Posts

Showing posts from 2024

aks istio securing gateway service mesh with tls

Enable the secret provider class if you haven't done so.

export RESOURCE_GROUP=istio-rg
export AKV_NAME=istio-kv-dev
export LOCATION=australiaeast
export CLUSTER=my-istio-cluster
az keyvault create --name $AKV_NAME --resource-group $RESOURCE_GROUP --location $LOCATION
az aks enable-addons --addons azure-keyvault-secrets-provider --resource-group $RESOURCE_GROUP --name $CLUSTER

Grant all the required role assignments to the user you're using so we can store the following into our key vault. Once you have enabled it, deploy the bookinfo sample application:

kubectl label namespace default istio.io/rev=asm-1-22
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.18/samples/bookinfo/platform/kube/bookinfo.yaml

Next create the relevant secrets in your key vault:

az keyvault secret set --vault-name $AKV_NAME --name test-productpage-bookinfo-key --file bookinfo_certs/productpage.bookinfo.com.key
az keyvault secret set --vault-nam

AKS - customizing istio service mesh configuration

Please ensure you have an Istio-enabled cluster for this. You can query the current Istio configuration using the Azure CLI by running the following command:

az aks show --name my-istio-cluster --resource-group istio-rg --query 'serviceMeshProfile'

You will get the output shown here. The configuration is stored in a config map called istio-asm-revision; in my case it is istio-asm-1-22, stored in my aks-istio-system namespace.

AKS - setting up istio ingress (external and internal)

Enabling External Ingress

First we need to ensure our cluster has the Istio service mesh installed. I typically run the following commands to get it installed on my existing cluster:

# enabling my cluster
az aks mesh enable --resource-group istio-rg --name my-istio-cluster
# see if the cluster service mesh is enabled
az aks show --resource-group istio-rg --name my-istio-cluster --query 'serviceMeshProfile.mode'

External ingress

Next we activate Istio external ingress. Getting 400 Bad Request when running

az aks mesh enable-ingress-gateway --resource-group istio-rg --name my-istio-cluster --ingress-gateway-type external

Ensure your managed identity has the Network Contributor role on your node resource group.

# Get the principal ID for a system-assigned managed identity.
CLIENT_ID=$(az aks show --name my-istio-cluster --resource-group istio-rg --query identity.principalId --output tsv)
# Get the resource ID for the node resource group.
RG_SCOPE=$(az group show --name MC_istio-rg_my-istio-clu

AKS - assigning static IP to your cluster

To set up your Kubernetes LoadBalancer service type and tie it to your Azure public IP, you need to ensure: 1. the service principal of your Kubernetes cluster has Network Contributor access to your MC (node) resource group; 2. you deploy the service YAML with the proper annotations, namely service.beta.kubernetes.io/azure-load-balancer-resource-group and service.beta.kubernetes.io/azure-pip-name. This assumes you have an existing cluster. Please note that when you create your AKS cluster using the portal, you will have been given a public IP address named with a GUID.

Setting up the network contributor

We need to get the client ID and the MC resource group.

Getting the cluster client ID:
CLIENT_ID=$(az aks show --name aks-static-cluster --resource-group aks-static-rg --query identity.principalId --output tsv)

Getting the resource group ID:
RG_SCOPE=$(az group show --name MC_aks-static-rg_aks-static-cluster_australiaeast --query id --output tsv)

Assigning the scope:
az role assignment create --assignee ${CLIENT_ID} --

running into dotnet sdk 7 issue when running dotnet run -- schema export --output schema.graphql

When running "dotnet run -- schema export --output schema.graphql", you will hit this error if you don't have dotnet 7.11x installed. So you need to download 7.11x; it can be higher, but it cannot be 7.3x or 7.4x. Once you install it, this error should go away.

hotchoc - error CS0121: The call is ambiguous between the following methods or properties: 'SchemaRequestExecutorBuilderExtensions.AddTypes(IRequestExecutorBuilder

When you're trying to use AddTypes() to build up your service and you bump into this error message:

error CS0121: The call is ambiguous between the following methods or properties: 'SchemaRequestExecutorBuilderExtensions.AddTypes(IRequestExecutorBuilder, params Type[])' and 'SchemaRequestExecutorBuilderExtensions.AddTypes(IRequestExecutorBuilder, params INamedType[])'
1>Done building project "Accounts.csproj" -- FAILED.

