The latest articles on DEV Community by ahn4 (@ahn4). https://dev.to/ahn4 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F541973%2Fcc144d53-98e0-408a-aacb-c5a37d7c7fa8.png https://dev.to/ahn4 en ahn4 Mon, 11 Jul 2022 02:16:03 +0000 https://dev.to/ahn4/apply-kubernetes-resources-to-aws-eks-cluster-bitbucket-pipeline-18ic https://dev.to/ahn4/apply-kubernetes-resources-to-aws-eks-cluster-bitbucket-pipeline-18ic <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwunm93fuvadb9whz7ufk.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwunm93fuvadb9whz7ufk.png" alt="Relation between EKS and Bitbucket"></a></p> <h2> Apply k8s Deployment. </h2> <p><a href="https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html" rel="noopener noreferrer">Official</a></p> <p>We'll use <a href="https://bitbucket.org/atlassian/aws-eks-kubectl-run/src/master/" rel="noopener noreferrer">this one</a> in the pipeline.</p> <p>The following is needed.</p> <ol> <li>AWS IAM.</li> <li>Role/ClusterRole and Binding.</li> </ol> <h3> AWS IAM </h3> <p>Simply create one of <code>User</code>. This user will not access to Console. We configure this user's key and token to BitBucket.</p> <p>The user should have the following policy at least.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"eks:DescribeCluster"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Role/ClusterRole and Binding. </h3> <p>2 Resources are needed to be applied.</p> <p><strong>ClusterRole</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bitbucket-cicd</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">nodes</span> <span class="pi">-</span> <span class="s">pods</span> <span class="pi">-</span> <span class="s">services</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">update</span> <span class="pi">-</span> <span class="s">patch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apps</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">deployments</span> <span class="pi">-</span> <span class="s">daemonsets</span> <span class="pi">-</span> <span class="s">statefulsets</span> <span class="pi">-</span> <span class="s">replicasets</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">update</span> <span class="pi">-</span> <span class="s">patch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">batch</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">jobs</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">update</span> <span class="pi">-</span> <span class="s">patch</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bitbucket-cicd-binding</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Group</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bitbucket-group</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bitbucket-cicd</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> </code></pre> </div> <p><code>apiGroups</code>: apiVersion is specified when we create k8s manifest. apiGroups is string up to the first slash in this version. The version should be ignored. If group name was v1 only for example, apiGroups will be empty string, We can get all of api groups, use the command <code>kubectl api-resources</code>. </p> <p><code>verbes</code>: All of verbes are <a href="https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb" rel="noopener noreferrer">here</a>.</p> <p><strong>ClusterRoleBinding</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bitbucket-cicd-binding</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Group</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bitbucket-group</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bitbucket-cicd</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> </code></pre> </div> <h4> subjects </h4> <p>Specify User, Group, or ServiceAccount to which the role is tied in this field.</p> <p><code>kind</code>: Will be User / Group / ServiceAccount.</p> <p><code>name</code>: Resource name of the kind.</p> <h3> Edit <code>aws-auth</code> </h3> <p>Map ClusterRoleBinding and IAM User.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl edit <span class="nt">-n</span> kube-system configmap/aws-auth </code></pre> </div> <p>Mapping data will be like this...<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">mapAccounts</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">[] </span> <span class="na">mapRoles</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- "userarn": "arn:aws:iam::{account id}:user/{IAM name}"</span> <span class="s">"username": "bitbucket-cicd-user" # Name you like</span> <span class="s">"groups":</span> <span class="s">- "bitbucket-group" # Group name you specified in ClusterRoleBinding</span> <span class="s">-- omit.....</span> </code></pre> </div> kubernetes aws eks bitbucket ahn4 Sat, 25 Jun 2022 13:17:48 +0000 https://dev.to/ahn4/ecs-service-launch-error-the-role-being-passed-has-the-proper-trust-relationship-and-permissions-2pd https://dev.to/ahn4/ecs-service-launch-error-the-role-being-passed-has-the-proper-trust-relationship-and-permissions-2pd <h1> Error </h1> <p>I got the following error when applied terraform.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>service xxxxx failed to launch a task with (error ECS was unable to assume the role 'xxxxx' that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role.). </code></pre> </div> <h1> How to fix </h1> <p>Added the <code>assign_public_ip</code> in terraform<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_ecs_service"</span> <span class="s2">"ecs"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">ecs_service_name</span> <span class="nx">cluster</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">ecs_cluster_name</span> <span class="nx">launch_type</span> <span class="p">=</span> <span class="s2">"FARGATE"</span> <span class="nx">desired_count</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="nx">task_definition</span> <span class="p">=</span> <span class="nx">xxxxx</span> <span class="nx">network_configuration</span> <span class="p">{</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="p">[</span><span class="nx">xxxxx</span><span class="p">]</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">xxxxx</span><span class="p">]</span> <span class="c1"># NEW</span> <span class="nx">assign_public_ip</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> terraform ecs aws ahn4 Tue, 05 Apr 2022 01:54:39 +0000 https://dev.to/ahn4/push-docker-image-to-aws-ecr-bitbucket-pipeline-2fin https://dev.to/ahn4/push-docker-image-to-aws-ecr-bitbucket-pipeline-2fin <p>We'll do the following</p> <ul> <li>Create Bitbucket repository</li> <li>Push Docker image to ECR from Bitbucket</li> <li>Configure Bitbucket pipeline.