Configuring X509 and Azure AD authentication in the Kubernetes cluster

I am continuing my quest to configure my homelab’s Kubernetes cluster. As for now I’ve done: Setup the cluster using vSphere/vCenter Configuring HAProxy as the load balancer for the masters Today, I want to configure authentication so that I can login to the cluster from my computer and not from one of the masters directly. There are plenty of authentication mechanisms in Kubernetes, but I want 2 focus on 2 techniques that are discussed in the documentation: x509 client certificates and OpenId Connect. For the OpenId Connect provider, I will use Azure Active Directory. Authentication using X509 client certificates The documentation describes pretty well how to create a certificate for a normal user. First, I need to generate a private/public…

September 10, 2020 | by Dominique St-Amand | Leave a comment

Server administration

Adding HAProxy as load balancer to the Kubernetes cluster

As I mentioned in my Kubernetes homelab setup post, I initially setup Kemp Free load balancer as an easy quick solution.While Kemp did me good, I’ve had experience playing with HAProxy and figured it could be a good alternative to the extensive options Kemp offers. It could also be a good start if I wanted to have HAProxy as an ingress in my cluster at some point. There’s a few things here we need in order to make this work: 1 – Make HAProxy load balance on 6443 2- Make HAProxy health check our nodes on the /healthz path Configuring HAProxy Since I’m using debian 10 (buster), I will install HAProxy using apt install haproxy -y Next step is to configure HAProxy. Its…

September 8, 2020 | by Dominique St-Amand | Leave a comment

Docker, Kubernetes, Server administration

Installing a Kubernetes cluster on VMware vSphere and what I’ve learned

The topic of containers has been a hot topic for some time now. As a developer and architect, I want to be able to include them in my development SDLC for the various reasons you guys know. I won’t go in detail about them in this article, because after all you came to see how it was done right? :-). After having some container images waiting in a registry and awaiting to be used, I asked myself, how do I manage the deployment, management, scaling, and networking of these images when they will be spanned in containers? Using an orchestrator of course! Kubernetes (k8s) has become one of the widely used orchestrator for the management of the lifecycle of containers….

September 7, 2020 | by Dominique St-Amand | 2 Comments

Path based routing in Azure Application Gateway with Azure WebApps

So it may occur to you that you may want to do path based routing so that you can reach multiple applications under 1 hostname. To represent this, I’ve drawn an example of what we are trying to accomplish In this post, I’ll show you how I can use the hostname dev.domstamand.com to respond to different backends when hit on 3 paths: /identity : redirects to the identity web app /authorization : redirects to the authorization web app / : redirects all other requests to the default web app As a side note, I’m using the v2 of the Application Gateway. Setup To understand better how all the components are layed out, I made a diagram. For the sake of…

August 14, 2020 | by Dominique St-Amand | 1 Comment

Azure AD Linux Login Extension – sudo fails with PAM account management error: System error

As you all know, I’ve been playing around with the Azure Active Directory login extensions for both Linux and Windows. I came across a problem where the first sudo worked (after re-authenticating) and the second, with the same command, failed with sudo: PAM account management error: System error Trying to debug this was tricky. Along with a support engineer we were able to enable enough log to get to the bottom of the problem. First, edit /etc/pam.d/system-auth-aad and add the debug keyword whenever you see pam_aad.so. Adding “debug” will switch to verbose logging. For example:

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth [success=done ignore=ignore default=die] pam_aad.so debug
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account [success=done ignore=ignore default=die] pam_aad.so debug
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

auth required pam_env.so

auth sufficient pam_fprintd.so

auth [success=done ignore=ignore default=die] pam_aad.so debug

auth sufficient pam_unix.so nullok try_first_pass

auth requisite pam_succeed_if.so uid >= 1000 quiet_success

auth required pam_deny.so

account [success=done ignore=ignore default=die] pam_aad.so debug

account required pam_unix.so

account sufficient pam_localuser.so

account sufficient pam_succeed_if.so uid < 1000 quiet

account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

password required pam_deny.so

session optional pam_keyinit.so revoke

session required pam_limits.so

-session optional pam_systemd.so

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session required pam_unix.so

Once that is done, execute in one terminal the following command tail -f /var/log/secure. Execute the sudo that you know will fail (that is the…

August 4, 2020 | by Dominique St-Amand | Leave a comment

Accessing raw dd images in a Docker Linux container

I was backing up a Linux server of mine the other day and I wanted to have a full backup (along with regular tar.gz backups) of the main disk mounted on the /dev/sda partition. You can backup your partition using dd with a command such as dd if=/dev/sda | dd of=/home/archive/disk.img If everything works, you will get an output similar to below:

4096000+0 records in
4096000+0 records out
2097152000 bytes (2.1 GB) copied, 371.632 seconds, 5.6 MB/s

1

2

3

4096000+0 records in

4096000+0 records out

2097152000 bytes (2.1 GB) copied, 371.632 seconds, 5.6 MB/s

I was then looking to mount that backup raw image in order to check if everything was OK. You can do that by using the loop device in Linux. A loop device is a pseudo (“fake”) device (actually just a file) that acts as a block-based device1. My main OS is Windows and I did not have access to a Linux…

