Posts

argocd rollout basic setup

First we are going to need the following files; apply them with kubectl. The Service:

    apiVersion: v1
    kind: Service
    metadata:
      name: rollouts-demo
    spec:
      ports:
      - port: 80
        targetPort: http
        protocol: TCP
        name: http
      selector:
        app: rollouts-demo

And this is the Rollout file; notice the image we are using is 'blue':

    apiVersion: argoproj.io/v1alpha1
    kind: Rollout
    metadata:
      name: rollouts-demo
    spec:
      replicas: 5
      strategy:
        canary:
          steps:
          - setWeight: 20
          - pause: {}
          - setWeight: 40
          - pause: {}
          - setWeight: 60
          - pause: {}
          - setWeight: 80
          - pause: {}
      revisionHistoryLimit: 2
      selector:
        matchLabels:
          ...

installing extension argo rollout as a plugin for kubectl on linux

To set up the Argo Rollouts plugin for kubectl, run the following commands on your Linux machine:

    curl -LO https://github.com/argoproj/argo-rollouts/releases/latest/download/kubectl-argo-rollouts-linux-amd64
    chmod +x ./kubectl-argo-rollouts-linux-amd64
    sudo mv ./kubectl-argo-rollouts-linux-amd64 /usr/local/bin/kubectl-argo-rollouts

Finally, test that it is working:

    kubectl argo rollouts version

kubectl installing krew plugins

Krew is a plugin manager that allows us to download and use plugins, extending the current functionality of kubectl. To install it on bash, run the following command:

    (
      set -x; cd "$(mktemp -d)" &&
      OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
      ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
      KREW="krew-${OS}_${ARCH}" &&
      curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
      tar zxvf "${KREW}.tar.gz" &&
      ./"${KREW}" install krew
    )

And remember to add the krew bin directory to your PATH:

    export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"

Then run this to update the plugin index:

    kubectl krew update

Next, run this to list plugins:

    kubectl krew list

k8s rbac role, rolebinding and testing

In AKS we can set up RBAC for a service account. Let's create a service account and then use the following YAML definition to give it access to list pods.

    kubectl create serviceaccount pod-watcher -n dev

Next we create a Role that only allows this service account to get, list and watch pods in the dev namespace. A Role is reusable.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: dev
      name: pod-reader-only
    rules:
    - apiGroups: [""] # The core API group
      resources: ["pods"]
      verbs: ["get", "list", "watch"] # No "delete", "create", or "update"

Here are the common apiGroups that you can use. Make sure you do not omit the plural "s" in the resource name, otherwise the rule will NOT work.

    API Group    Common Resources
    "" (Core)    pods, services, nodes, namespaces, configmaps, secrets, persistentvolumeclaims
    apps         deployments, statefulsets, daemonsets, replicasets
    batch        jobs, cronjobs
    ne...

Federating AKS workload identity step by step guide

This is a step by step guide showing how we can federate our workload identity in a Kubernetes cluster. First we enable OIDC on our cluster. Next, we create a managed identity in Azure. Then we create a service account and federate it with the managed identity.

    # 1. Enable OIDC and Workload Identity on your cluster
    az aks update -g myRG -n myCluster --enable-oidc-issuer --enable-workload-identity

    # 2. Get the OIDC Issuer URL (needed for the trust)
    AKS_OIDC_ISSUER=$(az aks show -n myCluster -g myRG --query "oidcIssuerProfile.issuerUrl" -o tsv)

    # 3. Create the Managed Identity in Azure
    az identity create --name "my-app-identity" --resource-group myRG

    # 4. Create the Kubernetes Service Account (SA)
    # Note: You MUST annotate it with the Client ID of the Managed Identity
    CLIENT_ID=$(az identity show --name "my-app-identity" --resource-group myRG --query clientId -o tsv)
    kubectl create serviceaccount my-app...

azure vnet service endpoint what happens when you turn it on and how do you whitelist your resources?

