Marcus Noble

Investigating and fixing "StopPodSandbox from runtime service failed" Kubelet errors

Sun, 28 Sep 2025 00:00:00 GMT

For months now (maybe years, who knows 🤷) I've had the following error sprinkled throughout my Kubelet logs across multiple of my worker nodes:

StopPodSandbox from runtime service failed: rpc error: code = Unknown desc = failed to destroy network for sandbox "055b221e44a28ce8d9120f771d5e1ef201f2457ce49c58999a0147104cca2708": failed to get network "cbr0" cached result: decoding version from network config: unexpected end of JSON input

As there has never been any associated impact with this that I could see I just ignored it... for a long time!

Well, fast forward to last Friday night where a sudden hyper-focus hit and I decided I wanted to know what was going on and how to stop it - here's how it went.

A little context

Before we dive into things I think it's worth providing a bit of context first so we all know what we're working with. The Kubernetes cluster in question is my "homelab" cluster that is running Talos Linux within a Proxmox cluster. The cluster has a single control plane node and 5 worker nodes. The worker nodes are where we'll be focussing. Beyond that there's nothing too special about this cluster. CNI is provided by Flannel with default configuration. The only thing that is kinda unusual is my use of SMB for my CSI driver - I only mention this because it's possible that a failure here might have been the thing that trigger the initial issue but I don't know for sure.

Identifying the issue

As I sad, I had ignored this for months and not thought much of it until Friday. I was cleaning up some unrelated stuff in my cluster and was checking my Kubelet logs stored in Loki to see if my cleaning up had been applied. This is how I (re-)noticed the high number of sandbox errors from various Kubelets. So I took a closer look with:

{service="kubelet"} |= "failed to get network \"cbr0\" cached result"

There was a LOT of these errors in the logs, almost 1000 per hour! 😳

Even though there was a lot of errors there was actually only a handful of sandbox IDs causing the problem so it wasn't widespread, just frequent.

Figuring out what was wrong

Because I'm a Professional Kubernetes Platform Engineer™ I knew exactly how to tackle this... ask the internet! So fired up DuckDuckGo, pasted in my error message and started wading through a LOT of useless results.

I found a couple similar issues that people had experienced with Calico but didn't seem to fit what I was seeing.
There was a closed issue against Containerd where this comment gave me some hope in solving it with a loopback CNI but turned out unrelated also.

These did give me enough info to start looking in the right places though. There was just one problem - Talos Linux doesn't have a shell you can SSH into, it's all API driven.

kubectl debug to the rescue!!!

Thankfully, it's possible to mimic an SSH session using kubectl debug against the node. As I knew I'd need a bunch of container-related tools to help with debugging I launched a debug container using the alpine-containertools image from Rory McCune. Due to how the debug command mounts the host filesystem I also had to override the CONTAINER_RUNTIME_ENDPOINT environment variable to point to the correct location.

kubectl debug -it --image raesene/alpine-containertools \
  --env CONTAINER_RUNTIME_ENDPOINT=unix:///host/run/containerd/containerd.sock \
  node/talos-192-168-1-15 \
  -- sh

Now we can start poking around on the node. First, lets see if we can force delete the sandbox pod ourself.

crictl rmp --force 055b221e44a28ce8d9120f771d5e1ef201f2457ce49c58999a0147104cca2708

Failed to stop sandbox before removing: rpc error: code = Unknown desc = failed to destroy network for sandbox "055b221e44a28ce8d9120f771d5e1ef201f2457ce49c58999a0147104cca2708": failed to get network "cbr0" cached result: decoding version from network config: unexpected end of JSON input

No luck! But we've been able to reproduce what Kubelet is hitting at least.

I spent a bit more time poking at crictl to get an understanding of the state of things. Doing so I was able to identify which pods were broken on each node.

# Get the full details about the pod in containerd
crictl inspectp --output=json 055b221e44a28ce8d9120f771d5e1ef201f2457ce49c58999a0147104cca2708
# List all pods known to containerd, and filter to those in a Notready state
crictl pods | grep NotReady

Eventually, after wading through all the unrelated search results one did seem relevant, a GitHub issue on containerd: "Empty cache files causes "KillPodSandbox" errors when deleting pods".

Cleaning things up

This final GitHub issue contained one important piece of information I was missing - the location of the network cache: /var/lib/cni/results. This is the directory where the CNI stores a JSON file for each network it creates. So let's go take a look:

> ls -la /host/var/lib/cni/results

total 148
drwx------    2 root     root          4096 Sep 27 05:48 .
drwx------    5 root     root            52 Jun 23  2022 ..
-rw-------    1 root     root          1647 Sep 27 05:47 cbr0-01d576d2f808a969bb7cb8da11d1ee3117ec4e9792d4aea33abec55318b74e01-eth0
-rw-------    1 root     root             0 Jun 15 21:28 cbr0-055b221e44a28ce8d9120f771d5e1ef201f2457ce49c58999a0147104cca2708-eth0
-rw-------    1 root     root          1608 Sep 27 05:48 cbr0-225486a2df0c2c8be5038245d099b4c48dc03ede648735a2b4676154650e7741-eth0
-rw-------    1 root     root          2045 Sep 27 05:46 cbr0-2e848e89543e7b6491d0b47eb2be7ec620865024d942012303ede16842aa1108-eth0
-rw-------    1 root     root          1638 Sep 27 05:48 cbr0-415cd18f24ec2740486a7bf254054f871bd8abe4c26bc6e27dbf1f5a10c29f69-eth0
-rw-------    1 root     root          1638 Sep 27 05:46 cbr0-47d021d26d2d1935025cee58941ff68ad28e09f1337b867e0865be56dde64a2a-eth0
-rw-------    1 root     root          1616 Sep 27 05:46 cbr0-5d40d2f86c6f4be7a85969f24e844ea049b41af14b97cfa3f5a655f52d4fc695-eth0
-rw-------    1 root     root          1616 Sep 27 05:48 cbr0-68f252ab057496036e8852a4f6103c1b6c564f6976d04676010858a5588a9a10-eth0
-rw-------    1 root     root          1596 Sep 27 05:48 cbr0-91d8805fe4b95c92f4c53e1321813b5fe9f71467c5692328bb7646649db57b22-eth0
-rw-------    1 root     root          1764 Sep 27 05:48 cbr0-a0eaa73bd701c9b1b1167efd49487b48074936211de1c6be37beec5184e42691-eth0

Notice anything suspicious? The file size of the file associated with our failing sandbox ID is 0. 🤔 That explains why the CNI is unable to load from the cache then - it's empty. Taking a quick look at one of the other files shows a valid JSON object with various network configuration stored within.

So lets delete this file - rm -rf /host/var/lib/cni/results/cbr0-055b221e44a28ce8d9120f771d5e1ef201f2457ce49c58999a0147104cca2708-eth0

With that gone, let's try again to delete the pod:

crictl rmp 055b221e44a28ce8d9120f771d5e1ef201f2457ce49c58999a0147104cca2708

Removed sandbox 055b221e44a28ce8d9120f771d5e1ef201f2457ce49c58999a0147104cca2708

SUCCESS! 🎉

Now we know what to clean up it's time to repeat the process for each filing sandbox ID on each node. Once that is done the kubelet logs are looking muuuucccchhhhhhh better!

Preventing this happening again

As I'm still unclear why or how these pods first failed I can't be sure it wont happen again. My current leading theories are it was either caused by a previous power failure that left the nodes in a bad state or was related to my NAS crashing as the few pods I took a close look at all had SMB volumes associated with them.

Regardless of what caused it I want to make sure I'm being more proactive going forward and leaving my cluster in a better state than it was before. I could set up a dashboard that includes the log query from Loki that we used at the start of this post but that requires me to check it often and... I'm lazy. What we really want is some alerts to annoy me when / if this happens again.

I already have quite a decent monitoring and alerting setup in my homelab made up of VictoriaMetrics, AlertManager and various metric exporters so I'm in a good starting point.

But what I am lacking is containerd metrics.

A quick search lead me to this great post by Abraham Dahunsi covering a lot of details about monitoring containerd. This gave the information on what metrics to work with and what I can do with them but I was still missing the actual metrics. In Talos Linux the containerd metrics aren't enabled by default but thankfully it's quite simple to enable, I just needed to add the following to my machine config for each of my nodes:

machine:
  files:
    - content: |
        [metrics]
          address = "0.0.0.0:11234"
      path: /etc/cri/conf.d/20-customization.part
      op: create

I then just need to instruct vmagent to scrape this new endpoint:

    scrape_configs:
    - job_name: containerd
      scrape_interval: 30s
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      kubernetes_sd_configs:
      - role: node
      relabel_configs:
      - action: labelmap
        regex: __meta_kubernetes_node_label_(.+)
      - target_label: __address__
        replacement: kubernetes.default.svc:443
      - source_labels: [__meta_kubernetes_node_name]
        regex: (.+)
        target_label: __metrics_path__
        replacement: /api/v1/nodes/${1}:11234/proxy/v1/metrics
      - source_labels: [__meta_kubernetes_node_name]
        action: replace
        target_label: kubernetes_node

Now I have the metrics coming in, we can put them to use at identifying issues.

Identify failures starting a pod sandbox:

sum by(grpc_code, instance) (
  rate(grpc_server_handled_total{job="containerd", grpc_code!="OK", grpc_method="RunPodSandbox"})
) > 0

Identify failures stopping or removing a pod sandbox: (This is the issue we handled in this post)

sum by(grpc_code, grpc_method, instance) (
  rate(grpc_server_handled_total{job="containerd", grpc_code!="OK", grpc_method=~"StopPodSandbox|RemovePodSandbox"})
) > 0

Find all pods known to containerd that aren't known to Kubernetes:

(
  container_pids_current{namespace="k8s.io"}
    unless on (container_id)
    label_replace(
        kube_pod_container_info,
        "container_id", "$1", "container_id", "containerd://(.+)"
    )
    unless on (container_id)
    label_replace(
        kube_pod_init_container_info,
        "container_id", "$1", "container_id", "containerd://(.+)"
    )
)
unless on (container_id)
(
  container_memory_swap_limit_bytes > 0
)

This last one has a lot going on but it breaks down to:

List all pids counts for all containers in the k8s.io namespace in containerd
Unless the container_id is also found on the kube_pod_container_info metric (where we need to strip the containerd:// prefix)
Or the container_id is also found on the kube_pod_init_container_info metric
And finally only if the container_memory_swap_limit_bytes is greater than 0 which will filter out the sandbox containers (pause container) which aren't exposed to Kubernetes anyway.

