The GitHub “Release” page for a repository can provide your consumers a convenient way to download a binary version of your software as well as track the latest changes and enhancements. In this article, I will show how to invoke a local release process for a Go language binary. A new Github release will be … Github: locally invoked release process for a Go binary
The Go language with its simplicity, concurrency support, rich package ecosystem, and ability to compile down to a single binary is an attractive solution for writing services on Ubuntu. However, the Go language does not natively provide a reliable way to daemonize itself. In this article I will describe how to take a couple of simple Go language programs … GoLang: Running a Go binary as a systemd service on Ubuntu 22.04
Update Sept 2024: changed the page parsed for latest version, validated installation of go1.23.1 on Ubuntu22.04 The Go programming language consistently ranks as one of the most popular languages in developer surveys. In fact, Kubernetes as well as most of the CNF projects are written in Go. And it compiles down to machine code, which … GoLang: Installing the Go Programming language on Ubuntu 22.04
If you need to quickly standup a secure HTTPS server on a machine, perhaps to validate that a client is sending the proper method or parameters, the socat utility can assist. In this article we will use “socat.local” as the FQDN of our certificate and host. Maybe you already have a pem key+certificate for this … Linux: socat used as secure HTTPS web server
In environments where certificates are manually deployed, reloading TLS certs is often only done annually when the certificate is near expiration. This long lapse in time often means that someone else has inherited the task of renewal, and the original key in use may even be in question. Luckily, openssl provides a way to validate … Linux: openssl to validate whether private key and TLS certificate match
sed is an excellent utility for doing substitutions, but if you need to work across multiple files, then you need to pair it with a command that can provide a list of candidate files. This is where find comes in handy. For example, to replace all instances of ‘zebra’ with ‘horse’ recursively in the current … Linux: sed to replace across multiple files in directory
When using a private key on the client to ssh into a remote server with the matching public certificate in ~/.ssh/authorized_keys, a common failure message from the client is: Permission denied (publickey) The most common reasons for this is private key permissions issues (chmod 600), a misconfiguration of authorized_keys, or trying to send the wrong … Linux: ssh-keygen to check whether ssh private key and public cert are keypair
Starting with Kubernetes client 1.22, you may start seeing warning messages about your authentication mechanism when running commands. Here is an example when using gcloud for GKE cluster credentials. WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.26+; use gcloud instead. This is because the authentication provider-specific login code will be removed … GCP: fix kubectl auth plugin deprecation warning by installing new auth plugin
GCP Compute VM Instances can be set to run as a service account with API scopes that allow specific operations to be performed. If you need to change the service account or the scopes, you will need to power down the VM instance, make the changes, and then start the VM instance up again. Here … GCP: gcloud to change VM instance service account and API scope
If you are scripting a set of gcloud commands, there is a good chance that it is within a Bash script. While some Bash loops can be driven by a single variable, sometimes you need access to multiple variables within the loop. In this article I will show you can drive a Bash loop requiring … GCP: gcloud csv format with no-heading for Bash parsing
Anthos Identity Service allows an organization to tie into their existing Identity Provider to authenticate and authorize users into their Anthos clusters. In this article, I will show how the authentication for an Anthos on VMware cluster can be integrated into an existing Active Directory deployment, and further how a user’s AD group membership can … GCP: LDAP authentication for Anthos VMware clusters using Anthos Identity Service
When GCP operations fail due to permissions issues, checking the IAM roles assigned to a user, group, or service account becomes a necessity. When hierarchical projects and organizations are involved it becomes even more complex. This article will show you how to use gcloud at the project and organization level to pull IAM policies for … GCP: listing IAM roles for user, group, and service account in project and organization
The ClientAliveInterval and ClientAliveMaxCount settings in “/etc/sshd/sshd_config” work together to control the timeout value of an ssh session on the server side. But under BASH, to keep idle client sessions from timing out, you also need to set the ‘TMOUT’ variable or you will see messages like below when disconnected. timed out waiting for input: … Bash: extend timeout for idle ssh sessions using TMOUT
