Is it possible to extend definition in CueLang - schema

Is it possible to extend Definition?
For example, let's say that we want to have a Connection definition like this
Connection :: {
    protocol: "tcp" | "udp"
    port: int
    host: string
}
And we also want to have SecureConnection that has everything that Connection has, but we would also like to add username and password. How to achieve this?
I can do it like this
Connection :: {
    protocol: "tcp" | "udp"
    port: int
    host: string
    ...
}
SecureConnection :: Connection & {
    username: string & >""
    password: string & >""
}
and it will work, but this also means that this is not closed. Because of the three dots in the Connection definition, we can add anything we want to the secure connection,
for example
tcp: SecureConnection & {
    protocol: "tcp"
    port: 8080
    host: "localhost"
    username: "guest"
    password: "guest"
    test: "testing"
    oneUnimportantVariable: "I am not important"
}
When I run cue export myfile.cue this will give me the following JSON
{
    "tcp": {
        "protocol": "tcp",
        "port": 8080,
        "host": "localhost",
        "username": "guest",
        "password": "guest",
        "test": "testing",
        "oneUnimportantVariable": "I am not important"
    }
}
So, how to extend the Connection definition and create a SecureConnection definition, and not be able to specify any variable that isn't specified in this definition?

You can use definition embedding as below
Connection :: {
    protocol: "tcp" | "udp"
    port: int
    host: string
}
SecureConnection :: {
    Connection
    username: string & >""
    password: string & >""
}

Related

Installing Rabbitmq using helm3 from bitnami throws chart.metadata is required

I am trying to install rabbitmq:8.6.1 from bitnami chart repository using terraform:0.12.18.
My helm version is 3.4.2
While installing, I am getting the following error
Error: validation: chart.metadata is required
My terraform file is as below
resource "kubernetes_secret" "rabbitmq_load_definition" {
  metadata {
    name      = "rabbitmq-load-definition"
    namespace = kubernetes_namespace.kylas_sales.metadata[0].name
  }
  type = "Opaque"
  data = {
    "load_definition.json" = jsonencode({
      "users": [
        {
          name: "sales",
          tags: "administrator",
          password: var.rabbitmq_password
        }
      ],
      "vhosts": [
        {
          name: "/"
        }
      ],
      "permissions": [
        {
          user: "sales",
          vhost: "/",
          configure: ".*",
          write: ".*",
          read: ".*"
        }
      ],
      "exchanges": [
        {
          name: "ex.iam",
          vhost: "/",
          type: "topic",
          durable: true,
          auto_delete: false,
          internal: false,
          arguments: {}
        }
      ]
    })
  }
}
resource "helm_release" "rabbitmq" {
  chart      = "rabbitmq"
  name       = "rabbitmq"
  version    = "8.6.1"
  timeout    = 600
  repository = "https://charts.bitnami.com/bitnami"
  namespace  = "sales"
  depends_on = [
    kubernetes_secret.rabbitmq_load_definition
  ]
}
After looking at issue (509) at terraform-provider-helm:
If your module/subdirectory name is the same as your chart name (in my case the directory name is rabbitmq and my helm_resource name is also rabbitmq), you get this error; I am still not able to identify why. With reference to,
Solution: I changed my directory name from rabbitmq to rabbitmq-resource and this error is gone.

