openssl s_client -connect images.dev.homlish.net:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > www.pem
openssl x509 -noout -text -in www.pem | grep -A 4 ‘X509v3 CRL Distribution Points’
k8s Helm
installing helm
curl https://baltocdn.com/helm/signing.asc | sudo apt-key add –
sudo apt-get install apt-transport-https –yes
echo “deb https://baltocdn.com/helm/stable/debian/ all main” | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
sudo apt-get update
sudo apt-get install helm
# we need to add our k8s certificate
helm repo add –ca-file /path/to/certificate.crt repoName https://example/repository
k8s Prometheus
Installing Prometheus
2023-09-20
phomlish@a6:~/kubernetes/prometheus/homlish-monitoring
k apply -f k apply -f homlish-monitor-ns.yaml
kubectl create -f clusterRole.yaml
using helm?
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm search repo prometheus-community/prometheus –versions
prometheus-community/prometheus 19.3.1 v2.41.0 Prometheus is a monitoring system and time seri…
helm install 19.3.1 prometheus-community/prometheus
helm -n homlish-monitor delete prometheus
phomlish@a6:~/kubernetes/prometheus$ helm upgrade –install -n homlish-monitor –version 19.3.1 -f values.yaml prometheus prometheus-community/prometheus
NAME: prometheus
LAST DEPLOYED: Wed Oct 11 07:53:06 2023
NAMESPACE: default
STATUS: deployed
REVISION: 1
NOTES:
The Prometheus server can be accessed via port 80 on the following DNS name from within your cluster:
prometheus-server.default.svc.cluster.local
Get the Prometheus server URL by running these commands in the same shell:
export POD_NAME=$(kubectl get pods –namespace default -l “app=prometheus,component=server” -o jsonpath=”{.items[0].metadata.name}”)
kubectl –namespace default port-forward $POD_NAME 9090
The Prometheus alertmanager can be accessed via port on the following DNS name from within your cluster:
prometheus-%!s(
Get the Alertmanager URL by running these commands in the same shell:
export POD_NAME=$(kubectl get pods –namespace default -l “app=prometheus,component=” -o jsonpath=”{.items[0].metadata.name}”)
kubectl –namespace default port-forward $POD_NAME 9093
#################################################################################
###### WARNING: Pod Security Policy has been disabled by default since #####
###### it deprecated after k8s 1.25+. use #####
###### (index .Values “prometheus-node-exporter” “rbac” #####
###### . “pspEnabled”) with (index .Values #####
###### “prometheus-node-exporter” “rbac” “pspAnnotations”) #####
###### in case you still need it. #####
#################################################################################
The Prometheus PushGateway can be accessed via port 9091 on the following DNS name from within your cluster:
prometheus-prometheus-pushgateway.default.svc.cluster.local
Get the PushGateway URL by running these commands in the same shell:
export POD_NAME=$(kubectl get pods –namespace default -l “app=prometheus-pushgateway,component=pushgateway” -o jsonpath=”{.items[0].metadata.name}”)
kubectl –namespace default port-forward $POD_NAME 9091
For more information on running Prometheus, visit:
https://prometheus.io/
janus
systemctl status janus.service
systemctl restart janus.service
more /etc/janus/janus.jcfg
tail -f /usr4/mydetv/logs/janus.log
2021-03-25
Yikes, I’m on version 0.7.6 from 2019-11-27
moving to 0.10.10 from 2021-02-08
k8s tls
openssl x509 -in fullchain.pem -text
openssl x509 -in certs/letsencrypt/secure.homlish.net/fullchain.pem -text|grep DNS
openssl x509 -in certs/letsencrypt/images.homlish.net/fullchain.pem -text|grep DNS
openssl x509 -in certs/letsencrypt/secure.homlish.net/fullchain.pem -text|grep DNS
openssl x509 -in certs/letsencrypt/homlish.net/fullchain.pem -text|grep DNS
kubectl create secret tls secure-tls –cert=secure.dev.homlish.net.2020-05-14.cert.pem –key=secure.dev.homlish.net.2020-05-14.key.pem
pwd:
w01:images phomlish$ pwd
/Users/phomlish/homlishWeb/certs-letsencrypt/images
scp -P 2222 a0:certs/letsencrypt/images.homlish.net/fullchain.pem .
scp -P 2222 a0:certs/letsencrypt/images.homlish.net/privkey.pem .
k -n homlish-web-prod create secret tls images-tls –cert=fullchain.pem –key=privkey.pem
w01:images phomlish$ pwd
/Users/phomlish/homlishWeb/certs-letsencrypt/secure
scp -P 2222 a0:certs/letsencrypt/secure.homlish.net/fullchain.pem .
scp -P 2222 a0:certs/letsencrypt/secure.homlish.net/privkey.pem .
