DEV Community: Jakub Wołynko The latest articles on DEV Community by Jakub Wołynko (@3sky). https://dev.to/3sky https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1046705%2F3378ce69-c23b-4607-b0fe-71755386a12a.jpeg DEV Community: Jakub Wołynko https://dev.to/3sky en The standard - S3 IAM Policies Jakub Wołynko Tue, 24 Jun 2025 07:42:45 +0000 https://dev.to/aws-builders/the-standard-s3-iam-policies-e88 https://dev.to/aws-builders/the-standard-s3-iam-policies-e88 <p>In the previous post, we explored <a href="https://jakubwolynko.eu/blog/202507-configure-your-s3-bucket-access" rel="noopener noreferrer">S3 Access Control Lists (ACLs)</a><br> and learned why AWS recommends disabling them for most modern use cases.<br> Now it's time to dive into the <strong>proper</strong> way of securing your S3 buckets:<br> IAM policies and bucket policies.</p> <p>Unlike ACLs, which are considered legacy and can become operationally chaotic,<br> IAM policies offer centralized, scalable, and auditable access management.<br> They're the foundation of modern AWS security architecture and the tool<br> you should reach for when securing your S3 resources.</p> <blockquote> <p>Today we'll focus on IAM policies - the backbone of AWS access control that actually makes sense.</p> </blockquote> <h2> IAM Policies vs Bucket Policies - What's the Difference? </h2> <p>Before we dive deep, let's clarify the two main policy types for S3:</p> <p><strong>IAM Policies</strong> are attached to IAM users, groups, or roles and define what actions<br> those identities can perform across AWS services. They're identity-centric -<br> "what can this user/role do?"</p> <p><strong>Bucket Policies</strong> are attached directly to S3 buckets and define who can<br> access that specific bucket and what they can do with it. They're resource-centric -<br> "who can access this bucket?"</p> <p>Both use the same JSON policy language, but they serve different purposes<br> and are evaluated together by AWS when determining access. Think of them as<br> complementary layers of security rather than competing mechanisms.</p> <h2> Understanding IAM Policy Structure </h2> <p>IAM policies follow a standardized JSON structure that's both powerful and<br> relatively straightforward once you understand the components:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowS3ReadAccess"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-secure-bucket"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-secure-bucket/*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"IpAddress"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:SourceIp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"203.0.113.0/24"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Let's break this down:</p> <ul> <li> <strong>Version</strong>: Currently, '2012-10-17' is the recommended and most up-to-date policy language version. It's best practice to use this version for all new policies. </li> <li> <strong>Statement</strong>: An array of individual permission statements</li> <li> <strong>Sid</strong>: Optional statement identifier for easier management</li> <li> <strong>Effect</strong>: Either "Allow" or "Deny"</li> <li> <strong>Action</strong>: The specific AWS API actions being granted/denied</li> <li> <strong>Resource</strong>: The AWS resources the policy applies to</li> <li> <strong>Condition</strong>: Optional conditions that must be met for the policy to apply</li> </ul> <h2> Essential S3 Actions and Resource Best Practices </h2> <p>Understanding the right S3 actions is crucial for creating effective policies.<br> Here are the most commonly used ones:</p> <h3> Bucket-Level Actions </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">List</span><span class="w"> </span><span class="err">objects</span><span class="w"> </span><span class="err">in</span><span class="w"> </span><span class="err">bucket</span><span class="w"> </span><span class="s2">"s3:GetBucketLocation"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Get</span><span class="w"> </span><span class="err">bucket</span><span class="w"> </span><span class="err">region</span><span class="w"> </span><span class="s2">"s3:GetBucketVersioning"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Check</span><span class="w"> </span><span class="err">versioning</span><span class="w"> </span><span class="err">status</span><span class="w"> </span><span class="s2">"s3:ListBucketVersions"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">List</span><span class="w"> </span><span class="err">object</span><span class="w"> </span><span class="err">versions</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-bucket"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Object-Level Actions </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Download</span><span class="w"> </span><span class="err">objects</span><span class="w"> </span><span class="s2">"s3:PutObject"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Upload</span><span class="w"> </span><span class="err">objects</span><span class="w"> </span><span class="s2">"s3:DeleteObject"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Delete</span><span class="w"> </span><span class="err">objects</span><span class="w"> </span><span class="s2">"s3:GetObjectVersion"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Get</span><span class="w"> </span><span class="err">specific</span><span class="w"> </span><span class="err">object</span><span class="w"> </span><span class="err">versions</span><span class="w"> </span><span class="s2">"s3:DeleteObjectVersion"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Delete</span><span class="w"> </span><span class="err">specific</span><span class="w"> </span><span class="err">versions</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-bucket/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Notice how bucket-level actions use the bucket ARN (<code>arn:aws:s3:::my-bucket</code>)<br> while object-level actions use the object ARN pattern (<code>arn:aws:s3:::my-bucket/*</code>).</p> <h2> Practical IAM Policy Examples </h2> <h3> Read-Only Access Policy </h3> <p>Perfect for analytics tools or monitoring systems that need to read data<br> but shouldn't modify anything:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"${aws_s3_bucket.analytics_data.arn}"</span><span class="p">,</span><span class="w"> </span><span class="s2">"${aws_s3_bucket.analytics_data.arn}/*"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>In Terraform, always use resource references:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Good - uses Terraform resource reference</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"analytics_read"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AnalyticsReadAccess"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:ListBucket"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">analytics_data</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="s2">"${aws_s3_bucket.analytics_data.arn}/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Bad - hardcoded bucket name</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"analytics_read_bad"</span> <span class="p">{</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:s3:::company-analytics-data"</span><span class="p">,</span> <span class="c1"># Don't do this!</span> <span class="s2">"arn:aws:s3:::company-analytics-data/*"</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> Application Upload Policy </h3> <p>For applications that need to upload files but shouldn't be able to<br> delete or list existing content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Define the policy using Terraform data source</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"app_upload"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:PutObject"</span><span class="p">,</span> <span class="s2">"s3:PutObjectAcl"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"${aws_s3_bucket.app_uploads.arn}/*"</span><span class="p">]</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringEquals"</span> <span class="nx">variable</span> <span class="p">=</span> <span class="s2">"s3:x-amz-server-side-encryption"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"AES256"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"app_upload"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AppUploadPolicy"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">app_upload</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <p>This approach ensures your policy always references the correct bucket,<br> regardless of environment or bucket naming changes.</p> <h3> Time-Based Access Policy </h3> <p>Sometimes you need to restrict access to specific time windows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:s3:::business-hours-data/*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"DateGreaterThan"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:CurrentTime"</span><span class="p">:</span><span class="w"> </span><span class="s2">"08:00:00Z"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"DateLessThan"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:CurrentTime"</span><span class="p">:</span><span class="w"> </span><span class="s2">"18:00:00Z"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <h2> Common Pitfalls and Security Considerations </h2> <h3> The Wildcard Trap </h3> <p>One of the most dangerous mistakes is using overly broad wildcards:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">DON'T</span><span class="w"> </span><span class="err">DO</span><span class="w"> </span><span class="err">THIS</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This grants unlimited S3 access across your entire AWS account.<br> Always be specific about actions and resources.</p> <h3> Resource ARN Best Practices </h3> <p><strong>Avoid hardcoded bucket names</strong> in your policies! Using fixed bucket names like<br> <code>arn:aws:s3:::my-bucket</code> creates several problems:</p> <ul> <li>Policies become environment-specific and hard to reuse</li> <li>Risk of accidentally granting access to wrong buckets</li> <li>Makes bucket renaming nearly impossible</li> <li>Creates maintenance nightmares across multiple environments</li> </ul> <p>Instead, use variables and references.</p> <blockquote> <p>As it's overview blog-post, sometime I used <strong>harcoded</strong> buckets name, in sake of simplicity.</p> </blockquote> <h3> Missing Bucket vs Object Permissions </h3> <p>A common source of confusion is forgetting that listing bucket contents<br> and reading objects require different permissions on different resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">Correct</span><span class="w"> </span><span class="err">approach</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-bucket"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Note:</span><span class="w"> </span><span class="err">no</span><span class="w"> </span><span class="err">/*</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-bucket/*"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Note:</span><span class="w"> </span><span class="err">with</span><span class="w"> </span><span class="err">/*</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Cross-Account Access Considerations </h3> <p>When granting cross-account access, always use explicit conditions<br> to prevent unauthorized access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::shared-bucket/*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:SourceAccount"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"123456789012"</span><span class="p">,</span><span class="w"> </span><span class="s2">"987654321098"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Implementing S3 IAM Policies with Terraform </h2> <p>Terraform makes managing IAM policies much more maintainable than<br> clicking through the AWS console. Here's how to implement the policies<br> we discussed:</p> <h3> Basic Policy Attachment </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Create the IAM policy</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"s3_read_only"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"S3ReadOnlyAccess"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Read-only access to specific S3 bucket"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:ListBucket"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">app_data</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="s2">"${aws_s3_bucket.app_data.arn}/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Attach to a role</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"s3_read_only"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">app_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">s3_read_only</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h3> Using Data Sources for Flexibility </h3> <p>For more complex scenarios, you can use Terraform data sources<br> to make your policies more dynamic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"s3_upload_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:PutObject"</span><span class="p">,</span> <span class="s2">"s3:PutObjectAcl"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"${aws_s3_bucket.uploads.arn}/uploads/${var.environment}/*"</span> <span class="p">]</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringEquals"</span> <span class="nx">variable</span> <span class="p">=</span> <span class="s2">"s3:x-amz-server-side-encryption"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"AES256"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"IpAddress"</span> <span class="nx">variable</span> <span class="p">=</span> <span class="s2">"aws:SourceIp"</span> <span class="nx">values</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">allowed_ip_ranges</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"s3_upload"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"S3UploadPolicy-${var.environment}"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">s3_upload_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <h3> Policy Validation and Testing </h3> <p>Always validate your policies before applying them. Terraform can help<br> catch syntax errors, but logic errors require testing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Use locals for policy validation</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Validate bucket ARN format</span> <span class="nx">bucket_arn_pattern</span> <span class="p">=</span> <span class="s2">"^arn:aws:s3:::[a-z0-9][a-z0-9</span><span class="err">\\</span><span class="s2">-]*[a-z0-9]$"</span> <span class="c1"># Ensure bucket name follows naming conventions</span> <span class="nx">valid_bucket_name</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^[a-z0-9][a-z0-9</span><span class="err">\\</span><span class="s2">-]*[a-z0-9]$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">bucket_name</span><span class="p">))</span> <span class="p">}</span> <span class="c1"># Use validation blocks</span> <span class="nx">variable</span> <span class="s2">"bucket_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"S3 bucket name"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^[a-z0-9][a-z0-9</span><span class="err">\\</span><span class="s2">-]*[a-z0-9]$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">bucket_name</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Bucket name must contain only lowercase letters, numbers, and hyphens."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Policy Testing and Validation </h2> <p>The AWS IAM Policy Simulator is your best friend for testing policies<br> before deployment. It allows you to simulate API calls and see whether<br> they would be allowed or denied by your policies.</p> <p>For Terraform users, consider using the <code>aws_iam_policy_document</code> data source<br> instead of hardcoded JSON - it provides better syntax validation and<br> makes policies more readable.</p> <h2> Summary </h2> <p>IAM policies are the modern, scalable way to secure S3 resources.<br> Unlike ACLs, they provide centralized management, powerful conditions,<br> and excellent auditability. Key takeaways:</p> <ul> <li>Use specific actions and resources - avoid wildcards</li> <li>Remember bucket-level vs object-level permissions require different resource ARNs</li> <li>Leverage conditions for additional security controls</li> <li>Test policies thoroughly before production deployment</li> <li>Use Terraform for maintainable, version-controlled policy management</li> </ul> <p>The combination of IAM policies and bucket policies gives you fine-grained<br> control over who can access your S3 resources and what they can do with them.<br> In the next article, we'll explore bucket policies and how they complement<br> IAM policies to create a comprehensive S3 security strategy.</p> <p>As always, even with a two-month-old keeping me busy, I'm committed to<br> sharing practical AWS security knowledge. The <code>NixOS</code> experiment is currently<br> stopped, however I starting thinking about re-activation of my newsletter.<br> Who knows, for sure the format will be diffrent, as link aggregation is just<br> boring!</p> <h3> Useful links </h3> <ol> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html" rel="noopener noreferrer">IAM Policy Language Reference</a></li> <li><a href="https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html" rel="noopener noreferrer">S3 Actions and Resources</a></li> <li><a href="https://policysim.aws.amazon.com/" rel="noopener noreferrer">IAM Policy Simulator</a></li> <li><a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy" rel="noopener noreferrer">Terraform aws_iam_policy Resource</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html" rel="noopener noreferrer">AWS Security Best Practices</a></li> </ol> aws s3 security policy Fighting Bots While Serving Humans: A Real-World API Protection Journey Jakub Wołynko Mon, 16 Jun 2025 10:11:16 +0000 https://dev.to/3sky/fighting-bots-while-serving-humans-a-real-world-api-protection-journey-51ea https://dev.to/3sky/fighting-bots-while-serving-humans-a-real-world-api-protection-journey-51ea <p>In today's digital landscape, serving APIs has become increasingly challenging. The task of exposing data and functionality to legitimate users has evolved into a complex battle against automated attacks, aggressive crawlers, and misguided AI training attempts.</p> <p>The challenge isn't just technical—it's philosophical.</p> <blockquote> <p>How do you distinguish between legitimate automation (which powers the modern web) and malicious bots that drain resources and compromise security?</p> </blockquote> <p>How do you balance accessibility with protection, especially when dealing with rate limiting, bot detection, and content delivery networks like Cloudflare? </p> <p>This post explores the real-world challenges of maintaining APIs that serve humans while fighting with army of automated requests that seem determined to treat every endpoint as their personal data source.</p> <h2> Intro </h2> <p>As I enjoy working with multiple folks, one of my colleagues is running a company that collects a lot of data. Really cool data. The goal is to give everyone on the Internet a chance to see it or work with them. The problem on the other hand is that is not a real-time system, data are updated once a day. So hitting API every second is emm, pointless as you get exactly the same date 86400 times.</p> <p>And it's a problem on my side, as it just uses a lot of resources, especially if we have multiple IPs that work in that way. So what's the scale of the challenge? For less than ~ 40K requests in 24 hours, mostly on Sunday.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdd59n7mpqp1df61m8rca.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdd59n7mpqp1df61m8rca.png" alt="39.21k requests, where 39.21 were blocked" width="800" height="262"></a></p> <h2> Iteration 1 </h2> <p>Ah, it's time to clarify, we're using Cloudflare at the front, and then API is hosted in different places, this particular one is using Azure App Services. (yep, I can into Azure as well). But that's not a point, I'm not a developer, I was contracted here to just do a security/network job.</p> <p>My first idea was to observe data from the Events tab and try to understand the pattern. For me blocking a particular IP wasn't an option.</p> <p>Why? This requires a bit of specific knowledge. As you may know,<br> I'm living in Poland, and having a static IP it's not a default option. If you need it, you need to pay a bit more extra for the business plan in most cases. Based on that fact, and information that our. My favourite client is from Poland as well (at least based on CloudFlares' data), blocking just IP doesn't have sense,<br> as it will change after some time, and we will block random person<br> or organization on the internet.</p> <p>The first iteration was the usage of the classic rate limit. Also, note, that it's partly supported by <a href="https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset" rel="noopener noreferrer">Terrafrom modules</a>, so our code was more or less:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"cloudflare_ruleset"</span> <span class="s2">"rl_custom_response"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="s2">"&lt;ZONE_ID&gt;"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Rate-limit bots"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"zone"</span> <span class="nx">phase</span> <span class="p">=</span> <span class="s2">"http_ratelimit"</span> <span class="nx">rules</span> <span class="p">{</span> <span class="nx">ref</span> <span class="p">=</span> <span class="s2">"rate_limit_example_com_status_404"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Rate limit requests to www.example.com when exceeding the threshold of 404 responses on /status/"</span> <span class="nx">expression</span> <span class="p">=</span> <span class="s2">"http.host eq </span><span class="se">\"</span><span class="s2">www.example.com</span><span class="se">\"</span><span class="s2"> and (http.request.uri.path matches </span><span class="se">\"</span><span class="s2">^/status/</span><span class="se">\"</span><span class="s2">)"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"block"</span> <span class="nx">action_parameters</span> <span class="p">{</span> <span class="nx">response</span> <span class="p">{</span> <span class="nx">status_code</span> <span class="p">=</span> <span class="mi">429</span> <span class="nx">content</span> <span class="p">=</span> <span class="s2">"{</span><span class="se">\"</span><span class="s2">response</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">API refresh data, one a day. Come back tommorow</span><span class="se">\"</span><span class="s2">}"</span> <span class="nx">content_type</span> <span class="p">=</span> <span class="s2">"application/json"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">ratelimit</span> <span class="p">{</span> <span class="nx">characteristics</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ip.src"</span><span class="p">,</span> <span class="s2">"cf.colo.id"</span><span class="p">]</span> <span class="nx">period</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">requests_per_period</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">mitigation_timeout</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">counting_expression</span> <span class="p">=</span> <span class="s2">"(http.host eq </span><span class="se">\"</span><span class="s2">www.example.com</span><span class="se">\"</span><span class="s2">) and (http.request.uri.path matches </span><span class="se">\"</span><span class="s2">^/status/</span><span class="se">\"</span><span class="s2">) and (http.response.code eq 404)"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>There were no changes after that, we got a lot of blocked IPs, but they are still pinging the API. That was great evidence, that bots are used for home automation or some not very important system.<br> Also, it introduces a problem, we have no idea how users use the data. After a while, we realised, that a lot of browser-based users were blocked. Probably due to the constant refreshing of some kinds of dashboards.</p> <p>In the meantime, we changed the custom response, to <code>Managed Challange</code>. Unfortunately, it doesn't solve the issue with user behaviours.</p> <h2> Iteration 2 </h2> <p>At this point, we're sure, that the rate limit without knowledge about API usage could be a challenge. So we've been forced to find a different solution.</p> <p>The next step was to block IPs to at least cut off, the most active<br> autmated users. As it works, as expected, we have noticed a lot of requests classified by Cloudflare as Azure/AWS/etc. What it could mean? Probably some Machine learning processes. Again, blocking whole hyperscaler subnets is just pointless, we can't block the whole Internet, right?</p> <h2> Iteration 3 </h2> <p>At this point after tracking an events dashboard, I realized<br> that there is a simple way to block "not-browser" users. Check a user agent. After a short debug session, I was able to build the first user-agent-based block query. Which looks like that:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>(http.user_agent eq "") or (http.user_agent eq "got (https://github.com/sindresorhus/got)") or (http.user_agent eq "Embarcadero RESTClient/1.0") or (starts_with(http.user_agent, "python-requests")) </code></pre> </div> <p>This very simple method allows me to drop all, non-human requests.<br> So far so good, right?</p> <h2> Iteration 4 </h2> <p>After a while and a few days of watching events, I realized that<br> a few requests are made by AI crawlers.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fol5r1j5c96fmwb1n524j.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fol5r1j5c96fmwb1n524j.png" alt="AI crawlers hitting public APIs" width="800" height="392"></a></p> <p>That's led to more philosophical questions. Should we treat it as users who are seeking knowledge, and GenerativeAI finds out our data is valuable. Or we should block it, as it does not generate traffic to our blogs, or app, just use the data without linking to it? Also, it will probably include results and <code>path</code> in the newly trained model, what will be the situation when <code>path</code> is updated, and the model will redirect the user to the wrong source? Who will be responsible for it? Our company, or model owner? To just avoid these questions, we will block it for now. If you have a different option let me know!</p> <h2> Summary </h2> <p>This not-such-long article could be summarised in a few lines of text, and it is exactly what I will do.</p> <p>To protect your API, no matter what tool you use, you need a few steps:</p> <ol> <li>Observe events and logs of your API</li> <li>Try to find a pattern</li> <li>Implement a rather, simple, not aggressive solution</li> <li>Keep observing, try to understand users, not developers</li> <li>Implement another rule, based on the results</li> <li>Keep integrating until, your resources are happy, as well as your clients, and wallet (if you're using the cloud)</li> </ol> <p>That's for reading it, if you find it interesting, or you have different observation ping me on <a href="https://hachyderm.io/@jwolynko" rel="noopener noreferrer">Mastodon</a> or via <a href="//hello+blog@jakubwolynko.eu">email</a>.</p> cloudflare api security devops How do I use Vercel to host Umami? Jakub Wołynko Tue, 15 Apr 2025 07:42:31 +0000 https://dev.to/aws-builders/how-do-i-use-vercel-to-host-umami-2h3o https://dev.to/aws-builders/how-do-i-use-vercel-to-host-umami-2h3o <p>As you may already know, or not. I'm self-hosting a view apps, where it doesn't mean <code>home-labbing</code> them. My flat wasn't designed to have network cables in all rooms, and storing more units than Synology NAS, HomeAssistant, RasbberyPi and Router on a tiny Ikea shelf could be a dangerous situation. That is why I'm not using my mini-pc as a homelab anymore.</p> <p>In the beginning, I moved a lot of my services to Hetzner (take a look at previous posts). Now after a while, I started thinking about making more for less. During the vibe coding wave, I learned how to use Supabase and Vercel. Then I started thinking about one crazy thing.</p> <blockquote> <p>Can I host Umami on Vercel and Supabase for free?</p> </blockquote> <p>At the end of March, some free time appears. That is why you my friend can read this blog post!