- https://kubernetes.io/docs/user-guide/kubectl-cheatsheet/
- https://github.com/devoriales/kubectl-cheatsheet
- https://learncloudnative.com/blog/2022-05-10-kubectl-tips
- https://itnext.io/tips-tricks-for-cka-ckad-and-cks-exams-cc9dade1f76d
- https://cloud.google.com/anthos/gke/docs/on-prem/reference/cheatsheet
pydevops
/ cheatsheet-elasticsearch.md
Created
October 2, 2018 23:58
— forked from ruanbekker/cheatsheet-elasticsearch.md
Elasticsearch Cheatsheet
(still a work-in-progress)
Secrets such as aws key and secret, google service account json, database id and password etc. can be easily encrypted and decrypted with https://cloud.google.com/kms/. Cloud KMS does not directly store secrets. It can encrypt secrets that you store elsewhere, i.e. the key itself is stored within KMS.
Let's illustrate with a real world example step by step. We can encrypt and decrypt a service account json file for compute instances. These instances are a part of an elasticsearch cluster. The google cloud admin creates the service account. The service account is used by the Terraform to provision the compute instances as shown in https://www.terraform.io/docs/providers/google/r/compute_instance.html. The developers want a copy of the service account 's json file so that they can develop & test with the elasticsearch cluster. The google cloud admin creates the plain text service json file, where and how to store it safely and securely? Storing on admin's laptop is not 100% safe and secur
pydevops
/ private-k8s.md
Last active
February 2, 2024 03:25
how to set up kubectl on laptop for private GKE cluster and on prem private cluster
- Create a bastion vm in your data center or in cloud with connectivity set up (usually vpn) to the on prem data center.
- Install tinyproxy on the bastion vm and pick a random port as it would be too easy for spam bot with default 8888, set up as systemd service according to https://nxnjz.net/2019/10/how-to-setup-a-simple-proxy-server-with-tinyproxy-debian-10-buster/. Make sure it works by validating with
curl --proxy http://127.0.0.1:<tinyproxy-port> https://httpbin.org/ip. And I don't use any user authentication for proxy, so I locked down the firewall rules with my laptop IP/32. - Download the kubeconfig file for the k8s cluster to your laptop
- From your laptop, run
HTTPS_PROXY=<bastion-external-ip>:<tinyproxy-port> KUBECONFIG=my-kubeconfig kubectl get nodes
- https://www.linuxtrainingacademy.com/systemd-cheat-sheet/
- https://www.linux.com/training-tutorials/understanding-and-using-systemd/
- https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units
- https://www.digitalocean.com/community/tutorials/systemd-essentials-working-with-services-units-and-the-journal
- https://www.youtube.com/watch?v=ZUX9Fx8Rwzg&index=9&list=PLCq0ZVVxGP0Y-xlum2pnhqwsrIf61J6Ka
- https://www.youtube.com/watch?v=AtEqbYTLHfs
pydevops
/ gke-gce-cloud-armor-lb.sh
Created
December 7, 2021 23:42
— forked from mikesparr/gke-gce-cloud-armor-lb.sh
Example Cloud Armor policies protecting Google HTTPS Global Load Balancer in front of GCE instance group and GKE cluster
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # REF: https://cloud.google.com/armor/docs/integrating-cloud-armor#with_ingress | |
| # REF: https://cloud.google.com/armor/docs/configure-security-policies | |
| # REF: https://cloud.google.com/iap/docs/load-balancer-howto | |
| # REF: https://cloud.google.com/sdk/gcloud/reference/compute/url-maps/add-path-matcher | |
| # REF: https://cloud.google.com/load-balancing/docs/https/setting-up-url-rewrite | |
| export PROJECT_ID=$(gcloud config get-value project) | |
| export PROJECT_USER=$(gcloud config get-value core/account) # set current user |
pydevops
/ k8s-crd.md
Last active
September 1, 2023 00:41
— forked from smileisak/operators.md
k8s crd operator
Some useful resources regarding Kubernetes Operators, CRDs, etc.
- Kubernetes sample controller: https://github.com/kubernetes/sample-controller
- Joe Beda's TGIK sample repo and YouTube videos: https://github.com/jbeda/tgik-controller
- Thomas Stringer's blog post: https://medium.com/@trstringer/create-kubernetes-controllers-for-core-and-custom-resources-62fc35ad64a3
- Kube-controller-demo by Aaron Levy: https://github.com/aaronlevy/kube-controller-demo
- Analyzing value of Operator Framework for Kubernetes community: https://itnext.io/analyzing-value-of-operator-framework-for-kubernetes-community-5a65abc259ec
- Steps to generate CRD/Operator code: cloud-ark/kubeplus#14
- kubebuilder: https://github.com/kubernetes-sigs/kubebuilder
- CoreOS operator framework: https://coreos.com/blog/introducing-operator-framework
- A thread on Reddit: https://www.reddit.com/r/kubernetes/comments/8ien90/if_i_were_to_build_an_operator_what_should_i_use/
pydevops
/ artifact-registry-cloud-run-demo.sh
Created
May 21, 2021 18:41
— forked from mikesparr/artifact-registry-cloud-run-demo.sh
Google Cloud Platform demo of Artifact Registry deployment and Cloud Run app
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| export PROJECT_ID=$(gcloud config get-value project) | |
| export PROJECT_USER=$(gcloud config get-value core/account) # set current user | |
| export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)") | |
| export IDNS=${PROJECT_ID}.svc.id.goog # workflow identity domain | |
| export GCP_REGION="us-east1" # CHANGEME (OPT) | |
| export GCP_ZONE="us-east1-c" # CHANGEME (OPT) | |
| export NETWORK_NAME="default" |
NewerOlder