Category: Systems Admin

  • A Simple and Interactive Decoder for Kubernetes Secrets

    TL; DR: Here’s a simple shell function which can decode Kubernetes secrets interactively and should work in any Bash and compatible environments. Requirements: Here’s the code. This can be chained together with other commands too, eg. on a Mac, I can do Then the decoded content of selected secret key will be put into clipboard.…

  • A GKE Issue: Metadata Service Is Unreachable In Nodes

    Recently I encountered some errors in a GKE cluster where a lot of pods were stuck at crash loop backoff state, which means the pods couldn’t recover on their own. When taking a closer look, I saw errors like: It’s a DNS issue then. However when I created a pod and ran some DNS tests…

  • ArgoCD, Jsonnet and Tanka in 2024

    A few years ago, I got to know Jsonnet and I loved it at first sight. I used a nice little tool called tanka to manage my Jsonnet manifests and I got them working together with ArgoCD, and finally I re-deployed my blog using this combo. Everything worked like a charm, until… Recently I upgraded…

  • How to Enable Gzip Compression for Istio Ingress Gateway

    TL; DR: here’s a code snippet to turn on gzip compression for Istio’s ingress gateway, using Envoy filter. Tested with Istio 1.16 and Kubernetes 1.26. To test it with curl: 🙂

  • How to Mount an Existing Google Persistent Disk to a Pod in GKE

    TL; DR: Below are steps to mount an existing Google Persistent Disk to a pod in a GKE cluster in the same region. Most of the time I’d prefer to run stateless pods in Kubernetes clusters – they come, they go, as if nothing happened. When there are things to be persisted, a Persistent Volume…

  • How to Run Tableau Server in GKE(Google Kubernetes Engine)

    TL; DR: here are my notes to host a fully working Tableau Server in a GKE cluster. It’s not fully Kubernetes native but still I think it’s better than running as a VM. This is correct as of Dec 2023. The Docker Container Image There doesn’t seem to have an official docker image for Tableau…

  • Github Hosted Runners and Their Access to GCP VPC

    TL; DR: Given plenty of free time of Github hosted runners, I’m tempted to use it instead of running self-hosted ones in my GCP environment. Here are some options to grant network access to my GCP VPC. Prerequisites: Google Workload Identity Federation for Github Runners Option #1, grab the public IP of the runner on-the-fly…

  • How to Setup Google Workload Identity Federation for Github Actions Runners

    When using GHA(Github Actions) for CI/CD purposes, the Github-hosted runners are free unless you use it quite a lot. But if I want to use GHA to build a docker container image and save it to my private repository in Google Artifact Registry, I have to grant the permission to some VMs I don’t even…