DEV Community: César M. Cristóbal The latest articles on DEV Community by César M. Cristóbal (@jilgue). https://dev.to/jilgue https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F812900%2F2dc044ea-1f10-4075-8382-b8170f10e962.jpeg DEV Community: César M. Cristóbal https://dev.to/jilgue en Secrets in ArgoCD with Sops César M. Cristóbal Wed, 07 Sep 2022 06:46:46 +0000 https://dev.to/callepuzzle/secrets-in-argocd-with-sops-fc9 https://dev.to/callepuzzle/secrets-in-argocd-with-sops-fc9 <p><a href="https://argoproj.github.io/cd/">ArgoCD</a> is a tool that implements the gitops philosophy for deploying applications on Kubernetes. It is a declarative, Git-based deployment system that uses a simple, human-readable manifest file to define the desired state of your application. In this article, we will explore how to use ArgoCD with <a href="https://github.com/mozilla/sops">Sops</a> to manage secrets in a gitops workflow.</p> <p>We use <a href="https://github.com/mozilla/sops#encrypting-using-gcp-kms">sops with GCP KMS</a>, the first thing we need is a service account with <code>roles/cloudkms.cryptoKeyDecrypter</code> role and create a secret on Kubernetes:</p> <p><code>kubectl create secret generic google-sa --from-file sa.json</code></p> <p>The idea is to use Argo <a href="https://argo-cd.readthedocs.io/en/stable/user-guide/config-management-plugins/">Config Management Plugin</a> to decrypt the secret and generate a plane yaml with all Kubernetes objects (deployment, services, ...) and use <a href="https://argo-cd.readthedocs.io/en/stable/operator-manual/custom_tools/">Cumstom Tooling</a> to install Sops and other tools required.</p> <p>In the process we have encountered several problems, and one of them is that it is necessary to use yq to correctly format the output yamls and avoid errors such as: <code>error converting YAML to JSON: yaml: line 4: did not find expected ',' or ']'.</code></p> <p>These are the values to install argo-cd by Helm. Configuration assumes that all secrets are in <code>secrets.enc</code> file coding with yaml.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">configManagementPlugins</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- name: sops</span> <span class="s">init:</span> <span class="s">command: ["/bin/sh", "-c"]</span> <span class="s">args: ["echo '---' &gt; secrets.yaml &amp;&amp; sops -d --input-type yaml --output-type yaml secrets.enc &gt;&gt; secrets.yaml"]</span> <span class="s">generate:</span> <span class="s">command: ["/bin/sh", "-c"]</span> <span class="s">args: ["source /virtualenv-python/bin/activate; pip install yq; cat *.yaml | yq -y"]</span> <span class="na">repoServer</span><span class="pi">:</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">custom-tools</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">virtualenv-python</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">google-sa</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">google-sa</span> <span class="na">items</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">sa.json</span> <span class="na">path</span><span class="pi">:</span> <span class="s">sa.json</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/usr/local/bin/sops</span> <span class="na">name</span><span class="pi">:</span> <span class="s">custom-tools</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">sops</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/usr/local/bin/jq</span> <span class="na">name</span><span class="pi">:</span> <span class="s">custom-tools</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">jq</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/etc/secrets/sa.json</span> <span class="na">name</span><span class="pi">:</span> <span class="s">google-sa</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">sa.json</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/virtualenv-python</span> <span class="na">name</span><span class="pi">:</span> <span class="s">virtualenv-python</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">GOOGLE_APPLICATION_CREDENTIALS</span> <span class="na">value</span><span class="pi">:</span> <span class="s">/etc/secrets/sa.json</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">custom-tools</span> <span class="na">image</span><span class="pi">:</span> <span class="s">alpine:3.8</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/sh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">]</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">wget https://github.com/mozilla/sops/releases/download/v3.7.3/sops-v3.7.3.linux.amd64;</span> <span class="s">chmod a+x sops-v3.7.3.linux.amd64;</span> <span class="s">mv sops-v3.7.3.linux.amd64 /custom-tools/sops;</span> <span class="s">wget https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64;</span> <span class="s">chmod a+x jq-linux64;</span> <span class="s">mv jq-linux64 /custom-tools/jq;</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/custom-tools</span> <span class="na">name</span><span class="pi">:</span> <span class="s">custom-tools</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">virtualenv-python</span> <span class="na">image</span><span class="pi">:</span> <span class="s">python:3.7</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/sh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">]</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">python3 -m venv /virtualenv-python</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/virtualenv-python</span> <span class="na">name</span><span class="pi">:</span> <span class="s">virtualenv-python</span> </code></pre> </div> <p><code>helm upgrade sops argo/argo-cd --values values-sops.yaml</code></p> <p>And an application example to try it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secrets</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/Callepuzzle/manifests</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">path</span><span class="pi">:</span> <span class="s">poc-argocd</span> <span class="na">plugin</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sops</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">server</span><span class="pi">:</span> <span class="s1">'</span><span class="s">https://kubernetes.default.svc'</span> </code></pre> </div> tutorial kubernetes security cicd Grafana multi-tenant configuration with Terraform César M. Cristóbal Fri, 11 Feb 2022 12:08:08 +0000 https://dev.to/callepuzzle/grafana-multi-tenant-configuration-with-terraform-1d49 https://dev.to/callepuzzle/grafana-multi-tenant-configuration-with-terraform-1d49 <p>A way to configure a multi-tenant environment in Grafana is to use organization to split each tenant. But, how can I configure this by IaC?</p> <p>Grafana provides an active provisioning system that uses config files. Data sources and dashboards can be defined via files which are version controlled.</p> <p>There are many tools to manage these config files:</p> <ul> <li><a href="https://forge.puppet.com/puppet/grafana">Puppet</a></li> <li><a href="https://github.com/cloudalchemy/ansible-grafana">Ansible</a></li> <li><a href="https://github.com/JonathanTron/chef-grafana">Chef</a></li> <li><a href="https://github.com/salt-formulas/salt-formula-grafana">Saltstack</a></li> <li><a href="https://github.com/grafana/grafonnet-lib/">Jsonnet</a></li> </ul> <p>Grafana provisioning allows the configuration of data sources, plugins, dashboards and alert notification channels. All of these “objects” can be created in a specific organization.</p> <blockquote> <p>This is great, what else would you like?<br> I would like a little bit more. What happens with the organization or the users? Can I configure them by IaC?<br> Yes, you can, and Terraform is going to help with that.</p> </blockquote> <h2> Grafana provider </h2> <p>Grafana has an <a href="https://registry.terraform.io/providers/grafana/grafana/latest/docs">official Terraform provider</a> which includes resources for <a href="https://registry.terraform.io/providers/grafana/grafana/latest/docs/resources/user">users</a> and <a href="https://registry.terraform.io/providers/grafana/grafana/latest/docs/resources/organization">organizations</a>.</p> <h2> Multi-tenant configuration </h2> <p>For managing resources in different organizations with Terraform you have to configure Grafana’s provider with the organization ID.