # value: </span><span class="se">\"</span><span class="s2">192.168.0.0/16</span><span class="se">\"</span><span class="s2">| value: </span><span class="se">\"</span><span class="si">$(</span>kubectl get nodes <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.items[*].spec.podCIDR}'</span><span class="si">)</span><span class="se">\"</span><span class="s2">|g"</span> </code></pre> </div> <p>and then (or alternatively) manage this manifest however you typically might do so (in Helm chart, or have an automation tool handle this templating for you, etc.)</p> <p>If you are a K3s user, conveniently, any manifests written to <code>/var/lib/rancher/k3s/server/manifests</code> will be applied automatically, so you can have the above simply write the file for you when provisioning your cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">## Applies the modified manifest to K3s, which automatically applies the contents of /var/lib/rancher/k3s/server/manifests</span> curl <span class="nt">-s</span> https://docs.projectcalico.org/manifests/canal.yaml | <span class="nb">sed</span> <span class="nt">-e</span> <span class="s1">'s| # - name: CALICO_IPV4POOL_CIDR| - name: CALICO_IPV4POOL_CIDR|g'</span> <span class="nt">-e</span> <span class="s2">"s| # value: </span><span class="se">\"</span><span class="s2">192.168.0.0/16</span><span class="se">\"</span><span class="s2">| value: </span><span class="se">\"</span><span class="si">$(</span>kubectl get nodes <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.items[*].spec.podCIDR}'</span><span class="si">)</span><span class="se">\"</span><span class="s2">|g"</span> | <span class="se">\</span> <span class="nb">tee</span> <span class="nt">-a</span> /var/lib/rancher/k3s/server/manifests/canal.yaml </code></pre> </div> <p>after your K3s install command, if you'd like, on cluster spin-up. </p> <p>Checking the status of the <code>calico-controllers</code> Deployment will let you know when you are ready to proceed to introduce policy objects:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get deployments <span class="nt">-n</span> kube-system </code></pre> </div> <p>Examples of common <code>NetworkPolicy</code> usage can be <a href="https://kubernetes.io/docs/concepts/services-networking/network-policies/">found here.</a></p> k3s kubernetes network automation Manage an Authoritative DNS Server on Kubernetes with Helm and Fleet Joseph D. Marhee Fri, 24 Dec 2021 05:23:19 +0000 https://forem.com/jmarhee/manage-an-authoritative-dns-server-on-kubernetes-with-helm-and-fleet-3o6n https://forem.com/jmarhee/manage-an-authoritative-dns-server-on-kubernetes-with-helm-and-fleet-3o6n <p>Among my other clusters, I run infrastructure-specific services out of a small Kubernetes cluster. One such service (aside from things like a VPN gateway, Docker registry, etc.) is a DNS nameserver pair that I use inside and out of the cluster. I install and configure these namservers using <a href="https://helm.sh/docs/intro/using_helm/">Helm</a> and deploy/update the <code>Deployment</code> (and <code>ConfigMap</code>s that it serves zone files from) using <a href="//fleet.rancher.io/">Fleet</a>. </p> <p>In my <code>authoritative-dns</code> folder <a href="https://github.com/rancher/fleet-examples/tree/master/simple">in my repo that Fleet watches</a>, after running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm create authoritative-dns </code></pre> </div> <p>which creates the directory and the template chart (i.e. a templates directory, Chart.yaml, etc.), I am mostly going to be concerned with <code>templates/deployment.yaml</code> and <code>templates/configmap.yaml</code> (and optionally <code>templates/service.yaml</code>) being set-up to receive the BIND configuration and zone files I'd like it to serve.</p> <p>In <code>templates/configmap.yaml</code>, I'm going to set up two <code>ConfigMap</code> resources, one to handle the <code>named.conf</code> configuration, and another to hold the zone file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bind-config</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- toYaml .Values.bindconfig | nindent 2</span> <span class="pi">}}</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bind-zone-config</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- toYaml .Values.bindzones | nindent 2</span> <span class="pi">}}</span> </code></pre> </div> <p>The <code>.Values</code> in template brackets (<code>{{ }}</code>) will refer to data in your <code>Values.yaml</code> file, which will be the part of the Chart you want most of your modifications to go into, hold variable value configuration items. I'll return to that in a moment.</p> <p>In <code>templates/deployment.yaml</code>, we just need a <code>Deployment</code> that will mount these <code>ConfigMap</code> resources to the BIND container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.name</span> <span class="pi">}}</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "authoritative-dns.selectorLabels" . | nindent 4</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.replicaCount</span> <span class="pi">}}</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "authoritative-dns.selectorLabels" . | nindent 6</span> <span class="pi">}}</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">roll</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">randAlphaNum 5 | quote</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.podAnnotations</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- toYaml . | nindent 8</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "authoritative-dns.selectorLabels" . | nindent 8</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hostNetwork</span><span class="pi">:</span> <span class="no">true</span> <span class="na">affinity</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- toYaml .Values.affinity | nindent 8</span> <span class="pi">}}</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.name</span> <span class="pi">}}</span><span class="s">-bind</span> <span class="na">image</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.image.image</span> <span class="pi">}}</span><span class="s">:{{ .Values.image.tag }}</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dns-tcp</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.targetPort</span> <span class="pi">}}</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dns-udp</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.targetPort</span> <span class="pi">}}</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">UDP</span> <span class="pi">{{</span><span class="nv">- if .Values.readinessProbe.enabled</span> <span class="pi">}}</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">tcpSocket</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="s">dns-tcp</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.readinessProbe.enabled</span> <span class="pi">}}</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">tcpSocket</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="s">dns-udp</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- toYaml .Values.resources | nindent 12</span> <span class="pi">}}</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bind-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/etc/bind</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bind-zone-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/var/lib/bind</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bind-config</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bind-config</span> <span class="na">items</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">named.conf</span> <span class="na">path</span><span class="pi">:</span> <span class="s">named.conf</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bind-zone-config</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bind-zone-config</span> <span class="pi">{{</span><span class="nv">- toYaml .Values.zoneconfigs | nindent 12</span> <span class="pi">}}</span> </code></pre> </div> <p>where in this case, we want:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bind-zone-config</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bind-zone-config</span> <span class="pi">{{</span><span class="nv">- toYaml .Values.zoneconfigs | nindent 12</span> <span class="pi">}}</span> </code></pre> </div> <p>to refer to each zone file <code>ConfigMap</code> file, which you'll also populate in your <code>Values.yaml</code> file as well, and then appear in the container under <code>/var/lib/bind/{{your zone}}</code>.