</p> <h2> What is Umami, Vercel or Supabase? </h2> <p>Let's rely on the provided documentation/marketing slogans.</p> <h3> Umami </h3> <blockquote> <p>Umami makes it easy to collect, analyze,<br> and understand your website data — so you can focus on growth</p> </blockquote> <p>Basically <a href="https://umami.is/" rel="noopener noreferrer">Umami</a> is <a href="https://github.com/umami-software/umami" rel="noopener noreferrer">open-source</a> tool that allows us - content creators collect data about our users. For example, I like to track the way users come to my blog or most popular articles, so I can modify pinned ones. Also, it's focused on privacy. For example, user data are analyzed by default, also there is no cross-site tracking, so umami tracks users only on a particular website.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd4i87hricgli6pkem54i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd4i87hricgli6pkem54i.png" alt="Dashboard view, with my blog's stats" width="800" height="534"></a></p> <h3> Vercel </h3> <blockquote> <p>Vercel provides the developer tools and<br> cloud infrastructure to build, scale,<br> and secure a faster, more personalized web.</p> </blockquote> <p><a href="https://vercel.com/" rel="noopener noreferrer">Vercel</a> is a full CI/CD platform, that provides infrastructure and whole more for your projects. It's expensive when you're bigger, but on my scale the price is great - 0$! Also, they are responsible for <a href="https://nextjs.org/" rel="noopener noreferrer">next.js</a>, so we can consider them as solid brands. To be totally honest I'm really impressed by their CI/CD system, it works really good for standard apps!</p> <h3> Supabase </h3> <blockquote> <p>Supabase is an open source Firebase alternative.<br> Start your project with a Postgres database,<br> Authentication, instant APIs, Edge Functions,<br> Realtime subscriptions, Storage, and Vector embeddings.</p> </blockquote> <p>Yes, the <a href="https://supabase.com/" rel="noopener noreferrer">Supabase</a> description could be not easy to understand. It's become much more clear when you start using it. Let's say it that way, as Vercel is for hosting the frontend, Supabase will handle your backend. Small Postgresql database, edge functions, also auth to your app, s3-like storage, etc.</p> <h3> Example </h3> <p>For example, you can take a look at my [security scanner (<a href="https://www.selfsiteaudit.com/" rel="noopener noreferrer">https://www.selfsiteaudit.com/</a>). It was built entirely with the usage of Vercel as web app hosting, Supabase as database(for report storing), and place where my Deno's functions are living - serverless part!</p> <h2> Let's start then </h2> <ol> <li> <p>Start with Vercel, the only thing is that we need to open an account there.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxo0bk6nugqk2d0g7bejb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxo0bk6nugqk2d0g7bejb.png" alt="Vercel singin options" width="577" height="487"></a></p> <p>As you can see, they do not provide Google/Facebook auth options, fortunately we can just use the email/login method.</p> </li> <li> <p>Next we need to create our first project.</p> <p>To achieve that, you need first click <code>Add New</code> on your project dashboard.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fegmt25oj9tqaomotvhv7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fegmt25oj9tqaomotvhv7.png" alt="Create a new project with Vercel" width="800" height="125"></a></p> </li> <li> <p>After that we need to configure a connection with GitHub, or another VCS server.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fegf6bebwmoqhiq4wtiex.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fegf6bebwmoqhiq4wtiex.png" alt="New project view" width="800" height="610"></a></p> <p>But hey! We don't have any projects yet. Let's fix it now.</p> </li> <li> <p>Go to the GitHub page and fork the offical <a href="https://github.com/umami-software/umami" rel="noopener noreferrer">repository</a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2jcq6bxflwws184qbdgh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2jcq6bxflwws184qbdgh.png" alt="Just fork the repo here" width="800" height="489"></a></p> <p>Great, now we're almost done.</p> <p>Let's see Vercel's magic in action.</p> </li> <li><p>Back to the project page, and choose your fork.</p></li> <li> <p>Just click deploy.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F20c1hwlvzpgwp3lo5an6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F20c1hwlvzpgwp3lo5an6.png" alt="Project deploy view" width="759" height="738"></a></p> <p>A. You can change the name of the project (but why?)<br> B. Auto-detected framework.<br> C. Some boring settings.<br> D. Click the <strong>Deploy</strong> button, just do it!</p> </li> <li> <p>And... bum! Errors.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc02pbqxmmuo519tdvoze.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc02pbqxmmuo519tdvoze.png" alt="Initial deploy log" width="698" height="856"></a></p> <p>At this stage, we need a database. It's not that simple right? Vercel is not such smart yet. In the beginning, I thought about Supabase, however I noticed that Vercel has something called Storage.</p> <blockquote> <p>Read and write directly to databases and stores from your projects</p> </blockquote> <p>Let's use it then for our application.</p> </li> <li> <p>Create a database.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flhts5pjev8ocoqlqv7r8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flhts5pjev8ocoqlqv7r8.png" alt="Create new Storage button" width="800" height="210"></a></p> </li> <li> <p>Choose a database type.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F29cu85phwfmzehz30oe3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F29cu85phwfmzehz30oe3.png" alt="Mark database provider of choice" width="516" height="478"></a></p> <p>Here we can choose multiple providers, Supabase as well. Just out of curiosity, I decided to Neon - a serverless version of Postgresql. Just to check if it will work as expected. You can choose whatever you want. After that find your region, as well as <code>Installation Plans</code>, where the recommended version is ehm, <strong>Free</strong>.</p> </li> <li> <p>Connect our database.</p> <ol> <li>Go to <strong>Storage</strong> tab.</li> <li>Click <strong>Connect Project</strong>.</li> <li>Search for your project and choose it.</li> <li>Click <strong>Connect</strong>.</li> <li>Now you should see something like this:</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmnv7rp7oalzfuc8vx8sl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmnv7rp7oalzfuc8vx8sl.png" alt="View of connected database" width="800" height="342"></a></p> <p>Now, your app should be fully connected.</p> </li> <li> <p>Redeploy the app.</p> <ol> <li> <strong>Overview</strong> -&gt; <strong>Project name pane</strong> -&gt; <strong>Deployments</strong>.</li> <li>Choose the first build and hit <strong>Redeploy</strong> </li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcq3wulidmvrwivy0t80d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcq3wulidmvrwivy0t80d.png" alt="Just redeploy the application" width="800" height="265"></a></p> </li> <li> <p>After a while you should see a similar screen to the below one:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fshmmd14igmqhjy76bpia.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fshmmd14igmqhjy76bpia.png" alt="Successful deployment" width="800" height="267"></a></p> <ol> <li>Here you see the deployment status - <code>Ready</code> </li> <li>As well as the page URL, in my case <code>https://umami-6n48.vercel.app/</code>, just hit it!</li> </ol> </li> </ol> <h2> Summary </h2> <p>As you can see, you can access your instance of Umami. Initial login, will require some credentials, remember to change them!</p> <ul> <li>username: <code>admin</code> </li> <li>password: <code>umami</code> </li> </ul> <p>What's the result of this project? Up and running self-hosted an instance of Umami, for free, able to handle analytics at least for 5 different pages, I'm currently running. Why it could be a good move? The ability to learn new things is always good. As it's a self-managed app, you don't need to worry about the price change, also Vercel stability for sure will be better than a regular production-like environment, where you still testing a lot of things. The most important thing is that you don't need to use Google Analytics if you want to use website analytics for free and avoid services provided by Google.</p> selfhosting umami vercel privacy Bootstrap cluster with FluxCD Jakub Wołynko Tue, 15 Apr 2025 07:28:36 +0000 https://dev.to/3sky/bootstrap-cluster-with-fluxcd-4im8 https://dev.to/3sky/bootstrap-cluster-with-fluxcd-4im8 <p>That is the next iteration of the "5 AM Club" Kubernetes migration. As you can remember from other entries published in this series, I started playing with Kubernetes daily. Not on a daily basis, but literally every single day. To be honest, I'm pretty happy with the results. However, my plan has one challenge, that requires to be solved. Build time was long <strong>~15 minutes</strong> every day, and sometimes ESO operator faced an issue regarding using kustomize for Helm-based deployment. And just due to random constraints, I wanted to use one tool for bootstrapping a cluster.</p> <p>That is why I started with the layout presented last time. So logical split per operator with the <code>base/overlay</code> sub-group.</p> <p>Then I thought, why not just use some standard solution for that?<br> The first idea was to extend the usage of Argo for my infrastructure. But... It requires setting ESO, Doppler secret, and ArgoCD installed. Then I can reconfigure apps from the git level.</p> <p>The challenge was, to make it easier, faster, and more standardised, than it was currently.</p> <h2> Starting from beginning </h2> <p>What <a href="https://fluxcd.io/flux/" rel="noopener noreferrer">Flux</a> is? And what is not?</p> <blockquote> <p>Flux is a tool for keeping Kubernetes<br> clusters in sync with sources of configuration (like Git repositories),<br> and automating updates to the configuration when there is new code to deploy.</p> </blockquote> <p>We can use Flux to keep the configuration of our whole cluster in sync, with the Git repository. The funny thing is that we can configure both apps and infra with the usage of Flux.</p> <p>However, managing apps with Flux in my opinion is not the easiest and most comfortable solution. Especially, if we're changing versions quite often and we would like to have at least a few dependencies between apps and infra. For example, my Immich instance needs <code>csi-driver-smb</code>, which on the other hand requires <code>external-secret-operator</code> and <code>external-secret-secret</code><br> (the actual link between in-cluster secret and ESO <code>ClusterSecretStore</code>). So, every <a href="https://github.com/immich-app/immich/releases" rel="noopener noreferrer">new relese</a>, needs to be built and checks that all kustomizations are in place.<br> Then actually deploy a new version. Very long process, also ArgoCD UI is just better, easier to use, and definitely more user-friendly - at least in my opinion.</p> <h2> Repository structure </h2> <p>So after a few initial rounds it's ended in the following state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">.</span> ├── README.md ├── clusters │   └── cluster0 │   └── flux-system │   ├── gotk-components.yaml │   ├── gotk-sync.yaml │   ├── infrastructure.yaml │   └── kustomization.yaml └── infrastructure └── controllers ├── argocd-operator │   ├── configmap-patch.yaml │   ├── kustomization.yaml │   ├── namespace.yaml │   └── patch-argocd-server-annotations.yaml ├── argocd-operator-apps │   ├── applications.yaml │   ├── kustomization.yaml │   ├── projects.yaml │   └── repositories.yaml ├── csi-driver-smb │   ├── csi-driver-smb.yaml │   └── kustomization.yaml ├── external-secrets │   ├── external-secrets-operator.yaml │   └── kustomization.yaml ├── external-secrets-secret │   ├── cluster-secret-store.yaml │   └── kustomization.yaml ├── tailscale-operator │   ├── kustomization.yaml │   └── tailscale-operator.yaml ├── tailscale-operator-secrets │   ├── kustomization.yaml │   └── tailscale-operator-exteral-secret.yaml └── traefik ├── kustomization.yaml └── traefik-ext-conf.yaml </code></pre> </div> <p>Now we need some explanation, right?</p> <h2> Flux configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>clusters └── cluster0 └── flux-system ├── gotk-components.yaml ├── gotk-sync.yaml ├── infrastructure.yaml └── kustomization.yaml </code></pre> </div> <p>Here we have the configuration of our cluster, which is an awesome idea. In one repository we can have configurations for multiple clusters, based on provider, environment, or location, and manage them in a very simple way. Then we have regular flux-system files, so <code>flux-system/gotk-components.yaml</code> and <code>flux-system/gotk-sync.yaml</code>. Next, let's talk about my simple <code>Kustomization</code> file<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">gotk-components.yaml</span> <span class="pi">-</span> <span class="s">gotk-sync.yaml</span> <span class="pi">-</span> <span class="s">infrastructure.yaml</span> </code></pre> </div> <p>This just tells Flux, that after bootstrapping itself, install<br> manifests based on <code>infrastructure.yaml</code> file. So let's take a look at the most crucial part of the config.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.toolkit.fluxcd.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">csi-driver-smb</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">1h</span> <span class="na">retryInterval</span><span class="pi">:</span> <span class="s">1m</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">sourceRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">name</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./infrastructure/controllers/csi-driver-smb</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">wait</span><span class="pi">:</span> <span class="kc">true</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.toolkit.fluxcd.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-secrets</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">1h</span> <span class="na">retryInterval</span><span class="pi">:</span> <span class="s">1m</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">sourceRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">name</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./infrastructure/controllers/external-secrets</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">wait</span><span class="pi">:</span> <span class="kc">true</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.toolkit.fluxcd.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-secrets-secret</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">1h</span> <span class="na">retryInterval</span><span class="pi">:</span> <span class="s">1m</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">sourceRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">name</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./infrastructure/controllers/external-secrets-secret</span> <span class="na">dependsOn</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-secrets</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">wait</span><span class="pi">:</span> <span class="kc">true</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.toolkit.fluxcd.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tailscale-operator</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">1h</span> <span class="na">retryInterval</span><span class="pi">:</span> <span class="s">1m</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">sourceRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">name</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./infrastructure/controllers/tailscale-operator</span> <span class="na">dependsOn</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-secrets-secret</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">wait</span><span class="pi">:</span> <span class="kc">true</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.toolkit.fluxcd.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tailscale-operator-secret</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">1h</span> <span class="na">retryInterval</span><span class="pi">:</span> <span class="s">1m</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">sourceRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">name</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./infrastructure/controllers/tailscale-operator-secrets</span> <span class="na">dependsOn</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-secrets</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">wait</span><span class="pi">:</span> <span class="kc">true</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.toolkit.fluxcd.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">traefik</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">1h</span> <span class="na">retryInterval</span><span class="pi">:</span> <span class="s">1m</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">sourceRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">name</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./infrastructure/controllers/traefik</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">wait</span><span class="pi">:</span> <span class="kc">true</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.toolkit.fluxcd.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-operator</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">1h</span> <span class="na">retryInterval</span><span class="pi">:</span> <span class="s">1m</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">sourceRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">name</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./infrastructure/controllers/argocd-operator</span> <span class="na">dependsOn</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tailscale-operator</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">wait</span><span class="pi">:</span> <span class="kc">true</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.toolkit.fluxcd.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-apps</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">1h</span> <span class="na">retryInterval</span><span class="pi">:</span> <span class="s">1m</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">sourceRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">name</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./infrastructure/controllers/argocd-operator-apps</span> <span class="na">dependsOn</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-operator</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">wait</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>As you can see I heavily rely on <code>dependsOn</code> command. That is due Flux and Kubernetes archtecture design. When we're applying a Kustomization, we do not control the order of creating the resources. Of course, if we put in one file, service, ingress, and deployment, Kubernetes will know how to handle that. The problem is when we deploy an application that has dependencies on each other, that is not what Kubernetes understands. So we need to specify it directly. In my example <code>csi-driver-smb</code>, <code>external-secrets</code>, and <code>traefik</code> can be installed in parallel, but then we have some relations. At the end, we're installing Argo's <code>app-of-apps</code>, which requires in general all previous components, besides <code>traefik</code> - I'm routing my traffic through Tailscale there, not via the Internet.</p> <p>Now you can think:</p> <blockquote> <p><strong>App-of-apps</strong>? You said infra only!</p> </blockquote> <p>That is right, my logic was quite complex, to be honest here. Do you remember, when I wrote about use-case? Bootstraping the whole cluster so that I will be able to work with it fast. Apps are part of the overall cluster at the end. So my app-of-apps definition was very simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>infrastructure/controllers/argocd-operator-apps ├── applications.yaml ├── kustomization.yaml ├── projects.yaml └── repositories.yaml </code></pre> </div> <p>Let's dive into it one, one by one.</p> <ol> <li> <p>applications.yaml<br> </p> <pre class="highlight yaml"><code> <span class="s">---</span> <span class="s">apiVersion</span><span class="err">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="s">kind</span><span class="err">:</span> <span class="s">Application</span> <span class="s">metadata</span><span class="err">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">self-sync</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">project</span><span class="pi">:</span> <span class="s">non-core-namespaces</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://codeberg.org/3sky/argocd-for-home</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">HEAD</span> <span class="na">path</span><span class="pi">:</span> <span class="s">app-of-apps</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> </code></pre> <p>That is a very simple definition of my main <code>Application</code> that controls all apps running on my cluster. Nothing very special here, I was experimenting with <code>codeberg</code>, but let's talk about that later.</p> </li> <li> <p>kustomization.yaml<br> </p> <pre class="highlight yaml"><code> <span class="s">---</span> <span class="s">apiVersion</span><span class="err">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="s">kind</span><span class="err">:</span> <span class="s">Kustomization</span> <span class="s">namespace</span><span class="err">:</span> <span class="s">argocd</span> <span class="s">resources</span><span class="err">:</span> <span class="pi">-</span> <span class="s">repositories.yaml</span> <span class="pi">-</span> <span class="s">projects.yaml</span> <span class="pi">-</span> <span class="s">applications.yaml</span> </code></pre> <p><code>Kustomization</code> is simple, just ordered in the logic path.</p> <p><strong>Repository</strong> -&gt; <strong>Projects</strong> -&gt; <strong>Application</strong></p> </li> <li> <p>projects.yaml<br> </p> <pre class="highlight yaml"><code> <span class="s">---</span> <span class="s">apiVersion</span><span class="err">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="s">kind</span><span class="err">:</span> <span class="s">AppProject</span> <span class="s">metadata</span><span class="err">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">non-core-namespaces</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Allow argo deploy everywhere</span> <span class="na">sourceRepos</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">https://codeberg.org/3sky/argocd-for-home'</span> <span class="na">destinations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespaceResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">clusterResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> </code></pre> <p>As I'm creating <code>namespaces</code> as part of my application setup, permission granted to Argo's Projects are very wide. In this case, I just trust the GitOps process.</p> </li> <li> <p>repositories.yaml<br> </p> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">external-secrets.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ExternalSecret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">gitops-with-argo-secret</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">refreshInterval</span><span class="pi">:</span> <span class="s">6h</span> <span class="na">secretStoreRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">doppler-auth-argocd</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterSecretStore</span> <span class="na">target</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">gitops-with-argo</span> <span class="na">creationPolicy</span><span class="pi">:</span> <span class="s">Owner</span> <span class="na">template</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/secret-type</span><span class="pi">:</span> <span class="s">repository</span> <span class="na">data</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">git</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://codeberg.org/3sky/argocd-for-home</span> <span class="na">username</span><span class="pi">:</span> <span class="s">3sky</span> <span class="na">password</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.password</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">secretKey</span><span class="pi">:</span> <span class="s">password</span> <span class="na">remoteRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">CODEBERG_TOKEN</span> </code></pre> <p>This is probably the most interesting part of the configuration. As we're unable to inject our password directly into <code>argocd.argoproj.io/secret-type: repository</code>, which is a regular Kubernetes Secret. We need to generate the whole object<br> with ESO - details can be found <a href="https://jakubwolynko.eu/blog/202503-eso-with-doppler/" rel="noopener noreferrer">here</a>.</p> </li> </ol> <p>And that's it. Now let's talk about the actual bootstrap process.</p> <h2> Bootstraping environment </h2> <ol> <li> <p>Spin up infrastructure with Terraform.<br> </p> <pre class="highlight shell"><code>terraform apply <span class="nt">-var</span><span class="o">=</span><span class="s2">"local_ip=</span><span class="si">$(</span>curl <span class="nt">-s</span> ifconfig.me<span class="si">)</span><span class="s2">"</span> </code></pre> </li> <li> <p>Installing K3S with local fork of <a href="https://github.com/k3s-io/k3s-ansible" rel="noopener noreferrer">k3s-ansible</a>.<br> </p> <pre class="highlight shell"><code>ansible-playbook playbooks/site.yml <span class="nt">-i</span> inventory.yml </code></pre> </li> <li> <p>Load KUBECONFIG<br> </p> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">KUBECONFIG</span><span class="o">=</span>/home/kuba/.kube/config.hetzner-prod kubectl config use-context k3s-ansible </code></pre> </li> <li> <p>Doppler configuration (we need an initail secret somewhere)<br> </p> <pre class="highlight shell"><code>kubectl create namespace external-secrets kubectl create secret generic <span class="se">\</span> <span class="nt">-n</span> external-secrets doppler-token-argocd <span class="se">\</span> <span class="nt">--from-literal</span> <span class="nv">dopplerToken</span><span class="o">=</span><span class="s2">""</span> </code></pre> </li> <li> <p>Bootstrap the cluster<br> </p> <pre class="highlight shell"><code>flux bootstrap github <span class="se">\</span> <span class="nt">--owner</span><span class="o">=</span>3sky <span class="se">\</span> <span class="nt">--repository</span><span class="o">=</span>flux-at-home <span class="se">\</span> <span class="nt">--branch</span><span class="o">=</span>main <span class="se">\</span> <span class="nt">--path</span><span class="o">=</span>./clusters/cluster0 <span class="se">\</span> <span class="nt">--personal</span> </code></pre> <p>Where GitHub is supported natively (via GitHub Apps). Solutions like <a href="https://codeberg.org/" rel="noopener noreferrer">Codeberg</a> needs a more direct method.<br> </p> <pre class="highlight shell"><code>flux bootstrap git <span class="se">\</span> <span class="nt">--url</span><span class="o">=</span>ssh://git@codeberg.org/3sky/flux-at-home.git <span class="se">\</span> <span class="nt">--branch</span><span class="o">=</span>main <span class="se">\</span> <span class="nt">--path</span><span class="o">=</span>./clusters/cluster0 <span class="se">\</span> <span class="nt">--private-key-file</span><span class="o">=</span>/home/kuba/.ssh/id_ed25519_git </code></pre> </li> <li> <p>Get ArgoCD password if needed<br> </p> <pre class="highlight shell"><code>kubectl <span class="nt">--namespace</span> argocd <span class="se">\</span> get secret argocd-initial-admin-secret <span class="se">\</span> <span class="nt">-o</span> json | jq <span class="nt">-r</span> <span class="s1">'.data.password'</span> | <span class="nb">base64</span> <span class="nt">-d</span> </code></pre> </li> </ol> <h2> Summary </h2> <p>With this set of commands, I'm able to set fresh clusters, with Hetzner or whatever in literally 7 minutes. Starting from installing k3s to having applications exposed via Cloudflare tunnel, or Tailscale tailnet. To be honest I'm really satisfied with the result of this exercise. Besides a long-running cluster for my self-hosted apps. I can quite easily, fast, and with low costs test new versions of ArgoCD, or <code>smb-driver</code> operator, without harming my current setup! And that is great, to be honest. Especially for self-hosting, where it's good to have apps that are working in let's say <code>production mode</code>, even if there is only one user.