Where is the return value of gcloud ai endpoints create defined and documented?
I am following GCP coursera Vertex AI model monitoring Lab: Vertex AI Model Monitoring and the task is asking to get the model endpoint ID from the gcloud ai endpoints create command output.
# Deploy your model to the endpoint
ENDPOINT_NAME = "churn"
output = !gcloud --quiet beta ai endpoints create --display-name=$ENDPOINT_NAME --format="value(name)"
print("endpoint output: ", output)
ENDPOINT = output[-1]
ENDPOINT_ID = # TODO: Your code goes here
gcloud ai endpoints create documentation shows no information of its return value.
Where is it documented?
The command returns long running operation. There is also documentation of it in Python, see Returns section.
See sample curl request for long-running operation:
curl -X GET \
-H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
"https://LOCATION-aiplatform.googleapis.com/v1/OPERATION_NAME"
note: OPERATION_NAME can be found on your request via API, mine was creation of dataset
Result:
Related
From a Kubernetes node, how can I access API server, how can I find out the API endpoint and handle authentication? It is a Windows node by the way.
I'm surprised that there is not much information I could find on the Internet about this, is accessing Kubernetes API from node directly a bad design?
"From the node" sound like a fringe use case, like addons, which are usually covered by using the "admin.conf" file that was deployed during node attachement and contains whatever you would need to connect to the api server.
A more usual approach would be to deploy your workload in a Pod which service account would have the proper role binding to access the API server.
How to access Kubernetes API from node directly?
There are multiple ways , one of the way is from master node
# Get API Server URL:
kubectl cluster-info
#access it using the curl
curl https://<api serverIP>:6443/api/v1/nodes --cacert /etc/srv/kubernetes/pki/ca-certificates.crt --cert /var/lib/kubelet/pki/kubelet-client.crt --key /var/lib/kubelet/pki/kubelet-client.key
how can I find out the API endpoint and handle authentication?
One technique i use is using --v=11 with kubectl commands , it will give endpoints of the kubernetes resources
#example :
kubectl get pods --v=11 2>&1 | grep GET
I1229 10:20:41.098241 42907 round_trippers.go:423] curl -k -v -XGET -H "Accept: application/json;as=Table;v=v1;g=meta.k8s.io,application/json;as=Table;v=v1beta1;g=meta.k8s.io,application/json" -H "User-Agent: kubectl/v1.19.4 (linux/amd64) kubernetes/d360454" 'https://10.157.160.165:6443/api/v1/namespaces/default/pods?limit=500'
I1229 10:20:41.116964 42907 round_trippers.go:443] GET https://<apiserver>:6443/api/v1/namespaces/default/pods?limit=500 200 OK in 18 milliseconds
It is a Windows node by the way
Ideally above steps should work , May be you need to find out equivalent commands for grep & curl. change location of the certs to appropriate locations. you can find the location of certs from admin.conf file.
Most services on the IBM Cloud catalog now support "private endpoints" as described at https://cloud.ibm.com/docs/account?topic=account-service-endpoints-overview
I'm writing some automation for our application and I'd like to obtain the private endpoint for my database from a simple bash script.
I found that I can create a service key and invoke ibmcloud resource service-key (NAME | ID) to list the contents of that key (which includes the service's public endpoint).
Unfortunately, I can't seem to find any command for listing the corresponding private endpoint.
In this particular case I am using the databases-for-postgresql service, but I was hoping for a general way to do this that will work across service types.
I can get the private endpoint information from the UI, so I know the service instance has one.
If I can't get the private endpoint from an existing command, can I piggy-back on the cli's session to invoke a curl command without messing with IAM?
For example, to invoke the curl command mentioned at the bottom of https://www.ibm.com/cloud/blog/introducing-private-service-endpoints-in-ibm-cloud-databases
curl -sS -XPOST "https://api.us-south.databases.cloud.ibm.com/v4/ibm/deployments/<deployment CRN/users/admin/connections/private" \
-H "Authorization: Bearer <IBM API TOKEN>"
The IBM Cloud CLI Cloud Databases plug-in provides this capability. Details about the deployment-connections command can be found here: https://cloud.ibm.com/docs/databases-cli-plugin?topic=databases-cli-plugin-cdb-reference#connections
The syntax is roughly: ibmcloud cdb deployment-connections [the-database] -e private
If you have not already installed this plug-in, you can do so with this command: ibmcloud plugin install cdb
I am wondering how do I create a kube config file for my Kubernetes cluster programatically so I can use it with kubectl in IBM Cloud.
To generate a Kube config file to use with kubectl you can do the following via curl to generate the file.
First you will need to get your bearer and refresh token. There are a couple ways to do this. If you have an API key you [can generate your tokens here.
