
PhotoSize, a tool for shrinking images in batches and touching them up a little if needed


By @Alvy, 8 April 2019


PhotoSize is one of those simple single-purpose tools that is worth keeping bookmarked. It reduces the size of images, and what sets it apart from others is that it can do so in batches, that is, several at once. It accepts photos of up to 20 megapixels and a maximum of 10 MB per file.

Using it is really simple, in three steps:

  1. Drag in the photo, or photos, in any format (it accepts JPG, TIF, PNG, PSD, BMP, GIF, JP2, PICT, JPC, PCX and SGI).
  2. Optionally apply some filters (crop, brightness, contrast, sepia, black and white, and so on).
  3. Finally choose the output format and quality; there are around 50 options and 5 different quality levels.

This kind of job is usually done with specialised software such as Photoshop, but having a simpler tool at hand, in the browser, does not hurt for the occasional task or for use from a phone or tablet.


Cai Guo-Qiang & Avant Arte to Introduce Explosive ‘Yin-Yang Peonies’ Print


Contemporary art platform Avant Arte has joined forces with renowned Chinese artist Cai Guo-Qiang on a new limited edition print entitled Yin-Yang Peonies. The collaborative artwork measures 93 cm x 123.7 cm and is printed on Somerset Satin 410 gsm paper. The image on the print was inspired by a large-scale work by Cai, made with his signature process of controlled ignition of fireworks on canvas.

A total of 50 prints have been made for the edition, which will be released on May 1 on Avant Arte's site. Each piece will cost $5,431 USD. Funds raised from the sale of the prints will go towards the Cai Foundation, which provides scholarships to emerging artists and supports contemporary art programs across the world.

Get a behind-the-scenes look at the process below. For more dynamic artwork, check out Robert Lazzarini's huge, wave-distorted fence sculpture at The Hole NYC.


Xiaomi launches its Mi Mural TV, a competitor to Samsung's The Frame, and new 4K HDR TVs of up to 65 inches


Xiaomi continues to push into the competitive smart TV market and has just launched four new models for the E family, ranging from 32 to 65 inches.

The most notable news, however, is the unveiling of the Xiaomi Mi Mural TV, a model that will clearly compete with Samsung's The Frame and that invites you to hang this "art-framed" television on the wall to display artworks or photos on it when it is not being used to watch TV.

Mi Mural TV, Xiaomi's artistic television

As with Samsung's The Frame, the focus of this new Xiaomi model is on its behaviour as a screen for displaying art or photographs of our choosing, which stay on screen when the TV is not being used to watch other content sources.


This model comes in a single 65-inch size and offers 4K resolution and HDR support, along with a 1.8 GHz processor, 2 GB of RAM, 32 GB of storage, and a speaker system (two tweeters, two woofers and two further speakers) with 24 W of power and support for Dolby and DTS-HD decoding.


The TV runs Patchwall OS, Xiaomi's own version of Android TV. From this platform we can access the various sources and, of course, configure the artworks (several come preinstalled) or photos we want to display permanently or at random when the TV is used in this art mode.


This system will also make it easy to control all smart devices from this screen, since the TV is part of Xiaomi's AIoT initiative, and it even offers the built-in XiaoAI voice assistant.

The design of the Mi Mural TV is particularly careful, above all in its thickness, which is just 13.9 mm. The back has a flat black design, which makes this model's vocation for hanging on the wall even clearer.


Another distinguishing element of this proposal is the use of a new proprietary Xiaomi connector called MiPort. It is the only cable we will need to use with this TV.


According to Xiaomi it bundles 30 small cables that supply both power (400 W) and the required video signal (up to 18 Gbps). Even so, the TV has 3 HDMI ports, 2 USB ports, 802.11ac Wi-Fi and Bluetooth 4.2.

New Xiaomi Mi TV E televisions

Alongside that flagship model come the Xiaomi Mi TV E series, a family that will have four models in 32, 43, 55 and 65 inches.


All these models are characterised by thin bezels, for a design in which practically the entire front is screen. They also come with a Bluetooth remote control that can be operated with voice commands. Resolution specifications vary by model:

  • Xiaomi Mi TV E32: 32 inches, 1,366 x 768 pixel resolution, 178° viewing angle, 60 Hz refresh rate. 64-bit quad-core processor, 1 GB of RAM, 4 GB of storage, 802.11n Wi-Fi, Bluetooth, infrared, two 6 W speakers.
  • Xiaomi Mi TV E43: 43 inches, 1,920 x 1,080 pixel resolution, HDR10 (upscaled), 178° viewing angle, 60 Hz refresh rate. 64-bit quad-core processor, 1 GB of RAM, 8 GB of storage, 802.11n Wi-Fi, Bluetooth, infrared, two 8 W speakers with DTS-HD support.
  • Xiaomi Mi TV E55: 55 inches, 4K/UHD resolution (3,840 x 2,160 pixels), HDR10, 178° viewing angle, 60 Hz refresh rate. 64-bit quad-core processor, 2 GB of RAM, 8 GB of storage, dual-band 802.11ac Wi-Fi, Bluetooth, infrared, two 8 W speakers with Dolby Audio and DTS-HD support.
  • Xiaomi Mi TV E65: 65 inches, 4K/UHD resolution (3,840 x 2,160 pixels), HDR10, 178° viewing angle, 60 Hz refresh rate. 64-bit quad-core processor, 2 GB of RAM, 8 GB of storage, dual-band 802.11ac Wi-Fi, Bluetooth, infrared, two 8 W speakers with Dolby Audio and DTS-HD support.

All these models also run Patchwall OS and round out this refresh of Xiaomi's smart TV catalogue.

Price and availability of the Mi Mural TV and Xiaomi's E series TVs

The Xiaomi Mi Mural TV costs 6,999 yuan (around 926 euros) and is available from today on the Chinese market. There is no word on whether this model will be sold outside China. As for the Mi TV E family, prices are as follows:

  • Xiaomi Mi TV E32: 1,099 yuan (approximately 145 euros)
  • Xiaomi Mi TV E43: 1,999 yuan (approximately 265 euros)
  • Xiaomi Mi TV E55: 2,999 yuan (approximately 397 euros)
  • Xiaomi Mi TV E65: 3,999 yuan (approximately 530 euros)

The Mi TV E models are also available from today in China, but we have no information on their potential arrival in other markets.


Buffett's Berkshire buys Amazon shares; see the fund's current portfolio


SÃO PAULO. Berkshire Hathaway, the investment company of mega-investor Warren Buffett, has added Amazon shares to its portfolio. Buffett, however, said the choice of the retailer was someone else's.


"One of the people in the office who manage money bought Amazon, so it will show up" in this month's allocation report, he revealed in an interview with CNBC.

The remark suggests the purchase was made by Todd Combs or Ted Weschler, whose portfolios are independent of Buffett's sign-off. The number of shares acquired was not disclosed.


Buffett, known for successful investments in companies with high growth potential, had previously praised Jeff Bezos's company. He says he did not personally invest in the retailer's shares for lack of knowledge of the sector.


Buffett himself believes he made a mistake by not buying Amazon earlier, but he does not intend to buy now either. "I've been a fan, and I've been an idiot for not buying. But I want you to know there are no personal changes going on," he reflects.

Amazon shares are up 27% in 2019 and 21% over the last 12 months.

The fund's portfolio

Investors around the world use Berkshire Hathaway's picks as a guide for their own choices in the market. The US Securities and Exchange Commission (SEC) publishes the listed-company holdings that make up that portfolio, occasionally with some delay at the fund's own request.

See the current list below, which includes the Brazilian payment acquirer Stone:

| Company | Ticker | Shares held | Share price (US$) | Value of stake (US$) |
|---|---|---|---|---|
| American Airlines Group Inc | AAL | 43,700,000 | 33.95 | 1,483,615,000 |
| Apple Inc. | AAPL | 249,589,329 | 209.15 | 52,201,608,160 |
| American Express Company | AXP | 151,610,700 | 117.25 | 17,776,354,575 |
| Axalta Coating Systems Ltd | AXTA | 24,264,000 | 26.45 | 641,782,800 |
| Bank of America Corp | BAC | 896,167,600 | 30.50 | 27,333,111,800 |
| Bank of New York Mellon Corp | BK | 80,937,250 | 49.83 | 4,033,103,168 |
| Charter Communications Inc | CHTR | 7,033,499 | 370.41 | 2,605,278,365 |
| Costco Wholesale Corporation | COST | 4,333,363 | 242.69 | 1,051,663,866 |
| Delta Air Lines, Inc. | DAL | 70,910,456 | 57.66 | 4,088,696,893 |
| Davita Inc | DVA | 38,565,570 | 56.51 | 2,179,340,361 |
| General Motors Company | GM | 72,269,696 | 38.25 | 2,764,315,872 |
| Goldman Sachs Group Inc | GS | 18,353,635 | 204.99 | 3,762,311,639 |
| JPMorgan Chase & Co. | JPM | 50,116,394 | 115.41 | 5,783,933,032 |
| Johnson & Johnson | JNJ | 327,100 | 141.28 | 46,212,688 |
| Kraft Heinz Co | KHC | 325,634,818 | 32.18 | 10,478,928,443 |
| The Coca-Cola Co | KO | 400,000,000 | 48.39 | 19,356,000,000 |
| Liberty Global PLC Class A | LBTYA | 19,791,000 | 26.21 | 518,722,110 |
| Liberty Global PLC Class C | LBTYK | 7,346,968 | 25.58 | 187,935,441 |
| Liberty Latin America Ltd Class A | LILA | 2,714,854 | 20.80 | 56,468,963 |
| Liberty Latin America Ltd Class C | LILAK | 1,284,020 | 20.65 | 26,515,013 |
| Liberty Sirius XM Group Series A | LSXMA | 14,860,360 | 39.80 | 591,442,328 |
| Liberty Sirius XM Group Series C | LSXMK | 31,090,985 | 40.03 | 1,244,572,130 |
| Southwest Airlines Co | LUV | 54,847,399 | 53.37 | 2,927,205,685 |
| Mastercard Inc | MA | 4,934,756 | 247.19 | 1,219,822,336 |
| Moody's Corporation | MCO | 24,669,778 | 192.77 | 4,755,593,105 |
| Mondelez International Inc Common Stock | MDLZ | 578,000 | 51.48 | 29,755,440 |
| M&T Bank Corporation | MTB | 5,382,040 | 169.40 | 911,717,576 |
| Procter & Gamble Co | PG | 315,400 | 105.56 | 33,293,624 |
| PNC Financial Services Group Inc | PNC | 8,263,062 | 135.94 | 1,123,280,648 |
| Phillips 66 | PSX | 11,895,842 | 89.10 | 1,059,919,522 |
| Restaurant Brands International Inc | QSR | 8,438,225 | 65.66 | 554,053,854 |
| Red Hat Inc | RHT | 4,175,792 | 182.41 | 761,706,219 |
| Sirius XM Holdings Inc | SIRI | 137,915,729 | 5.77 | 795,773,756 |
| StoneCo Ltd | STNE | 14,166,748 | 26.65 | 377,543,834 |
| Store Capital Corp | STOR | 18,621,674 | 33.43 | 622,522,562 |
| Suncor Energy Inc. | SU | 10,758,000 | 31.66 | 340,598,280 |
| Synchrony Financial | SYF | 20,803,000 | 34.15 | 710,422,450 |
| Teva Pharmaceutical Industries Ltd | TEVA | 43,249,295 | 14.90 | 644,414,496 |
| Torchmark Corporation | TMK | 6,353,727 | 87.50 | 555,951,113 |
| Travelers Companies Inc | TRV | 5,958,391 | 142.70 | 850,262,396 |
| United Continental Holdings Inc | UAL | 21,938,642 | 88.31 | 1,937,401,475 |
| United Parcel Service, Inc. | UPS | 59,400 | 105.51 | 6,267,294 |
| U.S. Bancorp | USB | 129,308,831 | 53.18 | 6,876,643,633 |
| Visa Inc | V | 10,562,460 | 161.12 | 1,701,823,555 |
| Verisign, Inc. | VRSN | 12,952,745 | 194.98 | 2,525,526,220 |
| Verizon Communications Inc. | VZ | 928 | 56.99 | 52,887 |
| Wells Fargo & Co | WFC | 426,768,902 | 48.30 | 20,612,937,967 |
| TOTAL | | 3,493,820,363 | | 210,146,402,570 |


Rat poem and TV row: how much longer can Kurz govern with the FPÖ?


First ugly Facebook posts and links to the far-right "Identitarians", then a rat poem, and now open threats against Austria's star presenter Armin Wolf. His coalition partner is currently giving Chancellor Sebastian Kurz a hard time. The alliance of ÖVP and FPÖ is in a deep crisis.

On Tuesday evening the Chancellor felt compelled to react: "I will always talk with the coalition partner and, when it seems necessary to me, demand consequences. And if those do not follow, then a red line has been crossed," he said on the ORF news programme "ZiB2". He would judge each transgression on its own merits. He assumed the coalition with the FPÖ would hold until the end of the legislative period in 2022.

What happened? After a long quiet spell around the controversial coalition in the Alpine republic, Kurz is now under fire for his alliance. On Good Friday, Vice-Chancellor and FPÖ leader Heinz-Christian Strache is alleged to have shared a Facebook post from a far-right platform. Strache rejects the accusation "in the strongest terms".

Far-right poem

On 20 April, Adolf Hitler's birthday, an FPÖ party paper, of all places from his birthplace Braunau, publishes a "rat poem". Among other things it reads: "Just as we live down here,/ other rats must too,/ those who as guests or migrants,/ including those we did not yet know,/ share our way of life with us!/ Or quickly hurry away!" The town's deputy mayor then announces his resignation.

Dispute over Nazi comparison

The latest uproar is a fierce dispute, with Nazi comparisons, between the FPÖ and the public broadcaster ORF. Presenter Armin Wolf argues heatedly on air with the FPÖ's lead candidate for the European election, Harald Vilimsky, about the party's distance from right-wing extremism. Among other things, Wolf compares the depiction of foreigners on a poster by the FPÖ youth wing in Styria with an image from the Nazi newspaper "Der Stürmer". Vilimsky reacts indignantly on the programme itself and speaks of a "scandal of the highest order". He later demands that ORF show Wolf the door. Party colleagues back him up.

Campaigning with a Nazi propaganda term

Regardless of protests, Strache intends to keep campaigning with the Nazi propaganda term "population replacement" (Bevölkerungsaustausch). The term describes a "reality" that cannot be denied, he says. Kurz distances himself: the term used by Strache is "factually wrong".

How much longer can Kurz hold on to the coalition?

All these incidents put Kurz in a serious bind: even from abroad he now has to take criticism for clinging to his coalition with the FPÖ. SPD general secretary Lars Klingbeil told "Welt": "The conservative Chancellor Kurz courted the FPÖ and is now trapped in this alliance with agitators and dividers." Austria shows "very menacingly what happens when right-wing populists come into responsibility". That must be a warning for all of us.

Just recently the organisation "Reporters Without Borders" downgraded Austria in its worldwide press freedom ranking from 11th to 16th place. The situation in the country is now rated only as "satisfactory". The organisation cites the increase in direct attacks on journalists.

So shortly before the European election, Kurz is in a quandary: so as not to endanger his own agenda, he largely tolerates the far-right outbursts of his coalition partner. Ending the coalition just a few weeks before the election is not up for debate. At the same time he feels compelled to position himself clearly against those outbursts. How much longer can Kurz, if he wants to remain credible, hold on to the coalition with the FPÖ?

Kurz also under fire on other issues

For the Chancellor is coming under pressure on other fronts as well. His ÖVP does lead the polls for the European election with 38 percent. But criticism of his government's political course is growing. Even party colleagues and the Catholic Church, still powerful in Austria, criticise that savings are being made above all at the expense of the poorest. Preventive detention for asylum seekers is also met with incomprehension in many places.

Kurz's predecessor as ÖVP party leader, Reinhold Mitterlehner, recently published a book in which he settles scores with the 32-year-old. He sees the country drifting dangerously under the new government. The Alpine republic is on the way "from a liberal democracy, which we once had, to an authoritarian democracy, which we currently are or will be", said the 63-year-old former leading conservative politician.

Could Kurz even profit from the FPÖ's misconduct?

In a poll commissioned by the Austrian "Standard", almost every second eligible voter now thinks the government is dividing society. Only 13 percent believe the ministers know their portfolios well. But that does nothing to dent approval for Kurz as Chancellor: on the question of who should be Chancellor he reaches 42 percent, a clearly better figure than in the autumn. So it cannot be ruled out that Kurz ends up profiting from his coalition partner's misconduct.


Zero to Kubernetes on Azure

Introduction

Kubernetes is a highly popular container management platform. If you have just heard about it but didn’t have a chance to play with it then this post might help you to get started.

In this guide, we will create a single-node kubernetes cluster and will deploy a sample application into our cluster from our private container registry, and finally, we are going to configure our cluster to be able to serve our content with TLS certificate from a custom domain!

If this sounds interesting, then buckle up, because this is going to be a really long post!

Prerequisites

Before we start, make sure that you have an active Visual Studio Subscription.

While we are creating and configuring a cluster we will make use of a couple of tools.

  • Docker
    We will need a local docker installation to be able to build Docker images locally.
  • Azure CLI is a suite of command-line tools that we are going to use heavily to manage our Azure resources.
    Once you have installed it, make sure you are logged in (az login) and your Visual Studio subscription is the active one.
  • kubectl is a command-line tool that we will use to manage our kubernetes cluster.
  • helm is a command-line tool that we will use to manage deployments to our kubernetes cluster.

Create the Kubernetes Cluster

OK, let’s get started.

First, we need to create a resource group which will contain all the resources that we are going to create later on.

Z:\>az group create -n kube-demo-group --location=westus2
{
  "id": "/subscriptions//resourceGroups/kube-demo-group",
  "location": "westus2",
  "managedBy": null,
  "name": "kube-demo-group",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "tags": null,
  "type": null
}

Next, we are going to create a single-node kubernetes cluster.

NOTE: I have chosen to create a single-node cluster purely because the cost of a multi-node cluster would exceed the monthly Visual Studio Subscription credit. If you are not planning to run the cluster for a month then feel free to increase the node count in the following command.

az aks create -n kube-demo --resource-group kube-demo-group --node-count 1 --node-vm-size Standard_B2ms

Creating a kubernetes cluster might easily take a while. You should see a JSON formatted cluster information printed to the console when the operation is completed.

{
  "aadProfile":  null,
  "addonProfiles":  null,
  "agentPoolProfiles":  [
    {
      "count": 1,
      "maxPods": 110,
      "name": "nodepool1",
      "osDiskSizeGb": 100,
      "osType": "Linux",
      "storageProfile": "ManagedDisks",
      "vmSize": "Standard_B2ms",
      "vnetSubnetId": null
    }
  ],
  "dnsPrefix":  "kube-demo-kube-demo-group-b86a0f",
  "enableRbac":  true,
  "fqdn":  "kube-demo-kube-demo-group-b86a0f-5107b82b.hcp.westus2.azmk8s.io",
  "id":  "/subscriptions/[redacted]/resourcegroups/kube-demo-group/providers/Microsoft.ContainerService/managedClusters/kube-demo",
  "kubernetesVersion":  "1.11.9",
  "linuxProfile":  {
    "adminUsername":  "azureuser",
    "ssh":  {
      "publicKeys":  [redacted]
    }
  },
  "location":  "westus2",
  "name":  "kube-demo",
  "networkProfile":  {
    "dnsServiceIp":  "10.0.0.10",
    "dockerBridgeCidr":  "172.17.0.1/16",
    "networkPlugin":  "kubenet",
    "networkPolicy":  null,
    "podCidr":  "10.244.0.0/16",
    "serviceCidr":  "10.0.0.0/16"
  },
  "nodeResourceGroup":  "MC_kube-demo-group_kube-demo_westus2",
  "provisioningState":  "Succeeded",
  "resourceGroup":  "kube-demo-group",
  "servicePrincipalProfile":  { clientId:   },
  "tags":  null,
  "type":  "Microsoft.ContainerService/ManagedClusters"
}

NOTE: If you see an error message saying An RSA key file or key value must be supplied to SSH Key Value. You can use –generate-ssh-keys to let CLI generate one for you, then try appending --generate-ssh-keys option to the end of the previous command and run it again.

From now on, we are going to use the kubectl CLI to interact with our cluster. kubectl can work with multiple kubernetes clusters. The combination of a cluster, the credentials used to authenticate to it and a default namespace is called a context, and kubectl keeps the contexts it knows about in its kubeconfig file.

We need to add a context for our cluster so that the commands we run point at it.

We are going to use Azure CLI to pull the cluster's context information and merge it into the kubectl configuration.

Z:\>az aks get-credentials -g kube-demo-group -n kube-demo
Merged "kube-demo" as current context in C:\Users\Ibrahim.Dursun\.kube\config

The context for our cluster is called kube-demo. Let's make sure that it is the default context. Note that on a cluster without Azure AD integration, like this one, the credential just written into the kubeconfig has full admin rights on the cluster, so treat that file like a private key.

Z:\>kubectl config use-context kube-demo
Switched to context "kube-demo".

Awesome! Now, every command we are going to run using kubectl is going to be executed in our kubernetes cluster.

Let’s request the list of active nodes in our cluster.

Z:\>kubectl get nodes
NAME                       STATUS   ROLES   AGE   VERSION
aks-nodepool1-27011079-0   Ready    agent   12m   v1.11.9

Create an Azure Container Registry (ACR)

We have created a kubernetes cluster, but it is pretty useless on its own because we haven't deployed anything to it.

Ideally, we would like to deploy containers built from our own application images into our cluster.

One way of doing it is to push our application's docker image to the public Docker Hub under our user name, but this makes the image publicly accessible. If that is not what you want, the alternative is to create a private container registry.

Azure's private container registry service is called Azure Container Registry (ACR).

The following command creates an ACR resource with name kubeDockerRegistry on Azure. The full address of the container registry will be kubedockerregistry.azurecr.io.

NOTE: The name of the ACR needs to be unique. If the name is taken, an error message will be printed. Don’t forget to replace ACR name in the subsequent commands with the name you have chosen.

Z:\>az acr create --resource-group kube-demo-group --name kubeDockerRegistry --sku Basic
{
  "adminUserEnabled": false,
  "id": "/subscriptions//resourceGroups/kube-demo-group/providers/Microsoft.ContainerRegistry/registries/kubeDockerRegistry",
  "location": "westus2",
  "loginServer": "kubedockerregistry.azurecr.io",
  "name": "kubeDockerRegistry",
  "provisioningState": "Succeeded",
  "resourceGroup": "kube-demo-group",
  "sku": {
    "name": "Basic",
    "tier": "Basic"
  },
  "status": null,
  "storageAccount": null,
  "tags": {},
  "type": "Microsoft.ContainerRegistry/registries"
}

At this point, if we knew a username and password for our ACR we could run docker login against it. As the first line of the response shows, the admin user is disabled by default, and it is best left that way: it is a single shared credential with push and pull rights to every repository in the registry.

Instead, we are going to let Azure CLI log docker in to our container registry using our own Azure identity.

Z:\>az acr login --name kubeDockerRegistry
Login Succeeded

We are going to use aks-helloworld image to test deployments to our kubernetes cluster.

Z:\>docker pull neilpeterson/aks-helloworld:v1
...snip...
Status: Downloaded newer image for neilpeterson/aks-helloworld:v1

The Docker image naming format is registry[:port]/user/repo[:tag]. When the registry part is not specified, the image is assumed to live on Docker Hub (docker.io). If we want to push an image to our private container registry, then we need to tag the image with the registry's address. In our case the name should be kubedockerregistry.azurecr.io/aks-helloworld:latest.

Z:\>docker tag neilpeterson/aks-helloworld:v1 kubedockerregistry.azurecr.io/aks-helloworld:latest

Now, when we push the image, it will be sent to our private container registry.

Z:\>docker push kubedockerregistry.azurecr.io/aks-helloworld:latest
The push refers to repository [kubedockerregistry.azurecr.io/aks-helloworld]
752a9476c0fe: Pushed
1f6a42f2e735: Pushed
fc5f084dd381: Pushed
...snip..
851f3e348c69: Pushed
e27a10675c56: Pushed
latest: digest: sha256:fb47732ef36b285b1f3fbda69ab8411a430b1dc43823ae33d5992f0295c945f4 size: 6169
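To make the naming rule concrete, here is a small parser, added for this article and not part of the original post or of Docker's own code. It splits an image reference into registry, repository, tag and digest using the same rules the Docker client applies: the first path component counts as a registry only if it contains a dot or a colon or is `localhost`; otherwise the reference resolves to Docker Hub, and a bare name such as `nginx` lands under `library/`. It also distinguishes a mutable tag from a content digest such as the `sha256:fb47...` value `docker push` printed above. Every reference used in the sample at the bottom is constructed for the example.

```python
"""Parse Docker/OCI image references the way the Docker client does.

Added example, not from the original post. A reference with no registry
resolves to docker.io, a single-segment name is placed in the "library/"
namespace, and "name@sha256:..." references are treated as pinned content.
"""

DEFAULT_REGISTRY = "docker.io"
DEFAULT_TAG = "latest"


def _looks_like_registry(segment):
    # Docker's rule: the first path component is a registry host only if it
    # contains a dot or a colon (port) or is exactly "localhost".
    return "." in segment or ":" in segment or segment == "localhost"


def parse_image_ref(ref):
    """Return a dict with registry, repository, tag and digest for `ref`."""
    if not ref or ref.isspace():
        raise ValueError("empty image reference")
    digest = None
    name = ref
    if "@" in ref:
        name, digest = ref.split("@", 1)
        # Only sha256 digests are accepted: "sha256:" plus 64 hex characters.
        if not digest.startswith("sha256:") or len(digest) != 7 + 64:
            raise ValueError(f"malformed digest in {ref!r}")
    tag = None
    # The tag is after the last ':' only if that ':' comes after the last '/';
    # otherwise the ':' belongs to a registry port (e.g. localhost:5000/app).
    last_slash = name.rfind("/")
    last_colon = name.rfind(":")
    if last_colon > last_slash:
        name, tag = name[:last_colon], name[last_colon + 1:]
    parts = name.split("/")
    if _looks_like_registry(parts[0]) and len(parts) > 1:
        registry, path = parts[0], parts[1:]
    else:
        registry, path = DEFAULT_REGISTRY, parts
    # Docker Hub puts single-segment names in the "library" namespace.
    if registry == DEFAULT_REGISTRY and len(path) == 1:
        path = ["library"] + path
    if any(p == "" for p in path):
        raise ValueError(f"empty path component in {ref!r}")
    return {
        "registry": registry,
        "repository": "/".join(path),
        # A digest pins content; a tag (even an explicit one) is mutable, so
        # a digest-only reference gets no implicit "latest" tag.
        "tag": tag if tag is not None else (None if digest else DEFAULT_TAG),
        "digest": digest,
    }


def is_pinned(ref):
    """True when the reference names immutable content (carries a digest)."""
    return parse_image_ref(ref)["digest"] is not None


if __name__ == "__main__":
    # Constructed sample references, including the two used in this post.
    for sample in ("nginx",
                   "neilpeterson/aks-helloworld:v1",
                   "kubedockerregistry.azurecr.io/aks-helloworld:latest",
                   "localhost:5000/app",
                   "alpine@sha256:" + "ab" * 32):
        print(sample, "->", parse_image_ref(sample), "pinned:", is_pinned(sample))
```

Running `parse_image_ref` on a reference before you push or deploy it tells you which registry it will actually hit, which is the check that catches a missing registry prefix silently sending an image to Docker Hub; `is_pinned` tells you whether what the cluster pulls can change underneath you without the reference changing.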

Associate Azure Container Registry and Kubernetes Cluster

We have set up our kubernetes cluster and a private container registry and are able to communicate with both of them.

Next step is to make them be able to talk with each other.

We need to grant acrpull permission to our kubernetes cluster service principal to be able to pull docker images from our private container registry.

In order to do this, we need two pieces of information.

First, we need the ID of the service principal the cluster runs as, which we will refer to as SERVICE_PRINCIPAL_ID.

Z:\>az aks show --resource-group kube-demo-group --name kube-demo --query "servicePrincipalProfile.clientId" --output=tsv
9646e977-98de-4217-beb3-28ec3d043290

Secondly, we need resource id of the private container registry which we will be referring to as ACR_RESOURCE_ID.

Z:\>az acr show --name kubeDockerRegistry --resource-group kube-demo-group --query "id" --output=tsv
/subscriptions//resourceGroups/kube-demo-group/providers/Microsoft.ContainerRegistry/registries/kubeDockerRegistry

Finally, we are going to grant the acrpull role to SERVICE_PRINCIPAL_ID on ACR_RESOURCE_ID. acrpull is the right role here: it allows pulling images and nothing else, so a compromised node cannot push a tampered image back into the registry. The scope is the registry resource itself, not the resource group, so the same principal gains no rights on anything else in the group.

Z:\>az role assignment create --role acrpull --assignee <SERVICE_PRINCIPAL_ID> --scope <ACR_RESOURCE_ID>
{
  "canDelegate": null,
  "id": "/subscriptions//resourceGroups/kube-demo-group/providers/Microsoft.ContainerRegistry/registries/kubeDockerRegistry/providers/Microsoft.Authorization/roleAssignments/",
  "name": "",
  "principalId": "",
  "resourceGroup": "kube-demo-group",
  "roleDefinitionId": "/subscriptions//providers/Microsoft.Authorization/roleDefinitions/",
  "scope": "/subscriptions//resourceGroups/kube-demo-group/providers/Microsoft.ContainerRegistry/registries/kubeDockerRegistry",
  "type": "Microsoft.Authorization/roleAssignments"
}

Install Helm

Helm is the package manager for Kubernetes.

We are going to use it to deploy our applications into our cluster.

Helm 2, the version used in this post, has a server-side component called Tiller which needs to be initialised in the cluster so that it can create the resources our application's deployment requires. (Helm 3 removed Tiller entirely and talks to the API server with the caller's own kubeconfig credentials, so the Tiller steps below apply to Helm 2 only.)

Let's do that first.

Z:\>helm init --history-max 200
$HELM_HOME has been configured at Z:\.helm.

Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.

Please note: by default, Tiller is deployed with an insecure 'allow unauthenticated users' policy.
To prevent this, run `helm init` with the --tiller-tls-verify flag.
For more information on securing your installation see: https://docs.helm.sh/using_helm/#securing-your-helm-installation
Happy Helming!

If we run helm list now, we will get an error message, because Tiller is running under the default service account of the kube-system namespace, and that account has no permission to read or change anything in our cluster.

Z:\>helm list
Error: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"

We need to grant the required permissions to be able to install packages into our cluster.

NOTE: This gives cluster-admin to the default service account of kube-system, so not only Tiller but every pod in that namespace that does not specify its own service account inherits full control of the cluster. That is acceptable for a throwaway demo cluster but not for production, where Tiller should run under a dedicated service account whose binding is scoped to the namespaces it deploys into.

Z:\>kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default
clusterrolebinding.rbac.authorization.k8s.io/add-on-cluster-admin created

If we run helm list again, the error message is gone. We can also see the tiller pod running among the system pods:

Z:\>kubectl get pods -n kube-system
NAME                                    READY   STATUS    RESTARTS   AGE
heapster-5d6f9b846c-t4n4h               2/2     Running   0          1h
kube-dns-autoscaler-746998ccf6-kc5hp    1/1     Running   0          1h
kube-dns-v20-7c7d7d4c66-n8tnd           4/4     Running   0          1h
kube-dns-v20-7c7d7d4c66-tk6pt           4/4     Running   0          1h
kube-proxy-vblvr                        1/1     Running   0          1h
kube-svc-redirect-dz7tp                 2/2     Running   0          1h
kubernetes-dashboard-67bdc65878-vwb67   1/1     Running   0          1h
metrics-server-5cbc77f79f-hhxxp         1/1     Running   0          1h
tiller-deploy-f8dd488b7-ls5j4           1/1     Running   0          53m
tunnelfront-66cd6b6875-29vvv            1/1     Running   0          1h

Deploy with helm

In Helm’s terminology a recipe for a deployment is called a chart. A chart is made of a collection of templates and a file called values.yaml that provides the template values.

We are going to create a chart for our aks-helloworld application.

Z: >helm create aks-helloworld-chart
Creating aks-helloworld-chart

Helm is going to create a folder named aks-helloworld-chart. The file that we are interested in is values.yaml.

The contents of the file look like this:

# Default values for simple-server.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1

image:
  repository: nginx
  tag: stable
  pullPolicy: IfNotPresent

nameOverride: ""
fullnameOverride: ""

service:
  type: ClusterIP
  port: 80

ingress:
  enabled: false
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: chart-example.local
      paths: []

  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

nodeSelector: {}

tolerations: []

affinity: {}

We are going to change the values under the image block. These values define which Docker image, and which version of it, to pull.

For our application:

  • image.repository is kubedockerregistry.azurecr.io/aks-helloworld
  • image.tag is latest.

We are not interested in ingress and tls blocks for now, but we are going to use them later.

Once we have updated these values, we can try deploying our application.

Z: >helm install -n aks-helloworld aks-helloworld-chart
NAME:   aks-helloworld
LAST DEPLOYED: Mon Apr 15 14:31:22 2019
NAMESPACE: default
STATUS: DEPLOYED

RESOURCES:
==> v1/Deployment
NAME                                 READY  UP-TO-DATE  AVAILABLE  AGE
aks-helloworld-aks-helloworld-chart  0/1    1           0          1s

==> v1/Pod(related)
NAME                                                  READY  STATUS             RESTARTS  AGE
aks-helloworld-aks-helloworld-chart-599d9658f6-4gvjt  0/1    ContainerCreating  0         1s

==> v1/Service
NAME                                 TYPE       CLUSTER-IP   EXTERNAL-IP  PORT(S)  AGE
aks-helloworld-aks-helloworld-chart  ClusterIP  10.0.242.36  <none>       80/TCP   1s


NOTES:
1. Get the application URL by running these commands:
  export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=aks-helloworld-chart,app.kubernetes.io/instance=aks-helloworld" -o jsonpath="{.items[0].metadata.name}")
  echo "Visit http://127.0.0.1:8080 to use your application"
  kubectl port-forward $POD_NAME 8080:80

The installation has kicked off. You can watch the progress of the deployment by running the following command.

Z: >kubectl get deployments --watch
NAME                                           READY   UP-TO-DATE   AVAILABLE   AGE
aks-helloworld-aks-helloworld-chart            0/1     1            0           96s
aks-helloworld-aks-helloworld-chart            1/1     1            1          100s

As a result of deploying our application, the following resources were created in the kubernetes cluster:

  • Pods are groups of one or more containers running inside the cluster.
  • Services define a well-known name and a port for a set of pods inside our cluster. You might be running your application in multiple pods, but in order to connect to those pods you would need to know the IPs and ports assigned to each of them. Instead of connecting to pods individually, you can use services.
  • Deployments are used to declare what resources you want to run inside your cluster, and kubernetes handles creating and updating the necessary resources. If a pod dies, it spins up another one. If the deployment is deleted, all the associated resources are deleted.

Install nginx ingress

Right now, we have pods and services running within the cluster, but they are not accessible from outside the cluster.

The resource that allows external requests to map into the services within the cluster is called ingress.

We need to create an ingress resource to tell kubernetes how the requests should be mapped.

Luckily, there is a premade chart that we can just install to enable ingress.

Z: >helm install stable/nginx-ingress
NAME:   kneeling-coral
LAST DEPLOYED: Fri Apr 12 13:29:54 2019
NAMESPACE: default
STATUS: DEPLOYED

RESOURCES:
==> v1/ConfigMap
NAME                                     DATA  AGE
kneeling-coral-nginx-ingress-controller  1     2s

==> v1/Pod(related)
NAME                                                           READY  STATUS             RESTARTS  AGE
kneeling-coral-nginx-ingress-controller-f66ddfd74-z6cgx        0/1    ContainerCreating  0         1s
kneeling-coral-nginx-ingress-default-backend-845d46bc44-jqzl4  0/1    ContainerCreating  0         1s

==> v1/Service
NAME                                          TYPE          CLUSTER-IP    EXTERNAL-IP  PORT(S)                     AGE
kneeling-coral-nginx-ingress-controller       LoadBalancer  10.0.218.217  <pending>    80:30833/TCP,443:31062/TCP  2s
kneeling-coral-nginx-ingress-default-backend  ClusterIP     10.0.187.231  <none>       80/TCP                      2s

==> v1/ServiceAccount
NAME                          SECRETS  AGE
kneeling-coral-nginx-ingress  1        2s

==> v1beta1/ClusterRole
NAME                          AGE
kneeling-coral-nginx-ingress  2s

==> v1beta1/ClusterRoleBinding
NAME                          AGE
kneeling-coral-nginx-ingress  2s

==> v1beta1/Deployment
NAME                                          READY  UP-TO-DATE  AVAILABLE  AGE
kneeling-coral-nginx-ingress-controller       0/1    1           0          2s
kneeling-coral-nginx-ingress-default-backend  0/1    1           0          2s

==> v1beta1/Role
NAME                          AGE
kneeling-coral-nginx-ingress  2s

==> v1beta1/RoleBinding
NAME                          AGE
kneeling-coral-nginx-ingress  2s


NOTES:
The nginx-ingress controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace default get services -o wide -w kneeling-coral-nginx-ingress-controller'

An example Ingress that makes use of the controller:

  apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.class: nginx
    name: example
    namespace: foo
  spec:
    rules:
      - host: www.example.com
        http:
          paths:
            - backend:
                serviceName: exampleService
                servicePort: 80
              path: /
    # This section is only required if TLS is to be enabled for the Ingress
    tls:
        - hosts:
            - www.example.com
          secretName: example-tls

If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:

  apiVersion: v1
  kind: Secret
  metadata:
    name: example-tls
    namespace: foo
  data:
    tls.crt: <base64 encoded cert>
    tls.key: <base64 encoded key>
  type: kubernetes.io/tls

Helm deployed all the ingress related resources. If we query the running services, we should see an ingress-controller with an external IP assigned.

Z: >kubectl get svc
NAME                                           TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)                      AGE
aks-helloworld-aks-helloworld-chart            ClusterIP      10.0.242.36    <none>          80/TCP                       1d
kneeling-coral-nginx-ingress-controller        LoadBalancer   10.0.218.217   13.77.160.221   80:30833/TCP,443:31062/TCP   1d
kneeling-coral-nginx-ingress-default-backend   ClusterIP      10.0.187.231   <none>          80/TCP                       1d
kubernetes                                     ClusterIP      10.0.0.1       <none>          443/TCP                      1d

13.77.160.221 is the IP that we can use to connect to our cluster now.

Let’s see what we get back when we make a request!

Z: >curl 13.77.160.221
default backend - 404

NOTE: If you don’t have curl installed locally, you can install it by running scoop install curl.

The response is default backend - 404 which is absolutely normal.

It means ingress is up and running, but it doesn’t know how to map external requests to any of the internal services, so it falls back to the default backend, which only returns 404.

We are going to modify the ingress block in our chart’s values.yaml as follows:

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - paths:
        - /

We have enabled the ingress, which will tell helm to create an ingress resource which maps the root of our host to the internal aks-helloworld service.

It’s worth bumping up the version of the chart in Chart.yaml so that we can roll back if anything goes wrong.

Let’s deploy the new version.

Z: >helm upgrade aks-helloworld aks-helloworld-chart
Release "aks-helloworld" has been upgraded. Happy Helming!
LAST DEPLOYED: Mon Apr 15 14:51:19 2019
NAMESPACE: default
STATUS: DEPLOYED

RESOURCES:
==> v1/Deployment
NAME                                 READY  UP-TO-DATE  AVAILABLE  AGE
aks-helloworld-aks-helloworld-chart  1/1    1           1          19m

==> v1/Pod(related)
NAME                                                  READY  STATUS   RESTARTS  AGE
aks-helloworld-aks-helloworld-chart-599d9658f6-4gvjt  1/1    Running  0         19m

==> v1/Service
NAME                                 TYPE       CLUSTER-IP   EXTERNAL-IP  PORT(S)  AGE
aks-helloworld-aks-helloworld-chart  ClusterIP  10.0.242.36  <none>       80/TCP   19m

==> v1beta1/Ingress
NAME                                 HOSTS  ADDRESS  PORTS  AGE
aks-helloworld-aks-helloworld-chart  *      80       1s


NOTES:
1. Get the application URL by running these commands:
  http:///

Let’s test if the server is returning anything! We pass -k because, at this point, the ingress controller is still serving its self-signed default certificate, so curl would otherwise refuse the connection.

Z: >curl -k https://13.77.160.221/
...snip (HTML of the aks-helloworld page)...
Welcome to Azure Container Service (AKS)
...snip...

Create a DNS Zone

Accessing the cluster only by the IP is not ideal.

I want to get to the cluster by using a domain name. I am going to configure one of my custom domains to access the cluster.

First, we need to create a DNS Zone resource for our domain.

Z: >az network dns zone create --resource-group=kube-demo-group -n idursun.dev
{
  "etag": "00000002-0000-0000-7f3b-15e695f3d401",
  "id": "/subscriptions//resourceGroups/kube-demo-group/providers/Microsoft.Network/dnszones/idursun.dev",
  "location": "global",
  "maxNumberOfRecordSets": 5000,
  "name": "idursun.dev",
  "nameServers": [
    "ns1-07.azure-dns.com.",
    "ns2-07.azure-dns.net.",
    "ns3-07.azure-dns.org.",
    "ns4-07.azure-dns.info."
  ],
  "numberOfRecordSets": 2,
  "registrationVirtualNetworks": null,
  "resolutionVirtualNetworks": null,
  "resourceGroup": "kube-demo-group",
  "tags": {},
  "type": "Microsoft.Network/dnszones",
  "zoneType": "Public"
}

We are interested in the name server values printed as part of the JSON response. I am going to enter these values in my domain registrar’s portal so that the domain is delegated to our DNS Zone.

In my registrar’s portal, it looks like this:


NOTE: Don’t forget to include trailing dots.

DNS propagation may take many hours to complete.

You can use nslookup to check whether the delegation has completed. The primary name server should change to ns1-07.azure-dns.com.

Z: >nslookup -type=SOA idursun.dev
...snip...
idursun.dev
        primary name server = ns1-07.azure-dns.com
...snip...

When a user types the domain into their browser, the lookup will now reach our Azure DNS Zone, but the zone has no record saying which IP the domain should resolve to. We need to add an A-type record-set to our DNS Zone to point our domain to the cluster’s external IP.

Z: >az network dns record-set a add-record --resource-group=kube-demo-group -z idursun.dev -n @ -a 13.77.160.221
{
  "arecords": [
    {
      "ipv4Address": "13.77.160.221"
    }
  ],
  "etag": "5b0a3609-ab6b-4ca2-bb62-c86e978757f7",
  "fqdn": "idursun.dev.",
  "id": "/subscriptions//resourceGroups/kube-demo-group/providers/Microsoft.Network/dnszones/idursun.dev/A/@",
  "metadata": null,
  "name": "@",
  "provisioningState": "Succeeded",
  "resourceGroup": "kube-demo-group",
  "targetResource": {
    "id": null
  },
  "ttl": 3600,
  "type": "Microsoft.Network/dnszones/A"
}

Let’s update our aks-helloworld-chart by adding our host value.

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: idursun.dev
      paths:
        - /

I have added a host value to point to our custom domain.

Let’s bump the chart version and deploy again.

Z: >helm upgrade aks-helloworld aks-helloworld-chart
Release "aks-helloworld" has been upgraded. Happy Helming!
LAST DEPLOYED: Mon Apr 15 16:26:22 2019
NAMESPACE: default
STATUS: DEPLOYED

RESOURCES:
==> v1/Deployment
NAME                                 READY  UP-TO-DATE  AVAILABLE  AGE
aks-helloworld-aks-helloworld-chart  1/1    1           1          115m

==> v1/Pod(related)
NAME                                                  READY  STATUS   RESTARTS  AGE
aks-helloworld-aks-helloworld-chart-599d9658f6-4gvjt  1/1    Running  0         115m

==> v1/Service
NAME                                 TYPE       CLUSTER-IP   EXTERNAL-IP  PORT(S)  AGE
aks-helloworld-aks-helloworld-chart  ClusterIP  10.0.242.36  <none>       80/TCP   115m

==> v1beta1/Ingress
NAME                                 HOSTS        ADDRESS  PORTS  AGE
aks-helloworld-aks-helloworld-chart  idursun.com  80       95m


NOTES:
1. Get the application URL by running these commands:
  http://idursun.dev/

We should be able to navigate to our cluster by using the domain.

Z: >curl -L http://idursun.dev/

If you try to reach the website from a browser, you will be redirected to https because of the HSTS policy browsers apply to .dev domains by default (the whole TLD is on the HSTS preload list). Most browsers will then refuse to load the website because it doesn’t have a browser-trusted certificate.

Let’s fix this!

TLS Certificate

I am going to use letsencrypt.org to obtain a TLS certificate.

Let’s Encrypt is a well-known, non-profit certificate authority. Certificates issued by Let’s Encrypt are valid for 3 months and need to be renewed afterwards. Renewal can be done manually or automated by running an ACME client.

Luckily, there is an add-on called cert-manager for kubernetes which can automate the whole process for us. We are going to install it next but before we do that there is one more thing we need to do.

We need to add a CAA record-set to our DNS zone to state that letsencrypt.org is the only certificate issuer authorised for our domain. CAs check this record as part of the Baseline Requirements they must follow to be trusted by major browsers.

Z: >az network dns record-set caa add-record -g kube-demo-group -z idursun.dev -n @ --flags 0 --tag "issue" --value "letsencrypt.org"
{
  "caaRecords": [
    {
      "flags": 0,
      "tag": "issue",
      "value": "letsencrypt.org"
    }
  ],
  "etag": "26a7e752-aac4-4816-87dd-ee7a8dc3e718",
  "fqdn": "idursun.dev.",
  "id": "/subscriptions//resourceGroups/kube-demo-group/providers/Microsoft.Network/dnszones/idursun.dev/CAA/@",
  "metadata": null,
  "name": "@",
  "provisioningState": "Succeeded",
  "resourceGroup": "kube-demo-group",
  "targetResource": {
    "id": null
  },
  "ttl": 3600,
  "type": "Microsoft.Network/dnszones/CAA"
}

You can use https://caatest.co.uk/ to check if your CAA record is set up correctly.
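To see what the record we just created actually does, here is an added example (not part of the original post, nor any CA's code) that evaluates a CAA policy the way an issuer must under RFC 8659: climb from the requested name to the nearest CAA set, then check whether letsencrypt.org appears in it. The zone data and the function names are constructed for the example; only idursun.dev and the record values come from the page.

```python
"""Evaluate a CAA policy the way a CA must before issuing (RFC 8659).

Added example, not part of the original post or of any CA's code. The zone data
is constructed to mirror the record created with `az network dns record-set caa
add-record`; idursun.dev and the flags/tag/value come from the page.
"""
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]   # (flags, tag, value), the same fields the az CLI shows
Zone = Dict[str, List[CAARecord]]  # owner name -> its CAA RRset
CRITICAL_FLAG = 128                # issuer-critical bit, RFC 8659 section 4.1

# Constructed copy of the az CLI JSON above, trimmed to the fields used here.
AZ_RECORD_SET = {
    "caaRecords": [{"flags": 0, "tag": "issue", "value": "letsencrypt.org"}],
    "fqdn": "idursun.dev.",
}


def zone_from_az(record_set: dict) -> Zone:
    """Turn the JSON printed by `az network dns record-set caa add-record` into zone data."""
    owner = record_set["fqdn"].rstrip(".").lower()
    records = [(int(r["flags"]), r["tag"].lower(), r["value"]) for r in record_set["caaRecords"]]
    return {owner: records}


def relevant_caa_set(name: str, zone: Zone) -> Tuple[Optional[str], List[CAARecord]]:
    """Climb from `name` towards the root until a CAA RRset is found (RFC 8659 section 3).

    Returns (owner that held the set, records). An empty list means no CAA exists
    anywhere up the tree, so CAA does not restrict issuance for this name.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def issuance_allowed(name: str, issuer_domain: str, zone: Zone, wildcard: bool = False) -> bool:
    """Decide whether `issuer_domain` (e.g. letsencrypt.org) may issue for `name`.

    Rules implemented from RFC 8659 section 4:
    - an unknown tag with the critical bit set forbids issuance;
    - for wildcard requests, `issuewild` records replace `issue` records if present;
    - no issue/issuewild record in the relevant set: CAA does not restrict issuance;
    - otherwise the issuer must appear in one of the records, so an empty value
      (`issue ";"`) blocks every CA.
    """
    _, records = relevant_caa_set(name, zone)
    if not records:
        return True
    if any(f & CRITICAL_FLAG and t not in ("issue", "issuewild", "iodef") for f, t, _ in records):
        return False
    wanted = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        wanted = "issuewild"
    values = [v for _, t, v in records if t == wanted]
    if not values:
        return True
    # The issuer domain is the part of the value before any ';' parameters.
    permitted = {v.split(";", 1)[0].strip().lower() for v in values}
    return issuer_domain.lower() in permitted


def presentation(owner: str, record: CAARecord) -> str:
    """Zone-file form of a record, handy for comparing with `dig CAA` output."""
    flags, tag, value = record
    return f'{owner}. IN CAA {flags} {tag} "{value}"'
```

Note that the policy is inherited: a CAA set on idursun.dev also governs names below it that have no CAA of their own.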

Install cert-manager

cert-manager is an open source kubernetes add-on by jetstack that automates issuance and renewal of TLS certificates.

I have installed cert-manager:0.7 by following their installation guide.

Z: >kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificates.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/challenges.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/issuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/orders.certmanager.k8s.io created

Z: >kubectl create namespace cert-manager
namespace/cert-manager created

Z: >kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
namespace/cert-manager labeled

Z: >helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories

Z: >helm repo update
Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈

Z: >helm install --name cert-manager --namespace cert-manager --version v0.7.0 jetstack/cert-manager
NAME:   cert-manager
LAST DEPLOYED: Mon Apr 15 20:52:37 2019
NAMESPACE: cert-manager
STATUS: DEPLOYED
...snip...

Create an issuer

We have cert-manager up and running.

The next thing to do is to create an issuer resource to kick off requesting a TLS certificate from letsencrypt.

Let’s create a file with the following content and name it issuer-prod.yaml.

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: <email here>
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: letsencrypt-prod
    # Enable the HTTP01 challenge mechanism for this Issuer
    http01: {}

NOTE: Don’t forget to change the email.

Z: >kubectl apply -f issuer-prod.yaml
issuer.certmanager.k8s.io/letsencrypt-prod created

Now we can enable TLS in our aks-helloworld-chart chart and configure it to use the issuer that we have just created.

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/issuer: "letsencrypt-prod"
    certmanager.k8s.io/acme-challenge-type: http01
  hosts:
    - host: idursun.dev
      paths:
        - /

  tls:
    - secretName: cert-prod
      hosts:
        - idursun.dev

We have added certmanager.k8s.io/issuer annotation to specify which issuer to use and also set certmanager.k8s.io/acme-challenge-type value to http01 to match the challenge type of the issuer.

cert-manager should pick up the changes, handle the communication with letsencrypt and finally create a certificate resource with the name cert-prod.
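The http01 challenge type means cert-manager answers an HTTP-01 challenge on our behalf through the ingress on port 80. As an added example (not cert-manager's or Let's Encrypt's code), this builds the key authorization exactly as RFC 8555 and RFC 7638 define it and checks it the way the ACME server does; the account JWK, token and function names are constructed for the example, while idursun.dev comes from the page.

```python
"""HTTP-01 challenge: what cert-manager publishes and what Let's Encrypt checks.

Added example, not cert-manager's or Let's Encrypt's code. The account JWK and
token are constructed test values; idursun.dev and the http01 challenge type
come from the page. Derived from RFC 8555 section 8.3 and RFC 7638.
"""
import base64
import hashlib
import json
import re
from typing import Callable, Dict, Optional

# Constructed RSA account public key in JWK form; only its thumbprint matters here.
ACCOUNT_JWK: Dict[str, str] = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aP"
         "FFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl9"
         "3lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdA"
         "ZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3"
         "XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token
DOMAIN = "idursun.dev"

_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # base64url alphabet only, RFC 8555 section 8.3


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """token || '.' || thumbprint(account key): the body cert-manager serves at
    http://<domain>/.well-known/acme-challenge/<token> via the nginx ingress.

    A token outside the base64url alphabet is rejected before it can be used in a URL path.
    """
    if not _TOKEN_RE.match(token):
        raise ValueError("challenge token must be base64url characters only")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01(domain: str, token: str, account_jwk: Dict[str, str],
                    fetch: Callable[[str], Optional[str]]) -> bool:
    """The ACME server's side: fetch the challenge URL over plain HTTP (port 80, which
    is why the ingress must stay reachable on 80 during issuance and renewal) and
    compare the body with the expected key authorization.

    `fetch(url)` returns the response body, or None if the URL was unreachable.
    """
    body = fetch(f"http://{domain}/.well-known/acme-challenge/{token}")
    if body is None:
        return False
    # RFC 8555 lets the server ignore trailing whitespace; nothing else may differ.
    return body.rstrip() == key_authorization(token, account_jwk)


def simulate_issuance_check() -> bool:
    """Stand-in for the ingress: only the challenge path answers, with the right body."""
    expected = key_authorization(TOKEN, ACCOUNT_JWK)
    served = {f"http://{DOMAIN}/.well-known/acme-challenge/{TOKEN}": expected}
    return validate_http01(DOMAIN, TOKEN, ACCOUNT_JWK, served.get)
```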

Let’s bump the chart version and upgrade our chart once more.

Z: >helm upgrade aks-helloworld aks-helloworld-chart

It might take a while to complete the request but eventually, we should see our certificate created.

Z: >kubectl get certificate
NAME
cert-prod
Z: >kubectl describe certificate/cert-prod

...snip...

Events:
  Type    Reason              Age   From          Message
  ----    ------              ----  ----          -------
  Normal  Generated           51s   cert-manager  Generated new private key
  Normal  GenerateSelfSigned  51s   cert-manager  Generated temporary self signed certificate
  Normal  OrderCreated        50s   cert-manager  Created Order resource "cert-prod-1408931963"
  Normal  OrderComplete       26s   cert-manager  Order "cert-prod-1408931963" completed successfully
  Normal  CertIssued          26s   cert-manager  Certificate issued successfully

Let’s navigate to our domain and check if the HTTPS connection is secure.


Conclusion

Phew!

That was quite a long post even though we cut corners wherever we could.

I hope this gives an overall understanding of how various pieces of technology come together to create a kubernetes cluster that is capable of routing HTTP requests to the services inside the cluster, as well as issuing a TLS certificate and keeping it up to date.

As a next step, you might create an Azure DevOps CI/CD pipeline that deploys your application straight from the git repository to the cluster.

Cheers!