</p> selfhosting kubernetes fluxcd External Secret Operator with Doppler Jakub Wołynko Tue, 15 Apr 2025 07:18:10 +0000 https://dev.to/3sky/external-secret-operator-with-doppler-35e1 https://dev.to/3sky/external-secret-operator-with-doppler-35e1 <p>Last time we configured our cluster step by step maybe without public code yet, but someday I will publish it. Probably when it will be smooth enough to share. Nevertheless, we have a working cluster. Today I will focus on connecting the External Secret Operator with Doppler. So let's introduce today's stars.</p> <h2> External Secret Operator </h2> <blockquote> <p>External Secrets Operator is a Kubernetes operator that<br> Integrates external secret management systems like AWS Secrets Manager,<br> HashiCorp Vault, Google Secrets Manager, Azure Key Vault,<br> IBM Cloud Secrets Manager, CyberArk Conjur,<br> Pulumi ESC and many more. The operator reads information from<br> external APIs and automatically inject the values into a Kubernetes Secret.</p> </blockquote> <p><a href="https://external-secrets.io/latest/" rel="noopener noreferrer">Link</a></p> <h2> Doppler </h2> <blockquote> <p>Doppler integrates with popular CI/CD tools<br> and frameworks, making it easy to automate secrets<br> management within your development workflow.</p> </blockquote> <p><a href="https://www.doppler.com" rel="noopener noreferrer">Link</a></p> <h3> Fast guide over platform </h3> <ol> <li> <p><strong>Create a project</strong></p> <p>Adding new project is very simple, and easy.<br> Just click on <code>+</code> button near to the <code>Projects</code> text.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fop980q6x5dq7igfz49bm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fop980q6x5dq7igfz49bm.png" alt="View of initial dashboard without projects" width="800" height="489"></a></p> </li> <li> <p><strong>Manage stages</strong></p> <p>Here we can add, delete, or modify stages. At the beginning, I would like to recommend using only one stage.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkwv56ikffyk4123jz9gw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkwv56ikffyk4123jz9gw.png" alt="View on default stages' dashboard" width="800" height="315"></a></p> </li> <li> <p><strong>Adding secrets</strong></p> <p>Then after clicking on the stage name, we can add next secret with two-click.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwy3598r81idgm733styh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwy3598r81idgm733styh.png" alt="Regular secret view" width="800" height="327"></a></p> </li> <li> <p><strong>Getting a token</strong></p> <p>The last action to do is token generation. To archive it, just go to *<em>Access</em> tab, then generate a token, that will have access to particular config.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F09ihf20jucavhgohx2pr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F09ihf20jucavhgohx2pr.png" alt="View of access tab" width="800" height="320"></a></p> </li> </ol> <h2> How to use this duet </h2> <p>First, we need to understand how it works. In my cluster, it looks<br> as shown in the picture below:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fogk68e0gjiu0wdh58w3s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fogk68e0gjiu0wdh58w3s.png" alt="Flow diagram of ESO integration with Doppler and cluster" width="800" height="663"></a></p> <p>As you may see, we need to have one "static secret" in our cluster, we can make it from CLI directly or with the usage of sops, however, the effect will be the same, where we need to start. I decided that my workstation terminal session is a good place to create the main secret.</p> <p>When we have our token, we can call Doppler and retrieve needed secrets. In my case, I'm using one Doppler's project for everything and all namespaces have access to my token, but we can restrict it on the RBAC level if needed. Or not, that is why we're using ESO.</p> <h2> Retrieving secrets </h2> <p>In my opinion, we have at least 2 modes of getting credentials, that should meet all our needs.</p> <ol> <li> <p>Getting all prefixed secrets.<br> </p> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">external-secrets.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ExternalSecret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">externalsecret</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Kustomize</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">refreshInterval</span><span class="pi">:</span> <span class="s">6h</span> <span class="na">secretStoreRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">doppler-auth-argocd</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterSecretStore</span> <span class="na">dataFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">find</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">HELLO_</span> </code></pre> <p>With this code, we're fetching all secrets with prefix <code>HELLO_</code>, into a single secret with the name hello. And that's it. If you want to check the result of your integration just run:<br> </p> <pre class="highlight shell"><code>kubectl get secrets hello <span class="se">\</span> <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.HELLO_SECRET}"</span> <span class="se">\ </span> <span class="nt">-n</span> hello | <span class="nb">base64</span> <span class="nt">--decode</span> </code></pre> </li> <li> <p>Getting particular secret and putting them into a specific order<br> </p> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">external-secrets.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ExternalSecret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">externalsecret</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Kustomize</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">refreshInterval</span><span class="pi">:</span> <span class="s">6h</span> <span class="na">secretStoreRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">doppler-auth-argocd</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterSecretStore</span> <span class="na">target</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hello-secret</span> <span class="na">creationPolicy</span><span class="pi">:</span> <span class="s">Owner</span> <span class="na">template</span><span class="pi">:</span> <span class="na">data</span><span class="pi">:</span> <span class="na">APP_SECRET</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.HELLO_SECRET</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">INIT_PASSWORD</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.HELLO_INIT_PASSWORD</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">dataFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">find</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">HELLO_</span> </code></pre> <p>This will create <code>secret/hello-secret</code> with a specific object structure. When it could be helpful? I will show you 3 interesting examples, that you could use in your setup.</p> <ol> <li> <p>Adding Cloudflare tunnel config file</p> <p>Cloudflare tunnels require providing data in a specific format.<br> It's a JSON string, looking similar to:<br> </p> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"AccountTag"</span><span class="p">:</span><span class="w"> </span><span class="s2">"f3cc889ae810"</span><span class="p">,</span><span class="w"> </span><span class="nl">"TunnelSecret"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SVD/O0sU+VtDlH023aBcToG0dMk="</span><span class="p">,</span><span class="w"> </span><span class="nl">"TunnelID"</span><span class="p">:</span><span class="w"> </span><span class="s2">"8127899-c332-482c-91aa-d1210a479658"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> <p>And you need to use exactly this as a file-based secret. Then you have two option get your prefixed secrets into one object, then <code>credentials.json</code> into second, or use templates.<br> </p> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">external-secrets.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ExternalSecret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">externalsecret</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Kustomize</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">refreshInterval</span><span class="pi">:</span> <span class="s">6h</span> <span class="na">secretStoreRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">doppler-auth-argocd</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterSecretStore</span> <span class="na">target</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hello-secret</span> <span class="na">creationPolicy</span><span class="pi">:</span> <span class="s">Owner</span> <span class="na">template</span><span class="pi">:</span> <span class="na">data</span><span class="pi">:</span> <span class="na">credentials.json</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.HELLO_TUNNEL</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">APP_SECRET</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.HELLO_APP_SECRET</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">DB_SECRET</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.HELLO_DB_SECRET</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">DATABASE_URL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.HELLO_DB_URL</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">dataFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">find</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">HELLO_</span> <span class="nn">---</span> </code></pre> </li> <li> <p>Building ArgoCD repository secret.</p> <p>If you have worked with ArgoCD in the past, there is a chance, that you know that problem is not trivial. You need to use build object with type secret, with repository URL, user, and secret. As you can't have a nested secret (secret ref in another secret), you are forced to keep the whole file secret. Fortunately, you can use ESO templates.<br> </p> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">external-secrets.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ExternalSecret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">gitops-with-argo-secret</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">refreshInterval</span><span class="pi">:</span> <span class="s">6h</span> <span class="na">secretStoreRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">doppler-auth-argocd</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterSecretStore</span> <span class="na">target</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">gitops-with-argo</span> <span class="na">creationPolicy</span><span class="pi">:</span> <span class="s">Owner</span> <span class="na">template</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/secret-type</span><span class="pi">:</span> <span class="s">repository</span> <span class="na">data</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">git</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://github.com/3sky/argocd-for-home</span> <span class="na">username</span><span class="pi">:</span> <span class="s">3sky</span> <span class="na">password</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.password</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">secretKey</span><span class="pi">:</span> <span class="s">password</span> <span class="na">remoteRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">GITHUB_TOKEN</span> </code></pre> </li> <li> <p>At the end, simple, direct Tailscale mapping<br> </p> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">external-secrets.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ExternalSecret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">operator-oauth-secret</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">tailscale</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">refreshInterval</span><span class="pi">:</span> <span class="s">6h</span> <span class="na">secretStoreRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">doppler-auth-argocd</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterSecretStore</span> <span class="na">target</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">operator-oauth</span> <span class="na">creationPolicy</span><span class="pi">:</span> <span class="s">Owner</span> <span class="na">template</span><span class="pi">:</span> <span class="na">data</span><span class="pi">:</span> <span class="na">client_id</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.client_id</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">client_secret</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.client_secret}}"</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">secretKey</span><span class="pi">:</span> <span class="s">client_id</span> <span class="na">remoteRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">TAILSCALE_CLIENT_ID</span> <span class="pi">-</span> <span class="na">secretKey</span><span class="pi">:</span> <span class="s">client_secret</span> <span class="na">remoteRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">TAILSCALE_CLIENT_SECRET</span> </code></pre> </li> </ol> </li> </ol> <h2> Summary </h2> <p>Based on my testing and usage of this integration, so far so good. Stable, not very resource-consuming, we can limit sync intervals. Doppler as mentioned at the beginning is free for small projects, or individual users. However, using ESO with popular enterprise solutions like Hashicorp Vault should be very similar. Maybe I will check it someday.</p> <p>I hope you like this kind of article, smaller, focused on a particular problem or integration. If not, let me know.</p> selfhosting kubernetes eso doppler Again self-hosting! on k3s Jakub Wołynko Tue, 15 Apr 2025 07:07:04 +0000 https://dev.to/3sky/again-self-hosting-on-k3s-2bji https://dev.to/3sky/again-self-hosting-on-k3s-2bji <p>Over some time I was really happy with my podman + ansible setup. It was great, but do you know what wasn’t such great? Deployment rollbacks. It all started with linkwarden. On my miniflux, I received a notification - that a new minor release is ready.</p> <blockquote> <p>You can use GitHub repos as RSS links and received<br> notification about new releases. If you're using miniflux<br> just past <code>https://github.com/ansible/ansible/releases.atom</code></p> </blockquote> <p>Let's say version 2.8.0. When the time came, I just changed my variable and executed <code>ansible-playbook</code> command. Then after 3 minutes, my uptime-kuma started screaming, and saying that my app was dead. Initially, I ignored that, due to my experience with podman. During the service restart it makes an app unavailable, then downloads the new image and tries to run it. If the package is big, it could take a while. It wasn't great, but that is what could be acceptable for self-hosting service. Unfortunately, the main problem was with something different. Maintainers of Linkwarden sometimes inform users about a new release, however, it's only delivered as an rpm/deb package. The container image could be still in the building, or the building process could fail. It doesn't matter, sometimes my typo could occur as well. Then podman can't handle that, nor Ansible as it just restarts the service. Podman on another hand just stops service and does not roll back to the old version automatically. So sometimes it becomes annoying as I need to log into the server with ssh and manually fix it. That is why I decided to switch to some Kubernetes distribution.</p> <h2> k3s </h2> <p>So why is the based version of small Kubernetes supported by Suse?<br> Hmm mostly due to popularity, stability, and small resource consumption. It was good enough to run on a single host, and it's shipped as just a binary. This fits my needs, a small, easy-to-use package with build-in ingress, local-path storage provider, and flannel that implements Kubernetes CNI. Here is also a really nice<br> <a href="https://github.com/k3s-io/k3s-ansible" rel="noopener noreferrer">project</a> for installation and configuration base cluster, which I used for my setup.</p> <h2> The migration process </h2> <p>I did not have much time for migration, as I really enjoy spending time with my family, also with a full-time job it is just hard to put in the calendar. That is why I decided to join the "5 AM Club", and start re-learning Kubernetes again. I have a full log of my activities with dates, but probably that is not what you could be interested in. Let's say my regular everyday process look like this:</p> <ol> <li> <p>Apply terraform code<br> </p> <pre class="highlight shell"><code><span class="nb">cd </span>hetzner terrafrom apply </code></pre> </li> <li> <p>Run <code>k3s-ansible</code> project, (check IP in inventory.yaml).<br> </p> <pre class="highlight shell"><code><span class="nb">cd </span>k3s-ansible ansible-playbook playbooks/site.yml <span class="nt">-i</span> inventory.yml </code></pre> </li> <li> <p>With ready cluster update KUBECONFIG.<br> </p> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">KUBECONFIG</span><span class="o">=</span>~/.kube/config.new kubectl config use-context k3s-ansible </code></pre> </li> <li> <p>Patch k3s setup with traefik config.<br> </p> <pre class="highlight shell"><code><span class="nb">cd </span>cluster-config k apply <span class="nt">-f</span> traefik-ext-conf.yaml </code></pre> </li> <li> <p>Create External Secret Operator main token for doppler<br> </p> <pre class="highlight shell"><code>kubectl create namespace external-secrets kubectl create secret generic <span class="se">\</span> <span class="nt">-n</span> external-secrets <span class="se">\</span> doppler-token-argocd <span class="se">\</span> <span class="nt">--from-literal</span> <span class="nv">dopplerToken</span><span class="o">=</span><span class="s2">"dp.st.xx"</span> </code></pre> </li> <li> <p>Install EOS operator<br> </p> <pre class="highlight shell"><code>helm <span class="nb">install </span>external-secrets <span class="se">\</span> external-secrets/external-secrets <span class="se">\</span> <span class="nt">-n</span> external-secrets <span class="se">\</span> <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">--set</span> <span class="nv">installCRDs</span><span class="o">=</span><span class="nb">true</span> </code></pre> </li> <li> <p>Check if the webhook is up and running (sometimes is not)<br> </p> <pre class="highlight shell"><code>k logs <span class="nt">-l</span> app.kubernetes.io/name<span class="o">=</span>external-secrets-webhook <span class="nt">-n</span> external-secrets </code></pre> </li> <li> <p>If yes, apply the overlay and create ClusterSecretStore<br> </p> <pre class="highlight shell"><code><span class="nb">cd </span>ESO/ kubectl apply <span class="nt">-k</span> overlay/ </code></pre> </li> <li> <p>Install tailscale<br> </p> <pre class="highlight shell"><code><span class="nb">cd </span>tailscale kubectl apply <span class="nt">-k</span> <span class="nb">.</span> </code></pre> </li> <li> <p>Install argo<br> </p> <pre class="highlight shell"><code><span class="nb">cd </span>argocd kubectl apply <span class="nt">-k</span> base/ kubectl apply <span class="nt">-k</span> overlay/ </code></pre> </li> <li> <p>Get Argo init admin password<br> </p> <pre class="highlight shell"><code>kubectl <span class="nt">--namespace</span> argocd get <span class="se">\</span> secret argocd-initial-admin-secret <span class="se">\</span> <span class="nt">-o</span> json <span class="se">\</span> | jq <span class="nt">-r</span> <span class="s1">'.data.password'</span> <span class="se">\</span> | <span class="nb">base64</span> <span class="nt">-d</span> </code></pre> <p>So far so good. Now let's break down used services.</p> </li> </ol> <h2> Operators </h2> <p>I started by extending my traefik configuration to be able to handle regular requests from the internet. If you decide to do it,<br> as well please be aware that k3s for today (07-Feb-2025) is using version 2+, not 3+, which is why not everything straight from documentation will work. For example, my code is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">HelmChartConfig</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">traefik</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="c1"># we're still on with k3s https://github.com/traefik/traefik-helm-chart/blob/v27.0.2/traefik/values.yaml</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">valuesContent</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">additionalArguments:</span> <span class="s">- "--certificatesresolvers.letsencrypt.acme.email=mark@example.com"</span> <span class="s">- "--certificatesresolvers.letsencrypt.acme.storage=/data/acme.json"</span> <span class="s">- "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"</span> <span class="s"># - "--certificatesresolvers.letsencrypt.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"</span> </code></pre> </div> <p>With that, and <a href="https://ducknds.org" rel="noopener noreferrer">duckdns</a> domain (Hetzner,<br> very often gave you the same IP address. Thanks folks!). I was<br> able to expose my service directly to the internet with the usage HTTPS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">traefik.ingress.kubernetes.io/router.entrypoints</span><span class="pi">:</span> <span class="s2">"</span><span class="s">websecure"</span> <span class="na">traefik.ingress.kubernetes.io/router.tls</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">traefik.ingress.kubernetes.io/router.tls.certresolver</span><span class="pi">:</span> <span class="s2">"</span><span class="s">letsencrypt"</span> <span class="na">traefik.ingress.kubernetes.io/service.serversscheme</span><span class="pi">:</span> <span class="s2">"</span><span class="s">h2c"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">traefik"</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">nginx997.duckdns.org</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">nginx997.duckdns.org</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <p>Then we have a challenge called:</p> <blockquote> <p>How to store secrets with the usage of external sources?</p> </blockquote> <p>I decided to use two products: External Secret Operator, and Doppler. In the beginning, I thought about Bitwarden's "not-so-new" Secret Manager, however, after a short investigation, the product seems to be not so well-supported by the ESO, which IMO is useful as it allows me to have one cluster-wide secret for getting secrets from external sources, which is great.</p> <p>Doppler and ESO combo requires another post, so check my website from time to time.</p> <p>Then I wanted to add <a href="https://tailscale.com" rel="noopener noreferrer">Tailscle</a> which besides being a "best in class VPN" for the homelabbers, allows you to add k8s services directly into your tailnet. What does it mean? The Tailscale operator allows you to access your k8s applications only when you are logged into your private<br> network (tailnet), with the usage of your domain for ended with <code>ts.net</code>. You can configure it in two ways on the resource side, with ingress or with service annotation.</p> <ol> <li> <p>Ingress<br> </p> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">tailscale</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">hello.john-kira.ts.net</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">hello.john-kira.ts.net</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </li> <li> <p>Service<br> </p> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">tailscale.com/expose</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">tailscale.com/tailnet-fqdn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">hello.john-kira.ts.net"</span> <span class="na">tailscale.com/hostname</span><span class="pi">:</span> <span class="s2">"</span><span class="s">hello"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> </code></pre> </li> </ol> <p>Also please be aware that service by default exposes your service into tailnet over HTTP, where ingress provides a TLS certification as well.</p> <p>Nice, at this point I was able to access my public service, as well as internal. What was the next step? ArgoCD.</p> <p>Deploying ArgoCD was simple. During the first iteration, I decided to split my repo into <code>base</code> and <code>overlay</code> folders. The first directory contains the file for deploying an instance of Argo, exposing it to the tailnet. To archive it I just created a simple <code>kustomization.yaml</code> file as below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">namespace.yaml</span> <span class="pi">-</span> <span class="s">https://raw.githubusercontent.com/argoproj/argo-cd/v2.13.2/manifests/install.yaml</span> <span class="c1"># add --insecure flag to deployment, to avoid 307 redirection loop</span> <span class="na">patches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">target</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-cmd-params-cm</span> <span class="na">path</span><span class="pi">:</span> <span class="s">configmap-patch.yaml</span> <span class="pi">-</span> <span class="na">target</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-server</span> <span class="na">path</span><span class="pi">:</span> <span class="s">patch-argocd-server-annotations.yaml</span> </code></pre> </div> <p>Then two patches were:</p> <ul> <li> <p><code>patch-argocd-server-annotations.yaml</code><br> </p> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-server</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">tailscale.com/expose</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">tailscale.com/tailnet-fqdn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">argo.john-kira.ts.net"</span> <span class="na">tailscale.com/hostname</span><span class="pi">:</span> <span class="s2">"</span><span class="s">argo"</span> </code></pre> </li> <li> <p><code>configmap-patch.yaml</code><br> </p> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-cmd-params-cm</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">data</span><span class="pi">:</span> <span class="na">server.insecure</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> </code></pre> </li> </ul> <p>Then my <code>overlay</code> directory contains only Argo's objects definitions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">overlay ├── applications.yaml ├── kustomization.yaml ├── projects.yaml └── repositories.yaml </span></code></pre> </div> <h2> Summary </h2> <p>That was my first iteration of the "5 AM Club" Kubernetes migration. It takes me a bit longer than one or two mornings. Based on my notes it was around 7 days of work, ~1h per day. Not bad at all, however, there were a few things that are missing and which I should improve to make my setup much more flexible, stable, and easier to test. Where "to test" I understand deploying a new version of the operator and watching how the cluster is burning. Or not, I hope rather not.</p> <p>With that in mind, thanks for your time, hope you enjoy reading it. If you would like to reach me or you have questions please use <a href="https://jakubwolynko.eu/about" rel="noopener noreferrer">about</a> page infos.</p> selfhosting k3s ansible argocd Self-hosting with Podman Jakub Wołynko Tue, 15 Apr 2025 06:53:31 +0000 https://dev.to/3sky/self-hosting-with-podman-3g5n https://dev.to/3sky/self-hosting-with-podman-3g5n <p>I've been a self-hoster for a while. The adventure started with regular mani-pc manufactured by HP. 32G of RAM, Intel gen 10, and 1T HDD drive. However, as long as it was a great experience at the beginning, with time it became a challenge. My stack was built with <a href="https://www.portainer.io/" rel="noopener noreferrer">portainer</a> and a bunch of docker-compose files. It leads to specific issues: with portainer, you don't own the Compose files, they are living inside your tool, but nowhere on the filesystem or git repo.