This question might sound hard, but it is quite easy to answer. When we enable a service endpoint for a storage account or other resource, requests to the storage account are routed over the Microsoft backbone. When this happens, we are no longer going through NAT, so our public IP may no longer be whitelisted. In that case, how do you whitelist it? Simple: just whitelist the subnet that your resources reside in.

terraform state list, taint and untaint

Terraform taint marks a resource as 'bad', which forces it to be re-created the next time we run terraform plan or terraform apply. An example use case would be something like this: here we list the state file with terraform state list, and from there we can easily taint and untaint our resources.

terraform using different providers

We can easily set up our Terraform to support different providers. This is useful when we want to create resources in different subscriptions.

modules/storage/main.tf

    resource "azurerm_storage_account" "old_storage" {
      name                     = var.storage_name
      resource_group_name      = "mytest-kv-rg"
      location                 = "australiaeast"
      account_tier             = "Standard"
      account_replication_type = "LRS"
    }

    variable "storage_name" {
      type = string
    }

And then we have this as our main.tf:

    # The default provider (implicitly used if no provider is specified)
    provider "azurerm" {
      features {}
      subscription_id = "aaaaaaaaaaaaaaaaaaaaa" # Subscription A
    }

    # The aliased provider
    provider "azurerm" {
      alias ...

Error: unable to build authorizer for Resource Manager API: could not configure AzureCli Authorizer: the provided subscription ID "xxxxxxxxx" is not known by Azure CLI

Ran into this error trying to work with Terraform. Turns out the simplest solution is just to do "az login".

terraform test - creating and asserting unit test in terraform

In this example, we will be creating a simple storage account and then testing it with terraform test. Let's start off with the following scripts:

    variable "account_name" {
      type = string
    }

    variable "resource_group_name" {
      type = string
    }

    variable "location" {
      type = string
    }

    variable "environment" {
      type        = string
      description = "The environment for the deployment."
      validation {
        # The condition must return true for the variable to be accepted.
        condition     = contains(["dev", "staging", "prod"], var.environment)
        # This is the message printed to the screen if the condition is false.
        error_message = "Validation Error: The environment must be 'dev', 'staging', or 'prod'."
      }
    }

    resource "azurerm_storage_account" "this" {
      name                = var.account_name
      resource_group_name...

microsoft entra - creating an open client (without password)

We can use Entra to create an open (public) client, which is often used for mobile apps that are distributed to others. To do that, go to App Registration -> Create a new App Registration. Note that we set the valid redirect URL to 'https://localhost'; we do not need a local web server running for our test. Next, we add the relevant scope. Let's test our client using Postman. Provide the required configuration as shown here:

    Auth URL:              https://login.microsoftonline.com/tenant-id/oauth2/v2.0/authorize
    Access Token URL:      https://login.microsoftonline.com/tenant-id/oauth2/token
    Client ID:             (replace with your client id)
    Client Authentication: Send client credentials in body

If you hit "Get new access token", you should get a new token.

Postman - PKCE Public client authentication with Microsoft Entra AADSTS900144:

Ran into this error, "The request body must contain the following parameter: 'client_id'", when trying to configure a Microsoft Entra public client. To resolve this issue, please ensure you set "Client authentication" to "Send client credentials in body".

microsoft entra - creating client credential client

To create a client credential login with Microsoft, go to Microsoft Entra -> App Registration and create a new app registration. Provide a name for your client, for example "my-client-credential-registration", and click Register. Then configure your client's API permissions: go to API Permissions (not Expose an API) and then

1. Grant admin consent for the default directory.
2. Add a Microsoft Graph permission and select Application permission. It is stated there that this is for applications running as background tasks. Then select the "User.Read.All" permission. You should now have the following configuration. These settings define your JWT scope: with this configuration you will get "User.Read.All" if you request "https://graph.microsoft.com/.default" as your request scope. Remember to grant admin consent, otherwise the scope or permission you specify will not appear.
3. Next, create a secret for your client. So we go to "Certi...

opencode plugin with skills setup - continuation of this blog https://mitzen.blogspot.com/2026/04/opencode-creating-plugin-and.html

In the previous post, we learned how to set up a plugin so we can call it from opencode. In this post, we are going to add a skill - a bragging skill - as I find it a really important arsenal to have, especially in an interview. We only need to update our config object for opencode. Let's see an example of how to do it with skills:

    config: async (config: any) => {
      config.skills = config.skills || {};
      config.skills.paths = config.skills.paths || [];
      if (!config.skills.paths.includes(skillsDir)) {
        config.skills.paths.push(skillsDir);
      }
    }

And that's it. Once you have restarted opencode, it will load the new skills. The full code is below and the repo is here: https://github.com/kepungnzai/appcoreopc-num-mastery.git

    import { type Plugin } from "@opencode-ai/plugin"
    import { tool } from "@opencode-ai/pl...