Frank Kloeker eumel8

## composition-s3-backup.yaml
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  annotations:
  name: vcluster.caas.telekom.de
spec:
  compositeTypeRef:
    apiVersion: caas.telekom.de/v1alpha1
    kind: Vcluster
  mode: Resources

## vcluster-backup.yaml
# adjust s3 access_key,host_base, secret_key, and s3 bucketname
apiVersion: v1
kind: Secret
metadata:
  name: s3cfg
type: Opaque
stringData:
  .s3cfg: |-
    [default]
    access_key = xxxxx

## create-vcluster-for-istio.md

      
              3 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                eumel8
                / create-vcluster-for-istio.md
            
            
              Last active
              January 2, 2024 18:01
            
              
                vcluster-demo
              
          
    prerequisites

have a Rancher project with 2 namespaces where the Pods and Services seen each other
create vcluster

service exposes via IngressRoutesTCP
helm -n vc1 upgrade vc1 --set isolation.networkPolicy.enabled=false --version 0.15.7 oci://mtr.devops.telekom.de/caas/charts/vcluster

  
## mystruct2.go
package mystruct


// LoggingSpec defines the desired state of Logging
type MyStruct struct {
        // Reference to the logging system. Each of the `loggingRef`s can manage a fluentbit daemonset and a fluentd statefulset.
        LoggingRef string `json:"loggingRef,omitempty"`
        // Disable configuration check before applying new fluentd configuration.
        FlowConfigCheckDisabled bool `json:"flowConfigCheckDisabled,omitempty"`
        // Whether to skip invalid Flow and ClusterFlow resources

## getpod.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    name: getpods
  name: getpods
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role

## curl.yaml
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: curl-client
  name: curl-client
spec:
  serviceName: curl-client
  replicas: 1

## migrate-keycloak-user.sh
#!/bin/sh

# keycloak saml user object:
# principalIds:
# - keycloak_user://john.do@example.com
# - local://u-pxxxxxxx
#
# keycloak oidc user object:
# principalIds:
# - keycloakoidc_user://john.do@example.com

## 01-recommended.yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,

## gist:60a2d96aad4d6938625f0d535578fd3f
# This behaviour comes in Kubernetes 1.21 with a change of Serviceaccount token format. Bound tokens become default, legacy
# token still alive. In prometheus-auth, a middleware
# for bearer token auth in front of prometheus, a SubjectAccessReview will looking for a token, provided by the federated
# prometheus instance via http endpoint. This token is searched in a list of secrets cluster-wide and if there is a match,
# comparing process started for ServiceAccount and Namespace. After success, a hijack federate will provide access to the
# related cluster metrics. Normaly, the token in the federate call and the content of the related secret of the
# ServiceAccount is equal. In newer Kubernetes version this format is rewritten and internally the new format of bound token
# is stored.
ä With this difference, the SubjectAccessReview is denied and no metrics are accessable. Unfortunatelly the related
# ServiceMonitor for federate is UP, no errors are visiable.

## check-mon-cron.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: fix-project-monitoring
data:
  fix-project-monitoring.sh: |
    #!/usr/bin/env bash

    set -e
	apiVersion: apiextensions.crossplane.io/v1
	kind: Composition
	metadata:
	annotations:
	name: vcluster.caas.telekom.de
	spec:
	compositeTypeRef:
	apiVersion: caas.telekom.de/v1alpha1
	kind: Vcluster
	mode: Resources
	# adjust s3 access_key,host_base, secret_key, and s3 bucketname
	apiVersion: v1
	kind: Secret
	metadata:
	name: s3cfg
	type: Opaque
	stringData:
	.s3cfg: \|-
	[default]
	access_key = xxxxx
	package mystruct


	// LoggingSpec defines the desired state of Logging
	type MyStruct struct {
	// Reference to the logging system. Each of the `loggingRef`s can manage a fluentbit daemonset and a fluentd statefulset.
	LoggingRef string `json:"loggingRef,omitempty"`
	// Disable configuration check before applying new fluentd configuration.
	FlowConfigCheckDisabled bool `json:"flowConfigCheckDisabled,omitempty"`
	// Whether to skip invalid Flow and ClusterFlow resources
	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	labels:
	name: getpods
	name: getpods
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: Role
	---
	apiVersion: apps/v1
	kind: StatefulSet
	metadata:
	labels:
	app: curl-client
	name: curl-client
	spec:
	serviceName: curl-client
	replicas: 1
	#!/bin/sh

	# keycloak saml user object:
	# principalIds:
	# - keycloak_user://john.do@example.com
	# - local://u-pxxxxxxx
	#
	# keycloak oidc user object:
	# principalIds:
	# - keycloakoidc_user://john.do@example.com
	# Copyright 2017 The Kubernetes Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# This behaviour comes in Kubernetes 1.21 with a change of Serviceaccount token format. Bound tokens become default, legacy
	# token still alive. In prometheus-auth, a middleware
	# for bearer token auth in front of prometheus, a SubjectAccessReview will looking for a token, provided by the federated
	# prometheus instance via http endpoint. This token is searched in a list of secrets cluster-wide and if there is a match,
	# comparing process started for ServiceAccount and Namespace. After success, a hijack federate will provide access to the
	# related cluster metrics. Normaly, the token in the federate call and the content of the related secret of the
	# ServiceAccount is equal. In newer Kubernetes version this format is rewritten and internally the new format of bound token
	# is stored.
	ä With this difference, the SubjectAccessReview is denied and no metrics are accessable. Unfortunatelly the related
	# ServiceMonitor for federate is UP, no errors are visiable.
	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: fix-project-monitoring
	data:
	fix-project-monitoring.sh: \|
	#!/usr/bin/env bash

	set -e