These three then become new alerts that can notify me if any match.

- name: containerd
  rules:
  - alert: ContainerdPodStartFailed
    annotations:
      description: |
        Containerd on **{{ .Labels.instance }}** has failed to start a pod sandbox due to **{{ .Labels.grpc_code }}**.
    expr: |
      sum by(grpc_code, instance) (rate(grpc_server_handled_total{job="containerd",grpc_code!="OK", grpc_method="RunPodSandbox"})) > 0
    for: 5m
    labels:
      severity: notify

  - alert: ContainerdPodRemoveFailed
    annotations:
      description: |
        Containerd on **{{ .Labels.instance }}** has failed to {{ .Labels.grpc_method }} due to **{{ .Labels.grpc_code }}**.
    expr: |
      sum by(grpc_code, grpc_method, instance) (rate(grpc_server_handled_total{job="containerd", grpc_code!="OK", grpc_method=~"StopPodSandbox|RemovePodSandbox"})) > 0
    for: 5m
    labels:
      severity: notify

  - alert: ContainerdHasLeftoverContainersRunning
    annotations:
      description: |
        Containerd on **{{ .Labels.instance }}** has extra containers that aren't known to Kubernetes.
    expr: |
      (
        container_pids_current{namespace="k8s.io"}
          unless on (container_id)
        label_replace(
            kube_pod_container_info,
            "container_id", "$1", "container_id", "containerd://(.+)"
        )
        unless on (container_id)
        label_replace(
            kube_pod_init_container_info,
            "container_id", "$1", "container_id", "containerd://(.+)"
        )
      )
      unless on (container_id)
      (
        container_memory_swap_limit_bytes > 0
      )
    for: 15m
    labels:
      severity: notify

This I learnt

I'd never really used crictl much before this so it was good to be able to better understand it. One thing I didn't realise was it also has the concept of "pods" and "containers" which are different, but map to, those found in Kubernetes. A "pod" seems to refer to the sandbox container - that is, the container that is created to setup all the networking etc. that is needed for the workloads (this is the "pause container"). Pods can be listed with crictl pods and inspected with crictl inspectp [ID]. Containers can be listed with crictl ps and inspected with crictl inspect.

Before this I didn't really know what a CNI actually did in terms of things it created etc., and I still mostly don't, but I've at least seem some hints of it in the way of the network cache files that it creates.

Debugging Talos when it goes wrong at the host level is tricky as you have limited access to the node itself. This is often good as it prevents you from being able to make live changes that could be forgotten or reverted accidentally but when you actually need to fix something like this it just gets in the way. I'm very thankful for kubectl debug (and Rory's wonderful alpine-containertools image 💙) that makes this debugging possible and relatively painless.

My tips on giving technical talks

Wed, 30 Apr 2025 00:00:00 GMT

Changelog

Building Social Media Bots With Node-RED

Sat, 08 Feb 2025 00:00:00 GMT

I run several bots that post to social media and the number seems to keep growing. I've had a few people in the past ask me how I run them so I thought I'd finally get around to writing down how I manage it by leveraging Node-RED.

Intro to the bots

Before getting into the details, lets take a little look at what bots I actually run.

Blog posts - Whenever I publish a new blog post I automatically create a new post on my personal Bluesky, Mastodon and LinkedIn profiles.
CloudNative.Now - A monthly newsletter that I run that posts to Bluesky and Mastodon whenever a new issue is released.
Conf.Party - Similar to above, this is a site I run to collect parties happening around conferences. It posts to Mastodon and Bluesky when new parties are added.
Kubernetes Releases - I have a bot post to Mastodon and Bluesky whenever there is a new Kubernetes release available on GitHub.
Mastodon Releases - I have a bot post to Mastodon whenever there is a new Mastodon release available on GitHub.
Dropout.Tv Releases - A bot that posts to Mastodon and Bluesky whenever there is a new video on the Dropout.TV new releases page.

The bots each post a customised message template that remains the same for each post.

How this looks in Node-RED

Almost all the bots follow roughly the same flow:

They are triggered by a 15 minute interval inject node.
An RSS feed with the source data is fetched (this is something like my blog RSS feed or the GitHub releases RSS feed).
Parse the RSS feed XML.
Iterate through each item in the feed and for each one check if the guid of that item already exists within a bot-specific context data store.
If guid is not found in existing list include that item in the results then add the guid to the list and store into the context data store.
Split the returned list of items into individual items.
Build a message template for each social media platform.
Send that message to a platform-specific subflow that handles the actual API call needed for each platform. (More on this below)

The Kubernetes Releases bot in Node-RED

The exception to this is the Dropout TV bot. There isn't an RSS feed for the new releases so I had to do some web scraping instead and it took a bit of trial and error. I wont go into detail for this as it's very specific to this bot.

The considerably more complex Dropout TV bot in Node-RED

Lets take a look at each step in a bit more detail...

1. Inject Node

Nothing special here, it's an Inject Node with a repeat interval set to 15 minutes. Set this to whatever makes most sense to your bot but be sure to be respectful of the datasource you're fetching from and not to call too often.

2 & 3. Fetch RSS Feed

Again, nothing special here, just a HTTP request node that fetches the URL of the RSS feed and passes it on to an XML node to parse it to the JSON payload.

4. Check for updates

This is where we start to implement some logic. We use a Function Node with the following custom JavaScript:

// Grab our bots context data store or initialise it as an empty array
let prev = flow.get("kubernetes_releases") || [];
// Grab all the guids from our incoming RSS feed data
let guids = msg.payload.feed.entry.map(a => a.id[0])
// Create an array to store new posts in to return at the end
let newPosts = [];

// For each of the guids check if our existing context data contains it already
// If not, add the guid to the existing and add the whole post to the newPosts array
guids.forEach((guid, i) => {
    if (!prev.includes(guid)) {
        prev.push(guid)
        newPosts.push(msg.payload.feed.entry[i]);
    }
});

// Make sure we update our context data store with our updated list of entries
flow.set("kubernetes_releases", prev);

// Return all the new posts
return {
    payload: newPosts
};

5. Split

Use a Split Node to split the array returned from the previous function into single calls - Array split using fixed length of 1.

6. Generate Post Message

This will likely be different, more or less, for each bot as you'll want to build something that makes sense for the context of your bot.

The result of this function will also vary depending on the platform as different platforms require different values for authentication and similar. I'll cover these in more detail below when I look at each provider individually.

As an example, here's the function I use for the Mastodon release bot:

// Grab the title of the Release from the incoming RSS item.
// Depending on the feed structure this might be different.
let title = msg.payload.title[0];

// Handle some special cases where the release version contains "rc"
// as we want to make it clear that this is a Release Candidate release.
let variant = "";
if (title.includes('rc')) {
  variant = " Release Candidate";
}

// Build the post text
let postBody = `New Mastodon${variant} Release

:mastodon: ${title} :mastodon:

${msg.payload.link[0]['$'].href}

#Mastodon #Mastoadmin
`;

// Return the payload that will be passed into the Mastodon subflow
return {
  // The Mastodon instance the bot belongs to
  instance: "mastodon.social",
  // The dev access token for the bot
  password: "XXXXXXXXXXXXXXX",
  // The post text
  body: postBody
}

7. Post to Platform

This is different for each platform so we'll look at those individually below...

Posting to Mastodon

Reusable Subflow for posting a status update to Mastodon

Posting an update to Mastodon is fairly simple. You'll first need to generate a new application access key (Settings -> Development -> New application) and make sure it has the write:status scope. Make a note of the access token as we'll be using this in our payload.

This subflow expects 3 properties on the input message:

instance - This is the Mastodon instance the bot belongs to and to which the API request will be made.
password - This is the access token of our development applications.
body - The actual text to post as the status update

With these 3 values we then first format the API payload in a function node using the following JavaScript:

return {
  payload: {
    status: msg.body,
    visibility: "public"
  },
  url: `https://${msg.instance}/api/v1/statuses`,
  headers: {
    "Authorization": "Bearer " + msg.password
  }
}

This is then passed to an http request node with the method set to POST which will perform the API call and then finally we output it to a debug node so we can check for any errors returned from the Mastodon API.

Posting to Bluesky

Reusable Subflow for posting a status update to Bluesky

The Bluesky API is somewhat more complex to work with compared to Mastodon.

First off, we'll need to generate a new App Password to authenticate out bot (no need to direct message access).

We also need the Decentralized Identifier (DID) of our bot user. There's a couple ways to get the DID, you can either use the ATProto Browser website and enter the link to the user profile or you can make a CURL request to get the profile details, e.g.:

HANDLE='averagemarcus.bsky.social'
DID_URL="https://public.api.bsky.app/xrpc/app.bsky.actor.getProfile"
curl -G --silent --data-urlencode "actor=$HANDLE" "$DID_URL"

The DID will look something like did:plc:mtepw4cvbmdvu7zygmm5xbop.

This subflow expects 3 properties on the input message:

appPassword - The password we just generated for our bot.
did - The DID of our bot.
body - The actual text to post as the status update

Creating an API session

The first thing we need to do when working with the Bluesky API is to create a new session, using our DID and app password. In a function node we format these into the required payload:

msg.payload = {
  "identifier": msg.did,
  "password": msg.appPassword
};

return msg;

We then pass this to an http request node with the following values set:

Method = POST
URL = https://bsky.social/xrpc/com.atproto.server.createSession
Headers = Content-Type: application/json

And finally have this node output to a json node to parse the response into the payload for us to make use of in the next stage.

Building the post message

This is where things get really complicated. The ATProto isn't as user-friendly as the Mastodon API. You can't just pass it a block of text and it'll handle it and turn it into a nicely processed status post. Instead, you need to send you text along with all the details of the hashtags, links, media and mentions that are contained in your post.