July 12, 2020 | by Dominique St-Amand | Leave a comment

Azure Active Directory login extensions and errors you can come across

I’ve been playing with the Azure Active Directory login extensions for both Linux and Windows in the past months and I’ve came across a few errors and problems I wanted to share with you. But before sharing the problems with you, lets see how you can install the extension Linux extension setup As there as multiple ways to enable the extension, you can follow the documentation here. If you are using ARM to deploy, use the following resource snippet

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2019-12-01",
  "name": "[concat(variables('vmName'),'/', 'AADLoginForLinux')]",
  "location": "[parameters('location')]",
  "dependsOn": [
      "[resourceId('Microsoft.Compute/virtualMachines',variables('vmName'))]"
  ],
  "properties": {
      "publisher": "Microsoft.Azure.ActiveDirectory.LinuxSSH",
      "type": "AADLoginForLinux",
      "typeHandlerVersion": "1.0",
      "autoUpgradeMinorVersion":true
  }
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

{

"type": "Microsoft.Compute/virtualMachines/extensions",

"apiVersion": "2019-12-01",

"name": "[concat(variables('vmName'),'/', 'AADLoginForLinux')]",

"location": "[parameters('location')]",

"dependsOn": [

"[resourceId('Microsoft.Compute/virtualMachines',variables('vmName'))]"

],

"properties": {

"publisher": "Microsoft.Azure.ActiveDirectory.LinuxSSH",

"type": "AADLoginForLinux",

"typeHandlerVersion": "1.0",

"autoUpgradeMinorVersion":true

}

}

Windows extension setup Similarly, like the linux extension, you can following the documentation here. If you are using ARM to deploy, use the following resource snippet

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2019-12-01",
  "name": "[concat(variables('vmName'),'/', 'AADLoginForWindows')]",
  "location": "[parameters('location')]",
  "dependsOn": [
      "[resourceId('Microsoft.Compute/virtualMachines',variables('vmName'))]"
  ],
  "properties": {
      "publisher": "Microsoft.Azure.ActiveDirectory",
      "type": "AADLoginForWindows",
      "typeHandlerVersion": "1.0",
      "autoUpgradeMinorVersion":true
  }
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

{

"type": "Microsoft.Compute/virtualMachines/extensions",

"apiVersion": "2019-12-01",

"name": "[concat(variables('vmName'),'/', 'AADLoginForWindows')]",

"location": "[parameters('location')]",

"dependsOn": [

"[resourceId('Microsoft.Compute/virtualMachines',variables('vmName'))]"

],

"properties": {

"publisher": "Microsoft.Azure.ActiveDirectory",

"type": "AADLoginForWindows",

"typeHandlerVersion": "1.0",

"autoUpgradeMinorVersion":true

}

}

Errors and problems Along with the problems/troubleshooting that appears in the documentation, here…

July 2, 2020 | by Dominique St-Amand | 2 Comments

Live notifications from an Azure Keyvault to your Slack

In a world where monitoring is key for sensitive information, or even for alerts that can put your system down (such as an expired certificate), it is necessary sometimes to be alerted “right away”. Azure Alerts are great, but they have a delay, as the data needs to get ingested into your analytics and then need to run with the alert frequency you have set for you to be aware that something is going on. In this post I will show a way where you can be alerted somewhat instantly. We will consume 2 types of event data from a keyvault, that is the diagnostics AuditEvent and the events that Azure provides us out of the box. Once consumed, we…

June 3, 2020 | by Dominique St-Amand | Leave a comment

AzureFunctions, Personal

Introducting Azure Functions Slack binding

I am proud to announce the first version of my Slack Azure WebJobs Extension. The binding extension eases out the integration with Slack for sending messages. It also includes an easy way to create rich messages using Slack’s Block Kit. The blocks and its related elements also have implement validation to adhere to Slack’s API validation rules. This helps to have a first level validation before sending the requests to Slack and get a response of type 400: invalid_blocks. You can find the extension here. So for the ones who care a little bit more, here’s a of bit of context as to why I spent some time creating the binding extension. I was looking for an easy way to…

June 3, 2020 | by Dominique St-Amand | 1 Comment

Debugging, Tools

Changing requests status codes to test your front-end behaviors

A developer I work with came across an interesting problem where he needed to test the error handling on the front-end side of a SPA without adding extra “hacks” in the APIs that were consumed by the front-end. I helped him with this task, without adding “hacks”, by using Fiddler. Setup Download yourself a copy of Fiddler. Once installed, you need to configure Fiddler to intercept and decrypt HTTPS requests (as I hope your APIs are chatting on HTTPS). To do so, go in Tools -> Options and under the HTTPS tab, check Capture HTTPS CONNECTs and Decrypt HTTPS traffic and select …from browsers only. Accept all the dialogs that come after checking all of those. You will see that…

