mitzen

Time to get excited again   https://www.youtube.com/watch?v=1u5LtsJqyrA&list=PLj6h78yzYM2N8nw1YcqqKveySH6_0VnI0

To install dapr in a kubernetes environment  dapr init -k Then fire up the dashboard using  dapr dashboard -k

If you try to install kubevela on k1.29, you would get error. The reason for this is kubevela is only supported in v1.19 to v1.26.  https://github.com/kubevela/kubevela/issues/6497 I have tried using vela cli and helm approach - it is still failing for me.  Currently, the issue above is open and hopefully get fixed at some point.  

 https://catalog.workshops.aws/cfn101/en-US/basics

 Client secret rotation is disabled by default but you can turn it on with the following command:- docker run --name mykeycloak -v c:\work\keycloak\conf:/opt/keycloak/conf -p 5000:8080 -e KEYCLOAK_ADMIN=admin -e KC_METRICS_ENABLED=true -e  KC_FEATURES= client-secret-rotation  -e KC_HEALTH_ENABLED=true -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak start-dev -cache-config-file=cache.xml Next is about configuring your keycloak. Goto Realm Settings -> Client Policies -> Profile.  Everything you need to do will be in this page. So we will  1. Create profile (Profiles tab) 2. Create policies (Policies tab)  Now that we have our bearing right, go ahead create a Profile by clicking on "Create client profile" and that brings you to a new page. Provide a name and click "Save". Next you will see a screen below - click on "Add Executor". Then choose "secret-rotation" Configure your secret rotation configuration and then click 'Save'

 This error often comes up and if you google it, you will hit this page. https://azure.github.io/azure-workload-identity/docs/troubleshooting.html#aadsts90061-request-to-external-oidc-endpoint-failed To give an idea what the error message means, " the OIDC issuer endpoint is not exposed to the internet or is inaccessible "" - This simply means Microsoft Azure AD is trying to hit the endpoint you've provided in the issuer section.  So it is not just a static value that you provided in your federated credential and provided the necessary field in your JWT.  The endpoint will be access and jwks key checked against the token you have provided.  SERVICE_ACCOUNT_ISSUER - is the issuer endpoint you specified/provided in your JWT. This must be publicly accessible along with the following endpoint curl ${SERVICE_ACCOUNT_ISSUER} /.well-known/openid-configuration curl ${SERVICE_ACCOUNT_ISSUER} /openid/v1/jwks

  Goto your service bus -> Workbook -> Select the request tab -> You can see server errors, throttling without doing much clicking.  

 You can terraform your client and their configurations. please check out  https://github.com/auth0/terraform-provider-auth0?tab=readme-ov-file

Goto Dashboard -> User -> Select your the user and under Devices ->  Unlink the token tied to your client 

  It is quite common to exchange for a new set of token with new expiry times in an oauth application. You typically need the following setup as shown here. Before you can do this, you must have logged in gotten your 1st set of access token / refresh token - and it has scope to offline_access. Then in the POST endpoint below (first red rectangle) - provide your token endpoint.  Then provide the setup shown below:  You should get a new sets of token  I guess altho client in auth0 are protected with a secret - I can get away without providing client_secret.  Altho for the record, i did setup the client as a SPA application which is an open client and can't hold password.  If you prefer the curl  curl --location 'YOUR-TOKEN-ENDPOINT' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --header 'Authorization: Bearer YOUR-ACCESS-TOKEN' \ --header 'Cookie: did=s%3Av0%3A699f7290-f0b8-11ee-b580-9d803a0bd79c.3XA2ahamJPcJWt7b35fbqtFq%2FqoXEKWSHGigUkAug

  To get your refresh_token from auth0 - we need just need to provide a offline_access scope for react sdk as shown in the code below:- import { Auth0Provider } from '@auth0/auth0-react' ; const root = ReactDOM . createRoot (   document . getElementById ( 'root' ) as HTMLElement   );   root . render (     < React.StrictMode >         < Auth0Provider         domain = "your-domain.auth0.com"         clientId = "your-client-id"         authorizationParams = { {           redirect_uri : window . location . origin ,           audience : "https://your-api-identifier" ,           scope : "offline_access"         } }         >           < App />         </ Auth0Provider >     </ React.StrictMode >     ); Right after you login, you would be able to see refresh token being provided in your jwt. From this point onwards you can exchange that for a fresh new set of access token to keep you logged in. Fr

Bump into an issue where we found out outgoing port for postgres 5432 are forwarded to a k8s external name service.  It wasn't clear to us as this service resides in another namespace. To troubleshoot, how istio do the routing I use  istioctl ps listerners <pod-name> -n your-nanespace  Sure enough detected that: 0.0.0.0    ALL  5432 ---> External-serviceName.Other-Namespace.svc.kubernetes.local  So how do you ensure istio route these to the right postgres instance in Azure or AWS, You need a serviceEntry .  apiVersion : networking.istio.io/v1beta1 kind : ServiceEntry metadata :   name : external-svc-postgres   namespace : my-namespace spec :   hosts :   - mypostgress.database.azure.com   exportTo :   - "."   # Ensure this is not available to other namespace.   location : MESH_EXTERNAL   ports :   - number : 5432     name : mypostgres     protocol : TCP   resolution : DNS