To be able to do this, we need a couple extra node modules to be made available to our Node-RED setup. In your Node-RED config directory make sure the following packages are also installed:

node-fetch
@atproto/api

Now, in out Format post function node we need to reference these two packages in our "Setup" tab:

Make sure both modules are made available to the function node

The function itself then looks something like this:

const getBlueskyAgent = async () => {
  const agent = new atproto.AtpAgent({
    service: "https://bsky.social",
  })

  await agent.login({
    identifier: msg.did,
    password: msg.appPassword,
  })

  return agent
}

const getUrlMetadata = async (url) => {
  const req = await fetch(`https://cardyb.bsky.app/v1/extract?url=${url}`)
  const metadata = await req.json()

  return metadata
}

const getBlueskyEmbedCard = async (url, agent) => {
  if (!url) return

  try {
    const metadata = await getUrlMetadata(url)
    const blob = await fetch(metadata.image.replaceAll('&', '%26')).then(r => r.blob())
    const { data } = await agent.uploadBlob(blob, { encoding: "image/jpeg" })

    return {
      $type: "app.bsky.embed.external",
      external: {
        uri: url,
        title: metadata.title,
        description: metadata.description,
        thumb: data.blob,
      },
    }
  } catch (error) {
    console.error("Error fetching embed card:", error)
    return
  }
}


const agent = await getBlueskyAgent()
const rt = new atproto.RichText({ text: msg.body })
await rt.detectFacets(agent)

let url = rt.facets.find(f => f.features && f.features.length && f.features[0].uri);
if (url) {
  url = url.features[0].uri
}

return {
  payload: {
    "collection": "app.bsky.feed.post",
    "repo": msg.did,
    "record": {
      "createdAt": (new Date),
      "$type": "app.bsky.feed.post",
      text: rt.text,
      facets: rt.facets,
      embed: await getBlueskyEmbedCard(url, agent),
    }
  },
  headers: {
    "Content-Type": "application/json",
    "Authorization": "Bearer " + msg.payload.accessJwt
  }
};

There's a lot going on here so I'm going to break it down...

First we have a function that generates a new Bluesky client for us to use to handle most of the actual work. We use our DID and app password as the login credentials to be able to perform any actions tat need authorisation.

const getBlueskyAgent = async () => {
  const agent = new atproto.AtpAgent({
    service: "https://bsky.social",
  })

  await agent.login({
    identifier: msg.did,
    password: msg.appPassword,
  })

  return agent
}

Next we have a couple helper functions to help with URL previews. First calls a service that generates metadata about an URL:

const getUrlMetadata = async (url) => {
  const req = await fetch(`https://cardyb.bsky.app/v1/extract?url=${url}`)
  const metadata = await req.json()

  return metadata
}

This returns something along the lines of the following:

{
  "error": "",
  "likely_type": "html",
  "url": "https://marcusnoble.co.uk/index.html",
  "title": "Blog",
  "description": "The blog of Marcus Noble, self-described tinkerer, platform engineer and all round average guy!",
  "image": "https://cardyb.bsky.app/v1/image?url=https%3A%2F%2Fopengraph.cluster.fun%2Fopengraph%2F%3FsiteTitle%3DMarcus%252BNoble%26title%3DBlog%26tags%3D%26image%3Dhttps%253A%252F%252Fmarcusnoble.co.uk%252Fimages%252Fmarcus.jpg%26bluesky%3D%2540averagemarcus.bsky.social%26fediverse%3D%2540marcus%2540k8s.social%26github%3DAverageMarcus%26website%3Dwww.MarcusNoble.co.uk%26bgColor%3D%2523ffffff%26fgColor%3D%2523263943"
}

This output is used in the next helper function to get our preview card details:

const getBlueskyEmbedCard = async (url, agent) => {
  if (!url) return

  try {
    const metadata = await getUrlMetadata(url)
    const blob = await fetch(metadata.image.replaceAll('&', '%26')).then(r => r.blob())
    const { data } = await agent.uploadBlob(blob, { encoding: "image/jpeg" })

    return {
      $type: "app.bsky.embed.external",
      external: {
        uri: url,
        title: metadata.title,
        description: metadata.description,
        thumb: data.blob,
      },
    }
  } catch (error) {
    console.error("Error fetching embed card:", error)
    return
  }
}

This builds an "embed" record for us to use with our post and will cause Bluesky clients to show a preview card of an URL contained in our post message.

With the helper functions defined we can start building our message. First off, we initialise a new client and parse our message body for any "facets". In the ATProto "facets" are things like hashtags, urls and mentions - the things that and up being links when rendered. We need to define these manually in our payload to the API so the @atproto/api module helps us generate these.

const agent = await getBlueskyAgent()
const rt = new atproto.RichText({ text: msg.body })
await rt.detectFacets(agent)

With the facets generated we then want to check if they contain any URLs and if so grab the first one found. We will use this to generate the preview card using our helper functions above.

let url = rt.facets.find(f => f.features && f.features.length && f.features[0].uri);
if (url) {
  url = url.features[0].uri
}

Finally we build our actual API payload. There's a few things going on here that I don't want to go into too much detail about but if you're interested then take a look at the Bluesky docs or the ATProto SDK docs.

return {
  payload: {
    "collection": "app.bsky.feed.post",
    "repo": msg.did,
    "record": {
      "createdAt": (new Date),
      "$type": "app.bsky.feed.post",
      text: rt.text,
      facets: rt.facets,
      embed: await getBlueskyEmbedCard(url, agent),
    }
  },
  headers: {
    "Content-Type": "application/json",
    "Authorization": "Bearer " + msg.payload.accessJwt
  }
};

The main thing to be aware of here is the "collection" of app.bsky.feed.post tells the API that this is a status post, the "repo" is our bot user and then the "record" contains our post text, the "facets" we generated with the @atproto/api module and an "embed" containing details of an URL preview card if an url was found in our message.

Finally, the Authorization header makes use of the accessjwt of the session we created in the previous stage.

With the message now, finally, build we can pass this on to an http request node that sends a POST request to https://bsky.social/xrpc/com.atproto.repo.createRecord and then finally sends the returned output to a debug node so we can check for errors.

Posting to LinkedIn

Reusable Subflow for posting a status update to LinkedIn

I actually wrote about this last week - Posting to LinkedIn via the API. The Node-RED implementation is just formatting the payload and then sending the HTTP request to the LinkedIn API.

let body = msg.body;
let urn = msg.urn;
let access_token = msg.access_token;

return {
  payload: {
    "author": "urn:li:person:"+urn,
    "lifecycleState": "PUBLISHED",
    "specificContent": {
      "com.linkedin.ugc.ShareContent": {
        "shareCommentary": {
          "text": body
        },
        "shareMediaCategory": "ARTICLE",
        "media": [
          {
            "status": "READY",
            "originalUrl": msg.link
          }
        ]
      }
    },
    "visibility": { "com.linkedin.ugc.MemberNetworkVisibility": "PUBLIC" }
  },
  url: `https://api.linkedin.com/v2/ugcPosts`,
  headers: {
    "Authorization": "Bearer " + access_token,
    "LinkedIn-Version": "202210",
    "X-Restli-Protocol-Version": "2.0.0"
  }
}

Twitter

It's dead. The API isn't accessible anymore. Move on.

✨ Bonus ✨ - Archiving to Wayback Machine

As several of my bots are triggered from new posts being created on either this blog or new newsletter posts on CloudNative.Now I realised I could leverage the same flow to also ensure that the Wayback Machine on Archive.org grabs a copy of the new page to cache it.

In addition to sending to the social media subflows I also send to a Wayback Machine subflow

The subflow to handle the Wayback Machine calls isn't too complex:

Subflow to cache page to Wayback Machine

The subflow splits the incoming call into two flows - one that caches the new page and another that re-caches the homepage as this is also updated with the new post included.

Formatting the URL for the new page is very simple, we just take the URL of the page from the incoming message and prepend the Wayback Machine URL - https://web.archive.org/save/:

return {
    url: `https://web.archive.org/save/${msg.payload.link[0]}`
};

This then output to an http request node that calls the Wayback Machine save URL with out new page URL that triggers it to create a new cached copy for us.

The homepage flow is slightly more work, we just need to grab the homepage link from the new post URL:

let link = msg.payload.link[0].replace('https://', '').split('/')[0]

return {
    url: `https://web.archive.org/save/https://${link}`
};

And then again pass this on to the http request node to trigger the cache process.

Wrap Up

Hopefully this is helpful to some of y'all. Even if you don't end up using Node-RED for your bots there should be enough info here on how to make use of the different APIs to help you along.

I'd love to hear about what bots y'all are making - let me know on Bluesky or Mastodon!

Posting to LinkedIn via the API

Sun, 02 Feb 2025 00:00:00 GMT

I have a habit of automating as much of my life as I can. As part of that I have some small automations that handle posting to social media automatically when I publish a new blog post. (More on this in a future post). In the past this was Twitter but that is dead so these days I post to my Mastodon and Bluesky accounts automatically whenever a new blog post is available on my website. Maybe that's how you ended up here today! One platform I had been avoiding for a long time was LinkedIn. I had the impression that they didn't have a free, personal API available for users to use to post status updates. Well, turns out I was mistaken and it's actually not too difficult to setup, there's just a LOT of outdated information out there. So lets fix this...

Creating a new App

I'm going to assume you already have a LinkedIn account, if not you will need to create one or this whole process is pretty pointless. 😅 Once logged in, head over to https://www.linkedin.com/developers/apps/new and fill out the details.

Note: For this you require a "company page" that the app will be associated with. You can create one easily enough that can just be used as a placeholder for the app.

Once your app is created the first thing you'll need to do is head to the "Settings" tab and follow the process to verify your app. Not sure why this isn't part of the app creation flow but whatever. 🤷

With your app verified you now need to enable the "products" you'll be using so switch to the Products tab. For sharing posts to our LinkedIn profile we're going to need to enable the following:

Share on LinkedIn
Sign In with LinkedIn using OpenID Connect

Finally, switch over to the "Auth" tab and scroll down to the "OAuth 2.0 scopes" section, you should hopefully be seeing something similar to the following:

Expected LinkedIn app scopes

Creating an Access Token

Now that we have an app created we need to generate a new access token to use when making API calls. Thankfully, this is now very simple as LinkedIn provide a tool to generate a token whereas previously users were required to run a server to handle callbacks, etc.

