AWS Elasticsearch enable "HTTPS for all traffic" via CloudFormation - aws-cloudformation

AWS Elasticsearch supports the following encryption option:
* Require HTTPS for all traffic to the domain
But there is no such option available in the CloudFormation resource:
* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html
Do you know if there is any way to set it using CloudFormation?

As the feature was recently released, it is not yet available in CloudFormation or Terraform, but it can be done via the CLI after the domain has been provisioned:
```
aws es update-elasticsearch-domain-config --domain-name <name> \
    --domain-endpoint-options EnforceHTTPS=true,TLSSecurityPolicy=Policy-Min-TLS-1-2-2019-07
```

This feature was released to CloudFormation on August 11th 2020 and is now available both in CloudFormation and in Terraform:
Cloudformation: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-configuration-api.html#es-configuration-api-datatypes-domainendpointoptions
Terraform: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#enforce_https
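The CloudFormation equivalent of the CLI call above is the `DomainEndpointOptions` block on `AWS::Elasticsearch::Domain`. The following script is an added example, not code from the question or its answers: it scans a JSON template for Elasticsearch domains that still accept plaintext HTTP or pre-1.2 TLS, and emits a hardened copy with `EnforceHTTPS` set and the `Policy-Min-TLS-1-2-2019-07` policy. The property names are the real CloudFormation ones; the embedded template and the domain names in it are constructed placeholders.

```python
"""Flag AWS::Elasticsearch::Domain resources in a CloudFormation JSON
template that do not enforce HTTPS, and produce a hardened copy.

Added example, not from the original post. DomainEndpointOptions,
EnforceHTTPS and TLSSecurityPolicy are the real CloudFormation property
names; SAMPLE_TEMPLATE and the domain names in it are constructed."""
import json

# TLSSecurityPolicy value that requires TLS 1.2 (same value as in the
# update-elasticsearch-domain-config CLI call).
STRONG_TLS_POLICY = "Policy-Min-TLS-1-2-2019-07"

# Constructed sample template: one domain with no endpoint options (weak),
# one with the hardened settings, and an unrelated resource to be skipped.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LegacyDomain": {
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {
                "DomainName": "legacy-placeholder",
                "ElasticsearchVersion": "7.4",
            },
        },
        "HardenedDomain": {
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {
                "DomainName": "hardened-placeholder",
                "ElasticsearchVersion": "7.4",
                "DomainEndpointOptions": {
                    "EnforceHTTPS": True,
                    "TLSSecurityPolicy": STRONG_TLS_POLICY,
                },
            },
        },
        "UnrelatedBucket": {"Type": "AWS::S3::Bucket"},
    },
})


def find_weak_domains(template_json):
    """Return {logical_id: [findings]} for every Elasticsearch domain whose
    DomainEndpointOptions allow plaintext HTTP or a TLS policy below 1.2."""
    template = json.loads(template_json)
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Elasticsearch::Domain":
            continue
        opts = resource.get("Properties", {}).get("DomainEndpointOptions", {})
        problems = []
        # EnforceHTTPS defaults to false when omitted, so a missing block
        # is just as weak as an explicit false.
        if opts.get("EnforceHTTPS") is not True:
            problems.append("EnforceHTTPS is not true")
        if opts.get("TLSSecurityPolicy") != STRONG_TLS_POLICY:
            problems.append("TLSSecurityPolicy is not " + STRONG_TLS_POLICY)
        if problems:
            findings[logical_id] = problems
    return findings


def harden_template(template_json):
    """Return a copy of the template in which every Elasticsearch domain
    enforces HTTPS with the TLS 1.2 policy; other resources are untouched."""
    template = json.loads(template_json)
    for resource in template.get("Resources", {}).values():
        if resource.get("Type") != "AWS::Elasticsearch::Domain":
            continue
        props = resource.setdefault("Properties", {})
        props["DomainEndpointOptions"] = {
            "EnforceHTTPS": True,
            "TLSSecurityPolicy": STRONG_TLS_POLICY,
        }
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    for name, problems in find_weak_domains(SAMPLE_TEMPLATE).items():
        print(f"{name}: {'; '.join(problems)}")
    print(harden_template(SAMPLE_TEMPLATE))
```

Running it against a real template (for example as a pre-deploy check in CI) reports `LegacyDomain` and leaves `HardenedDomain` alone; YAML templates would first need converting to JSON, since the script deliberately uses only the standard library.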

Related

Couchbase Operator tool for Kubernetes (cbopctl) does not support "oidc" authentication

I have a Kubernetes cluster running on IBM Cloud and I'm trying to deploy the Couchbase operator.
When running the command:
```
cbopctl apply --kubeconfig /home/jenkins/.bluemix/cluster.yml -f couchbase-autonomous-operator-kubernetes_1.0.0-linux_x86_64/couchbase-cluster.yaml
```
I get the following error.
```
panic: No Auth Provider found for name "oidc"
goroutine 1 [running]:
github.com/couchbase/couchbase-operator/pkg/client.MustNew(0xc4201e2e00, 0xc4201e2e00, 0x0)
/var/tmp/foo/goproj/src/github.com/couchbase/couchbase-operator/pkg/client/client.go:21 +0x71
main.(*ApplyContext).Run(0xc4207e8570)
```
How do I authenticate this service?
Looks like you have your ~/.kube/config file configured to use OpenID with the oidc authenticator. The ~/.kube/config is what the client-go library uses to authenticate, and cbopctl uses the client-go library.
This explains how to set it up in Kubernetes. If you are using an IBM Cloud managed Kubernetes cluster, it's probably already configured on the kube-apiserver and you would have to follow this
To manually configure kubectl you would have to do something like this.
The other answers are correct. To provide the IBM Cloud-specific steps, you can download your config file by using ibmcloud ks cluster-config <cluster-name>. That will give you the KUBECONFIG variable to export by copying and pasting. It will also give you the path that you can use to target the config in your couchbase command.

Terraform Kubernetes provider with EKS fails on configmap

I've followed the instructions to create an EKS cluster in AWS using Terraform.
https://www.terraform.io/docs/providers/aws/guides/eks-getting-started.html
I've also copied the output for connecting to the cluster to ~/.kube/config-eks. I've verified this successfully works, as I've been able to connect to the cluster and manually deploy containers. However, now I'm trying to use the Terraform Kubernetes provider to connect to the cluster but cannot seem to be able to configure the provider properly.
I've configured the provider to use my kubectl configuration, but when attempting to push a simple configmap, I get an error stating the following:
```
configmaps is forbidden: User "system:anonymous" cannot create configmaps in the namespace "kube-system"
```
I know that the provider is picking up part of the configuration but I cannot seem to get it to authenticate. I suspect this is because EKS uses heptio for authentication and I'm not sure if the K8s Go client used by Terraform can support heptio. However, given that Terraform released their AWS EKS support when EKS went GA, I'd doubt that they wouldn't also update their Terraform provider to work with it.
Is it possible to even do this now? Are there alternatives?
Exec auth was added here: https://github.com/kubernetes/client-go/commit/19c591bac28a94ca793a2f18a0cf0f2e800fad04
This is what is utilized for custom authentication plugins and was published Feb 7th.
Right now, Terraform doesn't support the new exec-based authentication provider, but there is an issue open with a workaround: https://github.com/terraform-providers/terraform-provider-kubernetes/issues/161
That said, if I get some free time I will work on a PR.

Need advice how to make Spinnaker work with aws ecr?

I'm setting up Spinnaker in K8s with aws-ecr. My setup and steps are:
on AWS side:
Added policies ecr-pull, ecr-push, and ecr-generate-token
Attached the policy to a role
Spinnaker setup:
Modified values.yaml with the settings below:
```
accounts:
  - name: my-ecr
    address: https://123456xxx.dkr.ecr.my-region.amazonaws.com
    repositories:
      - 123456xxx.dkr.ecr..amazonaws.com/spinnaker-test-project
```
Annotated clouddriver.yaml: deployment to use created role (using the IAM role in a pod by referencing the role name in an annotation on the pod specification)
But it doesn't work, and the error on the clouddriver side is:
```
.d.r.p.a.DockerRegistryImageCachingAgent : Could not load tags for 1234xxxxx.dkr.ecr.<my_region>.amazonaws.com/spinnaker-test-project in https://1234xxxxx.dkr.ecr.<my_region>.amazonaws.com
```
Would like to get some help or advice what I'm missing, thank you
Got the answer from an official Spinnaker Slack channel. Adding an IAM policy to the clouddriver pod won't work, unfortunately, since it uses the Docker client instead of the AWS client. The workaround to make it work can be found here
Note: ECR support is currently broken in Halyard. This might get fixed in the future after Halyard migrates from Kubernetes v1 -> v2, or earlier, so please verify with the community or the docs.

How to update the AWS APIGateway settings for cloudwatch ARN?

I am trying to find a way to update the CloudWatch ARN in AWS API Gateway using the AWS CLI or an API method, if available.
The CloudWatch ARN can be set using the API Gateway by performing a PATCH on the cloudwatchRoleArn property of the Account resource. See http://docs.aws.amazon.com/apigateway/api-reference/resource/account/#cloudwatchRoleArn
Using the AWS CLI, the CloudWatch ARN can be set by calling update-account. See http://docs.aws.amazon.com/cli/latest/reference/apigateway/update-account.html
Using the Java SDK, the CloudWatch ARN can be set by calling updateAccount.

Mesosphere Cloud Formation Template Using Existing VPC/NAT

I am using the existing single master Mesosphere DCOS cloud formation template:
https://s3.amazonaws.com/downloads.mesosphere.io/dcos/stable/cloudformation/single-master.cloudformation.json
I am trying to figure out how to indicate that I want to spin this up in an existing VPC that is already configured with a NAT/Internet gateway.
I'm new to CloudFormation and can't find any docs on the Mesosphere site around what the template actually creates and why. In addition, there doesn't appear to be an all-up manual setup tutorial. Just this template.
Thanks!
You can easily change the CF template: just delete the VPC resource, include the vpc-id as a parameter and change all the references to the VPC resource to point to the new parameter.
In the same way you could replace the subnets in the template and remove the NAT instance.
I have made the changes in the CloudFormation script to install Mesosphere in an existing VPC/NAT.
https://github.com/navidurrahman/dcos-cloudformation
Let me know if you face any problems.
This CloudFormation template installs DC/OS version 1.3. I have written a Terraform module for the latest Mesosphere installation.
https://github.com/navidurrahman/terraform_mesosphere