</p> <p><strong>Note</strong>: the Deployment contains an annotation, <code>roll: {{ randAlphaNum 5 | quote }}</code>-- this is because BIND requires a restart (and thereforce the Pods need to be restarted) to pick up changes in the zone configs. This will generate an updated value for the Pod to be annotated with triggering the restart-- the above restarts the Pod on every upgrade, but there's other <a href="https://v3.helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments">options to roll your deployment pods</a> (i.e. based on changes to the configmap specifically, etc.)</p> <p>This <code>Deployment</code>, because of how I use it, just uses the host network, so a <code>Service</code> is not required, but you can use a template like this <code>template/service.yaml</code> to expose on ports 53/TCP and 53/UDP with a <code>LoadBalancer</code>, in this case with MetalLB:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "authoritative-dns.name" .</span> <span class="pi">}}</span><span class="s">-tcp</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "authoritative-dns.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.service.annotations</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- toYaml .Values.service.annotations | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.type</span> <span class="pi">}}</span> <span class="na">externalTrafficPolicy</span><span class="pi">:</span> <span class="s">Local</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.targetPort</span> <span class="pi">}}</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.targetPort</span> <span class="pi">}}</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dns-tcp</span> <span class="na">selector</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "authoritative-dns.selectorLabels" . | nindent 4</span> <span class="pi">}}</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "authoritative-dns.name" .</span> <span class="pi">}}</span><span class="s">-udp</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "authoritative-dns.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.service.annotations</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- toYaml .Values.service.annotations | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.type</span> <span class="pi">}}</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.targetPort</span> <span class="pi">}}</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.targetPort</span> <span class="pi">}}</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">UDP</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dns-udp</span> <span class="na">selector</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "authoritative-dns.selectorLabels" . | nindent 4</span> <span class="pi">}}</span> </code></pre> </div> <p>So, with these templates in place, now we need a <code>Values.yaml</code> to supply the data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">replicaCount</span><span class="pi">:</span> <span class="m">2</span> <span class="na">region</span><span class="pi">:</span> <span class="s">ORD1</span> <span class="na">name</span><span class="pi">:</span> <span class="s">authoritative-dns</span> <span class="na">image</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">internetsystemsconsortium/bind9</span> <span class="na">pullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">tag</span><span class="pi">:</span> <span class="m">9.11</span> <span class="na">imageConfig</span><span class="pi">:</span> <span class="na">pullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">service</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="na">port</span><span class="pi">:</span> <span class="m">53</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">53</span> <span class="na">labels</span><span class="pi">:</span> <span class="c1"># resources:</span> <span class="c1"># requests:</span> <span class="c1"># memory: 1Gi</span> <span class="c1"># cpu: 300m</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">true</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">true</span> <span class="na">bindzones</span><span class="pi">:</span> <span class="na">c00lz0ne.internal</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">$TTL 604800</span> <span class="s">@ IN SOA ns1.c00lz0ne.internal. admin.c00lz0ne.internal. (</span> <span class="s">5 ; Serial</span> <span class="s">604800 ; Refresh</span> <span class="s">86400 ; Retry</span> <span class="s">2419200 ; Expire</span> <span class="s">604800 ) ; Negative Cache TTL</span> <span class="s">;</span> <span class="s">c00lz0ne.internal. IN NS ns1.c00lz0ne.internal.</span> <span class="s">c00lz0ne.internal. IN NS ns2.c00lz0ne.internal.</span> <span class="s">ns1 IN A 10.24.0.11</span> <span class="s">ns2 IN A 10.24.0.12</span> <span class="s">rke00.mgr IN A 10.24.0.99</span> <span class="s">rke01.mgr IN A 10.24.0.100</span> <span class="s">rke-lb.mgr IN A 100.69.29.9</span> <span class="na">bindconfig</span><span class="pi">:</span> <span class="na">named.conf</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">options {</span> <span class="s">directory "/var/cache/bind";</span> <span class="s">listen-on port 53 { any; };</span> <span class="s">auth-nxdomain yes;</span> <span class="s">forwarders { </span> <span class="s">1.1.1.1; </span> <span class="s">1.0.0.1; </span> <span class="s">};</span> <span class="s">listen-on-v6 { ::1; };</span> <span class="s">allow-recursion {</span> <span class="s">none;</span> <span class="s">};</span> <span class="s">allow-transfer {</span> <span class="s">none;</span> <span class="s">};</span> <span class="s">allow-update {</span> <span class="s">none;</span> <span class="s">};</span> <span class="s">};</span> <span class="s">zone "c00lz0ne.internal" {</span> <span class="s">type master;</span> <span class="s">file "/var/lib/bind/c00lz0ne.internal";</span> <span class="s">};</span> <span class="na">zoneconfigs</span><span class="pi">:</span> <span class="na">items</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">c00lz0ne.internal</span> <span class="na">path</span><span class="pi">:</span> <span class="s">c00lz0ne.internal</span> </code></pre> </div> <p>So, you'll see for my cool domain <code>c00lz0ne.internal</code>, I need to populate <code>bindzones.c00lz0ne.internal</code> with the BIND zonefile itself, then <code>bindconfig.named.conf</code> needs to be updated to add that file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> zone "c00lz0ne.internal" { type master; file "/var/lib/bind/c00lz0ne.internal"; }; </code></pre> </div> <p>which you'll see in the above uses the mount path we defined in the <code>Deployment</code> for the <code>ConfigMap</code> containing these files, and then finally, <code>zoneconfigs.items</code> which should contain a map of keys and paths for each of the domain zone files you created, and then referenced in <code>named.conf</code> so it mounts to the <code>Deployment</code> template when it renders.