ISTIO Ingress Gateway logs

We have set up Istio, and we are using ISTIO ingress gateway for inbound traffic. We have set up TLS for TCP port. Sample code can be found here.
We also enabled logs by following this ISTIO guide
We tested the TLS connection using openssl and it works fine.
However, when we try to connect from an application, the TLS negotiation fails. I have provided more details with wireshark here
We would like to get logs from ISTIO on the TLS negotiation ... and find why it fails.
Istio Gateway YAML
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: dremio-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true
    hosts:
    - testdomain.net
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: testdomain-credentials
    hosts:
    - testdomain.net
  - port:
      number: 31020
      name: odbc-dremio-tls
      protocol: tls
    tls:
      mode: SIMPLE
      minProtocolVersion: TLSV1_0
      maxProtocolVersion: TLSV1_3
      credentialName: testdomain-credentials
    hosts:
    - testdomain.net
Virtual Service
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: dremio
spec:
  hosts:
  - testdomain.net
  gateways:
  - dremio-gateway
  http:
  - match:
    - port: 443
    - port: 80
    route:
    - destination:
        host: dremio-client
        port:
          number: 9047
  tcp:
  - match:
    - port: 31020
    route:
    - destination:
        host: dremio-client
        port:
          number: 31010
Partial Config Dump
{
  "name": "0.0.0.0_31020",
  "active_state": {
    "version_info": "2020-07-21T12:11:49Z/9",
    "listener": {
      "@type": "type.googleapis.com/envoy.api.v2.Listener",
      "name": "0.0.0.0_31020",
      "address": {
        "socket_address": {
          "address": "0.0.0.0",
          "port_value": 31020
        }
      },
      "filter_chains": [
        {
          "filter_chain_match": {
            "server_names": [
              "testdomain.net"
            ]
          },
          "filters": [
            {
              "name": "istio.stats",
              "typed_config": {
                "@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
                "type_url": "type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm",
                "value": {
                  "config": {
                    "root_id": "stats_outbound",
                    "vm_config": {
                      "vm_id": "tcp_stats_outbound",
                      "runtime": "envoy.wasm.runtime.null",
                      "code": {
                        "local": {
                          "inline_string": "envoy.wasm.stats"
                        }
                      }
                    },
                    "configuration": "{\n \"debug\": \"false\",\n \"stat_prefix\": \"istio\"\n}\n"
                  }
                }
              }
            },
            {
              "name": "envoy.tcp_proxy",
              "typed_config": {
                "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy",
                "stat_prefix": "outbound|31010||dremio-client.dremio.svc.cluster.local",
                "cluster": "outbound|31010||dremio-client.dremio.svc.cluster.local",
                "access_log": [
                  {
                    "name": "envoy.file_access_log",
                    "typed_config": {
                      "@type": "type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog",
                      "path": "/dev/stdout",
                      "format": "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% \"%DYNAMIC_METADATA(istio.mixer:status)%\" \"%UPSTREAM_TRANSPORT_FAILURE_REASON%\" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%\n"
                    }
                  }
                ]
              }
            }
          ],
          "transport_socket": {
            "name": "envoy.transport_sockets.tls",
            "typed_config": {
              "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
              "common_tls_context": {
                "tls_params": {
                  "tls_minimum_protocol_version": "TLSv1_0",
                  "tls_maximum_protocol_version": "TLSv1_3"
                },
                "alpn_protocols": [
                  "h2",
                  "http/1.1"
                ],
                "tls_certificate_sds_secret_configs": [
                  {
                    "name": "testdomain-credentials",
                    "sds_config": {
                      "api_config_source": {
                        "api_type": "GRPC",
                        "grpc_services": [
                          {
                            "google_grpc": {
                              "target_uri": "unix:/var/run/ingress_gateway/sds",
                              "stat_prefix": "sdsstat"
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "require_client_certificate": false
            }
          }
        }
      ],
      "listener_filters": [
        {
          "name": "envoy.listener.tls_inspector",
          "typed_config": {
            "@type": "type.googleapis.com/envoy.config.filter.listener.tls_inspector.v2.TlsInspector"
          }
        }
      ],
      "traffic_direction": "OUTBOUND"
    },
    "last_updated": "2020-07-21T12:11:50.303Z"
  }
}
By enabling tracing on Envoy conn_handler, we can see the following message:
closing connection: no matching filter chain found
After getting the message of no matching filter chain, I found the filter chain for port 31020 with the domain that I have provided in my Gateway config. It looks like, while connecting from my application (ODBC), the host was not being provided.
The solution is simply to replace the host domain with '*'
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: dremio-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true
    hosts:
    - testdomain.net
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: testdomain-credentials
    hosts:
    - testdomain.net
  - port:
      number: 31020
      name: odbc-dremio-tls
      protocol: tls
    tls:
      mode: SIMPLE
      minProtocolVersion: TLSV1_0
      maxProtocolVersion: TLSV1_3
      credentialName: testdomain-credentials
    hosts:
    - '*'

