Sebastiaan van Steenis superseb

@superseb
superseb / rancher-extract-selfsigned-ca.sh
Created Nov 11, 2019
Extract self signed CA certificate from Rancher
View rancher-extract-selfsigned-ca.sh
#!/usr/bin/env bash
CONTID=$(docker ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }')
docker exec $CONTID kubectl get listenconfigs cli-config -o jsonpath={.caCerts} > /tmp/cacerts
curl --cacert /tmp/cacerts https://localhost
@superseb
superseb / local-prom-graph-etcd.md
Created Nov 4, 2019
WIP Local prometheus to graph etcd
View local-prom-graph-etcd.md

WIP Local prometheus to graph etcd

Ability to graph etcd metrics locally to identify issues

Prometheus

scrape_configs:
- job_name: etcd
  static_configs:
@superseb
superseb / eks-in-rancher-debug.md
Last active Sep 18, 2019
EKS in Rancher debug
View eks-in-rancher-debug.md

EKS in Rancher debug

# Configure CLUSTERID (can be found in UI)
CLUSTERID=c-tc6mc

# Get service account token, endpoint and ca certificate
docker exec $(docker  ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }') kubectl  -n cattle-system get secret "c-${CLUSTERID}" -o json | docker run -i oildex/jq:1.6 jq -r '.data.cluster  | @base64d' | docker run -i oildex/jq:1.6 jq -r '.rootCACert | @base64d' > ca.crt
docker exec $(docker  ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }') kubectl  -n cattle-system get secret "c-${CLUSTERID}" -o json | docker run -i oildex/jq:1.6 jq -r '.data.cluster  | @base64d' | docker run -i oildex/jq:1.6 jq -r '.serviceAccountToken' > token
docker exec $(docker  ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }') kubectl  -n cattle-system get secret "c-${CLUSTERID}" -o json | docker run -i oildex/jq:1.6 jq -r '.data.clust
@superseb
superseb / test-local-etcd-kube-apiserver-etcdservers-list.sh
Last active Sep 4, 2019
Test if local etcd is first in kube-apiserver etcd-server list
View test-local-etcd-kube-apiserver-etcdservers-list.sh
#!/bin/bash
if docker inspect kube-apiserver >/dev/null 2>&1; then
  if docker inspect etcd >/dev/null 2>&1; then
    # We are running on an etcd + controlplane node
    API_ADVERTISE_IP=$(docker inspect kube-apiserver --format='{{range .Args}}{{.}}{{"\n"}}{{end}}' | grep advertise-address | awk -F= '{ print $2 }')
    API_FIRST_ETCD_IP=$(docker inspect kube-apiserver --format='{{range .Args}}{{.}}{{"\n"}}{{end}}' | grep etcd-servers | awk -F= '{ print $2 }' | awk -F',' '{ print $1 }' | sed -e 's_https://__g' | sed -e 's_:2379__g')
    if [ "$API_ADVERTISE_IP" != "$API_FIRST_ETCD_IP" ]; then
      echo "FAIL: First etcd IP ($API_FIRST_ETCD_IP) is not equal to kube-apiserver advertise IP ($API_ADVERTISE_IP)"
      exit 1
    else
@superseb
superseb / intermediate-certificate-rancher.md
Last active Sep 2, 2019
Generate CA, intermediate CA and server certificate with DNS alt names using Terraform in Docker and launch Rancher
View intermediate-certificate-rancher.md

Generate CA, intermediate CA and server certificate with DNS alt names using Terraform in Docker and launch Rancher

Generate CA, intermediate CA and server certificate

docker run --rm -v $PWD/testcerts:/tmp/certs/files -e TF_VAR_ip_addresses='["127.0.0.1"]' -e TF_VAR_dns_names='["yolo.seb.local"]' superseb/intermediate

Run Rancher

@superseb
superseb / test-pleg.md
Last active Nov 28, 2019
PLEG tester
View test-pleg.md

PLEG tester

A few commands to run to test what triggers PLEG.

Docker response time

When using Docker, all container statuses are compared, and this needs to happen within 3 minutes. Otherwise, the following log will be shown:

@superseb
superseb / walkthrough-suse-docker-upgrade-kube-proxy.md
Created Aug 20, 2019
Walkthrough on debugging case regarding upgrading Docker on SLES (SuSE) and kube-proxy not starting
View walkthrough-suse-docker-upgrade-kube-proxy.md

Walkthrough on debugging case regarding upgrading Docker on SLES (SuSE) and kube-proxy not starting

Brief walkthrough of the steps taken to debug an issue seen when Docker was upgraded on SLES (SuSE) and kube-proxy was not started automatically after the upgrade.

Error seen was:

starting container process caused \"process_linux.go:424: container init caused \\\"process_linux.go:390: setting cgroup config for procHooks process caused \\\\\\\"failed to write a *:* rwm to devices.allow: write /sys/fs/cgroup/devices/docker/8103ad3afeece25eda0d0f7799c35ee9f7986ebf80b36d28dad4472c3542953a/devices.allow: invalid argument\\\\\\\"\\\"\": unknown"
@superseb
superseb / rancher-rke-etcd-snapshot-intro.md
Created Aug 20, 2019
Rancher/RKE etcd snapshot intro
View rancher-rke-etcd-snapshot-intro.md

Rancher/RKE etcd snapshot intro

Brief description of what is done where/how/what etc

Repositories/tools involved:

@superseb
superseb / nginx.conf
Created Aug 14, 2019
Authorized Cluster Endpoint NGINX example
View nginx.conf
events {
  worker_connections 4096; ## Default: 1024
}
http {
  upstream kubernetes {
    server ip_of_controlplane_node1:6443;
    server ip_of_controlplane_node2:6443;
    server ip_of_controlplane_node3:6443;
@superseb
superseb / kubectl-diagnostic.sh
Last active Aug 7, 2019
kubectl cluster diagnostic
View kubectl-diagnostic.sh
#!/usr/bin/env bash
if [ $# -eq 0 ]; then
  # Check if run on controlplane node, we can use that kubeconfig
  if [ -f /opt/rke/etc/kubernetes/ssl/kube-controller-manager.pem ]; then
    KUBECTLCERT=/opt/rke/etc/kubernetes/ssl/kube-controller-manager.pem
  elif [ -f /etc/kubernetes/ssl/kube-controller-manager.pem ]; then
    KUBECTLCERT=/etc/kubernetes/ssl/kube-controller-manager.pem
  fi
  if [ -f /opt/rke/etc/kubernetes/ssl/kube-controller-manager-key.pem ]; then
    KUBECTLKEY=/opt/rke/etc/kubernetes/ssl/kube-controller-manager-key.pem