</p> <p>Typically, at this point, you could apply your chart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm <span class="nb">install </span>authoritative-dns ./ </code></pre> </div> <p>and then when the <code>Deployment</code> is online:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>jdmarhee@boris ~/repos/terraform-digitalocean-k3s-highavailability <span class="o">(</span>master<span class="o">)</span> <span class="nv">$ </span>kubectl get pods NAME READY STATUS RESTARTS AGE authoritative-dns-6576df5d48-7glqk 1/1 Running 0 15s authoritative-dns-6576df5d48-nhjsq 1/1 Running 0 15s </code></pre> </div> <p>you can test resolution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dig +short <span class="nt">-t</span> ns ns1.c00lz0ne.internal @<span class="k">${</span><span class="nv">SVC_IP</span><span class="k">}</span> </code></pre> </div> <p>However, because we want the <code>Deployment</code> to update with the changes to the <code>ConfigMap</code> and other values, we can use a <a href="https://fleet.rancher.io/quickstart/">GitOps tool like Fleet to update on changes to the repository</a>.</p> <p>Let's say I keep all of my charts in a repo (Fleet also supports private repositories, but for the sake of demonstration, a basic public repo) called <code>helm-charts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">fleet.cattle.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepo</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sample</span> <span class="c1"># This namespace is special and auto-wired to deploy to the local cluster</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">fleet-local</span> <span class="na">spec</span><span class="pi">:</span> <span class="c1"># Everything from this repo will be ran in this cluster. You trust me right?</span> <span class="na">repo</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/c00lz0ne-infra/helm-charts"</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">authoritative-dns</span> </code></pre> </div> <p>where <code>paths</code> represent the charts that Fleet will track changes to, once this is applied and you can <a href="https://fleet.rancher.io/quickstart/#get-status">see Fleet is running</a>.</p> <p>In my case, I only want this chart deployed to specific clusters (in this case, with <code>env</code> matching <code>svcs</code>), so to the above GitRepo, I add:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">targets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">clusterSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">env</span><span class="pi">:</span> <span class="s">svcs</span> <span class="na">name</span><span class="pi">:</span> <span class="s">svcs-cluster</span> </code></pre> </div> <p>so when this, or a new cluster with that label match (or using any of the other methods of <a href="https://fleet.rancher.io/gitrepo-targets/">mapping to downstream clusters</a>), the chart will be applied on each change to a specified branch or revision in the git repository. </p> <p>In my case, I will only have a small and fixed number of clusters that will ever be managed that way, but if you want to great ClusterGroups to target (using these matching rules, rather than mapping the GitRepo to the rule, map the GitRepo to the clustergroup, and manage it as its own resource), it can be defined like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterGroup</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">fleet.cattle.io/v1alpha1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">services-group</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">clusters</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">env</span><span class="pi">:</span> <span class="s">svcs</span> </code></pre> </div> <p>and then update the GitRepo resource to use this matching rule:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">clusterGroup</span><span class="pi">:</span> <span class="s">group1</span> </code></pre> </div> <p>or:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">clusterGroupSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-east</span> </code></pre> </div> <p>or optionally use a <a href="https://fleet.rancher.io/gitrepo-targets/#defining-targets">clusterGroupSelector</a>, or a combination of these to subset this group further (for example, in region <code>us-east</code> within that group), name a specific group, or in the above example, find ClusterGroups that are in a specific region.</p> <p>The result of all of this is that rather than writing complex rules for when and how to run Helm to target multiple clusters, Fleet will use the above resources to manage this application of chart changes on a specific branch, across the defined clusters.</p> rancher gitops dns devops Using OpenPolicyAgent to Inject Proxy Configuration into Kubernetes Workloads Joseph D. Marhee Sat, 18 Dec 2021 06:49:46 +0000 https://forem.com/jmarhee/using-openpolicyagent-to-inject-proxy-configuration-into-kubernetes-workloads-2dde https://forem.com/jmarhee/using-openpolicyagent-to-inject-proxy-configuration-into-kubernetes-workloads-2dde <p>It's not unusual to find enterprise services behind a corporate proxy, and in order to get out, must have this proxy access configured to access out through it. The same applies to services running o Kubernetes. </p> <p>One way to do this is manually, by creating a <code>Secret</code> resource containing a proxy string like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create secret generic corporate-proxy <span class="nt">--from-literal</span><span class="o">=</span>authentication-string<span class="o">=</span><span class="s2">"http://{USERNAME}:{PASSWORD}@{PROXY_ADDRESS}:{PROXY_PORT}"</span> <span class="nt">--from-literal</span><span class="o">=</span>no-proxy-string<span class="o">=</span><span class="s2">"localhost,127.0.0.1,0.0.0.0,10.0.0.0/8,cattle-system.svc,10.42.0.0/24,.svc,.cluster.local,example.com"</span> </code></pre> </div> <p>and, mount it to the environment of a Kubernetes application resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">appWithProxy</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">appWithProxy</span> <span class="na">image</span><span class="pi">:</span> <span class="s">yourApplication</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">HTTP_PROXY</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">corporate-proxy</span> <span class="na">key</span><span class="pi">:</span> <span class="s">authentication-string</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">NO_PROXY</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">corporate-proxy</span> <span class="na">key</span><span class="pi">:</span> <span class="s">no-proxy-string</span> </code></pre> </div> <p>and when you <code>exec</code> into that container, you can use that proxy to access public resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">--proxy</span> <span class="nv">$HTTP_PROXY</span> http://ipinfo.io/json </code></pre> </div> <p>However, this is a tedious, manual process that you would, then, need to repeat for every resource you'd like to have proxy access.