A ClusterIssuer is running. It is configured with the Let's Encrypt staging URL. How do I change the server URL to production? Is it possible to patch it, or is replacing the complete issuer mandatory?
I tried:
kubectl patch ClusterIssuer letsencrypt --type json -p '[{"op": "replace", "path": "/spec/acme/sever", "value":"https://acme-v02.api.letsencrypt.org/directory"}]'
The result is:
clusterissuer.cert-manager.io/letsencrypt patched (no change)
kubectl describe ClusterIssuer letsencrypt | grep letsencrypt.org
Server: https://acme-staging-v02.api.letsencrypt.org/directory
Uri: https://acme-staging-v02.api.letsencrypt.org/acme/acct/xyz
*** This works, but I am trying to make the path work:
cat ../include/letsencypt.yaml | sed -E "s/acme-staging-v02/acme-v02/g" | kubectl apply -n cert-manager -f -
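Before handing a JSON Patch to kubectl it is worth applying it locally to a copy of the object and checking that the target field actually changed. The script below is an added example, not part of the question or of cert-manager: it implements the RFC 6902 `replace` semantics (the target location must exist, so a misspelled path such as `/spec/acme/sever` is rejected instead of being silently ignored), applies the production patch to a constructed ClusterIssuer document, and prints the exact `-p` argument. The manifest contents, e-mail and secret name are made up for the example.

```python
"""Added example: validate a JSON Patch against a ClusterIssuer locally.
Not from the original post or from cert-manager; the ISSUER document,
its e-mail address and secret name are constructed for illustration."""
import copy
import json

# Constructed ClusterIssuer document, shaped like the one in the question.
ISSUER = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt"},
    "spec": {
        "acme": {
            "server": "https://acme-staging-v02.api.letsencrypt.org/directory",
            "email": "admin@example.org",
            "privateKeySecretRef": {"name": "letsencrypt-account-key"},
        }
    },
}

LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"
LE_PRODUCTION = "https://acme-v02.api.letsencrypt.org/directory"


def resolve_pointer(doc, path):
    """Walk an RFC 6901 JSON Pointer; return (parent container, final key).
    Raises KeyError if any intermediate segment is missing."""
    if not path.startswith("/"):
        raise ValueError(f"pointer must start with '/': {path!r}")
    parts = [p.replace("~1", "/").replace("~0", "~") for p in path.split("/")[1:]]
    node = doc
    for part in parts[:-1]:
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"path does not exist: {path}")
        node = node[part]
    if not isinstance(node, dict):
        raise KeyError(f"path does not end in an object: {path}")
    return node, parts[-1]


def apply_json_patch(doc, ops):
    """Apply RFC 6902 replace/add/remove ops to a copy of doc and return it."""
    doc = copy.deepcopy(doc)
    for op in ops:
        parent, key = resolve_pointer(doc, op["path"])
        if op["op"] == "replace":
            # RFC 6902 section 4.3: the target location MUST exist for replace.
            if key not in parent:
                raise KeyError(f"replace target does not exist: {op['path']}")
            parent[key] = op["value"]
        elif op["op"] == "add":
            parent[key] = op["value"]
        elif op["op"] == "remove":
            if key not in parent:
                raise KeyError(f"remove target does not exist: {op['path']}")
            del parent[key]
        else:
            raise ValueError(f"unsupported op: {op['op']!r}")
    return doc


def production_patch():
    """The JSON Patch that switches the issuer to production (what -p takes)."""
    return [{"op": "replace", "path": "/spec/acme/server", "value": LE_PRODUCTION}]


def switch_to_production(issuer):
    """Apply the patch locally and return the patched issuer."""
    patched = apply_json_patch(issuer, production_patch())
    if patched["spec"]["acme"]["server"] != LE_PRODUCTION:
        raise RuntimeError("server URL did not change")
    return patched


def patch_rejected(issuer, ops):
    """True if the patch fails to apply (for example because of a misspelled path)."""
    try:
        apply_json_patch(issuer, ops)
    except (KeyError, ValueError):
        return True
    return False


if __name__ == "__main__":
    print("kubectl patch clusterissuer letsencrypt --type json -p",
          repr(json.dumps(production_patch())))
    print(switch_to_production(ISSUER)["spec"]["acme"]["server"])
    typo = [{"op": "replace", "path": "/spec/acme/sever", "value": LE_PRODUCTION}]
    print("misspelled path rejected:", patch_rejected(ISSUER, typo))
```

After the real patch is applied, verify with `kubectl describe clusterissuer letsencrypt` as in the question: the `Server:` line must show the production directory. The account `Uri:` shown in the status was registered with the staging CA; staging and production are separate CAs, so check that the status is updated before relying on the issuer for production certificates.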
With the config below the issued certificate works for www.example.org and abc.example.org, but doesn't work for www.abc.example.org.
http:
  routers:
    web-router:
      rule: "Host(`example.org`) ||
        Host(`www.example.org`) ||
        HostRegexp(`{subdomain:[a-z-]+}.example.org`) ||
        HostRegexp(`www.{subdomain:[a-z-]+}.example.org`)"
      entryPoints:
        - web
      middlewares:
        - redirect
        - csrf
      service: django
    web-secure-router:
      rule: "Host(`example.org`) ||
        Host(`www.example.org`) ||
        HostRegexp(`{subdomain:[a-z-]+}.example.org`) ||
        HostRegexp(`www.{subdomain:[a-z-]+}.example.org`)"
      entryPoints:
        - web-secure
      middlewares:
        - csrf
      service: django
      tls:
        certResolver: letsencrypt
        domains:
          - main: "*.example.org"
            sans:
              - "example.org"
certificatesResolvers:
  letsencrypt:
    acme:
      email: "email#example.com"
      storage: /etc/traefik/acme/acme.json
      dnsChallenge:
        provider: route53
        delayBeforeCheck: 0
In the DNS I have A records for example.org and *.example.org.
Is it possible to get a certificate that works for www.*.example.org and *.example.org at the same time?
Let's Encrypt doesn't do nested wildcards. You can get a certificate for *.example.org or for *.sub.example.org, but *.example.org doesn't include . in the definition of *.
Furthermore, DNS itself doesn't support nested or embedded wildcards.
You can see this if you create a record for www.*.example.com and then query for something like www.foo.example.com. You'll get an NXDOMAIN response. If you query for www.\*.example.com (or wrap the FQDN in single quotes to avoid shell expansion), then you'll get the A record you created. The asterisk becomes a literal character when not at the beginning of the record.
➤ host www.sub.productionwebsite.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
Host www.sub.productionwebsite.com not found: 3(NXDOMAIN)
➤ host 'www.*.productionwebsite.com' 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
www.*.productionwebsite.com has address 10.68.0.73
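The matching rule the answer describes can be checked without touching a CA. The code below is an added example, not from the answer or from Traefik: it implements wildcard matching as TLS clients apply it (a `*` is only valid as the whole leftmost label and matches exactly one non-empty label, per RFC 6125), rejects nested or embedded wildcards outright, and works out which SANs a set of hostnames would actually need. The hostnames are constructed from the question; the `base` argument is the apex you already know.

```python
"""Added example: certificate wildcard matching as TLS clients do it.
Not from the original answer or from Traefik/Let's Encrypt."""


def wildcard_matches(pattern: str, host: str) -> bool:
    """Does a certificate name (possibly '*.parent') cover host?
    Rules: case-insensitive label comparison; a wildcard is only valid as the
    entire leftmost label; it matches exactly one non-empty label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if "*" in pattern:
        # Reject 'www.*.example.org', 'w*.example.org', '*.*.example.org':
        # a public CA will not issue them and clients would not honour them.
        if pattern.count("*") != 1 or p_labels[0] != "*":
            return False
    if len(p_labels) != len(h_labels):
        return False  # '*.example.org' never matches 'example.org' or 'a.b.example.org'
    for p, h in zip(p_labels, h_labels):
        if p == "*":
            if not h:
                return False
        elif p != h:
            return False
    return True


def cert_covers(sans, host):
    """True if any SAN on the certificate matches host."""
    return any(wildcard_matches(s, host) for s in sans)


def wildcards_needed(hosts, base):
    """Smallest set of SANs (single-label wildcards plus the apex) that covers
    hosts, where base is the registered apex such as 'example.org'.
    Every distinct parent domain needs its own '*.<parent>' entry."""
    needed = set()
    for host in hosts:
        host = host.lower().rstrip(".")
        if host == base:
            needed.add(base)
        else:
            needed.add("*." + host.split(".", 1)[1])
    return sorted(needed)


if __name__ == "__main__":
    wanted = ["example.org", "www.example.org", "abc.example.org", "www.abc.example.org"]
    current = ["*.example.org", "example.org"]  # what the Traefik config requests
    for h in wanted:
        print(f"{h:25} covered by current cert: {cert_covers(current, h)}")
    print("SANs needed:", wildcards_needed(wanted, "example.org"))
```

The practical consequence for the Traefik config above: `www.<sub>.example.org` can only be covered by listing `*.<sub>.example.org` as an extra entry under `sans:` for every `<sub>` you actually serve; there is no single SAN that covers an arbitrary `www.*.example.org`. If the set of subdomains is open-ended, redirecting `www.<sub>` to `<sub>` (which `*.example.org` does cover) is the usual way out.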
I am new to sed and somewhat confused.
Here is what I have in the nginx folder of my project:
files:
  "/tmp/45_nginx_https_rw.sh":
    owner: root
    group: root
    mode: "000644"
    content: |
      #! /bin/bash
      # Idempotent: only add the rewrite rule if it is not already present.
      CONFIGURED=$(grep -c "return 301 https" /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf)
      if [ "$CONFIGURED" -eq 0 ]
      then
        # Insert the redirect right after the listen line; the load balancer
        # reports the client's original scheme in X-Forwarded-Proto.
        sed -i '/listen 8080;/a \ if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }\n' /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf
        logger -t nginx_rw "https rewrite rules added"
        exit 0
      else
        logger -t nginx_rw "https rewrite rules already set"
        exit 0
      fi
The above code works like a charm and basically redirects all requests to https if they are http requests.
However, I need to add a piece that checks whether the URL has www and redirects to non-www,
so for example www.test.com will be redirected to test.com.
How can I achieve this?
The AWS recommended solution was to completely rewrite "/etc/nginx/sites-available/elasticbeanstalk-nginx-docker-proxy.conf"
You can do this by adding this file in .ebextensions: https://github.com/awsdocs/elastic-beanstalk-samples/blob/master/configuration-files/aws-provided/security-configuration/https-redirect/docker-sc/https-redirect-docker-sc.config
I made one extra tweak for www redirect:
location / {
    set $redirect 0;
    # Original scheme as seen by the load balancer (nginx itself always sees http).
    if ($http_x_forwarded_proto != "https") {
        set $redirect 1;
    }
    # Host starts with www. -> redirect to the bare domain.
    if ($host ~ ^www\.(?<domain>.+)$) {
        set $redirect 1;
    }
    # Never redirect the ELB health checker, or the instance goes unhealthy.
    if ($http_user_agent ~* "ELB-HealthChecker") {
        set $redirect 0;
    }
    if ($redirect = 1) {
        return 301 https://ADDYOURDOMAINREDIRECTHERE$request_uri;
    }
}
*One more note: your EC2 instance may already have a bunch of config files that you tried while finding a solution. I suggest deploying your app with NO config in .ebextensions, and then Rebuild Environment from the ELB console. This should give you a blank slate. Then simply add the file above to .ebextensions and redeploy.
*Another note: you can SSH into your EC2 instance and verify that the file looks correct.
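The redirect decision in that nginx block is easy to get subtly wrong (an infinite redirect loop behind a TLS-terminating load balancer is the classic failure), so here it is as a small function you can unit-test, together with the naive version that loops. This is an added example, not part of the answer or of the AWS sample config: `test.com` stands in for ADDYOURDOMAINREDIRECTHERE, and the requests are constructed.

```python
"""Added example: the http->https and www->apex redirect decision from the
nginx snippet, as testable Python. Not from the answer or from AWS;
CANONICAL_HOST and the sample requests are constructed."""
import re

CANONICAL_HOST = "test.com"  # stands in for ADDYOURDOMAINREDIRECTHERE
WWW_RE = re.compile(r"^www\.(?P<domain>.+)$", re.IGNORECASE)


def redirect_target(headers, request_uri):
    """Return the 301 Location for a request, or None to serve it as-is.

    Mirrors the nginx logic: redirect when the original scheme (as reported by
    the load balancer in X-Forwarded-Proto) is not https, or when the Host
    starts with www., except for ELB health checks. The target is a fixed
    hostname, so the response never echoes an attacker-supplied Host header."""
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "").split(":", 1)[0]
    proto = h.get("x-forwarded-proto", "")  # empty when the instance is hit directly
    user_agent = h.get("user-agent", "")
    if "elb-healthchecker" in user_agent.lower():
        return None
    if proto.lower() != "https" or WWW_RE.match(host):
        return f"https://{CANONICAL_HOST}{request_uri}"
    return None


def redirect_target_naive(headers, request_uri):
    """The classic mistake: test nginx's own $scheme instead of
    X-Forwarded-Proto. Behind a TLS-terminating ELB the backend connection
    is always plain HTTP, so this redirects every request, forever."""
    backend_scheme = "http"
    if backend_scheme != "https":
        return f"https://{CANONICAL_HOST}{request_uri}"
    return None


def follow_redirects(decide, headers, request_uri, max_hops=5):
    """Simulate a browser behind the ELB; return the number of redirects seen
    before the request is served (max_hops means it loops)."""
    hops = 0
    while hops < max_hops:
        location = decide(headers, request_uri)
        if location is None:
            return hops
        hops += 1
        scheme, rest = location.split("://", 1)
        host, _, path = rest.partition("/")
        # The ELB terminates TLS and tells nginx the original scheme in a header.
        headers = {"Host": host, "X-Forwarded-Proto": scheme}
        request_uri = "/" + path
    return hops


if __name__ == "__main__":
    req = {"Host": "www.test.com", "X-Forwarded-Proto": "http"}
    print("correct:", follow_redirects(redirect_target, req, "/a?b=1"), "hop(s)")
    print("naive  :", follow_redirects(redirect_target_naive, req, "/a?b=1"), "hop(s) (looping)")
```

Two things worth keeping in mind when adapting this: `$request_uri` carries the query string, so it is preserved across the redirect; and the health-check exemption is keyed on a User-Agent string, which anyone can send, so it only spares those requests a 301 and must not be used to gate anything sensitive.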
Source: istio/templates/sidecar-injector-configmap.yaml
What is the purpose of this sidecar-injector-configmap.yaml file?
Can I configure the part related to accessing the external network in this file?
Please focus on how to add IP ranges into the sections below:
[[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges") -]]
- "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges" ]]"
[[ else -]]
- "*"
[[ end -]]
- "-x"
[[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges") -]]
- "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges" ]]"
[[ else -]]
- ""
[[ end -]]
- "-b"
[[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts") -]]
- "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts" ]]"
I am not that experienced with Istio, but it seems like you are not looking in the right direction. The purpose of sidecar-injector-configmap is:
Manual and automatic injection both use the configuration from the
istio-sidecar-injector and istio ConfigMaps in the istio-system
namespace. Manual injection can also optionally load configuration
from local files.
You can find more information about the sidecar injector here.
By default, Istio-enabled services are unable to access URLs outside
of the cluster because the pod uses iptables to transparently redirect
all outbound traffic to the sidecar proxy, which only handles
intra-cluster destinations.
From what I was able to find, the IP ranges should be configured in Ingress or Egress depending on what exactly you want to do. You can find more about configuring network access in these sections: Ingress, Egress.
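What the template fragment in the question does is mechanical: each `traffic.sidecar.istio.io/*` pod annotation, if set, becomes the value of one istio-iptables flag, otherwise a default is used. The code below is an added example, not from the answer or from Istio: it reproduces that mapping in Python so you can see the resulting argument list for a given pod, validates the CIDR and port lists before they reach an init container, and answers the question a practitioner actually cares about, namely which destinations would bypass the sidecar. Assumptions: a `-i` flag precedes the includeOutboundIPRanges block (that line is cut off above), `-i`/`-x` take comma-separated CIDR lists for included/excluded outbound ranges, `-b` takes the inbound port list, the default for includeInboundPorts is `*`, and exclusions take precedence over inclusions.

```python
"""Added example: pod annotations -> istio-iptables arguments, with validation.
Not from the answer or from Istio; flag names, defaults and precedence are
assumptions stated in the lead-in. Annotation values below are constructed."""
import ipaddress

PREFIX = "traffic.sidecar.istio.io/"


def cidr_list(value):
    """Normalise a comma-separated CIDR list; '*' (all) and '' (none) pass through.
    Malformed entries raise ValueError rather than silently widening capture."""
    if value in ("*", ""):
        return value
    nets = [str(ipaddress.ip_network(item.strip(), strict=True))
            for item in value.split(",") if item.strip()]
    return ",".join(nets)


def port_list(value):
    """Normalise a comma-separated port list; '*' and '' pass through."""
    if value in ("*", ""):
        return value
    ports = []
    for item in value.split(","):
        port = int(item.strip())
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.append(str(port))
    return ",".join(ports)


def iptables_args(annotations):
    """Render the argument list the template produces for one pod."""
    a = annotations or {}
    return [
        "-i", cidr_list(a.get(PREFIX + "includeOutboundIPRanges", "*")),
        "-x", cidr_list(a.get(PREFIX + "excludeOutboundIPRanges", "")),
        "-b", port_list(a.get(PREFIX + "includeInboundPorts", "*")),
    ]


def annotations_valid(annotations):
    """True if every traffic annotation parses; use this in an admission check."""
    try:
        iptables_args(annotations)
    except ValueError:
        return False
    return True


def bypasses_sidecar(annotations, dst_ip):
    """True if outbound traffic to dst_ip would NOT be captured by the sidecar,
    i.e. it leaves the pod without mTLS, policy or telemetry."""
    args = iptables_args(annotations)
    include, exclude = args[1], args[3]
    ip = ipaddress.ip_address(dst_ip)
    # Exclusions are evaluated first, so they win over inclusions.
    if exclude and any(ip in ipaddress.ip_network(n) for n in exclude.split(",")):
        return True
    if include == "*":
        return False
    return not any(ip in ipaddress.ip_network(n) for n in include.split(","))


if __name__ == "__main__":
    # Constructed: capture only the cluster's pod and service ranges.
    pod = {PREFIX + "includeOutboundIPRanges": "10.0.0.0/8, 192.168.0.0/16"}
    print(iptables_args(pod))
    for dst in ("10.1.2.3", "93.184.216.34"):
        print(dst, "bypasses sidecar:", bypasses_sidecar(pod, dst))
```

The security trade-off to keep in view: narrowing includeOutboundIPRanges to the cluster ranges lets pods reach the Internet, but everything outside those ranges then leaves the pod uninspected, so no mesh policy applies to it. Since these are pod annotations, anyone who can create a pod can opt its traffic out of the mesh unless an admission policy restricts them; the Egress documentation the answer points to (ServiceEntry through the sidecar or an egress gateway) keeps that traffic under mesh control instead.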
Here is my sample file:
Host dns2
    HostName 172.20.4.80
    User root
    Port 22

Host dns1
    HostName 172.20.4.75
    User root
    Port 22

Host dns3
    HostName 172.20.4.76
    User root
    Port 22

Host dns4
    HostName 172.20.4.77
    User root
    Port 22

Host dns5
    HostName 172.20.4.78
    User root
    Port 22

Host dns6
    HostName 172.20.4.79
    User root
    Port 22
I want to print only one block, for example:
Host dns1
    HostName 172.20.4.75
    User root
    Port 22
Output:
Host: dns2 HostName: 172.20.4.80 User: root Port: 22
But in this example all blocks have 4 lines; they may grow to 5 or more lines later, so I want to print from Host to the first blank line, or remove from Host to the first blank line.
I'm really bad at regex and need this to complete my script.
Thank you.
I think that you basically want this:
awk -v RS='' '/dns1/' file
Unset the record separator so that each block is treated as a record, then print whichever record matches the pattern.
Or to use a shell variable:
host=dns1
awk -v host="$host" -v RS='' '$0 ~ host' file
In both of these examples, I'm using the fact that the default action is { print }. As you will likely be changing the output by using { printf ... } you may want to consider adding an exit statement to avoid processing the rest of the file unnecessarily.
A similar awk:
$ awk -v RS= -v OFS=' ' '{for(i=1;i<NF;i+=2) $i=$i":"}1' hosts
Host: dns2 HostName: 172.20.4.80 User: root Port: 22
Host: dns1 HostName: 172.20.4.75 User: root Port: 22
Host: dns3 HostName: 172.20.4.76 User: root Port: 22
Host: dns4 HostName: 172.20.4.77 User: root Port: 22
Host: dns5 HostName: 172.20.4.78 User: root Port: 22
Host: dns6 HostName: 172.20.4.79 User: root Port: 22
will give you all records in the desired output format. You can either filter this output further or add a pattern such as
$ awk -v RS= -v OFS=' ' '{for(i=1;i<NF;i+=2) $i=$i":"} /dns2/' hosts
Host: dns2 HostName: 172.20.4.80 User: root Port: 22
If you want to exit after processing the selected record, you need to change the script slightly:
$ awk -v RS= -v OFS=' ' '/dns2/{for(i=1;i<NF;i+=2) $i=$i":"; print; exit}' hosts
Host: dns2 HostName: 172.20.4.80 User: root Port: 22
If you want to select everything except one record you can negate the pattern (and remove exit)
$ awk -v RS= -v OFS=' ' '!/dns2/{for(i=1;i<NF;i+=2) $i=$i":"; print}' hosts
Host: dns1 HostName: 172.20.4.75 User: root Port: 22
Host: dns3 HostName: 172.20.4.76 User: root Port: 22
Host: dns4 HostName: 172.20.4.77 User: root Port: 22
Host: dns5 HostName: 172.20.4.78 User: root Port: 22
Host: dns6 HostName: 172.20.4.79 User: root Port: 22
Note that sed in-place replacement needs an intermediary file. If you want to replace the original file with the formatted one sans one record, you can use this command pattern on the last awk statement:
$ awk ... > temp && mv temp original
UPDATE:
Setting OFS changes all the separators between fields. You want to logically group them as name: value, so change the script as follows:
$ awk -v RS= '{for(i=1;i<NF;i++) $i=$i (i%2?":":"\t")}1' hosts
Host: dns2 HostName: 172.20.4.80 User: root Port: 22
Host: dns1 HostName: 172.20.4.75 User: root Port: 22
Host: dns3 HostName: 172.20.4.76 User: root Port: 22
Host: dns4 HostName: 172.20.4.77 User: root Port: 22
Host: dns5 HostName: 172.20.4.78 User: root Port: 22
Host: dns6 HostName: 172.20.4.79 User: root Port: 22
which sets a tab delimiter after even positioned fields.
To print the 3rd record:
$ awk -v RS= -F'\n[[:blank:]]+' -v OFS='\t' 'NR==3{$1=$1; gsub(/ +/,": "); print}' file
Host: dns3 HostName: 172.20.4.76 User: root Port: 22
To print the records that contains dns4:
$ awk -v RS= -F'\n[[:blank:]]+' -v OFS='\t' '/dns4/{$1=$1; gsub(/ +/,": "); print}' file
Host: dns4 HostName: 172.20.4.77 User: root Port: 22
To print all records except those that contain dns3, dns4, or dns5:
$ awk -v RS= -F'\n[[:blank:]]+' -v OFS='\t' '!/dns[345]/{$1=$1; gsub(/ +/,": "); print}' file
Host: dns2 HostName: 172.20.4.80 User: root Port: 22
Host: dns1 HostName: 172.20.4.75 User: root Port: 22
Host: dns6 HostName: 172.20.4.79 User: root Port: 22
Not different from Tom Fenech's approach, since it uses the record separator, but it also plays with the field separator to obtain the desired output:
awk -v RS='' -F'\n[\t ]*' -v OFS=' ' '/dns1/{$1=$1;print}' file
When you change the output field separator, you need to use $1=$1 (or $0=$0, or any other field) to force awk to re-evaluate the record and take the new field separator into account.
Note: you can exit awk when a matching block is found with the exit command. This avoids processing the rest of the file.
You can also test the pattern /dns1/ against the first field only:
awk -v RS='' -F'\n[\t ]*' -v OFS=' ' '$1~/dns1/{$1=$1;print;exit}' file
If you add the semi-colons to the result, since you modify the fields, the $1=$1 trick becomes unnecessary. You can write:
awk -v RS='' -F'\n[\t ]*' -v OFS=' ' '$1~/dns1/{for(i=1;i<=NF;i++){sub(" ", ": ", $i)};print;exit}' file
This might work for you (GNU sed):
sed -n '/Host dns1/{:a;N;/^\s*$/M!ba;s/\n\s*/ /g;s/\s*$//p}' file
This focuses on the required string, then appends the following lines until a blank one, and finally manipulates the gathered string into the required output.
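The same job in Python, added here as an example and not taken from any of the answers above: it splits the file into Host blocks regardless of how many lines each block has (the question expects them to grow), prints one block in the `Host: dns1 HostName: ...` form, or drops one block from the file. Unlike the `/dns1/` patterns in the awk and sed answers, it matches the Host name exactly, so selecting `dns1` cannot also pick up a future `dns10`. The sample text is constructed from the question, with the blank lines between blocks restored and a fifth option added to one block.

```python
"""Added example: parse ssh_config-style Host blocks, print or drop one.
Not from the original answers; SAMPLE is constructed from the question."""

SAMPLE = """\
Host dns2
    HostName 172.20.4.80
    User root
    Port 22

Host dns1
    HostName 172.20.4.75
    User root
    Port 22

Host dns3
    HostName 172.20.4.76
    User root
    Port 22
    IdentityFile ~/.ssh/dns3_ed25519
"""


def parse_blocks(text):
    """Return a list of (host, [(key, value), ...]) in file order.
    A block starts at a 'Host' line and runs until the next 'Host' line;
    blank lines and comments are skipped, so block length does not matter."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "Host":
            current = (value, [])
            blocks.append(current)
        elif current is not None:
            current[1].append((key, value))
    return blocks


def format_block(host, options):
    """'Host: dns1 HostName: 172.20.4.75 User: root Port: 22'"""
    return " ".join(f"{k}: {v}" for k, v in [("Host", host)] + options)


def select(text, host):
    """Print-one-block equivalent of awk -v RS='' '/dns1/', but the Host
    value must match exactly (a 'Host a b' line is compared as a whole)."""
    for h, opts in parse_blocks(text):
        if h == host:
            return format_block(h, opts)
    return None


def drop_block(text, host):
    """Remove one block: from its 'Host' line up to and including the first
    blank line, leaving every other line byte-for-byte as it was."""
    out, skipping = [], False
    for line in text.splitlines():
        parts = line.split(None, 1)
        key = parts[0] if parts else ""
        if key == "Host":
            skipping = len(parts) > 1 and parts[1].strip() == host
        elif skipping and key == "":  # blank line closes the dropped block
            skipping = False
            continue
        if not skipping:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(select(SAMPLE, "dns1"))
    print(select(SAMPLE, "dns3"))
    print(drop_block(SAMPLE, "dns1"), end="")
```

For the in-place rewrite the awk answer describes (`awk ... > temp && mv temp original`), write `drop_block`'s result to a temporary file in the same directory and rename it over the original; the rename is atomic, so a concurrent reader never sees a half-written config.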