Navigate to https://www.linkedin.com/developers/tools/oauth/token-generator, select your app from the dropdown, check all the scopes available and click the "Request access token" button.

You will likely need to login again here but once done you should be presented with an access token that will expire in 2 months.

Keep this safe and DO NOT SHARE IT.

Using the API

Now that we have an access token we can finally make calls to the API!

First, lets get our own user profile details as we're going to need our URN to use when posting status updated.

curl --silent -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "https://api.linkedin.com/v2/userinfo"

{
    "sub": "XXXXXXX",
    "email_verified": true,
    "name": "☁️Marcus Noble",
    "locale": {
        "country": "US",
        "language": "en"
    },
    "given_name": "☁️Marcus",
    "family_name": "Noble",
    "email": "",
    "picture": ""
}

Replace the ${ACCES_TOKEN} with your newly generated token. The response you get back should look similar to the above JSON but obviously with your LinkedIn details. Make a note of the sub value as we'll be using this next.

To post a status update to your profile:

ACCESS_TOKEN="xxx"
URN="xxx"
POST_BODY="This is a test post"

curl -X POST \
  -H "LinkedIn-Version: 202210" \
  -H "X-Restli-Protocol-Version: 2.0.0" \
  -H "Authorization:  Bearer ${ACCESS_TOKEN}" \
  --data '{"author": "urn:li:person:'${URN}'","lifecycleState": "PUBLISHED","specificContent": {"com.linkedin.ugc.ShareContent": {"shareCommentary": {"text": "'${POST_BODY}'"},"shareMediaCategory": "NONE"}},"visibility": {"com.linkedin.ugc.MemberNetworkVisibility": "PUBLIC"}}' \
  "https://api.linkedin.com/v2/ugcPosts"

Fill in the environment variables with your appropriate values and run the curl command to post a new status update to your profile.

Note: If you include any " in your post body you will need to escape them or it will cause the JSON to be invalid.

For full details on what is available when sharing to LinkedIn check out the official documentation.

Announcing Cloud Native Now

Tue, 14 Jan 2025 00:00:00 GMT

Changelog

Bootstrapping a Civo cluster with OpenTofu and Flux

Fri, 03 Jan 2025 00:00:00 GMT

As part of a side project I'm currently working on I needed to spin up a new Kubernetes cluster that I could manage via GitOps. I decided to take this opportunity to take a look at OpenTofu and see how it handles as it's been several years now since I last used Terraform. My plan was to use OpenTofu to scaffold a fairly basic Civo Kubernetes cluster and then use Flux to handle installing workloads into the cluster. It took me a little trial-and-error so I thought I'd write up my final setup to help others avoid the issues and to help my future self when I come to do this again in a couple years!

If you'd rather skip this blog post and just see the final result you can find all the code in the repo bootstrap-civo-cluster-blog-post-example.

Pre-Requisites

For the purposes of this post the following are assumed:

You have an account with Civo (if not, you can sign up now and get $250 credit to play with)
You have your Civo API Token set as the CIVO_TOKEN environment variable in your terminal
You have the OpenTofu CLI installed
You have a GitHub repo created to contain all your GitOps source (this can be private, if you prefer)
A GitHub personal access token

Repo Structure

First we'll setup our repo file structure so that we have the directories we need for all of our different GitOps resources.

From the root of your new repo:

mkdir -p {apps,flux,infra}

You should end up with something like the following:

📂 .
├── 📂 apps
├── 📂 flux
├── 📂 infra

Infrastructure

The first thing we'll want to do is get our infrastructure setup using OpenTofu. All our infra code will live within our new infra directory so lets go ahead and create the files we'll be working with:

cd infra
touch main.tf # This is our main file containing our resources
touch providers.tf # This contains the config for the providers we will be using
touch variables.tf # This will describe any input variables we plan to use
touch output.tf # This contains all the output variables we will generate from our new infrastructure

With our new project ready lets setup start setting up the providers we will be using. For this we will be making use of two providers: Civo and Flux. In our providers.tf lets define each of these providers (along with their current versions at time of writing this).

terraform {
  required_providers {
    civo = {
      source  = "civo/civo"
      version = ">= 1.1.3"
    }
    flux = {
      source  = "fluxcd/flux"
      version = ">= 1.2"
    }
  }
}

We also need to configure each of the providers with various details. For now we're just going to add placeholders as they will reference some resources we haven't yet created so we'll come back to fill these in later. For now, add the following placeholders to the bottom of your providers.tf file:

provider "civo" {
}

provider "flux" {
}

With our providers defined we can now initialize our project and have the providers downloaded so we can start working.

tofu init

Once this is done you'll notice some new files have been created in our infra directory:

📂 .
├── 📂 .terraform
│  └── 📂 providers
├── 📄 .terraform.lock.hcl
├── 📄 main.tf
├── 📄 output.tf
├── 📄 providers.tf
└── 📄 variables.tf

The .terraform.lock.hcl is our dependency lock file that we will want to commit into git but the .terraform file contains the downloaded providers and ideally we would leave that out of our repo and generate it as needed. So lets take a moment to create a .gitignore in the root our of repo to ensure we are only going to commit the files we care about.

**/.terraform/*
*.tfstate
*.tfstate.*
*.tfvars
*.tfvars.json
.terraform.tfstate.lock.info
.terraformrc
terraform.rc

Great! Now lets start creating some infrastructure!

Let's move over to our main.tf where we're going to define three resources - a Civo Network, a Civo Firewall and a Civo Kubernetes Cluster. In all of my examples, I will be using the imaginative name of example so replace it with whatever makes sense for you.

resource "civo_network" "example" {
  label = "example-network"
}

resource "civo_firewall" "example" {
  name                 = "example-firewall"
  create_default_rules = true
  network_id           = civo_network.example.id
}

resource "civo_kubernetes_cluster" "example" {
  name        = "ExampleCluster"

  firewall_id = civo_firewall.example.id
  network_id  = civo_network.example.id

  cluster_type       = "k3s"
  kubernetes_version = "1.30.5-k3s1"
  cni                = "flannel"

  write_kubeconfig = true

  pools {
    size       = "g4s.kube.small"
    node_count = 2
  }

  # This allows us to make use of cluster autoscaler.
  # If you don't plan to use cluster autoscaler you can remove this `lifecycle` block.
  lifecycle {
    ignore_changes = [
      pools["node_count"],
    ]
  }
}

It's looking good so far but before we attempt to create our infra we need to specify which Civo region we'll be using. Rather than specifying this on every resource we can configure it on our Civo provider which will then apply to all resources it creates if not set.

To make things more configurable, let's create a variable that we can use to set the region at runtime. In our variables.tf lets add a new region variable and give it a default value so we don't always need to provide it:

variable "region" {
  description = "The region to create all our Civo resources in"
  type        = string
  default     = "LON1"
}

With this in place we can return back to our providers.tf and set the region on our Civo provider by updating the civo placeholder we added earlier:

provider "civo" {
  region = var.region
}

We're now at a point where we could create some infrastructure. Lets first confirm everything is looking good by running tofu plan to get an overview of what will be created. You should see something similar to the following:

✨ tofu plan

OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

OpenTofu will perform the following actions:

  # civo_firewall.example will be created
  + resource "civo_firewall" "example" {
      + create_default_rules = true
      + id                   = (known after apply)
      + name                 = "example-firewall"
      + network_id           = (known after apply)
      + region               = (known after apply)
    }

  # civo_kubernetes_cluster.example will be created
  + resource "civo_kubernetes_cluster" "example" {
      + api_endpoint           = (known after apply)
      + cluster_type           = "k3s"
      + cni                    = "flannel"
      + created_at             = (known after apply)
      + dns_entry              = (known after apply)
      + firewall_id            = (known after apply)
      + id                     = (known after apply)
      + installed_applications = (known after apply)
      + kubeconfig             = (sensitive value)
      + kubernetes_version     = "1.30.5-k3s1"
      + master_ip              = (known after apply)
      + name                   = "ExampleCluster"
      + network_id             = (known after apply)
      + num_target_nodes       = (known after apply)
      + ready                  = (known after apply)
      + region                 = (known after apply)
      + status                 = (known after apply)
      + target_nodes_size      = (known after apply)
      + write_kubeconfig       = true

      + pools {
          + instance_names      = (known after apply)
          + label               = (known after apply)
          + node_count          = 2
          + public_ip_node_pool = (known after apply)
          + size                = "g4s.kube.small"
        }
    }

  # civo_network.example will be created
  + resource "civo_network" "example" {
      + cidr_v4        = (known after apply)
      + default        = (known after apply)
      + id             = (known after apply)
      + label          = "example-network"
      + name           = (known after apply)
      + nameservers_v4 = (known after apply)
      + region         = (known after apply)
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Looking good! But, before we go ahead and apply this there's one more thing we should do first - define some outputs!

We would need at least a couple output values defined so we can access the new cluster. Lets create some outputs that report the cluster name, it's API endpoint and the KubeConfig file we can use to access it with kubectl. We'll define these in our outputs.tf file:

output "kubernetes_name" {
  value       = civo_kubernetes_cluster.example.name
  description = "The name of the Kubernetes cluster"
}

output "kubernetes_api_endpoint" {
  value       = civo_kubernetes_cluster.example.api_endpoint
  description = "The API endpoint of the Kubernetes cluster"
}

output "kubernetes_kubeconfig" {
  value       = civo_kubernetes_cluster.example.kubeconfig
  description = "The KubeConfig for the Kubernetes cluster"
  sensitive   = true
}

Note that for the kubernetes_kubeconfig we've set sensitive = true. This will prevent the contents from being printed out into any logs and leaking our credentials but will still be saved into the state so be careful.

Ok, I think we are ready to create some infra! You can choose to skip this and apply everything together at the end but if you want to check that things are working as expected you can run tofu apply and then follow the instructions output.