</p> <p>Among the many things OpenPolicyAgent Gatekeeper does, is allow you to mutate Kubernetes API requests based on a variety of scoping rules, and inject things like environment variables into resources that meet said scope. </p> <p>This is done using a Mutating Admission Webhook. Using <a href="https://slack.engineering/simple-kubernetes-webhook/">Mutating Admission Webhook to inject environment variables like these proxy settings</a>, for example, to modify requests to create a resource like a <code>Pod</code> or <code>Deployment</code>, etc. to inject the proxy configuration data. There are other types of Webhooks, such as (in the linked example) Validating Webhooks, which do things like confirm a workload has a label, or an appropriate name, etc. to dictate some other action by the Admission Webhook.</p> <p><a href="https://rancher.com/docs/rancher/v2.0-v2.4/en/cluster-admin/tools/opa-gatekeeper/">OPA Gatekeeper</a>, in this scenario, will do much of this for you, and instead, mutation and scoping is dictated by policies. In our case, we want to create a namespace that will contain resources that we wish to mutate, upon request, to include mounting the above <code>corporate-proxy</code> resource <code>Secret</code> as an environment variable.</p> <p>OPA also provides <a href="https://www.openpolicyagent.org/docs/latest/kubernetes-primer/#testing-policies">facilities for testing these policies</a>.</p> <p>After <a href="https://open-policy-agent.github.io/gatekeeper/website/docs/install/#using-prebuilt-image">installing OPA Gatekeeper</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/gatekeeper.yaml </code></pre> </div> <p>Or if you're a <a href="https://rancher.com/docs/rancher/v2.0-v2.4/en/cluster-admin/tools/opa-gatekeeper/">Rancher user, Gatekeeper can be installed and enabled from the UI</a>.</p> <p>We can then define a <code>ModifySet</code> resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">mutations.gatekeeper.sh/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ModifySet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">demo-annotation-owner</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">proxy-test</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">applyTo</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">versions</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">v1"</span><span class="pi">]</span> <span class="na">kinds</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">Pod"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">Deployment"</span><span class="pi">]</span> <span class="na">match</span><span class="pi">:</span> <span class="na">scope</span><span class="pi">:</span> <span class="s">Namespaced</span> <span class="na">kinds</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">*"</span><span class="pi">]</span> <span class="na">kinds</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">Pod"</span><span class="pi">]</span> <span class="na">location</span><span class="pi">:</span> <span class="s2">"</span><span class="s">spec.containers[name:*].env"</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">values</span><span class="pi">:</span> <span class="na">fromList</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">HTTP_PROXY</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">corporate-proxy</span> <span class="na">key</span><span class="pi">:</span> <span class="s">authentication-string</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">NO_PROXY</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">corporate-proxy</span> <span class="na">key</span><span class="pi">:</span> <span class="s">authentication-string</span> </code></pre> </div> <p>which is deployed to the <code>proxy-test</code> namespace, and a couple of lines down, the <code>scope</code> is set to <code>Namespaced</code>, meaning that it will only apply the following to matching resources in that namespace. </p> <p>If the API server passes a request that is that namespace, and matches any apiGroup ("*"), and is of <code>kind: Pod</code>, it will read a spec like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">shell-demo</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">proxy-test</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">shared-data</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SOME_EXISTING_VAR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Present"</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">shared-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/usr/share/nginx/html</span> <span class="na">dnsPolicy</span><span class="pi">:</span> <span class="s">Default</span> </code></pre> </div> <p>where it will look in <code>spec.containers</code>, and you'll see since this request does not contain an <code>env</code> block, it will inject our <code>Secret</code> from above (<code>secret/corporate-proxy</code>) into this spec appending <code>env</code> represented above in Yaml, but can also be inserted as JSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">[{</span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HTTP_PROXY"</span><span class="p">,</span><span class="w"> </span><span class="nl">"valueFrom"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"secretKeyRef"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"corporate-proxy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"authentication-string"</span><span class="p">}}}]</span><span class="w"> </span></code></pre> </div> <p>and create the <code>Pod</code>. </p> <p>You can test this out by creating two <code>Pods</code> using the above spec, one in the <code>proxy-test</code> namespace and one in another:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt;&gt; proxy.yaml apiVersion: v1 kind: Pod metadata: name: shell-demo namespace: proxy-test spec: volumes: - name: shared-data emptyDir: {} containers: - name: nginx image: nginx env: - name: SOME_EXISTING_VAR value: "Present" volumeMounts: - name: shared-data mountPath: /usr/share/nginx/html dnsPolicy: Default </span><span class="no">EOF </span>kubectl apply <span class="nt">-f</span> proxy.yaml </code></pre> </div> <p>and one in another:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt;&gt; no-proxy.yaml apiVersion: v1 kind: Pod metadata: name: shell-demo namespace: default spec: volumes: - name: shared-data emptyDir: {} containers: - name: nginx image: nginx env: - name: SOME_EXISTING_VAR value: "Present" volumeMounts: - name: shared-data mountPath: /usr/share/nginx/html dnsPolicy: Default </span><span class="no">EOF </span>kubectl apply <span class="nt">-f</span> no-proxy.yaml </code></pre> </div> <p>and when you run <code>kubectl describe</code> on the namespaced <code>Pod</code>, you'll see the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ubuntu-proxy-k3s:~# kubectl describe pod/shell-demo <span class="nt">-n</span> proxy-test Name: shell-demo Namespace: proxy-test ... Containers: nginx: Image: nginx ... Environment: SOME_EXISTING_VAR: <span class="s2">"Present"</span> HTTP_PROXY: &lt;<span class="nb">set </span>to the key <span class="s1">'authentication-string'</span> <span class="k">in </span>secret <span class="s1">'corporate-proxy'</span><span class="o">&gt;</span> Optional: <span class="nb">false </span>NO_PROXY: &lt;<span class="nb">set </span>to the key <span class="s1">'authentication-string'</span> <span class="k">in </span>secret <span class="s1">'corporate-proxy'</span><span class="o">&gt;</span> Optional: <span class="nb">false</span> </code></pre> </div> <p>where the one in the <code>default</code> namespace will not have an Envrionment set. </p> <p>These <code>ModifySet</code> resources can be written to mutate based on a number of other scopes as well, and any part of a manifest that you specify in the <code>location</code> key, and then assign with a <code>value</code> under parameters as we did above. Other examples of using OPA Gatekeeper resources to mutate resources can be found <a href="https://open-policy-agent.github.io/gatekeeper/website/docs/mutation/#!">here</a>.