</p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">provider</span> <span class="s2">"grafana"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"http://127.0.0.1:3000"</span> <span class="nx">auth</span> <span class="p">=</span> <span class="s2">"admin:admin"</span> <span class="nx">org_id</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> </code></pre> </div> <p>So, the idea is having two different providers using <a href="https://www.terraform.io/language/providers/configuration#alias-multiple-provider-configurations">alias</a>. The first creates an organization and an admin user with the principal admin user. And the second uses organization and users created in the previous step.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">provider</span> <span class="s2">"grafana"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"http://127.0.0.1:3000"</span> <span class="nx">auth</span> <span class="p">=</span> <span class="s2">"admin:admin"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"admin"</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"grafana"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"http://127.0.0.1:3000"</span> <span class="nx">auth</span> <span class="p">=</span> <span class="s2">"admin_org_2:pass_org_2"</span> <span class="nx">org_id</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"config"</span> <span class="p">}</span> </code></pre> </div> <h2> Full example </h2> <p>Enough theory, let’s take a practical example. For this you need:</p> <ul> <li><a href="https://www.terraform.io/downloads">Terraform</a></li> <li><a href="https://kind.sigs.k8s.io/">Kind</a></li> <li>Cloning this repository: <a href="https://github.com/jilgue/medium-grafana-multi-tenant">https://github.com/jilgue/medium-grafana-multi-tenant</a> </li> <li> <a href="https://github.com/sbstp/kubie">Kubie</a> (not necessary)</li> </ul> <p>Deploy Grafana in Kubernetes cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ kind create cluster $ kubie ctx kind-kind $ cd 010-environment/010-grafana $ terraform init $ terraform apply $ terraform output admin_password $ kubectl port-forward service/grafana 3000 </code></pre> </div> <p>Our Grafana is accessible from <a href="http://127.0.0.1:3000">http://127.0.0.1:3000</a>. Let’s create a new organization with its admin user and resources (a folder for this example)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ cd ../../020-client-1/010-grafana-config/ $ terraform init $ terraform apply $ terraform output password </code></pre> </div> <p>Now logging with admin or client-1 user and switching the organization we will see the folder created.</p> <p><a href="http://localhost:3000/dashboards?orgId=2">http://localhost:3000/dashboards?orgId=2</a></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--0SzGGwCX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/113fg0t1l8e5rjjsil5w.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--0SzGGwCX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/113fg0t1l8e5rjjsil5w.png" alt="http://localhost:3000/dashboards?orgId=2" width="536" height="359"></a></p> grafana terraform How to create custom pod with Kubebuilder César M. Cristóbal Fri, 11 Feb 2022 11:59:55 +0000 https://dev.to/callepuzzle/how-to-create-custom-pod-with-kubebuilder-bd7 https://dev.to/callepuzzle/how-to-create-custom-pod-with-kubebuilder-bd7 <p>In this post we’ll implement a simple Kubernetes controller using the <a href="https://github.com/kubernetes-sigs/kubebuilder">kubebuilder</a>.</p> <p>Kubebuilder has a <a href="https://book.kubebuilder.io/">book</a> but I think that it is too complex for beginning users. I’m going to try to do it easier. We’ll implement a simple operator which manage a pod.</p> <h2> Install Kubebuilder </h2> <p>Kubebuilder doesn’t support Go 1.17, so we need to install Go 1.16. I decided to use <a href="https://github.com/syndbg/goenv">goenv</a> to manager Go versions.</p> <ul> <li>Remove previous Go version</li> <li>Install goenv: <a href="https://github.com/syndbg/goenv/blob/master/INSTALL.md">Install goenv: https://github.com/syndbg/goenv/blob/master/INSTALL.md</a> </li> <li>Install Go 1.16: <code>$ goenv install 1.16.8</code> </li> <li>Use this version: <code>$ goenv global 1.16.8</code> </li> <li>Install Kubebuilder: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ curl -L -o ~/.local/bin/kubebuilder https://go.kubebuilder.io/dl/latest/$(go env GOOS)/$(go env GOARCH) $ chmod a+x ~/.local/bin/kubebuilder </code></pre> </div> <h2> Initialize a project and create new API </h2> <p>We have to follow three steps to create a new white project with one custom resource.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ mkdir medium-kubebuilder-pod $ cd !$ $ git init $ go mod init simplepod $ kubebuilder init --domain callepuzzle.com $ git add . $ git commit -m "init" $ kubebuilder create api --group medium --version v1alpha1 --kind SimplePod $ git add . $ git commit -m "create api" </code></pre> </div> <p>Great, we have all the necessary scaffolding for our project.</p> <p>If we now run <code>make install</code>, kubebuilder should generate the base CRDs under <code>config/crd/bases</code> and a few other files for us. Running <code>make run</code> should now allow us to launch the operator locally.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ make install /home/cesar/projects/k8s-operator/medium-kubebuilder-pod/bin/controller-gen "crd:trivialVersions=true,preserveUnknownFields=false" rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases go: creating new go.mod: module tmp Downloading sigs.k8s.io/kustomize/kustomize/v3@v3.8.7 go get: added sigs.k8s.io/kustomize/kustomize/v3 v3.8.7 /home/cesar/projects/k8s-operator/medium-kubebuilder-pod/bin/kustomize build config/crd | kubectl apply -f - customresourcedefinition.apiextensions.k8s.io/simplepods.medium.callepuzzle.com created$ kubectl get customresourcedefinitions.apiextensions.k8s.io simplepods.medium.callepuzzle.com NAME CREATED AT simplepods.medium.callepuzzle.com 2021-10-13T15:47:52Z$ kubectl apply -f config/samples/medium_v1alpha1_simplepod.yaml$ kubectl get simplepods.medium.callepuzzle.com NAME AGE simplepod-sample 9s </code></pre> </div> <p>Ok, we can create “simplepod” resources but it doesn’t do anything, doesn’t have any logic.</p> <h2> Make our custom resource </h2> <p>In <code>api/v1alpha1/simplepod_types.go</code> is defined struct of our resource.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ git diff api/v1alpha1/simplepod_types.go config/samples/medium_v1alpha1_simplepod.yaml diff --git a/api/v1alpha1/simplepod_types.go b/api/v1alpha1/simplepod_types.go index f5f3fde..e4f0630 100644 --- a/api/v1alpha1/simplepod_types.go +++ b/api/v1alpha1/simplepod_types.go @@ -29,7 +29,7 @@ type SimplePodSpec struct { // Important: Run "make" to regenerate code after modifying this file // Foo is an example field of SimplePod. Edit simplepod_types.go to remove/update - Foo string `json:"foo,omitempty"` + Command string `json:"command,omitempty"` } // SimplePodStatus defines the observed state of SimplePod diff --git a/config/samples/medium_v1alpha1_simplepod.yaml b/config/samples/medium_v1alpha1_simplepod.yaml index 671c617..dd8cda0 100644 --- a/config/samples/medium_v1alpha1_simplepod.yaml +++ b/config/samples/medium_v1alpha1_simplepod.yaml @@ -4,4 +4,4 @@ metadata: name: simplepod-sample spec: # Add fields here - foo: bar + command: ls </code></pre> </div> <p>Every time we change the struct of our resource we have to run make install to regenerate the manifests.</p> <p>Now, we implement the logic of our operator. Create a pod object and execute the command given by simplepod object.