If all goes well you should see OpenTofu creating the new Civo Kubernetes cluster.

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

You may notice that a new file has also been created - terraform.tfstate. Assuming you correctly created the .gitignore earlier this file should be ignored by git and not committed into our repo as it will contain sensitive values!

Now is a good time to commit in your changes so far before moving on to the next section!

Installing Flux

Now that we have a Kubernetes cluster created we can now have Flux installed into it to handle our GitOps'd workloads.

Go back to our providers.tf where we'll configure our Flux provider to make use of our new Kubernetes cluster. For this we are going to reference output values from our Civo Kubernetes Cluster and make use of two built in OpenTofu functions - yamldecode and base64encode.

provider "flux" {
  kubernetes = {
    host = civo_kubernetes_cluster.example.api_endpoint

    client_certificate = base64decode(
      yamldecode(civo_kubernetes_cluster.example.kubeconfig).users[0].user.client-certificate-data
    )
    client_key = base64decode(
      yamldecode(civo_kubernetes_cluster.example.kubeconfig).users[0].user.client-key-data
    )
    cluster_ca_certificate = base64decode(
      yamldecode(civo_kubernetes_cluster.example.kubeconfig).clusters[0].cluster.certificate-authority-data
    )
  }
}

As you can see above, we're making use of the api_endpoint output value for the host and we're using the kubeconfig output value with our two functions to parse the specific values we need from the yaml file and then encode them into base64 for use by Flux.

Flux also needs a git repo configured that it will use for all it's gitops source. To make this dynamic, lets define some variables in our variables.tf that we can use to configure this at runtime. We're going to add three new variables - one will be to pass in a GitHub Token and the other two will define the repo.

variable "github_token" {
  description = "GitHub token"
  sensitive   = true
  type        = string
  default     = ""
}

variable "github_org" {
  description = "GitHub organization"
  type        = string
  default     = "AverageMarcus"
}

variable "github_repository" {
  description = "GitHub repository"
  type        = string
  default     = "bootstrap-civo-cluster-blog-post-example"
}

Here you can see I've set default values that point to the example code repo for this blog post.

Now, lets go back to our Flux provider config and add the git config, using our variables:

provider "flux" {
  kubernetes = {
    host = civo_kubernetes_cluster.example.api_endpoint

    client_certificate = base64decode(
      yamldecode(civo_kubernetes_cluster.example.kubeconfig).users[0].user.client-certificate-data
    )
    client_key = base64decode(
      yamldecode(civo_kubernetes_cluster.example.kubeconfig).users[0].user.client-key-data
    )
    cluster_ca_certificate = base64decode(
      yamldecode(civo_kubernetes_cluster.example.kubeconfig).clusters[0].cluster.certificate-authority-data
    )
  }

  git = {
    url = "https://github.com/${var.github_org}/${var.github_repository}.git"
    http = {
      username = "git"
      password = var.github_token
    }
  }
}

Great! We're almost there! The last thing we need to set up Flux is define a flux_bootstrap_git resource. Back in our main.tf add the following to the bottom:

resource "flux_bootstrap_git" "example" {
  embedded_manifests = true

  # This is the path within our repo where Flux will watch by default
  path               = "flux"
}

Now, let's install Flux!

Before we do so, this is a good place to commit and push your latest changes before Flux adds files into your repo.

We're going to run apply again but this time we need to pass in our GitHub personal access token so that it has access to write to our repo.

tofu apply -var="github_token=${GITHUB_TOKEN}"

Once done you should see a new directory created in your repo on GitHub containing the flux files - flux/flux-system. Let's pull these down into our local copy before we continue - git pull.

Confirming Our Cluster Is Setup

Now that we've got our Civo infrastructure created and Flux setup and installed I think it might be a good time to take a look in our cluster and confirm everything looks as we expect.

We can extract our cluster's KubeConfig by grabbing it from our outputs:

tofu output -raw kubernetes_kubeconfig > ~/.kube/civo-example.yaml
export KUBECONFIG=~/.kube/civo-example.yaml

With our new KubeConfig set, lets take a little look at our cluster, feel free to skip over this section if you are happy with your cluster running.

✨ kubectl get nodes
NAME                                                  STATUS   ROLES    AGE   VERSION
k3s-examplecluster-94d9-fc72b3-node-pool-910d-4znod   Ready       23m   v1.30.5+k3s1
k3s-examplecluster-94d9-fc72b3-node-pool-910d-esen4   Ready       23m   v1.30.5+k3s1

✨ kubectl get namespaces
NAME              STATUS   AGE
default           Active   24m
flux-system       Active   6m29s
kube-node-lease   Active   24m
kube-public       Active   24m
kube-system       Active   24m

✨ kubectl get gitrepo --all-namespaces
NAMESPACE     NAME          URL                                                                             AGE     READY   STATUS
flux-system   flux-system   https://github.com/AverageMarcus/bootstrap-civo-cluster-blog-post-example.git   6m57s   True    stored artifact for revision 'main@sha1:d1f3a4272b26ebc97b2698dd59dbbc4f462485fa'

✨ kubectl get kustomizations --all-namespaces
NAMESPACE     NAME          AGE     READY   STATUS
flux-system   flux-system   6m46s   True    Applied revision: main@sha1:d1f3a4272b26ebc97b2698dd59dbbc4f462485fa

Installing Workloads

What's the point of having a cluster setup if we don't install anything on it? Finally, we're going to define some workloads in our git repo and have Flux automatically pick them up and install them into our cluster for us.

First thing we're going to do is define a new Kustomization that will point to our apps directory in our cluster. Create a new file at flux/apps.yaml with the following contents:

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 5m0s
  path: ./apps
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

This will create a new Kustomization in our cluster that will use the already-existing flux-system GitRepository that is pointing to our GitHub repo.

Before we commit that, lets first add an application into our /apps directory for it to pick up. For our example, we're going to install ingress-nginx as a Helm chart. Create the file apps/ingress-nginx.yaml with the following:

apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: nginx
  namespace: default
spec:
  url: https://kubernetes.github.io/ingress-nginx
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: nginx
  namespace: default
spec:
  interval: 5m
  targetNamespace: kube-system
  chart:
    spec:
      chart: ingress-nginx
      version: "4.11.3"
      sourceRef:
        kind: HelmRepository
        name: nginx
        namespace: default
  values: {}

This will create two new resources in our cluster - a HelmRepository and a HelmRelease. These two together will install ingress-nginx into our cluster with the version 4.11.3 and the default values for the chart. If you want to provide any values, you can do so now.

Commit those changes and push them up to GitHub.

It may take a few minutes but eventually Flux will pick up the new resources and start processing them. You can watch for the changes with the following:

kubectl get kustomizations --all-namespaces --watch

Once the Kustomization is there and showing as ready we can then check for ingress-nginx being installed:

✨ kubectl get pods --namespace kube-system
NAME                                                          READY   STATUS    RESTARTS        AGE
civo-ccm-7967db4cfc-md7jg                                     1/1     Running   2 (6m49s ago)   38m
civo-csi-controller-0                                         4/4     Running   0               38m
civo-csi-node-b29h9                                           2/2     Running   0               38m
civo-csi-node-h9b8p                                           2/2     Running   0               38m
coredns-7b98449c4-t5zz4                                       1/1     Running   0               38m
kube-system-nginx-ingress-nginx-controller-7ff945b767-tc5fz   1/1     Running   0               72s

🎉

There's our app, managed by GitOps with Flux, running in our Civo cluster created as Infrastructure as Code with OpenTofu!

Wrapping Up

We've now got a cluster setup that we can easily install and manage workloads via git. From here you can add more applications under the apps directory and they will be automatically picked up and processed by Flux.

Want to take things further?

How about setting up Renovate to handle automatic version upgrades?
Maybe you need more infra for your workloads - how about a Database or an Object Store?
What about using Remote State and leveraging GitHub Actions to automatically apply changes in the infra directory?

These are out of scope for this post but if I get the time they may feature in a future post. 😉

Hopefully this is helpful for someone! I'd love to hear how you get on and any feedback you have, let me know on Mastodon at @Marcus@k8s.social or Bluesky at @averagemarcus.bsky.social!

My Recommended Kubernetes Resources for Newbies

Mon, 24 Jun 2024 00:00:00 GMT

Changelog

My First EMF Camp

Fri, 07 Jun 2024 00:00:00 GMT

Last weekend I finally went to my first ever EMF Camp after wanting to go for 4+ years now. I had a thoroughly good time while I was there and wanted to share my experience to encourage others to go in the future.

What is it?

For those that don't know, the event is described as "Electromagnetic Field is a non-profit camping festival for those with an inquisitive mind or an interest in making things". What this basically means is it's a multi-day camping festival for nerds of all kinds! The event takes places from Thursday to Monday (if you want to stay that long) in a large deer park in Eastnor in a lovely part of the UK. Throughout the long weekend you will be able to attend talks and workshops on a large range of diverse and interesting topics, dance and party the night away at a couple different music areas, play some fun and geeky games around the site and marvel at the creativity and imagination of the other attendees and their installations.

The event is 100% run by volunteers and a lot of love and effort goes into making it successful for everyone. All attendees are encouraged to volunteer for a shift helping out at various things around the site from bar shifts to infrastructure support.

The run-up

As this was my first time I was quite anxious in the run up to it as I'm not really one for camping or for festivals but I was very excited that several people I knew were also going, including several old friends from my JSOxford days! 💙

Mini JSOxford reunion!

I was also helping Sam Machin with some of the phone infrastructure for the event by setting up and configuring a Kubernetes cluster that ran on-site and handled almost all of the applications that allowed the various telephone networks to work and be built on top of. As I'm sure you can imagine, I really enjoyed helping out with this and already have a bunch of ideas on how to make it better and more reliable for the next event! We did have to deal with a couple bugs during the weekend but for the most part it went well! 😅

On-site

The main thing you'll notice while walking around the site is that there is no shortage of interesting things to look at or interact with. Some of the things are organised by the event and others are just cool things that people have brought along with them for the enjoyment of others.

Some highlights include...

A light up van with controlable lights from a web app!

Blacksmithing!

Lasers!!!

A musical Tesla coil

Duck Hunt! With LASERS!

