Victor Yang pydevops

🏠
Working from home
View GitHub Profile
@pydevops
pydevops / irsa-in-eks-within-and-across-aws-accounts.md
Created September 30, 2024 22:26 — forked from piyushjajoo/irsa-in-eks-within-and-across-aws-accounts.md
IRSA in EKS within same and across AWS Accounts

This is a gist of examples also mentioned in the blog IAM Roles for Service Accounts (IRSA) in AWS EKS within and cross AWS Accounts. Prerequisite for this gist is to create the EKS Cluster as explained in my earlier blog Create Amazon EKS Cluster within its VPC using Terraform, OR you can use this github repository.

Running Example for IRSA within same account

This assumes you have the EKS Cluster running and that your AWS CLI is configured to talk to the AWS Account where your EKS Cluster is running. If not, please follow our earlier blog on How to create an EKS Cluster using Terraform.

@pydevops
pydevops / gke-gce-cloud-armor-lb.sh
Created December 7, 2021 23:42 — forked from mikesparr/gke-gce-cloud-armor-lb.sh
Example Cloud Armor policies protecting Google HTTPS Global Load Balancer in front of GCE instance group and GKE cluster
#!/usr/bin/env bash
# REF: https://cloud.google.com/armor/docs/integrating-cloud-armor#with_ingress
# REF: https://cloud.google.com/armor/docs/configure-security-policies
# REF: https://cloud.google.com/iap/docs/load-balancer-howto
# REF: https://cloud.google.com/sdk/gcloud/reference/compute/url-maps/add-path-matcher
# REF: https://cloud.google.com/load-balancing/docs/https/setting-up-url-rewrite
export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_USER=$(gcloud config get-value core/account) # set current user
@pydevops
pydevops / core-arch-training.md
Created May 21, 2021 18:54 — forked from mikesparr/core-arch-training.md
Core cloud architecture training videos

The following videos, or playlists, can help ensure consistent knowledge amongst all core team members and help make customer support easier.

  • CS fundamentals - 12-min videos (9 hr)

    • Learn about computer origins, transistors, logic gates, and computer architecture

    • Learn about binary, bits, and bytes (bits, bytes, and octets key in networking)

    • Computer architecture, programming, languages, ML, robotics

@pydevops
pydevops / cloud-scheduler-run-demo.sh
Created May 21, 2021 18:49 — forked from mikesparr/cloud-scheduler-run-demo.sh
Google Cloud demo invoking a Cloud Run app in Ruby using Cloud Scheduler with OIDC
#!/usr/bin/env bash
export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_USER=$(gcloud config get-value core/account) # set current user
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
export IDNS=${PROJECT_ID}.svc.id.goog # workload identity domain
export GCP_REGION="us-central1" # CHANGEME (OPT)
export GCP_ZONE="us-central1-a" # CHANGEME (OPT)
export NETWORK_NAME="default"
@pydevops
pydevops / artifact-registry-cloud-run-demo.sh
Created May 21, 2021 18:41 — forked from mikesparr/artifact-registry-cloud-run-demo.sh
Google Cloud Platform demo of Artifact Registry deployment and Cloud Run app
#!/usr/bin/env bash
export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_USER=$(gcloud config get-value core/account) # set current user
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
export IDNS=${PROJECT_ID}.svc.id.goog # workload identity domain
export GCP_REGION="us-east1" # CHANGEME (OPT)
export GCP_ZONE="us-east1-c" # CHANGEME (OPT)
export NETWORK_NAME="default"
@pydevops
pydevops / gcp-iam-restrict-user-bucket.sh
Created March 20, 2021 17:15 — forked from mikesparr/gcp-iam-restrict-user-bucket.sh
Google Cloud Platform example to add IAM role restricting user to specific storage buckets with conditions
#!/usr/bin/env bash
export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_USER=$(gcloud config get-value core/account) # set current user
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
export IDNS=${PROJECT_ID}.svc.id.goog # workload identity domain
export GCP_REGION="us-central1"
export GCP_ZONE="us-central1-a"
@pydevops
pydevops / istio-gke-tls-example.sh
Created March 20, 2021 16:49 — forked from mikesparr/istio-gke-tls-example.sh
Example GKE ingress with TLS certificate for secure traffic to backend Istio ingress gateway
#!/usr/bin/env bash
export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_USER=$(gcloud config get-value core/account) # set current user
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
export IDNS=${PROJECT_ID}.svc.id.goog # workload identity domain
export GCP_REGION="us-west1"
export ISTIO_VERSION="1.9.1"
@pydevops
pydevops / cloudbuild-pr.yaml
Created March 20, 2021 16:45 — forked from mikesparr/cloudbuild-pr.yaml
Google Cloud Build PR deploy
steps:
# Build image and push to GCR
- name: 'gcr.io/cloud-builders/docker'
  id: Build
  args:
  - 'build'
  - '-t'
  - 'gcr.io/$PROJECT_ID/$_SERVICE_NAME:v$_PR_NUMBER'
  - '.'
# TODO: look into [images]
@pydevops
pydevops / kube-env.md
Last active August 21, 2020 00:26
gke kube-env
curl -s -H "Metadata-flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/attributes/kube-env

curl -s -H 'Metadata-Flavor: Google' 'http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env' | grep ^KUBELET_CERT | awk '{print $2}' | base64 -d > kubelet.crt
curl -s -H 'Metadata-Flavor: Google' 'http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env' | grep ^KUBELET_KEY | awk '{print $2}' | base64 -d > kubelet.key
curl -s -H 'Metadata-Flavor: Google' 'http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env' | grep ^CA_CERT | awk '{print $2}' | base64 -d > apiserver.crt
curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl && chmod 755 ./kubectl

KUBERNETES_MASTER_NAME=$(curl -s -H "Metadata-flavor: Google" http://1