Before Kubernetes 1.24, the creation of a KSA (Kubernetes Service Account) would also create a non-expiring secret, where the token controller would generate a token that could be used to authenticate into the API server. As a quick example of the legacy behavior on Kubernetes < 1.24, notice how the creation of a service account … Kubernetes: KSA must now create secret/token manually as of Kubernetes 1.24
When orchestrating a playbook against multiple hosts, you may need to pull facts from one host in order to feed those values to another host. For example, a database master may need to provide its IP address to its many replicas, or a CA certificate from a controller may need to be distributed among its … Ansible: accessing a fact from a different host using cached facts
In this article I will demonstrate how to create an Ubuntu 22 template in vCenter. Then use Terraform to create a vSphere VM based on this template. The VM template creation is done by manually stepping through the Ubuntu server ISO installation wizard, followed by a set of preparation steps. Then Terraform is used to … Terraform: creating an Ubuntu 22 template and then guest VM in vCenter
Anthos GKE on-prem is a managed platform that brings GKE clusters to on-premise datacenters. This product offering brings best practice security measures, tested paths for upgrades, basic monitoring, platform logging, and full enterprise support. Setting up a platform this extensive requires many steps as officially documented here. However, if you want to practice in a … Kubernetes: Anthos GKE on-prem 1.13 on nested VMware environment
If you are creating a log file or perhaps an archive directory, it can be a convenience to end users to use a sortable timestamp in the file name itself, similar to “YYYYMMDD-HHMMSS”. This allows them to easily find the file relevant to their needs. Here are a couple of ways to implement this logic … Ansible: embedding a timestamp in a file name
Migrating from one Python 3.x version to a newer 3.x minor version seems like it would just be a simple ‘apt install’ of the latest Python package. But you most likely have pip modules installed at a version specific ‘dist-packages’ or ‘site-packages’ directory, and those modules have to be freshly installed into the newer version … Python: migrating pip modules to newer Python version on Ubuntu
In order to expose KVM virtual machines on the same network as your bare-metal Host, you need to enable bridged networking. In this article, I’ll show how to implement KVM bridged networking on Ubuntu 22.04 using Netplan. This bridged network will expose the KVM Guest OS as a peer on the upstream network, with no … KVM: Creating a bridged network with NetPlan on Ubuntu 22.04
Google’s API supports OAuth2 and OIDC, and can be used to both authenticate and authorize users. In this article, I will show how to use the Google web console to configure an Application that can support OAuth2/OIDC. We will then use a small, local Docker image to implement the Client Application side and smoke test … OAuth2: Configuring Google for OAuth2/OIDC
Github allows users or systems to access their API via OAuth2. Although this mechanism is often used on the public internet for authentication of users into a 3rd party site, note that OIDC is not implemented. In this article, I will show how to use the Spotify Dashboard to configure an Application that can support … OAuth2: Configuring Github for OAuth2
Spotify allows users or systems to access their data and features via OAuth2. Note that this is not intended for centralized authentication, and does not implement OIDC. In this article, I will show how to use the Spotify Dashboard to configure an Application that can support OAuth2. We will then use a small, local Docker … OAuth2: Configuring Spotify for OAuth2
okta is an Identity and Access Management solution that can be used to provide OAuth2 and OIDC authentication and authorization to your applications. In this article, I will show how to use the okta Dashboard to configure a hosted okta Application that can support OAuth2/OIDC. We will then use a small, local Docker image to … OAuth2: Configuring okta for OAuth2/OIDC
The ‘kubectl cp‘ command is a convenient way to get files into and out of remote containers, however it requires that the ‘tar’ utility be installed inside the container. There are many images that have removed this utility because of the identified security vulnerability, while others have removed it due to the adoption of the … Kubernetes: copying files into and out of containers without ‘kubectl cp’
Keycloak is an open-source Identity and Access Management (IAM) solution that can be used to provide authentication and authorization to your enterprise applications. One of the many protocols it supports is OAuth2/OIDC. One of the easiest ways to deploy Keycloak is directly into your Kubernetes cluster, exposed securely with an NGINX Ingress. In this article, … Kubernetes: Keycloak IAM deployed into Kubernetes cluster for OAuth2/OIDC
Flask OIDC is an extension to the popular Flask web framework that enables OAuth2/OIDC for your application. The base project does not support ADFS, but I have create a personal fork of this module that supports Windows 2019 ADFS as the OAuth2 Authentication Server. In this article, we will exercise the OAuth2 Authorization Code flow. … Python: Flask-OIDC protecting Client App and Resource Server using Windows 2019 ADFS
