Stackdriver logging not showing up for GKE - stackdriver

I appear to be missing some configuration somewhere but have no idea where.
My app (golang) is using stackdriver logging. When I run locally it works fine and my log messages show up in Stackdriver. When I run in GKE then my custom logger messages do not show up.
Any standard out messages (fmt.println()) will show up in stack driver. They just wont' ahve proper severity and would rather us the logging API. What could I have misconfigured in my GKE instance to make google logging not show up?
Sorry for the vague post but I don't have much to go on, not getting any errors.
Here is my code for sending messages if it helps.
func logMessage(message string, transactionID string, severity logging.Severity) {
ctx := context.Background()
// Creates a client.
client, err := logging.NewClient(ctx, loggingData.ProjectID)
if err != nil {
log.Fatalf("Failed to create client: %v", err)
}
// Selects the log to write to.
logger := client.Logger(loggingData.LogName)
logger.Log(logging.Entry{Payload: message, InsertID: transactionID, Severity: severity})
// Closes the client and flushes the buffer to the Stackdriver Logging
// service.
if err := client.Close(); err != nil {
log.Panicln("Failed to close client: \n", err.Error())
return
}
return
}
Update:
I got my SSH working into the Node (VM Instance) and confirmed that it looks like FluentD is working and picking up changes. I opened the log files and only saw things from fmt.Println and nothing from the golang cloud Logger.
Maybe I am not understanding how Google Stackdriver Logging (https://godoc.org/cloud.google.com/go/logging) is supposed to work? Clearly I am missing something and just not sure what yet.
Thanks

On GKE, fluentd agent is used and it's included in the VM image (node).
His role is to watch changes to Docker log files that live in the directory /var/lib/docker/containers/ and are symbolically linked to from the /var/log/containers directory using names that capture the pod name and container name. These logs are then submitted to Google Cloud Logging which assumes the installation of the cloud-logging plug-in.
You can customize your agent configuration for Streaming logs from additional inputs such as Streaming unstructured (text) or structured (JSON) logs via log files.
By default fluentd extract local_resource_id from tag for 'k8s_container' monitored:
The resource. The format is:
'k8s_container.<namespace_name>.<pod_name>.<container_name>'.
The fluentd agent rename the field 'log' to a more generic field 'message'. This way the fluent-plugin-google-cloud knows to flatten the field as textPayload instead of jsonPayload after extracting 'time', 'severity' and 'stream' from the record.
If 'severity' is not set, assume stderr is ERROR and stdout is INFO.
The agent can be enabled when creating the cluster, then the default fluentd pod will created.
You can as well perform a manual installation of stackdriver-logging-agent in GKE (fluentd).
First I will suggest you to find if you have an agent running.
To do, SSH to your node and check if the agent is running, run the below command line
ps ax | grep fluentd
Output example:
2284 ? Sl 0:00 /opt/google-fluentd/embedded/bin/ruby /usr/sbin/google-fluentd [...]
2287 ? Sl 42:44 /opt/google-fluentd/embedded/bin/ruby /usr/sbin/google-fluentd [...]
Do a test by running the below command line :
logger "Some test message"
Check stackdriver logging for your test message

I had similar issue with golang app running in Cloud Run
Was able to find stackdriver logs in Logs Viewer web UI by filter resource.type = "project"

Related

Browser client can't connect to DynamoDB in Docker container

I've been using #aws-sdk/client-dynamodb server-side (SvelteKit / NodeJS) connecting to localhost Docker container with instance of amazon/dynamodb-local:latest which works well. I used AWS CLI to configure tables, etc. I've created the client using the simplest configuration:
const client = new DynamoDBClient({ endpoint: 'http://localhost:8000' });
This works server-side, but when the same is executed client-side along with a command, I get a message that the region is missing. I've tried passing region: 'none', but then I get a message that the credentials are missing. Adding dummy credentials enables the command to execute, but I don't get an expected response. For example, sending the ListTablesCommand returns an empty array. If I do the same from the AWS CLI, I get the correct response.
Does the DynamoDB client run client-side, i.e., in the browser? Or am I missing something else?
No it doesn't run in a browser, You will need API Gateway and some backend code to connect a browser to Dynamodb.