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ git diff controllers/simplepod_controller.go diff --git a/controllers/simplepod_controller.go b/controllers/simplepod_controller.go index 2f13668..89b63d0 100644 --- a/controllers/simplepod_controller.go +++ b/controllers/simplepod_controller.go @@ -18,7 +18,10 @@ package controllers import ( "context" + "strings" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" @@ -36,6 +39,7 @@ type SimplePodReconciler struct { //+kubebuilder:rbac:groups=medium.callepuzzle.com,resources=simplepods,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=medium.callepuzzle.com,resources=simplepods/status,verbs=get;update;patch //+kubebuilder:rbac:groups=medium.callepuzzle.com,resources=simplepods/finalizers,verbs=update +//+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. @@ -47,16 +51,62 @@ type SimplePodReconciler struct { // For more details, check Reconcile and its Result here: // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.8.3/pkg/reconcile func (r *SimplePodReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { - _ = log.FromContext(ctx) + log := log.FromContext(ctx) - // your logic here + var instance mediumv1alpha1.SimplePod + errGet := r.Get(ctx, req.NamespacedName, &amp;instance) + if errGet != nil { + log.Error(errGet, "Error getting instance") + return ctrl.Result{}, client.IgnoreNotFound(errGet) + } + + pod := NewPod(&amp;instance) + + _, errCreate := ctrl.CreateOrUpdate(ctx, r.Client, pod, func() error { + return ctrl.SetControllerReference(&amp;instance, pod, r.Scheme) + }) + + if errCreate != nil { + log.Error(errCreate, "Error creating pod") + return ctrl.Result{}, nil + } + + err := r.Status().Update(context.TODO(), &amp;instance) + if err != nil { + return ctrl.Result{}, err + } return ctrl.Result{}, nil } +func NewPod(pod *mediumv1alpha1.SimplePod) *corev1.Pod { + labels := map[string]string{ + "app": pod.Name, + } + + return &amp;corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: pod.Name, + Namespace: pod.Namespace, + Labels: labels, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "busybox", + Image: "busybox", + Command: strings.Split(pod.Spec.Command, " "), + }, + }, + RestartPolicy: corev1.RestartPolicyOnFailure, + }, + } +} + // SetupWithManager sets up the controller with the Manager. func (r *SimplePodReconciler) SetupWithManager(mgr ctrl.Manager) error { return ctrl.NewControllerManagedBy(mgr). For(&amp;mediumv1alpha1.SimplePod{}). + Owns(&amp;corev1.Pod{}). Complete(r) } </code></pre> </div> <p>Every time we change the struct of our resource we have to run make install to regenerate the manifests.</p> <p>Now, we implement the logic of our operator. Create a pod object and execute the command given by simplepod object.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ git diff controllers/simplepod_controller.go diff --git a/controllers/simplepod_controller.go b/controllers/simplepod_controller.go index 2f13668..89b63d0 100644 --- a/controllers/simplepod_controller.go +++ b/controllers/simplepod_controller.go @@ -18,7 +18,10 @@ package controllers import ( "context" + "strings" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" @@ -36,6 +39,7 @@ type SimplePodReconciler struct { //+kubebuilder:rbac:groups=medium.callepuzzle.com,resources=simplepods,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=medium.callepuzzle.com,resources=simplepods/status,verbs=get;update;patch //+kubebuilder:rbac:groups=medium.callepuzzle.com,resources=simplepods/finalizers,verbs=update +//+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. @@ -47,16 +51,62 @@ type SimplePodReconciler struct { // For more details, check Reconcile and its Result here: // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.8.3/pkg/reconcile func (r *SimplePodReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { - _ = log.FromContext(ctx) + log := log.FromContext(ctx) - // your logic here + var instance mediumv1alpha1.SimplePod + errGet := r.Get(ctx, req.NamespacedName, &amp;instance) + if errGet != nil { + log.Error(errGet, "Error getting instance") + return ctrl.Result{}, client.IgnoreNotFound(errGet) + } + + pod := NewPod(&amp;instance) + + _, errCreate := ctrl.CreateOrUpdate(ctx, r.Client, pod, func() error { + return ctrl.SetControllerReference(&amp;instance, pod, r.Scheme) + }) + + if errCreate != nil { + log.Error(errCreate, "Error creating pod") + return ctrl.Result{}, nil + } + + err := r.Status().Update(context.TODO(), &amp;instance) + if err != nil { + return ctrl.Result{}, err + } return ctrl.Result{}, nil } +func NewPod(pod *mediumv1alpha1.SimplePod) *corev1.Pod { + labels := map[string]string{ + "app": pod.Name, + } + + return &amp;corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: pod.Name, + Namespace: pod.Namespace, + Labels: labels, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "busybox", + Image: "busybox", + Command: strings.Split(pod.Spec.Command, " "), + }, + }, + RestartPolicy: corev1.RestartPolicyOnFailure, + }, + } +} + // SetupWithManager sets up the controller with the Manager. func (r *SimplePodReconciler) SetupWithManager(mgr ctrl.Manager) error { return ctrl.NewControllerManagedBy(mgr). For(&amp;mediumv1alpha1.SimplePod{}). + Owns(&amp;corev1.Pod{}). Complete(r) } </code></pre> </div> <p>Then, install our changes and run the operator:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ go get k8s.io/api/core/v1@v0.20.2 $ make install $ kubectl delete -f config/samples/medium_v1alpha1_simplepod.yaml $ kubectl apply -f config/samples/medium_v1alpha1_simplepod.yaml $ make run (in another terminal) $ kubectl get pod NAME READY STATUS RESTARTS AGE simplepod-sample 0/1 Completed 0 3s $ kubectl logs simplepod-sample bin dev etc home proc root sys tmp usr var </code></pre> </div> <p>Entire final code: <a href="https://github.com/jilgue/medium-kubebuilder-pod">https://github.com/jilgue/medium-kubebuilder-pod</a></p> kubernetes go Running Nextcloud on OPNsense César M. Cristóbal Fri, 11 Feb 2022 11:52:26 +0000 https://dev.to/callepuzzle/running-nextcloud-on-opnsense-1gl0 https://dev.to/callepuzzle/running-nextcloud-on-opnsense-1gl0 <p>In this article we’re going to see how to run <a href="https://nextcloud.com/" rel="noopener noreferrer">Nextcloud</a> on a <a href="https://opnsense.org/" rel="noopener noreferrer">OPNsense</a>.</p> <p>The first question is:</p> <h2> Why do you do this? </h2> <p>Well, I haven’t used Google services for many years, except maps. I haven’t found a good alternative to Google Maps. I had a Nextcloud installed on a virtual machine hosted in <a href="https://www.hetzner.com/cloud" rel="noopener noreferrer">Hetzner</a>. It’s ok, it worked perfectly. But I needed more resources, more space for photos and videos, so I decided to migrate Nextcloud to my home.</p> <p>I have a OPNsense router and firewall for my home. It has enough memory, so why have another device running when I can just use Nextcloud?</p> <p>The next question is:</p> <h2> Can OPNsense run Nextcloud? </h2> <p>At first, I thought about using Docker, but the <a href="https://github.com/kvasdopil/docker" rel="noopener noreferrer">FreeBSD port of Docker project</a> hasn’t been updated in 6 years.</p> <p>The second idea was to try to install Nextcloud on FreeBSD using the <a href="https://github.com/opnsense/ports" rel="noopener noreferrer">OPNsense ports</a>. Bad idea. Nextcloud has a lot of dependencies, it’s too complex to install and impossible to maintain.</p> <p>And then I found this article <a href="https://yom.iaelu.net/2020/05/freebsd-using-docker-and-kubernetes/" rel="noopener noreferrer">https://yom.iaelu.net/2020/05/freebsd-using-docker-and-kubernetes/</a>. Really? Can I have a virtual machine inside OPNsense and run Docker inside this virtual machine?</p> <p>Perfect, welcome to Inception.</p> <h2> Create a Debian virtual machine </h2> <p>The project we’re going to use is <a href="https://github.com/churchers/vm-bhyve" rel="noopener noreferrer">https://github.com/churchers/vm-bhyve</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># cd /usr/ports/sysutils/vm-bhyve/ # make install clean # cd /usr/ports/sysutils/grub2-bhyve/ # make install clean # sysrc vm_enable="YES" # mkdir -p /srv/vm # sysrc vm_dir="/srv/vm" # vm init # curl -o /srv/vm/.templates/debian.conf https://raw.githubusercontent.com/churchers/vm-bhyve/master/sample-templates/debian.conf # vm switch create -p -a 192.168.23.0/24 bridge # vm create -t debian -s 80G debian </code></pre> </div> <p>Ok, at this point we need to enabled the interface created by vm-bhyve and to allow the network traffic in OPNsense.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy972t6ul74xbvb4djy3y.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy972t6ul74xbvb4djy3y.png" alt="opnsense interfaces"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F79zqy2x4o4mx9hku64xw.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F79zqy2x4o4mx9hku64xw.png" alt="opnsense ip configuration"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F31mefvtwtg4bv5qtpz2g.