Develop Reference

k3s gitlab ci-cd issue with default service account

I am trying to deploy a simple angular app on k3s have installed GitLab-runner have GitLab service with a Role as a cluster-admin and it is supposed to be able to run all but I can't get it to deploy :
rules:
- apiGroups:
- ""
resources:
- '*'
verbs:
- '*'
I also tried specifically adding the verb 'apps' - no change in behavior
from server for: "deployment.yaml": deployments.apps "gitlab-master" is forbidden: User "system:serviceaccount:gitlab-managed-apps:default" cannot get resource "deployments" in API group "apps" in the namespace "gitlab-managed-apps"

So far the only solution is to use the SA with privileges as Gitlab-admin...

Cube.js timing out in serverless environment

I've been following the guide on https://cube.dev/docs/deployment#express-with-basic-passport-authentication to deploy Cube.js to Lambda. I got it working against an Athena db such that the /meta endpoint works successfully and returns schemas.
When trying to query Athena data in Lambda however, all requests are resulting in 504 Gateway Timeouts. Checking the CloudWatch logs I see one consistent error:
/bin/sh: hostname: command not found
Any idea what this could be?
Here's my server.yml:
service: tw-cubejs
provider:
name: aws
runtime: nodejs12.x
iamRoleStatements:
- Effect: "Allow"
Action:
- "sns:*"
# Athena permissions
- "athena:*"
- "s3:*"
- "glue:*"
Resource:
- "*"
# When you uncomment vpc please make sure lambda has access to internet: https://medium.com/#philippholly/aws-lambda-enable-outgoing-internet-access-within-vpc-8dd250e11e12
vpc:
securityGroupIds:
# Your DB and Redis security groups here
- ########
subnetIds:
# Put here subnet with access to your DB, Redis and internet. For internet access 0.0.0.0/0 should be routed through NAT only for this subnet!
- ########
- ########
- ########
- ########
environment:
CUBEJS_AWS_KEY: ########
CUBEJS_AWS_SECRET: ########
CUBEJS_AWS_REGION: ########
CUBEJS_DB_TYPE: athena
CUBEJS_AWS_S3_OUTPUT_LOCATION: ########
CUBEJS_JDBC_DRIVER: athena
REDIS_URL: ########
CUBEJS_API_SECRET: ########
CUBEJS_APP: "${self:service.name}-${self:provider.stage}"
NODE_ENV: production
AWS_ACCOUNT_ID:
Fn::Join:
- ""
- - Ref: "AWS::AccountId"
functions:
cubejs:
handler: cube.api
timeout: 30
events:
- http:
path: /
method: GET
- http:
path: /{proxy+}
method: ANY
cubejsProcess:
handler: cube.process
timeout: 630
events:
- sns: "${self:service.name}-${self:provider.stage}-process"
plugins:
- serverless-express

Even this hostname error message is in logs however it isn't an issue cause.
Most probably you experiencing issue described here.
#cubejs-backend/serverless uses internet connection to access messaging API as well as Redis inside VPC for managing queue and cache.
One of those doesn't work in your environment.
Such timeouts usually mean that there's a problem with internet connection or with Redis connection. If it's Redis you'll usually see timeouts after 5 minutes or so in both cubejs and cubejsProcess functions. If it's internet connection you will never see any logs of query processing in cubejsProcess function.

Check the version of cube.js you are using, according to the changelog this issue should have been fixed in 0.10.59.
It's most likely down to a dependency of cube.js assuming that all environments where it will run will be able to run the hostname shell command (looks like it's using node-machine-id.

lambda#edge cloudfront resource creation

I'm a little lost here, I'm trying to deploy a simple function that uses Lambda#edge but I having some problems creating the Cloudfront resource and attaching that CF to the lambda function.
Here is an example of the serverless.yml
service: some-service
plugins:
- serverless-pseudo-parameters
provider:
name: aws
runtime: nodejs10.x
stage: ${env:STAGE}
region: us-east-1
resources:
- ${file(./resources.yml):resources}
functions:
- ${file(./lambda-at-edge/function.yml):functions}
The function definition:
functions:
lambda-at-edge-function:
description: Lambda at edge authentication
handler: serverless/index.handler
events:
- cloudFront:
eventType: viewer-response
origin: s3://some.s3.amazonaws.com/
One thing if I don't define the Cloudfront resources it's not created and If I define the resource and attach that to the serverless definition it's create the resource, but then I don' know how to attach that cloudfront to the function.
Edit:
So I'm deploying everithing with sls deploy, so my question now is how can I attach the funtion name to be used in LambdaFunctionAssociations from cloudfront distribution.