</p> <p><strong>update Feb-2025</strong>: portioner supports GitOps</p> <p>Additionally at some point people behind this product decided to change the licensing model, and allow the use of community editions for up to 5 nodes. It wasn't my case, but that pushed me to use something more independent. So I started using <a href="https://dockge.kuma.pet/" rel="noopener noreferrer">dockge</a>, then added another service for docker <a href="https://dozzle.dev/" rel="noopener noreferrer">logs</a>, <a href="https://crazymax.dev/diun/" rel="noopener noreferrer">version monitor</a>, and keeps adding applications that are fun to use, for example <a href="https://hay-kot.github.io/homebox/" rel="noopener noreferrer">homebox</a> or <a href="https://www.bookstackapp.com/" rel="noopener noreferrer">bookstack</a>. It was fun until I released the cost of energy and maintenance effort need to keep it running, at my home. Every internet issue, or power issue takes my setup down. Maybe it was not happening very often, but when I wasn’t home, and the hardware was down, there was no chance to fix it remotely. And I started relaying on that service. That is why I simply decided<br> to migrate to <a href="https://www.hetzner.com/" rel="noopener noreferrer">hetzner</a>, and podman at the same time, and use remote NFS. However, let's start from the beginning.</p> <h2> Why Hetzner </h2> <p>As I'm an AWS Community Builder, every renewal cycle I receive $500 for AWS services. I was getting an EC2 instance on ARM (yes, I decided to switch CPU architecture too) with 4 cores and 8GB of RAM, which cost more than $500 per year. Since we're talking about a server running 24/7, with additional VPC, EBS, etc., the estimated cost was just $111.744 per month. For EC2 only!</p> <p>Hetzner is much more affordable. A standard AmpereOne VM, with backups, a public IP, and 80GB of SSD, was about $7 per month. Then I added a 1TB storage box for an additional $3. Based on complex math, my setup was only 10x cheaper than what AWS could provide.</p> <p>Note: We're talking about a constantly running server, without the need for scalability or high availability.</p> <p>Using Hetzner is pretty simple. If you know how to use Terraform and AWS, the German company provider is less complex. For example, spinning up one VM with a public IP address and backup enabled is just:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">hcloud</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hetznercloud/hcloud"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 1.49.1"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"~&gt; 1.9.8"</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"hcloud"</span> <span class="p">{</span> <span class="nx">token</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">hcloud_token</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"hcloud_token"</span> <span class="p">{</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"local_ip"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"79.184.235.150"</span> <span class="c1">#default = "31.61.169.52"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"hcloud_primary_ip"</span> <span class="s2">"box_ip"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"box-ip"</span> <span class="nx">datacenter</span> <span class="p">=</span> <span class="s2">"fsn1-dc14"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ipv4"</span> <span class="nx">assignee_type</span> <span class="p">=</span> <span class="s2">"server"</span> <span class="nx">auto_delete</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"arch"</span> <span class="err">:</span> <span class="s2">"arm64"</span><span class="p">,</span> <span class="s2">"managed_by"</span> <span class="err">:</span> <span class="s2">"terraform"</span><span class="p">,</span> <span class="s2">"env"</span><span class="err">:</span> <span class="s2">"prod"</span><span class="p">,</span> <span class="s2">"location"</span><span class="err">:</span> <span class="s2">"de"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"hcloud_firewall"</span> <span class="s2">"box_fw"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"box-firewall"</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"in"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"22"</span> <span class="nx">source_ips</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">local_ip</span><span class="p">]</span> <span class="p">}</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"arch"</span> <span class="err">:</span> <span class="s2">"arm64"</span><span class="p">,</span> <span class="s2">"managed_by"</span> <span class="err">:</span> <span class="s2">"terraform"</span><span class="p">,</span> <span class="s2">"env"</span><span class="err">:</span> <span class="s2">"prod"</span><span class="p">,</span> <span class="s2">"location"</span><span class="err">:</span> <span class="s2">"de"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"hcloud_server"</span> <span class="s2">"box"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"box"</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"centos-stream-9"</span> <span class="nx">server_type</span> <span class="p">=</span> <span class="s2">"cax21"</span> <span class="nx">datacenter</span> <span class="p">=</span> <span class="s2">"fsn1-dc14"</span> <span class="nx">ssh_keys</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"mbp@home"</span><span class="p">]</span> <span class="nx">backups</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"arch"</span> <span class="err">:</span> <span class="s2">"arm64"</span><span class="p">,</span> <span class="s2">"managed_by"</span> <span class="err">:</span> <span class="s2">"terraform"</span><span class="p">,</span> <span class="s2">"env"</span><span class="err">:</span> <span class="s2">"prod"</span><span class="p">,</span> <span class="s2">"location"</span><span class="err">:</span> <span class="s2">"de"</span> <span class="p">}</span> <span class="nx">public_net</span> <span class="p">{</span> <span class="nx">ipv4_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">ipv4</span> <span class="p">=</span> <span class="nx">hcloud_primary_ip</span><span class="p">.</span><span class="nx">box_ip</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ipv6_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">firewall_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">hcloud_firewall</span><span class="p">.</span><span class="nx">box_fw</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"box_public_ip"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">hcloud_server</span><span class="p">.</span><span class="nx">box</span><span class="p">.</span><span class="nx">ipv4_address</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ssh_box"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"ssh -i ~/.ssh/id_ed25519_local root@${hcloud_server.box.ipv4_address}"</span> <span class="p">}</span> </code></pre> </div> <p>Then we can execute our code with a simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply <span class="nt">-var</span><span class="o">=</span><span class="s2">"local_ip=</span><span class="si">$(</span>curl <span class="nt">-s</span> ifconfig.me<span class="si">)</span><span class="s2">"</span> </code></pre> </div> <p>To list accessible images, use hcloud image list.</p> <p>So, when we have our CentOS box, let's install some baseline packages there.</p> <h2> Ansible </h2> <p>The standard tool for this will be Ansible - a simple, stable, and solid product. 100% open source. For setting up my server, I decided to write a custom role. The structure of my role's task folder is simple but, in my opinion, requires some explanation.</p> <p>Tasks's name started with 01 and 02 are core services.<br> Tasks's name started with 03 are responsible for packages.<br> Tasks's name started with 1 are application services.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tasks ├── 010_shost.yml ├── 020_ssh.yml ├── 030_packages.yml ├── 035_tailscale.yml ├── 036_storagebox.yml ├── 100_containers.yml ├── 101_linkwarden.yml ├── 102_miniflux.yml ├── 103_umami.yml ├── 104_internal.yml ├── 105_immich.yml ├── 106_jellyfin.yml └── main.yml </code></pre> </div> <p><code>main.yml</code> is a role control point; I have tags here and custom </p> <p>logic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># tasks file for roles/hetzner</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Ensure that shost exists, it's a main user, and root cannot access the server</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">baseline</span> <span class="na">ansible.builtin.import_tasks</span><span class="pi">:</span> <span class="na">file</span><span class="pi">:</span> <span class="s">010_shost.yaml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Ensure that ssh config is correct</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">baseline</span> <span class="na">ansible.builtin.import_tasks</span><span class="pi">:</span> <span class="na">file</span><span class="pi">:</span> <span class="s">020_ssh.yaml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Ensure that needed packages are installed</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">packages</span> <span class="na">ansible.builtin.import_tasks</span><span class="pi">:</span> <span class="na">file</span><span class="pi">:</span> <span class="s">030_packages.yaml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Ensure that Tailscale is installed if needed</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">vpn</span> <span class="na">ansible.builtin.import_tasks</span><span class="pi">:</span> <span class="na">file</span><span class="pi">:</span> <span class="s">035_tailscale.yaml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Ensure that StorageBox was attached</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">storage</span> <span class="na">when</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">hetzner_storagebox_enabled</span> <span class="na">ansible.builtin.import_tasks</span><span class="pi">:</span> <span class="na">file</span><span class="pi">:</span> <span class="s">036_storagebox.yaml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Ensure that containers have latest configuration</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">never</span> <span class="pi">-</span> <span class="s">containers</span> <span class="na">ansible.builtin.import_tasks</span><span class="pi">:</span> <span class="na">file</span><span class="pi">:</span> <span class="s">100_containers.yaml</span> </code></pre> </div> <p>Then, every new application has a dedicated playbook, which will look like <code>101_linkwarden.yml</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Supply system with Linkwarden network configuration</span> <span class="na">notify</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Restart Linkwarden</span> <span class="na">ansible.builtin.template</span><span class="pi">:</span> <span class="na">src</span><span class="pi">:</span> <span class="s">linkwarden.network.j2</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">/home/shost/.config/containers/systemd/linkwarden.network</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0700'</span> <span class="na">owner</span><span class="pi">:</span> <span class="s">shost</span> <span class="na">group</span><span class="pi">:</span> <span class="s">shost</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Supply system with Linkwarden service</span> <span class="na">notify</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Restart Linkwarden</span> <span class="na">ansible.builtin.template</span><span class="pi">:</span> <span class="na">src</span><span class="pi">:</span> <span class="s">linkwarden.service.j2</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">/home/shost/.config/systemd/user/linkwarden.service</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0700'</span> <span class="na">owner</span><span class="pi">:</span> <span class="s">shost</span> <span class="na">group</span><span class="pi">:</span> <span class="s">shost</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Supply system with Linkwarden Postgresq config</span> <span class="na">notify</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Restart Linkwarden</span> <span class="na">ansible.builtin.template</span><span class="pi">:</span> <span class="na">src</span><span class="pi">:</span> <span class="s">linkwarden-postgresql.container.j2</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">/home/shost/.config/containers/systemd/linkwarden-postgresql.container</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0700'</span> <span class="na">owner</span><span class="pi">:</span> <span class="s">shost</span> <span class="na">group</span><span class="pi">:</span> <span class="s">shost</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Supply system with Linkwarden server</span> <span class="na">notify</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Restart Linkwarden</span> <span class="na">ansible.builtin.template</span><span class="pi">:</span> <span class="na">src</span><span class="pi">:</span> <span class="s">linkwarden-app.container.j2</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">/home/shost/.config/containers/systemd/linkwarden-app.container</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0700'</span> <span class="na">owner</span><span class="pi">:</span> <span class="s">shost</span> <span class="na">group</span><span class="pi">:</span> <span class="s">shost</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Supply system with Linkwarden Tunnel</span> <span class="na">notify</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Restart Linkwarden</span> <span class="na">ansible.builtin.template</span><span class="pi">:</span> <span class="na">src</span><span class="pi">:</span> <span class="s">linkwarden-tunnel.container.j2</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">/home/shost/.config/containers/systemd/linkwarden-tunnel.container</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0700'</span> <span class="na">owner</span><span class="pi">:</span> <span class="s">shost</span> <span class="na">group</span><span class="pi">:</span> <span class="s">shost</span> </code></pre> </div> <p>You may be wondering why I'm not using docker-compose and have a lot of systemd services instead. Let me explain it.</p> <h2> Podman </h2> <p>By default, Podman supports rootless containers. What does it mean? Basically, you don't need to be root or a member of the docker group to run the container. All the magic happens inside the user namespace and only has access to the user's data. As an extra feature, we have SELinux context on files as another security layer. However, as good as the community.docker.docker_compose_v2 module is, there is no Podman equivalent. Folks responsible for the project are saying that you should use quadlets, not composes. WTF are quadlets? Generally speaking, they are systemd services that live in a user namespace and orchestrate Podman containers. Unfortunately, one by one. Wait, what? Yes, the user needs to write a new service per container, and network, and service dependencies. Sounds like fun, isn't it?</p> <p>There is a project on the internet that allows you to convert your docker-compose directly into quadlets. However, I will show you my systemd services, which could be helpful.</p> <ul> <li> <code>linkwarden.service.j2</code> is a dummy service that allows me to control the whole application with one service. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[Unit]</span> <span class="py">Description</span><span class="p">=</span><span class="err">Linkwarden</span> <span class="nn">[Service]</span> <span class="py">Type</span><span class="p">=</span><span class="err">oneshot</span> <span class="py">ExecStart</span><span class="p">=</span><span class="err">/bin/</span><span class="kc">true</span> <span class="py">RemainAfterExit</span><span class="p">=</span><span class="err">yes</span> <span class="nn">[Install]</span> <span class="py">WantedBy</span><span class="p">=</span><span class="err">basic.target</span> </code></pre> </div> <ul> <li> <code>linkwarden.network.j2</code> is a simple definition of my separated network, only for this particular app. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[Unit]</span> <span class="py">Description</span><span class="p">=</span><span class="err">Linkwarden</span> <span class="err">-</span> <span class="err">Network</span> <span class="py">PartOf</span><span class="p">=</span><span class="err">linkwarden.service</span> <span class="nn">[Network]</span> </code></pre> </div> <ul> <li> <code>linkwarden-app.container.j2</code> is the main service for my app. As I'm using Ansible and Jinja2, avoiding hardcoded credentials is easy (use sops). </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[Unit]</span> <span class="py">Description</span><span class="p">=</span><span class="err">Linkwarden</span> <span class="err">-</span> <span class="err">Server</span> <span class="py">PartOf</span><span class="p">=</span><span class="err">linkwarden.service</span> <span class="py">After</span><span class="p">=</span><span class="err">linkwarden.service</span> <span class="py">After</span><span class="p">=</span><span class="err">linkwarden-network.service</span> <span class="py">After</span><span class="p">=</span><span class="err">linkwarden-postgresql.service</span> <span class="nn">[Container]</span> <span class="py">Image</span><span class="p">=</span><span class="err">ghcr.io/linkwarden/linkwarden:v{{</span> <span class="err">hetzner_linkwarden_app_version</span> <span class="err">}}</span> <span class="py">ContainerName</span><span class="p">=</span><span class="err">linkwarden-app</span> <span class="py">Network</span><span class="p">=</span><span class="err">systemd-linkwarden</span> <span class="py">Volume</span><span class="p">=</span><span class="err">linkwarden-data:/data/data</span> <span class="py">LogDriver</span><span class="p">=</span><span class="err">journald</span> <span class="py">Environment="DATABASE_URL</span><span class="p">=</span><span class="err">postgresql://postgres:{{</span> <span class="err">linkwarden_postgresql_password</span> <span class="err">}}@linkwarden-postgresql:</span><span class="mi">5432</span><span class="err">/postgres</span><span class="s">"</span><span class="err"> </span><span class="py">Environment=NEXTAUTH_SECRET</span><span class="o">=</span><span class="p">{</span><span class="err">{</span> <span class="err">linkwarden_next_auth_secret</span> <span class="p">}</span><span class="err">}</span> <span class="py">Environment=NEXTAUTH_URL</span><span class="p">=</span><span class="err">http://localhost:</span><span class="mi">3000</span><span class="err">/api/v</span><span class="mi">1</span><span class="err">/auth</span> <span class="py">Environment=NEXT_PUBLIC_DISABLE_REGISTRATION</span><span class="p">=</span><span class="kc">true</span> <span class="nn">[Service]</span> <span class="py">Restart</span><span class="p">=</span><span class="err">always</span> <span class="nn">[Install]</span> <span class="py">WantedBy</span><span class="p">=</span><span class="err">linkwarden.service</span> </code></pre> </div> <p>As you may have noticed, specifying the volume is very straightforward. The usage of After/PartOf is needed, and what is tricky is that the whole image path is required, as Podman could have issues finding images like linkwarden/linkwarden.</p> <ul> <li> <code>linkwarden-postgresql.container.j2</code> - database service </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[Unit]</span> <span class="py">Description</span><span class="p">=</span><span class="err">Linkwarden</span> <span class="err">-</span> <span class="err">Postgresql</span> <span class="py">PartOf</span><span class="p">=</span><span class="err">linkwarden.service</span> <span class="py">After</span><span class="p">=</span><span class="err">linkwarden.service</span> <span class="py">After</span><span class="p">=</span><span class="err">linkwarden-network.service</span> <span class="nn">[Container]</span> <span class="py">Image</span><span class="p">=</span><span class="err">docker.io/library/postgres:</span><span class="mi">16</span><span class="err">-alpine</span> <span class="py">ContainerName</span><span class="p">=</span><span class="err">linkwarden-postgresql</span> <span class="py">Network</span><span class="p">=</span><span class="err">systemd-linkwarden</span> <span class="py">Volume</span><span class="p">=</span><span class="err">linkwarden-postgresql:/var/lib/postgresql/data</span> <span class="py">LogDriver</span><span class="p">=</span><span class="err">journald</span> <span class="py">Environment="POSTGRES_PASSWORD</span><span class="o">=</span><span class="p">{</span><span class="err">{</span> <span class="err">linkwarden_postgresql_password</span> <span class="p">}</span><span class="err">}"</span> <span class="nn">[Service]</span> <span class="py">Restart</span><span class="p">=</span><span class="err">always</span> <span class="nn">[Install]</span> <span class="py">WantedBy</span><span class="p">=</span><span class="err">linkwarden.service</span> <span class="err">linkwarden-tunnel.container.j2</span> <span class="err">-</span> <span class="err">Cloudflare</span> <span class="err">tunnels</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[Unit]</span> <span class="py">Description</span><span class="p">=</span><span class="err">Linkwarden</span> <span class="err">-</span> <span class="err">Server</span> <span class="py">PartOf</span><span class="p">=</span><span class="err">linkwarden.service</span> <span class="py">After</span><span class="p">=</span><span class="err">linkwarden.service</span> <span class="py">After</span><span class="p">=</span><span class="err">linkwarden-postgresql.service</span> <span class="py">After</span><span class="p">=</span><span class="err">linkwarden-network.service</span> <span class="py">Requires</span><span class="p">=</span><span class="err">linkwarden-app.service</span> <span class="nn">[Container]</span> <span class="py">ContainerName</span><span class="p">=</span><span class="err">linkwarden-tunnel</span> <span class="py">Exec</span><span class="p">=</span><span class="err">tunnel</span> <span class="err">--no-autoupdate</span> <span class="err">run</span> <span class="py">Image</span><span class="p">=</span><span class="err">docker.io/cloudflare/cloudflared:{{</span> <span class="err">hetzner_tunnel_version</span> <span class="err">}}</span> <span class="py">Network</span><span class="p">=</span><span class="err">systemd-linkwarden</span> <span class="py">Volume</span><span class="p">=</span><span class="err">linkwarden-tunnel:/etc/cloudflared</span> <span class="py">LogDriver</span><span class="p">=</span><span class="err">journald</span> <span class="py">Environment="TUNNEL_TOKEN</span><span class="o">=</span><span class="p">{</span><span class="err">{</span> <span class="err">linkwarden_tunnel_token</span> <span class="p">}</span><span class="err">}"</span> <span class="nn">[Service]</span> <span class="py">Restart</span><span class="p">=</span><span class="err">always</span> <span class="nn">[Install]</span> <span class="py">WantedBy</span><span class="p">=</span><span class="err">linkwarden.service</span> </code></pre> </div> <p>I like the idea of tunnels, even if all of them are commercial software. They allow me to expose my service to the internet without needing to set up NGINX or Caddy, and more importantly, hardening them.</p> <h2> Summary </h2> <p>So far so good. The solution seems complex, but after the initial setup, it is very secure and stable. The regular path of upgrading my services is changing the version of the images I'm using in the <code>group_vars</code> file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>diff <span class="nt">--git</span> a/apps.yaml b/apps.yaml <span class="go">index 63b65b2..e08c7a3 100644 --- a/apps.yaml +++ b/apps.yaml @@ -1 +1 @@ -hetzner_linkwarden_app_version: 2.8.3 +hetzner_linkwarden_app_version: 2.9.3 </span></code></pre> </div> <p>Then just running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>ansible-playbook <span class="se">\</span> selfhost-hetzner.yaml <span class="se">\</span> <span class="nt">--tags</span> containers <span class="nt">-u</span> shost </code></pre> </div> <p>That's it. What am I thinking after 4 months of using Hetzner in production? I'm very happy with them. The price is unbeatable, it's stable, and the user experience is very high level. For a project like this one, I can't recommend it more.</p> <p>Ah, a few words about the AmpereOne CPUs. For the services I'm using, there is no problem with using ARM64 binaries.</p> <ul> <li>Miniflux</li> <li>Jellyfin</li> <li>Immich</li> <li>Linkwarden</li> <li>N8N</li> <li>Caddy</li> <li>Actual-budget</li> <li>uptime-kuma</li> <li>ghost</li> </ul> <p>All of them are running very well on an ARM64 CPU, 4 CPU cores and 8GB of RAM to be precise. This is probably due to the popularity of Raspberry Pi in the self-hosting landscape. So yes, if you have a chance to use ARM CPUs, let's give them a spin. It will be cheaper, probably more efficient, and you could give yourself an ‘innovative soul’ award.</p> selfhosting podman ansible OneDev on ECS - How to host your own instance of OneDev on AWS Jakub Wołynko Mon, 16 Sep 2024 06:00:00 +0000 https://dev.to/aws-builders/onedev-on-ecs-how-to-host-your-own-instance-of-onedev-on-aws-3h7j https://dev.to/aws-builders/onedev-on-ecs-how-to-host-your-own-instance-of-onedev-on-aws-3h7j <h2> Welcome </h2> <p>At the beginning of September, I saw a post from Johannes Koch about [self-hosting CodeCommit alternative (<a href="https://lockhead.info/index.php/2024/09/03/a-self-hosted-codecommit-alternative/" rel="noopener noreferrer">https://lockhead.info/index.php/2024/09/03/a-self-hosted-codecommit-alternative/</a>). Then I realised, that I'm using my home, not such a popular, but very nice and solid git repository system. To be more precise, much more than a git server. Let's welcome <a href="https://onedev.io/" rel="noopener noreferrer">OneDev</a>.</p> <blockquote> <p>Git server with CI/CD, kanban, and packages.</p> </blockquote> <p>They also support repo tags, and groups like GitLab.<br> The project is also very resource-friendly, and I've been using it for a while on my home server.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frjugj36ta8o3z7rlflf7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frjugj36ta8o3z7rlflf7.png" alt="OneDev ovierview" width="800" height="352"></a></p> <p>And to be honest no issues so far, however, I store only code there. I don't have an opinion about package registry, CICD, and Kanban, but if you need it, try it!</p> <p>Also if you're thinking about hosting on AWS apps that you’re using, instead of using regular units under the desk because of the cost of energy in your current location is very high, or you are just not sure if the hobby is fits your personality. This blog is a great place to be, as I'm starting "self-host on AWS” series.</p> <h2> Why host a git server on your own? </h2> <p>The main point here is privacy. Sometimes laziness as well.<br> Let's imagine the situation when you push accidentally AWS keys into the repository or SSH key. If you’re using GitHub, after a while you will get a notification that one of your repositories contains a secret, so you should change it immediately (don't ask me how I know this). There is always a change, the someone already<br> started using it, so your AWS bills are going higher with every second. If it is a private internal git server, nobody cares, as you trust your coworkers, right? Nobody will judge your code, even if you're using, <code>&lt;put random JS framework name here&gt;</code>.<br> However, the real reason is code ownership. Some organisations would like to fully own their code, or at least host it in Europe. Now we, how to answer the <code>why</code> question. Let's now focus on the <code>how</code> question.