joe miller joemiller
joemiller / gke-np-ip-utilization.rb
Last active January 6, 2024 01:05
GKE node-pool pod IP CIDR range usage calc script
#!/usr/bin/env ruby
#
# Show GKE per-node-pool pod IP CIDR range utilization.
#
# Usage:
# gcloud container clusters describe <cluster-name> --location <loc> --format=json | ./gke-np-ip-utilization.rb
require 'json'
require 'ipaddr'
joemiller / auto_shutdown.service
Last active May 12, 2023 15:44
bash script + systemd units for auto-shutting down an idle machine (no active ssh logins)
[Unit]
Description=Auto shutdown service
[Service]
Type=oneshot
ExecStart=/auto_shutdown.sh
joemiller / README.md
Last active April 7, 2023 15:13
Buildkite OIDC JWT example with Vault auth

Get JWT from inside of a running BK job:

curl -s -X POST -H "Authorization: Token ${BUILDKITE_AGENT_ACCESS_TOKEN}" \
  "${BUILDKITE_AGENT_ENDPOINT:-https://agent.buildkite.com/v3}/jobs/${BUILDKITE_JOB_ID}/oidc/tokens" \
  --data '{"audience":"vault"}'

In a future, currently (2022/11/17) unreleased version of buildkite-agent you can run this instead:

joemiller / 71.patch
Created October 20, 2022 18:55
OpenBSD 7.1 kernel patch to stop a GPE L6F ACPI interrupt storm
--- /usr/src/sys/dev/acpi/acpi.c.orig Mon Oct 3 16:26:55 2022
+++ /usr/src/sys/dev/acpi/acpi.c Mon Oct 3 16:30:29 2022
@@ -2269,6 +2269,18 @@
{
struct aml_node *node = arg;
uint8_t mask, en;
+
+ /* bad bios. mask/ignore the GPE _L6F (0x6f) interrupt */
+ if (gpe == 0x6f && (sc->gpe_table[gpe].flags & GPE_LEVEL)) {
+ static unsigned short i;
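Review bot: the counter added as `static unsigned short i;` inside the `gpe == 0x6f` branch is function-static state with a one-letter name and no comment on what it counts or what should happen when the unsigned short wraps; a descriptive name and a short comment would make the intent reviewable. As far as the visible lines show, the condition is keyed only on the GPE number and the `GPE_LEVEL` flag, so a named constant in place of the bare `0x6f` and a note in the comment identifying the affected BIOS or hardware would make the workaround easier to audit and to remove later.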
joemiller / vault-cert-parse.rb
Last active June 23, 2022 14:55
quick script to parse vault pki issue responses into tls.pem file
#!/usr/bin/env ruby
#
# Usage:
#
# vault write pki/issue/role common_name=foo ttl=1h | ruby vault-cert-parse.rb
#
# Creates the file tls.pem containing private-key, cert, and issuing-ca
#
# Can also be used with curl for living on the edge:
#
joemiller / gist:4c4e22c0795134c5ad7088bc822ae82c
Created April 5, 2022 23:41
vault kv allows for a key to both contain data and have subkeys
$ vault server -dev -dev-root-token-id=root &
$ VAULT_ADDR='http://127.0.0.1:8200' VAULT_TOKEN=root vault kv put secret/foo bar=baz quux=blah
$ VAULT_ADDR='http://127.0.0.1:8200' VAULT_TOKEN=root vault kv put secret/foo/subkey blah=blah
$ VAULT_ADDR='http://127.0.0.1:8200' VAULT_TOKEN=root vault kv list secret/
Keys
----
foo
foo/

Loki log ingestion issue

Loki stops ingesting logs from promtail. The error messages are a stream of HTTP 499 errors in the gateway component, which is based on nginx. Example:

10.194.148.169 - - [17/Feb/2022:21:08:28 +0000]  499 "POST /loki/api/v1/push HTTP/1.1" 0 "-" "promtail/" "-"
10.194.90.195 - - [17/Feb/2022:21:08:28 +0000]  499 "POST /loki/api/v1/push HTTP/1.1" 0 "-" "promtail/" "-"
joemiller / run-all-wrapper.sh
Last active January 6, 2022 01:24
terragrunt wrapper to leverage bash/zsh shell globbing support for the run-all command set
#!/bin/bash
#
# uber simple wrapper to leverage bash/zsh shell globbing support with terragrunt's `--terragrunt-include-dir=` flag.
set -eou pipefail
[[ -n "${DEBUG:-}" ]] && set -x
if [[ "$#" -lt 2 ]]; then
echo "Usage: $0 [init|plan|apply] GLOB"
joemiller / Dockerfile
Last active February 11, 2024 11:45
convert RFC 3164 syslog messages to RFC 5424 for ingestion into Loki/promtail
FROM balabit/syslog-ng:3.35.1
COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
#!/bin/bash
#
# Start the server in dev mode:
#
# bash setup-pki-vault-server.sh
#
# In another window, generate a cert:
#
# VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN=root vault write pki/issue/any common_name=foo
#