techno-tim / launchpad
A collection of quick starters for ansible, kubernetes, docker, linux, windows, and more. Great for HomeLabs!
Home Page: https://technotim.live
I ran into this issue while attempting to deploy kube-prometheus-stack as described here: https://www.youtube.com/watch?v=fzny5uUaAeY&t=1210s
The specific error I got was:
```
msg="Error loading config (--config.file=/etc/prometheus/config_out/prometheus.env.yaml)" file=/etc/prometheus/config_out/prometheus.env.yaml err="parsing YAML file /etc/prometheus/config_out/prometheus.env.yaml: empty duration string"
```
Per this: prometheus-operator/prometheus-operator#5197, the issue comes from needing to update the Prometheus operator CRDs.
Basically, the scrape and evaluation intervals are no longer defined as default values, so you need to add them. I resolved it by adding the following to the Prometheus section of the values.yaml file:
```yaml
scrapeInterval: 30s
evaluationInterval: 30s
```
I.e., the easy solution seems to be to update the values.yaml, which is to pull the latest CRDs in the values.yaml.
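As an added check (not from the issue above or the launchpad repo), this Python snippet validates interval values with the same duration grammar Prometheus accepts, so a missing or empty scrapeInterval/evaluationInterval is caught before the operator renders an empty duration string. The spec dict is assumed to be the prometheusSpec section already loaded from values.yaml.

```python
import re

# Prometheus duration grammar: units y, w, d, h, m, s, ms in descending order,
# each at most once. "0" is accepted on its own; the empty string is rejected.
_DURATION_RE = re.compile(
    r"^(?:(\d+)y)?(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?(?:(\d+)ms)?$"
)
_UNIT_MS = (365 * 24 * 3600 * 1000, 7 * 24 * 3600 * 1000, 24 * 3600 * 1000,
            3600 * 1000, 60 * 1000, 1000, 1)


def parse_duration(text):
    """Return the duration in milliseconds, raising ValueError like Prometheus does."""
    if text == "":
        raise ValueError("empty duration string")
    if text == "0":
        return 0
    m = _DURATION_RE.match(text)
    if not m:
        raise ValueError(f"not a valid duration string: {text!r}")
    return sum(int(g) * unit for g, unit in zip(m.groups(), _UNIT_MS) if g)


def check_prometheus_spec(spec):
    """Return (field, problem) pairs for the interval fields of a prometheusSpec dict."""
    problems = []
    for field in ("scrapeInterval", "evaluationInterval"):
        value = spec.get(field)
        if value is None:
            problems.append((field, "not set; set it explicitly as in the fix above"))
            continue
        try:
            parse_duration(str(value))
        except ValueError as exc:
            problems.append((field, str(exc)))
    return problems


if __name__ == "__main__":
    # Constructed sample: one good section and one that reproduces the reported error.
    for spec in ({"scrapeInterval": "30s", "evaluationInterval": "30s"},
                 {"scrapeInterval": "", "evaluationInterval": "30sec"}):
        print(spec, "->", check_prometheus_spec(spec) or "ok")
```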
Went through a bunch of pain trying to set up notifications based off of https://docs.technotim.live/posts/flux-devops-gitops/. Turns out the discord-provider/alert files need to be added to the kustomization.yaml resources list for the alert to actually be picked up and created by flux. I don't know if this is supposed to be obvious, but the docs / example should still probably have it.
Were you able to get alerts working without doing this?
refs:
I have my domain example.com pointed to my router. I pointed my ports 80 and 443 to the LoadBalancer IP:
```yaml
service:
  enabled: true
  type: LoadBalancer
  annotations: {}
  labels: {}
  spec:
    loadBalancerIP: 192.168.178.89 # this should be an IP in the MetalLB range
  loadBalancerSourceRanges: []
  externalIPs: []
```
And when I run a curl:
```
$ curl 192.168.178.89
Moved Permanently%
```
This is the result. Because when I try to access treafik.example.com I get no result?
Hey @timothystewart6. I am using k8s on bare metal with talos... I was able to set up the dashboard with the tutorial, but the issue is, when I try to see etcd metrics it shows "No Data". I honestly don't know if it's a Talos issue or something with my grafana config. Any idea where the issue may lie?
thanks
I updated this section with the IPs of my cluster's control planes:
```yaml
kubeEtcd:
  enabled: true
  endpoints:
    # ips of the control planes of my cluster
    - xx.xx.xx.xxx
    - yy.yy.yy.yyy
    - zz.zz.zz.zzz
  service:
    enabled: true
    port: 2379
    targetPort: 2379
# on talos etcd uses port 2379 for client communication and port 2380 for peer communication in a cluster
```
Hi Tim!
I have a problem with clusterIssuer. I can't work out why I'm still getting an error like this:
```
E1005 11:18:39.797876 1 controller.go:166] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="specified key "API token from Cloudflare" not found in secret cert-manager/cloudflare-token-secret" "key"="default/local-mysite-name-gks9v-1493540579-3817414012"
```
My config looks like this:
```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  cloudflare-token: <API token Cloudflare >
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          cloudflare:
            email: [email protected]
            apiTokenSecretRef:
              name: cloudflare-token-secret
              key: <API token Cloudflare>
        selector:
          dnsZones:
            - "mysitename.com"
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
      - dns01:
          cloudflare:
            email: [email protected]
            apiTokenSecretRef:
              name: cloudflare-token-secret
              key: <API token Cloudflare>
        selector:
          dnsZones:
            - "mysitename.com"
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: local-mysitename-staging-cloud
  namespace: default
spec:
  secretName: local-mysitename-staging-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: "*.local.mysitename.com"
  dnsNames:
    - "local.mysitename.com"
    - "*.local.mysitename.com"
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: local-mysitename
  namespace: default
spec:
  secretName: local-mysitename-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "*.local.mysitename.com"
  dnsNames:
    - "local.mysitename.com"
    - "*.local.mysitename.com"
```
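The error in the report above is cert-manager saying that the key named in apiTokenSecretRef does not exist in the Secret it looked up. As an added pre-apply check (not code from the issue or from the launchpad repo), this Python snippet cross-references every ClusterIssuer/Issuer Cloudflare secret reference against the keys actually present in the matching Secret. It assumes the manifests are already parsed into dicts (as kubectl -o json or a YAML loader would produce) and that ClusterIssuers resolve their secrets in the cert-manager namespace, which is what the error message shows.

```python
def secret_keys(docs):
    """Map (namespace, name) -> set of data/stringData keys for every Secret in docs."""
    keys = {}
    for d in docs:
        if d.get("kind") == "Secret":
            meta = d["metadata"]
            ns = meta.get("namespace", "default")
            keys[(ns, meta["name"])] = set(d.get("data", {})) | set(d.get("stringData", {}))
    return keys


def check_issuer_secret_refs(docs, cluster_resource_namespace="cert-manager"):
    """Return (issuer, secret, key, available_keys) for each secretRef whose key is absent."""
    secrets = secret_keys(docs)
    problems = []
    for d in docs:
        if d.get("kind") not in ("ClusterIssuer", "Issuer"):
            continue
        issuer = d["metadata"]["name"]
        # ClusterIssuers read secrets from the cluster resource namespace;
        # namespaced Issuers read from their own namespace.
        ns = (cluster_resource_namespace if d["kind"] == "ClusterIssuer"
              else d["metadata"].get("namespace", "default"))
        for solver in d.get("spec", {}).get("acme", {}).get("solvers", []):
            cloudflare = solver.get("dns01", {}).get("cloudflare", {})
            for ref_field in ("apiTokenSecretRef", "apiKeySecretRef"):
                ref = cloudflare.get(ref_field)
                if not ref:
                    continue
                available = secrets.get((ns, ref["name"]))
                if available is None or ref["key"] not in available:
                    problems.append((issuer, f"{ns}/{ref['name']}", ref["key"],
                                     sorted(available or [])))
    return problems


# Constructed sample mirroring the report's manifests; the token value is a placeholder.
SAMPLE_DOCS = [
    {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
     "metadata": {"name": "cloudflare-token-secret", "namespace": "cert-manager"},
     "stringData": {"cloudflare-token": "<API token Cloudflare>"}},
    {"apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
     "metadata": {"name": "letsencrypt-staging"},
     "spec": {"acme": {"solvers": [{"dns01": {"cloudflare": {
         "apiTokenSecretRef": {"name": "cloudflare-token-secret",
                               "key": "<API token Cloudflare>"}}}}]}}},
]

if __name__ == "__main__":
    for issuer, secret, key, available in check_issuer_secret_refs(SAMPLE_DOCS):
        print(f"{issuer}: key {key!r} not found in secret {secret}; it has {available}")
```

The fix the check points at is to make the key in apiTokenSecretRef match a key that exists under stringData (here cloudflare-token), since cert-manager looks up the key literally.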
After running the docker compose I run the command you have for making a user: `docker-compose run --rm panel php artisan p:user:mak`
I am getting
```
Connection.php line 692:
SQLSTATE[HY000] [1045] Access denied for user 'pterodactyl'@'172.20.0.5' (using password: YES) (SQL: select * from information_schema.tables where table_schema = panel and table_name = migrations and table_type = 'BASE TABLE')
```
And both
```
In PDOConnection.php line 39:
In Exception.php line 18:
```
are giving the error: `SQLSTATE[HY000] [1045] Access denied for user 'pterodactyl'@'172.20.0.5' (using password: YES)`
I saw that it is looking for an IP of 172.20.0.5, but when I check all the container IPs with
```
docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $(docker ps -q)
```
I get this list of IPs:
```
172.20.0.4 172.20.0.2 172.20.0.3
```
How can I set the IP for the database in the Docker-Compose file?
I found this but I don't understand it: Link
after following instructions for staging cert, traefik didn't use the cert
unknown
upgrade cert-manager
```bash
cert_manager_version='v1.13.1'
kubectl apply -f "https://github.com/cert-manager/cert-manager/releases/download/${cert_manager_version}/cert-manager.crds.yaml"
helm upgrade --version "${cert_manager_version}" cert-manager jetstack/cert-manager --namespace cert-manager
```
Hi,
I'm following along this post:
https://technotim.live/posts/kube-traefik-cert-manager-le/
(Great stuff! Much appreciated!)
Using k3s version v1.29.2+k3s1:
```
$ k3s -v
k3s version v1.29.2+k3s1 (86f10213)
go version go1.21.7
```
Then after applying the latest (v1.14.4) cert-manager CRDs:
```
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io unchanged
```
k3s does not recognize the new CRDs:
```
$ k get certificates
error: the server doesn't have a resource type "certificates"
```
The cert-manager helm install works well, but it also complains about missing 'Certificate' resources.
Could this be an API mismatch with my version of k3s?
Thanks a lot for any help.
https://gitlab.com/gitlab-org/charts/gitlab-runner/blob/master/values.yaml
This link is bad for the default values for gitlab-runner.
I believe this is the correct link (looks like they went from "master" to "main"):
https://gitlab.com/gitlab-org/charts/gitlab-runner/blob/main/values.yaml
The docker image that replaced the deprecated oznu image is now deprecated itself.
docker/guacamole/docker-compose.yml
`image: maxwaldorf/guacamole` is now deprecated.
I spent the last few days trying to figure out how I can use the kubernetes-hosted traefik, which does know of the let's encrypt wildcard certificate, to also handle external services not located in kubernetes directly.
I.e. I have a couple of portainer installations which I "grouped up" in the past already via the environment section of portainer on my main server. That portainer was so far reachable via an internal host name I set for my server, but it didn't use a valid certificate.
With the configuration below I am now finally able to address external services through traefik, which itself is running in kubernetes (k3s to be precise). This allows the wildcard certificate obtained from let's encrypt to be used on external services which are not yet part of kubernetes.
```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: default-headers
  namespace: portainer
spec:
  headers:
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    stsIncludeSubdomains: true
    stsPreload: true
    stsSeconds: 15552000
    customFrameOptionsValue: SAMEORIGIN
    customRequestHeaders:
      X-Forwarded-Proto: https
---
apiVersion: v1
kind: Service
metadata:
  name: portainer
  namespace: portainer
spec:
  type: ClusterIP
  ports:
    - name: https
      port: 443
      targetPort: 9443
      protocol: TCP
---
apiVersion: v1
kind: Endpoints
metadata:
  name: portainer
  namespace: portainer
subsets:
  - addresses:
      - ip: {ip-of-external-server}
    ports:
      - name: https
        port: 9443
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: portainer
  namespace: portainer
  annotations:
    kubernetes.io/ingress.class: traefik-external
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`portainer.local.example.com`)
      kind: Rule
      services:
        - name: portainer
          port: 443
      middlewares:
        - name: default-headers
  tls:
    secretName: local-example-com-tls
```
The ingress configuration is rather straightforward, though the service definition differs here. I tried a lot with ExternalName or ExternalIPs in the service config, though the former one doesn't use ports while the latter one didn't show up in the traefik dashboard no matter what I tried.
The final clue came while watching this Google Cloud Tech video where Sandeep mentioned all of the hurdles I faced, and that by defining an Endpoints resource and defining the IP and port there directly one can still make use of traefik for external resources.
Hope this helps others :) If there is a simpler approach to get the job done, please feel free to post it here as I'm always keen on learning new tech things I can try in my homelab.
Great video series. Definitely some fun stuff learned while migrating my docker swarm to kubernetes.
In the file launchpad/kubernetes/traefik-cert-manager/traefik/dashboard/ingress.yaml, the tls secret, that is now commented out, won't work because the certificate is generated in the default namespace while the ingressRoute defined for the dashboard is defined in the traefik namespace. I think you would need to either create some form of trust, duplication, or have this all in the default namespace. In the video I think you mentioned that having the certificate in the default namespace would make it available to all other services? Perhaps you meant that it would be available to all services in the default namespace? The nginx sample works fine because the whole example is defined in the default namespace, but you can not access secrets between different namespaces without additional configuration.
If I am mistaken please disregard
Hello,
I was following your "2 Factor Auth and Single Sign on with Authelia" video and I have an issue with the whitelist middleware on traefik. For some reason it is not quite working.
Here is the section of the config.yml file. In here, I'm not sure if you need some indentation on the IP field.
```yaml
default-whitelist:
  ipWhiteList:
    sourceRange:
    - "98.143.96.201/32" # you have it like this
      - "98.143.96.201/32" # I think it should be like this
```
It doesn't matter from what IP I try to connect, I always reach both the traefik and portainer portals.
I even added these two lines on both docker-compose files (traefik and portainer) and recreated the containers, but nothing changed.
```yaml
labels:
  ...
  - "traefik.http.routers.traefik.middlewares=default-whitelist"
  - "traefik.http.middlewares.default-whitelist.ipwhitelist.sourcerange=98.143.96.201/32"
```
Does the order of the lines matter? I tried at the end of the labels section, then right after you define the host and set the login credentials. Made no difference.
I also tried to add the middleware directly on an external service that I'm running, but nothing, it doesn't work. I can reach the site from any IP.
Here is a section of the config.yml file.
```yaml
http:
  routers:
    rancher:
      entryPoints:
        - "https"
      rule: "Host(`rancher.example.com`)"
      middlewares:
        - authelia
        - default-headers
        - default-whitelist
      tls: {}
      service: rancher
```
Do we need both the labels and the middleware set? What else can I try to make it work?
Thanks.
ERROR! the role 'gantsign.oh-my-zsh' was not found
Hello!
thank you for this beauty! I lost 3 hours of my life because that nginx cert tls secret was not in staging.
Otherwise top documentation / video !
I have used your setup many times now, works great, but now I get a 404 in the Traefik dashboard. Set it up 4 times now, but I can't get it to work.
Using "here" links in any document is regarded as very bad practice.
Usability & Web Accessibility - Link Text
Why Your Links Should Never Say "Click Here"
There are LOTS more such pages all over the net.
Also, when writing a README you should write it as if a 'random person' just came across it for the first time.
You may know what you are looking at, they may not! Do not assume they are coming from your video.
Making this your "README.md" will make it a lot better:
# Linux Desktop, in a container, in a browser? A Webtop
An example compose file to complement a YouTube Video on webtops in a container.
[Youtube Video](https://www.youtube.com/watch?v=Gd9bvdkIXOQ)
[Webtop Documentation](https://docs.technotim.live/posts/webtop-container/)
Recently worked on a way to optimize the Traefik config/labels to reduce the amount of per-container config, which I thought might be a good idea:
traefik.yml would look like (entrypoints):
```yaml
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
  https:
    http:
      middlewares:
        - default-headers@file
    address: ":443"
    forwardedHeaders:
      insecure: true
```
This allows the default-headers to be truly default and apply globally. It also allows http traffic to be routed to https by default on the entrypoint, removing the need for it to be defined on a per-container basis.
A compose label section would go from:
```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.web.entrypoints=http"
  - "traefik.http.routers.web.rule=Host(`sub.domain.tld`)"
  - "traefik.http.middlewares.web-https-redirect.redirectscheme.scheme=https"
  - "traefik.http.routers.web.middlewares=web-https-redirect"
  - "traefik.http.routers.web-secure.entrypoints=https"
  - "traefik.http.routers.web-secure.rule=Host(`sub.domain.tld`)"
  - "traefik.http.routers.web-secure.tls=true"
  - "traefik.http.routers.web-secure.service=web"
  - "traefik.http.services.web.loadbalancer.server.port=3000"
  - "traefik.docker.network=proxy"
  - "traefik.http.routers.web.middlewares=sslheader@docker"
  - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
```
to:
```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.web.entrypoints=https"
  - "traefik.http.routers.web.rule=Host(`sub.domain.tld`)"
  - "traefik.http.routers.web.tls=true"
  - "traefik.http.routers.web.service=web"
  - "traefik.http.services.web.loadbalancer.server.port=3000"
  - "traefik.docker.network=proxy"
```
It will also allow for a clear way to demonstrate how to apply middlewares to an entryPoint for ones that you want to apply to all services, which took me a bit longer than I care to admit to figure out on my own.
Hey Tim.
I'm trying to create my own setup with your "Wildcard Certificates with Traefik + cert-manager" video and I think I found an interesting behavior.
As you describe, both cloudflare and the configs have a wildcard dns entry,
for example: *.example.com
Everything works fine with 1st degree subdomains like "a.example.com".
But it breaks when using multi-level subdomains like "a.b.example.com".
I spent hours trying to realize this. I would like to leave this painful experience as a note here; maybe you can consider adding it to your documentation.
(don't worry, I know this is not related to you 😅)