</p> <h2> Implementation </h2> <p>As I already said, the initial point of implementation was my docker-compose file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">name</span><span class="pi">:</span> <span class="s">onedev</span> <span class="nn">---</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">data</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">onedev_data</span> <span class="nn">---</span> <span class="na">services</span><span class="pi">:</span> <span class="na">onedev</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">1dev/server:11.0.9</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">onedev</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/var/run/docker.sock:/var/run/docker.sock</span> <span class="pi">-</span> <span class="s">data:/opt/onedev</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">6610:6610</span> <span class="pi">-</span> <span class="s">6611:6611</span> </code></pre> </div> <p>On top of it, I have Caddy reverse proxy config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ log default { output stdout format json exclude http.handlers.reverse_proxy } } *.pinkwall.cc { tls { dns cloudflare M8zaR6d1la_SI1vggnrnl3-Fhfa11359bnn31 } @git host git.pinkwall.cc handle @git { reverse_proxy 100.16.152.33:6610 } } </code></pre> </div> <p>An SSH config, as Caddy, can't reverse proxy SSH.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git.pinkwall.cc PreferredAuthentications publickey IdentitiesOnly=yes IdentityFile ~/.ssh/id_ed25519_local User 3sky Port 6611 </code></pre> </div> <p>So when I started thinking about the AWS-based design, I created a<br> diagram, initially on paper, but the digital one looks pro.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx1z8o3lkxun9830965s9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx1z8o3lkxun9830965s9.png" alt="AWS Arch HLD" width="800" height="610"></a></p> <ol> <li>As you can see, I'm using NLB, that's due to the fact, that I wanted to operate on layer 4 (TCP), not L7 (HTTP). Why? Because using git over ssh is way more smoother.</li> <li>EFS as persistent storage. As we need to store our data, right?</li> <li>EFS access points have root permission, inside the volume, that is because OneDev expects it.</li> <li>ECS with Fargate, to make it cost efficient as possible.</li> <li>We're using standard 2-tier subnet architecture with small CIDR ranges. <ul> <li>We're not interested in having ECS Cluster exposed directly to the Internet.</li> <li>We do not expect more apps in the subnets, for now.</li> </ul> </li> </ol> <h2> Actual implementation </h2> <p>Code can be find on <a href="https://github.com/3sky/onedev-on-ecs" rel="noopener noreferrer">GitHub</a>, what a plot twist, isn’t it?</p> <p>As in most of my implementation, I'm using AWS CDK, Typescript, and Projen. Below I will try to show the most crucial part of this implementation, as the whole file has 199 lines.</p> <h3> Constants </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">let</span> <span class="nx">CUSTOM_IMAGE</span><span class="p">:</span> <span class="kr">string</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">1dev/server:11.0.9</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">DOMAIN_NAME</span><span class="p">:</span> <span class="kr">string</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">3sky.in</span><span class="dl">'</span><span class="p">;</span> </code></pre> </div> <p>I'm using two hardcoded values (3, if counting the CIDR range). As you can read <code>CUSTOM_IMAGE</code> is an image for our ECS Task, and <code>DOMAIN_NAME</code> is our only prerequisite. I strongly recommend having a domain name on AWS, if you're like me, <a href="https://blog.3sky.dev/article/202406-cheap-tld/" rel="noopener noreferrer">here</a> you can find tips, about setting it up with a small budget. Of course, the external domain is supported as well, but it requires a bit more work and changes in code.</p> <h3> Security groups </h3> <p>Then we have security groups, which is quite important right? Let's use minimal set of open needed traffic, as it's good practice.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">nlbSecurityGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ALBSecurityGroup</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Allow HTTPS traffic to ALB</span><span class="dl">'</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">nlbSecurityGroup</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">anyIpv4</span><span class="p">(),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">443</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allow HTTPS traffic from anywhere</span><span class="dl">'</span><span class="p">);</span> <span class="nx">nlbSecurityGroup</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">anyIpv4</span><span class="p">(),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">22</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allow SSH traffic from anywhere</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">privateSecurityGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PrivateSG</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Allow access from NLB</span><span class="dl">'</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">privateSecurityGroup</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span><span class="nx">nlbSecurityGroup</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">6610</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allow traffic for HTTP to app</span><span class="dl">'</span><span class="p">);</span> <span class="nx">privateSecurityGroup</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span><span class="nx">nlbSecurityGroup</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">6611</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allow traffic for SSH to app</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">efsSecurityGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EfsSG</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Allow access from cluster</span><span class="dl">'</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">efsSecurityGroup</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span><span class="nx">privateSecurityGroup</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">2049</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allow traffic to EFS from ECS cluster</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p>As you can see, we have 3 SGs. One is attached to NLB, the second for our ECS Cluster, and the last one<br> for EFS service.</p> <h3> EFS </h3> <p>Now let's configure EFS, as it's a <code>new</code> service. At least on this blog. So we need a few things.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">fileSystem</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">efs</span><span class="p">.</span><span class="nc">FileSystem</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EfsFilesystem</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span><span class="nx">vpc</span><span class="p">,</span> <span class="na">securityGroup</span><span class="p">:</span> <span class="nx">efsSecurityGroup</span><span class="p">});</span> <span class="kd">var</span> <span class="nx">accessPoint</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">efs</span><span class="p">.</span><span class="nc">AccessPoint</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VolumeAccessPoint</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">fileSystem</span><span class="p">:</span> <span class="nx">fileSystem</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/opt/onedev</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// app is running as root</span> <span class="na">createAcl</span><span class="p">:</span> <span class="p">{</span> <span class="na">ownerGid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0</span><span class="dl">'</span><span class="p">,</span> <span class="na">ownerUid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0</span><span class="dl">'</span><span class="p">,</span> <span class="na">permissions</span><span class="p">:</span> <span class="dl">'</span><span class="s1">755</span><span class="dl">'</span> <span class="p">},</span> <span class="na">posixUser</span><span class="p">:</span> <span class="p">{</span> <span class="na">uid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0</span><span class="dl">'</span><span class="p">,</span> <span class="na">gid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">volume</span> <span class="o">=</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">volume</span><span class="dl">'</span><span class="p">,</span> <span class="na">efsVolumeConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">authorizationConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">accessPointId</span><span class="p">:</span> <span class="nx">accessPoint</span><span class="p">.</span><span class="nx">accessPointId</span><span class="p">,</span> <span class="na">iam</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ENABLED</span><span class="dl">'</span> <span class="p">},</span> <span class="na">fileSystemId</span><span class="p">:</span> <span class="nx">fileSystem</span><span class="p">.</span><span class="nx">fileSystemId</span><span class="p">,</span> <span class="na">transitEncryption</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ENABLED</span><span class="dl">'</span> <span class="p">}</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">ecsTaskDefinition</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ecs</span><span class="p">.</span><span class="nc">FargateTaskDefinition</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TaskDefinition</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">memoryLimitMiB</span><span class="p">:</span> <span class="mi">2048</span><span class="p">,</span> <span class="na">cpu</span><span class="p">:</span> <span class="mi">1024</span><span class="p">,</span> <span class="na">runtimePlatform</span><span class="p">:</span> <span class="p">{</span> <span class="na">operatingSystemFamily</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">OperatingSystemFamily</span><span class="p">.</span><span class="nx">LINUX</span><span class="p">,</span> <span class="na">cpuArchitecture</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">CpuArchitecture</span><span class="p">.</span><span class="nx">X86_64</span> <span class="p">},</span> <span class="na">volumes</span><span class="p">:</span> <span class="p">[</span><span class="nx">volume</span><span class="p">]</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">container</span> <span class="o">=</span> <span class="nx">ecsTaskDefinition</span><span class="p">.</span><span class="nf">addContainer</span><span class="p">(</span><span class="dl">'</span><span class="s1">onedev</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">image</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">ContainerImage</span><span class="p">.</span><span class="nf">fromRegistry</span><span class="p">(</span><span class="nx">CUSTOM_IMAGE</span><span class="p">),</span> <span class="na">portMappings</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">containerPort</span><span class="p">:</span> <span class="mi">6610</span><span class="p">,</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">Protocol</span><span class="p">.</span><span class="nx">TCP</span> <span class="p">},</span> <span class="p">{</span> <span class="na">containerPort</span><span class="p">:</span> <span class="mi">6611</span><span class="p">,</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">Protocol</span><span class="p">.</span><span class="nx">TCP</span> <span class="p">}</span> <span class="p">],</span> <span class="na">logging</span><span class="p">:</span> <span class="k">new</span> <span class="nx">ecs</span><span class="p">.</span><span class="nc">AwsLogDriver</span><span class="p">(</span> <span class="p">{</span><span class="na">streamPrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">onedev</span><span class="dl">'</span><span class="p">}</span> <span class="p">)</span> <span class="p">});</span> <span class="nx">container</span><span class="p">.</span><span class="nf">addMountPoints</span><span class="p">({</span><span class="na">readOnly</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">containerPath</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/opt/onedev</span><span class="dl">'</span><span class="p">,</span> <span class="na">sourceVolume</span><span class="p">:</span> <span class="nx">volume</span><span class="p">.</span><span class="nx">name</span><span class="p">});</span> </code></pre> </div> <p>First, a file system is attached to the VPC and security group. Then, we can see the access option. So, basically a way of accessing our storage. Please take a look at the <code>createAcl</code> and <code>posixUser</code> methods, as both of them are responsible for our storage security. However in the case of OneDev, we need to<br> be a root, so… yes, it could be better. At the end, we have <code>volume</code> which is just a JS object here, as code construction is rather unexpected. Then, we're adding volume to our task definition, not to cluster itself! Lastly, we're adding a container to our task, and attaching mount point to our container. Not such complex, right?</p> <h3> Listeners </h3> <p>In the end, we need to specify listeners and targets. In general, it's rather simple port mapping, however, please take a look at protocols settings. Only the listener on port 443 should use the certificate and <code>TLS</code> as protocol. The rest of the objects should use plain TCP. If we decided to attach a certificate to our listener on port 22, ssh will be unable to connect the service.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">listener443</span> <span class="o">=</span> <span class="nx">nlb</span><span class="p">.</span><span class="nf">addListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">Listener443</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">443</span><span class="p">,</span> <span class="na">certificates</span><span class="p">:</span> <span class="p">[</span><span class="nx">nlbcert</span><span class="p">],</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">elbv2</span><span class="p">.</span><span class="nx">Protocol</span><span class="p">.</span><span class="nx">TLS</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">listener22</span> <span class="o">=</span> <span class="nx">nlb</span><span class="p">.</span><span class="nf">addListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">Listener22</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">22</span><span class="p">,</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">elbv2</span><span class="p">.</span><span class="nx">Protocol</span><span class="p">.</span><span class="nx">TCP</span> <span class="p">});</span> <span class="nx">listener22</span><span class="p">.</span><span class="nf">addTargets</span><span class="p">(</span><span class="dl">'</span><span class="s1">ECS-22</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">6611</span><span class="p">,</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">elbv2</span><span class="p">.</span><span class="nx">Protocol</span><span class="p">.</span><span class="nx">TCP</span><span class="p">,</span> <span class="na">targets</span><span class="p">:</span> <span class="p">[</span><span class="nx">ecsService</span><span class="p">]</span> <span class="p">});</span> <span class="nx">listener443</span><span class="p">.</span><span class="nf">addTargets</span><span class="p">(</span><span class="dl">'</span><span class="s1">ECS-443</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">6610</span><span class="p">,</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">elbv2</span><span class="p">.</span><span class="nx">Protocol</span><span class="p">.</span><span class="nx">TCP</span><span class="p">,</span> <span class="na">targets</span><span class="p">:</span> <span class="p">[</span><span class="nx">ecsService</span><span class="p">]</span> <span class="p">});</span> </code></pre> </div> <h3> Local ssh </h3> <p>That allows us to use a very simple SSH config.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Host git.3sky.in PreferredAuthentications publickey IdentitiesOnly=yes IdentityFile ~/.ssh/id_rsa User kuba </code></pre> </div> <p>This part is important. The wrong user or IdentityFile, inhered from <code>git config —global</code>, could mess with your <code>git clone</code> command. So as long as you're not using the same user and SSH key pair, please remember about <code>.ssh/config</code> file.</p> <h2> Summary </h2> <p>Nice, now you can host your code on ECS with limited spending. OneDev seems to be a very solid solution, and because it's one container only, it's very easy to manage. In case of backup it's EFS, so we backup it and restore it without issues.<br> What about spending? Not sure yet, it will require some real-life testing. Based only on vCPU and RAM usage for one month, the cost could be around 35$.</p> selfhosting aws git Information flow - how I capture the notes Jakub Wołynko Mon, 26 Aug 2024 11:52:16 +0000 https://dev.to/aws-builders/information-flow-how-i-capture-the-notes-9oi https://dev.to/aws-builders/information-flow-how-i-capture-the-notes-9oi <h2> Welcome </h2> <p>This post will be different, than usual. It will be soft, flexible, and with late summer vibes. Please stop coding, deploying, or whatever is important you're doing. That will be the most helpful post you will read today! Let's talk about being old, or more correctly about seniority. What will distinguish you as a person with 10 years of experience in your job with newcomers with 6 months? Probably first things that will come to your mind will be:</p> <ul> <li>coding style</li> <li>knowing framework or technologies</li> <li>understanding domain or context(as long as you work for the same company)</li> </ul> <p>And that's it. Which for sure it's true. The thing is that most of those items people are able to master in 2-3 years. Also, when you've been working with technology <em>X</em>, for 3 years, probably you don't remember the tech stack of projects from the beginning of your journal. Unfortunately, that is our(old people's) power - general experience, and specific knowledge. That is why today we will focus on capturing notes and, most importantly using them.</p> <h2> My story with second brain </h2> <p>When I started consulting business (end of 2020), I relied that a lot of my knowledge from previous assignments was gone. Even if I build some <em>hacky</em> Jenkins script, great, slim, and unbelievably readable Ansible playbook, or super SQL query, I can't even look at it. Besides the fact, that it was stored in some corp internal documentation system or git repository. I don't have access to it anymore, and it's not about copyright issues or company-specific things. The general solution could be safely reused, at least in my case. That is why I started looking into the best note-taking app. Which was a wrong idea, and I explain it later. Now, let's talk about available solutions. In order of my story.</p> <h3> Notion </h3> <p><a href="https://www.notion.so/" rel="noopener noreferrer">Notion</a>, <strong>free</strong> for one-person team. Currently, probably the most popular application on the whole internet. You can do everything with it. Build a CRM, take notes, and store rows, as you can do with <a href="https://github.com/nocodb/nocodb" rel="noopener noreferrer">nocodb</a>. Awesome Swiss-army knife, with a web app,<br> and native clients (officially Mac and Windows). Unfortunately, in those days no offline mode, and privacy concerns, and everything was stored on Notion's side. Bessie last thing, why did I leave it?</p> <ul> <li>way too many features I don’t need</li> <li>most of the features aren't platform agnostic, even If I can export to Markdown, without databases it becomes useless</li> <li>lack of full control over my files</li> </ul> <h3> Org-mode </h3> <p><a href="https://orgmode.org/" rel="noopener noreferrer">orgmode</a> seems to be a big change after using Notion. However, I fell in love with Emacs, so I wanted to use all the best things. It was easy to set up org-agenda, org-roam, etc. Unfortunately, after a while, I noticed that using a non-standard system(not Markdown) could impact my note-sharing capabilities, as well my <em>work</em> docs were mostly built with Markdown. So, a note system that uses Markdown. Also, I switched to VIM :)</p> <h3> Obsidian </h3> <p><a href="https://obsidian.md/" rel="noopener noreferrer">Obsidian</a>, <strong>free</strong> for personal use, however <a href="https://obsidian.md/sync" rel="noopener noreferrer">Sync</a> is paid service.<br> Obsidian is the holly grail of all second brain builders and home of <a href="https://en.wikipedia.org/wiki/Personal_knowledge_management" rel="noopener noreferrer">PKM</a>,<br> <a href="https://en.wikipedia.org/wiki/Zettelkasten" rel="noopener noreferrer">Zettelkasten</a> or many other methods lovers. Personally, during the first time, I went too deep into this solution. I tried many plugins, and added workflow, task and project management, presentations, and diagrams, without the correct directory structure and idea. Also, I was struggling with the setting of the Syncing solution, as git crashed from time to time and iCloud worked fine as long as I was using one machine. So switch. Reasons were:</p> <ul> <li>to a complex system, unstructured and messy as with great power comes great responsibility</li> <li>issues with syncing</li> </ul> <h3> Logseq </h3> <p><a href="https://logseq.com/" rel="noopener noreferrer">logseq</a> fully free and open-source Obsidan-like tool with fewer plugins, however, it also gives you a chance to complex everything a lot. I have been using it for less than a year, however at some point, I noticed that I'm writing longer<br> forms in Obsidian, and daily notes in Logseq. Why? Due Logseq design. It starts everything as a new point<br> with <code>-</code>, even if it's a standard Markdown. We’re starting everything at a new point. Issues?</p> <ul> <li>not fully clean Markdown, the <code>text mode</code> isn’t suitable for my needs</li> <li>not such popular as Obsidian = fewer plugins</li> </ul> <h3> Joplin </h3> <p><a href="https://joplinapp.org/" rel="noopener noreferrer">Joplin</a> open-source tool, with paid Sync service. However, it supports WebDav sync. As a user of <a href="https://www.fastmail.com/" rel="noopener noreferrer">Fastmail</a> have a lot lot of storage for it. Those parts work great, links, complexity level, and clear Markdown. Themes, mobile app, tags, everything I needed was there. Unfortunately, again, for short notes, my go-to app becomes <a href="https://www.usememos.com/" rel="noopener noreferrer">memos</a>, for long-form <a href="https://www.bookstackapp.com/" rel="noopener noreferrer">BookStack</a>, seems to be the best solution. Why? Firstly my love for self-hosted solutions boomed, also Joplin even if looks perfect for my use case was some reason hard to describe and did not encourage me to write. Soo.. I back to Obsidian.</p> <h3> Obsidian again </h3> <p>So why Obsidian at the end? The flexibility. This tool can be as simple as I need. My current structure is very clean, with the usage of only 6 plugins:</p> <ul> <li>Calendar</li> <li>Checklist</li> <li>Excalidraw</li> <li>Minimal Theme Settings</li> <li>QuickAdd</li> <li>Self-hosted LiveSync</li> </ul> <p>File backup is done via my regular NAS backup task, and between-device sync is done via self-hosted <a href="https://github.com/vrtmrz/obsidian-livesync" rel="noopener noreferrer">obsidian-livesync</a>.</p> <h3> Honourable mention </h3> <p>Tools used for a short period, but for various reasons do not fit my workflow.</p> <ul> <li> <a href="https://www.usememos.com/" rel="noopener noreferrer">memos</a> - great self-hosted app, but it's a more private social-media platform, than, a note-taking tool. Also, it doesn’t work offline.</li> <li> <a href="https://anytype.io/" rel="noopener noreferrer">anytype</a> - looks like a great Notion alternative, however too complex for me. I need a simple tool.</li> <li> <a href="https://www.zettlr.com/" rel="noopener noreferrer">zettlr</a> - great for long form, but missing some daily use functions.</li> <li> <a href="https://github.com/TriliumNext/Notes" rel="noopener noreferrer">trilium</a> - not sure, about the project's future.</li> <li> <a href="https://github.com/siyuan-note/siyuan" rel="noopener noreferrer">siyuan</a> - a bit too early stage for me.</li> <li> <a href="https://noteplan.co/" rel="noopener noreferrer">Noteplan</a> and <a href="https://www.get-plume.com/" rel="noopener noreferrer">Plume</a> - not a Markdown, more Apple notes competitors.</li> </ul> <h2> Current setup </h2> <p>After 4 years of trying and experimenting, I created a diagram of tools I'm using in the area of knowledge management.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgoikf4e2kgv2bw1l7mcp.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgoikf4e2kgv2bw1l7mcp.png" alt="Tools I'm using"></a></p> <p>So how it works you can ask?</p> <ul> <li>First I don't use mobile apps like Obsidian on my phone. I only have Apple Notes for handling ideas and capturing the best quotes from the books I'm reading. Then, day after day, I'm putting it into Obsidian.</li> <li>Then, I have a pocket notebook, with a special note-taking method. It's for the collection of all ideas, During work, or regular life. It's like a life log.</li> <li>At the end, I have my Obsidian Vault, for storing everything else, excluding blog posts.</li> <li>For blog posts, I'm using <a href="https://github.com/MarkEdit-app/MarkEdit" rel="noopener noreferrer">MarkEdit</a> </li> </ul> <p>What does the process look like?</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpoazk4og0j9qg8ge5f2x.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpoazk4og0j9qg8ge5f2x.png" alt="Note-taking process"></a></p> <p>Then how am I taking the handwriting notes? Based on many years of writing, it's still ugly, and hard to read, however, I'm able to guess most of the things. It looks like that:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjfnk77kcz8fo32u74ymt.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjfnk77kcz8fo32u74ymt.png" alt="Just a note"></a></p> <h2> Summary </h2> <p>The idea behind this post is a bit selfish. I want to back into this in a year and see how it evolves. Now I'm trying to use as less tools and corporate-owned solutions as possible. My goal is to build vendor and internet-independent workflow as possible. All my notes are stored on local NAS, and synced via live sync. Notebooks are stored in a box near my desk. Why? Because based on my experience, changing structures or formats introduces a lot of mess. Some notes are missing, some are duplicated. The tags do not match. Hopefully, now I will be able to stick with my idea and use it efficiently. What does it mean? Just use them, and read from time to time. At the beginning of my journal, I made a lot of notes. Poor quality, not-completed, disconnected, at the end hard to use. Which is a waste of time, if we can’t reuse our knowledge, or we're unable to find what we need.</p> obsidian selfhost notetaking career Meetings on demand(with Jitsi) Jakub Wołynko Fri, 26 Jul 2024 09:15:54 +0000 https://dev.to/aws-builders/meetings-on-demandwith-jitsi-3hcl https://dev.to/aws-builders/meetings-on-demandwith-jitsi-3hcl <h2> Welcome </h2> <p>Yesterday I decided to solve another,<br> probably non-existent problem. So for quite a<br> long time, I was looking for a solution that would allow me<br> to schedule meetings with friends, family, and clients<br> (the custom domain looks very professional). Most of them are paid every month.<br> Which in my case is not a very cost-effective solution,<br> if I have one meeting per month, sometimes two. Also let's assume, that<br> being an AI learning material for Google, or Zoom isn't my dream position.</p> <p>Suddenly, I realized that I could use <a href="https://meet.jit.si/" rel="noopener noreferrer">Jitsi</a>,<br> and then self-host it. The problem was that I was looking for an on-demand solution.<br> So I took the official docker image and rewritten it into ECS, which should just work.</p> <p>Also, I'd like to apologize to everyone, who is waiting for<br> part two of setting up Keycloak, or EDA use cases. Someday<br> I will deliver it, just more time is needed. Additionally, during<br> the last month, I received a lot of emails about challenges related to<br> setting up the best open-source SSO solution on ECS. That means, that my article<br> was needed, and at least few people read it. That's cool!</p> <h2> Jitsi </h2> <p>Ok, so let's start with Jitsi. What is it?