Posts

Showing posts from December, 2025

keycloak + infinispan getting error - Event object wasn't available in remote cache after event was received. Event key: 09de68ed-b042-4306-97f9-0f420c67e9cb

My cluster has been getting this error, and after googling, this is the closest issue I found: https://github.com/keycloak/keycloak/issues/25322

My setup: Keycloak with Infinispan, backed by Postgres.

After reviewing my cluster setup, I noticed that my StatefulSet had created some ghost pods, meaning the Keycloak CRD states 3 replicas while my Kubernetes StatefulSet has 6. And yes, someone updated the STS manually and caused this issue.

Why is solving this issue important? The Keycloak node gets into a crazy GC stage, retrying a lot of operations again and again. Your Keycloak node becomes really busy and, before you know it, your Keycloak pod is flagged as 'unhealthy'.

My fix: I ensure the STS and Keycloak replicas are in sync with each other (same replica count).

    kubectl edit sts/keycloak -n keycloak-wwnz

And then ensure replica is 5.

sql server how do you control access to database for AD user?

To grant an Active Directory user access to a database, you can use the following commands:

    CREATE USER [bob@microsoft.com] FROM EXTERNAL PROVIDER;
    ALTER ROLE db_datareader ADD MEMBER [bob@microsoft.com];

sql server - how to add mask to your table

These are the ways we can mask a SQL Server database column:

    -- Partial masking: keep the last 2 characters, replace the rest with the padding
    ALTER TABLE [Employee] ALTER COLUMN [SocialSecurityNumber] ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",2)');

    -- Default email masking
    ALTER TABLE [Employee] ALTER COLUMN [Email] ADD MASKED WITH (FUNCTION = 'email()');

    -- Random masking: the value returned will be different each time
    ALTER TABLE [Employee] ALTER COLUMN [Salary] ADD MASKED WITH (FUNCTION = 'random(1, 20000)');

And we can allow visibility of the unmasked data by running this command:

    GRANT UNMASK TO DataOfficer;
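To confirm that the masks and the UNMASK grant behave as intended, the following added example (not from the original post) inventories the masked columns, reads the table as a low-privileged user, and audits who holds UNMASK. The table dbo.EmployeeMaskDemo, the user MaskTestReader and the sample row are constructed for illustration.

```sql
-- Constructed demo table using the same three masking functions as above.
CREATE TABLE dbo.EmployeeMaskDemo (
    Id INT IDENTITY PRIMARY KEY,
    SocialSecurityNumber VARCHAR(11) MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",2)') NOT NULL,
    Email VARCHAR(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    Salary INT MASKED WITH (FUNCTION = 'random(1, 20000)') NOT NULL
);
INSERT INTO dbo.EmployeeMaskDemo (SocialSecurityNumber, Email, Salary)
VALUES ('000-00-0000', 'alice@example.com', 85000);  -- constructed sample row

-- 1. Inventory: which columns are masked, and with which function?
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE object_id = OBJECT_ID('dbo.EmployeeMaskDemo');

-- 2. A reader with SELECT but without UNMASK should only get masked values.
CREATE USER MaskTestReader WITHOUT LOGIN;  -- hypothetical test principal
GRANT SELECT ON dbo.EmployeeMaskDemo TO MaskTestReader;
EXECUTE AS USER = 'MaskTestReader';
SELECT SocialSecurityNumber, Email, Salary FROM dbo.EmployeeMaskDemo;
REVERT;

-- 3. After GRANT UNMASK the same query returns the stored values.
GRANT UNMASK TO MaskTestReader;
EXECUTE AS USER = 'MaskTestReader';
SELECT SocialSecurityNumber, Email, Salary FROM dbo.EmployeeMaskDemo;
REVERT;

-- 4. Audit: every principal that currently holds UNMASK in this database.
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'UNMASK';

-- Cleanup of the constructed objects.
REVOKE UNMASK FROM MaskTestReader;
DROP USER MaskTestReader;
DROP TABLE dbo.EmployeeMaskDemo;
```

Running the audit query in step 4 periodically shows whether UNMASK has spread beyond the principals, such as DataOfficer, that are meant to see clear-text values.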

istio pilot discovery server

The main code that sets up the Istio pilot discovery server is located in istio/pilot/pkg/bootstrap/server.go, where you will get to see all the magic happen.

Istio Pilot (also known as the Discovery Server, or istiod in newer versions) is the control plane component in Istio responsible for service discovery, configuration management, and traffic routing. It's the central brain that coordinates all the Envoy proxies (sidecars and gateways) in your service mesh. Most importantly, it converts high-level Istio API resources (VirtualService, DestinationRule, Gateway, etc.) into Envoy-specific configuration.

It also exposes the xDS API (x Discovery Service) protocols to push config to proxies, such as:

LDS (Listener Discovery Service)
- Purpose: Defines how Envoy accepts connections
- What it configures: Listeners (ports/endpoints Envoy listens on)
- Key details: each listener defines:
  - IP address and port (e.g., 0.0.0.0:15001, 0.0.0.0:15006)
  - Protocol type (HTTP, TCP, gRPC, etc.)
  - Filter ...

istio default and metrics customizations

One of the cool things about Istio is that it automatically exposes metrics, and if you have Prometheus, you can easily query them.

Let's start by setting up the mesh:

    istioctl install --set profile=ambient --skip-confirmation

Install the Kubernetes Gateway API:

    kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
      kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml

Set up the bookinfo app. You can refer to this link: https://istio.io/latest/docs/ambient/getting-started/deploy-sample-app/

Configure your namespace to use ambient mode:

    kubectl label namespace default istio.io/dataplane-mode=ambient

Deploy Prometheus and Kiali:

    kubectl apply -f samples/addons/prometheus.yaml
    kubectl apply -f samples/addons/kiali.yaml

Please ensure that you have updated your mesh to include more metrics:

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      meshConfig:   ...

working with helm chart - checking for nil and print out variables

We can print out Helm variables using either of the following.

To print a single value:

    {{ printf "Value of myVar : %v " .Values.myVar }}

To print the entire object:

    {{ toYaml .Values | indent 2 }}

Let's say we are trying to create a template for an object that might be nil or might contain a value, so we need to check the parent object and then do further checks. This can be troublesome. To check for a nil object, we can use "dig" or "get".

Use dig:

    {{- /* Round-trip through JSON; this is to prevent nil */ -}}
    {{- $vals := .Values | toJson | fromJson -}}
    {{- $workloadIdentityEnabled := dig "security" "workloadIdentity" "enabled" false $vals -}}
    {{- $clientId := dig "security" "workloadIdentity" "clientId" "" $vals -}}

Or, if you want to use "get":

    {{- $security := get .Values "security" | default dict -}}
    {{- $workloadIdentity := get $security "workloadIdentity" | default ...

dynatrace - dql with sql tracing examples

This is taken from the Dynatrace playground notebook here, which is quite good: https://wkf10640.apps.dynatrace.com/ui/apps/dynatrace.notebooks/notebook/94d1e2b0-0d81-4803-8b5e-5b9614598d86#0db54f82-0594-4d04-a396-0fcb505d43c2

Get the most often used SQL statements:

    fetch spans
    | filter isNotNull(db.query.text)
    | parse db.query.text, "string:type"
    | makeTimeseries count(), by:{upper(type)}

Get SQL with the highest execution time:

    fetch spans
    | filter isNotNull(db.query.text)
    | summarize {minDuration = min(duration), avgDuration = avg(duration), maxDuration = max(duration)}, by:{db.query.text}
    | fieldsAdd diffAvgMax = maxDuration - avgDuration

DQL tracing by exceptions:

    fetch spans
    | filter iAny(span.events[][span_event.name] == "exception")
    | expand span.events
    | fieldsFlatten span.events, fields: {exception.type, exception.message}
    | summarize count(), by: {service.name, exception.message}

Using time bin and timestamp filtering:

    fetch logs
    | filter contains(dt.p...

keda - configuring your keda to turn on debug logging

We can easily change KEDA logging to debug mode by just using the following values file.

    logging:
      operator:
        # -- Logging level for KEDA Operator.
        # allowed values: `debug`, `info`, `error`, or an integer value greater than 0, specified as string
        level: info
      metricServer:
        # -- Logging level for Metrics Server (Deprecated).
        # allowed values: `0` for info, `4` for debug, or an integer value greater than 0, specified as string
        level: 0
        # ... `millis`, `nano`, `iso8601`, `rfc3339` or `rfc3339nano`
        zapTimeEncoding: rfc3339
      webhooks:
        # -- Logging level for KEDA Operator.
        # allowed values: `debug`, `info`, `error`, or an integer value greater than 0, specified as string
        level: info

Not sure why the metric server uses a numeric level, while the other 2 use a format like info, debug or error.

More values can be obtained here https://git...

keda compatibility chart

I am always fixated on istio version and its compatibility with kubernetes version. Now there's KEDA compatibility too. 😊 https://keda.sh/docs/2.18/operate/cluster/
To set up the Prometheus operator, we can use the helm chart:

    helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
    helm repo update
    helm install monitoring prometheus-community/kube-prometheus-stack \
      -n monitoring --create-namespace

And then create the PrometheusRule to create an alert. The important thing here is the metadata: labels, which need to match the pod that you're trying to apply it to. Even though this is a simple vector(1) == 1 example, the labels need to match for the trigger to be generated.

    apiVersion: monitoring.coreos.com/v1
    kind: PrometheusRule
    metadata:
      name: always-firing
      namespace: monitoring
      labels:
        release: monitoring
    spec:
      groups:
      - name: test-alerts
        rules:
        - alert: AlwaysFiring
          expr: vector(1) == 1
          for: 0s
          labels:
            severity: critical ...

k8s release deprecations by release

How do you know which API(s) have been deprecated by release in Kubernetes? Check out this link: https://kubernetes.io/docs/reference/using-api/deprecation-guide/

AKS upgrade with the following error message: ERROR: Table output unavailable. Use the --query option to specify an appropriate query. Use --debug for more info.

While upgrading, you might receive the following message. This means there's no upgrade required. Your cluster is up to date. Nice, but not so intuitive.

    ERROR: Table output unavailable. Use the --query option to specify an appropriate query. Use --debug for more info.

keda - azure managed keda upgrade sequence

Azure managed KEDA upgrades are deployed automatically. No additional work or manual intervention is required.

Source: https://learn.microsoft.com/en-us/answers/questions/1300757/how-to-update-azure-managed-keda-to-latest-version

k9s linux install

This looks like an easy way to install k9s - not sure why I can't find it on the official web page.

    curl -sS https://webinstall.dev/k9s | bash

istio circuit breaker - setup and analysis

We will label our default namespace to turn on ambient support.

    kubectl label ns default istio.io/dataplane-mode=ambient

Next, we will deploy our httpbin workload:

    kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.26/samples/httpbin/httpbin.yaml
    kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.26/samples/curl/curl.yaml
    kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.26/samples/httpbin/sample-client/fortio-deploy.yaml

Deploy a waypoint for the default namespace:

    istioctl waypoint apply -n default --enroll-namespace --wait

And we will apply this to turn on telemetry and logging:

    apiVersion: telemetry.istio.io/v1
    kind: Telemetry
    metadata:
      name: enable-access-logging
      namespace: default
    spec:
      accessLogging:
        - providers:
          - name: envoy

Next, let's verify the logs are coming through:

    kubectl logs --follow deploy/waypoint

When we run the command below,...

istio ambient - how to apply waypoint to a test namespace

First, we create our namespace:

    kubectl create ns test

Next, we label it accordingly:

    kubectl label namespace test istio.io/dataplane-mode=ambient --overwrite

and then apply the waypoint:

    istioctl waypoint apply --namespace test

To view the Envoy dashboard for this:

    istioctl dash envoy deployment/waypoint.test

istio ambient - setting up using kind on docker windows

In this setup, I am installing Istio ambient mode using Windows Docker with kind. The steps that I've used are as follows:

    kind create cluster --name my-cluster

Install the kubectl gateway CRDs:

    kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
      kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml

    export PATH="$PATH:/home/nzai/istio-1.28.1/bin"
    istioctl install --set profile=ambient -y

Or, if you prefer the helm approach (this didn't really work for me):

    helm repo add istio https://istio-release.storage.googleapis.com/charts
    helm repo update
    helm install istio-base istio/base -n istio-system --create-namespace --wait
    helm install istio-cni istio/cni -n istio-system --set profile=ambient --wait
    helm install ztunnel istio/ztunnel -n istio-system --wait

And then install the sample app from here https://istio.io/latest/docs/ambient/getting-started/deploy-sample-app/ from yo...