... plus many more cool, interesting and striaght up weird and wonderful things.

One thing EMF Camp has that you likely won't see at many other festivals is a very impressive amount of network infrastructure that serves the whole site. Almost the entire site is covered in WiFi backed by a 40Gb fibre connection to the internet (into the middle of a field!!! 🤯) that is useable by all attendees. The site is also covered in an impressive network of phone systems operated by the POC (Phones Operations Centre) that includes DECT coverage on the whole site, the ability to use SIP clients, a plain old telephone service and a 2G GSM network. It was also possible for attendees to build apps using the phone network that other attendees can then use over the weekend. Along with all of this was a fantastic network of electric hookup points across the site for all to use that ended up leading to my most millennial camping experience..

Breakfast was easy with an AirFryer

While talking about food it's worth noting that the food and drink options on site were amazing. There was several fantastic food stalls open most of the time and there was two bars available to get drinks from.

This was so delicious I had to get it again the next day!

While I didn't get to see as many talk as I might have liked (the seats weren't very comfortable) I did manage to get to see some of my wonderful friends speak!

Jo Franchetti - Is everything difficult, or is it just me?

Terence Eden - Lessons learned Open Sourcing the UK's Covid Tracing App

I also managed to catch a showing of "An Evening Of Unnecessary Detail" which I very much enjoyed.

An Evening Of Unnecessary Detail

Things I think could be improved

On the whole everything I experienced was great! There's only some very minor annoyances that I'd like to see improved next time around.

While the toilets on site were quite nice (besides the fetilizer ones that grossed me out) I found them quite tight to squeeze into. Not a big deal compared to camping I've done in the past though.

There was a "night market" on site where some vendors were set up selling some funky, geeky crafts. I loved this idea but the room they were in was so small and crowded that I couldn't handle being in there for very long at all. It was a shame as I'd have liked to have chatted with some of the vendors while I was there.

As a non-(alcoholic)-drinker I would have liked to have seen more non-alcoholic options available in the bars. The selection they had was perfectly fine, it just would have been nice to have some 0% beers or similar.

The programmable badges had issues. This was kinda to be expected as they were brand new and very ambitious but it was still frustrating not really being able to use them right away. I'm looking forward to re-using mine in 2026 when I'm sure the software will be rock solid!

Not something for the event itself to improve on but something for me next time - I'd like to take part more in the various activities around the site. I was taking things steady this year as I didn't want to get overwhelemd by everything but I do now wish I took part in the Clippy Murder Mystery or the capture the flag style game with the badges. There's so much going on all over the site that you're bound to miss out on something you wish you'd managed to do.

Summary

If it wasn't obvious by now I had a fantastic weekened at EMF Camp and will certainly be attending the next one in 2026 if possible. I hope to see even more of my friends (new and old) there so we can hang out and nerd out on all the cool experiences that EMF Camp has on offer.

Custom Renovate datasource

Wed, 04 Oct 2023 00:00:00 GMT

I'm quite a fan of Renovate for automating my dependancy updates. I've been using it quite extensively - at Giant Swarm, with my personal infrastructure and with k8s.social - to keep things up-to-date in the various Kubernetes clusters I manage. This has been working great for container images and Helm charts, with both being managed via GitOps and Renovate automating the version updates via PRs, but I have now found myself wanting to automate the updating of the Kubernetes version for my Civo cluster. Renovate doesn't have built in support for this but we can make it work with the use of custom datasources!

Before we dig in to the Renovate configuration, lets take a look at what exactly we're trying to achieve...

The Goal

All of the infrastructure for k8s.social is managed in git and available on GitHub. The Civo Kubernetes cluster is managed using Pulumi, using Go, and applied from a GitHub Action. The Kubernetes version is included in the main.go file:

k8SCluster, err := civo.NewKubernetesCluster(ctx, "k8sCluster", &civo.KubernetesClusterArgs{
    Name:       pulumi.String("k8s.social"),
    KubernetesVersion: pulumi.String("1.27.1-k3s1"),
})
if err != nil {
    return err
}

(Lines removed for clarity)

So as you can see above, we're currently using the version 1.27.1-k3s1 but I'm aware that 1.28.2-k3s1 is now available to use. Rather than me having to update that value myself each time a new release is published (and to prevent me forgetting) lets have Renovate update that string for us automatically when it detects a new version.

Getting the versions

The first thing we need, before we can even start on the Renovate configuration, is some way of getting a list of available versions. As Renovate supports using a JSON file from an URL (spoiler!) it would be best if we have an API we could call to get the versions.

As it turns out, Civo does have an API you can call to get a list of versions. Unfortunately, this requires you to be authenticated when calling it and I'd rather not provide Renovate with my API token just to get a list of available versions.

Instead I put together a very quick API app, civo-versions, that calls the Civo API with authentication and returns the versions as a JSON object. If y'all want to make use of it yourself it is available at https://civo-versions.cluster.fun/. (Different endpoints are available for different filtering, take a look at the README.md for more info).

Creating the custom datasource in Renovate

ℹ️ Note: As I write this, Renovate is currently in the process of renaming / migrating the regexManagers to be customManagers (see PR). This made the documentation currently quite confusing and hard to follow as things aren't quite completed yet. For the purpose of this post I shall be using the old regexManagers which should still work for a while as there is a migration step built in to Renvoate to convert it to the new customManagers.

Now that we have somewhere that lists the available versions we can configure renovate!

For this to work we'll be making use of two properties in the Renovate configuration: customDatasources and regexManagers.

{
    "customDatasources": {

    },
    "regexManagers": [

    ]
}

According to the documentation the resulting JSON must match the following format (with the version being the only required field):

{
  "releases": [
    {
      "version": "v1.0.0",
      "isDeprecated": true,
      "releaseTimestamp": "2022-12-24T18:21Z",
      "changelogUrl": "https://github.com/demo-org/demo/blob/main/CHANGELOG.md#v0710",
      "sourceUrl": "https://github.com/demo-org/demo",
      "sourceDirectory": "monorepo/folder"
    }
  ],
  "sourceUrl": "https://github.com/demo-org/demo",
  "sourceDirectory": "monorepo/folder",
  "changelogUrl": "https://github.com/demo-org/demo/blob/main/CHANGELOG.md",
  "homepage": "https://demo.org"
}

While Renovate does have capabilities to perform transformations on the JSON is retrieves I decided to make things easier and have civo-versions return the JSON in a compatible format to start with. Because of this, our customDatasources will look quite sparse:

{
  "customDatasources": {
    "civo-k3s": {
      "defaultRegistryUrlTemplate": "https://civo-versions.cluster.fun/k3s/"
    }
  }
}

Here we're giving our custom datasource the name of civo-k3s and the defaultRegistryUrlTemplate points to the URL where we can get a list of the current k3s versions available from Civo. If our returned JSON wasn't already in the required format we could use transformTemplates to perform some manipulation of the data - see the documentation for more details if needed.

Now that we have our new custom datasource we can make use of it just like we would with the built in datasources.

We'll be using the regex manager to parse main.go and extract the line that contains our Kubernetes version string, then we'll then use our new custom datasource to replace the version if a newer one is found.

{
  "customDatasources": {
    "civo-k3s": {
      "defaultRegistryUrlTemplate": "https://civo-versions.cluster.fun/k3s/"
    }
  },
  "regexManagers": [
    {
      "fileMatch": ["main.go"],
      "matchStrings": ["KubernetesVersion: pulumi.String\\(\"(?\\S+)-k3s1\"\\)"],
      "datasourceTemplate": "custom.civo-k3s",
      "depNameTemplate": "civo-k3s",
      "extractVersionTemplate": "^(?.*)-k3s1$"
    }
  ]
}

In the above you can see the following:

fileMatch tells Renovate which files we want to try and replace versions within.
matchStrings is a list of regex strings to match on. The (?\\S+) capture group is used to extract the current version number that Renovate will replace.
datasourceTemplate is the name of the datasource we want to use for this manager. For custom datasources it is the name we defined prefixed with custom..
depNameTemplate is the name to use for the dependancy. This will be used in the PR title / body for example.
extractVersionTemplate is a regex string to perform on the new version.

Putting it all together

With all this in place and committed into git we should now have Renoate creating PRs to bump our Kubernetes version. 🎉

Renovate very quickly opened this PR as soon as the new configuration was pushed

Bonus

To make the use of this Civo version datasource easier for others I've added it to my renovate-config repo that contains reusable Renovate configuration presets.

My Civo preset contains multiple datasources covering both k3s and Talos cluster types as well as limiting the versions just to stable releases. To make use of the presets, add the following to your Renovate configs extends property:

github>averagemarcus/renovate-config:civo

Resources

Migrating Redis data within Kubernetes

Mon, 04 Sep 2023 00:00:00 GMT

I’ve recently been seeing some stability issues with Redis that I have running for the k8s.social Mastodon instances. After looking into it I realised that I had it configured in a master/replica architecture but I wasn’t actually making any use of the replicas as Mastodon was configured to do everything via the master. There’s two things wrong with this - firstly I’m wasting resources by having the replicas running but more importantly I created a single point of failure. When the Redis master went down, so did Mastodon.

Not good!

To improve on this situation I decided to switch to making use of Redis Sentinel to take advantage of its failover capabilities. I wanted to keep the same configuration for everything else so I was sure it would behave the same with Mastodon. This mainly meant I wanted to keep a single endpoint that Mastodon connected to Redis with and that Redis was configured with persistence in Append Only File (AOF) mode.

In most situations where I’ve used Redis it’s been as a caching layer so to switch to a new setup all I would need to do is point my app at the new endpoint. Mastodon, however, makes use of persistence in Redis and uses it as a data store for various things including users home feeds. So I needed to migrate across the existing data.

Migration Steps

After hours of trial and error I finally got a set of steps to follow that allowed me to migrate the data safely with only a small windows of time where I missed out on new updates from the live server. This was acceptable for me in this instance but might not always be suitable so please keep that in mind.

Before you plan to follow these steps yourself, please make sure you also take a look at the Gotchas below!