When using Lambda#edge you have to respect the limits.
Check them out here:
Requirements and Restrictions on Lambda Functions
This should work:
service: some-service
plugins:
- serverless-pseudo-parameters
provider:
name: aws
runtime: nodejs10.x
stage: ${env:STAGE}
region: us-east-1
memorySize: 128
timeout: 5
resources:
- ${file(./resources.yml):resources}
functions:
- ${file(./lambda-at-edge/function.yml):functions}

ElasticsearchClientException: Request failed to execute. Call: Status code 403 from: POST /index/

I am having a problem executing a lambda that makes calls to a public ES in the context of AWS. This lambda is executed by HTTP API Gateway events. Everything seems to indicate that it is a permissions issue of the lambda trying to access the ES but my serverless configuration seems valid:
service: my-service
provider:
name: aws
runtime: dotnetcore2.1
stage: ${opt:stage, "Development"}
region: ${opt:region, "us-east-1"}
iamRoleStatements:
- Effect: "Allow"
Action:
- "lambda:invokeFunction"
Resource: "*"
- Effect: "Allow"
Action:
- es:ESHttpPost
- es:ESHttpPut
- es:ESHTTPGet
Resource: "arn:aws:es:us-east-1:account:domain/domain-name/*"
environment:
ES_ENDPOINT: ${file(appsettings.${self:provider.stage}.json):ES_ENDPOINT}
STAGE: ${self:provider.stage}
REGION: ${self:provider.region}
apiKeys:
- myservice-api-key
package:
individually: true
functions:
myservice_api:
handler: com.myservice::com.myservice.LambdaEntryPoint::FunctionHandlerAsync
package:
artifact: bin/release/netcoreapp2.1/myservice.zip
events:
- http:
path: /{proxy+}
method: ANY
cors: true
private: true
The error that is logging me is the following:
Invalid NEST response built from a unsuccessful (403) low level call on POST
OriginalException: Elasticsearch.Net.ElasticsearchClientException: Request failed to execute. Call: Status code 403 from: POST /index/_search?typed_keys=true
Package Versions:
NEST 7.4.1

I finally solved the problem. The internal Exception I found was: "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.". I solved the issue by changing the version of Elasticsearch.Net.Aws from 6.0.0 to 7.0.4.

How to create a lambda permission for a custom websocket request authorizer with CloudFormation for API Gateway?

I've been trying to create a lambda permission for a websockets request authorizer for API Gateway and the $connect route. The AWS documenation mentions nothing about creating the proper lambda permission for a websocket authorizer. I keep getting a 500 error when I try to connect to my custom authorizer.
Since the AWS documenation (https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-lambda-auth.html) does not mention anything about this permission, I assume one would have to create a lambda permission just like a TOKEN authorizer.
The custom authorizer was created with my CloudFormation script as follows:
# ***************************************************************
# API Gateway Websocket Authorizer
# ***************************************************************
WebsocketAuthorizer:
Type: 'AWS::ApiGatewayV2::Authorizer'
DependsOn: Lambda
Properties:
Name: WebsocketAuthorizer
ApiId:
Fn::ImportValue:
!Sub ${Env}-${AWS::Region}-altosignal-global-websockets
AuthorizerType: REQUEST
AuthorizerCredentialsArn:
Fn::ImportValue:
!Sub ${Env}-${AWS::Region}-global-iamprocesscommandsfromapigateway-arn
AuthorizerUri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Lambda.Arn}/invocations
IdentitySource:
- route.request.querystring.token
When I create an authorizer manually using the console, I get this prompt at the end:
This manually created authorizer works once I hook it up with the $connect endpoint.
So, it is this permission I'm trying to set in my CloudFormation script. I have tried the following settings but it does not work. I keep getting a 500 error:
LambdaPermission:
Type: AWS::Lambda::Permission
DependsOn:
- Lambda
- WebsocketAuthorizer
Properties:
Action: lambda:*
FunctionName: !GetAtt Lambda.Arn
Principal: apigateway.amazonaws.com
SourceArn: !Sub
- arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${apiId}/${Env}/$connect
- apiId:
Fn::ImportValue:
!Sub ${Env}-${AWS::Region}-altosignal-global-websockets
Does anybody know the proper lambda permission settings for a custom authorizer for a websocket API Gateway $connect endpoint?

You definitely need a Lambda Permission. This is what I have for setting the permission and it works well. The only difference I can see here is that the SourceArn is not given. This will hopefully give you a place to start.
Permission:
Type: "AWS::Lambda::Permission"
DependsOn:
- "WebsocketApi"
Properties:
Action: "lambda:InvokeFunction"
FunctionName: !GetAtt Lambda.Arn
Principal:
Fn::Join:
- ""
- - "apigateway."
- Ref: "AWS::URLSuffix"

I am using samcli and have this as authorizer permission and this works for me.
AuthorizerFunctionPermission:
Type: AWS::Lambda::Permission
DependsOn:
- WebSocketApi
Properties:
Action: lambda:InvokeFunction
FunctionName: arn:aws:lambda:AWS_REGION:YOUR_ACCOUT_ID:function:AUTHORIZER_FUNCTION_NAME
Principal: apigateway.amazonaws.com
Just substitute AWS_REGION, YOUR_ACCOUNT_ID, and AUTHORIZER_FUNCTION_NAME