QUIC - a planned successor of TCP - is now formalized as RFC 9000.
QUIC was initially developed at Google, but later adopted by IETF. It provides some TCP-like features on top of UDP in order to overcome latency and packet loss, especially in the last mile.
HTTP/3, which is built on top of QUIC is not formalized yet, but it's following closely behind. So, it will be likely released soon as well.
So, with HTTP/3 around the corner, have you already switched to HTTP/2?
#networking #quic
QUIC was initially developed at Google, but later adopted by IETF. It provides some TCP-like features on top of UDP in order to overcome latency and packet loss, especially in the last mile.
HTTP/3, which is built on top of QUIC is not formalized yet, but it's following closely behind. So, it will be likely released soon as well.
So, with HTTP/3 around the corner, have you already switched to HTTP/2?
#networking #quic
Fastly
QUIC is now RFC 9000 | Fastly
QUIC version 1 is officially formalized, and QUIC deployments will now move away from using temporary draft versions to the newly minted version 1.
Gatus is a health dashboard written in Go.
It has minimalistic configuration and allows you to set multiple conditions to label an endpoint as "healthy".
Also, you can host it on your own inside your private network. So, if you have security requirements of not to allow external health checkers into the perimeter, this could be a good way to go.
#toolz #observability
It has minimalistic configuration and allows you to set multiple conditions to label an endpoint as "healthy".
Also, you can host it on your own inside your private network. So, if you have security requirements of not to allow external health checkers into the perimeter, this could be a good way to go.
#toolz #observability
GitHub
GitHub - TwiN/gatus: ⛑ Automated developer-oriented status page
⛑ Automated developer-oriented status page. Contribute to TwiN/gatus development by creating an account on GitHub.
Introducing Argo Rollouts v1.0
Now, for those, who's not familiar with Argo universe, there are Argo, ArgoCD, and Argo Rollouts. All these tools are developed under the same umbrella and are complimentary to each other, but they are not the same thing.
Argo Rollouts manages iterative deployments aka progressive delivery aka canary releases. However, progressive delivery is a broader term. Basically, you roll out your application gradually in an automated way based on the health metrics.
Currently, Argo Rollouts supports such metrics providers as: Prometheus, Wavefront, DataDog, NewRelic, Kayenta, custom Kubernetes Job, and custom Web check. And it supports various traffic controllers like: Linkerd, Istio, AWS LoadBalancer, Ambassador, and Nginx.
So, what's new in version 1.0?
- New Argo Rollouts UI
- Ability to reference existing Deployment workloads instead of inlining a PodTemplate at spec.template
- Richer Prometheus stats and Kubernetes events
- Support for Ambassador as a canary traffic router
- Support canarying using Istio DestinationRule subsets
You can read the full changelog in the GitHub release description.
Also, they have a roadmap, so you can check, what's coming next
#cicd #kubernetes #argo
Now, for those, who's not familiar with Argo universe, there are Argo, ArgoCD, and Argo Rollouts. All these tools are developed under the same umbrella and are complimentary to each other, but they are not the same thing.
Argo Rollouts manages iterative deployments aka progressive delivery aka canary releases. However, progressive delivery is a broader term. Basically, you roll out your application gradually in an automated way based on the health metrics.
Currently, Argo Rollouts supports such metrics providers as: Prometheus, Wavefront, DataDog, NewRelic, Kayenta, custom Kubernetes Job, and custom Web check. And it supports various traffic controllers like: Linkerd, Istio, AWS LoadBalancer, Ambassador, and Nginx.
So, what's new in version 1.0?
- New Argo Rollouts UI
- Ability to reference existing Deployment workloads instead of inlining a PodTemplate at spec.template
- Richer Prometheus stats and Kubernetes events
- Support for Ambassador as a canary traffic router
- Support canarying using Istio DestinationRule subsets
You can read the full changelog in the GitHub release description.
Also, they have a roadmap, so you can check, what's coming next
#cicd #kubernetes #argo
Medium
Introducing Argo Rollouts v1.0
Progressive Delivery done right!
Consul Service Mesh for Amazon ECS is now in the Tech Preview.
This means that you can deploy Consul Service Mesh on Fargate type ECS using official Terraform modules. However, only setups for Dev are supported right now, i.e. the official module deploys only a single dev/testing Consul task for now. This will be changed before Consul Service Mesh for AWS ECS hits GA.