If you need to enable JDWP debugging of your Spring Boot web application in an IDE such as Eclipse, you can append the ‘debug-jvm’ flag to the gradle task, and then from your IDE enable a remote debugging connection to port 5005. I will walk you through a full example, but very quickly, here is … Gradle: interactive JDWP debugging of bootRun gradle task in Eclipse IDE
The Spring Security framework provides a robust and customizable framework for authentication and authorization for Spring based applications. Using Spring Security, a Spring developer can add OIDC authentication and OAuth2 protection of resources by including the libraries in the build, configuring the Spring application.yml, and enabling various component configurations and annotations. In this article, I … Java: Spring Security OAuth2/OIDC protecting Client App and Resource Server
Windows AD FS provides enterprise Identity and Authentication services, which includes support for OAuth2 and OIDC authentication flows. In this article, we will create and configure an ADFS Application group that supports the Authorization Code flow. This flow allows an application to access a 3rd party API on behalf of the end user as illustrated … Microsoft: configuring an Application Group for OAuth2/OIDC on ADFS 2019
See the newer version of this article, “Installing the Go Programming language on Ubuntu 22.04“. The Go programming language consistently ranks as one of the most popular languages in developer surveys. In fact, Kubernetes as well as most of the CNF projects are written in Go. And it compiles down to machine code, which has … GoLang: Installing the Go Programming language on Ubuntu 20.04
The Microsoft .NET SDK is an open-source development platform for developing applications across multiple architectures and operating systems. In this article, I will show you how to install the .NET SDK on Ubuntu 20.04 and then create/compile/run a simple web application. Ubuntu 22 will have the dotnet-sdk available in the default Ubuntu apt repositories, but … Ubuntu: Installing .NET SDK 6 on Ubuntu 20.04
If the gradle wrapper for your project is broken, you can reinstall it with the “gradle wrapper” command. For example, below is a common error if you have cloned a git repository where the owner has not pushed all the necessary gradle components into the repo. $ ./gradlew –info Error: Could not find or load … Gradle: fixing the gradle wrapper for a Java project
Based on my previous article on creating a Windows2019 Windows Domain Controller from a Sysprep template, we now want to move on to creating an Windows 2019 ADFS server in a similar fashion. Once this new Windows 2019 guest OS is provisioned, we will prepare it and then run Powershell scripts that will enable the … KVM: Creating a Windows2019 ADFS server using Powershell
Based on my previous article on creating a Windows2019 base template using Sysprep, we can now move on to creating a Windows Domain Controller using this template as a backing file. Once this new Windows 2019 guest OS is provisioned, we will prepare it and then run Powershell scripts that will enable the Active Directory … KVM: creating a Windows2019 Domain Controller using Powershell
In the world of Linux containers where deployment takes on the order of seconds, even the best-case scenario for spinning up a new Windows host can seem like an eternity. Clearly, you don’t want to wait for the entire Windows install process each time you bring up a Windows guest OS. Even automated, this would … KVM: configuring a base Window2019 instance with Sysprep
The Kubernetes Dashboard provides a convenient web interface for viewing cluster resources. However, if you are logged using a token tied to the ‘cluster-admin’ role, you will have privileges beyond what are typically necessary. In this article, I will show you how to create a ServiceAccount and ClusterRole with limited privileges that can be used … Kubernetes: accessing the Kubernetes Dashboard with least privilege
In a previous article, I provided a full step-by-step example of creating and running a Spring Boot web application that was packaged as a Docker image and run using the local Docker daemon. In this article, I want to focus on the same Spring Boot REST web application, but without using Docker. Instead we will … Java: creating OCI-compatible image for Spring Boot web using buildah
buildah is a tool that can create OCI compatible (Docker) images without the Docker daemon. podman can run these images without the need for a Docker daemon. The buildah and podman packages are available on the Debian Bullseye testing branch, but are not available from an Ubuntu 20.04 LTS release because these test packages could … Buildah: Installing buildah and podman on Ubuntu 20.04
If you have a domain that you want CoreDNS to forward to a specific upstream DNS, you can add a block to the CoreDNS configmap. Adding this domain block to the CoreDNS configmap and restarting the CoreDNS pods is sufficient will make the change take affect. You may need to restart client pods if DNS … Kubernetes: custom upstream for domain with CoreDNS