You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: .github/copilot-instructions.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -140,7 +140,7 @@ Follow the structure in `https://github.com/killercoda/scenarios-istio`.
140
140
For Azure-flavoured scenarios (e.g. `terraform-cli-apply-azure`), substitute LocalStack with [miniblue](https://miniblue.io/):
141
141
142
142
-`init/background.sh` calls `start_miniblue` instead of `start_localstack`. Do NOT call both — each scenario picks one cloud emulator.
143
-
- `assets/docker-compose.yml` uses image `ghcr.io/lonegunmanb/miniblue:sha-decf9af` (a fork that fixes case-insensitive ARM routing for azurerm v4 compatibility, persists blob metadata on `?comp=metadata` and plain `PUT {blob}`, and adds the `MINIBLUE_DISABLE_SHAREDKEY_AUTH` env var so the azurerm backend's lock + state-write flow works without per-request SharedKey signing; version pinned by SHA tag, never `latest`), exposes ports `4566` (HTTP) and `4567` (HTTPS), and limits memory to 512M. The compose `environment:` block sets `MINIBLUE_STORAGE_ENDPOINT=http://localhost:4566` (so ARM returns local blob endpoints) and `MINIBLUE_DISABLE_SHAREDKEY_AUTH=1` (so curl/azlocal can hit the data plane without HMAC-SHA256 signing — strictly a tutorial convenience; real Azure always requires SharedKey). Do NOT bind-mount the cert directory — the image is distroless and runs as `nonroot`, so the cert lives at `/home/nonroot/.miniblue/cert.pem` inside the container; `start_miniblue` extracts it via `docker cp` instead.
143
+
- `assets/docker-compose.yml` uses image `ghcr.io/lonegunmanb/miniblue:sha-fba5d05` (a fork that fixes case-insensitive ARM routing for azurerm v4 compatibility, persists blob metadata on `?comp=metadata` and plain `PUT {blob}`, and adds the `MINIBLUE_DISABLE_SHAREDKEY_AUTH` env var so the azurerm backend's lock + state-write flow works without per-request SharedKey signing; version pinned by SHA tag, never `latest`), exposes ports `4566` (HTTP) and `4567` (HTTPS), and limits memory to 512M. The compose `environment:` block sets `MINIBLUE_STORAGE_ENDPOINT=http://localhost:4566` (so ARM returns local blob endpoints) and `MINIBLUE_DISABLE_SHAREDKEY_AUTH=1` (so curl/azlocal can hit the data plane without HMAC-SHA256 signing — strictly a tutorial convenience; real Azure always requires SharedKey). Do NOT bind-mount the cert directory — the image is distroless and runs as `nonroot`, so the cert lives at `/home/nonroot/.miniblue/cert.pem` inside the container; `start_miniblue` extracts it via `docker cp` instead.
144
144
-`start_miniblue` writes `SSL_CERT_FILE=/root/.miniblue/cert.pem` to both `/etc/profile.d/miniblue.sh` and `/root/.bashrc` (Killercoda terminals are non-login shells), and exports it for the current shell. It ALSO installs the cert into the system CA trust store via `update-ca-certificates` (`/usr/local/share/ca-certificates/miniblue.crt`) — this is the primary trust mechanism, because Killercoda terminals are opened BEFORE `background.sh` runs, so the `~/.bashrc` append does not affect the user's existing shell. With the cert in the system store, Terraform/azurerm trusts `https://localhost:4567` regardless of `SSL_CERT_FILE`.
145
145
- After `start_miniblue`, call `install_azlocal` to extract the bundled `azlocal` binary (`/azlocal` inside the container) to `/usr/local/bin/`. `azlocal` is a standalone Go CLI (no `az` dependency) that talks to miniblue over HTTP 4566 — use it in step text instead of raw `curl` for resource verification (`azlocal group list`, `azlocal dns zone list --resource-group ...`, `azlocal network vnet list --resource-group ...`, `azlocal network vnet subnet list --resource-group <rg> --vnet-name <vnet>`).
146
146
-`assets/main.tf` MUST use the **azurerm v4** provider:
@@ -181,8 +181,8 @@ For Azure-flavoured scenarios (e.g. `terraform-cli-apply-azure`), substitute Loc
181
181
182
182
### Miniblue Image Pin
183
183
184
-
-**Source of truth**: `scripts/miniblue-image.mjs` exports the canonical image tag (e.g. `ghcr.io/lonegunmanb/miniblue:sha-decf9af`).
185
-
-**Auto-propagated**: `scripts/sync-miniblue-image.mjs` rewrites every `image: ghcr.io/lonegunmanb/miniblue:sha-decf9af` line in `terraform-tutorial/*/assets/docker-compose.yml`, `terraform-tutorial/*/init/background.sh`, and the docs reference in this file.
184
+
-**Source of truth**: `scripts/miniblue-image.mjs` exports the canonical image tag (e.g. `ghcr.io/lonegunmanb/miniblue:sha-fba5d05`).
185
+
-**Auto-propagated**: `scripts/sync-miniblue-image.mjs` rewrites every `image: ghcr.io/lonegunmanb/miniblue:sha-fba5d05` line in `terraform-tutorial/*/assets/docker-compose.yml`, `terraform-tutorial/*/init/background.sh`, and the docs reference in this file.
186
186
- Run `npm run sync-miniblue` after bumping, or it runs automatically via `prebuild`.
187
187
- Do NOT edit the image tag in any docker-compose.yml or background.sh by hand — change `miniblue-image.mjs` and resync.
0 commit comments