#consul #hashicorp #aws #networking
This means that you can deploy Consul Service Mesh on Fargate type ECS using official Terraform modules. However, only setups for Dev are supported right now, i.e. the official module deploys only a single dev/testing Consul task for now. This will be changed before Consul Service Mesh for AWS ECS hits GA.
#consul #hashicorp #aws #networking
HashiCorp
Announcing Tech Preview of Consul Service Mesh for Amazon ECS
AWS users may now select Consul as their service mesh for ECS deployments.
A short article by Julia Evans about why OSI model doesn't map to TCP/IP really well. And why sometimes it's just easier to say things like "TCP load balancer" or "Ethernet switch" rather than "later 4", "layer 2", etc.
tl;dr: primarily, because OSI is old.
Also, there is a diagram of your usual network packet as a bonus.
tl;dr: primarily, because OSI is old.
Also, there is a diagram of your usual network packet as a bonus.
Some time ago we had some weird network timeouts in our Kubernetes clusters. It was also pretty strange that not all service owners reported timeouts and according to the monitoring graphs, these issues usually happened during the day.
A colleague of mine dig into this problem and, well, found a bug in AWS. He described the process of his debug in this article, which steps he took and in what sequence, as well as some tools he used to debug this.
Happy reading!
#kubernetes #aws
A colleague of mine dig into this problem and, well, found a bug in AWS. He described the process of his debug in this article, which steps he took and in what sequence, as well as some tools he used to debug this.
Happy reading!
#kubernetes #aws
N26
N26 engineering team solves Kubernetes challenge
N26's site reliability engineers face exciting challenges each day. Read on to learn about their recent Kubernetes success story.
The Serverless Rules are a compilation of rules to validate infrastructure as code templates for AWS against recommended practices.
They are available as
#aws #serverless
They are available as
cfn-lint or tflint plugins. So, you can check your CloudFormation or Terraform code against them.#aws #serverless
GitHub
GitHub - awslabs/serverless-rules: Compilation of rules to validate infrastructure-as-code templates against recommended practices…
Compilation of rules to validate infrastructure-as-code templates against recommended practices for serverless applications. - awslabs/serverless-rules
I like it when articles on the Web start discussions. Although, sometimes such articles are just click bait, but you can figure it out based discussions they ignite.
Steve Smith wrote an article called "GitOps is a placebo", where he argues that GitOps haven't bought anything new to the table, because all its core concepts already existed in form of Continuous Delivery and Infrastructure as Code.
And here is the reply to this article by Carlos Sanchez in the form of a Twitter thread.
Feel free to share your own thoughts on GitOps in our chat
#cicd #iac #gitops
Steve Smith wrote an article called "GitOps is a placebo", where he argues that GitOps haven't bought anything new to the table, because all its core concepts already existed in form of Continuous Delivery and Infrastructure as Code.
And here is the reply to this article by Carlos Sanchez in the form of a Twitter thread.
Feel free to share your own thoughts on GitOps in our chat
#cicd #iac #gitops
Twitter
Carlos Sanchez
"GitOps is a placebo" Interesting take but let me disagree with some points, a 🧵 twitter.com/SteveSmith_Tec…
Forwarded from Roman Siewko
Identified - The issue has been identified and a fix is being implemented.
Jun 8, 10:44 UTChttps://status.fastly.com/
So, first big announcements from HashiConf Europe, which is happening right now.
Terraform goes 1.0 at last!!
People were expecting this release for a long time. Also, it seems like there gonna be less jokes about Terraform's production readiness from now on.
#hashicorp #terraform
Terraform goes 1.0 at last!!
People were expecting this release for a long time. Also, it seems like there gonna be less jokes about Terraform's production readiness from now on.
#hashicorp #terraform
Fastly has published a report of yesterday's incident
Not much there, to be honest. In the mid May they introduced a bug, which could be triggered by a specific configuration which is valid on its own.
And yesterday, on the 8th of June, someone submitted such configuration eventually.
These are basically all the details they reveal. The good part is that the whole incident lasted for just 49 minutes. And full downtime was much shorter.
So, it's seems like the Internet has got its 3rd problem.
Not much there, to be honest. In the mid May they introduced a bug, which could be triggered by a specific configuration which is valid on its own.