</p> <blockquote> <p>Jitsi Meet is a set of Open Source projects<br> which empower users to use and deploy video<br> conferencing platforms with state-of-the-art video quality and features.</p> </blockquote> <p>As you see it's open-source software on <a href="https://github.com/jitsi/jitsi-meet#Apache-2.0-1-ov-file" rel="noopener noreferrer">Apache-2.0</a><br> license.</p> <h2> Services list </h2> <p>As you can see, the post structure is very similar to <a href="https://blog.3sky.dev/article/202407-keycloak-install/" rel="noopener noreferrer">latest</a><br> one. However today instead of a database we need CloudMap.</p> <ul> <li>ECS(Fargate)</li> <li>AWS Application Load Balancer</li> <li>AWS CloudMap</li> <li>Route53 for domain management</li> </ul> <blockquote> <p>Ok, good. Finally, we will deploy something different right?</p> </blockquote> <p>Not really, but the use case is super useful!</p> <h2> Implementation </h2> <p>As always it could be simpler, and more elegant, but it does the<br> job. So as a main point, we have tree files.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ tree src src ├── base.ts ├── jitsi.ts └── main.ts </code></pre> </div> <p>Based on my splitting approach, I have a dedicated stack for<br> more static resources(and cheap), so we can keep them forever(let’s say).<br> Then we have a file dedicated to our Jitsi ECS stack, at the end<br> you can see the control file aka <code>src/main.ts</code> with needed variables like account ID,<br> Region, container version, and your domain name. The content of mentioned file is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">App</span><span class="p">,</span> <span class="nx">Tags</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">BaseStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./base</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">JitsiStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./jitsi</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">devEnv</span> <span class="o">=</span> <span class="p">{</span> <span class="na">account</span><span class="p">:</span> <span class="dl">'</span><span class="s1">471112990549</span><span class="dl">'</span><span class="p">,</span> <span class="na">region</span><span class="p">:</span> <span class="dl">'</span><span class="s1">eu-central-1</span><span class="dl">'</span><span class="p">,</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">DOMAIN_NAME</span><span class="p">:</span> <span class="kr">string</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">3sky.in</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">JITSI_IMAGE_VERSION</span><span class="p">:</span> <span class="kr">string</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">stable-9584-1</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">base</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">BaseStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">jitsi-baseline</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">env</span><span class="p">:</span> <span class="nx">devEnv</span><span class="p">,</span> <span class="na">stackName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">jitsi-baseline</span><span class="dl">'</span><span class="p">,</span> <span class="na">domainName</span><span class="p">:</span> <span class="nx">DOMAIN_NAME</span><span class="p">,</span> <span class="p">});</span> <span class="k">new</span> <span class="nc">JitsiStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">jitsi-instance</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">env</span><span class="p">:</span> <span class="nx">devEnv</span><span class="p">,</span> <span class="na">stackName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">jitsi-instnace</span><span class="dl">'</span><span class="p">,</span> <span class="na">sg</span><span class="p">:</span> <span class="nx">base</span><span class="p">.</span><span class="nx">privateSecurityGroup</span><span class="p">,</span> <span class="na">listener</span><span class="p">:</span> <span class="nx">base</span><span class="p">.</span><span class="nx">listener</span><span class="p">,</span> <span class="na">ecsCluster</span><span class="p">:</span> <span class="nx">base</span><span class="p">.</span><span class="nx">ecsCluster</span><span class="p">,</span> <span class="na">namespace</span><span class="p">:</span> <span class="nx">base</span><span class="p">.</span><span class="k">namespace</span><span class="p">,</span> <span class="na">domainName</span><span class="p">:</span> <span class="nx">DOMAIN_NAME</span><span class="p">,</span> <span class="c1">// images version</span> <span class="na">jitsiImageVersion</span><span class="p">:</span> <span class="nx">JITSI_IMAGE_VERSION</span><span class="p">,</span> <span class="p">},</span> <span class="p">);</span> <span class="nx">Tags</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">app</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">description</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Jitsi Temporary Instance</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">synth</span><span class="p">();</span> </code></pre> </div> <h3> Networking </h3> <p>This is up to you, however, I decided to use a separate dedicated VPC with<br> two AZs - ALB requirement. Additionally, I’m using two types of subnets:<br> <code>PUBLIC</code>, and <code>PRIVATE_WITH_EGRESS</code>.</p> <p>Then we have, ALB, Route53 assignment, security groups, ECS Cluster, and<br> a new interesting object <code>namespace</code>. What do I need this for? Let's dive into<br> docker-compose for a while.</p> <p>That's my docker-compose for <a href="https://github.com/actualbudget/actual" rel="noopener noreferrer">Actual</a><br> app, which IMO is a great app for personal budgeting if you're living in the EU.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">actual</span> <span class="na">services</span><span class="pi">:</span> <span class="na">actual_server</span><span class="pi">:</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">actual</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.io/actualbudget/actual-server:24.7.0</span> <span class="na">expose</span><span class="pi">:</span> <span class="pi">-</span> <span class="m">5006</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">data:/data</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">proxy</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">proxy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">proxy</span> <span class="na">external</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">data</span><span class="pi">:</span> <span class="na">external</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">name</span><span class="pi">:</span> <span class="s">actual_data</span> </code></pre> </div> <p>As you can see we have a construct called <code>networks</code>, in the above case<br> it is the default <code>bridge</code> type of network with the name <code>proxy</code> and annotation<br> <code>external</code> which means that a resource is controlled outside the stack.<br> Mostly is used to connect services between or inside the stack.</p> <p>And we have the same in Jitsi's original docker-compose<br> <a href="https://github.com/jitsi/docker-jitsi-meet/blob/master/docker-compose.yml" rel="noopener noreferrer">file</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">[</span><span class="nv">...</span><span class="pi">]</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">meet.jitsi</span><span class="pi">:</span> <span class="c1"># Custom network so all services can communicate using a FQDN</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">meet.jitsi</span><span class="pi">:</span> </code></pre> </div> <p>Now let's back to the AWS-native landscape. ECS does not support networking<br> in the same way, as docker. To solve that, issue we need to make a private DNS entry<br> pointed to the <code>prosody</code> container and resolved it by the <code>xmpp.meet.jitsi</code> value.<br> Sounds complex, right? Fortunately, there is a service called<br> <a href="https://aws.amazon.com/cloud-map/" rel="noopener noreferrer">AWS Cloud Map</a>.</p> <blockquote> <p>AWS Cloud Map is a cloud resource discovery service.<br> With Cloud Map, you can define custom names for your application resources,<br> and it maintains the updated location of these dynamically changing resources.</p> </blockquote> <p>How to use it? It's simpler, than you could think!</p> <ol> <li>First define a namespace </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="k">namespace</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">servicediscovery</span><span class="p">.</span><span class="nc">PrivateDnsNamespace</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Namespace</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">meet.jitsi</span><span class="dl">'</span><span class="p">,</span> <span class="nx">vpc</span> <span class="p">});</span> </code></pre> </div> <ol> <li>Define the cloud option inside your <code>FargateService</code>. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">ecsService</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ecs</span><span class="p">.</span><span class="nc">FargateService</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EcsService</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">cluster</span><span class="p">:</span> <span class="nx">cluster</span><span class="p">,</span> <span class="na">taskDefinition</span><span class="p">:</span> <span class="nx">ecsTaskDefinition</span><span class="p">,</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span> <span class="p">},</span> <span class="na">securityGroups</span><span class="p">:</span> <span class="p">[</span><span class="nx">securityGroup</span><span class="p">],</span> <span class="na">cloudMapOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">xmpp</span><span class="dl">'</span><span class="p">,</span> <span class="na">container</span><span class="p">:</span> <span class="nx">prosody</span><span class="p">,</span> <span class="na">cloudMapNamespace</span><span class="p">:</span> <span class="k">namespace</span><span class="p">,</span> <span class="na">dnsRecordType</span><span class="p">:</span> <span class="nx">servicediscovery</span><span class="p">.</span><span class="nx">DnsRecordType</span><span class="p">.</span><span class="nx">A</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Then all your containers, and other services in VPC will be able to call<br> <code>prosody</code> container by simple <code>xmpp.meet.jitsi</code> FQDN! Which is not always a<br> good thing, which seems to be a good reason for using dedicated VPC.</p> <h3> Containers </h3> <p>As we have structure, and networking, we need to add containers. In our case it is<br> very simple. To our <code>FargateTaskDefinition</code>,<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">ecsTaskDefinition</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ecs</span><span class="p">.</span><span class="nc">FargateTaskDefinition</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TaskDefinition</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">memoryLimitMiB</span><span class="p">:</span> <span class="mi">8192</span><span class="p">,</span> <span class="na">cpu</span><span class="p">:</span> <span class="mi">4096</span><span class="p">,</span> <span class="na">runtimePlatform</span><span class="p">:</span> <span class="p">{</span> <span class="na">operatingSystemFamily</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">OperatingSystemFamily</span><span class="p">.</span><span class="nx">LINUX</span><span class="p">,</span> <span class="na">cpuArchitecture</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">CpuArchitecture</span><span class="p">.</span><span class="nx">X86_64</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>we are simply adding four containers <code>web</code>, <code>jicofo</code>, <code>jvb</code>, <code>prosody</code><br> just like shown below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">ecsTaskDefinition</span><span class="p">.</span><span class="nf">addContainer</span><span class="p">(</span><span class="dl">'</span><span class="s1">web</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">image</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">ContainerImage</span><span class="p">.</span><span class="nf">fromRegistry</span><span class="p">(</span><span class="dl">'</span><span class="s1">quay.io/3sky/jitsi-web:</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">jitsiImageVersion</span><span class="p">),</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">TZ</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Europe/Warsaw</span><span class="dl">'</span><span class="p">,</span> <span class="na">PUBLIC_URL</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://meet.</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">theDomainName</span> <span class="p">},</span> <span class="na">portMappings</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">containerPort</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">Protocol</span><span class="p">.</span><span class="nx">TCP</span> <span class="p">}</span> <span class="p">],</span> <span class="na">logging</span><span class="p">:</span> <span class="k">new</span> <span class="nx">ecs</span><span class="p">.</span><span class="nc">AwsLogDriver</span><span class="p">(</span> <span class="p">{</span> <span class="na">streamPrefix</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">stackName</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">-web</span><span class="dl">'</span> <span class="p">}</span> <span class="p">)</span> <span class="p">});</span> </code></pre> </div> <h2> Add-ons </h2> <p>If you decided to go through my source code, you could spot two additional<br> points.</p> <ol> <li>Secrets are simplified</li> </ol> <p>That was done on purpose. Even in public repo, you will see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">let</span> <span class="nx">JICOFO_AUTH_PASSWORD</span><span class="p">:</span> <span class="kr">string</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">2dAZl8Jkeg5cKT/rbJDZcslGCWt1cA3NnF4QqkFFATY=</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">JVB_AUTH_PASSWORD</span><span class="p">:</span> <span class="kr">string</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Tph1fJEdU6lFY8aTNPz4EpI5iewQXl+Ot17IeGCmvBs=</span><span class="dl">'</span><span class="p">;</span> </code></pre> </div> <p>The reason is the ephemeral nature of service and build time. AWS SecretManager<br> takes more time to generate and after that to destroy. Here, for<br> my production environment I can just change those strings a bit, and be safe<br> enough during my 1h call, or even a bit longer according to this<br> <a href="https://www.oberlin.edu/cit/bulletins/passwords-matter" rel="noopener noreferrer">link</a>.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxiuyi8fe72ruhhtz96lc.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxiuyi8fe72ruhhtz96lc.png" alt="password break" width="800" height="878"></a></p> <ol> <li>Images are using <code>quay.io</code> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">image</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">ContainerImage</span><span class="p">.</span><span class="nf">fromRegistry</span><span class="p">(</span><span class="dl">'</span><span class="s1">quay.io/3sky/jitsi-web:</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">jitsiImageVersion</span><span class="p">),</span> </code></pre> </div> <p>Due to testing and spanning multiple times containers,<br> it was very easy to be bothered with the Docker Hub rate limit.<br> As a lazy person, I just created a bash script to migrate everything<br> To free, no limited <code>quay.io</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># Define the container version as a variable</span> <span class="nv">CONTAINER_VERSION</span><span class="o">=</span><span class="nv">$1</span> <span class="c"># Define an array of images</span> <span class="nv">IMAGES</span><span class="o">=(</span><span class="s2">"web"</span> <span class="s2">"prosody"</span> <span class="s2">"jvb"</span> <span class="s2">"jicofo"</span><span class="o">)</span> <span class="c"># Check if skopeo is installed</span> <span class="k">if</span> <span class="o">!</span> <span class="nb">command</span> <span class="nt">-v</span> skopeo &amp;&gt; /dev/null <span class="k">then </span><span class="nb">echo</span> <span class="s2">"skopeo could not be found, please install it first."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Function to copy image from Docker Hub to Quay</span> copy_image<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">IMAGE_NAME</span><span class="o">=</span><span class="nv">$1</span> <span class="nb">local </span><span class="nv">DOCKERHUB_IMAGE</span><span class="o">=</span><span class="s2">"docker.io/jitsi/</span><span class="nv">$IMAGE_NAME</span><span class="s2">:</span><span class="nv">$CONTAINER_VERSION</span><span class="s2">"</span> <span class="nb">local </span><span class="nv">QUAY_IMAGE</span><span class="o">=</span><span class="s2">"quay.io/3sky/jitsi-</span><span class="nv">$IMAGE_NAME</span><span class="s2">:</span><span class="nv">$CONTAINER_VERSION</span><span class="s2">"</span> <span class="c"># Copy the image using skopeo</span> skopeo copy docker://<span class="nv">$DOCKERHUB_IMAGE</span> docker://<span class="nv">$QUAY_IMAGE</span> <span class="c"># Check if the skopeo command was successful</span> <span class="k">if</span> <span class="o">[</span> <span class="nv">$?</span> <span class="nt">-eq</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Image </span><span class="nv">$IMAGE_NAME</span><span class="s2">:</span><span class="nv">$CONTAINER_VERSION</span><span class="s2"> successfully copied from Docker Hub to Quay."</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Failed to copy image </span><span class="nv">$IMAGE_NAME</span><span class="s2">:</span><span class="nv">$CONTAINER_VERSION</span><span class="s2"> from Docker Hub to Quay."</span> <span class="k">fi</span> <span class="o">}</span> <span class="c"># Iterate over the images and copy each one</span> <span class="k">for </span>IMAGE <span class="k">in</span> <span class="s2">"</span><span class="k">${</span><span class="nv">IMAGES</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span> <span class="k">do </span>copy_image <span class="nv">$IMAGE</span> <span class="k">done</span> </code></pre> </div> <h2> Summary </h2> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh4tttcrvlwn5uessqdsz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh4tttcrvlwn5uessqdsz.png" alt="the face" width="800" height="645"></a></p> <p>As you can see, I'm hosting my meeting platform with the usage of open-source software, AWS, and a bit of code. The solution is rather cheap, not tested against very big meetings, but stable enough to talk with the wife or friend during summertime.<br> There is no risk of being recorded, or dependent of<br> Google account ownership. With that in mind, I'm going<br> to finish overdue articles... or maybe self-host Ollama<br> at home and replace ChatGPT. Who knows?</p> <blockquote> <p>Ah and to be fully open, the source code could be found on<br> <a href="https://github.com/3sky/meeting-on-demand" rel="noopener noreferrer">GitHub</a>.</p> </blockquote> aws ecs jitsi Install Keycloak on ECS(with Aurora Postgresql) Jakub Wołynko Fri, 21 Jun 2024 11:06:27 +0000 https://dev.to/aws-builders/install-keycloak-on-ecs-5dbo https://dev.to/aws-builders/install-keycloak-on-ecs-5dbo <h2> Welcome </h2> <p>If you have read my latest post about accessing RHEL in the cloud,<br> you may notice that we’re accessing the cockpit console,<br> via SSM Session manager port forwarding.<br> That’s not an ideal solution. I’m not talking in bed,<br> it’s just not ideal(but cheap). Today I realised that using<br> Amazon WorkSpaces Secure Browser could be interesting, and fun as well.</p> <p>Unfortunately, this solution required an Identity Provider,<br> which can serve us with SAML 2.0. The problem is, that most of the<br> providers like <a href="https://www.okta.com/pricing/" rel="noopener noreferrer">Okta</a> or <a href="https://www.pingidentity.com/en/platform/pricing.html" rel="noopener noreferrer">Ping</a>,<br> are enterprise-oriented, and you can’t play with them easily.<br> Of course, you can request a free trial, but it’s 30 days only,<br> and there is no single-user account.</p> <p>That is why I decided to use <a href="https://www.keycloak.org/" rel="noopener noreferrer">Keycloak</a>.<br> Then I just need to decide where to deploy it, in the cloud or in the home lab.<br> Thankfully we have a mind map.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6q51cdnwinid4lorzwt.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6q51cdnwinid4lorzwt.png" alt="Mind map" width="800" height="319"></a></p> <p>That is why, today we will install Keycloak on AWS,<br> and in part two, we will connect it with WorkSpaces<br> and access the RHEL console over the cockpit, as an enterprise-like user.</p> <h2> Keycloak intro </h2> <p>But hey! What is the Keycloak? In simple words it is<br> Open Source Identity and Access Management tool.</p> <p>Also, Keycloak provides user federation, strong authentication,<br> user management, fine-grained authorization, and more.<br> You can read more on the GitHub project<br> <a href="https://github.com/keycloak/keycloak" rel="noopener noreferrer">page</a>, and star it as well.</p> <h2> Services list </h2> <p>To make it a bit more interesting, I will deploy it with:</p> <ul> <li>ECS(Fargate)</li> <li>AWS Application Load Balancer</li> <li>separate database, where today we will play with Serverless Aurora in MySQL mode</li> <li>Route53 for domain management</li> </ul> <p>Ok, good. Finally, we will deploy something different right?</p> <h2> First steps </h2> <p>At the beginning, I’d recommend building basic projects with networks,<br> ECS components, database, and ALB. Let’s call it <em>an almost dry test</em>.<br> Just take a look at the code, and break it into smaller parts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">rds</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-rds</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ecs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ecs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">elbv2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-elasticloadbalancingv2</span><span class="dl">'</span> </code></pre> </div> <p>On top, as you can see, I have imports. It’s worth to mention,<br> that AWS Aurora Serverless V2 is using <code>aws-rds</code> package, and modern load balancers,<br> like ALB is included in <code>aws-elasticloadbalancingv2</code>, not standard <code>aws-elasticloadbalancing</code>.</p> <p>Firstly we have a network. Today we will have regular 3-tier architecture,<br> with a really small mask - <code>/28</code>, which means 11 IPs; regular 16 - 5 (AWS specific).<br> Besides of that two AZs for Aurora HA, so 2 NAT Gateways as well.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VPC</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">ipAddresses</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">IpAddresses</span><span class="p">.</span><span class="nf">cidr</span><span class="p">(</span><span class="dl">"</span><span class="s2">10.192.0.0/20</span><span class="dl">"</span><span class="p">),</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">enableDnsHostnames</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">enableDnsSupport</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">restrictDefaultSecurityGroup</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">subnetConfiguration</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">28</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">public</span><span class="dl">"</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span> <span class="p">},</span> <span class="p">{</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">28</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">private</span><span class="dl">"</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span> <span class="p">},</span> <span class="p">{</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">28</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">database</span><span class="dl">"</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_ISOLATED</span> <span class="p">}</span> <span class="p">]</span> <span class="p">});</span> </code></pre> </div> <p>Next we very simple setup of the application load balancer.<br> It’s listed on port 80(no TLS), it’s internet facing, and exists in our VPC,<br> inside subnets with type “PUBLIC”.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">alb</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">elbv2</span><span class="p">.</span><span class="nc">ApplicationLoadBalancer</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ApplicationLB</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="p">},</span> <span class="na">internetFacing</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">listener</span> <span class="o">=</span> <span class="nx">alb</span><span class="p">.</span><span class="nf">addListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">Listener</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">open</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>Here the same, we have a very basic setup of Postgres Aurora, without security groups<br> or deletion protection.</p> <p>However, we’re setting it in the correct set of subnets,<br> and what is more important we’re checking our Postgres engine version,<br> as <code>the latest</code> is not always supported. If you would like to check it<br> on our own, here is the command, which shows you available engines.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws rds describe-db-engine-versions <span class="se">\</span> <span class="nt">--engine</span> aurora-mysql <span class="se">\</span> <span class="nt">--filters</span> <span class="nv">Name</span><span class="o">=</span>engine-mode,Values<span class="o">=</span>serverless </code></pre> </div> <p><strong>BUT</strong>, if you would like to use Aurora Serverless V2, you need to use <code>rds.DatabaseCluster</code>,<br> so our code will be, and as you can see we can use a higher version of Postgres:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">new</span> <span class="nx">rds</span><span class="p">.</span><span class="nc">DatabaseCluster</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">AuroraCluster</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">engine</span><span class="p">:</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">DatabaseClusterEngine</span><span class="p">.</span><span class="nf">auroraMysql</span><span class="p">(</span> <span class="p">{</span><span class="na">version</span><span class="p">:</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">AuroraMysqlEngineVersion</span><span class="p">.</span><span class="nx">VER_2_11_4</span><span class="p">}</span> <span class="p">),</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">credentials</span><span class="p">:</span> <span class="p">{</span> <span class="na">username</span><span class="p">:</span> <span class="dl">'</span><span class="s1">keycloak</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// WARNING: This is wrong, do not work this way</span> <span class="na">password</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">SecretValue</span><span class="p">.</span><span class="nf">unsafePlainText</span><span class="p">(</span><span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">)</span> <span class="p">},</span> <span class="c1">// NOTE: use this rather for testing</span> <span class="na">deletionProtection</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">securityGroups</span><span class="p">:</span> <span class="p">[</span><span class="nx">auroraSecurityGroup</span><span class="p">],</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_ISOLATED</span> <span class="p">},</span> <span class="na">writer</span><span class="p">:</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">ClusterInstance</span><span class="p">.