May 12, 2020 | by Dominique St-Amand | Leave a comment

Automating your OpenAPI updates to API Management through your CI/CD pipeline

Microservices are the trend in today’s day and age, even if you may have read that some are going back the monolith way. Most microservices architectures are built to communicate through REST: each service is an API that shares a contract for other services to consume. Since your product ecosystem will (hopefully) evolve over time, your contracts are to evolve overtime as well. If you decided to consolidate your contracts consumption into one point of entry (using the API Gateway pattern), how do you actually make sure that those contracts are properly updated in your gateway for each of your environments up to your production environment? In this post, I will show you how you can update your APIs contracts…

May 10, 2020 | by Dominique St-Amand | 4 Comments

Azure, SQL Server

Backing up SQL Server databases to Blob Storage using Impersonation

One of the main goals I’m trying to achieve when developing solutions is giving as much autonomy to individuals and teams while still keeping the boat tight. I had an interesting challenge that came up recently where a developer was doing massive changes in the data and needed to take incremental backups of the database, as he was working, to give himself a safety net in case he screwed up. We can say this is the source control way, database style. The physical hardware space of the server is limited. Taking backups often can become expensive in terms of size. Thanks to the SQL Server team, we can backup (and restore) a database to (or from) an Azure Blob Storage….

April 12, 2020 | by Dominique St-Amand | 2 Comments

Server administration

Connecting to Windows Server 2019 core through WinRM and Windows Admin Center

If you’re familiar with the Microsoft offering, Windows Server 2019 Datacenter Core does not have a UI. My goal was to be able to connect to it remotely, without having to remote desktop on it (the remote desktop is only a command line prompt). There’s plenty of articles around the internet about WinRM, but I wanted demonstrate here a quick way of getting started without researching too much. Thanks to Scott Sutherland WinRM cheatsheet and Matt Wrock post on understand and troubleshooting WinRM. For this demo I provisioned a VM on Azure, using the Windows Server 2019 Datacenter Core Image. I also installed the Windows Admin Center, which you can download from here. TL;DR Open PowerShell Enable WinRM: Enable-PsRemoting -Force Make…

February 19, 2020 | by Dominique St-Amand | Leave a comment

Migrating your applications to Azure using Virtual Machine Scale Sets, Packer and Virtual Machine extensions – Part 3

This is a continuation of the previous post about migrating your not ready cloud application to the Azure cloud. The last post discussed about creating a managed image to be able to be used by a virtual machine scale set for provisioning. What will we do in this series I decided to do a series of posts about this topic as it touches a variety of aspects. I will use a concrete example that may or may not have happened to you and I plan to cover Building a managed image from an Ubuntu image as base, and setting up a web server (Tomcat for instance) to host an application Creating a Virtual Machine Scale Set using ARM templates Adding…

February 18, 2020 | by Dominique St-Amand | 1 Comment

Migrating your applications to Azure using Virtual Machine Scale Sets, Packer and Virtual Machine extensions – Part 2

This is a continuation of the previous post about migrating your not ready cloud application to the Azure cloud. The last post discussed about creating a managed image to be able to be used by a virtual machine scale set for provisioning. What will we do in this series I decided to do a series of posts about this topic as it touches a variety of aspects. I will use a concrete example that may or may not have happened to you and I plan to cover Building a managed image from an Ubuntu image as base, and setting up a web server to host an application Creating a Virtual Machine Scale Set using ARM templates (this post) Adding a…

February 17, 2020 | by Dominique St-Amand | Leave a comment

About me

I'm a Canadian Software Developer and Architect that is programming his life away while still maintaining a healthy lifestyle with a passion for fitness. The world of 0's and 1's got injected into my DNA at an early age, which made me turn a passion into a job.
Follow
Categories
- AI (2)
- Angular (4)
- ASP.NET Core (2)
- Azure (33)
- AzureFunctions (3)
- C# (26)
- Continuous Integration (3)
- Database (1)
- Debugging (2)
- Development (6)
- DevOps (6)
- Docker (7)
- Documentation (1)
- GitHub (1)
- Identity Provider (1)
- Kubernetes (2)
- Microsoft365 (2)
- Personal (3)
- PowerShell (3)
- React (1)
- Server administration (6)
- Software Architecture (2)
- SQL Server (1)
- Team Services (1)
- Tools (8)
- Visual Studio (5)
- VMware (1)
- Web (13)
- WebApi (7)
Tags

.net .net core angular angular2 application gateway arm asp.net authentication azure azure-functions azure active directory azuread azure devops c# containers csom debugging docker dotnet-standard2 git github github copilot identity3 identityserver iis keyvault kubernetes linux node npm octopusdeploy packer powershell dsc react scaleset software tests totp two-factor vmss vmss-extensions vsts webapi webapps windows

About me

I'm a Canadian Software Developer and Architect that is programming his life away while still maintaining a healthy lifestyle with a passion for fitness. The world of 0's and 1's got injected into my DNA at an early age, which made me turn a passion into a job.
Tags

.net .net core angular angular2 application gateway arm asp.net authentication azure azure-functions azure active directory azuread azure devops c# containers csom debugging docker dotnet-standard2 git github github copilot identity3 identityserver iis keyvault kubernetes linux node npm octopusdeploy packer powershell dsc react scaleset software tests totp two-factor vmss vmss-extensions vsts webapi webapps windows