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F31mefvtwtg4bv5qtpz2g.png" alt="opnsense firewall"></a></p> <p>All ready to install Debian:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># vm install debian debian-10.9.0-amd64-netinst.iso # vm console debian </code></pre> </div> <p>In the network configuration step, we have to select manual configuration and set a static IP.</p> <h2> Install Nextcloud </h2> <p>Perfect, we have a Debian machine with its own IP. The good thing about this method is that I can use the same Ansible playbook to install Nextcloud that I used in previous machine hosted in Hetzner:</p> <p>[In the network configuration step, we have to select manual configuration and set a static IP.<br> Install Nextcloud</p> <p>Perfect, we have a Debian machine with its own IP. The good thing about this method is that I can use the same Ansible playbook to install Nextcloud that I used in previous machine hosted in Hetzner:</p> <p><a href="https://github.com/CallePuzzle/ansible-playbook-nextcloud-debian" rel="noopener noreferrer">https://github.com/CallePuzzle/ansible-playbook-nextcloud-debian</a></p> linux freebsd nextcloud Switchable graphics Nvidia / Intel in Linux César M. Cristóbal Fri, 11 Feb 2022 11:38:56 +0000 https://dev.to/callepuzzle/switchable-graphics-nvidia-intel-in-linux-2jld https://dev.to/callepuzzle/switchable-graphics-nvidia-intel-in-linux-2jld <p>Many laptops have two graphics; Intel, which saves power, and Nvidia, which gives better performance.</p> <p>There are <a href="https://wiki.archlinux.org/title/NVIDIA_Optimus#Use_switchable_graphics">several options</a> to use switchable graphics, PRIME, Bumblebee, nvidia-xrun…</p> <p>None of these programs functions perfectly, there is always a problem. For example, Nvidia is still active in the background so there is not any power saving or Nvidia works but with any issue (games in Steam doesn’t work or not well)</p> <p>At the end I choose to play any video game and then find a way to disable Nvidia when I want.</p> <p>Following <a href="https://wiki.archlinux.org/title/NVIDIA#DRM_kernel_mode_setting">Archlinux Nvidia guide</a>, I created an Ansible playbook to enable and disable Nvidia<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Nvidia DRM switch (disable)</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">localhost</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">tasks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">X11</span> <span class="na">ansible.builtin.file</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/X11/xorg.conf.d/10-nvidia-drm-outputclass.conf</span> <span class="na">state</span><span class="pi">:</span> <span class="s">absent</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SDDM</span> <span class="na">blockinfile</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/usr/share/sddm/scripts/Xsetup</span> <span class="na">insertafter</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">#!/bin/sh</span> <span class="s"># Xsetup - run as root before the login dialog appears</span> <span class="na">block</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">GRUB</span> <span class="na">ansible.builtin.lineinfile</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/default/grub</span> <span class="na">regexp</span><span class="pi">:</span> <span class="s1">'</span><span class="s">^GRUB_CMDLINE_LINUX_DEFAULT='</span> <span class="na">line</span><span class="pi">:</span> <span class="s">GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet resume=/dev/mapper/Vol-swap"</span> <span class="na">register</span><span class="pi">:</span> <span class="s">grub</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Modules</span> <span class="na">ansible.builtin.lineinfile</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/mkinitcpio.conf</span> <span class="na">regexp</span><span class="pi">:</span> <span class="s1">'</span><span class="s">^MODULES='</span> <span class="na">line</span><span class="pi">:</span> <span class="s">MODULES=()</span> <span class="na">register</span><span class="pi">:</span> <span class="s">modules</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Backlist modules</span> <span class="na">blockinfile</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/modprobe.d/blacklist.conf</span> <span class="na">block</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">blacklist nvidia</span> <span class="s">blacklist nvidia_modeset</span> <span class="s">blacklist nvidia_uvm</span> <span class="s">blacklist nvidia_drm</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Re-generate the grub.cfg</span> <span class="na">ansible.builtin.command</span><span class="pi">:</span> <span class="s">grub-mkconfig -o /boot/grub/grub.cfg</span> <span class="na">when</span><span class="pi">:</span> <span class="s">grub.changed</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Re-generate image</span> <span class="na">ansible.builtin.command</span><span class="pi">:</span> <span class="s">mkinitcpio -P</span> <span class="na">when</span><span class="pi">:</span> <span class="s">modules.changed</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Nvidia DRM switch (enable)</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">localhost</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">tasks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">X11</span> <span class="na">ansible.builtin.copy</span><span class="pi">:</span> <span class="na">src</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">playbook_dir</span><span class="nv"> </span><span class="s">}}/10-nvidia-drm-outputclass.conf"</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">/etc/X11/xorg.conf.d/10-nvidia-drm-outputclass.conf</span> <span class="na">owner</span><span class="pi">:</span> <span class="s">root</span> <span class="na">group</span><span class="pi">:</span> <span class="s">root</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0644'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SDDM</span> <span class="na">blockinfile</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/usr/share/sddm/scripts/Xsetup</span> <span class="na">insertafter</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">#!/bin/sh</span> <span class="s"># Xsetup - run as root before the login dialog appears</span> <span class="na">block</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">xrandr --setprovideroutputsource modesetting NVIDIA-0</span> <span class="s">xrandr --auto</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">GRUB</span> <span class="na">ansible.builtin.lineinfile</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/default/grub</span> <span class="na">regexp</span><span class="pi">:</span> <span class="s1">'</span><span class="s">^GRUB_CMDLINE_LINUX_DEFAULT='</span> <span class="na">line</span><span class="pi">:</span> <span class="s">GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet resume=/dev/mapper/Vol-swap nvidia-drm.modeset=1"</span> <span class="na">register</span><span class="pi">:</span> <span class="s">grub</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Modules</span> <span class="na">ansible.builtin.lineinfile</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/mkinitcpio.conf</span> <span class="na">regexp</span><span class="pi">:</span> <span class="s1">'</span><span class="s">^MODULES='</span> <span class="na">line</span><span class="pi">:</span> <span class="s">MODULES=(nvidia nvidia_modeset nvidia_uvm nvidia_drm)</span> <span class="na">register</span><span class="pi">:</span> <span class="s">modules</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Re-generate the grub.cfg</span> <span class="na">ansible.builtin.command</span><span class="pi">:</span> <span class="s">grub-mkconfig -o /boot/grub/grub.cfg</span> <span class="na">when</span><span class="pi">:</span> <span class="s">grub.changed</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Re-generate image</span> <span class="na">ansible.builtin.command</span><span class="pi">:</span> <span class="s">mkinitcpio -P</span> <span class="na">when</span><span class="pi">:</span> <span class="s">modules.changed</span> </code></pre> </div> <p>The changes require a reboot the laptop but since I don’t play every day this issue is acceptable for me.