</p> kubernetes networking openpolicyagent k3s Capturing and Posting Video Screenshots at Random Intervals Joseph D. Marhee Tue, 31 Aug 2021 05:08:35 +0000 https://forem.com/jmarhee/capturing-and-posting-video-screenshots-at-random-intervals-2739 https://forem.com/jmarhee/capturing-and-posting-video-screenshots-at-random-intervals-2739 <p>I recently created a couple of bot Twitter accounts, <a href="//twitter.com/screenshotsVice">@ScreenshotsVice</a> which shares screencaps from episodes of "Miami Vice" and <a href="//twitter.com/pasolinibot">@Pasolinibot</a> which shares caps from the filmography of Pier Paolo Pasolini, both at regular intervals. </p> <p>The way these accounts are managed are that, when a cronjob is triggered, from a video library, a series of screencaptures are dumped (if they were set to refresh on the previous run), and then the listing in the directory is shuffled, and then the script selects one at random and posts it to Twitter. </p> <p>Because the intervals are managed by cronjobs, I'll focus on what happens when a job is triggered. </p> <p>The Python script that selects and posts the capture relies on the <code>tweepy</code> Twitter API client for Python, so you will need your <a href="//developers.twitter.com">Twitter Developer API credentials</a>. The script that generates the captures, before running, requires that <a href="https://github.com/jmarhee/screenshot-capture-twitter"><code>ffmpeg</code> be installed</a> and the directory where the video library is stored and the directory where you'll store screencaptures.</p> <p>To generate the capture library, the following script is used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nv">LNVC_DATA_PATH</span><span class="o">=</span><span class="k">${</span><span class="nv">SOURCE_DIR</span><span class="k">}</span> <span class="nv">LNVC_PREV_PATH</span><span class="o">=</span><span class="k">${</span><span class="nv">SOURCE_DIR_OUT</span><span class="k">}</span><span class="nt">-Screens</span> <span class="nv">REFRESH_SCREENS</span><span class="o">=</span>1 <span class="nv">DUMP_INTERVAL</span><span class="o">=</span>1 <span class="nv">DUMP_RANDOM</span><span class="o">=</span>1 <span class="nv">RANDOMIZE_NAMES</span><span class="o">=</span>1 <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">LNVC_DATA_PATH</span><span class="k">}</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"No source path found. Set LNVC_DATA_PATH."</span> <span class="p">;</span> <span class="nb">exit </span>1 <span class="k">fi if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">LNVC_PREV_PATH</span><span class="k">}</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"No target path found. Set LNVC_PREV_PATH."</span> <span class="p">;</span> <span class="nb">exit </span>1 <span class="k">fi if</span> <span class="o">[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="k">${</span><span class="nv">REFRESH_SCREENS</span><span class="k">}</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">rm</span> <span class="nt">-rf</span> <span class="nv">$LNVC_PREV_PATH</span>/<span class="k">*</span> <span class="k">fi</span> </code></pre> </div> <p>This sets up options for things like randomizing filenames, whether or not to refresh the library, defining the video source and the capture outputs, the latter two are the only ones that are required.</p> <p>After this, the video library is iterated, and the captures created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>v <span class="k">in</span> <span class="sb">`</span><span class="nb">ls</span> <span class="nv">$LNVC_DATA_PATH</span><span class="sb">`</span><span class="p">;</span> <span class="k">do</span> <span class="se">\</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="k">${</span><span class="nv">DUMP_RANDOM</span><span class="k">}</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">LENGTH</span><span class="o">=</span><span class="si">$(</span>ffmpeg <span class="nt">-i</span> <span class="nv">$LNVC_DATA_PATH</span>/<span class="nv">$v</span> 2&gt;&amp;1 | <span class="nb">grep </span>Duration | <span class="nb">cut</span> <span class="nt">-d</span> <span class="s1">' '</span> <span class="nt">-f</span> 4 | <span class="nb">sed </span>s/,//<span class="si">)</span> <span class="p">;</span> <span class="se">\</span> <span class="nv">HOUR</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="k">$((</span><span class="m">0</span> <span class="o">+</span> RANDOM <span class="o">%</span> <span class="si">$(</span><span class="nb">echo</span> <span class="nv">$LENGTH</span> | <span class="nb">cut</span> <span class="nt">-d</span> <span class="s2">":"</span> <span class="nt">-f</span> 2<span class="si">)</span><span class="k">))</span><span class="si">)</span> <span class="p">;</span> <span class="se">\</span> <span class="k">if</span> <span class="o">((</span> <span class="nv">$HOUR</span> &lt; 10 <span class="o">))</span><span class="p">;</span> <span class="k">then </span><span class="nv">HOUR</span><span class="o">=</span><span class="si">$(</span><span class="nb">printf</span> <span class="s2">"%02d</span><span class="se">\n</span><span class="s2">"</span> <span class="nv">$HOUR</span><span class="si">)</span><span class="p">;</span> <span class="k">fi</span> <span class="p">;</span> <span class="se">\</span> <span class="nv">MINUTE</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="k">$((</span><span class="m">1</span> <span class="o">+</span> RANDOM <span class="o">%</span> <span class="si">$(</span><span class="nb">echo</span> <span class="nv">$LENGTH</span> | <span class="nb">cut</span> <span class="nt">-d</span> <span class="s2">":"</span> <span class="nt">-f</span> 2<span class="si">)</span><span class="k">))</span><span class="si">)</span> <span class="p">;</span> <span class="se">\</span> <span class="k">if</span> <span class="o">((</span> <span class="nv">$MINUTE</span> &lt; 10 <span class="o">))</span><span class="p">;</span> <span class="k">then </span><span class="nv">MINUTE</span><span class="o">=</span><span class="si">$(</span><span class="nb">printf</span> <span class="s2">"%02d</span><span class="se">\n</span><span class="s2">"</span> <span class="nv">$MINUTE</span><span class="si">)</span><span class="p">;</span> <span class="k">fi</span> <span class="p">;</span> <span class="se">\</span> <span class="nv">SECOND</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="k">$((</span><span class="m">1</span> <span class="o">+</span> RANDOM <span class="o">%</span> <span class="m">59</span><span class="k">))</span><span class="si">)</span> <span class="p">;</span> <span class="se">\</span> <span class="k">if</span> <span class="o">((</span> <span class="nv">$SECOND</span> &lt; 10 <span class="o">))</span><span class="p">;</span> <span class="k">then </span><span class="nv">SECOND</span><span class="o">=</span><span class="si">$(</span><span class="nb">printf</span> <span class="s2">"%02d</span><span class="se">\n</span><span class="s2">"</span> <span class="nv">$SECOND</span><span class="si">)</span><span class="p">;</span> <span class="k">fi</span> <span class="p">;</span> <span class="se">\</span> ffmpeg <span class="nt">-i</span> <span class="nv">$LNVC_DATA_PATH</span>/<span class="nv">$v</span> <span class="nt">-ss</span> <span class="nv">$HOUR</span>:<span