Most Helm adoption kubectl examples will show adding the annotations and label required for Helm 3 to adopt resources, but with Deployments this may cause issues if the nested Pod spec isn’t patched also. Either way you will need to add a app.kubernetes.io/managed-by label and meta.helm.sh/release-name and meta.helm.sh/release-namespace annotations. For most resources you can simply label...
Open Policy Agent example using Terraform
Simple example of how to use Open Policy Agent with Terraform including setting up a GitHub Action. The Agent can either be run as an API (that you can query) or in standalone mode (via the command line) and requires 3 things, Policies, Inputs and a Query. Documentation does not explain particularly well (for a newcomer) what each part of the supplied commands do, so please find a breakdown below...
Setting up Workload Identity on GKE per service/namespace
Workload Identity on Google Kubernetes Engine allows you to access Google Cloud services directly from a container in a Pod. This works by binding the Kubernetes Service Account to the Google Cloud Service Account, which visually looks confusing since they both have a very similar format as email addresses! The Google Cloud documentation for Workload Identity is a little abstract, so I’ve...
Use Bash to wait for Docker container to start by tag
If you run a container in the background and want to wait until it has started up before doing anything else, you can use a combination of docker ps and docker inspect to check within a Bash loop whether it is finally running. This can be useful if you want to run tests checking if the container is responding on a specific port for example. You can remove the --all option for docker ps and the...
jq error key/0 is not defined when selecting fields with numbers and dashes
If you are trying to select a JSON field with a number or dash, you may get a jq compile error. As mentioned in a GitHub issue, the key gets parsed as a substraction so we need to enclose it in additional quotes.
Prevent more than 1 CircleCI tag workflow from running concurrently
If you are using CircleCI for tag-based deployments, you may want to prevent more than 1 deployment happening at once. This code snippet allows you to check within a pipeline whether another pipeline triggered by a Git tag using the same workflow is currently running. Because the list of pipelines does not show you which workflow they are using, we are assuming that there is only a single tag...
Restart all deployments in a Kubernetes namespace
Quick bash script to restart all Kubernetes Deployments in a Namespace. Easily modified for Daemonsets and/or StatefulSets, or to restart all controllers if required.
Ignore Consul Connect container logs in Filebeat on kubernetes
Consul Connect is a great service mesh, but the log output can be very noisy. Using sidecar injection via annotations will cause Envoy proxy and Consul lifecycle containers (consul-connect-envoy-sidecar and consul-connect-lifecycle-sidecar respectively) to be injected into your Pods, meaning that Filebeat will parse their output in stdout the same as your application container. Currently log...
SSH into private GKE nodes using Cloud IAP
If you have created private Google Kubernetes Engine clusters for security reasons, you may still need to SSH into the nodes from time-to-time. Luckily Google Cloud provides Identity-Aware-Proxy tunnelling via gcloud so you do not need a VPN connection to the VPC the cluster resides within. However in order for this to work you will need to create a firewall rule that targets your GKE nodes using...
Convert URL to slug in helm chart template
If you are supplying a domain or URI/URL to a Kubernetes manifest in a Helm chart template, you may need to convert the value to remove the dots/periods since most Kubernetes resources will not allow them.
You can use the Helm template function replace and a pipeline to convert values where necessary.