</p> <p>There are two more commands to execute when you are using the battery:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># echo '\_SB.PCI0.PEG0.PEGP._OFF' &gt; /proc/acpi/call</span> <span class="c"># rmmod nvidia</span> </code></pre> </div> <p>These commands increase three or four hour using the battery, I will research how to add them to my <code>/etc/acpi/handler.sh</code> <a href="https://dev.to/callepuzzle/how-to-save-power-consumption-in-linux-4a2e">script</a> to run automatically.</p> linux laptop How to save power consumption in Linux César M. Cristóbal Fri, 11 Feb 2022 11:31:50 +0000 https://dev.to/callepuzzle/how-to-save-power-consumption-in-linux-4a2e https://dev.to/callepuzzle/how-to-save-power-consumption-in-linux-4a2e <p><a href="https://wiki.archlinux.org/title/Powertop">Powertop</a> is a great tool to save battery power and with the help of another tool, <a href="https://wiki.archlinux.org/title/Acpid">acpid</a>, to observe the acpi event and configure it automatically.</p> <p>Acpid comes with predefined actions for triggered events. By default, these actions are defined in <code>/etc/acpi/handler.sh</code></p> <p>The action “ac_adapter” has a default option<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>*) logger "ACPI action undefined: $2" </code></pre> </div> <p>So, whether or not you are plugged in the ac, you can see the log with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>journalctl -f ene 12 20:54:49 msi root[3888]: ACPI action undefined: ACPI0003:00 </code></pre> </div> <p>In this case you must to change the <code>/etc/acpi/handler.sh</code> with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ac_adapter) case "$2" in ACPI0003:00) </code></pre> </div> <p>Saving the changes and unplug the ac, the following appears in the log:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ene 12 21:00:31 msi root[6101]: AC unpluged </code></pre> </div> <p>The change works. Now you can add the powertop commands. This is my <code>handler.sh</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ac_adapter) case "$2" in ACPI0003:00) case "$4" in 00000000) powertop --auto-tune echo 'on' &gt; '/sys/bus/usb/devices/3-2/power/control' # USB USB Receiver [Logitech] echo 'enabled' &gt; '/sys/class/net/wlo1/device/power/wakeup' echo 'enabled' &gt; '/sys/bus/usb/devices/usb1/power/wakeup' echo 'enabled' &gt; '/sys/bus/usb/devices/usb2/power/wakeup' echo 'enabled' &gt; '/sys/bus/usb/devices/usb3/power/wakeup' echo 'enabled' &gt; '/sys/bus/usb/devices/usb4/power/wakeup' echo 'enabled' &gt; '/sys/bus/usb/devices/3-2/power/wakeup' echo 'enabled' &gt; '/sys/bus/usb/devices/3-5/power/wakeup' echo 'enabled' &gt; '/sys/bus/usb/devices/3-10/power/wakeup' logger 'AC unpluged' ;; 00000001) echo 'disabled' &gt; '/sys/class/net/wlo1/device/power/wakeup' echo 'disabled' &gt; '/sys/bus/usb/devices/usb1/power/wakeup' echo 'disabled' &gt; '/sys/bus/usb/devices/usb2/power/wakeup' echo 'disabled' &gt; '/sys/bus/usb/devices/usb3/power/wakeup' echo 'disabled' &gt; '/sys/bus/usb/devices/usb4/power/wakeup' echo 'disabled' &gt; '/sys/bus/usb/devices/3-2/power/wakeup' echo 'disabled' &gt; '/sys/bus/usb/devices/3-5/power/wakeup' echo 'disabled' &gt; '/sys/bus/usb/devices/3-10/power/wakeup' logger 'AC pluged' ;; </code></pre> </div> <p>Remember, this doesn’t work if you start the laptop without an ac. How do you solve it?<br> Inspired by the following <a href="https://bbs.archlinux.org/viewtopic.php?id=139980">post</a> I created a new systemd unit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/usr/lib/systemd/system/acpid-boot.service [Unit] Description=ACPI boot handle Documentation=man:acpid(8) [Service] Type=oneshot ExecStart=/usr/local/sbin/acpi-boot-handle.sh [Install] WantedBy=multi-user.target </code></pre> </div> <p>And the script <code>/usr/local/sbin/acpi-boot-handle.sh</code> contains:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="k">if</span> <span class="o">[[</span> <span class="si">$(</span>acpi <span class="nt">-a</span> | <span class="nb">grep </span>on<span class="si">)</span> <span class="o">]]</span> <span class="k">then </span><span class="nv">onBit</span><span class="o">=</span>1 <span class="k">else </span><span class="nv">onBit</span><span class="o">=</span>0 <span class="k">fi</span> /etc/acpi/handler.sh ac_adapter ACPI0003:00 foo 0000000<span class="nv">$onBit</span> </code></pre> </div> <p>In this way you simulate the acpi action when the laptop starts.</p> <p>In my case a MSI Modern 14 the battery has 3 hours more when all of the powertop options are enabled.</p> linux laptop Como ejecutar varios tests en Terratest César M. Cristóbal Fri, 11 Feb 2022 09:31:27 +0000 https://dev.to/callepuzzle/como-ejecutar-varios-tests-en-terratest-4l8o https://dev.to/callepuzzle/como-ejecutar-varios-tests-en-terratest-4l8o <p>Terratest es un framework para ejecutar test en Terraform. En este caso yo tenía un módulo muy sencillo que compone un nombre y quería probar que todas las posibles entradas funcionasen.</p> <p>A la hora de ejecutar varios tests en Terratest, lo primero que se me vino a la cabeza fue crear varias funciones con cada caso que quería probar:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">test</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"testing"</span> <span class="s">"github.com/gruntwork-io/terratest/modules/terraform"</span> <span class="s">"github.com/stretchr/testify/assert"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">TestTerraformComplete</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Parallel</span><span class="p">()</span> <span class="n">terraformOptions</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">terraform</span><span class="o">.</span><span class="n">Options</span><span class="p">{</span> <span class="n">TerraformDir</span><span class="o">:</span> <span class="s">"../"</span><span class="p">,</span> <span class="n">Vars</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}{</span> <span class="s">"type"</span><span class="o">:</span> <span class="s">"avs"</span><span class="p">,</span> <span class="s">"company"</span><span class="o">:</span> <span class="s">"hb01"</span><span class="p">,</span> <span class="s">"environment"</span><span class="o">:</span> <span class="s">"hub01"</span><span class="p">,</span> <span class="s">"project"</span><span class="o">:</span> <span class="s">"shs01"</span><span class="p">,</span> <span class="s">"location"</span><span class="o">:</span> <span class="s">"weu"</span><span class="p">,</span> <span class="s">"function"</span><span class="o">:</span> <span class="s">"dns"</span><span class="p">,</span> <span class="s">"num"</span><span class="o">:</span> <span class="s">"01"</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="n">terraform</span><span class="o">.</span><span class="n">InitAndApply</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="n">name</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Output</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">,</span> <span class="s">"name"</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="s">"avs-hb01-hub01-shs01-weu-dns-01"</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestTerraformNoFunction</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Parallel</span><span class="p">()</span> <span class="n">terraformOptions</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">terraform</span><span class="o">.</span><span class="n">Options</span><span class="p">{</span> <span class="n">TerraformDir</span><span class="o">:</span> <span class="s">"../"</span><span class="p">,</span> <span class="n">Vars</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}{</span> <span class="s">"type"</span><span class="o">:</span> <span class="s">"avs"</span><span class="p">,</span> <span class="s">"company"</span><span class="o">:</span> <span class="s">"hb01"</span><span class="p">,</span> <span class="s">"environment"</span><span class="o">:</span> <span class="s">"hub01"</span><span class="p">,</span> <span class="s">"project"</span><span class="o">:</span> <span class="s">"shs01"</span><span class="p">,</span> <span class="s">"location"</span><span class="o">:</span> <span class="s">"weu"</span><span class="p">,</span> <span class="s">"num"</span><span class="o">:</span> <span class="s">"01"</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="n">terraform</span><span class="o">.