class="nv">$MINUTE</span>:<span class="nv">$SECOND</span>.000 <span class="nt">-vframes</span> 1 <span class="nv">$LNVC_PREV_PATH</span>/<span class="sb">`</span><span class="nb">head</span> /dev/urandom | <span class="nb">tr</span> <span class="nt">-dc</span> A-Za-z0-9 | <span class="nb">head</span> <span class="nt">-c</span> 13 <span class="p">;</span> <span class="nb">echo</span> <span class="s1">''</span><span class="sb">`</span>.jpg <span class="k">fi if</span> <span class="o">[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="k">${</span><span class="nv">DUMP_INTERVAL</span><span class="k">}</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>ffmpeg <span class="nt">-i</span> <span class="nv">$LNVC_DATA_PATH</span>/<span class="nv">$v</span> <span class="nt">-frames</span>:v 1 <span class="nt">-vf</span> <span class="nv">fps</span><span class="o">=</span>1/<span class="nv">$DUMP_INTERVAL</span> <span class="nv">$LNVC_PREV_PATH</span>/<span class="sb">`</span><span class="nb">head</span> /dev/urandom | <span class="nb">tr</span> <span class="nt">-dc</span> A-Za-z0-9 | <span class="nb">head</span> <span class="nt">-c</span> 13 <span class="p">;</span> <span class="nb">echo</span> <span class="s1">''</span><span class="sb">`</span>.jpg <span class="c"># The filenames will be prefixed by a random string, but per-video; if you'd like them randomized in totality, set `RANDOMIZE_NAMES`</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="k">${</span><span class="nv">RANDOMIZE_NAMES</span><span class="k">}</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">cd</span> <span class="nv">$LNVC_PREV_PATH</span> <span class="p">;</span> <span class="se">\</span> <span class="k">for </span>f <span class="k">in</span> <span class="sb">`</span><span class="nb">ls</span><span class="sb">`</span><span class="p">;</span> <span class="k">do </span><span class="nb">mv</span> <span class="nv">$f</span> <span class="sb">`</span><span class="nb">head</span> /dev/urandom | <span class="nb">tr</span> <span class="nt">-dc</span> A-Za-z0-9 | <span class="nb">head</span> <span class="nt">-c</span> 13 <span class="p">;</span> <span class="nb">echo</span> <span class="s1">''</span><span class="sb">`</span>.jpg<span class="p">;</span> <span class="k">done fi fi done</span> </code></pre> </div> <p>If <code>DUMP_RANDOM</code> is enabled, random timecodes will be dumped from a video file, <code>DUMP_INTERVAL</code> will dump video files into captures at each interval (useful for films, rather than slices from an episode of a TV series). Filenames (which helps when selecting images randomly to post) can be selectively re-randomized. </p> <p>This script has dumped videos from <code>SOURCE_DIR</code> into <code>SOURCE_DIR_OUT</code>, which our poster script will read from.</p> <p>First, we have to setup the Twitter authentication:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="nn">tweepy</span> <span class="kn">import</span> <span class="nn">os</span><span class="p">,</span> <span class="n">random</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">twitter_auth_keys</span> <span class="o">=</span> <span class="p">{</span> <span class="s">"consumer_key"</span> <span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="s">'twitter_consumer_key'</span><span class="p">],</span> <span class="s">"consumer_secret"</span> <span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="s">'twitter_consumer_secret'</span><span class="p">],</span> <span class="s">"access_token"</span> <span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="s">'twitter_access_token'</span><span class="p">],</span> <span class="s">"access_token_secret"</span> <span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="s">'twitter_access_token_secret'</span><span class="p">]</span> <span class="p">}</span> <span class="n">auth</span> <span class="o">=</span> <span class="n">tweepy</span><span class="p">.</span><span class="n">OAuthHandler</span><span class="p">(</span> <span class="n">twitter_auth_keys</span><span class="p">[</span><span class="s">'consumer_key'</span><span class="p">],</span> <span class="n">twitter_auth_keys</span><span class="p">[</span><span class="s">'consumer_secret'</span><span class="p">]</span> <span class="p">)</span> <span class="n">auth</span><span class="p">.</span><span class="n">set_access_token</span><span class="p">(</span> <span class="n">twitter_auth_keys</span><span class="p">[</span><span class="s">'access_token'</span><span class="p">],</span> <span class="n">twitter_auth_keys</span><span class="p">[</span><span class="s">'access_token_secret'</span><span class="p">]</span> <span class="p">)</span> <span class="n">api</span> <span class="o">=</span> <span class="n">tweepy</span><span class="p">.</span><span class="n">API</span><span class="p">(</span><span class="n">auth</span><span class="p">)</span> </code></pre> </div> <p>Then lock in our selected image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="n">files</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">listdir</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="s">'SOURCE_DIR_OUT'</span><span class="p">])</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="mi">10000</span><span class="p">):</span> <span class="n">random</span><span class="p">.</span><span class="n">shuffle</span><span class="p">(</span><span class="n">files</span><span class="p">)</span> <span class="n">path</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="s">'SOURCE_DIR_OUT'</span><span class="p">]</span> <span class="o">+</span> <span class="s">"/"</span> <span class="o">+</span> <span class="n">random</span><span class="p">.</span><span class="n">choice</span><span class="p">(</span><span class="n">files</span><span class="p">)</span> <span class="n">media</span> <span class="o">=</span> <span class="n">api</span><span class="p">.</span><span class="n">media_upload</span><span class="p">(</span><span class="n">path</span><span class="p">)</span> </code></pre> </div> <p>you'll see above that it reads the captures into a list of filenames, then shuffles the list, before selecting one at random, then we post:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="n">tweet</span> <span class="o">=</span> <span class="s">"#pasolini"</span> <span class="n">post_result</span> <span class="o">=</span> <span class="n">api</span><span class="p">.</span><span class="n">update_status</span><span class="p">(</span><span class="n">status</span><span class="o">=</span><span class="n">tweet</span><span class="p">,</span> <span class="n">media_ids</span><span class="o">=</span><span class="p">[</span><span class="n">media</span><span class="p">.</span><span class="n">media_id</span><span class="p">])</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">"__main__"</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span> </code></pre> </div> <p>The package can be found on <a href="https://github.com/jmarhee/screenshot-capture-twitter">Github</a> along with some additional examples (one using a Kubernetes CronJob resource, for example) for use. </p> python ffmpeg twitter Using pre-commit and post-update git hooks Joseph D. Marhee Wed, 09 Jun 2021 05:42:08 +0000 https://forem.com/jmarhee/using-pre-commit-and-post-update-git-hooks-1e54 https://forem.com/jmarhee/using-pre-commit-and-post-update-git-hooks-1e54 <p>Adding some additional processing to your git workflow is sometimes useful/cool/interesting, and the functionality provided by <a href="https://githooks.com/">githooks</a> make this fairly accessible to make use of. I typically make use of very few of these (in place of having things happen on the server-side — tests, etc.