Scripting

Bash: calculating number of days till certificate expiration using openssl

The openssl utility can be used to show the details of a certificate, including its ‘Not After’ expiration date in string format. This can be transformed into “how many days till expiration” with a bit of Bash date math. Create test certificate and key Using a line provided by Diego Woitasen for non-interactive self-signed certification

Kubernetes: list all pods in deployment

Listing all the pods belonging to a deployment can be done by querying its selectors, but using the deployment’s synthesized replicaset identifier allows for easier automation.

    # deployment name and namespace
    deployment_name=mydeployment
    deployment_ns=mynamespace

    # get replica set identifier for deployment
    dep_rs=$(kubectl describe deployment $deployment_name -n $deployment_ns | grep ^NewReplicaSet | awk '{print $2}')

    # get

Bash: awk to extract Nth match from file based on line separator

If you need to extract the Nth occurrence of a match in a file (given definitive block separators), awk provides a convenient way to express the extraction. For example, a chained pem certificate will have multiple certificate definitions with unique starting and ending marker lines. Here is how you would extract the second certificate. awk

Linux: openssl to validate whether private key and TLS certificate match

In environments where certificates are manually deployed, reloading TLS certs is often only done annually when the certificate is near expiration. This long lapse in time often means that someone else has inherited the task of renewal, and the original key in use may even be in question. Luckily, openssl provides a way to validate

Linux: ssh-keygen to check whether ssh private key and public cert are keypair

When using a private key on the client to ssh into a remote server with the matching public certificate in ~/.ssh/authorized_keys, a common failure message from the client is: Permission denied (publickey) The most common reasons for this are private key permissions issues (chmod 600), a misconfiguration of authorized_keys, or trying to send the wrong

GCP: listing IAM roles for user, group, and service account in project and organization

When GCP operations fail due to permissions issues, checking the IAM roles assigned to a user, group, or service account becomes a necessity. When hierarchical projects and organizations are involved it becomes even more complex. This article will show you how to use gcloud at the project and organization level to pull IAM policies for

Microsoft: configuring an Application Group for OAuth2/OIDC on ADFS 2019

Windows AD FS provides enterprise Identity and Authentication services, which includes support for OAuth2 and OIDC authentication flows. In this article, we will create and configure an ADFS Application group that supports the Authorization Code flow. This flow allows an application to access a 3rd party API on behalf of the end user as illustrated

Kubernetes: targeting the addition of array items to a multi-document yaml manifest

If you have a Kubernetes yaml manifest that contains multiple documents, targeting a single document for modification while still outputting the other documents untouched can be a challenge. As an example, consider the simple example below where you have a single yaml file that contains: a Namespace, Deployment, and DaemonSet. And we want to add

Kubernetes: kustomize overlay to enrich a base resource

With kustomize built into the kubectl CLI since version 1.14, there is little reason not to take advantage of this overlay system to deploy components to your Kubernetes cluster. Kustomize has the advantage that it is purpose built to understand and validate yaml and Kubernetes CRD, as opposed to bespoke templating solutions using sed/envsubst, Ansible,

Python: converting JSON to dot notation for easier path determination

Most of the modern cloud platforms and utilities have us manipulate either JSON or YAML configuration files. And when you start dealing with real world scenarios with hundreds of lines of embedded data structures it is too difficult and error-prone to manually inspect indentation levels to determine the exact dotted or json path to an

Terraform: converting ordered lists to sets to avoid errors with for_each

If you are using a Terraform “for_each” and get the error message below, it is most likely because you are sending an ordered list instead of an unordered set (which is not supported at the resource level).

    The given "for_each" argument value is unsuitable: the "for_each" argument must be a map, or set of strings,

Terraform: installing Terraform manually on Ubuntu

Terraform is a popular tool for provisioning infrastructure on cloud providers such as EC2, Azure, and GCP. If you want to install Terraform on Ubuntu using apt-get, follow HashiCorp’s standard installation document. However, I find that I often need multiple versions for different projects. Find your desired version of the binaries at the Terraform download

Terraform: using update-alternatives to manage multiple terraform binaries

If you have multiple terraform projects, it can be necessary to support multiple versions of the terraform binary to match module and provider dependencies. Instead of creating a custom solution of binary copies and links, this can be done using the Alternatives concept which handles these symbolic links in a standard way using links in

Bash: performing multiple substitutions with a single sed invocation

Instead of stringing together sed multiple times in a pipeline, it is also possible to make multiple substitutions with a single invocation of sed. Consider the following example which replaces the word ‘hello’ as well as ‘quick’ in the paragraph:

    $ sed "s/hello/goodbye/g; s/quick/slow/g" <<EOF
    hello, world!
    hello, universe!
    the quick brown fox
    EOF
    goodbye,