</span><span class="n">InitAndApply</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="n">name</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Output</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">,</span> <span class="s">"name"</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="s">"avs-hb01-hub01-shs01-weu-01"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Con la sorpresa de que apareció un mensaje de error como este:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>TestTerraformNoFunction 2020-08-11T22:35:11+02:00 logger.go:66: avs-hb01-hub01-shs01-weu-dns-01 terraform_azure_test.go:52: Error Trace: terraform_azure_test.go:52 Error: Not equal: expected: "avs-hb01-hub01-shs01-weu-dns-01" actual : "avs-hb01-hub01-shs01-weu-01" Diff: --- Expected +++ Actual @@ -1 +1 @@ -avs-hb01-hub01-shs01-weu-dns-01 +avs-hb01-hub01-shs01-weu-01 Test: TestTerraformNoFunction --- FAIL: TestTerraformNoFunction (4.74s) TestTerraformComplete 2020-08-11T22:35:11+02:00 logger.go:66: avs-hb01-hub01-shs01-weu-dns-01 --- PASS: TestTerraformComplete (4.77s) FAIL exit status 1 FAIL test 4.780s </code></pre> </div> <p>Después de revisarlo no veía error en el código, pero parecía que estuviese mezclando las variables de las dos funciones.</p> <p>¿Cuál era el problema? Pues resultó ser el “t.Parallel()”. Yo sé de Golang lo justo para pasar el día pero tiene toda la pinta de que el ejecutar cada paso en paralelo Terraform se vuelve un poco loco.</p> <p>Solución:</p> <ul> <li>Quitar la ejecución en paralelo </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">test</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"testing"</span> <span class="s">"github.com/gruntwork-io/terratest/modules/terraform"</span> <span class="s">"github.com/stretchr/testify/assert"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">TestTerraformComplete</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">terraformOptions</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">terraform</span><span class="o">.</span><span class="n">Options</span><span class="p">{</span> <span class="n">TerraformDir</span><span class="o">:</span> <span class="s">"../"</span><span class="p">,</span> <span class="n">Vars</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}{</span> <span class="s">"type"</span><span class="o">:</span> <span class="s">"avs"</span><span class="p">,</span> <span class="s">"company"</span><span class="o">:</span> <span class="s">"hb01"</span><span class="p">,</span> <span class="s">"environment"</span><span class="o">:</span> <span class="s">"hub01"</span><span class="p">,</span> <span class="s">"project"</span><span class="o">:</span> <span class="s">"shs01"</span><span class="p">,</span> <span class="s">"location"</span><span class="o">:</span> <span class="s">"weu"</span><span class="p">,</span> <span class="s">"function"</span><span class="o">:</span> <span class="s">"dns"</span><span class="p">,</span> <span class="s">"num"</span><span class="o">:</span> <span class="s">"01"</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="n">terraform</span><span class="o">.</span><span class="n">InitAndApply</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="n">name</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Output</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">,</span> <span class="s">"name"</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="s">"avs-hb01-hub01-shs01-weu-dns-01"</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">TestTerraformNoFunction</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">terraformOptions</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">terraform</span><span class="o">.</span><span class="n">Options</span><span class="p">{</span> <span class="n">TerraformDir</span><span class="o">:</span> <span class="s">"../"</span><span class="p">,</span> <span class="n">Vars</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}{</span> <span class="s">"type"</span><span class="o">:</span> <span class="s">"avs"</span><span class="p">,</span> <span class="s">"company"</span><span class="o">:</span> <span class="s">"hb01"</span><span class="p">,</span> <span class="s">"environment"</span><span class="o">:</span> <span class="s">"hub01"</span><span class="p">,</span> <span class="s">"project"</span><span class="o">:</span> <span class="s">"shs01"</span><span class="p">,</span> <span class="s">"location"</span><span class="o">:</span> <span class="s">"weu"</span><span class="p">,</span> <span class="s">"num"</span><span class="o">:</span> <span class="s">"01"</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="n">terraform</span><span class="o">.</span><span class="n">InitAndApply</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="n">name</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Output</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">,</span> <span class="s">"name"</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="s">"avs-hb01-hub01-shs01-weu-01"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <ul> <li>Ejecutar los tests desde una misma función </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">test</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"testing"</span> <span class="s">"github.com/gruntwork-io/terratest/modules/terraform"</span> <span class="s">"github.com/stretchr/testify/assert"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">TestTerraform</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Parallel</span><span class="p">()</span> <span class="n">Complete</span><span class="p">(</span><span class="n">t</span><span class="p">)</span> <span class="n">NoFunction</span><span class="p">(</span><span class="n">t</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">Complete</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">terraformOptions</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">terraform</span><span class="o">.</span><span class="n">Options</span><span class="p">{</span> <span class="n">TerraformDir</span><span class="o">:</span> <span class="s">"../"</span><span class="p">,</span> <span class="n">Vars</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}{</span> <span class="s">"type"</span><span class="o">:</span> <span class="s">"avs"</span><span class="p">,</span> <span class="s">"company"</span><span class="o">:</span> <span class="s">"hb01"</span><span class="p">,</span> <span class="s">"environment"</span><span class="o">:</span> <span class="s">"hub01"</span><span class="p">,</span> <span class="s">"project"</span><span class="o">:</span> <span class="s">"shs01"</span><span class="p">,</span> <span class="s">"location"</span><span class="o">:</span> <span class="s">"weu"</span><span class="p">,</span> <span class="s">"function"</span><span class="o">:</span> <span class="s">"dns"</span><span class="p">,</span> <span class="s">"num"</span><span class="o">:</span> <span class="s">"01"</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="n">terraform</span><span class="o">.</span><span class="n">InitAndApply</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="n">name</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Output</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">,</span> <span class="s">"name"</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="s">"avs-hb01-hub01-shs01-weu-dns-01"</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">NoFunction</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">terraformOptions</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">terraform</span><span class="o">.</span><span class="n">Options</span><span class="p">{</span> <span class="n">TerraformDir</span><span class="o">:</span> <span class="s">"../"</span><span class="p">,</span> <span class="n">Vars</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}{</span> <span class="s">"type"</span><span class="o">:</span> <span class="s">"avs"</span><span class="p">,</span> <span class="s">"company"</span><span class="o">:</span> <span class="s">"hb01"</span><span class="p">,</span> <span class="s">"environment"</span><span class="o">:</span> <span class="s">"hub01"</span><span class="p">,</span> <span class="s">"project"</span><span class="o">:</span> <span class="s">"shs01"</span><span class="p">,</span> <span class="s">"location"</span><span class="o">:</span> <span class="s">"weu"</span><span class="p">,</span> <span class="s">"num"</span><span class="o">:</span> <span class="s">"01"</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="n">terraform</span><span class="o">.