Once you have your tokens you can call the following API.
POST https://containers.cloud.ibm.com/global/v1/clusters/clusterid/config.
That will give you a zipped file with the kube config and relevant certificates.
curl --location --request GET 'https://containers.cloud.ibm.com/global/v1/clusters/xxx/config' \
--header 'Authorization: mybearertoken' \
--header 'X-Auth-Refresh-Token: myrefreshtoken' >> kubeconfig.zip
Replace mybearertoken and myrefreshtoken with the correct values from here.
I would like to allow anyone to trigger a job I've created in Rundeck.
I can't understand from the API documentation how to do that.
Any one knows, and can give simple examples (my understanding of the subject is minimal to none)?
What I've found is of the sort:
POST /api/1/job/[ID]/run
In order to use the Rundeck API, you need to authenticate first.
Authentication can be done in two different ways:
Using a Token
Using a username and a password
Here is an example of running a Rundeck job using its API (Token based authentication)
curl -X POST http://rundeck_server:port/api/19/job/87bdc26ce-9893-49bd-ad7a-97f4c4a39196/run?authtoken=AVy8jZdcpTYOyPcOVbfcfOQmB6b92zRu --header "Content-Type:text/xml"
Explanation:
19: the API version or Rundeck installation version (19 matchs
Rundeck 2.8.2)
87bdc26ce-9893-49bd-ad7a-97f4c4a39196: Job UUID
run: Runs a job
PS: To obtain an API Token, you must first log in to the Rundeck GUI using a user account. Click on your username in the header of the page, and you will be shown your User Profile page. From this page you can manage your API Tokens.
To update the answer above, this is an example of running a job and feeding it arguments
You will need to replace hostname/API version/job UID/token
Also the current version can be used with JSON only
curl -X POST https://rundeck-hostname.com/api/41/job/7087d3b7-e454-4983-abd5-a211d21d6f27/run?authtoken=[redacted] -H "Accept: application/json" -H "Content-Type: application/json" -d '{
"options": {
"optionName":"optionValue",
}
}
'
And if you need additional arguments for running a job you can find the updated documentation at https://docs.rundeck.com/docs/api/rundeck-api.html#running-a-job
I'm writing an application to monitor a kubernetes cluster running on Google Container Engine. On the host where my application deployed, there are no kubectl and gcloud CLI nor are they allowed to be installed. So I am trying to do everything through REST API.
For creating the cluster through REST, I can use GCE Rest API with bearer token retrieved from Google OAuth Playground. Something like:
curl -i -X GET -H "Accept: application/json" -H "Content-Type: application/json" -H "Content-Length: 0" -H "Authorization: Bearer $MyBearerToken https://container.googleapis.com/v1/projects/$PROJECT_ID/zones/$ZONE/serverconfig
I can also find Kubernetes REST API reference here. So my question is: How do I retrieve, say pod information, from my GCE Kubernetes cluster, using REST api and REST api only?
I tried with kubectl get pods --v=8, and it's using GET https://${Kubenetes_IP}/api/v1/namespaces/default/pods. But when I use the same api endpoint to curl with my GCE bearer. It gives me Unzuthorized error message.
# curl --insecure -H "Authorization: Bearer $MyBearerToken" https://${Kubenetes_IP}/api/v1/namespaces/default/pods
Unauthorized
I am guessing because I need to use a different bearer token, or some other authentication method. I am wondering if anyone got a quick programtic one-liner? (Without resorting to kubectl or gcloud)
Reference
This answer affirms that there is a way using bearer token, but didn't give a pointer or example
This answer also seems promising, but all the link provided are broken (and api are deprecated as well)
This answer assumes kubectl and gcloud are installed, which is not allowed in my current use case.
Token can be retrieve from Google OAuth Playground
Kubernetes can be reached by the following curl command via REST API
# curl --insecure -H "Authorization: Bearer $MyBearerToken" https://${Kubenetes_IP}/api/v1/namespaces/default/pods
Kubernetes Master IP can be retrieved with kubectl get pods --v=8 and it could probably be retrieved somewhere from GCE Web GUI as well.
Full Kubernetes REST API can be found here
Make sure the token has not yet expired, and I think right now the default TTL is 1 hour.
When you authorize the OAuth2 playground to give you a token, it exchanges an Authorization Code for a Refresh Token and an Access Token.
The Access Token (from the OAuth2 playground) is valid for 1 hour.
The Refresh Token is a long-lived credential that is used to obtain new Access Tokens from the Authorization Server.
If you try to authenticate to the "Resource Owner" (in this case, Kubernetes) with an expired access token, it will respond with an HTTP 401 error.