</li> </ul> <h1> Create Bitbucket repository </h1> <p>1: Created ssh key.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ssh-keygen <span class="nt">-t</span> rsa <span class="nt">-C</span> aaa@example.com </code></pre> </div> <p>2: Add pub key to bitbucket.</p> <p>3: set remote but... password is needed?</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> git remote add origin git@bitbucket.org:xxx/yyy.git git push origin master Password <span class="k">for</span> <span class="s1">'https://aaa@bitbucket.org'</span>: <span class="c"># ????</span> </code></pre> </div> <p>4: Get remote URL</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> git config <span class="nt">--get</span> remote.origin.url https://aaa@bitbucket.org/bbb/ccc.git </code></pre> </div> <p>5: This should not be https... should be git.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> git remote set-url origin git@bitbucket.org:xxxx/yyyy.git </code></pre> </div> <p>error..</p> <p>6: Specify ssh key</p> <p><a href="https://qiita.com/sonots/items/826b90b085f294f93acf" rel="noopener noreferrer">https://qiita.com/sonots/items/826b90b085f294f93acf</a></p> <h1> Push Docker image to ECR from Bitbucket </h1> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh23apole3ic6vbajal78.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh23apole3ic6vbajal78.png" alt="Image description"></a></p> <p><strong>We have to create the IAM Role of OIDC.</strong></p> <h2> Get identity provider of Bitbucket. </h2> <p>You can get the information from Bitbucket.</p> <p><code>{Your repository settings} &gt; Pipelines &gt; OpenID Connect</code></p> <p>Get the following.</p> <ul> <li><strong>Identity provider URL</strong></li> <li><strong>Audience</strong></li> </ul> <h2> AWS IAM Setting. </h2> <h3> Create provider </h3> <ul> <li>Go to <code>IAM &gt; Identity providers &gt; Add provider</code>.</li> <li>Fill in <code>Identity provider URL</code> and <code>Audience</code>.</li> </ul> <h3> Create policy </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GetAuthorizationToken"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ecr:GetAuthorizationToken"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowPushImage"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ecr:BatchCheckLayerAvailability"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ecr:InitiateLayerUpload"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ecr:UploadLayerPart"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ecr:CompleteLayerUpload"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ecr:PutImage"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:ecr:ap-northeast-1:{AWS Account ID}:repository/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Create role </h3> <ul> <li>Go to <code>IAM &gt; Role &gt; Create role</code>.</li> <li>Select <code>Web identity</code>.</li> <li>Select <code>Identity provider URL</code> and <code>Audience</code> created by previous step.</li> <li>Choose policy created in previous step.</li> </ul> <h1> Configure bitbucket pipeline. </h1> <p><a href="https://bitbucket.org/product/features/pipelines/integrations?p=atlassian/aws-ecr-push-image" rel="noopener noreferrer">Official</a></p> <p><strong>Minimum configuration</strong></p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">image</span><span class="pi">:</span> <span class="s">atlassian/default-image:2</span> <span class="na">definitions</span><span class="pi">:</span> <span class="na">script</span><span class="pi">:</span> <span class="nl">&amp;ecrScript</span> <span class="pi">-</span> <span class="s">docker build -t $REPO_NAME .</span> <span class="pi">-</span> <span class="na">pipe</span><span class="pi">:</span> <span class="s">atlassian/aws-ecr-push-image:1.5.0</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">AWS_OIDC_ROLE_ARN</span><span class="pi">:</span> <span class="s">$OIDC_ROLE_ARN</span> <span class="na">IMAGE_NAME</span><span class="pi">:</span> <span class="s">$IMAGE_NAME</span> <span class="na">TAGS</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${BITBUCKET_TAG}</span><span class="nv"> </span><span class="s">build-$BITBUCKET_BUILD_NUMBER</span><span class="nv"> </span><span class="s">latest"</span> <span class="na">pipelines</span><span class="pi">:</span> <span class="na">custom</span><span class="pi">:</span> <span class="na">build-custom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">step</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to ECR</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker</span> <span class="na">oidc</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">script</span><span class="pi">:</span> <span class="nv">*ecrScript</span> </code></pre> </div> <p><strong>NOTE</strong></p> <p><code>AWS_DEFAULT_REGION</code> must be configured as Variable. Otherwise we will get the error <code>ValueError: Invalid endpoint: https://api.ecr..amazonaws.com</code>. Please check official document.</p> aws kubernetes bitbucket ahn4 Thu, 24 Mar 2022 16:35:55 +0000 https://dev.to/ahn4/kubernetes-problem-related-to-m1-chip-mac-4lem https://dev.to/ahn4/kubernetes-problem-related-to-m1-chip-mac-4lem <h2> What happened </h2> <p><code>standard_init_linux.go:228: exec user process caused: exec format error</code></p> <h2> When </h2> <p>When I Apply Deployment.</p> <h2> Why </h2> <p>Docker image created by M1 Chip didn't work properly.</p> <h2> How to resolve </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># it will not work</span> docker build <span class="nt">-t</span> <span class="o">{</span>tag name<span class="o">}</span> <span class="nb">.</span> <span class="c"># it will work.</span> docker build <span class="nt">--platform</span><span class="o">=</span>linux/amd64 <span class="nt">-t</span> <span class="o">{</span>tag name<span class="o">}</span> <span class="nb">.</span> </code></pre> </div> <p><a href="https://stackoverflow.com/questions/42494853/standard-init-linux-go178-exec-user-process-caused-exec-format-error">cf</a></p>