Firebase Admin Go SDK getting x509 certificate error ONLY when running inside Kubernetes

I'm currently working on a project using the Firebase Admin Go SDK to handle auth and to use the real time database. The project works correctly when I run it locally (by just running go run main.go). When I run it in Minikube via a docker image (or GKE, I've tested both) I get this error whenever I try to make any Firestore calls:
transport: authentication handshake failed: x509: certificate signed by unknown authority
Here is the code I'm using on the server to make the call to the DB:
// Initialize the app
opt := option.WithCredentialsFile("./serviceAccountKey.json")
app, err := firebase.NewApp(context.Background(), nil, opt)
// This is the first call I attempt to make, and where the error is thrown
// Create the client
client, err := app.Firestore(context.Background())
iter := client.Collection("remoteModels").Documents(context.Background())
snaps, err := iter.GetAll()
if err != nil {
logger.Log.Warn("Error getting all remoteModels")
fmt.Println(err)
return err
}
And here is my Dockerfile that adds the service account key Firebase provided me from the console:
FROM scratch
ADD main /
ADD serviceAccountKey.json /
EXPOSE 9090
ENTRYPOINT ["/main", "-grpc-port=9090", "-http-port=9089", "-env=prod"]
I can't find anything in the documentation about running in Kubernetes.
Is there anything I need to do to be able to connect to Firestore from Kubernetes?
If you are using alpine based images try running apk add ca-certificates it looks like a tls error.
Install ca certificates, it should resolve the issue

send grid & parse 502 Bad Gateway with nginx

I am trying to migrate my parse application over to digital ocean and followed this guide :
https://www.digitalocean.com/community/tutorials/how-to-migrate-a-parse-app-to-parse-server-on-ubuntu-14-04
Everything works perfectly fine until I get to the very end Test Parse Server ( Executing Example Cloud Code ) section
I tested the cloud code for the sample cloud code that was provided in the tutorial :
Parse.Cloud.define('hello', function(req, res) {
res.success('Hi');
});
so I got a Hi back in my browser as well as in postman.
See image here : https://cloudup.com/cH2dbBx1KTo

Then I test the function that uses sendgrid's service to send emails (http://blog.parse.com/announcements/introducing-the-sendgrid-cloud-module/), my cloud code file looks like this :
see image : https://cloudup.com/cD6MNRP3Tft
and now I try to run my post request from postman and I get an error even on my hello function that was working before
See image : https://cloudup.com/cIkwJ6552_5
So I look around and figure out that its an issue with my sendgrid import
var sendgrid = require("sendgrid");
sendgrid.initialize(“xxxxxx”, “xxxxx.”);
in these lines.
does anyone have any experience with digital ocean cloud code and send grid emailing service please help me out I will be grateful as this is the last step left and I will be done with my migration :)
cheers
Tanzeel
you have to specify server URL in parse config file. It is required and could be the reason why you cant run cloud code.
"PARSE_SERVER_URL": "http://localhost:1337/parse"
The url has be the same what you are using. There is also error in Nginx config in that tutorial, I explained it here https://serverfault.com/questions/765627/cannot-post-get-over-ssl/766428#766428
So I looked up at pm2 and to see real-time logs the command is
pm2 logs
at first when I ran the command I saw some errors, maybe they were there from before :
Then I tried the hello cloud function from postman app to test for its output in pm2 logs and I got the following :
Next I try to run my sendMail sendgrid function and I find out the the api-key I had used in my sendgrid function was throwing an error
ReferenceError: XXXXXXXXXXXX is not defined
So I went back to my cloud code and used quotes around my api-key parameter and passed it as a string in my send grid initialize function. Then I retry and get
[Error: The provided authorization grant is invalid, expired, or revoked]
So I went back to my sendgrid account and made sure that the api-key I was using was the correct one and it seemed to be just fine. I tested again and got the same error again so I decided to generate a new api-key just in case.
So I realize that I was not using the api-key but instead API KEY ID :
When we create a new api-key on sendgrid they give us the actual api key once and they ask us to store it in some secure place :
We can only display the key above one time. Please store it somewhere safe because as soon as you navigate away from this page, we will not be able to retrieve or restore this generated token.
So after I used an actual api-key I was able to send emails 😃
But one small issue still remains and I am not sure if its because of postman that I am using to run cloud code or something in the parse server or nginx that is still returning me with a 502 Bad Gateway as a response
But when I look at the logs for my parse server I do see a
parse-wrapper-0 { message: 'success' }
but it never gets back to me in my postman and instead I am getting a 502 error not sure why but the emails are being sent succesfully :)

