I have a test service registered with Consul with the following service definition:
{
"name": "web",
"tags": ["web1"],
"address": "example.com",
"meta": {
"meta": "cluster",
"acl": "host_test",
"cluster": "test_cluster"
},
"port": 8000
}
And I want to load that information into HAProxy config using consul-template. I can get the address and port as instructed in the documentation:
{{ range service "web" }}{{if in .Tags "web1"}}
server {{.Node}} {{ .Address }}:{{.Port}} cookie A check
{{ end }}{{end}}
But I can't seem to get the meta information. I thought I could access that using something like this within the service range:
{{range .Meta}}
{{.}}{{end}}
Any idea how I can get acl or cluster out of meta?
In order to use key:value pairs from the Meta map you need to use index. Additionally, the Meta map on a service is referred to as .ServiceMeta.
So for example to get the value of the key acl in Meta you would use:
{{index .ServiceMeta "acl"}}
I want to view the details of an IAM Role and see how many instances it is attached to, using CloudShell or the CLI. Which commands should I use? Please give an example.
Let's assume I have an IAM Role TestRole; I want to know how many EC2 instances TestRole is attached to.
You can use aws ec2 describe-iam-instance-profile-associations.
It lists Amazon EC2 instances and their associated IAM Roles (the relationship is known as an Instance Profile).
Documentation: describe-instances — AWS CLI Command Reference
Example output:
{
"IamInstanceProfileAssociations": [
{
"AssociationId": "iip-assoc-0c406f0e0208b90e6",
"InstanceId": "i-1234abcd",
"IamInstanceProfile": {
"Arn": "arn:aws:iam::<Account>:instance-profile/role1",
"Id": "AIPAxxx"
},
"State": "associated"
},
{
"AssociationId": "iip-assoc-035f9e94b2bb6f283",
"InstanceId": "i-abcd1234",
"IamInstanceProfile": {
"Arn": "arn:aws:iam::<Account>:instance-profile/role2",
"Id": "AIPAxxx"
},
"State": "associated"
}
]
}
I would recommend using this command to list all associations, and then check the IamInstanceProfile to determine whether it is using the IAM Role of interest.
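An added example, not part of the original answer: one way to do the check the answer recommends, in Python. It assumes the instance profile names for the role have already been looked up (for instance with `aws iam list-instance-profiles-for-role --role-name TestRole`), since a profile's name need not match the role's; `profile_name`, `instances_for_profiles`, the set of states counted as attached and the sample data are constructed for illustration.

```python
# Constructed sample shaped like `aws ec2 describe-iam-instance-profile-associations`
# output; the account ID, instance IDs and profile names are made up.
SAMPLE = {"IamInstanceProfileAssociations": [
    {"InstanceId": "i-0a1b", "State": "associated", "IamInstanceProfile": {
        "Arn": "arn:aws:iam::111122223333:instance-profile/TestRole"}},
    {"InstanceId": "i-0c2d", "State": "associated", "IamInstanceProfile": {
        "Arn": "arn:aws:iam::111122223333:instance-profile/role2"}},
    {"InstanceId": "i-0e3f", "State": "associating", "IamInstanceProfile": {
        "Arn": "arn:aws:iam::111122223333:instance-profile/app/TestRole"}},
    {"InstanceId": "i-0f4a", "State": "disassociating", "IamInstanceProfile": {
        "Arn": "arn:aws:iam::111122223333:instance-profile/TestRole"}},
]}

# Association states this example counts as "attached" (an assumption; adjust as needed).
ACTIVE_STATES = frozenset({"associating", "associated"})


def profile_name(arn):
    """Return the instance profile name from its ARN, dropping any IAM path."""
    parts = arn.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"not an ARN: {arn!r}")
    kind, _, rest = parts[5].partition("/")   # "instance-profile/<path/>name"
    if kind != "instance-profile" or not rest:
        raise ValueError(f"not an instance profile ARN: {arn!r}")
    return rest.rsplit("/", 1)[-1]


def instances_for_profiles(associations, profile_names, states=ACTIVE_STATES):
    """Map each wanted profile name to the sorted instance IDs attached to it."""
    hits = {name: [] for name in profile_names}
    for assoc in associations.get("IamInstanceProfileAssociations", []):
        if assoc.get("State") not in states:
            continue  # skip associations that are being or have been removed
        name = profile_name(assoc["IamInstanceProfile"]["Arn"])
        if name in hits:
            hits[name].append(assoc["InstanceId"])
    return {name: sorted(ids) for name, ids in hits.items()}


if __name__ == "__main__":
    for name, ids in instances_for_profiles(SAMPLE, ["TestRole"]).items():
        print(f"{name}: {len(ids)} instance(s): {', '.join(ids)}")
```

Matching on the profile name rather than the whole ARN keeps profiles created under an IAM path from being missed.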
I have a bound Postgres service to my spring application in CF (Cloud foundry)
The VCAPS env available is as follows:
"postgresql": [
{
"binding_name": null,
"credentials": {
"dbname": "JDusZ6EpE1ixbTKS",
"end_points": [
{
"host": "10.11.241.2",
"network_id": "SF",
"port": "46371"
}
],
"hostname": "10.11.241.2",
"password": "SuVzOf2m5L5oNYSG",
"port": "46371",
"ports": {
"5432/tcp": "46371"
},
"uri": "postgres://eyv6avf27X9Z55Gx:SuVzOf2m5L5oNYSG@10.11.241.2:46371/JDusZ6EpE1ixbTKS",
"username": "eyv6avf27X9Z55Gx"
},
"instance_name": "mypostgres",
"label": "postgresql",
"name": "mypostgres",
"plan": "v9.6-dev",
"provider": null,
"syslog_drain_url": null,
"tags": [
"postgresql",
"relational"
],
"volume_mounts": []
}
],
I need to modify the value of the uri to also include the current schema. I guess it needs to be:
"uri": "postgres://eyv6avf27X9Z55Gx:SuVzOf2m5L5oNYSG@10.11.241.2:46371/JDusZ6EpE1ixbTKS?currentSchema=mycurrentschema"
Is this possible to do? And if not, what is the best practice for assigning the current schema for a Spring app?
Thanks in advance
You have a few options.
You can talk to your service provider, the operator of the service broker from which you are obtaining your service. The service broker is the one that sets the credentials, so you could ask them to include the schema by default.
You can create a service key with cf create-service-key. The service key is like a service binding, but free floating so it's not attached to your app. It just exists as long as the service key exists. You can then create a user provided service, with cf cups and manually set whatever credentials or uri you require for your app. The downside of this approach is that you have to do a little more work to manage the service information.
You can read the current uri into your application and modify it before creating your DataSource. This is not particularly easy if you are using Spring Cloud Connectors because it handles creating the DataSource for you. I would not recommend using SCC.
Instead you can do this with the Spring Boot CloudFoundryVcapEnvironmentPostProcessor and property place holders. See the referenced Javadoc for how that works.
The other option is to use java-cfenv. That provides you with an easy way to obtain credentials information, like the URL, and use that to create your own DataSource, which allows you to make slight modifications to things like the URL, if necessary.
Hope that helps!
Currently AWS AppSync provides an option to add test context to test your resolver to make sure everything is correct. However, because I am using API Key for authentication, I'm not sure of a way to set this in the request mapping template so that the test context can run and I can test the validity of my API (especially since this is the only auth that doesn't have an identity section in the test context)? Can anyone help?
You are correct in the fact that API Key Authorization mode does not populate the identity, even when you are calling your API from a client.
However, you can still add an identity object in your test context. To do this, you need to:
Get the authorization mode you will be using in the future (IAM, Cognito, OIDC).
Find the fields that authorization mode provides in the ctx.identity. You can find that here: Resolver Context Reference
Add those fields to your test context. For example, IAM test context might look like this:
{
"identity": {
"accountId": "my aws account",
"cognitoIdentityPoolId": "string",
"cognitoIdentityId": "string",
"sourceIp": ["string"],
"username": "string",
"userArn": "string"
},
"arguments": {},
"source": {
"lambda": "Hello, world!",
"testCtx": "Hello, world!"
},
"result": "Hello, world!"
}
The request mapping template could look like this:
{
"account": "$ctx.identity.accountId"
}
and the evaluated request mapping template would look like this when your test context is run:
{
"account": "my aws account"
}
Note: You may also just want to switch your API to the authorization mode you plan on using, and then try queries as a logged-in user.
I am registering an external service in Consul through the Catalog API http://127.0.0.1:8500/v1/catalog/register with a payload as follows:
{
"Datacenter": "dc1",
"Node": "pedram",
"Address": "www.google.com",
"Service": {
"ID": "google",
"Service": "google",
"Address": "www.google.com",
"Port": 80
},
"Check": {
"Node": "pedram",
"CheckID": "service:google",
"Status": "passing",
"ServiceID": "google",
"script": "curl www.google.com > /dev/null 2>&1",
"interval": "10s"
}
}
The external service registers successfully and I see it in the list of registered services, but after a while it disappears. It seems that it got unregistered automatically.
I am running Consul in -dev mode.
What's the problem?
I found that I should register external services in a separate node. My application's local services are getting registered in a node named
"Node": "pedram"
When I register external services in this node, they get removed automatically.
But when I register my external services in a new node, all the new external services are registered durably and are ready to be used like all other local services.
My new payload is as follows:
{
"Datacenter": "dc1",
"Node": "newNode",
"Address": "www.google.com",
"Service": {
"ID": "google",
"Service": "google",
"Address": "www.google.com",
"Port": 80
},
"Check": {
"Node": "newNode",
"CheckID": "service:google",
"Status": "passing",
"ServiceID": "google"
}
}
This is expected behavior. From the Consul Anti-Entropy docs:
If any services or checks exist in the catalog that the agent is not aware of, they will be automatically removed to make the catalog reflect the proper set of services and health information for that agent. Consul treats the state of the agent as authoritative; if there are any differences between the agent and catalog view, the agent-local view will always be used.
In your settings, the agent on the host 'pedram' wasn't aware of the service registration, so the anti-entropy strategy removes the service.
You shouldn't be using -dev mode, except for testing/playing around. For your health check, I'd recommend not using a "script": "curl www.google.com > /dev/null 2>&1",
Instead I'd recommend using a http health check:
"http": "https://www.google.com",
More about health checks is available here: https://www.consul.io/docs/agent/checks.html
Also, you should probably move to HTTPS (on port 443) if you can.
It also might help to save this as a .json file and let Consul read it as part of its startup, as I'm guessing you want this to be a long-running external service. You can do that with a command like:
/usr/local/bin/consul agent -config-dir=/etc/consul/consul.d
and every .json file in /etc/consul/consul.d/ will be read as part of its config. If you change the files, consul reload will restart.
I'd make those changes (not run in dev mode, etc.) and see if the problem still exists. I'm guessing it won't.
When creating an unmanaged instance group through GCP Console, I can see the REST request as:
POST https://www.googleapis.com/compute/v1/projects/my-project/zones/us-east1-d/instanceGroups
{
"name": "ig-web",
"network": "https://www.googleapis.com/compute/v1/projects/my-project/global/networks/nomad-network",
"namedPorts": [
{
"name": "http",
"port": 11080
}
]
}
However, according to the API docs and client library generated code, one has no way to set the network URL.
Anyone care to clarify?
It's actually a documentation bug. The following will work:
op, err := gce.service.InstanceGroups.Insert(projectID, zone, &compute.InstanceGroup{
Name: name,
NamedPorts: namedPorts,
Network: networkURL}).Do()