Sunday, July 26, 2020

how to debug issues in OCI ?

If a customer who subscribed to an OCI Notifications topic complains that the subscription endpoint is not receiving messages from the service, how do you debug it ?

If the OCI Notifications service does not receive an acknowledgment (a success response) from a subscription endpoint, it keeps trying to redeliver the message for up to two hours; after that window the message is not delivered. Configure an alarm on the NumberOfNotificationsFailed metric in the OCI Monitoring service so that failed deliveries are raised instead of silently dropped, and check that the endpoint acknowledges each delivery promptly (a slow or non-2xx endpoint looks exactly like "not receiving messages" from the customer's side).




Sunday, July 5, 2020

how to implement Let's Encrypt using the dns01 challenge ?

step 1 : create namespace 

kubectl create ns  kaushik

step2: create a secret named azuredns-config whose key client-secret holds the Azure service principal's client secret (the value is left empty below; supply the real secret from your environment and never commit it to source control)

kubectl create secret generic azuredns-config --from-literal=client-secret="" -n kaushik

step3: create the nginx-ingress controller (the --name flag is Helm 2 syntax; with Helm 3 the release name is the first positional argument)

helm install --name nginx stable/nginx-ingress --namespace kaushik

step4: create an A record set in the existing hosted zone that points the hostname at the ingress controller's public IP (12.34.56.78 is a placeholder; use the EXTERNAL-IP of the nginx ingress service created in step 3)

az network dns record-set a add-record --resource-group kaushik-rg  --zone-name kaushik.net --record-set-name 'kou' --ipv4-address 12.34.56.78

step5: Install cert-manager (the CRDs are cluster-scoped, so the -n flag on the first command has no effect; the label on the namespace disables cert-manager's validating webhook for resources in it)

kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.13/deploy/manifests/00-crds.yaml -n kaushik

kubectl label namespace kaushik cert-manager.io/disable-validation=true

helm repo add jetstack https://charts.jetstack.io

helm repo update

helm install --name cert-manager --namespace kaushik --version v0.13.0 jetstack/cert-manager

step6: create the ClusterIssuer that solves the DNS-01 challenge through Azure DNS

cat dnsissuer.yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: kaushik
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    # Contact address for the ACME account (must be a real mailbox, not a bare domain)
    email: user@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt
    # ACME DNS-01 provider configurations
    solvers:
    - dns01:
        azuredns:
          # Service principal that is allowed to write TXT records in the zone
          clientID: *************************************
          clientSecretSecretRef:
            name: azuredns-config
            key: client-secret
          subscriptionID: ***************************
          tenantID: ******************************
          resourceGroupName: kaushik-rg
          hostedZoneName: kaushik.net
          environment: AzurePublicCloud

command :  kubectl apply -f dnsissuer.yaml -n kaushik

A ClusterIssuer is cluster-scoped, so the -n flag is ignored. Because it is a ClusterIssuer, the secret named in clientSecretSecretRef must live in the namespace cert-manager itself runs in (here kaushik, which is where both the secret and cert-manager were created, so this works). Give the service principal only the DNS Zone Contributor role on the zone, not broader rights.

Test with an example application behind the ingress, using Let's Encrypt for its certificate

step7: install a sample application (the NetBox chart)

helm repo add bootc https://charts.boo.tc

helm install --name my-release bootc/netbox --namespace kaushik


step8: create an ingress object in the same namespace; the cert-manager.io/cluster-issuer annotation tells cert-manager to request a certificate for the hosts listed under tls and store it in tls-secret

 cat ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: kaushik
  name: my-release-netbox
spec:
  tls:
    - hosts:
      -  kou.kaushik.net
      secretName: tls-secret
  rules:
    - host: kou.kaushik.net
      http:
        paths:
          - backend:
              serviceName: my-release-netbox
              servicePort: http

command :  kubectl apply -f ingress.yaml -n kaushik


how to verify ?

In the Azure DNS zone kaushik.net you should see two record sets:

 kou                   A record, created by you in step 4, pointing at the ingress controller IP
_acme-challenge.kou    TXT record, created by cert-manager and holding the DNS-01 challenge value

The TXT record only exists while the challenge is pending; cert-manager removes it once Let's Encrypt has validated it, so an absent TXT record after the certificate has been issued is normal. If the certificate never appears, describe the Certificate, Order and Challenge resources in the namespace to see why the challenge is stuck; a service principal without write access to the zone and DNS propagation delay are the usual causes.
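What cert-manager writes into that _acme-challenge.kou TXT record is not random: it is derived from the ACME account key and the challenge token (RFC 8555 section 8.4, RFC 7638). The following Python is an added example, not code from the original post or from cert-manager, that computes the record name and value and emulates the check Let's Encrypt performs against the zone; the account JWK, token and zone snapshot are constructed placeholders, and the relative-name helper assumes the hostedZoneName kaushik.net from the ClusterIssuer above. It also covers the wildcard case (*.kaushik.net), which the page does not show.

```python
import base64
import hashlib
import json

# Added example, not code from the original post or from cert-manager: derive
# the value that a DNS-01 solver publishes in the _acme-challenge TXT record
# (RFC 8555 section 8.4) and check a zone snapshot for it, the same comparison
# the CA makes. The account JWK, token and zone below are constructed
# placeholders, not real key material.

ZONE_NAME = "kaushik.net"  # hostedZoneName from the ClusterIssuer on this page


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with keys in lexicographic order and no whitespace. Optional
    members such as alg or kid must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """token '.' thumbprint: proves control of the account key and the
    specific challenge the CA issued."""
    return f"{token}.{thumbprint}"


def txt_value_for(key_auth: str) -> str:
    """DNS-01 TXT content is base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_auth.encode("utf-8")).digest())


def challenge_fqdn(identifier: str) -> str:
    """Wildcard identifiers are validated at the parent name: *.kaushik.net
    is challenged at _acme-challenge.kaushik.net."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"


def relative_record_name(fqdn: str, zone: str = ZONE_NAME) -> str:
    """Record set name as Azure DNS shows it inside the hosted zone,
    e.g. _acme-challenge.kou for _acme-challenge.kou.kaushik.net."""
    suffix = "." + zone
    return fqdn[: -len(suffix)] if fqdn.endswith(suffix) else fqdn


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple:
    """(FQDN, TXT value) that cert-manager would create for this challenge."""
    value = txt_value_for(key_authorization(token, jwk_thumbprint(jwk)))
    return challenge_fqdn(identifier), value


def validate_zone(zone_records: dict, identifier: str, token: str, jwk: dict) -> bool:
    """Emulate the CA side: zone_records maps FQDN -> list of TXT strings.
    Any matching string among several TXT values is accepted, which is what
    lets two parallel orders for the same name coexist."""
    fqdn, expected = dns01_record(identifier, token, jwk)
    return expected in zone_records.get(fqdn, [])


if __name__ == "__main__":
    # Constructed placeholders: the modulus is not a real RSA key.
    account_jwk = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus", "alg": "RS256"}
    token = "constructed-token-from-the-ca"
    fqdn, value = dns01_record("kou.kaushik.net", token, account_jwk)
    print(relative_record_name(fqdn), "TXT", value)
    print("valid:", validate_zone({fqdn: [value]}, "kou.kaushik.net", token, account_jwk))
```

If a challenge stays pending, comparing the TXT value actually visible from a public resolver against the value cert-manager logged is the quickest way to tell a propagation delay from a misconfigured solver.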


references:

https://docs.microsoft.com/en-us/azure/aks/ingress-tls

https://dev.to/mimetis/using-dns01-challenge-and-let-s-encrypt-to-secure-your-aks-kubernetes-cluster-5g42

https://github.com/bootc/netbox-chart


Friday, July 3, 2020

Ansible debugging shortcuts

How to use ignore_errors: yes in a task ?

- name: Get resource group information using tags
  azure_rm_resourcegroup_info:
    list_resources: no
    tags: "kaushik_rg"
  register: resourcegroup_info
  ignore_errors: yes

With ignore_errors the task is still reported as failed in the output, but the play continues; the registered variable (resourcegroup_info.failed) tells later tasks whether it succeeded.


How to start execution at a specific task inside a role/playbook ?

ansible-playbook playbook.yml --start-at-task="install packages"

what is "install packages" in the above command ?

It is the name of the task; the playbook skips everything before that task and runs it and all the tasks after it.

example :

- name: install packages


how to use the combine filter in an ansible playbook ?

- name: Set kaushik output info
  set_fact:
    kaushik_info: "{{ kaushik_info | default({}) | combine({'KAUSHIKInfo': {'resourcegroup': rg, 'kaushik_kv_name': vaultname, 'secret_name': secret, 'app_url': app_url}}) }}"

- name: Create yaml file
  copy:
    content: "{{ kaushik_info | to_nice_yaml }}"
    dest: "/tmp/kaushik-output.yaml"

Note that combine merges only the top level by default: a second combine with another 'KAUSHIKInfo' key replaces the whole nested dict instead of adding to it. Pass recursive=True to combine when nested keys should be merged.

expected output ( contents of the yaml file ):

KAUSHIKInfo:
  kaushik_kv_name: *************
  resourcegroup: *****************
  secret_name: ******************
  app_url: ********************

Thursday, July 2, 2020

how to prevent http connections to an azure storage account ?

The "Secure transfer required" property of an Azure Storage account enforces that every request to the account is made over a secure connection: HTTP requests to the blob, queue and table endpoints are rejected, and Azure Files access over SMB must use SMB 3.x with encryption.

This property is not enabled on every account (the portal turns it on for new accounts, but accounts created through the SDK, REST API or templates may have it disabled), so check it explicitly on each account instead of assuming. Pair it with a minimum TLS version of 1.2, since "secure" alone still admits TLS 1.0 and 1.1.
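Checking this across every account by hand does not scale, so here is an added example (not code from the original post) that audits the JSON printed by az storage account list -o json and emits the az CLI command that fixes each weak account. The three account records are constructed; the property names enableHttpsTrafficOnly and minimumTlsVersion and the options --https-only and --min-tls-version are the real Azure ones, and an unset minimumTlsVersion is treated as TLS 1.0, which is the service's fallback.

```python
import json

# Added example, not code from the original post: audit the JSON that
# `az storage account list -o json` prints and report accounts that still
# accept plain HTTP or TLS older than 1.2, then emit the az commands that
# fix them. The three records in SAMPLE_ACCOUNTS_JSON are constructed;
# enableHttpsTrafficOnly and minimumTlsVersion are the real ARM property
# names, and --https-only / --min-tls-version are real az CLI options.

SAMPLE_ACCOUNTS_JSON = """[
  {"name": "kaushikprod",   "resourceGroup": "kaushik-rg",
   "enableHttpsTrafficOnly": true,  "minimumTlsVersion": "TLS1_2"},
  {"name": "kaushiklegacy", "resourceGroup": "kaushik-rg",
   "enableHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_0"},
  {"name": "kaushikold",    "resourceGroup": "kaushik-rg",
   "enableHttpsTrafficOnly": true,  "minimumTlsVersion": null}
]"""

# An unset minimumTlsVersion means the service falls back to TLS 1.0.
TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}
DEFAULT_WHEN_UNSET = "TLS1_0"


def load_sample() -> list:
    """Parse the constructed sample as if it came from the az CLI."""
    return json.loads(SAMPLE_ACCOUNTS_JSON)


def audit_accounts(accounts: list, min_tls: str = "TLS1_2") -> list:
    """Return (account name, problem code) pairs for every weak setting.
    Problem codes: 'http-allowed' and 'weak-tls'."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        # Secure transfer required == enableHttpsTrafficOnly
        if not acct.get("enableHttpsTrafficOnly", False):
            findings.append((name, "http-allowed"))
        tls = acct.get("minimumTlsVersion") or DEFAULT_WHEN_UNSET
        if TLS_ORDER.get(tls, -1) < TLS_ORDER[min_tls]:
            findings.append((name, "weak-tls"))
    return findings


def remediation_commands(accounts: list, min_tls: str = "TLS1_2") -> list:
    """One `az storage account update` per account that needs a change,
    carrying only the options that are actually out of policy."""
    problems = {}
    for name, code in audit_accounts(accounts, min_tls):
        problems.setdefault(name, set()).add(code)
    by_name = {a["name"]: a for a in accounts}
    commands = []
    for name in sorted(problems):
        opts = []
        if "http-allowed" in problems[name]:
            opts.append("--https-only true")
        if "weak-tls" in problems[name]:
            opts.append(f"--min-tls-version {min_tls}")
        rg = by_name[name]["resourceGroup"]
        commands.append(
            f"az storage account update --name {name} --resource-group {rg} "
            + " ".join(opts)
        )
    return commands


if __name__ == "__main__":
    accounts = load_sample()
    for name, code in audit_accounts(accounts):
        print(f"{name}: {code}")
    for cmd in remediation_commands(accounts):
        print(cmd)
```

Before running the generated commands, confirm that no client still depends on HTTP or SMB without encryption; the change takes effect immediately and those clients will start failing.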


what is the use of an azure log analytics workspace ?

example/scenario :

You need to collect all the audit failure events from the Security log of a virtual machine so they can be kept and analysed centrally.

process :

Azure Monitor can collect data directly from your Azure virtual machines into a Log Analytics workspace for detailed analysis and correlation.

1. In the Azure portal, select All services. In the list of resources, type Log Analytics; the list filters as you type. Select Log Analytics workspaces.

2. Select Create and fill in the required settings (subscription, resource group, workspace name, region and pricing tier).

3. After providing the required information on the Log Analytics workspace panel, select OK.

While the information is verified and the workspace is created, you can track the progress under Notifications in the menu.

4. Enable the Log Analytics VM extension.
Installing the Log Analytics VM extension for Windows or Linux allows Azure Monitor to collect data from your Azure VMs.

[ In the workspace, under Workspace Data Sources on the left-hand menu, select Virtual machines. In the list of virtual machines, select the one you want to install the agent on. Notice that the Log Analytics connection status for the VM shows Not connected. ]

[ In the details for the virtual machine, select Connect. The agent is automatically installed and configured for your Log Analytics workspace. This takes a few minutes, during which the status shows Connecting. ]

After the agent is installed and connected, the Log Analytics connection status is updated to show this workspace. To actually receive the audit failures, also enable the Windows Security event data source (or an Azure Security Center / Sentinel data connector) for the workspace; connecting the agent alone does not collect the Security log.

Wednesday, July 1, 2020

what do you need to transfer ownership of an azure subscription ( which tool and which user ) ?

User:

Billing Administrator:

Select Transfer billing ownership for the subscription that you want to transfer. Enter the email address of a user who is a billing administrator of the account that will become the new owner of the subscription.

Tool:

The Azure Account Center can be used.

reference:

https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer#transfer-billing-ownership-of-an-azure-subscription


Eligible type and active type

Eligible type:

A role assignment that requires the user to perform one or more actions (activate the role) before they can use it. A user who is eligible for a role can activate it when they need to perform privileged tasks.

There is no difference in the access given to someone with a permanent versus an eligible role assignment. The only difference is that some people do not need that access all the time, so with an eligible assignment the privilege is not standing; it is granted only for the activation window.

For each assignment type ( eligible and active ) you can choose from two assignment duration options when you configure the settings for a role. These options become the default maximum duration when a user is assigned to the role in Privileged Identity Management.

Use the activation maximum duration slider to set the maximum time, in hours, that a role stays active before it expires. This value can be from one to 24 hours.

Active type:

A role assignment that does not require the user to perform any action to use the role. Users assigned as active hold the privileges of the role for the whole duration of the assignment.


what is azure front door ?

Azure Front Door lets you define, manage and monitor the global routing for your web traffic, optimizing for best performance and instant global failover for high availability. With Front Door you can turn your global ( multi-region ) consumer and enterprise applications into robust, high-performance, personalized modern applications, APIs and content that reach a global audience on Azure.
Front Door works at layer 7 ( HTTP/HTTPS ) and uses anycast with split TCP and Microsoft's global network to improve global connectivity.

The Azure portal quickstart sets up high availability for a web application: Front Door pools two instances of the application that run in different Azure regions, configured as equal-weighted, same-priority backends. This configuration directs traffic to the nearest site that runs the application. Front Door continuously probes the backends and automatically fails over to the next available site when the nearest one is unavailable.

Create two instances of a web app
The quickstart requires two instances of the web application running in different Azure regions. Both instances run in Active/Active mode, so either one can take traffic. This differs from an Active/Stand-By configuration, where one instance only acts as a failover.