</span><span class="nf">serverlessV2</span><span class="p">(</span><span class="dl">'</span><span class="s1">ClusterInstance</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span><span class="na">scaleWithWriter</span><span class="p">:</span> <span class="kc">true</span><span class="p">})</span> <span class="p">});</span> </code></pre> </div> <p>Great, now we can configure:</p> <ul> <li>ECS Cluster with Fargate Capacity Providers</li> <li>Fargate Task Definition</li> <li>container</li> <li>ECS Service</li> <li>ALB TargetGroup registration</li> </ul> <p>and check if we will be able to<br> access our container from the regular Internet.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">ecsCluster</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ecs</span><span class="p">.</span><span class="nc">Cluster</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EcsCluster</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">clusterName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">keycloak-ecs-cluster</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// NOTE: add some logging</span> <span class="na">containerInsights</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">enableFargateCapacityProviders</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">ecsTaskDefinition</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ecs</span><span class="p">.</span><span class="nc">FargateTaskDefinition</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TaskDefinition</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">memoryLimitMiB</span><span class="p">:</span> <span class="mi">512</span><span class="p">,</span> <span class="na">cpu</span><span class="p">:</span> <span class="mi">256</span><span class="p">,</span> <span class="na">runtimePlatform</span><span class="p">:</span> <span class="p">{</span> <span class="na">operatingSystemFamily</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">OperatingSystemFamily</span><span class="p">.</span><span class="nx">LINUX</span><span class="p">,</span> <span class="na">cpuArchitecture</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">CpuArchitecture</span><span class="p">.</span><span class="nx">X86_64</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">container</span> <span class="o">=</span> <span class="nx">ecsTaskDefinition</span><span class="p">.</span><span class="nf">addContainer</span><span class="p">(</span><span class="dl">'</span><span class="s1">keycloak</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">image</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">ContainerImage</span><span class="p">.</span><span class="nf">fromRegistry</span><span class="p">(</span><span class="dl">'</span><span class="s1">nginx</span><span class="dl">'</span><span class="p">),</span> <span class="na">portMappings</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">containerPort</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">Protocol</span><span class="p">.</span><span class="nx">TCP</span> <span class="p">}</span> <span class="p">]</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">ecsService</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ecs</span><span class="p">.</span><span class="nc">FargateService</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EcsService</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">cluster</span><span class="p">:</span> <span class="nx">ecsCluster</span><span class="p">,</span> <span class="na">taskDefinition</span><span class="p">:</span> <span class="nx">ecsTaskDefinition</span><span class="p">,</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">ecsService</span><span class="p">.</span><span class="nf">registerLoadBalancerTargets</span><span class="p">({</span> <span class="na">containerName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">keycloak</span><span class="dl">'</span><span class="p">,</span> <span class="na">containerPort</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">newTargetGroupId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ECS</span><span class="dl">'</span><span class="p">,</span> <span class="na">listener</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">ListenerConfig</span><span class="p">.</span><span class="nf">applicationListener</span><span class="p">(</span> <span class="nx">listener</span><span class="p">,</span> <span class="p">{</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">elbv2</span><span class="p">.</span><span class="nx">ApplicationProtocol</span><span class="p">.</span><span class="nx">HTTP</span> <span class="p">})</span> <span class="p">},);</span> </code></pre> </div> <p>As you see the logic here is straightforward.<br> First, we need a cluster, with enabled FargateCapacityProvider,<br> and we would like to place it in our VPC.<br> Then we have a task, that needs to be an instance of class <code>ecs.FargateTaskDefinition</code>.<br> Next, we’re adding a container object with a Nginx docker image and port mapping.<br> Additionally, we need a service that combines all elements.<br> At the end, we register our service, as Load Balancer Target.</p> <p>This configuration should allow us to validate our application skeleton,<br> and make sure that basic components are up, and we don’t mess something.<br> That is how I like to work, make a simple landscape, then tweak it according to the needs.</p> <h2> Keycloak configuration </h2> <p>Now, we need to clarify a few things.<br> First, as we’re planning to run Keycloak in container, that is why we need<br> to go through <a href="https://www.keycloak.org/server/containers" rel="noopener noreferrer">this doc</a>,<br> then as we’re using Aurora, we need <a href="https://www.keycloak.org/server/db#preparing-keycloak-for-amazon-aurora-postgresql" rel="noopener noreferrer">this</a>.</p> <p>Second, there is no support for IAM Roles, which is why we need to use a username/password.<br> However, if you feel stronger than me with AWS SDK for Java,<br> and have some time, I’m sure that the Keycloak team will be more than happy to review your PR.</p> <p>So after reading the documentation, looks like I need to add the JDBC driver to the image,<br> which requires building a custom image. It will be very simple<br> but require some project modification. Additionally, we need some environment variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">container</span> <span class="o">=</span> <span class="nx">ecsTaskDefinition</span><span class="p">.</span><span class="nf">addContainer</span><span class="p">(</span><span class="dl">'</span><span class="s1">keycloak</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">image</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">ContainerImage</span><span class="p">.</span><span class="nf">fromRegistry</span><span class="p">(</span><span class="dl">'</span><span class="s1">quay.io/keycloak/keycloak:24.0</span><span class="dl">'</span><span class="p">),</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">KEYCLOAK_ADMIN</span><span class="p">:</span> <span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">,</span> <span class="na">KEYCLOAK_ADMIN_PASSWORD</span><span class="p">:</span> <span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">,</span> <span class="na">KC_DB</span><span class="p">:</span> <span class="dl">"</span><span class="s2">postgres</span><span class="dl">"</span><span class="p">,</span> <span class="na">KC_DB_USERNAME</span><span class="p">:</span> <span class="dl">"</span><span class="s2">keycloak</span><span class="dl">"</span><span class="p">,</span> <span class="na">KC_DB_PASSWORD</span><span class="p">:</span> <span class="dl">"</span><span class="s2">password</span><span class="dl">"</span><span class="p">,</span> <span class="na">KC_DB_SCHEMA</span><span class="p">:</span> <span class="dl">"</span><span class="s2">public</span><span class="dl">"</span><span class="p">,</span> <span class="na">KC_LOG_LEVEL</span><span class="p">:</span> <span class="dl">"</span><span class="s2">INFO, org.infinispan: DEBUG, org.jgroups: DEBUG</span><span class="dl">"</span> <span class="p">},</span> <span class="na">portMappings</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">containerPort</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">Protocol</span><span class="p">.</span><span class="nx">TCP</span> <span class="p">}</span> <span class="p">]</span> <span class="p">});</span> </code></pre> </div> <h2> Stop. Why it doesn’t work? </h2> <p>Look good right? No, no, and no! Making this project work<br> forced me to spend much more time than I expected. Why? That’s simple,<br> Keycloak is complex software, which is why a lot of configuration is<br> needed. However, let’s start from the beginning.</p> <h3> Building custom docker image </h3> <p>I decided, that a public docker image from Aurora support would be great,<br> and maybe helpful for someone. That is why you can find it on <a href="https://quay.io/repository/3sky/keycloak-aurora" rel="noopener noreferrer">quay</a>.<br> Also whole project repo is public, and accessible <a href="https://github.com/3sky/keycloak-aurora" rel="noopener noreferrer">here</a>.<br> Besides GitHub Actions, Dockerfile is the most important part, so here we go:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">ARG</span><span class="s"> VERSION=25.0.1</span> <span class="k">ARG</span><span class="s"> BUILD_DATE=today</span> <span class="k">FROM</span><span class="w"> </span><span class="s">quay.io/keycloak/keycloak:${VERSION}</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="s">builder</span> <span class="k">LABEL</span><span class="s"> vendor="3sky.dev" \</span> maintainer="Kuba Wolynko &lt;kuba@3sky.dev&gt;" \ name="Keyclock for Aurora usage" \ arch="x86" \ build-date=${BUILD_DATE} # Enable health and metrics support <span class="k">ENV</span><span class="s"> KC_HEALTH_ENABLED=true</span> <span class="k">ENV</span><span class="s"> KC_METRICS_ENABLED=true</span> <span class="k">ENV</span><span class="s"> KC_DB=postgres</span> <span class="k">ENV</span><span class="s"> KC_DB_DRIVER=software.amazon.jdbc.Driver</span> <span class="k">WORKDIR</span><span class="s"> /opt/keycloak</span> <span class="c"># use ALB on top, self-sign is fine here</span> <span class="k">RUN </span>keytool <span class="nt">-genkeypair</span> <span class="se">\ </span> <span class="nt">-storepass</span> password <span class="se">\ </span> <span class="nt">-storetype</span> PKCS12 <span class="se">\ </span> <span class="nt">-keyalg</span> RSA <span class="se">\ </span> <span class="nt">-keysize</span> 2048 <span class="se">\ </span> <span class="nt">-dname</span> <span class="s2">"CN=server"</span> <span class="se">\ </span> <span class="nt">-alias</span> server <span class="se">\ </span> <span class="nt">-ext</span> <span class="s2">"SAN:c=DNS:localhost,IP:127.0.0.1"</span> <span class="se">\ </span> <span class="nt">-keystore</span> conf/server.keystore <span class="k">ADD</span><span class="s"> --chmod=0666 https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/download/2.3.6/aws-advanced-jdbc-wrapper-2.3.6.jar /opt/keycloak/providers/aws-advanced-jdbc-wrapper.jar</span> <span class="k">RUN </span>/opt/keycloak/bin/kc.sh build <span class="k">FROM</span><span class="s"> quay.io/keycloak/keycloak:${VERSION}</span> <span class="k">COPY</span><span class="s"> --from=builder /opt/keycloak/ /opt/keycloak/</span> <span class="k">ENTRYPOINT</span><span class="s"> ["/opt/keycloak/bin/kc.sh"]</span> </code></pre> </div> <p>Worth mentioning is the fact, that the <code>build</code> command needs to be<br> executed after getting <code>aws-advanced-jdbc-wrapper</code>,<br> or enabling health checks. Also, I’m using a self-sign certificate<br> as AWS will provide public cert on the ALB level.</p> <h3> Documentation </h3> <p>When you are going through official Keycloak documentation<br> you will be able to read something like this:</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9b7szvpcfaz5oa2sjyly.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9b7szvpcfaz5oa2sjyly.png" alt="Documentation" width="800" height="144"></a></p> <p><del>I’m not a native speaker, so for me, it means:<br> <em>Put <code>aws-wrapper</code> into your JDBC URL</em>. But, it’s not true.<br> It means that the result will be <code>jdbc:aws-wrapper:postgresql://</code>,<br> which is not what the application can consume!<br> To work with Aurora Postgresql, our connection string must be:</del></p> <p><strong>Edit</strong>: I was wrong. <code>aws_wrapper</code> needs to be included in JDBC URL,<br> to use advanced wrapper's functions. However environment variable <code>KC_DB_DRIVER=software.amazon.jdbc.Driver</code>,<br> need to be present in Dockerfile before running <code>/opt/keycloak/bin/kc.sh build</code> command.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">KC_DB_URL</span><span class="p">:</span> <span class="dl">'</span><span class="s1">jdbc:aws-wrapper:postgresql://</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">theAurora</span><span class="p">.</span><span class="nx">clusterEndpoint</span><span class="p">.</span><span class="nx">hostname</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">:5432/keycloak</span><span class="dl">'</span><span class="p">,</span> </code></pre> </div> <p><strong>Note</strong>: <code>keycloak</code> at the end is the database name, and can be customized.</p> <p>Believe it or not, this misunderstanding costs me around the week of debugging...</p> <h3> Cookie not found </h3> <p>When after a while I was able to start an app and type admin/admin,<br> I was welcomed with this error message:</p> <p><strong>Cookie not found. Please make sure cookies are enabled in your browser.</strong></p> <p>After some investigation, and reading <a href="https://dev.tostackoverflow">stackoverflow</a> threads,<br> the decision was to add TLS and see what would happen. To do that in rather a simple<br> manner, a hosted zone with a public registered domain was needed. And you can read about it<br> setting it up <a href="https://blog.3sky.dev/article/202406-cheap-tld/" rel="noopener noreferrer">here</a>. In case of adding it to project we can simply write:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">zone</span> <span class="o">=</span> <span class="nx">route53</span><span class="p">.</span><span class="nx">HostedZone</span><span class="p">.</span><span class="nf">fromLookup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Zone</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span><span class="na">domainName</span><span class="p">:</span> <span class="nx">DOMAIN_NAME</span><span class="p">});</span> <span class="k">new</span> <span class="nx">route53</span><span class="p">.</span><span class="nc">CnameRecord</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cnameForAlb</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">recordName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sso</span><span class="dl">'</span><span class="p">,</span> <span class="na">zone</span><span class="p">:</span> <span class="nx">zone</span><span class="p">,</span> <span class="na">domainName</span><span class="p">:</span> <span class="nx">alb</span><span class="p">.</span><span class="nx">loadBalancerDnsName</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">albcert</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">acme</span><span class="p">.</span><span class="nc">Certificate</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Certificate</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">domainName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sso.</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">DOMAIN_NAME</span><span class="p">,</span> <span class="na">certificateName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Testing keyclock service</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Optionally provide an certificate name</span> <span class="na">validation</span><span class="p">:</span> <span class="nx">acme</span><span class="p">.</span><span class="nx">CertificateValidation</span><span class="p">.</span><span class="nf">fromDns</span><span class="p">(</span><span class="nx">zone</span><span class="p">)</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nx">listener</span> <span class="o">=</span> <span class="nx">alb</span><span class="p">.</span><span class="nf">addListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">Listener</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">443</span><span class="p">,</span> <span class="na">open</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">certificates</span><span class="p">:</span> <span class="p">[</span><span class="nx">albcert</span><span class="p">]</span> <span class="p">});</span> </code></pre> </div> <h3> Health check </h3> <p>This one is tricky. The target Group attached to the Application Load Balancer requires healthy targets.<br> Using the native ECS method as described above does not meet our needs, as we expected:</p> <ul> <li>dedicated path <code>/health</code> </li> <li>different port(9000), than main container port(8433)</li> <li>if we decide to stick with <code>/</code> path, we need to accept port <code>302</code> </li> </ul> <p>As you see we need to change a method to a more traditional one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">theListner</span><span class="p">.</span><span class="nf">addTargets</span><span class="p">(</span><span class="dl">'</span><span class="s1">ECS</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">8443</span><span class="p">,</span> <span class="na">targets</span><span class="p">:</span> <span class="p">[</span><span class="nx">ecsService</span><span class="p">],</span> <span class="na">healthCheck</span><span class="p">:</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="dl">'</span><span class="s1">9000</span><span class="dl">'</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/health</span><span class="dl">'</span><span class="p">,</span> <span class="na">interval</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="na">timeout</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">5</span><span class="p">),</span> <span class="na">healthyHttpCodes</span><span class="p">:</span> <span class="dl">'</span><span class="s1">200</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p><strong>NOTE:</strong> default HC port could be changed, but it adds additional complexity.</p> <h3> Build time </h3> <p>Playing with ECS and database in the same CDK stack is not the best possible idea. Why?<br> Let's imagine the situation when your health checks are failing.<br> Deployment is in progress and still rolling. During this period,<br> you can't change your stack. But you can delete it…, and recreate it.<br> Even if the networking part is fast, spanning Aurora up and down,<br> could add to our change time by around 12 minutes.<br> That's not a bed, but still, it's quite easy to avoid it.<br> The change was simple. I created a new stack, dedicated to ECS,<br> and split the app into two parts:</p> <ul> <li>infra (network and database)</li> <li>ECS (container and services)</li> </ul> <p>This simple action shows that the modularity of Infrastructure as Code could be more<br> important than we're usually thinking.</p> <h3> Final declaration </h3> <p>Slowly going to the end, the ECS dedicated part will look like that:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">ecsTaskDefinition</span><span class="p">.</span><span class="nf">addContainer</span><span class="p">(</span><span class="dl">'</span><span class="s1">keycloak</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">image</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">ContainerImage</span><span class="p">.</span><span class="nf">fromRegistry</span><span class="p">(</span><span class="nx">CUSTOM_IMAGE</span><span class="p">),</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">KEYCLOAK_ADMIN</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">,</span> <span class="na">KEYCLOAK_ADMIN_PASSWORD</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">,</span> <span class="na">KC_DB</span><span class="p">:</span> <span class="dl">'</span><span class="s1">postgres</span><span class="dl">'</span><span class="p">,</span> <span class="na">KC_DB_URL</span><span class="p">:</span> <span class="dl">'</span><span class="s1">jdbc:postgresql://</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">theAurora</span><span class="p">.</span><span class="nx">clusterEndpoint</span><span class="p">.</span><span class="nx">hostname</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">:5432/keycloak</span><span class="dl">'</span><span class="p">,</span> <span class="na">KC_DB_USERNAME</span><span class="p">:</span> <span class="dl">'</span><span class="s1">keycloak</span><span class="dl">'</span><span class="p">,</span> <span class="na">KC_DB_PASSWORD</span><span class="p">:</span> <span class="nx">theSecret</span><span class="p">.</span><span class="nf">secretValueFromJson</span><span class="p">(</span><span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">).</span><span class="nf">toString</span><span class="p">(),</span> <span class="na">KC_HOSTNAME_STRICT</span><span class="p">:</span> <span class="dl">'</span><span class="s1">false</span><span class="dl">'</span><span class="p">,</span> <span class="na">KC_HTTP_ENABLED</span><span class="p">:</span> <span class="dl">'</span><span class="s1">false</span><span class="dl">'</span><span class="p">,</span> <span class="na">KC_DB_DRIVER</span><span class="p">:</span> <span class="dl">'</span><span class="s1">software.amazon.jdbc.Driver</span><span class="dl">'</span><span class="p">,</span> <span class="na">KC_HEALTH_ENABLED</span><span class="p">:</span> <span class="dl">'</span><span class="s1">true</span><span class="dl">'</span> <span class="p">},</span> <span class="na">portMappings</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">containerPort</span><span class="p">:</span> <span class="mi">8443</span><span class="p">,</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">Protocol</span><span class="p">.</span><span class="nx">TCP</span> <span class="p">},</span> <span class="p">{</span> <span class="na">containerPort</span><span class="p">:</span> <span class="mi">9000</span><span class="p">,</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">Protocol</span><span class="p">.</span><span class="nx">TCP</span> <span class="p">}</span> <span class="p">],</span> <span class="na">logging</span><span class="p">:</span> <span class="k">new</span> <span class="nx">ecs</span><span class="p">.</span><span class="nc">AwsLogDriver</span><span class="p">(</span> <span class="p">{</span><span class="na">streamPrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">keycloak</span><span class="dl">'</span><span class="p">}</span> <span class="p">),</span> <span class="na">command</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">start</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">--optimized</span><span class="dl">'</span><span class="p">]</span> <span class="p">});</span> </code></pre> </div> <h3> Final architecture </h3> <p>As we all love images, that's the final digram of our setup:</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq06v8hrq40a8ch97er42.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq06v8hrq40a8ch97er42.png" alt="Architecuture" width="800" height="486"></a></p> <h2> Summary </h2> <p>That's the end of setting keycloak on ECS with the usage of Aurora Postgres.<br> I didn't see it anywhere on the Internet, so for at least a moment, that is<br> the only working example and blog post available publicly.<br> Additionally, a solution was tested with versions 24.0 and the latest 25.0.1 of<br> Keycloak base images. What will be next? As I mentioned at the beginning.<br> Setting up Worksapces with my own SSO solution, however, firstly we need to<br> configure Keyclock, which I’m almost sure, will be fun as well.<br> Ah and to be fully open, source code could be found on <a href="https://github.com/3sky/keycloak-on-ecs" rel="noopener noreferrer">GitHub</a>.</p> aws keyclock ecs cdk Red Hat Enterprise Linux on AWS Cloud Jakub Wołynko Thu, 23 May 2024 11:26:23 +0000 https://dev.to/aws-builders/red-hat-enterprise-linux-on-aws-cloud-56gb https://dev.to/aws-builders/red-hat-enterprise-linux-on-aws-cloud-56gb <h2> Welcome </h2> <p>Let’s talk about basic IT operations included in the everyday tasks range. For example, accessing VMs. As you may realize (or not) - not everyone is using immutable infrastructure. Especially when their core business isn’t IT, and they are a bit bigger than 2-pizza team. That is why today we will talk about accessing the console of Red Hat Enterprise Linux 9.3 in AWS Cloud. I will show you the 3 most useful methods - in my opinion; there are no statistics. </p> <h2> Initial note </h2> <p>Due to the fact, that I appreciate AWS CDK, all examples today will be written in TypeScript. <br> Additionally, I decided to use shared stacks and store VPC config separately,<br> as well as default instance properties. <br> The network is very simple, one public subnet,<br> one private subnet, and one NAT(default option when using <code>subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS</code>).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">SharedNetworkStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">vpc</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">App</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">?:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Tags</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="k">this</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="dl">"</span><span class="s2">description</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Shared Network</span><span class="dl">"</span><span class="p">);</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Tags</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="k">this</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="dl">"</span><span class="s2">organization</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">3sky.dev</span><span class="dl">"</span><span class="p">);</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Tags</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="k">this</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="dl">"</span><span class="s2">owner</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">3sky</span><span class="dl">"</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TheVPC</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">ipAddresses</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">IpAddresses</span><span class="p">.</span><span class="nf">cidr</span><span class="p">(</span><span class="dl">"</span><span class="s2">10.192.0.0/20</span><span class="dl">"</span><span class="p">),</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">enableDnsHostnames</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">enableDnsSupport</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">restrictDefaultSecurityGroup</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">subnetConfiguration</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">28</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">public</span><span class="dl">"</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">28</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">private</span><span class="dl">"</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>As a base AMI for all instances, I will be using the publicly available latest RH build: <code>amazon/RHEL-9.3.0_HVM-20240117-x86_64-49-Hourly2-GP3</code>. With the smallest possible instance size. Everything is sorted in file called <code>bin/rhel.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="cp">#!/usr/bin/env node </span><span class="k">import</span> <span class="dl">'</span><span class="s1">source-map-support/register</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SSHStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/ssh-stack</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ICStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/ic-stack</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SSMStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/ssm-stack</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SharedNetworkStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/shared-network</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">network</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SharedNetworkStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SharedNetworkStack</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">defaultInstanceProps</span> <span class="o">=</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">network</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="na">machineImage</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">MachineImage</span><span class="p">.