-that can be enabled externally or using server-side hooks) on the client-side, and adapt two included in <code>.git/hooks/</code> by default, <code>pre-commit</code> and <code>post-update</code>, for, you guessed it, before commits are made, and after a set of commits are pushed.</p> <p>In my capacity as an operations engineer, I make use of tools like Terraform often, which has the benefit of including a formatting tool and a validation tool — this is a good example of where a pre-commit hook can be useful — before I create a commit, I can validate the manifest and check formatting/style of the manifests being updated. I can do this by modifying, in my project root, <code>.git/hooks/pre-commit.sample</code>, and add something like this to check <code>.tf</code> files against these standards:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">modified_files</span><span class="o">=</span><span class="si">$(</span>git ls-files <span class="nt">-m</span><span class="si">)</span> <span class="k">for </span>f <span class="k">in </span>modified_files <span class="k">do if</span> <span class="o">[</span><span class="nt">-e</span> <span class="s2">"</span><span class="nv">$f</span><span class="s2">"</span> <span class="o">]</span> <span class="o">&amp;&amp;</span> <span class="o">[[</span> <span class="nv">$f</span> <span class="o">==</span> <span class="k">*</span>.tf <span class="o">]]</span><span class="p">;</span> <span class="k">then </span>terraform validate <span class="si">$(</span><span class="nb">dirname</span> <span class="nv">$f</span><span class="si">)</span> terraform <span class="nb">fmt</span> <span class="nv">$f</span> <span class="nt">-check</span><span class="o">=</span><span class="nb">true </span>git add <span class="nv">$f</span> <span class="k">fi done</span> </code></pre> </div> <p>I’ve adapted my approach from <a href="https://gist.github.com/jamtur01/a567078b7ba545c3492f7cd32a65450d">James Turnbull’s pre-commit hook script</a> to process this slightly differently, but also highlights that these are basically just a scriptable interface to manage git’s behavior.</p> <p>To enable this hook, copy the file to <code>.git/hooks/pre-commit</code> (no <code>.sample</code>).</p> <p>Let’s take a look at a more involved example in my <code>post-update</code> script. In my case, I am working on a Mac, so I’d like to make the most of this — maybe introduce some more visual cues for me to follow, so I want to use some Applescript as well.</p> <p>In <code>.git/hooks/post-update</code>, I want to grab the hash and message of the last commit pushed, and the branch I pushed to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">COMMIT</span><span class="o">=</span><span class="si">$(</span>git log <span class="nt">-1</span> HEAD | <span class="nb">head</span> <span class="nt">-n</span> 1 | <span class="nb">awk</span> <span class="s1">'{print $1}'</span><span class="si">)</span> <span class="nv">MESSAGE</span><span class="o">=</span><span class="si">$(</span>git log <span class="nt">--format</span><span class="o">=</span>%B <span class="nt">-n</span> 1 <span class="nv">$COMMIT</span> | xargs <span class="nb">echo</span> <span class="si">)</span> <span class="nv">BRANCH</span><span class="o">=</span><span class="si">$(</span>git branch | <span class="nb">grep</span> <span class="se">\*</span> | <span class="nb">cut</span> <span class="nt">-d</span> <span class="s1">' '</span> <span class="nt">-f2</span><span class="si">)</span> </code></pre> </div> <p>and to make this useful, I can see a summary of my latest push by adding this call to <code>osascript</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/usr/bin/osascript <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> display dialog "To </span><span class="nv">$BRANCH</span><span class="sh">:</span><span class="se">\n\n</span><span class="nv">$MESSAGE</span><span class="se">\n\n\t</span><span class="sh">(</span><span class="nv">$COMMIT</span><span class="sh">)</span><span class="se">\n</span><span class="sh">" with title "Git Push" buttons {"I meant to do that"} default button 1 </span></code></pre> </div> <p>To have a pop-up dialog and just a reminder of what I did, so I stop to check my work one last time before moving on to my next task.</p> git terraform automation testing Configuring and Managing Routes Between Multiple Networks with Wireguard Joseph D. Marhee Tue, 08 Jun 2021 08:16:42 +0000 https://forem.com/jmarhee/configuring-and-managing-routes-between-multiple-networks-with-wireguard-3ja3 https://forem.com/jmarhee/configuring-and-managing-routes-between-multiple-networks-with-wireguard-3ja3 <p>I recently updated the VPN solution in my infrastructure lab using Wireguard; my architecture is fairly basic, in that each site (in this case, a handful of colocated environments, and multiple cloud providers) runs a Wireguard endpoint, which then are peered with one-another to connect my service network (rather than that of the hosts themselves) across these sites and providers.</p> <p>I made the switch after using Wireguard in the context of direct connecting cloud provider networks in my work, and decided to do the same for my lab, which spans a much smaller scale, but a much more diverse set of machines and networks, which made managing a large OpenVPN configuration somewhat cumbersome, and found Wireguard straight-forward, if a little light on diverse documentation, but reasonably well-suited to automation.</p> <p>There are many excellent guides online for <a href="https://www.ericlight.com/wireguard-part-two-vpn-routing.html">configuring Wireguard between multiple peer nodes</a>, and for my use-case, I found that I need additional route changes to allow each peer to access the LANs the accompanying peered nodes were a part of.</p> <p>For example, assuming a network, 192.168.2.0/24 for the Wireguard interfaces themselves, my first server in one location, 192.168.2.1 was part of a network in that location for machines not, themselves, setup with Wireguard, 192.168.122.0/24 , and another endpoint accessible on Wireguard as 192.168.2.2, 192.168.1.0/24 , and I wanted this latter set of machines to be able to access the machines in the LAN for the former, but not the other way around.</p> <p>The standard Wireguard config supports PostUp and Down arguments to add additional routing changes, and support for things like configuring NAT with iptables . In this respect, this is the only non-standard use of Wireguard in-use in my project.