k -n homlish-web-prod create secret tls secure-tls –cert=fullchain.pem –key=privkey.pem
k -n grafana create secret tls grafana-tls –cert=cert1.pem –key=privkey1.pem
kubectl create secret tls hcr-tls -ns hcr –cert=hcr.homlish.net.2020-10-27.cert.pem –key=hcr.homlish.net.2020-10-27.key.pem
kubectl –namespace jukebox-prod create secret tls jukebox-tls –cert=cert.pem –key=privkey.pem
kubectl –namespace jukebox-prod delete secret jukebox-tls
kubernetes cert-manager
https://www.nginx.com/blog/automating-certificate-management-in-a-kubernetes-environment/
letsencrypt.homlish.net. IN A 10.11.168.4
cafe.homlish.net. IN A 10.11.168.5
cert-manager.homlish.net. IN A 10.11.168.253
helm install nginx-kic nginx-stable/nginx-ingress –namespace nginx-ingress –set controller.enableCustomResources=true –create-namespace –set controller.enableCertManager=true
helm install nginx-kic nginx-stable/nginx-ingress –namespace nginx-ingress –set controller.enableCustomResources=true –set spec.loadBalancerIP=’10.11.168.4′ –create-namespace –set controller.enableCertManager=true
helm install -f values.yaml –namespace nginx-ingress nginx-kic nginx-stable/nginx-ingress –create-namespace
helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.1/cert-manager.crds.yaml
helm install \
cert-manager jetstack/cert-manager \
–namespace cert-manager \
–create-namespace \
–version v1.10.1
change fw nginx to forward to cert-manager
curl -L -o kubectl-cert-manager.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/kubectl-cert_manager-linux-amd64.tar.gz
wget https://github.com/jetstack/cert-manager/releases/latest/download/kubectl-cert_manager-linux-amd64.tar.gz
nginx
https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/
nginx
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -A PREROUTING -p tcp -s 10.11.1.200 –sport 443 -j MARK –set-xmark 0x1/0xffffffff
iptables -t mangle -A PREROUTING -p tcp -s 10.11.168.0/24 –sport 443 -j MARK –set-xmark 0x1/0xfffffffe
geoip maxmind
https://github.com/maxmind/libmaxminddb
https://github.com/maxmind/MaxMind-DB-Reader-php
sudo apt install libmaxminddb0 libmaxminddb-dev mmdb-bin
wget https://github.com/maxmind/MaxMind-DB-Reader-php/archive/v1.8.0.tar.gz
tar xzf v1.8.0.tar.gz
cd MaxMind-DB-Reader-php-1.8.0/
cd ext
./configure –with-php-config=/usr/local/apache2/php/bin/php-config
make
make test
sudo make install
vi /usr/local/apache2/php/php.ini
extension=maxminddb.so
openssl rsa public/private keys
kubectl -n hcr create secret tls hcr-tls-secret \
–cert=hcr.homlish.net.2020-10-27.cert.pem \
–key=hcr.homlish.net.2020-10-27.key.pem
kubectl -n default create secret tls test-tls-secret \
–cert=jbox-api.local.homlish.net.2022-02-13.cert.pem\
–key=jbox-api.local.homlish.net.2022-02-13.key.pem
# generate private
openssl genrsa -out private-key2.pem 4096
cp private-key2.pem private-key2-no-lf.pem
awk ‘NF {sub(/\r/, “”); printf “%s\\n”,$0;}’ private-key2-no-lf.pem > private-key2-no-lf.txt
# generate public
openssl rsa -in private-key.pem -outform PEM -pubout -out public.pem
# remove linefeeds for kubernetes
awk ‘NF {sub(/\r/, “”); printf “%s\\n”,$0;}’ private-key.pem
awk ‘NF {sub(/\r/, “”); printf “%s\\n”,$0;}’ public.pem
Great, I see it on the screen. It works if I use it in VS code launch.json.
How do I get it into kubernetes?
$ kubectl create secret generic my-secret –from-file=ssh-privatekey=/path/to/.ssh/id_rsa –from-file=ssh-publickey=/path/to/.ssh/id_rsa.pub
awk ‘NF {sub(/\r/, “”); printf “%s\\n”,$0;}’ jbox-api.local.homlish.net.2022-02-13.cert.pem > jbox-api.local.homlish.net.2022-02-13.cert.pem.txt
awk ‘NF {sub(/\r/, “”); printf “%s\\n”,$0;}’ jbox-api.local.homlish.net.2022-02-13.key.pem > jbox-api.local.homlish.net.2022-02-13.key.pem.txt
watermarking
Watermarking
Images
convert photo.png logo.png -gravity southeast -geometry +10+10 -composite output.png