Wednesday, November 17, 2021

Tip: kube-apiserver can't start after adding a parameter

 Symptom:

We add a new oidc parameter for kube-apiserver to integrate with openID Dex.

The parameter is  --oidc-groups-prefix=oidc:

After that, kubelet can't start kube-apiserver static pod, and no obvious error reported

Solution:

The issue is to ":"  which is special character. It prevents kubelet to parse the parameter.

The right way is to quote it.  "--oidc-groups-prefix=oidc:" See more details in this github thread

Posted by at No comments:
Labels: , ,

Sunday, October 24, 2021

Tip: Error: vault kv get invalid character - in numeric literal

Symptom:

When we use vault kv get to fetch CA from pki endpoint, we hit error

 $ vault kv get pki/ca/pem
Error reading pki/ca/pem: invalid character '-' in numeric literal

Workaround:

The proper way to fetch it is:

 $ vault kv get -field=certificate pki/ca/pem

or

$ vault read -field=certificate pki/ca/pem


Posted by at No comments:
Labels: , ,

Wednesday, September 22, 2021

Error: invalid bearer token, oidc: verify token: oidc: expected audience

Symptom:

After we implemented dex + github via link. With example-app,we are able to get ID-token via http://127.0.0.1:5555/
With ID-token, we construct kubeconfig, but when we access k8s cluster we hit error:

error: You must be logged in to the server (Unauthorized)

In kube api server logs, we see error:

invalid bearer token, oidc: verify token: oidc: expected audience \"123456\" got [\"example-app\"]]"

 Triage:

Check payload and verify JWT ID-token on https://jwt.io

Check dex container logs 

Find similar issues in github link1 link2

Solution:

It turns out the client-id is not matched. 

The client-id set on K8S API server (--oidc-client-id) link   needs to match the client-id in example-app.

In above example, “123456” is the one I set on K8S API server, while client-id is “example-app”  in the example-app which caused the problem

Posted by at No comments:
Labels: , , ,

Saturday, August 21, 2021

Kubectl Plugin for Oracle Database

 Requirement:

We often need to provision new oracle databases for developers
This is the kubectl plugin to automate the creation of oracle database statefulset in the Kubernetes cluster

Solution:

Full details and source codes are on the GitHub repository

Demo:



Posted by at No comments:
Labels: , , , ,

Friday, August 20, 2021

Tip: what are the GVK GVR CRD CR Scheme in Kuberentes Core API

GVK:
  • GVK stands for Group Version Kind 
  • Each Kind in K8S has Group and Version. i.e. Kind "Pod" is in Group "core" , Version "v1". Refer to official API doc
  • GVK  is defined to associate Group, Version and Kind
  • Each GVK map to a given root Go type in the package
  • Source code definition is  here 
GVR:
  • GVR stands for Group Version Resource
  • GVR is a "use" or "instance" of GVK in the K8S API
  • The command "kubectl api-resources"  gives us a list of GVR in the K8S cluster
CRD:
  • CRD stands for Custom Resource Definition
  • Each CRD is like Kind in K8S, so it also has Group, Version
  • CRD is the extension of the K8S API. Refer to official doc
  • Once it is defined, it acts like GVK in K8S API.
CR:
  • CR stands for Custom Resource
  • CR is a "use" or "instance" of CRD in the K8S API
  • Once it is instantiated, it acts like GVR in K8S API.
  • The command "kubectl api-resources"  gives us a list including both GVR and CR in the cluster.
Scheme:
  • The scheme is defined to keep track of a given GO type mapping to a given GVK. 
    • For example, we define   myexample.io/api/v1.mykind{}
    • The scheme is going to map it to the API group we defined in CRD: batchv1.myexample.io/v1
    • {
          kind:  mykind
          apiVersion: batchv1.myexample.io/v1
      }
  • Source code definition is here.

Posted by at No comments:
Labels: , , ,
Subscribe to: Comments (Atom)