Posts

Introduction In this article, we will discuss a common issue encountered in Kubernetes deployments involving the expiration of the etcD Prometheus certificate. We will also provide a step-by-step guide on how to renew the certificate using OpenSSL. Problem In our Kubernetes deployment, we encountered an error related to the etcD. The error message was as follows: etcd-manager-main-i-0ee1f712d597448db etcd-manager {"level":"warn","ts":"2024-02-21T12:24:18.774Z","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"10.239.31.99:41644","server-name":"","error":"tls: failed to verify client certificate: x509: certificate has expired or is not yet valid: current time 2024-02-21T12:24:18Z is after 2021-10-04T20:49:28Z"} This error indicates that the client’s certificate has expired or is not yet valid....

Solution To unlock your user in ESXi web UI you need to connect to go through the following steps: Connect to your server over SSH: ssh <your-esxi-user>@<your-esxi-ip> Run PAM command to unlock user: [<your-esxi-user>@r710:~] pam_tally2 --user <user-to-unlock> --reset Login Failures Latest failure From <user-to-unlock> 33 12/27/23 11:23:24 unknown

How to enable cgroups V2 in Alpine Linux I am running K3S cluster to host some of my applications. After trying to start some of the Helm chart (especially some PostgreSQL charts) I got an error saying that containerD is not able to read some cgroups data. Actuall error message was saying following: Warning Unhealthy 3m46s kubelet Readiness probe errored: rpc error: code = Unknown desc = failed to exec in container: failed to start exec "<container_id>": OCI runtime exec failed: exec failed: unable to start container process: error adding pid 18381 to cgroups: failed to write 18381: open /sys/fs/unified/kubepods/burstable/pod<random_id>/<some_id>/cgroup....

Introduction It seems like I’m not one lucky person who needs something weird when it comes to DNS names resolution :). Recently I had a problem at work: we have a very secure datacenter. It has no direct access to the Internet and internally resolves only our company internal domain names. Since my team was doing step-by-step migration to AWS and we introduced a new way CNAME records to our subdomains....

Introduction At some point, I wanted to try something different from k8s and decided to have a look at Nomad from Hashicorp. And it has a pretty simple configuration to integrate with Traefik. You could find some details on this topic in the official documentation for Nomad here. Since this configuration is running on my personal server and resources are not publicly exposed, there would be not so many info about securing configuration....

Basic info about kube-aws and problem Kube-aws is an open-source tool to provision Kubernetes cluster in Amazon AWS cloud. It provision ec2 instances with CoreOS to run Kubernetes. We’re running our clusters in eu-west-1 region and at some point we started getting problems with syncing time on our node. One day it resulted outage for our ETCd instances. After some investigation I found out that sometimes timesyncd is not able to synchronize time with NTP pool server:...

How to setup proxy from nginx-ingress to S3 bucket Long story short. I got a task to proxy few pages from our main website to files hosted in S3 bucket. I tried different ways to do so which I found in internet, but I had not luck with them. Everytime something was broken. But source of my problem was in attempts to configure this with nginx.ingress.kubernetes.io/server-snippet annotation. In real life configuration for this task in my case look much easier....