Christian Posta christian-posta
@rvennam
rvennam / agentcore-agentgateway-workshop-cognito.md
Last active March 1, 2026 23:43
Workshop: Routing to AWS AgentCore agents through Solo Agent Gateway (Cognito JWT, no proxy)

Workshop: Routing to AWS AgentCore Agents Through Solo Agent Gateway

Overview

Route requests to an AWS Bedrock AgentCore agent through Solo Agent Gateway — no proxy, no custom code, no AWS SDK. The gateway handles authentication to AgentCore using a Cognito JWT stored in a Kubernetes Secret, so clients don't need any AWS credentials or tokens.

  your auth (optional)          Cognito JWT (from K8s Secret)
  API key, OAuth, none          backend.auth.secretRef
        │                              │
@ams0
ams0 / install-ambient-helm.sh
Last active October 18, 2023 22:03
Install Istio Ambient Mesh with Helm
# Install Ambient Mesh with Helm Charts
REPO="https://istio-release.storage.googleapis.com/charts"
VERSION=1.19.0
helm_opts="upgrade -i --namespace istio-system --create-namespace --repo ${REPO} --version ${VERSION}"
# base
helm $(echo $helm_opts) istio-base base
# istiod
@asayah
asayah / gist:73c62872cac04b606fd643c18fb6a0a0
Last active September 6, 2022 16:14
multi region routing/failover with gloo edge
apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: green-cell1
  namespace: gloo-system
spec:
  healthChecks:
  - timeout: 1s
    interval: 1s
    unhealthyThreshold: 1
@nckroy
nckroy / eran-hammer-oauth2-rant-20120726.md
Created January 21, 2021 00:15
OAuth 2.0 and the Road to Hell

(Scraped from the Internet Wayback Machine. Original content by Eran Hammer / hueniverse.com July 26, 2012)

They say the road to hell is paved with good intentions. Well, that’s OAuth 2.0.

Last month I reached the painful conclusion that I can no longer be associated with the OAuth 2.0 standard. I resigned my role as lead author and editor, withdrew my name from the specification, and left the working group. Removing my name from a document I have painstakingly labored over for three years and over two dozen drafts was not easy. Deciding to move on from an effort I have led for over five years was agonizing.

There wasn’t a single problem or incident I can point to in order to explain such an extreme move. This is a case of death by a thousand cuts, and as the work was winding down, I’ve found myself reflecting more and more on what we actually accomplished. At the end, I reached the conclusion that OAuth 2.0 is a bad

#!/bin/bash
set -x #echo on
## PREREQ: SET CONTEXTS for management-plane-context and remote-cluster-context
#### Cleanup
kubectl config use-context management-plane-context
meshctl uninstall
kubectl -n service-mesh-hub delete secret -l solo.io/kubeconfig=true
kubectl delete istiooperator istiocontrolplane-default -n istio-operator --context management-plane-context
@dougbtv
dougbtv / README.md
Last active May 11, 2023 16:31
Istio + Multus CNI: Annotation clobbering, replication and fix

This details a reference deployment of Istio w/ Multus CNI to demonstrate a problem where annotations are being clobbered by the Istio webhook. It also provides a patch and workflow for a possible fix.

This article first demonstrates how to reproduce the problem, then proposes a patch, and demonstrates a way to build and deploy Istio with the modified code.

NOTE: Ignore the 1.5.1 through the install, I replicate it with latest (Nov 2021), and provide further steps following the rest of the installation.

Suggested system

@samsch
samsch / stop-using-jwts.md
Last active April 25, 2026 00:26
Stop using JWTs

Stop using JWTs!

TLDR: JWTs should not be used for keeping your user logged in. They are not designed for this purpose, they are not secure, and there is a much better tool which is designed for it: regular cookie sessions.

If you've got a bit of time to watch a presentation on it, I highly recommend this talk: https://www.youtube.com/watch?v=pYeekwv3vC4 (Note that other topics are largely skimmed over, such as CSRF protection. You should learn about other topics from other sources. Also note that "valid" use cases for JWTs at the end of the video can also be easily handled by other, better, and more secure tools. Specifically, PASETO.)

A related topic: Don't use localStorage (or sessionStorage) for authentication credentials, including JWT tokens: https://www.rdegges.com/2018/please-stop-using-local-storage/

The reason to avoid JWTs comes down to a couple of different points:

  • The JWT specification is specifically designed only for very short-lived tokens (~5 minutes or less). Sessions

In a terminal start a server.

$ python -m SimpleHTTPServer 8000

In another terminal set up the cgroups freezer.

@jmound
jmound / refresh.sh
Last active August 7, 2023 10:33
Bash function to refresh all pods in all deployments by namespace
# based on the "patch deployment" strategy in this comment:
# https://github.com/kubernetes/kubernetes/issues/13488#issuecomment-372532659
# requires jq
# $1 is a valid namespace
function refresh-all-pods() {
  echo
  # Quote the namespace and the jq filter so the shell passes them through unchanged
  DEPLOYMENT_LIST=$(kubectl -n "$1" get deployment -o json | jq -r '.items[].metadata.name')
  echo "Refreshing pods in all Deployments"
  for deployment_name in $DEPLOYMENT_LIST ; do