</p> <p>On my server, my configuration looked like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[Interface]</span> <span class="py">Address</span> <span class="p">=</span> <span class="mf">192.168.2.1</span> <span class="err">PrivateKey</span> <span class="err">=</span> <span class="err">(Hidden)</span> <span class="err">ListenPort</span> <span class="err">=</span> <span class="err">(Whatever)</span> <span class="err">PostUp</span> <span class="err">=</span> <span class="err">iptables</span> <span class="err">-A</span> <span class="err">FORWARD</span> <span class="err">-i</span> <span class="err">%i</span> <span class="err">-j</span> <span class="err">ACCEPT;</span> <span class="err">iptables</span> <span class="err">-A</span> <span class="err">FORWARD</span> <span class="err">-o</span> <span class="err">%i</span> <span class="err">-j</span> <span class="err">ACCEPT;</span> <span class="err">iptables</span> <span class="err">-t</span> <span class="err">nat</span> <span class="err">-A</span> <span class="err">POSTROUTING</span> <span class="err">-o</span> <span class="err">virbr</span><span class="mi">0</span> <span class="err">-j</span> <span class="err">MASQUERADE</span> <span class="err">PostDown</span> <span class="err">=</span> <span class="err">iptables</span> <span class="err">-D</span> <span class="err">FORWARD</span> <span class="err">-i</span> <span class="err">%i</span> <span class="err">-j</span> <span class="err">ACCEPT;</span> <span class="err">iptables</span> <span class="err">-D</span> <span class="err">FORWARD</span> <span class="err">-o</span> <span class="err">%i</span> <span class="err">-j</span> <span class="err">ACCEPT;</span> <span class="err">iptables</span> <span class="err">-t</span> <span class="err">nat</span> <span class="err">-D</span> <span class="err">POSTROUTING</span> <span class="err">-o</span> <span class="err">virbr</span><span class="mi">0</span> <span class="err">-j</span> <span class="err">MASQUERADE</span> </code></pre> </div> <p>with [Peer] blocks for two other endpoints that can access the networks attached to 192.168.2.1 ‘s virbr0 interface:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[Peer]</span> <span class="py">PublicKey</span> <span class="p">=</span> <span class="err">TH+DHbSc</span><span class="mi">7</span><span class="err">ALMapPCsUlCVzWJdQKtFPNfW</span><span class="mi">8</span><span class="err">Hkel</span><span class="mi">8</span><span class="err">m</span><span class="mi">2</span><span class="err">Uw=</span> <span class="err">Endpoint</span> <span class="err">=</span> <span class="err">(Host):(Port)</span> <span class="err">PersistentKeepalive</span> <span class="err">=</span> <span class="mi">25</span> <span class="err">AllowedIPs</span> <span class="err">=</span> <span class="mf">192.168.2.3</span><span class="err">/</span><span class="mi">32</span> <span class="nn">[Peer]</span> <span class="err">PublicKey</span> <span class="err">=</span> <span class="mi">6</span><span class="err">w/+laHf</span><span class="mi">7</span><span class="err">m</span><span class="mi">0</span><span class="err">T</span><span class="mi">13</span><span class="err">tgogRbwKp</span><span class="mi">5</span><span class="err">na</span><span class="mi">20</span><span class="err">yygLObLL</span><span class="mi">9</span><span class="err">AgSHH</span><span class="mi">8</span><span class="err">=</span> <span class="err">AllowedIPs</span> <span class="err">=</span> <span class="mf">192.168.2.2</span><span class="err">/</span><span class="mi">32</span> <span class="err">Endpoint</span> <span class="err">=</span> <span class="err">(Host):(Port)</span> </code></pre> </div> <p>Pretty straightforward, but to drill down on the behavior I’m hoping to achieve here, only this server 192.168.2.1 will have PostUp and Down rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>iptables <span class="nt">-A</span> FORWARD <span class="nt">-i</span> %i <span class="nt">-j</span> ACCEPT<span class="p">;</span> iptables <span class="nt">-A</span> FORWARD <span class="nt">-o</span> %i <span class="nt">-j</span> ACCEPT<span class="p">;</span> iptables <span class="nt">-t</span> nat <span class="nt">-A</span> POSTROUTING <span class="nt">-o</span> virbr0 <span class="nt">-j</span> MASQUERADE </code></pre> </div> <p>in this case, to forward traffic over the wg0 interface (in my case, but in the above, the %i will automatically substitute the interface you’re bringing online when you do things like wq-quick up {interface name} ) to the target network you’d like to expose to the peers (and then enable in the client config, which I’ll cover in a moment), which in this case is the network attached to the bridged interface, virbr0 .</p> <p>Because I wanted my peer sites to be able to run workloads in and out of this LAN attached to 192.168.2.1 endpoint, my client config does not require PostUp or PostDown -managed route changes, but does need to be aware of the networks it will be exposed to (via those firewall changes on that endpoint — changes we will not be making on these client peer endpoints):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[Interface]</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="err">(Hidden)</span> <span class="err">ListenPort</span> <span class="err">=</span> <span class="err">(Port)</span> <span class="err">Address</span> <span class="err">=</span> <span class="mf">192.168.2.2</span><span class="err">/</span><span class="mi">24</span> <span class="err">DNS</span> <span class="err">=</span> <span class="mf">1.1.1.1</span> <span class="nn">[Peer]</span> <span class="py">PublicKey</span> <span class="p">=</span> <span class="err">mXvCVKYmYuYL</span><span class="mi">0</span><span class="err">AO</span><span class="mi">2</span><span class="err">AvDPsLmOdUGwXDi</span><span class="mi">5</span><span class="err">d</span><span class="mi">2</span><span class="err">DekKCt</span><span class="mi">9</span><span class="err">RY=</span> <span class="err">AllowedIPs</span> <span class="err">=</span> <span class="mf">192.168.2.0</span><span class="err">/</span><span class="mi">24</span><span class="p">,</span> <span class="mf">192.168.122.0</span><span class="err">/</span><span class="mi">24</span> <span class="err">Endpoint</span> <span class="err">=</span> <span class="err">(Host):(Port)</span> <span class="err">PersistentKeepalive</span> <span class="err">=</span> <span class="mi">25</span> </code></pre> </div> <p>So, in this configuration, we’re exposing a new endpoint at 192.168.2.2 to peer with 192.168.2.1 , and in AllowedIPs , we not only want to be aware of the Wireguard network we’re declaring 192.168.2.0/24 , but the network attached to the first host’s virbr0 interface, in this case, 192.168.122.0/24 .</p> <p>Behind this new endpoint is a network, 192.168.0.0/24 that the first host cannot be routed back to without adding a similar rule on this new endpoint’s Interface configuration, but if we were to add similar rules to the iptables rules we added above, and then in the config for the first server’s Peer block:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[Peer]</span> <span class="py">PublicKey</span> <span class="p">=</span> <span class="mi">6</span><span class="err">w/+laHf</span><span class="mi">7</span><span class="err">m</span><span class="mi">0</span><span class="err">T</span><span class="mi">13</span><span class="err">tgogRbwKp</span><span class="mi">5</span><span class="err">na</span><span class="mi">20</span><span class="err">yygLObLL</span><span class="mi">9</span><span class="err">AgSHH</span><span class="mi">8</span><span class="err">=</span> <span class="err">AllowedIPs</span> <span class="err">=</span> <span class="mf">192.168.2.2</span><span class="err">/</span><span class="mi">32</span><span class="p">,</span> <span class="mf">192.168.0.0</span><span class="err">/</span><span class="mi">24</span> <span class="err">Endpoint</span> <span class="err">=</span> <span class="err">(Host):(Port)</span> </code></pre> </div> <p>like so, this remote peer’s network could similarly forward traffic, and route it appropriately.</p> <p>Basically, at the end of this, you can use Wireguard as a site-to-site VPN, and much like you would with any VPN solution, more flexibly operate access to the networks attached to each endpoint, and similar to the push "${some route}" behavior in OpenVPN, for example, using the lean interface of the Wireguard configuration format to accomplish this.</p> <p>Additional Resources</p> <p><a href="https://www.stavros.io/posts/how-to-configure-wireguard/">Configuring Wireguard</a></p> <p><a href="https://github.com/squat/kilo">Kilo — Wireguard-based multi-cloud overlay</a></p>