Posts

Showing posts from November, 2024

calico - support ebpf in AKS

Calico supports the eBPF dataplane in AKS; this was tried on Kubernetes 1.30. The default installation uses the iptables dataplane, but you can switch it to eBPF by patching the Installation resource:

kubectl patch installation.operator.tigera.io default --type merge -p '{"spec":{"calicoNetwork":{"linuxDataplane":"BPF"}}}'

Then watch the pods in the calico-system namespace while the operator rolls the change out:

watch kubectl get pods -n calico-system

It is important to look for restarts. Once the BPF dataplane is healthy, kube-proxy is redundant (Calico handles service routing itself in this mode) and only wastes resources, so it can be taken off every node by giving its DaemonSet a node selector that matches nothing:

kubectl patch ds -n kube-system kube-proxy -p '{"spec":{"template":{"spec":{"nodeSelector":{"non-calico": "true"}}}}}'

To revert back to iptables, run the following command:

kubectl patch installation.operator.tigera.io default --type merge -p '{"spec":{"calicoNetwork":{"linuxDataplane":"Iptables"}}}'

To r...
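Added example, not from the original post: a script that wraps the steps above and turns "look for restarts" into a check that fails if any calico-system pod has restarted or is not Running, so kube-proxy is only taken off the nodes once the BPF dataplane is actually healthy. The kubectl invocations are the ones from the post; the rollout timeout and the --apply guard are my own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): switch the Calico dataplane and
# verify that calico-system pods settled without restarts before touching kube-proxy.
set -eu

# JSON merge patch for the Installation resource; "BPF" or "Iptables" are the
# values the post uses for spec.calicoNetwork.linuxDataplane.
dataplane_patch() {
  printf '{"spec":{"calicoNetwork":{"linuxDataplane":"%s"}}}' "$1"
}

# Reads `kubectl get pods -n calico-system --no-headers` output on stdin
# (NAME READY STATUS RESTARTS AGE), prints every pod that is not Running or
# that has restarted, and returns 1 if there is any such pod, 0 otherwise.
find_unhealthy_pods() {
  awk '
    # RESTARTS may render as "3 (2m ago)"; the count is always the 4th field.
    $3 != "Running" || $4 + 0 > 0 { print $1, $3, "restarts=" $4; bad = 1 }
    END { if (bad) exit 1 }
  '
}

# Patch the dataplane, wait for calico-node to roll, then run the health check.
switch_dataplane() {
  local mode="$1"
  kubectl patch installation.operator.tigera.io default --type merge -p "$(dataplane_patch "$mode")"
  kubectl rollout status ds/calico-node -n calico-system --timeout=5m
  kubectl get pods -n calico-system --no-headers | find_unhealthy_pods
}

# In BPF mode Calico handles service routing itself, so kube-proxy only burns
# resources; a node selector that matches no node unschedules it everywhere.
disable_kube_proxy() {
  kubectl patch ds -n kube-system kube-proxy -p '{"spec":{"template":{"spec":{"nodeSelector":{"non-calico": "true"}}}}}'
}

# Only talks to the cluster when invoked with --apply; the functions above can
# be sourced and checked on their own.
if [ "${1:-}" = "--apply" ]; then
  switch_dataplane BPF && disable_kube_proxy
fi
```

Run it as ./calico-bpf.sh --apply against a cluster you can afford to break; if find_unhealthy_pods lists anything, kube-proxy is left in place so you can inspect the restarting pods first.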

calico - how to see what is your calico configuration

By simply running kubectl get installation/default -o yaml you can see that the current setup is using iptables, along with many other details of the Calico configuration.

istioctl ambient mode revisiting

Installing Istio ambient mode on kind did not work on Windows either; a Linux machine is needed. To get started, run:

istioctl install --set profile=ambient --skip-confirmation

Set up the Kubernetes Gateway API. This installs the CRDs such as GatewayClass, HTTPRoute, TCPRoute and so on:

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml

Deploy the Bookinfo sample app:

kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/bookinfo/platform/kube/bookinfo-versions.yaml

Then deploy a Gateway using the following YAML:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    port: 80
    protoco...

istio ambient mode still using iptables instead of ebpf

Istio ambient mode still uses iptables instead of eBPF. Despite what was mentioned in the blog post https://istio.io/latest/blog/2023/ambient-ebpf-redirection/, which says that eBPF mode can be activated by running

istioctl install --set profile=ambient --set values.cni.ambient.redirectMode="ebpf"

running this gives an error saying redirectMode is not supported. Tried this with istioctl 1.24.4 and Istio 1.23.

AKS - removing load balancer from your MC_x resource group

The load balancer is critical for the proper functioning of an AKS cluster. Although some setups use a NAT gateway for outbound traffic, does that mean the load balancer can be deleted? Or perhaps maintaining the Terraform code for outbound port allocation (SNAT requirements) feels like overhead. No: we still need it, for example to create a Service of type LoadBalancer, which provisions a public IP automatically and associates it with the AKS load balancer. If you try to forcefully remove it, you will run into an error, as shown here.

keycloak - how to setup audience - a matter of associating roles to the client

Let's say you want your client to issue a token that contains a hardcoded "audience" value. You can do that in Keycloak by setting up an Audience mapper under roles. To do that, create your client; let's call it testspn. In your designated realm, go to "Roles", then create a new role. Click "Add mapper", then select "Audience". Make sure your existing client is not associated with any pre-existing role that has an Audience mapper; remove it, otherwise you would end up with conflicting audiences. Then fill in the required details as shown here. As you may have noticed, I am trying to set up a federated client to access Azure resources. And finally, associate the role with your client.
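Added example, not part of the original post: a small shell helper that decodes a token's payload and checks that the expected audience is present, which is the quickest way to confirm the mapper did what you intended before Azure rejects the token. It assumes the target audience is api://AzureADTokenExchange (the value Azure workload identity federation expects; adjust to yours); the token it builds is a constructed sample with a dummy signature, and the check only decodes the payload, it does not verify the signature, so use it for inspection, never for trusting claims.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): inspect the "aud" claim of a JWT
# issued by Keycloak. Decoding only; nothing here validates the signature.
set -eu

# base64url encode/decode (RFC 7515): '-' '_' alphabet, no '=' padding.
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'
}

b64url_decode() {
  local s pad
  s=$(printf '%s' "$1" | tr '_-' '/+')
  pad=$(( (4 - ${#s} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do s="$s="; pad=$((pad - 1)); done
  printf '%s' "$s" | base64 -d
}

# Print the payload JSON of a JWT (the second dot-separated segment).
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Return 0 if the top-level "aud" claim (a string or an array of strings)
# contains the audience given as $2, 1 otherwise. Plain grep, no jq needed.
jwt_has_audience() {
  local payload aud
  payload=$(jwt_payload "$1")
  aud=$(printf '%s' "$payload" | grep -oE '"aud"[[:space:]]*:[[:space:]]*(\[[^]]*\]|"[^"]*")' || true)
  printf '%s' "$aud" | grep -qF "\"$2\""
}

# Constructed sample token (assumption: realm "demo", client "testspn", and the
# Azure federation audience). The third segment is a dummy, not a signature.
SAMPLE_PAYLOAD='{"iss":"https://keycloak.example/realms/demo","aud":["api://AzureADTokenExchange","account"],"azp":"testspn","exp":1700000000}'
sample_token() {
  printf '%s.%s.%s' "$(b64url_encode '{"alg":"RS256","typ":"JWT"}')" "$(b64url_encode "$SAMPLE_PAYLOAD")" "sig"
}

# Usage against a real token: TOKEN=$(curl ... token endpoint ...) then
#   jwt_has_audience "$TOKEN" "api://AzureADTokenExchange" && echo "aud ok"
if [ "${1:-}" = "--demo" ]; then
  jwt_payload "$(sample_token)"; echo
  jwt_has_audience "$(sample_token)" "api://AzureADTokenExchange" && echo "aud ok"
fi
```

If the check fails on a real token, the usual causes are the ones the post warns about: the role with the mapper is not assigned to the client, or a second Audience mapper on another role or scope is still in play.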

istioctl 1.24 - Error: generate config: helm render: load chart: component does not exist

It seems I can't even run istioctl install, or anything else, with istioctl 1.24 😅 This is tracked under https://github.com/istio/istio/pull/32519/files. As a temporary workaround, fall back to version 1.23.3.

c# primary constructor notes

When declaring a C# primary constructor such as the one below, cardtype and valid are accessible inside the class body. I was thinking they might also be exposed as properties, but they are not.

public class CreditCardValidationResult(string cardtype, bool valid)
{
}

If you want that, a record is the alternative. The only thing is that the parameters of a positional record need to be Pascal-cased, because each parameter becomes a public property with exactly that name; otherwise you end up accessing cardValidationResult.cardType instead of cardValidationResult.CardType.

public record CreditCardValidationResult(string CardType, bool Valid);

c# quick code to evaluate input using switch statement

Figured this would be handy to have, so I can reuse it over and over again without too much thinking. A sample that evaluates both a number and a string using switch expressions:

public CreditCardValidationResult Validate(string cardNumber, DateTime date)
{
    int a = 100;
    int total = a switch
    {
        var s when s > 0 && s < 100 => 10000,
        var s when s > 101 && s < 200 => 20000,
        _ => -1
    };

    string cardType = cardNumber switch
    {
        var s when s.StartsWith("4") => "VISA",
        var s when s.StartsWith("51") || s.StartsWith("52") || s.StartsWith("53") || s.StartsWith("54") || s.StartsWith("55") || s.StartsWith("37") ...

setting up helm chart manually via github pages

Let's say you would like to serve your Helm chart from GitHub. First you need your repository configured to expose GitHub Pages: go to your repository -> Settings -> Pages and set the deployment source to the main branch, as shown here. You will notice the live site URL; this is the URL to use in the configuration later. Next prepare your chart; you can clone the sample chart from https://github.com/mitzenjeremywoo/podinfo-chart. Run the following from your terminal:

git clone https://github.com/mitzenjeremywoo/podinfo-chart
cd podinfo-chart/charts

Package the chart:

helm package podinfo

You will now have a podinfo*.tgz file. Next prepare the index.yaml file. We are using https://mitzenjeremywoo.github.io/podinfo-chart to serve the charts, as you can see in the command below:

helm repo index . --url https://mitzenjeremywoo.github.io/podinfo-...

fluxcd - getting started

Ensure you have installed the following:
- Kubernetes
- the Flux CLI
- a GitHub account

Flux integrates with GitHub and applies any change in the repository to deploy applications to your Kubernetes cluster. To do that, we first have to bootstrap Flux. This installs the Flux core components: source-controller, helm-controller, kustomize-controller and notification-controller. To deploy an app from Git you need a repository; Flux can create that for you:

flux bootstrap github --owner=mitzenjeremywoo --repository=fleet-infra --branch=main --path=./clusters/my-cluster --personal

You will then be prompted for your GitHub personal access token (PAT). Once that is done, run the following to start working with the repository:

git clone https://github.com/mitzenjeremywoo/fleet-infra
cd fleet-infra

Creating your GitRepository source: this is the codebase from which your application will be deployed, and in this i...

github - getting pat tokens

To get an access token for GitHub, go to Developer settings -> Personal access tokens, then click "Generate new token". Scope it to just the repositories and permissions the tool using it actually needs.

using powershell to configure alias for kubectl

Pretty useful command for my day-to-day work:

Set-Alias k kubectl

Put it in your PowerShell profile ($PROFILE) so it is defined in every new session.

terraform test locking in providers for your test

Maintaining a repository of Terraform modules can be challenging at times, and we cannot expect the whole team to migrate to azurerm 4.2, for example. To make sure our tests keep working (without a version constraint, terraform test picks up whatever provider version terraform init resolved, which is the latest), we can use the following approach to lock down the azurerm provider for the tests. The same applies to other providers. We have the following folder layout: a setup folder under the tests folder. Then in the test file, default.tftest.hcl, we have the following code referencing our provider. Referencing azurerm 3.0 from the test file:

# setup specific test
run "setup_tests" {
  module {
    source = "./tests/setup"
  }
}

And finally in tests/setup/main.tf we have the following:

terraform {
  required_providers {
    azurerm = {
      source   = "hashicorp/azurerm"
   ...

TypeError: 'type' object is not subscriptable Python

While trying to get my Python code to run on a build agent, I ran into the error "TypeError: 'type' object is not subscriptable". It turned out my code was running under Python 3.8, where built-in collection types such as dict and list cannot be subscripted in annotations (dict[str, str] needs Python 3.9 or later), so I had to import the typing aliases:

from typing import Dict, List

and then update my code to use Dict instead of dict (and List instead of list).

NsgsNotAppliedOnNic: No NSG applied on nic to allow or block traffic, nic id /your-azure-subscriptions

Ran into this error while testing network connectivity with Network Watcher. I had removed the NSG from my VM's network interface, which technically should allow all incoming and outgoing traffic, meaning no restrictions. This can be really confusing: with no NSG on the NIC there is no rule set for the check to evaluate, and that is what the message is reporting.

terraform test - mocking your providers

You can mock your tests using:
- mock providers: in this scenario you do not call the provider and do not need credentials configured. This is the fastest option because no actual call is made to the provider.
- override blocks: mock out certain resources, data sources and modules. This lets us specifically mock some or all resources, data sources or modules.

An example is shown here. As you can see, we mock out azurerm. If you run terraform init and terraform test, you will notice the tests run much faster.

mock_provider "azurerm" {}

run "resource-group-name-created-correctly" {
  variables {
    prefix = "test"
  }
  command = plan
  assert {
    condition     = azurerm_resource_group.example.name == "myrg"
    error_message = "Resource group created is not expected"
  }
}

run "storage-account-prefix-created-correctly" {
  variables {
   ...

terraform test - outputs from your module

To test a Terraform module, place the module in a folder; let's call it modules. In the test file in the root directory you can have the following:

run "resource-group-name-created-correctly" {
  variables {
    prefix = "test"
  }
  module {
    source = "./modules"
  }
  command = plan
  assert {
    condition     = output.resource_group_name == "myrg"
    error_message = "Resource group created is not expected"
  }
}

Then run terraform init and terraform test to execute the tests. As shown in the diagram above, the module needs to declare an output; in this case we have an output called resource_group_name. All we need to do is use the output keyword followed by the name of that output. The full outputs code:

# Outputs
output "storage_account_name" {
  description = "The name of the storage account"
  value   ...

terraform test - a simple terraform test example

I have been trying to get started with terraform test, and here is a very simple example. It just checks the resource group and storage account names at the plan stage. Test files must end with the .tftest.hcl extension. Here is an example configuration that creates a resource group and a storage account:

# Terraform configuration with provider version
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.2" # any 4.x release from 4.2 upwards
    }
  }
  #backend "azurerm" {
  #  resource_group_name  = "terraform-backend-rg"
  #  storage_account_name = "terraformbackendsa" # Must be globally unique
  #  container_name       = "tfstate"
  #  key                  = "terraform.tfstate"
  #}
  #required_version = ">= 1...

kind - install quickly

This can be handy when we want to set up and install kind:

curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64
chmod +x ./kind
sudo mv ./kind /usr/local/bin/
kind create cluster
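Added example, not from the original post: the same install, but pinned to a release and with the binary checked against its published SHA-256 before it is moved into /usr/local/bin, since whatever lands there runs with your privileges. The kind version is an assumed pin, and the .sha256sum URL follows the naming of the assets on the kind release page; confirm both there before relying on this.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pinned, checksum-verified kind install.
set -eu

# Assumed pin; pick the release you have actually reviewed.
KIND_VERSION="${KIND_VERSION:-v0.24.0}"

# Compare a downloaded file against a published "<sha256>  <asset-name>" line.
# Hashes are compared directly (rather than `sha256sum -c`) because the asset
# name in the checksum file differs from the local file name. Returns 0 on a
# match, 1 on a mismatch or an empty checksum file, so callers can refuse to install.
verify_checksum() {
  local file="$1" sumfile="$2" expected actual
  expected=$(awk 'NR==1 {print $1}' "$sumfile")
  actual=$(sha256sum "$file" | awk '{print $1}')
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Download binary and checksum, verify, then install exactly as the post does.
# Assumption: the release publishes kind-linux-amd64.sha256sum next to the binary.
install_kind() {
  local base="https://kind.sigs.k8s.io/dl/${KIND_VERSION}"
  curl -fsSLo ./kind "${base}/kind-linux-amd64"
  curl -fsSLo ./kind.sha256sum "${base}/kind-linux-amd64.sha256sum"
  if ! verify_checksum ./kind ./kind.sha256sum; then
    echo "checksum mismatch for kind ${KIND_VERSION}; not installing" >&2
    rm -f ./kind ./kind.sha256sum
    return 1
  fi
  rm -f ./kind.sha256sum
  chmod +x ./kind
  sudo mv ./kind /usr/local/bin/
  kind create cluster
}

# Network and sudo are only touched when invoked with --install.
if [ "${1:-}" = "--install" ]; then install_kind; fi
```

A checksum fetched over the same channel as the binary only guards against a corrupted or truncated download, not a compromised origin; for that you would also check the release's signature or provenance attestation where the project publishes one.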

cilium massive tutorials

  You can find lots of cilium material from here:-  https://isovalent.com/resource-library/labs/?utm_source=website-cilium&utm_medium=referral&utm_campaign=cilium-lab

dotnet core - setting url settings in launchSettings.json and appsettings.json

We can configure the ASP.NET Core app URL in both launchSettings.json and appsettings.json. A couple of tests reveal that launchSettings.json is evaluated first and appsettings.json afterwards, so a Kestrel endpoint configured in appsettings.json wins. (launchSettings.json only applies to dotnet run and IDE launches; a Kestrel endpoints section overrides the URL it sets.) To override launchSettings.json, add the following to appsettings.json:

"Kestrel": {
  "EndPoints": {
    "Http": {
      "Url": "http://0.0.0.0:5090"
    }
  }
}

Note that 0.0.0.0 binds on every interface; use 127.0.0.1 if the app should only be reachable locally.

hotchoc federation example (without hot reload)

In this setup we will be building a centralized Hot Chocolate GraphQL federation that resolves schemas residing in other services. The gateway does not import or contain the subgraph schemas, so developers do not have to copy schemas over from the subgraphs. In the centralized approach, the gateway references the subgraph schemas. Stitching generally happens when we want to extend our subgraphs, for example by introducing another query name; we will see more of this. In line with the intention of federation, if a request asks for product info, the product subgraph returns the product info while leaving reviews to be resolved by another subgraph service. We will be creating 5 projects:
- the gateway: the main GraphQL endpoint that lets us query the subgraphs defined below
- product subgraph: a simple subgraph that exposes product info
- review subgraph: a slightly more complicated subgraph that provides review information
- account subgraph
- inventory subgraph

GitHub repository...

Understanding envoy proxy and istio EDS, LDS ....etc

This is a good link that might help with understanding istioctl proxy outputs: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration

hotchoc - There is no object type implementing interface `Node`

Ran into this odd Hot Chocolate error while running 'dotnet run -- schema export --output schema.graphql' to generate my schema. This is what my Hot Chocolate types looked like; it turned out that a static method prevented the automatic schema generation from working properly.

using System.Collections.Generic;
using HotChocolate;
using HotChocolate.Types;
using HotChocolate.Types.Relay;

namespace Reviews.Types
{
    [QueryType]
    public class Query
    {
        [NodeResolver]
        public static Review GetReview(
            [Service] ReviewRepository repository,
            int upc) =>
            repository.GetReview(upc);
    }
}

To resolve this, simply remove the static method from my Query.

aks istio securing gateway service mesh with tls

Enable the Key Vault secrets provider add-on (secret provider class) if you haven't done so:

export RESOURCE_GROUP=istio-rg
export AKV_NAME=istio-kv-dev
export LOCATION=australiaeast
export CLUSTER=my-istio-cluster
az keyvault create --name $AKV_NAME --resource-group $RESOURCE_GROUP --location $LOCATION
az aks enable-addons --addons azure-keyvault-secrets-provider --resource-group $RESOURCE_GROUP --name $CLUSTER

Grant the user you are working as the Key Vault role assignment it needs to write secrets, so the certificate material below can be stored in the vault. Once the add-on is enabled, deploy the Bookinfo sample application:

kubectl label namespace default istio.io/rev=asm-1-22
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.18/samples/bookinfo/platform/kube/bookinfo.yaml

Next create the relevant secrets in your Key Vault:

az keyvault secret set --vault-name $AKV_NAME --name test-productpage-bookinfo-key --file bookinfo_certs/productpage.bookinfo.com.key
az keyvault secret set --vault-na...