- Helm Chart for Cloudflare Tunnels
  Tuesday, April 9, 2024
  I’m a big fan of Cloudflare’s tunnels. They allow me to run lots of services behind my firewall and still access them either over the open internet, or via their Zero Trust system. This gives me the ability to run public services, like this blog, or to give myself or my friends access to services behind my firewall without using my VPN. In the beginning, to get this working, I was adding a sidecar container to every deployment that needed a tunnel. While this worked, it was annoying and tedious to have to copy entire Helm charts locally to make modifications to them. I recently created a new Helm chart that I’ve been using that deploys a container running the Cloudflare Tunnel binary and then connects to the Kubernetes service of whatever I want to tunnel. …
- Using Atlantis with OpenTofu
  Thursday, April 4, 2024
  With Terraform moving from Open Source to the much more restrictive BSL I decided to move away from using it both personally and professionally. Luckily I am in a position to make these decisions and after a short (and painful) stint with Pulumi, I’ve decided to move forward using OpenTofu. At this point OpenTofu is a drop-in replacement for Terraform, being a fork of it. One question that was left open was whether Atlantis would work with OpenTofu or not. Well, the answer is yes, and here is how I got it working. …
- gitlab, gitlab runners, k3s, and building all the things
  Saturday, June 25, 2022
  Although originally using Gitea for hosting, and Drone for my CI engine, this setup proved to be difficult. I continually had problems with Drone, and actually had the Gitea database corrupt at one point. With all this I decided to just move back to Gitlab. They run a great service, and it’s what we use at work so I am quite familiar with them and their CI/CD setup. I installed the Gitlab Runner on my internal K3s cluster, and am now using that to do all my builds and deployments behind my firewall. I hit a few bumps along the way, so I wanted to document the final setup for posterity and anyone else who might be having issues as well. …
- nginx-ingress, cert-manager, and default wildcard certificates
  Friday, January 28, 2022
  I have quite a few internal only services running on my Kubernetes cluster. For all these services I wanted to use SSL, but using the default method of getting an ACME certificate from Let’s Encrypt (HTTP-01) wouldn’t work due to my setup. I also didn’t want to have to generate a certificate for every service I decided to spin up. Using cert-manager I was able to generate an ACME wildcard certificate and then set it to the default certificate on the nginx-ingress. …
- Drone and Hugo
  Wednesday, August 4, 2021
  This blog is deployed using a series of technologies from Kubernetes and Helm down to its core using Hugo. One of the annoyances with Hugo is that one needs to build the static content before it is deployed. This is easy enough to do, all you need to do is invoke the hugo command while in the correct directory, but I constantly forget to do this manual step. Instead of manually trying to remember to run this, I built out my Drone CI to do it for me. …
- Cloudflared and Internal Services
  Tuesday, July 20, 2021
  In my new position I work more with Kubernetes than I ever have in the past. This is a great thing, because I think Kubernetes is an amazingly powerful tool, and is quite enjoyable to work with once you understand the ins and outs of it. As such I decided to migrate just about everything I run over to a new Kubernetes cluster. Initially I ran two clusters: one internal to my firewall for non-world accessible stuff, and one in the cloud for world accessible stuff. Then I found out about Cloudflare Tunnels (formerly Argo Tunnel) and moved to a single cluster proxying through Cloudflare. …
- Quickly deploying Python code to Lambda
  Thursday, December 12, 2019
  Lambda is pretty awesome, and we use it for a ton of things at work. I’ve deployed around 20 different scripts at this point, that do everything from monitoring-type tasks to a full Slackbot. Although generally we use Ansible to deploy everything (including our Lambda tasks), there are times when things need to go and they need to go now. For this I wrote a simple script that zips up a package that can be manually deployed to Lambda with all the necessary libraries and things your script needs. …
- drone.io and the GCR
  Wednesday, May 22, 2019
  For the last week or so I’ve been evaluating drone.io as a replacement for our current CI engine (spoiler: we aren’t going to use it). Something that I ran across that wasn’t immediately obvious how to achieve was pulling private images from Google Container Repository. Although there is a thread on the Discourse forums that touches on it, I had to do some testing on my own to actually get it working. Here is what I did. …
- Testing Ansible AWX/Tower roles
  Friday, September 21, 2018
  As I continue to push forward the use of AWX in our infrastructure, there is a continued need to test what we are producing. Much like any other kind of development, sometimes we need a local environment to test something. This came up recently for me in AWX because I was testing a role that modified the AWX Task container in order to provide enhanced functionality. I wrote the following little shell provisioner that gets AWX up and running quickly for testing. …
- Using Nginx in front of AWX for SSL
  Wednesday, August 8, 2018
  I’ve got AWX deployed in production currently. Obviously for production, you need SSL for authentication. Since AWX doesn’t offer this currently, and I’m not paying $20/month just for an ELB for this, I decided to slap Nginx in front of the containers to proxy SSL. This ended up being a larger pain than I expected because of the websockets. Finally got it figured out and wanted to post my nginx config for anyone else trying to do the same thing. …