</span><span class="n">InitAndApply</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="n">name</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Output</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">,</span> <span class="s">"name"</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="s">"avs-hb01-hub01-shs01-weu-01"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Espero que os sirva de ayuda :)</p> terraform testing go Desplegar Nextcloud en Docker usando Ansible César M. Cristóbal Fri, 11 Feb 2022 08:46:05 +0000 https://dev.to/callepuzzle/desplegar-nextcloud-en-docker-usando-ansible-5dfl https://dev.to/callepuzzle/desplegar-nextcloud-en-docker-usando-ansible-5dfl <p>Nextcloud nos permite tener nuestro propio <a href="https://nextcloud.com/files/" rel="noopener noreferrer">servidor de archivos</a> a lo Dropbox. Pero a mí lo que más me gusta es poder tener <a href="https://nextcloud.com/groupware/" rel="noopener noreferrer">mi calendario y mis contactos</a> independiente del todopoderoso Google.</p> <p>Vamos a ver como podemos desplegar Nextcloud en una Debian usando Docker y todo ello automatizado con Ansible.</p> <p>El esquema que vamos a tener es una máquina Debian con tres contenedores dentro:</p> <ul> <li>haproxy</li> <li>nextcloud</li> <li>mariadb</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fra2nzpd55nde9ixykdul.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fra2nzpd55nde9ixykdul.png" alt="Nextcloud containerized"></a></p> <h2> Requisitos </h2> <ul> <li>Tener acceso root a la máquina Debian.</li> <li>Tener instalado Ansible.</li> </ul> <p>A mí personalmente me gusta instalar Ansible en un virtualenv de python:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>virtualenv3 venv/py3 <span class="nv">$ </span><span class="nb">source </span>venv/py3/bin/activate <span class="o">(</span>py3<span class="o">)</span><span class="nv">$ </span>pip <span class="nb">install </span>ansible </code></pre> </div> <p>Instalamos los roles necesarios:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">(</span>py3<span class="o">)</span><span class="nv">$ </span>ansible-galaxy <span class="nb">install </span>jilgue.ansible_role_docker_nextcloud <span class="o">(</span>py3<span class="o">)</span><span class="nv">$ </span>ansible-galaxy <span class="nb">install </span>jilgue.ansible_role_docker_haproxy </code></pre> </div> <h2> Playbook </h2> <p>A continuación vamos a generar la configuración de Ansible.</p> <p>Necesitamos generar el inventario:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="err">nextcloud</span> <span class="py">ansible_ssh_host</span><span class="p">=</span><span class="s">192.168.56.20</span> </code></pre> </div> <p>También la configuracion del haproxy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>global daemon maxconn 256 defaults mode http timeout connect 5000ms timeout client 50000ms timeout server 50000ms frontend http-in bind *:80 mode http default_backend servers backend servers server server1 nextcloud:80 maxconn 32 </code></pre> </div> <p>Y por último el playbook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">all</span> <span class="na">become</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">become_method</span><span class="pi">:</span> <span class="s">sudo</span> <span class="na">vars</span><span class="pi">:</span> <span class="na">nextcloud_trusted_domains</span><span class="pi">:</span> <span class="s">192.168.56.20</span> <span class="na">nextcloud_ports</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">haproxy_cfg_template_path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">playbook_dir</span><span class="nv"> </span><span class="s">}}/"</span> <span class="na">haproxy_links</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">nextcloud</span> <span class="na">haproxy_ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">80:80</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">{</span> <span class="nv">role</span><span class="pi">:</span> <span class="nv">nextcloud</span><span class="pi">,</span> <span class="nv">tags</span><span class="pi">:</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">nextcloud'</span> <span class="pi">]</span> <span class="pi">}</span> <span class="pi">-</span> <span class="pi">{</span> <span class="nv">role</span><span class="pi">:</span> <span class="nv">haproxy</span><span class="pi">,</span> <span class="nv">tags</span><span class="pi">:</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">haproxy'</span> <span class="pi">]</span> <span class="pi">}</span> </code></pre> </div> <p>Y con esto tendríamos todo, al aplicar el playbook y entrar en la url <a href="http://192.168.56.20" rel="noopener noreferrer">http://192.168.56.20/</a> podremos ver nuestro nextcloud instalado.</p> <p>El usuario y contraseña por defecto son <a href="https://github.com/CallePuzzle/ansible-role-docker-nextcloud/blob/master/defaults/main.yml" rel="noopener noreferrer">admin / admin</a>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fig698ei6i7c833bsuvc1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fig698ei6i7c833bsuvc1.png" alt="Nextcloud welcome"></a></p> <p>Podéis ver la configuración de mi propio servidor en <a href="https://github.com/CallePuzzle/ansible-playbook-hetzner-cloud" rel="noopener noreferrer">github</a>.</p> docker ansible nextcloud Autenticar nginx mediante el método service-to-service en GCP César M. Cristóbal Fri, 11 Feb 2022 08:35:22 +0000 https://dev.to/callepuzzle/autenticar-nginx-mediante-el-metodo-service-to-service-en-gcp-2chk https://dev.to/callepuzzle/autenticar-nginx-mediante-el-metodo-service-to-service-en-gcp-2chk <p>Imaginad que estamos montado una serie de microservicios en Cloud Run donde el endpoint es un nginx y no queremos tener el resto de servicios públicos.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--_aWZ4im9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yfvwxbwofae925pw22ls.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--_aWZ4im9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yfvwxbwofae925pw22ls.png" alt="Cloud run diagram" width="446" height="441"></a></p> <p>Google nos provee de un método de autenticación <a href="https://cloud.google.com/run/docs/authenticating/service-to-service">service-to-service</a>. Perfecto, ¿cómo hacemos eso en nginx? Pues usando el módulo <a href="http://nginx.org/en/docs/http/ngx_http_auth_request_module.html">ngx_http_auth_request_module</a> y el <a href="https://nginx.org/en/docs/njs/">njs scripting language</a>.</p> <p>El código que necesitamos en nginx es el siguiente:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">js_include</span> <span class="nx">conf</span><span class="p">.</span><span class="nx">d</span><span class="o">/</span><span class="nx">auth</span><span class="p">.</span><span class="nx">js</span><span class="p">;</span> <span class="nx">server</span> <span class="p">{</span> <span class="nx">listen</span> <span class="mi">80</span> <span class="nx">default_server</span><span class="p">;</span> <span class="nx">server_name</span> <span class="nx">_</span><span class="p">;</span> <span class="nx">location</span> <span class="o">/</span> <span class="p">{</span> <span class="nx">auth_request</span> <span class="o">/</span><span class="nx">_oauth2</span><span class="p">;</span> <span class="nx">auth_request_set</span> <span class="nx">$authorization</span> <span class="nx">$sent_http_authorization</span><span class="p">;</span> <span class="nx">proxy_set_header</span> <span class="nx">Authorization</span> <span class="nx">$authorization</span><span class="p">;</span> <span class="nx">proxy_pass</span> <span class="na">https</span><span class="p">:</span><span class="c1">//patinando-int-api-tfezajqgva-ew.a.run.app;</span> <span class="p">}</span> <span class="nx">location</span> <span class="o">=</span> <span class="sr">/_oauth2 </span><span class="err">{ </span> <span class="nx">internal</span><span class="p">;</span> <span class="nx">js_content</span> <span class="nx">introspectAccessToken</span><span class="p">;</span> <span class="p">}</span> <span class="nx">location</span> <span class="o">=</span> <span class="sr">/_oauth2_send_request </span><span class="err">{ </span> <span class="nx">internal</span><span class="p">;</span> <span class="nx">proxy_set_header</span> <span class="nx">Metadata</span><span class="o">-</span><span class="nx">Flavor</span> <span class="nx">Google</span><span class="p">;</span> <span class="nx">proxy_pass</span> <span class="nx">http</span><span class="p">:</span><span class="c1">//metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=https://patinando-int-api-tfezajqgva-ew.a.run.app;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nx">introspectAccessToken</span><span class="p">(</span><span class="nx">r</span><span class="p">)</span> <span class="p">{</span> <span class="nx">r</span><span class="p">.