Can I use Ocelot API Gateway to proxy to a Website

I am new to Ocelot API Gateway and trying to figure out how to perform a response host rewrite?
My ocelot api gateway is hosted on localhost:5000, the downstream server is on another host example.com. I am able to proxy from localhost:5000 to example.com, however, when example.com sends a response I get redirected to example.com. I need to stay within one domain (localhost:5000).
Any help is appreciated
{
  "ReRoutes": [
    {
      "DownstreamPathTemplate": "/example/{all}",
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
        {
          "Host": "example.com",
          "Port": 443
        }
      ],
      "UpstreamPathTemplate": "/example/{all}",
    }
  ],
  "GlobalConfiguration": {
    "BaseUrl": "https://localhost:5000"
  }
}
A bit late, but I think you need a "DownstreamHeaderTransform", which will change back example.com to localhost:9000. (not sure if the port will be mapped correctly). In our use case, we use the IP address of the downstream server, and then map that back to the host that the outside world sees. For you, try something along these lines:
{
  "ReRoutes": [
    {
      "DownstreamPathTemplate": "/example/{all}",
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
        {
          "Host": "example.com",
          "Port": 443
        }
      ],
      "DownstreamHeaderTransform": {
        "Referrer": "https://example.com, https://localhost:5000",
        "Host": "example.com, localhost:9000",
        "Origin": "https://example.com, https://localhost:5000"
      },
      "UpstreamPathTemplate": "/example/{all}",
    }
  ],
  "GlobalConfiguration": {
    "BaseUrl": "https://localhost:5000"
  }
}
Personally, I found Ocelot to be rather finicky, and would try Kestrel instead.

laravel echo server , redis

I have a problem with remote connections.
My vhost is: redis.test
I added this to the blade file:
<script src="//redis.test:6001/socket.io/socket.io.js"></script>
.env file
BROADCAST_DRIVER=redis
REDIS_HOST=redis.test
REDIS_PASSWORD=null
REDIS_PORT=6379
echo configuration
import Echo from "laravel-echo"
window.Echo = new Echo({
    broadcaster: 'socket.io',
    host: 'http://redis.test:6001'
});
laravel-echo-server.json
{
  "authHost": "http://redis.test",
  "authEndpoint": "/broadcasting/auth",
  "clients": [
    {
      "appId": "f27485125ac2627f",
      "key": "6328e672f42cbf4cba1de3da215ec41a"
    }
  ],
  "database": "redis",
  "databaseConfig": {
    "redis": {
      "port": "6379",
      "host": "redis.test"
    },
    "sqlite": {
      "databasePath": "/database/laravel-echo-server.sqlite"
    }
  },
  "devMode": true,
  "host": "redis.test",
  "port": "6001",
  "protocol": "http",
  "socketio": {},
  "sslCertPath": "",
  "sslKeyPath": ""
}
It works when I try to broadcast with a local connection (2 browsers, same PC), but when I try to send a "message" from another PC on the LAN (192.168.1.50) I get this error
GET: http://redis.test:6001/socket.io/socket.io.js net::err_connection_refused
[vue_warn] error in created hook
How can I resolve this?
It may be a firewall issue as I can see, try to open redis port in the firewall

Convert curl API PUT to Ansible Playbook

Currently, I use curl to send an HTTP PUT to my API:
curl -k -s -u icinga:icinga -H 'Accept: application/json' -X PUT 'https://localhost:5665/v1/objects/hosts/dbserver.example.com' -d '{ "templates": [ "generic-host" ], "attrs": { "zone": "vienna", "address": "xxx.xx.xx.x", "check_command": "hostalive", "vars.os" : "Linux", "vars.agent" : "ssh" } }' | python -m json.tool
This works like a charm.
I'm trying to convert this API call to an Ansible playbook. I know that Ansible offers the URI module, so I tried to use that, but perhaps something is not configured properly.
---
- name: Add new host
  uri:
    url: icinga2.example.com:5665/v1/objects/hosts/client.example.com
    method: PUT
    user: admin
    password: xxxxxxx
    body: { templates: [ "generic-host" ], attrs: { "zone": "vienna",
      "address": "172.x.x.xx", "check_command": "hostalive", "vars.os" : "Linux", "vars.agent" : "ssh" } }
    headers: "application/json"
  register: icinga_log
  when: inventory_hostname in groups ['vienna']
  with_items: "{{ groups['icinga-monitoring'] }}"
Usually you could follow error messages that ansible produces and fix your syntax.
Try to start with this modification:
- name: Add new host
  uri:
    url: http://icinga2.example.com:5665/v1/objects/hosts/client.example.com
    method: PUT
    user: admin
    password: xxxxxxx
    # A string body is sent as written, so it has to be valid JSON (all keys quoted).
    body: '{ "templates": [ "generic-host" ], "attrs": { "zone": "vienna", "address": "172.x.x.xx", "check_command": "hostalive", "vars.os" : "Linux", "vars.agent" : "ssh" } }'
    body_format: json
    headers:
      Content-Type: application/json