Assumptions

You are using the Redis Helm chart by Bitnami
You’re Redis instance is running in a Kubernetes cluster and it has enough resources available to run another instance alongside
You have Redis configured in master/replica mode with Append Only File persistence.
Your current Redis instance is deployed into the redis namespace.
Your data is in the Redis database 1

Not all of these are required to follow these steps (I wasn’t actually using the Helm charts) but it helps to establish some common groundwork.

Steps

Setup Redis Sentinel alongside old setup (ideally in a new namespace) with the following configuration changes:

1. `appendonly` config set to `no` (we’ll change this later)
2. Replicas set to `1`

Once new PVC has been created and Redis has started scale down Redis Sentinel’s StatefulSet replicas to 0
On old Redis master, snapshot the current state:

1. `kubectl exec -n redis -it redis-master-0 -- bash`
2. `redis-cli -a ${REDIS_PASSWORD} -n 1 SAVE`

On your local machine copy backup: kubectl cp redis/redis-master-0:/data/dump.rdb ./dump.rdb

Launch a temporary pod that mounts the new PVC to upload dump into:

kubectl run --namespace redis-sentinel -i --rm --tty temp --overrides='
  {
      "apiVersion": "v1",
      "kind": "Pod",
      "metadata": {
          "name": "temp"
      },
      "spec": {
          "containers": [{
             "command": [
                  "tail",
                  "-f",
                  "/dev/null"
             ],
             "image": "bitnami/minideb",
             "name": "mycontainer",
             "volumeMounts": [{
                 "mountPath": "/mnt",
                 "name": "redisdata"
              }]
          }],
          "restartPolicy": "Never",
          "volumes": [{
              "name": "redisdata",
              "persistentVolumeClaim": {
                  "claimName": "redis-data-redis-node-0"
              }
          }]
      }
  }' --image="bitnami/minideb"

On your local machine upload backup to the temporary pod:

1. `kubectl cp ./dump.rdb redis-sentinel/temp:/mnt/dump.rdb`

Delete the temporary pod (kubectl delete pod -n redis-sentinel temp) and restore the Redis Sentinel’s StatefulSet to 1 replica
Once the new Redis Sentinel is running, instruct it to switch to appendonly:

1. `kubectl exec -n redis-sentinel -it redis-node-0 -- bash`
2. `redis-cli -a $REDIS_PASSWORD -n 1 bgrewriteaof`

(👆 This step seemed to be missing from all the backup/restore guides I found for Redis and was required to continue making use of the Append Only File.)

Update the Redis Sentinel’s config to set appendonly back to yes
Restart the Redis Sentinel pod
Once Redis is up and running scale the StatefulSet back up to 3 (or however many replicas you plan to run)
Deploy redis-sentinel-proxy to act as a single entrypoint to Redis that points to the current leader. (You can take a look at my configuration if you’re not sure how it needs to be set up)
Update your applications to point to the new redis-sentinel-proxy Service.

Gotchas

CoreDNS Changes

Redis Sentinel makes use of a headless Kubernetes service to discover and connect to the Redis replicas. For this to work correctly, CoreDNS must be configured with endpoint_pod_names within the kubernetes block (see the CoreDNS documentation for more info). This allows pods to be resolved by hostnames such as redis-node-0.Redis-headless.redis.svc instead of 1-2-3-4.redis-headless.redis.svc.

If the endpoint_pod_names properly already exists in your CoreDNS config you don’t need to do anything but it wasn’t default in my cluster.

Example:

kubernetes cluster.local in-addr.arpa ip6.arpa {
    pods insecure
    endpoint_pod_names
    fallthrough in-addr.arpa ip6.arpa
}

Re-enabling `appendonly`

It turns out that simply re-enabling appendonly yes and performing a server restart will lead to all your previous data (in the dump.rdb) being ignored and Redis starting fresh with the Append Only File mode.

To get around this issue you must first inform Redis that you are enabling appendonly by performing redis-cli -a $REDIS_PASSWORD -n 1 bgrewriteaof.

This wasn’t mentioned in any of the backup / restore instructions I found for Redis until I came across “Migrating to AOF from RDB with Redis” by Laurent. I went through two attempts where I lost the data before I realised this was needed so I’m very thankful for discovering this post!

No write endpoint

it turns out that Redis Sentinel, and more specifically the Bitnami Hem chart, doesn’t have a service specifically for the leader instance. This means if you attempt to use the redis.redis-sentinel.svc Service for both reads and writes you’ll eventually receive an error telling you that Redis is in read only mode as the service load balances across all the pods, not just the leader. Instead you’re expected to have your app query Sentinel to request the endpoint of the current leader. This was a problem for me as I couldn’t make changes to Mastodon to support this. Instead I deployed redis-sentinel-proxy that acts as a small proxy to the current write-capable pod and updates as it fails over to a new pod.

There is now a slight concern that this has become the single point of failure. The proxy is fairly lightweight and launches quickly so I’m pretty confident that if errors do occur a replacement will be available quickly. I’ve made sure it is running with at least 2 replicas with a pod anti-affinity to hopefully avoid node failures taking it down.

Migration window

I didn’t set up any replication from the old Redis to the new, instead I was making use of a snapshot from the old and restoring it into the new. Because of this there was a small window of time where new data was being created in the old Redis that wouldn’t be available in the new as I was in the process of switching over. For my purposes this was acceptable and I scheduled the move during a period of time I know saw less activity but I know this approach wont be suitable for all situations.

To minimize this window I worked with only a single Redis Sentinel replica during the migration and I set sentinel.getMasterTimeout to a very small value to ensure that first pod came up quickly so I could move traffic over. Just remember to put that timeout back up once you’re done!

The scripts in the Helm chart didn’t work correctly

It’s entirely possible I did something wrong here but the prestop scripts within the Bitnami chart didn’t work correctly and weren’t actually triggering the failover on shutdown. I only discovered this while I was testing out redis-sentinel-proxy and noticed there was a couple minutes where it was still attempting to connect to the old leader that had shutdown.

From what I could tell, the main thing missing was the prestop script for the Sentinel container didn’t trigger the failover command. In the end I decided not to use the Helm chart but instead use it to generate manifests to use directly. You can see the scripts I use on GitHub.

Summary

In the end, after a few hours of trial and error, the actual migration process was fairly smooth. I think I had a migration window of about a minute or less where new data was lost.

I was pretty annoyed that none of the backup / restore guides I came across actually handled the AOF issues. They all stated that it needed disabling at the start to generate the dump.rdb but there was then no mention about it for the resulting Redis instance upon restoring. Hopefully this post will help someone else avoid that issue in the future.

I found the Bitnami Helm chart to be a pain to work with. It has so many different configurations it was hard to know for sure what the result would be, plus the above issue about the scripts not working. I feel better having used it as a base and generating the yaml manifests to then further work with.

My only outstanding concern now is the redis-sentinel-proxy being a single point of failure. It’s only a small concern though, it has been running smoothly for the past few days now and it’s configured to be resilient enough to handle failures but I’ll be keeping an eye on this going forward.

If you’ve found this useful, or found issues with it, I’d love to hear! You can find me on Mastodon at @marcus@k8s.social.

Resources & References

Managing Kubernetes without losing your cool

Mon, 04 Jul 2022 00:00:00 GMT

Changelog

Restricting cluster-admin Permissions

Thu, 20 Jan 2022 00:00:00 GMT

If you've managed multi-user / multi-tenant Kubernetes clusters then there's a good chance you've come across RBAC (Role-Based Access Control). RBAC provides a strong method of providing permissions to users, groups or service accounts withing a cluster. These permissions can either be cluster-wide, with ClusterRole, or namespace scoped, with Role. Roles can be combined together to build up all the rules stating what the associated entity is allowed to perform. These rules are additive, starting from a base of no permissions to do anything, building up what is allowed to be performed and there's no syntax to take away a permission that is granted by another rule.

Generally, and by default, operators of the cluster are assigned to the cluster-admin ClusterRole. This gives the user access and permission to do all operations on all resources in the cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

There's very good reason for this, an admin generally needs to be able to setup and manage the cluster, including the ability to define and assign roles. But what if we need to block an action performed by cluster admins? We can't do it with RBAC, it only allows for adding of permissions, not taking them away.

Well, recently at Giant Swarm we had an issue in one of our CLIs used by cluster admins that incorrectly deleted more resources than intended. This was causing issues authenticating with the cluster and we needed to get a fix in place fast. The problem was we had no control over when people would update their CLI even once we'd released the fix.

We couldn't hot-fix this by updating RBAC rules as we couldn't subtract the specific permission, but what we could do was leverage an admission controller to block the request to the API.

At Giant Swarm we're pretty big users of Kyverno (which deploys an admission controller) and use it for a lot of validation and defaulting of resources in all our clusters. Not only can Kyverno validate and block based on a resource's values but it can also validate the operation being performed, and by who.

With this functionality available we were able to deploy a cluster policy that would block cluster-admin (and anyone else) from performing the specific delete all action that was causing us issues.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-bulk-certconfigs-delete
  annotations:
    policies.kyverno.io/title: Block bulk certconfig deletes
    policies.kyverno.io/subject: CertConfigs
    policies.kyverno.io/description: >-
      A bug in an old kubectl-gs version causes all certconfigs to
      be deleted on performing a login, this policy blocks that
      action while still allowing the single delete.
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: block-bulk-certconfigs-delete
    match:
      any:
      - resources:
          kinds:
          - CertConfig
    preconditions:
      any:
      - key: ""
        operator: Equals
        value: ""
    validate:
      message: "Your current kubectl-gs version contains a critical bug, please update to the latest version using `kubectl gs selfupdate`"
      deny:
        conditions:
        - key: ""
          operator: In
          value:
          - DELETE

There's a few things going on here so I'm going to explain each bit individually.