</span><span class="nf">genericLinux</span><span class="p">({</span> <span class="c1">// amazon/RHEL-9.3.0_HVM-20240117-x86_64-49-Hourly2-GP3</span> <span class="dl">"</span><span class="s2">eu-central-1</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ami-0134dde2b68fe1b07</span><span class="dl">"</span><span class="p">,</span> <span class="p">}),</span> <span class="na">instanceType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nb">InstanceType</span><span class="p">.</span><span class="k">of</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceClass</span><span class="p">.</span><span class="nx">BURSTABLE2</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceSize</span><span class="p">.</span><span class="nx">MICRO</span><span class="p">,</span> <span class="p">),</span> <span class="p">};</span> <span class="k">new</span> <span class="nc">SSHStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SSHStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">instanceProps</span><span class="p">:</span> <span class="nx">defaultInstanceProps</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">network</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="p">});</span> <span class="k">new</span> <span class="nc">ICStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ICStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">instanceProps</span><span class="p">:</span> <span class="nx">defaultInstanceProps</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">network</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="p">});</span> <span class="k">new</span> <span class="nc">SSMStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SSMStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">instanceProps</span><span class="p">:</span> <span class="nx">defaultInstanceProps</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h2> SSH </h2> <p>Let’s start with the basics. Regular SSH, what do we need to make this possible? </p> <ul> <li>SSH Key Pair</li> <li>ssh-server and ssh-client installed </li> <li>connection to configured port(default: 22)</li> <li>Bastion Host, as we’re simulating enterprise </li> </ul> <h3> setup </h3> <p>The initial assumption is, that we already have a key pair if not, please generate it with the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh-keygen <span class="se">\</span> <span class="nt">-t</span> ed25519 <span class="se">\</span> <span class="nt">-C</span> <span class="s2">"aws@local-testing"</span> <span class="se">\</span> <span class="nt">-f</span> ~/.ssh/id_ed25519_local_testing </code></pre> </div> <p>Let’s back to code, we’re using a much too open Security Group for the Bastion host, regular in-VPC SG, and two hosts with the same ssh-key configured. That is why the created stack definition is rather simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">SSHStackProps</span> <span class="kd">extends</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">vpc</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">;</span> <span class="nl">instanceProps</span><span class="p">:</span> <span class="kr">any</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">SSHStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">SSHStackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">theVPC</span> <span class="o">=</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">theProps</span> <span class="o">=</span> <span class="nx">props</span><span class="p">.</span><span class="nx">instanceProps</span><span class="p">;</span> <span class="c1">// WARNING: change key material to your own</span> <span class="kd">const</span> <span class="nx">awsKeyPair</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnKeyPair</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">localkeypair</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">publicKeyMaterial</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxYZEBNRLXmuign6ZgNbmaSK7cnQAgFpx8cCscoqVed local</span><span class="dl">"</span><span class="p">,</span> <span class="na">keyName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">localawesomekey</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">myKeyPair</span> <span class="o">=</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">KeyPair</span><span class="p">.</span><span class="nf">fromKeyPairAttributes</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">mykey</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">keyPairName</span><span class="p">:</span> <span class="nx">awsKeyPair</span><span class="p">.</span><span class="nx">keyName</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">tooopenSG</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">tooopenSG</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">securityGroupName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow all SSH traffic</span><span class="dl">"</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">theVPC</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> <span class="nx">tooopenSG</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span> <span class="c1">// NOTE: we should use a more specific network range with</span> <span class="c1">// ec2.Peer.ipv4("x.x.x.x/24")</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">anyIpv4</span><span class="p">(),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">22</span><span class="p">),</span> <span class="dl">"</span><span class="s2">Allow SSH</span><span class="dl">"</span><span class="p">,</span> <span class="kc">false</span><span class="p">,</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">defaultSG</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">regularSG</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">securityGroupName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Regular in-VPC SG</span><span class="dl">"</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">theVPC</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> <span class="nx">defaultSG</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">ipv4</span><span class="p">(</span><span class="nx">theVPC</span><span class="p">.</span><span class="nx">vpcCidrBlock</span><span class="p">),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">22</span><span class="p">),</span> <span class="dl">"</span><span class="s2">Allow SSH inside VPC only</span><span class="dl">"</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">bastion</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Instance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">bastion-host</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">instanceName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">bastion-host</span><span class="dl">'</span><span class="p">,</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="p">},</span> <span class="na">securityGroup</span><span class="p">:</span> <span class="nx">tooopenSG</span><span class="p">,</span> <span class="na">keyPair</span><span class="p">:</span> <span class="nx">myKeyPair</span><span class="p">,</span> <span class="p">...</span><span class="nx">theProps</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">instance</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Instance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">host</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">instanceName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">host</span><span class="dl">'</span><span class="p">,</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="p">},</span> <span class="na">securityGroup</span><span class="p">:</span> <span class="nx">defaultSG</span><span class="p">,</span> <span class="na">keyPair</span><span class="p">:</span> <span class="nx">myKeyPair</span><span class="p">,</span> <span class="p">...</span><span class="nx">theProps</span><span class="p">,</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">bastionIP</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">bastion</span><span class="p">.</span><span class="nx">instancePublicIp</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Public IP address of the bastion host</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">instnaceIP</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">instance</span><span class="p">.</span><span class="nx">instancePrivateIp</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Private IP address of thsh host</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Then after executing <code>cdk deploy SSHStack</code>, and waiting around 200s, we should be able to see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ✅ SSHStack ✨ Deployment <span class="nb">time</span>: 200.17s Outputs: SSHStack.bastionIP <span class="o">=</span> 3.121.228.159 SSHStack.instnaceIP <span class="o">=</span> 10.192.0.24 </code></pre> </div> <p>Great, now we can use our ssh key and <strong>ec2-user</strong>, for connection with our instance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>ssh ec2-user@3.121.228.159 <span class="nt">-i</span> ~/.ssh/id_ed25519_local Register this system with Red Hat Insights: insights-client <span class="nt">--register</span> Create an account or view all your systems at https://red.ht/insights-dashboard <span class="o">[</span>ec2-user@ip-10-192-0-6 ~]<span class="nv">$ </span>clear <span class="o">[</span>ec2-user@ip-10-192-0-6 ~]<span class="err">$</span> <span class="nb">logout </span>Connection to 3.121.228.159 closed. </code></pre> </div> <p>Ok, for accessing our regular target host I strongly recommend using a regular <code>~/.ssh/config</code> file, with the following content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Host aws-bastion PreferredAuthentications publickey <span class="nv">IdentitiesOnly</span><span class="o">=</span><span class="nb">yes </span>IdentityFile ~/.ssh/id_ed25519_local User ec2-user Hostname 3.76.116.53 Host aws-host PreferredAuthentications publickey <span class="nv">IdentitiesOnly</span><span class="o">=</span><span class="nb">yes </span>ProxyJump jump IdentityFile ~/.ssh/id_ed25519_local User ec2-user Hostname 10.192.0.24 </code></pre> </div> <p>The good thing about it is that it’s very easy to configure Ansible with it. Our inventory file will be just simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>bastion] aws-bastion <span class="o">[</span>instance] aws-host <span class="o">[</span>aws:children] aws-bastion aws-host </code></pre> </div> <p>However, in the case of a real-world system, I would recommend using Ansible dynamic inventory, based on proper tagging. </p> <h3> props </h3> <ul> <li>easy-to-implement solution</li> <li>standard SSH, so we can use Ansible just after deployment</li> <li>no additional costs(besides Bastion host)</li> </ul> <h3> cons </h3> <ul> <li>exposing VMs to the public internet isn’t the most secure solution</li> <li>we need to manage SSH key pair</li> <li>we need to manage users</li> <li>we need to manage accesses manually, from the OS level </li> <li>no dedicated logging solution, besides Syslog</li> </ul> <h2> SSM Session Manager </h2> <p>Setting SSM based on <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-prerequisites.html">documentation</a> could be a bit more challenging, as we need to:</p> <ul> <li>install SSM agent</li> <li>configure role and instance profile </li> </ul> <h3> setup </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">iam</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-iam</span><span class="dl">'</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">SSMStackProps</span> <span class="kd">extends</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">instanceProps</span><span class="p">:</span> <span class="kr">any</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">SSMStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">SSMStackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">theProps</span> <span class="o">=</span> <span class="nx">props</span><span class="p">.</span><span class="nx">instanceProps</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ssmRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">SSMRole</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">"</span><span class="s2">ec2.amazonaws.com</span><span class="dl">"</span><span class="p">),</span> <span class="na">managedPolicies</span><span class="p">:</span> <span class="p">[</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nf">fromAwsManagedPolicyName</span><span class="p">(</span><span class="dl">"</span><span class="s2">AmazonSSMManagedInstanceCore</span><span class="dl">"</span><span class="p">)</span> <span class="p">],</span> <span class="na">roleName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SSMRole</span><span class="dl">"</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">InstanceProfile</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">SSMInstanceProfile</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="nx">ssmRole</span><span class="p">,</span> <span class="na">instanceProfileName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SSMInstanceProfile</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">userData</span> <span class="o">=</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">UserData</span><span class="p">.</span><span class="nf">forLinux</span><span class="p">();</span> <span class="nx">userData</span><span class="p">.</span><span class="nf">addCommands</span><span class="p">(</span> <span class="dl">'</span><span class="s1">set -o xtrace</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">sudo dnf install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">sudo systemctl enable amazon-ssm-agent</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">sudo systemctl start amazon-ssm-agent</span><span class="dl">'</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">instnace</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Instance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">instance-with-ssm</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">instanceName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">instance-with-ssm</span><span class="dl">'</span><span class="p">,</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="p">},</span> <span class="na">role</span><span class="p">:</span> <span class="nx">ssmRole</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">detailedMonitoring</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">userData</span><span class="p">:</span> <span class="nx">userData</span><span class="p">,</span> <span class="p">...</span><span class="nx">theProps</span><span class="p">,</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">HostID</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">instnace</span><span class="p">.</span><span class="nx">instanceId</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ID of the regular host</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">hostDNS</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">instnace</span><span class="p">.</span><span class="nx">instancePrivateDnsName</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Hostname of the regular host</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>As you can see, we need to specify the role and instance profile(which can’t be displayed in GUI), and then we place the instance in a private subnet with specific user data and role. After a while we should be able to connect via CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>aws ssm start-session <span class="nt">--target</span> i-0110d03f4713d475c Starting session with SessionId: kuba@3sky.dev-6n5goh43iisz45cmvpht54ize4 sh-5.1<span class="nv">$ </span><span class="nb">sudo </span>su <span class="o">[</span>root@ip-10-192-0-26 bin]# </code></pre> </div> <p>Or via GUI:</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnmb7v2is7sh65dprmn1l.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnmb7v2is7sh65dprmn1l.png" alt="ssm-s1" width="800" height="387"></a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F80bsym6uixnh3sjuf29k.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F80bsym6uixnh3sjuf29k.png" alt="ssm-s2" width="800" height="413"></a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1pdy9hlqroohm15i0trz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1pdy9hlqroohm15i0trz.png" alt="ssm-s3" width="800" height="168"></a></p> <h3> bonus: cockpit </h3> <p>As we’re using the Red Hat system(however also available on Ubuntu etc), and SSM supports port forwarding we can utilize the power of the cockpit. For example, manage subscriptions, check security recommendations, and connect with <a href="https://www.redhat.com/en/technologies/management/insights">Red Hat Insights</a>. How to do it? Login to our instance, create an admin user with a password, and then start the port forwarding session.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># login to host</span> <span class="nv">$ </span>aws ssm start-session <span class="nt">--target</span> i-0113d03f4713d412b <span class="c"># become a root and create the needed user</span> sh-5.1<span class="nv">$ </span><span class="nb">sudo </span>su <span class="o">[</span>root@ip-10-192-0-24:~]<span class="nv">$ </span><span class="nb">sudo </span>useradd kuba <span class="o">[</span>root@ip-10-192-0-24:~]<span class="nv">$ </span><span class="nb">sudo </span>passwd kuba <span class="o">[</span>root@ip-10-192-0-24:~]<span class="nv">$ </span><span class="nb">sudo </span>usermod <span class="nt">-aG</span> wheel kuba <span class="o">[</span>root@ip-10-192-0-24:~]<span class="nv">$ </span><span class="nb">exit </span>sh-5.1<span class="nv">$ </span><span class="nb">exit</span> <span class="c">## start port-forwarding from the workstation</span> <span class="nv">$ </span>aws ssm start-session <span class="se">\</span> <span class="nt">--target</span> i-0113d03f4713d412b <span class="nt">--document-name</span> AWS-StartPortForwardingSessionToRemoteHost <span class="se">\</span> <span class="nt">--parameters</span> <span class="s1">'{"portNumber":["9090"],"localPortNumber":["9090"],"host":["ip-10-192-0-24"]}'</span> </code></pre> </div> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpi22c48qk5a3t9qgehnn.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpi22c48qk5a3t9qgehnn.png" alt="ssm-4" width="800" height="315"></a></p> <h3> props </h3> <ul> <li>straightforward setup</li> <li>allow the user to access the instance from GUI and CLI</li> <li>does not require using or storing ssh-keys</li> <li>has built in monitoring with CloudWatch</li> <li>provides the ability to restrict access based on IAM</li> <li>support port forwarding (useful for DB access)</li> </ul> <h3> cons </h3> <ul> <li>using Ansible will be challenging(however supported)</li> <li>requires more AWS-specific knowledge than Bastion host</li> <li>in case of failure, push us to annoying debugging</li> </ul> <h2> EC2 instance connect </h2> <p>Our EC2 Instance Connect setup and configuration will be based on <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html">official documentation</a>. <br> Here are the main prerequisites we have:</p> <ul> <li>installed ec2-instance-connect packages on our host, which are not included in the default Red Hat build</li> <li>EC2 instance connect endpoint placed in the corresponding network </li> <li>open network connection to instance security group on TCP/22 </li> <li>open network connection from EC2 instance to connect security group to instances on TCP/22</li> </ul> <h3> setup </h3> <p>Based on these prerequisites content of our file is as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">ICStackProps</span> <span class="kd">extends</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">vpc</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">;</span> <span class="nl">instanceProps</span><span class="p">:</span> <span class="kr">any</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">ICStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">ICStackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">theVPC</span> <span class="o">=</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">theProps</span> <span class="o">=</span> <span class="nx">props</span><span class="p">.</span><span class="nx">instanceProps</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">iceSG</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">iceSG</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">securityGroupName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Instance Connect SG</span><span class="dl">"</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">theVPC</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> <span class="nx">iceSG</span><span class="p">.</span><span class="nf">addEgressRule</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">ipv4</span><span class="p">(</span><span class="nx">theVPC</span><span class="p">.</span><span class="nx">vpcCidrBlock</span><span class="p">),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">22</span><span class="p">),</span> <span class="dl">"</span><span class="s2">Allow outbound traffic from SG</span><span class="dl">"</span><span class="p">,</span> <span class="p">);</span> <span class="c1">// WARNING: We need outbound for package installation</span> <span class="kd">const</span> <span class="nx">iceSGtoVM</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">iceSGtoVM</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">securityGroupName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow access over instance connect</span><span class="dl">"</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">theVPC</span><span class="p">,</span> <span class="p">});</span> <span class="nx">iceSGtoVM</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span> <span class="nx">iceSG</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">22</span><span class="p">),</span> <span class="dl">"</span><span class="s2">Allow SSH traffic from iceSG</span><span class="dl">"</span><span class="p">,</span> <span class="p">);</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnInstanceConnectEndpoint</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">myInstanceConnectEndpoint</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">securityGroupIds</span><span class="p">:</span> <span class="p">[</span><span class="nx">iceSG</span><span class="p">.</span><span class="nx">securityGroupId</span><span class="p">],</span> <span class="na">subnetId</span><span class="p">:</span> <span class="nx">theVPC</span><span class="p">.</span><span class="nx">privateSubnets</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">subnetId</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">userData</span> <span class="o">=</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">UserData</span><span class="p">.</span><span class="nf">forLinux</span><span class="p">();</span> <span class="nx">userData</span><span class="p">.</span><span class="nf">addCommands</span><span class="p">(</span> <span class="dl">'</span><span class="s1">set -o xtrace</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">mkdir /tmp/ec2-instance-connect</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_amd64/ec2-instance-connect.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect.rpm</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_amd64/ec2-instance-connect-selinux.noarch.rpm -o /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">sudo yum install -y /tmp/ec2-instance-connect/ec2-instance-connect.rpm /tmp/ec2-instance-connect/ec2-instance-connect-selinux.rpm</span><span class="dl">'</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">instnace</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Instance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">instance-with-ic</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">instanceName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">instance-with-ic</span><span class="dl">'</span><span class="p">,</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="p">},</span> <span class="na">securityGroup</span><span class="p">:</span> <span class="nx">iceSGtoVM</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">detailedMonitoring</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">userData</span><span class="p">:</span> <span class="nx">userData</span><span class="p">,</span> <span class="p">...</span><span class="nx">theProps</span><span class="p">,</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">HostIP</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">instnace</span><span class="p">.</span><span class="nx">instanceId</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Public IP address of the regular host</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>As you can see, the longest part is just user-data for downloading and installing needed packages. What is important in my opinion, we always should test it before deploying it on production. In case of errors with the installation process, debugging will be hard and will require adding a bastion host with keys, and instance recreation. </p> <p>After deploying a stack(a bit longer this time), we should be able to access our instance with CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>aws ec2-instance-connect ssh <span class="nt">--instance-id</span> i-08385338c2614df28 The authenticity of host <span class="s1">'10.192.0.26 (&lt;no hostip for proxy command&gt;)'</span> can<span class="s1">'t be established. ED25519 key fingerprint is SHA256:BAxtwbZYKsK6hTJbvqOGgulGYftNQHZHMSpBkIGRTeY. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '</span>10.192.0.26<span class="s1">' (ED25519) to the list of known hosts. Register this system with Red Hat Insights: insights-client --register Create an account or view all your systems at https://red.ht/insights-dashboard [ec2-user@ip-10-192-0-26 ~]$ </span></code></pre> </div> <p>or via GUI:</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvyp3e6ti6tp0j6dbly7t.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvyp3e6ti6tp0j6dbly7t.png" alt="ic-1" width="800" height="428"></a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flpwffd4rol5wxfpouvqa.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flpwffd4rol5wxfpouvqa.png" alt="ic-2" width="800" height="847"></a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmegh93liexhguzw92xu2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmegh93liexhguzw92xu2.png" alt="ic-3" width="800" height="194"></a></p> <h3> props </h3> <ul> <li>straightforward setup</li> <li>allow the user to access the instance from GUI and CLI</li> <li>does not require using or storing ssh-keys</li> <li>has built in monitoring with CloudWatch</li> <li>provides the ability to restrict access based on IAM</li> </ul> <h3> cons </h3> <ul> <li>using Ansible will be very challenging(no official support or plugin)</li> <li>requires more AWS-specific knowledge than Bastion host</li> <li>in case of failure, push us to annoying debugging</li> </ul> <h2> Final notes </h2> <ul> <li>network setup was simplified; one AZ; 2 subnets</li> <li>security groups were to open, especially outbound rules(due to package downloading)</li> <li>SSM could be used over endpoints as well: <ul> <li>com.amazonaws.:aws-region:.ssm</li> <li>com.amazonaws.:aws-region:.ssmmessages</li> <li>com.amazonaws.:aws-region:.ssmmessages</li> </ul> </li> <li>we should use already pre-built AMI to avoid this issue</li> <li>repo as always can be find <a href="https://github.com/3sky/rhel-on-cloud">here</a> </li> </ul> <h2> Summary </h2> <p>As you can see setting up RHEL in AWS isn’t such hard, for sure it’s more expensive and requires ec2-connect-instance or SSM agent installation(Amazon Linux does not), but if we’re going to use RHEL in the cloud, probably we have good reason to do so. For example, great support, Insights, or Cloud Console, but my job was to show possibilities and do it with style.</p> aws rhel security beginners