This is discussed here: https://github.com/ChilliCream/graphql-platform/discussions/5845. Ensure your module is configured. Finally, ensure that you have the proper attributes in place, as the code will be generated on the fly. For example, this is what my query looks like. Then try to compile and see if that works for you. It did work for me.

hotchoc fusion commands - exporting schema, packing and composing your supergraph

To get started, run

dotnet new tool-manifest

Then install the Hot Chocolate Fusion command-line tool:

dotnet tool install HotChocolate.Fusion.CommandLine

Then go to your subgraph project, such as account, product or review. Ensure that you have RunWithGraphQLCommands configured as shown below:

using System.Numerics;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddSingleton<UserRepository>();

builder.Services
    .AddGraphQLServer()
    .AddTypes()
    .AddGlobalObjectIdentification()
    .RegisterService<UserRepository>();

var app = builder.Build();
app.MapGraphQL();
app.RunWithGraphQLCommands(args);

Then run the following command in your subgraph project to generate the GraphQL schema:

dotnet run -- schema export --output schema.graphql

Next run

dotnet fusion subgraph pack

This will create a package with the extension ccspkg that contains the schema, extensions and configuration of the subgraph. Then you

kubernetes liveness readiness and startup probes

Kubernetes tends to mask the actual health check endpoint behind something such as /health/ready or /health/live. I was trying to configure livenessProbe and it turns out it also requires readinessProbe and startupProbe. Let's use Keycloak as an example. It exposes different health check endpoints on port 8080. Keycloak exposes 4 health endpoints: /health/live, /health/ready, /health/started and /health. So in my Kubernetes health check configuration I would have something like the following:

readinessProbe:
  httpGet:
    path: /health/live
    port: 8080
  failureThreshold: 1
  periodSeconds: 10
livenessProbe:
  httpGet:
    path: /health/ready
    port: 8080
  failureThreshold: 1
  periodSeconds: 10
startupProbe:
  httpGet:
    path: /health/started
    port: 8080
  failureThreshold: 30
  periodSeconds: 10

FAQ

Do you need all of them to be configured? Very likely yes. It is best to include startupProbe, livenessProbe and readinessProbe in your configuration to avoid unnecessary pod restarts.

snyk throwing EACCES with error code 13 when running snyk-linux code test

My pipeline was throwing EACCES err 13 trying to spawn gradle when I ran snyk code test using SnykSecurityScan@1. I can see that snyk-linux was successfully downloaded and installed. To resolve this, I set the folder permissions to allow it to execute gradle:

chmod -R +x $(Build.SourceDirectory)

After that my snyk task was able to run successfully.

who is calling my kubernetes health check endpoint - /health/ready

The other day, I had a massive amount of traffic calling my pods' health check endpoint and was trying to identify where the calls were coming from. It turns out that the agent is kube-proxy/<your-kubelet-version>, and yes, it is none other than kubelet itself.

using openssl to create a self sign certificate

The following command generates a self-signed certificate valid for 365 days:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

install nginx service mesh

Installing NGINX service mesh

First of all, you need to install the monitoring components for NGINX service mesh. Clone this repo https://github.com/mitzenjeremywoo/nginx-service-mesh-setup.git and then run the following command:

kubectl apply -f prometheus.yaml -f grafana.yaml -f otel-collector.yaml -f jaeger.yaml

Next use helm to install the service mesh:

helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update
helm install nsm nginx-stable/nginx-service-mesh --namespace nginx-mesh --create-namespace --wait --set prometheusAddress=prometheus.nsm-monitoring.svc:9090 --set telemetry.exporters.otlp.host=otel-collector.nsm-monitoring.svc --set telemetry.exporters.otlp.port=4317 --set telemetry.samplerRatio=1

Deploying the bookinfo sample app

We need to label the namespace first, just like we do in Istio:

kubectl label namespaces default injector.nsm.nginx.com/auto-inject=enabled

and then run this command to deploy bookinfo:

kubectl apply -f bookinfo.yaml

You c

installing and setting up nginx-ingress controller tutorial

This tutorial covers only the NGINX ingress controller and not the service mesh.

Install NGINX ingress controller using helm

Add the NGINX ingress controller helm repository:

helm repo add nginx https://kubernetes.github.io/ingress-nginx

Then update it using the following command:

helm repo update

Install the NGINX ingress controller by running this command:

helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace

To see what values are available when running helm upgrade, you can use the following command:

helm show values ingress-nginx --repo https://kubernetes.github.io/ingress-nginx

To test your ingress installation so far:

kubectl get service ingress-nginx-controller --namespace=ingress-nginx

The service will have an External-IP; in this case it is localhost.

Deploy the bookinfo application

# Copyright 2017 Istio Authors # #   Licensed under the Apache License, Version 2.0 (the "L