</span><span class="nx">subrequest</span><span class="p">(</span><span class="dl">"</span><span class="s2">/_oauth2_send_request</span><span class="dl">"</span><span class="p">,</span> <span class="kd">function</span><span class="p">(</span><span class="nx">reply</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">reply</span><span class="p">.</span><span class="nx">status</span> <span class="o">==</span> <span class="mi">200</span><span class="p">)</span> <span class="p">{</span> <span class="nx">r</span><span class="p">.</span><span class="nx">headersOut</span><span class="p">[</span><span class="dl">'</span><span class="s1">AUTHORIZATION</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Bearer </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">reply</span><span class="p">.</span><span class="nx">responseBody</span> <span class="nx">r</span><span class="p">.</span><span class="nx">status</span> <span class="o">=</span> <span class="mi">204</span><span class="p">;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">sendHeader</span><span class="p">();</span> <span class="nx">r</span><span class="p">.</span><span class="nx">finish</span><span class="p">();</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">r</span><span class="p">.</span><span class="k">return</span><span class="p">(</span><span class="mi">401</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>En nuestro caso nuestro servicio interno es <em><a href="https://patinando-int-api-tfezajqgva-ew.a.run.app">https://patinando-int-api-tfezajqgva-ew.a.run.app</a></em> y si lanzamos un <em>wget</em> obtenemos un bonito 403:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTP request sent, awaiting response… HTTP/1.1 403 Forbidden Date: Sun, 03 May 2020 11:36:33 GMT Content-Type: text/html; charset=UTF-8 Server: Google Frontend Content-Length: 295 2020–05–03 11:36:33 ERROR 403: Forbidden </code></pre> </div> <p>Lo que estamos haciendo con este código es decir que toda petición se tiene que autorizar con <code>/_oauth2</code> que es una llamada interna y contiene el código de la función en javascript.</p> <p>El código javascript a su vez llama a <code>/_oauth2_send_request</code> para obtener el token.</p> <p>Para poder usar la cabecera que seteamos en javascript con<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>r.headersOut[‘AUTHORIZATION’] = ‘Bearer ‘ + reply.responseBody </code></pre> </div> <p>es necesario añadir estas líneas en el location principal<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>auth_request_set $authorization $sent_http_authorization; proxy_set_header Authorization $authorization; </code></pre> </div> <p>Si ahora hacemos peticiones al nginx la api nos devolverá un 200:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTP/1.1 200 OK Server: nginx/1.17.10 Date: Sun, 03 May 2020 11:44:56 GMT Content-Type: application/json Content-Length: 5436 Connection: keep-alive vary: Authorization x-powered-by: PHP/7.4.5 cache-control: no-cache, private </code></pre> </div> <p>Referencias:</p> <ul> <li><a href="https://www.nginx.com/blog/validating-oauth-2-0-access-tokens-nginx/">https://www.nginx.com/blog/validating-oauth-2-0-access-tokens-nginx/</a></li> </ul> googlecloud nginx microservices Configurar Emacs usando Doom César M. Cristóbal Fri, 11 Feb 2022 08:02:07 +0000 https://dev.to/callepuzzle/configurar-emacs-usando-doom-315j https://dev.to/callepuzzle/configurar-emacs-usando-doom-315j <h2> ¿Por qué Emacs? </h2> <p><a href="https://www.gnu.org/software/emacs/">Emacs</a> fue el primer IDE que aprendí a usar, por aquel entonces todos programábamos en la misma máquina conectándonos por ssh.</p> <p>Más tarde nos "modernizamos" y empezamos a usar PhpStorm. Así que cuando dejé Php de lado y empecé a programar en Terraform, Ansible y Python, opté por usar PyCharm ya que es un productor de la misma compañía y el cambio iba a ser más sencillo.</p> <p>Ahora bien el mundo JetBrains tiene su pega, para cada lenguaje necesitas un maldito editor distinto, y cuando empecé a hacer cosillas en Go me negué a instalar otro más.</p> <p>Vale, Emacs mola mucho y todo lo que tu quieras pero configurarlo es un dolor. Por eso opté por probar <a href="https://github.com/hlissner/doom-emacs">Doom</a>.</p> <h2> Doom </h2> <p>Doom es un framework para configurar Emacs.</p> <p>Básicamente nuestra configuración se guarda en <code>~/.doom.d/</code> donde tenemos tres ficheros:</p> <ul> <li>init.el: desde el cual activas o desactivas extensiones</li> <li>packages.el: desde el que puedes instalar paquetes de MELPA, ELPA o emacsmirror</li> <li>config.el: donde va tu configuración personal</li> </ul> <p>y ejecutando <code>~/.emacs.d/bin/doom sync</code> se generará nuestra configuración en <code>~/.emacs.d/</code>.</p> <h2> Instalación </h2> <p>Seguimos los pasos del <a href="https://github.com/hlissner/doom-emacs/blob/develop/docs/getting_started.org#install">getting started</a> y al arrancar por primera vez Emacs veremos algo como esto:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--GHJxZmbv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/iakiz9v3itbauzb3i9at.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--GHJxZmbv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/iakiz9v3itbauzb3i9at.png" alt="Primera carga de Emacs con Doom" width="800" height="610"></a></p> <h2> Configuración </h2> <p>Después de jugar un poco me di cuenta de que había demasiados paquetes instalados que hacían demasiadas cosas que no sabía usar y me “estorbaban”.</p> <p>Me habían aconsejado fuertemente que probase la extensión <a href="https://github.com/emacs-evil/evil">evil</a> pero de momento prefiero el modo de edición de emacs “puro”. Me quedo sin galletas :(</p> <p>Así que comenté las siguientes extensiones:</p> <ul> <li>evil +everywhere</li> <li>+bindings +smartparens</li> </ul> <p>Además de los lenguajes que fuese a utilizar.<br> Añadimos la configuración para borrar los espacios en blanco al guardar:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>;; Hooks (add-hook ‘before-save-hook ‘delete-trailing-whitespace) </code></pre> </div> <p>Arrancamos el servidor, de manera que luego podamos abrir un fichero desde otra terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>;; Server (server-start) $ emacsclient -n .bashrc </code></pre> </div> <p>Añadimos keybindings que para mí son necesarios:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>;; Keybindings (global-set-key “\M-p” ‘backward-paragraph) (global-set-key “\M-n” ‘forward-paragraph) (global-set-key (kbd “C-7”) ‘undo) (global-set-key (kbd “C-x p”) ‘counsel-projectile-switch-project) </code></pre> </div> <p>Y con esto ya estaría para funcionar.</p> <h2> Autocompletado </h2> <p><a href="https://company-mode.github.io/">Company</a> ya viene por defecto y en principio con activar lsp sería suficiente. Aunque esta parte aún la tengo algo verde y hay cosas que no terminan de ir fino.</p> <h2> NeoTree </h2> <p>Es una extensión para ver el árbol de ficheros y directorios de un proyecto. Para activarlo con su extensión de iconos hay que realizar los siguientes cambios:</p> <ul> <li>instalar “all-the-icons” </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>(package! all-the-icons) </code></pre> </div> <ul> <li>descomentar “neotree” del init.el</li> <li>añadir la siguiente configuración: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>;; NeoTree (setq neo-theme (if (display-graphic-p) ‘icons ‘arrow)) (global-set-key (kbd “C-x t”) ‘neotree-show) (setq projectile-switch-project-action ‘neotree-projectile-action) </code></pre> </div> <p>Mi configuración al final ha quedado así:</p> <p><a href="https://github.com/jilgue/doom-emacs-config">Ver repositorio en GitHub</a></p> emacs linux