First up we specify the Kind of resource we want this policy to apply to, in our case that's CertConfig but it can be anything within the cluster. It's also possible to target specific groups and API versions if needed.

match:
    any:
    - resources:
        kinds:
        - CertConfig

Next up we're setting a precondition that allows us to do some filtering based on the details of the request. In this instance we're only interested in requests that don't have a name specified (this is the case when operating on a list of resources rather than a single resource) which allows us to target only those "delete all" requests.

preconditions:
    any:
    - key: ""
    operator: Equals
    value: ""

Finally we have the actual validation rule. We're specifying a deny rule that'll block requests (matching the previous match and preconditions) with the DELETE operation. We're also able to define a message that'll be returned to the client as the reason for why the admission controller rejected the request. We're using this to inform users about the bug and encouraging them to upgrade.

validate:
    message: "Your current kubectl-gs version contains a critical bug, please update to the latest version using `kubectl gs selfupdate`"
    deny:
    conditions:
    - key: ""
        operator: In
        value:
        - DELETE

With this single policy deployed to our clusters we've been able to block the bug in our CLI, even when the user performing the action has cluster-admin level permissions.

Other Use Cases

While we needed this to work around a bug in our client there are other situations where this approach could be useful.

A policy that prevents deletion of any resource that has a do-not-delete: "true" annotation on it to prevent accidental deletion of critical resources (such as persisten volumes or secrets).
A policy that prevents fetching the details of secrets in a specific namespace while still allowing in every other namespace (including those that may not yet exist).
A policy that blocks deletes, updates or patches from everyone except a specific user that can be used to prevent others "cleaning up" resources that you may be trying to debug.

So, if you haven't already, I recommend taking a look at Kyverno and especially taking a look at the example Policies that they have for an idea of what can be done.

My Recommended Go Resources

Thu, 02 Sep 2021 00:00:00 GMT

I was recently asked by a collegue at work if there are any resource I recommend with getting familiar with Go. It turned into quite a list so I thought i'd share it with everyone (and hopefully keep updating it) in the hopes that others will find it useful.

📚 Books

My favourite book for learning Go is - ✨ The Go Programming Language ✨ by Alan A. A. Donovan & Brian W. Kernighan. This was the book I used to pick Go up in the first place. If you already have previous programming experience it's quite a nice book to first read about the specifics of the go language then flip through as needed to the various topics (such as Goroutines) that you might not know about.

Some 🆓 books I've seen recommended:

Go With The Domain by Three Dots Labs
Go Design Patterns by Mario Castro Contreras (Free with trial)

I've also got the following books but haven't yet had a chance to read any of them so can't comment on their usefulness just yet:

Let's Go by Alex Edwards
Let's Go Further by Alex Edwards
Ultimate Go Notebook by Ardan Labs

There's also Everyday Golang by Alex Ellis which I haven't had a chance to pick up yet but if it's anything like Alex's other writing it'll be a great resource!

🧰 Tools and Libraries

In terms of useful resources, tools and libraries I use a lot:

The Go Playground is a fantastic tool for learning and experimenting.
Fiber - My favourite web server framework. Very similar to the Express framework available for NodeJS.
Viper - Config management (env vars, config files, cli flags).
Cobra - Framework for building amazing CLI tools.
Afero - Filesystem framework (very useful for tests).
ZeroLog - Very useful logging framework. Support log levels, metadata attributes and different log output styles.
GORM - ORM database library with official support for MySQL, PostgreSQL, SQLite and SQL Server.

🔗 Websites / Blog Posts

Awesome Go - List of all things Go.
Embedding Static Files in Golang - Embedding static files into a Go binary.
Go Recipes - a collection of handy Go commands you can run to help with things like module updates.
Multi-arch Dockerfile - Example multi-stage Dockerfile for building tiny, multi-arch container images for Go applications.
Go Weekly Newsletter - A fantastic weekly newsletter on all things Go (RSS feed also available).
Writing Unit Tests - Writing Go unit tests.

🧑‍💻 Suggested by others

https://github.com/quii/learn-go-with-tests - Learn Go with TDD.
https://gobyexample.com/ - Common program examples.
https://changelog.com/gotime - Good podcast on the Go community.
My friend Michael Cade has shared his Journey To Learning Golang that has some great tips included!

If anyone has any other resources they recommend I'd love to hear about them and update this list. Please feel free to reach out to me on Twitter at @Marcus_Noble_.

Migrating from Docker to Podman

Wed, 01 Sep 2021 00:00:00 GMT

Changelog

Job hunting / hiring during a pandemic

Tue, 10 Aug 2021 00:00:00 GMT

Changelog

Multicloud Kubernetes

Sun, 08 Aug 2021 00:00:00 GMT

Changelog

T.I.L. CLI flag handling in Bash using getopts

Wed, 04 Aug 2021 19:49:37 GMT

I'm not sure how I've never come across this before but while looking through the Scaleway Kosmos multi-cloud init script I dicovered the getopts utility.

getopts makes it easier to parse arguments passed to a shell script by defining which letters your script supports. It supports both boolean and string style arguments but only supports single letter flags. (e.g. -h and not --help)

Example usage:

#!/bin/bash

NAME="World"
FORCE=false

showHelp() {
    echo "Usage: example.sh [args]"
    exit 0
}

while getopts 'hfn:' FLAG
do
  case $FLAG in
    h) showHelp ;;
    f) FORCE=true ;;
    n) NAME=$OPTARG ;;
    *) echo "Unsupported argument flag passed" ;;
  esac
done

echo "Hello, $NAME"

Notice the : following the n? That indicates that a value should follow the argument flag (n in this example) and will be made available as the OPTARG variable.

T.I.L. YAML keys allow for spaces in them

Tue, 11 May 2021 00:00:00 GMT

While browsing through some of Frenck's Home Assistant Config for ideas I came across this interesting line of YAML:

---
# This handles the loading of my automations
#
# https://www.home-assistant.io/docs/automation/
#
automation: !include ../automations.yaml
automation split: !include_dir_list ../automations    # <--

I found myself staring at this for a while, followed by searching the Home Assistant documentation website to see if split was a special keyword I wasn't aware of.

And then it dawned on me! As all JSON is valid YAML, and JSON keys can be pretty much any string it makes sense that YAML supports it.

The above example converted to JSON using yq looks like this:

// yq config.yaml -o json
{
  "automation": "../automations.yaml",
  "automation split": "../automations"
}

Knowing this, I decided to try out a few more variations to see what works...

YAML:

---
123: Valid
---: also valid
5.5: yup! this too
#how about this?: nope, this is treated as a comment
//: yeah, totally valid
✨: yep!
[1]: Works
[1, 2]: Still works, treated as string
{another}: This one is interesting

JSON:

{
  "123": "Valid",
  "---": "also valid",
  "5.5": "yup! this too",
  "//": "yeah, totally valid",
  "✨": "yep!",
  "[1]": "Works",
  "[1, 2]": "Still works, treated as string",
  "{\"another\"=>nil}": "This one is interesting"
}

Depending on the library used, varying results can be generated. For example, yamlonline (update: website no longer online) returns the following for the same input:

{
	"1": "Works",
	"123": "Valid",
	"---": "also valid",
	"5.5": "yup! this too",
	"//": "yeah, totally valid",
	"✨": "yep!",
	"1,2": "Still works, treated as string",
	"[object Object]": "This one is interesting"
}

T.I.L. Kubernetes label length

Tue, 20 Apr 2021 14:10:37 GMT

It turns out that label values in Kubernetes have a limit of 63 characters!

I discovered this today when none of my nodes seemed to be connecting to the control plane. Eventually discovered the hostname of the node was longer than 63 characters (mainly due to multiple subdomain levels) and so the kubernetes.io/hostname label being automtically added to the node was causing Kubernetes to reject it.

If you hit this like me, the hostname used for the label can be overridden using the --hostname-override flag on kubelet or by setting the value of the label yourself with the --node-labels flag.

T.I.L. How to get the favicon of any site

Tue, 10 Nov 2020 08:49:37 GMT

If you ever find yourself needing to display a small icon for a 3rd party URL but don't want to have to crawl the site to pull out the favicon URL then you can make use of a Google CDN:

https://s2.googleusercontent.com/s2/favicons?domain_url=https://marcusnoble.co.uk/

Example:

You can even provide any page, not just the root URL.

e.g. https://s2.googleusercontent.com/s2/favicons?domain_url=https://marcusnoble.co.uk/2020-11-10-t-i-l-how-to-get-the-favicon-of-any-site/

Marcus Noble

Investigating and fixing "StopPodSandbox from runtime service failed" Kubelet errors

A little context

Identifying the issue

Figuring out what was wrong

Cleaning things up

Preventing this happening again

This I learnt

My tips on giving technical talks

Building Social Media Bots With Node-RED

Intro to the bots

How this looks in Node-RED

1. Inject Node

2 & 3. Fetch RSS Feed

4. Check for updates

5. Split

6. Generate Post Message

7. Post to Platform

Posting to Mastodon

Posting to Bluesky

Creating an API session

Building the post message

Posting to LinkedIn

Twitter

✨ Bonus ✨ - Archiving to Wayback Machine

Wrap Up

Posting to LinkedIn via the API

Creating a new App

Creating an Access Token

Using the API

Announcing Cloud Native Now

Bootstrapping a Civo cluster with OpenTofu and Flux

Pre-Requisites

Repo Structure

Infrastructure

Installing Flux

Confirming Our Cluster Is Setup

Installing Workloads

Wrapping Up

My Recommended Kubernetes Resources for Newbies

My First EMF Camp

What is it?

The run-up

On-site

Things I think could be improved

Summary

Custom Renovate datasource

The Goal

Getting the versions

Creating the custom datasource in Renovate

Putting it all together

Bonus

Resources

Migrating Redis data within Kubernetes

Migration Steps

Assumptions

Steps

Gotchas

CoreDNS Changes

Re-enabling appendonly

No write endpoint

Migration window

The scripts in the Helm chart didn’t work correctly

Summary

Resources & References

Managing Kubernetes without losing your cool

Restricting cluster-admin Permissions

Other Use Cases

My Recommended Go Resources

📚 Books

🧰 Tools and Libraries

🔗 Websites / Blog Posts

🧑‍💻 Suggested by others

Migrating from Docker to Podman

Job hunting / hiring during a pandemic

Multicloud Kubernetes

T.I.L. CLI flag handling in Bash using getopts

T.I.L. YAML keys allow for spaces in them

T.I.L. Kubernetes label length

T.I.L. How to get the favicon of any site

Re-enabling `appendonly`