How do you fix Google OAuth API - (403) There is a per-IP or per-Referer restriction configured on your API key

I have recently moved a project over to another server. The domain name is the same, it has just been pointed to the new server. The URL is exactly the same. Since moving the project over however I get this error when the app tries to connect to googles OAuth api.
{
"name": "Error calling GET https:\/\/www.googleapis.com\/analytics\/v3\/management\/accounts\/~all\/webproperties\/~all\/profiles?key=AIzaSyBKUP8JriiOnFnbJm_QYt_bHTMuHf-ilAI: (403) There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed.",
"url": "\/analytics\/statistics.json"
}
The obvious reason (based on the error message) would be that I haven't added the new server IP into the list of allowed IP's in the devlopers console under APIs & auth->Credentials->Key for server applications.
I have added the IP. I've checked the domain has propagated by pinging it and the new IP comes up which has been entered in the console so i'm struggling to work out why it doesn't work.
Has anybody come across this before that may be able to help me solve it?
Go to Project -> APIs & Auth -> Credentials -> API Key -> Create New Key -> Browser Key. It may take upto 5 minutes to reflect changes.
And it worked for me.
After you added your new server IP you need to generate a new API key from the Console. This message shows up when access in not properly configured. Look here and scroll down to "accessNotConfigured".
So, go to your developer console, Project -> APIs & Auth -> Credentials -> Public API Access -> Create New Key -> Server Key. Use this new key and you should be good to go.
I've had this problem for a while as well but finally solved it:
I noticed when trying wget http://bot.whatismyipaddress.com/ from my server it would actually return an IPv6-address, when on the API key's config page I had entered the IPv4-Address of my server. Once I added the IPv6-Address, my requests where finally accepted.
Go to Project -> APIs & Auth -> Credentials -> Public API Access -> Create New Key -> Server Key >> Accept requests from these server IP addresses (Optional) section,
then remove all the IP Address and Update it first, then try it. And, later you can add the specific IP address which did weirdly work for me.

Apparently my API Proxy does not exist

I've created a new API Proxy and deployed revision 1 into production, but when I call my API I just get:
HTTP 500 Internal Server Error
{
"fault": {
"faultstring": "Internal server error APIProxy revision 1 of MyProxy does not exist in environment prod of organization MyOrg",
"detail": {
"errorcode": "messaging.adaptors.http.ServerError"
}
}
}
Not the most helpful error message in history. Any pointers where to start debugging this would be very helpful, thanks!
You appear to be using the wrong url for your API, so it could not be found. If you haven't added any API key checking or additional authorization, you should be able to copy the url directly from the API details page in the prod Deployments line. Start a trace session and paste that url into the URL box. Test what happens when you do that trace.
If you have any additional security or other features that would alter the API, you would need to make those changes to the URL before sending it. If you're still having a problem, send an email to help#apigee.com.

Resources