Kubernetes: proxy requests without additional pods

Sometimes you need to provide legacy access to various downloads or proxy some requests to a different endpoint that might not be running in your cluster. You can natively redirect such requests without having to add additional deployments or containers to your Kubernetes cluster. There is a special type of Kubernetes service object that simply points any traffic to that external DNS name. This isn’t really documented all too well, but eventually you will find enough issues and pointers to frankenstein a solution together. For anybody else looking for how to do this correctly, here is a rundown with nginx-ingress-controller:0.19.0 that worked for me.

First we create a normal Ingress object that allows us to terminate SSL, look into the path of the HTTP request and decide whether the request should be proxied.

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: nginx
        kubernetes.io/tls-acme: "true"
        nginx.ingress.kubernetes.io/rewrite-target: "<your-bucket-namespace>"
        nginx.ingress.kubernetes.io/secure-backends: "true"
      name: artifacts
    spec:
      rules:
      - host: downloads.example.com
        http:
          paths:
          - path: "/artifacts/"
            backend:
              serviceName: proxy-artifacts
              servicePort: 443
      tls:
      - secretName: tls
        hosts:
        - downloads.example.com

Let’s quickly take a look at what is going on here. We first configure our Ingress Controller to use nginx and […]

ZSH shortcut: quickly commit using a function

I have many private git repos to manage all the configuration files, ansible playbooks, source code and other stuff you would want to version. Most of them are just for me to view, and often I want to quickly ‘save’ my current progress by creating a commit I can go back to. I just recently switched to zsh after years of using bash – never had I thought that my life would change that much. So many neat little things that are really helpful and make my life easier. Themes, plugins and the oh so amazing oh-my-zsh really make it a pleasure to do stuff on the console. (I always have to bite my tongue once I SSH into a server that only has sh or bash now.)

So in order to commit quicker without having to write two to three commands like add, commit & push, one can create a function that does all that and takes some arguments in case you need them. During my research, as any scientist should do properly before reinventing the wheel, I found Hasan has thought of the same thing a couple of years back. Here is my version of it:

    gitc() { if […]

The road to Kubernetes

I finally wanted to set up my own kubernetes cluster, as everyone I talk to said it’s the hottest shit. I’m using three VMs, hosted at Netcup, running the latest Debian 9 Stretch build. I’ve installed most basic tools for me and also already set up docker using this amazing ansible role. Make sure to disable any swap you have configured – kubelet will not start otherwise.

The documentation on how to install things is pretty good, but I’ve missed some details that I banged my head on, so I will copy most snippets over for future reference. Keep in mind that this might have already changed and is no longer working at the time you read this.

First install all needed CLI tools on each of the three hosts:

    apt-get update && apt-get install -y apt-transport-https
    curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
    cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
    deb http://apt.kubernetes.io/ kubernetes-xenial main
    EOF
    apt-get update
    apt-get install -y kubelet kubeadm kubectl

Start the systemd service for kubelet, our kubernetes manager – also on every node.

    systemctl enable kubelet && systemctl start kubelet

Now the docs are a bit unspecific, but here’s a command to set the correct cgroup on Debian 9. […]

Termina(l)te your way in style

Usually I love to use guake as my terminal in gnome, as it quickly hides using the F12 key and you always have your terminal in reach. When doing more server-heavy tasks, I often end up having several tabs in guake, which tends to be messy. In those cases I love to use Terminator – the ultimate Terminal. Quickly installed using the following:

    # Debian / Ubuntu
    apt install terminator
    # Arch Linux
    pacman -S terminator

Then you can use the following keyboard shortcuts to easily spawn new terminals the GUI way, instead of using tmux.

Ctrl-Shift-E: will split the view vertically
Ctrl-Shift-O: will split the view horizontally
Ctrl-Shift-W: will close the view where the focus is on
Ctrl-Shift-Q: will exit terminator

As a good friend and I noticed today: using all those fancy commands like tmux directly might be faster, but sometimes the GUI way is easier and more intuitive.

Arch Linux: Touchpad right click no longer working

I’ve been using Arch on my XPS 2015 edition since the very beginning. Not only was the support of the software components newer/better than Dell’s official Ubuntu version for the developer edition, but also I absolutely love the rolling release before it was cool. So as we are bleeding edge, sometimes things break. Arch moved over to wayland some time ago, but like two days ago my touchpad’s right & middle click stopped working. A quick Google search later revealed that my gnome settings had the following option set to ‘fingers’. That didn’t work as my XPS has ‘areas’ – so switching it over with this simple command fixed things for me.

    gsettings set org.gnome.desktop.peripherals.touchpad click-method 'areas'

Easily add your Github SSH Keys to any Server or Docker Image

The default way to copy your ssh key(s) to a remote server is to use the ssh-copy-id command. This will create a secure connection to the remote server over SSH and then check if the user exists, create the folder and files if needed and add your keys. Works, Easy, Simple.

My problem is that often I’m already in the shell and I logged in with some password combination that I would need to enter a second time to copy my ids. Also, I don’t always have all my keys on one machine. As I often get asked by my colleagues what my SSH keys are, there is a nifty trick you can do instead of sending them over via E-Mail. Github allows you to get your public SSH keys with only your username:

    https://github.com/<username>.keys

So with a little bit of magic we can utilize this and run the following command on an existing SSH connection to create a new authorized_keys file and download our keys from Github to the file.

    curl https://github.com/kordianbruck.keys > ~/.ssh/authorized_keys

Easy! You can always use >> instead to append your keys. This can also be used in automated docker builds, where you have an SSH server running inside your container (which […]

Github requires referer header field to login

So I’ve had this happen for some time now and could not determine the perpetrator, as it was not really happening too often. From time to time I would encounter an error when trying to log in to Github:

    Oops! Something went wrong. Please try again later.

In many cases this was related to something using OAuth, but not in mine. I simply wanted to log in to Github as usual. So after some trial and error, I’ve noticed that disabling the “Referer Control” extension in chrome or chromium would solve the issue. My guess is they simply use that to prevent XSRF attacks.

Solution: Add an exception in the settings for Github as shown below.

LetsEncrypt now used everywhere

So today I decided to move all my certificates from StartSSL to LetsEncrypt. Not only is StartSSL really a bad CA with recent problems, but also they limit you with several obstacles that just don’t make any sense. They really just want you to sign up for one of their “great” extended validation thingys. Over the last couple of months they have really improved the web interface, but still this is not enough to deal with today’s challenges of delivering secure connections to users easily. Their new APIs and StartEncrypt service are merely a late effort, trying to outbid LE with a worse service. Not worth the time or effort.

The biggest problem is that today I run multiple domains on my server and I need to provide one single certificate with all domains via Dovecot / Postfix. StartSSL allows you to have up to five domain names in the certificates they sign. (For example, www.bruck.me and bruck.me would be a total of two domain names.) So I’ve run out of the possibility of using all my domains with one StartSSL certificate. Well, LE offers up to 100 domain names in one certificate. Of course wildcard certificates would be nicer, but […]

No connection within eduroam WiFi at TUM

So recently I’ve not been able to connect to the eduroam WiFi at the Technische Universität München in Garching Forschungszentrum. I’m guessing the RBG is running some specialized DHCP server that is not compatible with the newest NetworkManager version in Arch Linux. So to fix this, edit the file “/etc/NetworkManager/NetworkManager.conf” and comment out this line like so:

    #dhcp=internal

Credits to Philipp and Simon for saving me lots of headaches.