@timroster
timroster / ibm-cloud-roks-private.md
Last active January 25, 2023 23:12
Step-by-step - setting up private console endpoints for Red Hat OpenShift on IBM Cloud

Setting up private endpoints and dashboard for VPN to VPC

Begin with a Red Hat OpenShift on IBM Cloud (ROKS) cluster with private endpoints only (public endpoints disabled). Private endpoints resolve in DNS to IP addresses provided by Private Service Endpoints, which typically begin with the octet 166. Although the Private Service Endpoints are routable through the implicit internal router that VPC hosts can reach, these addresses are not routed over VPN connections to a VPC. Therefore, in order to manage this cluster from outside the VPC, an additional load-balanced service will be added for Kubernetes API access. For more information in the IBM documentation, see Accessing VPC clusters through the private service endpoint.

The most straightforward way to initially manage a VPC-based ROKS cluster is by adding a Linux VM to one of the subnets where the workers reside (install the ibmcloud and oc CLIs

@timroster
timroster / scc-petclinic.md
Last active January 17, 2022 18:43
Fun with Security Context Constraints

Running SpringBoot (or for that matter any) Application as a non-root user on OpenShift on IBM Cloud

Everyone gets that you need to run containers as non-root users whenever possible. This is preferred everywhere, and I think it's just a good habit overall. For trivial applications, this isn't a very big deal, but what about applications which depend on mounting persistent storage, especially of the NFS flavor? And it might be that when you get the NFS export, the user ID for the mount needs to be changed, perhaps to a random user ID that's being dictated to you. If you're looking for an example scenario like this, look no further.

I'll assume you have a Dockerfile already, probably one that looks a bit like the one attached to this gist. This is a straight-up example where, during the container build, some things are done as root, and ultimately we specify that the container intends to run as a specific user, java_user in this example:

FROM adoptopenjdk/openjdk8-openj9:ubi-jre

USER root
@timroster
timroster / lets-encrypt-free-iks.md
Last active September 1, 2022 02:29
Creating Let's Encrypt certificates for IBM free Kubernetes clusters

The IBM Kubernetes service free clusters consist of a single worker node with 2 CPU and 4 GB of memory for experimenting with Kubernetes. Unlike the fee-based service, these clusters do not include capabilities for application load balancing using ingress out-of-the-box. However, if you manage a DNS domain (any provider will suffice) and can add an A record, it's possible for you to configure your own ingress that can provide http and https session termination for your containerized applications. Getting a TLS-enabled website or simply an external REST API couldn't be easier!

Prerequisites

  • Free IBM Kubernetes Cluster (IKS) - upgrade your account from Lite plan to create one. In the example commands, we'll assume that this cluster is named mycluster
  • kubectl - match your cluster API version (as of 12/5/20 - this is ~1.18.12)
  • helm v3
  • DNS domain that you can edit to configure

Notes: Using IBM Cloud Databases (ICD) Postgresql from Spring applications

Background

Spring provides handy abstractions for Java data persistence across a number of database platforms. When using Spring with PostgreSQL, it's generally simply a matter of providing a JDBC connection string, username and password to wire up a connection. When using ICD PostgreSQL, this connection information needs to be supplemented with the certificate of the signing CA, which is used to sign the server identity certificate of each PostgreSQL database instance. For the PostgreSQL JDBC client, the file for the root certificate defaults to ${user.home}/.postgresql/root.crt (*nix) or %appdata%/postgresql/root.crt (Windows), but can be overridden with the sslrootcert property.

The IBM Developer tutorial Connect a Spring Boot application to a cloud hosted database is a good starting point that i

titan:terraform-vpc timro$ terraform apply
2020/05/01 14:40:44 [WARN] Log levels other than TRACE are currently unreliable, and are supported only for backward compatibility.
Use TF_LOG=TRACE to see Terraform's internal logs.
----
2020/05/01 14:40:44 [INFO] Terraform version: 0.12.24
2020/05/01 14:40:44 [INFO] Go runtime version: go1.12.13
2020/05/01 14:40:44 [INFO] CLI args: []string{"/usr/local/bin/terraform", "apply"}
2020/05/01 14:40:44 [DEBUG] Attempting to open CLI config file: /Users/timro/.terraformrc
2020/05/01 14:40:44 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2020/05/01 14:40:44 [DEBUG] checking for credentials in "/Users/timro/.terraform.d/plugins"

Quick clean up

Start off by removing the helm releases that were deployed in the helm lab:

helm delete guestbook-demo --namespace repo-demo
helm delete guestbook-demo --namespace helm-demo

Remove the guestbook application components in the default namespace (it is OK to ignore errors):

Some Docker examples

Running a container image with a simple command, then interactively with a shell:

docker run centos echo "hello world"
docker run -it centos bash

Kubernetes Introduction using the IBM Cloud Shell

To begin this hands-on lab, you will need to log in to the IBM Cloud Workshop shell and also connect to an OpenShift cluster. If you received an invitation to an IBM Cloud account by e-mail, please click on the invitation link and set the password for your IBMid before proceeding.

  1. Open IBM Cloud Shell

  2. If the Login text appears in the upper right, sign in using your IBMid, otherwise continue.

  3. Check that the right cloud account is selected in the upper right and click on the terminal icon to open the Cloud Shell.

Docker Introduction using the IBM Cloud Shell

To begin this hands-on lab, you will need to log in to the IBM Cloud Workshop shell. The login process requires that you have an existing IBMid with access to an IBM Cloud account. If you received an invitation to an IBM Cloud account by e-mail, please click on the invitation link and set the password for your IBMid before proceeding.

  1. Open IBM Cloud Shell, click on Login in the upper right.

  2. Log in using your IBMid.

  3. A workshop passcode request will be shown if this is the first use of IBM Cloud Shell:

Creating Ingress resources for Kubernetes applications

Workstation setup

Log in to your virtual machine in the LinuxONE Community Cloud. Next, configure environment variables to match the settings for this lab.

export PROXYIP=148.100.92.103
export CLUSTER_URL=https://148.100.92.103:8443/