diff --git a/docs/blog/category/changelog.md b/docs/blog/category/changelog.md index f6bbe15..2f590d0 100644 --- a/docs/blog/category/changelog.md +++ b/docs/blog/category/changelog.md @@ -1,5 +1,5 @@ --- -description: CHANGELOG - What's new in the cookbook +description: The CHANGELOG category lists the posts which highlight new and improved recipes in Funky Penguin's Geek Cookbook. The idea is that subscribing to the RSS feed will provide automatic notification of fresh recipes! search: exclude: true --- diff --git a/docs/blog/category/note.md b/docs/blog/category/note.md index 4d1890a..bb43111 100644 --- a/docs/blog/category/note.md +++ b/docs/blog/category/note.md @@ -1,6 +1,5 @@ --- -description: Funky Penguin's notes-in-progress -title: Blog / Notes +description: Sometimes you discover something which doesn't fit neatly into the "recipe" format. That's what this category of blog posts is for. I note information I don't want to loose, but I don't know (yet) how to fit it into the structure of the cookbook. search: exclude: true --- diff --git a/docs/blog/category/review.md b/docs/blog/category/review.md index f0064c8..14f04b2 100644 --- a/docs/blog/category/review.md +++ b/docs/blog/category/review.md @@ -1,11 +1,10 @@ --- -description: My reviews of popular self-hosted apps -title: Funky Penguin reviews self-hosted tools +description: I love experimenting with new self-hosted tools. Typically I'll review a tool while creating a recipe, although popular enough tools (Plex) don't need a review, in which case I'll just jump straight into the recipe! search: exclude: true --- -# Funky Penguin's Reviews +# Reviews I love experimenting with new self-hosted tools. Typically I'll review a tool while creating a recipe, although popular enough tools (*like [Plex][plex]*) don't **need** a review, in which case I'll just jump straight into the recipe! diff --git a/docs/blog/index.md b/docs/blog/index.md index bc145ab..2211d52 100644 --- a/docs/blog/index.md 
+++ b/docs/blog/index.md @@ -1,8 +1,9 @@ --- -title: Funky Penguin's Blog +title: Funky Penguin's Geek Blog +description: Here I record largely-unstructured posts on technical subjects including updates / additions to the cookbook, reviews, and fixes / tips discovered during my daily work! --- # Funky Penguin's Geek Cookblog -Welcome to Funky Penguin's Geeky Blog! +Welcome to Funky Penguin's Geeky Blog! Here I record largely-unstructured posts on technical subjects including updates / additions to the cookbook, reviews, and fixes / tips discovered in my daily work! --8<-- "common-links.md" diff --git a/docs/blog/posts/changelog/new-recipe-invidious-swarm.md b/docs/blog/posts/changelog/new-recipe-invidious-swarm.md index 17a5648..012e923 100644 --- a/docs/blog/posts/changelog/new-recipe-invidious-swarm.md +++ b/docs/blog/posts/changelog/new-recipe-invidious-swarm.md @@ -7,8 +7,8 @@ tags: links: - Invidious on Docker: recipes/invidious.md - Invidious on Kubernetes: recipes/kubernetes/invidious.md -description: New Recipe Added - Invidious - Private YouTube frontend, running on Docker Swarm -title: Added recipe for Invidious on Docker Swarm +description: New Recipe Added - Invidious - Private YouTube frontend (won't track you or recommend embarassing videos to your mum!), running on Docker Swarm +title: Added / Invidious on Docker Swarm image: /images/invidious.png --- diff --git a/docs/blog/posts/changelog/new-recipe-kavita-swarm.md b/docs/blog/posts/changelog/new-recipe-kavita-swarm.md index b580975..11e4bfe 100644 --- a/docs/blog/posts/changelog/new-recipe-kavita-swarm.md +++ b/docs/blog/posts/changelog/new-recipe-kavita-swarm.md 
@@ -6,7 +6,7 @@ tags: - kavita links: - Kavita recipe: recipes/kavita.md -description: New Recipe Added - Kavita - "Rocket-fueled" reader for manga/comics/ebooks, able to save reading position across devices/sessions +description: New recipe added for Kavita (docker swarm) - Rocket-fueled reader for manga/comics/ebooks, able to save reading position across devices/sessions title: Added recipe for Kavita on Docker Swarm image: /images/kavita.png --- diff --git a/docs/blog/posts/changelog/new-recipe-mastodon-k8s.md b/docs/blog/posts/changelog/new-recipe-mastodon-k8s.md index 237d632..037ae1c 100644 --- a/docs/blog/posts/changelog/new-recipe-mastodon-k8s.md +++ b/docs/blog/posts/changelog/new-recipe-mastodon-k8s.md @@ -8,11 +8,11 @@ links: - Mastodon Review: blog/posts/reviews/review-mastodon-3.5.3.md - Mastodon Kubernetes recipe: recipes/kubernetes/mastodon.md - Mastodon Docker Swarm recipe: recipes/mastodon.md -description: New Kubernetes Recipe - Mastodon - Federated social network. Think "like twitter but also like email" +description: New Kubernetes Recipe - Mastodon - Federated social network. Think 'like twitter but also like email' image: /images/mastodon.png title: Added tutorial for running a Mastodon instance on Kubernetes --- -# New Recipe: Mastodon - Federated social network. Think "like twitter but also like email" +# New Recipe: Mastodon - Federated social network. Think 'like twitter but also like email' New recipe - Mastodon, like Twitter on the Fediverse. Check out the [Kubernetes recipe][k8s/mastodon]! diff --git a/docs/blog/posts/notes/kubeadm-cant-install-if-coredns-pod-uses-image-digest.md b/docs/blog/posts/notes/kubeadm-cant-install-if-coredns-pod-uses-image-digest.md new file mode 100644 index 0000000..0302dd7 --- /dev/null +++ b/docs/blog/posts/notes/kubeadm-cant-install-if-coredns-pod-uses-image-digest.md 
@@ -0,0 +1,52 @@ +--- +date: 2023-02-16 +categories: + - note +tags: + - kubeadm + - kubernetes + - connaisseur +title: Kubeadm will fail to install if you've changed the coredns deployment to use digests +description: I debugged why my kubeadm init command was failing with "start version" .. "not supported" in isCoreDNSConfigMapMigrationRequired +--- + +# Made changes to your CoreDNS deployment / images? You may find kubeadm uncooperative.. + +Are you trying to join a new control-plane node to a kubeadm-installed cluster, and seeing an error like this? + +```bash +start version '8916c89e1538ea3941b58847e448a2c6d940c01b8e716b20423d2d8b189d3972' not supported +unable to get list of changes to the configuration. +k8s.io/kubernetes/cmd/kubeadm/app/phases/addons/dns.isCoreDNSConfigMapMigrationRequired +``` + +You've changed your CoreDNS deployment, haven't you? You're using a custom image, or an image digest, or you're using an admissionwebhook to mutate pods upon recreation? + +Here's what it means, and how to work around it... + + + +We use [Connaisseur](https://github.com/sse-secure-systems/connaisseur) to enforce an internal policy upon our clusters - we don't run any images not signed with [cosign](https://github.com/sigstore/cosign). + +!!! question "Why not use [sigstore's policy-controller admission controller](https://docs.sigstore.dev/policy-controller/overview/)?" + For one, I didn't know it existed before writing this! 
But having read up on it, here's why I believe that connaisseur is a better choice for our cluster: + + #### connaisseur vs sigstore's policy-controller admission controller + + * [x] Connaisseur can apply to all namespaces by default, and individual namespaces can opt-out + * [x] Connaisseur can "mutate" manifests, replacing tag-based images with their cosign-verified digest + * [x] Connaisseur can post slack webhooks to update an ops team re a policy violation, whether in "enforce" or "audit" mode + +When `kubeadm init` instantiates a new control-plane node, it tries to determine which version of CoreDNS is running in the cluster, by **directly examining the coredns pods**. + +Here's what one of my pods looks like: + +```yaml +Image: registry-internal.elpenguino.net/myorg/coredns:v1.8.6@sha256:8916c89e1538ea3941b58847e448a2c6d940c01b8e716b20423d2d8b189d3972 +``` + +kubeadm doesn't seem to be able to detect that the image above is at `v1.8.6`, and instead assumes it to be `8916...` (*the digest*). + +The error can't be worked-around by ignoring a pre-flight test, since this particular failure happens "post-flight", and causes the entire install process to fail. The only viable solution currently (*I'll report this upstream, but it may end up being a "this-is-by-design" issue*), is to explicitly prevent connaisseur from meddling with pods in the `kube-system` namespace, by labelling the namespace with `securesystemsengineering.connaisseur/webhook=ignore`. + +Aside from the fact that kubeadm could handle this failure more gracefully, I believe that excluding `kube-system` from admissionwebhooks is a smart move anyway, since `kube-system` should really be inviolate, and any unexpected changes **may** interfere with current and future Kubernetes upgrades anyway! diff --git a/docs/blog/posts/notes/pod-guid-can-cause-istio-proxy-bypass.md b/docs/blog/posts/notes/pod-guid-can-cause-istio-proxy-bypass.md index a3abe19..f19cabe 100644 
--- a/docs/blog/posts/notes/pod-guid-can-cause-istio-proxy-bypass.md +++ b/docs/blog/posts/notes/pod-guid-can-cause-istio-proxy-bypass.md @@ -4,8 +4,8 @@ categories: - note tags: - renovate -title: How running a pod as GID 1337 can cause a Kubernetes pod to bypass istio-proxy -description: Is your pod bypassing istio-proxy? Check your GUID isn't set to 1337! +title: Why your Kubernetes pod is bypassing istio-proxy +description: Is your pod sending traffic which is unexpectedly bypassing istio-proxy? Check your GUID isn't set to 1337! --- # Is your pod bypassing istio-proxy? Check your GUID diff --git a/docs/blog/posts/reviews/review-mastodon-3.5.3.md b/docs/blog/posts/reviews/review-mastodon-3.5.3.md index 1639dd1..cafdccd 100644 --- a/docs/blog/posts/reviews/review-mastodon-3.5.3.md +++ b/docs/blog/posts/reviews/review-mastodon-3.5.3.md @@ -8,7 +8,7 @@ links: - Mastodon Kubernetes recipe: recipes/kubernetes/mastodon.md - Mastodon Docker Swarm recipe: recipes/mastodon.md title: Review / Mastodon v3.5.3 - Open, Federated microblogging platform -description: Mastodon is like a self-hosted Twitter on the Fediverse. Here's a review! +description: Mastodon is a twitter-inspired, federated, microblogging community ("social network"), which anybody can partricipate in by joining a public instance, or running their own instance. Here's a review! image: /images/mastodon.png upstream_version: v3.5.3 --- diff --git a/docs/blog/posts/reviews/review-nextcloud-24.md b/docs/blog/posts/reviews/review-nextcloud-24.md index 892d16b..0c0d9b1 100644 --- a/docs/blog/posts/reviews/review-nextcloud-24.md +++ b/docs/blog/posts/reviews/review-nextcloud-24.md @@ -4,7 +4,7 @@ categories: - Review tags: - nextcloud -description: My review of NextCloud 24 +description: An opinionated geek's review of NextCloud 24, how to make 'reliable' sexy! title: Review / Nextcloud v24 - Sexy on the outside, boring on the inside upstream_version: v24 image: /images/nextcloud.jpg 
diff --git a/docs/blog/tags.md b/docs/blog/tags.md index 9c1e27d..ab18fe7 100644 --- a/docs/blog/tags.md +++ b/docs/blog/tags.md @@ -1,4 +1,5 @@ --- +title: Funky Penguin's Geeky Blog Tags search: exclude: true --- diff --git a/docs/community/index.md b/docs/community/index.md index 837e31d..09bf657 100644 --- a/docs/community/index.md +++ b/docs/community/index.md @@ -1,6 +1,6 @@ --- title: Funky Penguin's Geeky Communities -description: Engage with your fellow geeks, wherever they may be! +description: Join Funky Penguin and your fellow geeks, wherever they be in, including Discord, Reddit, Mastodon, GitHub, and more... --- # Geek Community diff --git a/docs/community/mastodon.md b/docs/community/mastodon.md index ab03040..27030aa 100644 --- a/docs/community/mastodon.md +++ b/docs/community/mastodon.md @@ -1,11 +1,11 @@ --- title: Join our geeky, Docker/Kubernetes-flavored Mastdon instance -description: Looking for your geeky niche in the "fediverse"? Join our Mastodon instance! +description: Looking for your geeky niche in the "fediverse"? Join our Mastodon instance, focussed on self-hosting, technical news, supporting full-text search! icon: fontawesome/brands/mastodon status: new --- -# Join geeky / selfhosted Mastodon +# Join our geeky / selfhosted Mastodon instance Mastondon is a self-hosted / open-source microblogging platform (*heavily inspired by Twitter*), which supports federation, rather than centralization. Like email, any user on any Mastodon instance can follow, "toot" (*not tweet!*), and reply to any user on any *other* instance. diff --git a/docs/index.md b/docs/index.md index 15ad37d..0c34777 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -87,17 +87,17 @@ So if you're familiar enough with the concepts above, and you've done self-hosti I’ve spent 20+ years working with technology. I’m a solution architect, with a broad range of experience and skills. I'm a full-time [AWS Certified Solution Architect (Professional)][cert_aws], a [CNCF-Certified Kubernetes Administrator][cert_cka], [Application Developer][cert_ckad] and [Security Specialist][cert_cks]. -### What do you want from me? +## What do you want from me? I want your [support](https://github.com/sponsors/funkypenguin), either in the [financial](https://github.com/sponsors/funkypenguin) sense, or as a member of our [friendly geek community](http://chat.funkypenguin.co.nz) (*or both!*) -#### Get in touch 💬 +### Get in touch 💬 - Come and say hi to me and the friendly geeks in the [Discord](http://chat.funkypenguin.co.nz) chat or the [Discourse](https://forum.funkypenguin.co.nz/) forums - say hi, ask a question, or suggest a new recipe! - Toot me up, I'm [@funkypenguin](https://so.fnky.nz/@funkypenguin)! 🐘 - [Contact me](https://www.funkypenguin.co.nz/contact/) by a variety of channels -#### [Sponsor](https://github.com/sponsors/funkypenguin) me ❤️ +### [Sponsor](https://github.com/sponsors/funkypenguin) me ❤️ The best way to support this work is to become a [GitHub Sponsor](https://github.com/sponsors/funkypenguin) / [Patreon patron](https://www.patreon.com/bePatron?u=6982506). You get: 
@@ -110,15 +110,15 @@ The best way to support this work is to become a [GitHub Sponsor](https://github Impulsively **[click here (NOW quick do it!)](https://github.com/sponsors/funkypenguin)** to [sponsor me](https://github.com/sponsors/funkypenguin) via GitHub, or [patronize me via Patreon](https://www.patreon.com/bePatron?u=6982506)! -#### Work with me 🤝 +### Work with me 🤝 Need some Cloud / Microservices / DevOps / Infrastructure design work done? This stuff is my bread and butter! :bread: :fork_and_knife: [Get in touch][contact], and let's talk! -#### Buy me a coffee ☕️ +### Buy me a coffee ☕️ A sponsorship is too much commitment, and a book is TL;DR? Hit me up with a [one-time caffine shot](https://www.buymeacoffee.com/funkypenguin)! -### Sponsored Projects +### Projects I sponsor I'm supported and motivated by [GitHub Sponsors](https://github.com/sponsors/funkypenguin) and [Patreon patrons](https://www.patreon.com/funkypenguin) who have generously sponsored me. diff --git a/docs/kubernetes/cluster/digitalocean.md b/docs/kubernetes/cluster/digitalocean.md index b0154ad..6c8013e 100644 --- a/docs/kubernetes/cluster/digitalocean.md +++ b/docs/kubernetes/cluster/digitalocean.md @@ -1,6 +1,8 @@ --- -description: Creating a Kubernetes cluster on DigitalOcean +description: One of the easiest ways to experiment with a "real" managed Kubernetes cluster is with DigitalOcean's Kubernetes offering +title: Create your Kubernetes cluster on Digital Ocean --- + # Kubernetes on DigitalOcean IMO, the easiest Kubernetes cloud provider to experiment with is [DigitalOcean](https://m.do.co/c/e33b78ad621b) (_this is a referral link_). I've included instructions below to start a basic cluster. diff --git a/mkdocs.yml b/mkdocs.yml index 9981548..f3e8f56 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -405,7 +405,8 @@ markdown_extensions: - codehilite: linenums: true - toc: - permalink: true + permalink: false + toc_depth: 3 # ignore H4/5/6 - footnotes - pymdownx.critic - pymdownx.arithmatex
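Review bot: In docs/blog/category/note.md the new description has a typo: "information I don't want to loose" should read "lose". The hunk also removes `title: Blog / Notes` with no replacement visible, unlike review.md where the `# Reviews` heading remains, so check that the category page still renders with a sensible title.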
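Review bot: docs/blog/index.md now names the blog three different ways: `title: Funky Penguin's Geek Blog`, the heading `# Funky Penguin's Geek Cookblog`, and "Geeky Blog" in the welcome line, so pick one. The added description and the added welcome sentence also differ by a single word ("during my daily work" vs "in my daily work"); make them identical, or different on purpose.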
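Review bot: In new-recipe-invidious-swarm.md the new description misspells "embarrassing" as "embarassing". The title pattern also diverges within this patch: this post becomes `Added / Invidious on Docker Swarm` while the Kavita post keeps `Added recipe for Kavita on Docker Swarm`. Use one pattern for all changelog posts.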
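Review bot: Quote handling in descriptions is inconsistent across this patch, starting with new-recipe-mastodon-k8s.md, which swaps "like twitter but also like email" to single quotes, and the Kavita hunk, which drops the quotes around Rocket-fueled. Other hunks in the same patch add double quotes to descriptions ("recipe" in note.md, "social network" in review-mastodon-3.5.3.md, "real" in digitalocean.md). If double quotes in `description:` are a problem for the rendered meta tag, remove them everywhere. If they are not, the Mastodon and Kavita changes are unnecessary churn.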
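Review bot: The workaround paragraph in the new kubeadm-cant-install-if-coredns-pod-uses-image-digest.md should state what the `securesystemsengineering.connaisseur/webhook=ignore` label costs. As described, it stops Connaisseur acting on every pod in `kube-system`, so images in that namespace are no longer held to the "no images not signed with cosign" policy stated earlier in the post. Add a sentence saying so, so that readers who copy the label know they are creating an exemption and can decide how to restrict who deploys into `kube-system`. Two smaller points: the intro talks about joining a new control-plane node while the body says `kubeadm init` instantiates it, so name the command that actually produced the error; and the error output is fenced as `bash` although it is not shell, where `text` would avoid misleading highlighting.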
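Review bot: In pod-guid-can-cause-istio-proxy-bypass.md the description still says "Check your GUID isn't set to 1337!" although the removed title correctly called it "GID 1337"; the setting in question is a group ID, not a GUID. Change the description to "GID", and fix the unchanged `# Is your pod bypassing istio-proxy? Check your GUID` heading while you are in this file. The new title also drops the "GID 1337" detail, which is the term someone debugging this would search for, so consider keeping it in the title.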
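Review bot: In review-mastodon-3.5.3.md the new description misspells "participate" as "partricipate". "twitter-inspired" should also capitalise the product name, as the community/mastodon.md body does ("heavily inspired by Twitter").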
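Review bot: The new description in docs/community/index.md does not parse: "wherever they be in, including Discord, Reddit, ...". Something like "wherever they hang out, including Discord, Reddit, Mastodon, GitHub, and more" says what is intended.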
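Review bot: docs/community/mastodon.md gets its description rewritten but the `title:` line directly above still reads "Mastdon instance", and the first body line still says "Mastondon". Since this patch is about page titles and descriptions, fix both spellings to "Mastodon" in the same change.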
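Review bot: In the second docs/index.md hunk, `### Sponsored Projects` is renamed to `### Projects I sponsor` but stays at H3 while its former sibling `What do you want from me?` was promoted to H2 in the previous hunk. The section is therefore now nested under "What do you want from me?" alongside "Buy me a coffee"; promote it to `##` if it is meant to remain a top-level section. Also check the new wording against the sentence that follows it ("GitHub Sponsors and Patreon patrons who have generously sponsored me"), which describes sponsors of the author rather than projects the author sponsors.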
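Review bot: docs/kubernetes/cluster/digitalocean.md spells the provider two ways after this change: the new `title:` says "Digital Ocean" while the new description, the `# Kubernetes on DigitalOcean` heading and the body all use "DigitalOcean". Use "DigitalOcean" in the title as well.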
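Review bot: In mkdocs.yml, `permalink: true` is flipped to `permalink: false` with no explanation, while the neighbouring `toc_depth: 3` gets a comment. Turning permalinks off removes the per-heading anchor links readers use to link to a section, which is a visible behaviour change for the whole site; add a comment or a line in the commit message saying why it is wanted.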