And yesterday, on the 8th of June, someone submitted such configuration eventually.
These are basically all the details they reveal. The good part is that the whole incident lasted for just 49 minutes. And full downtime was much shorter.
So, it's seems like the Internet has got its 3rd problem.
You can use multi-line RUN commands in Dockerfiles now.
It's not like you couldn't, it's just became more human readable.
To use this feature, set Dockerfile version to labs channel. Currently this feature is only available in docker/dockerfile-upstream:master-labs image.
#docker
It's not like you couldn't, it's just became more human readable.
To use this feature, set Dockerfile version to labs channel. Currently this feature is only available in docker/dockerfile-upstream:master-labs image.
# syntax=docker/dockerfile-upstream:master-labs
# syntax = docker/dockerfile-upstream:master-labs
FROM debian
RUN <<eot bash
apt-get update
apt-get install -y vim
eot
#docker
GitHub
buildkit/frontend/dockerfile/docs/syntax.md at master · moby/buildkit
concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit - moby/buildkit
Kris Nova's recent write up on Infrastructure as Code vs Infrastructure as Software
(also available on GitHub)
In short, we are used to manage our infrastructure with Turing incomplete configs like YAML. Since configs are too static, people invented some tooling on top of it. So, now you have a lot of templating for this.
On another hand, we can simply use modern day programming languages like Go, TypeScript, Python, etc. In this scenario infrastructure engineers can benefit from the entire ecosystem of a given language like test suites, IDE plugins, package management and so on.
In fact, these concepts are already used in various CDKs and Pulumi.
This article is not yet a definitive guide, rather just a thoughts material. You can join the discussion
- on Twitter
- on Reddit
#iac
(also available on GitHub)
In short, we are used to manage our infrastructure with Turing incomplete configs like YAML. Since configs are too static, people invented some tooling on top of it. So, now you have a lot of templating for this.
On another hand, we can simply use modern day programming languages like Go, TypeScript, Python, etc. In this scenario infrastructure engineers can benefit from the entire ecosystem of a given language like test suites, IDE plugins, package management and so on.
In fact, these concepts are already used in various CDKs and Pulumi.
This article is not yet a definitive guide, rather just a thoughts material. You can join the discussion
- on Twitter
- on Reddit
#iac
CNCF Security Technical Advisory Group published The Software Supply Chain Security Paper last month
This paper is intended to be a living document guided by the community. It provides general recommendations, tooling options, and design guidances on how to reduce the risk of a supply chain attack.
This document has more that 40 pages and covers topics like: securing the software and materials, securing pipelines, artifacts and deployments, etc.
#security
This paper is intended to be a living document guided by the community. It provides general recommendations, tooling options, and design guidances on how to reduce the risk of a supply chain attack.
This document has more that 40 pages and covers topics like: securing the software and materials, securing pipelines, artifacts and deployments, etc.
#security
A few announcements from AWS, which I personally find interesting. Ofc, there are usually tons of AWS announcements.
1. AWS KMS multi-Region keys. So, now you can define global KMS keys and that's awesome! Previously, it was always cumbersome to create a cross-regional backup for encrypted data. Looking forward to trying it!
2. AWS Step Functions Workflow Studio. Now you can design a state machine in a visual editor.
3. AWS Proton became generally available. Proton is a tool or rather a toolchain that helps you to build a custom PaaS for your internal product teams on top of AWS.
And one more thing. Short manual on how to stop and RDS on schedule with a Lambda function. Could be interesting for those, who are willing to save some money in their non-production environments.
#aws
1. AWS KMS multi-Region keys. So, now you can define global KMS keys and that's awesome! Previously, it was always cumbersome to create a cross-regional backup for encrypted data. Looking forward to trying it!
2. AWS Step Functions Workflow Studio. Now you can design a state machine in a visual editor.
3. AWS Proton became generally available. Proton is a tool or rather a toolchain that helps you to build a custom PaaS for your internal product teams on top of AWS.
And one more thing. Short manual on how to stop and RDS on schedule with a Lambda function. Could be interesting for those, who are willing to save some money in their non-production environments.
#aws
Amazon
Encrypt global data client-side with AWS KMS multi-Region keys | Amazon Web Services
Today, AWS Key Management Service (AWS KMS) is introducing multi-Region keys, a new capability that lets you replicate keys from one Amazon Web Services (AWS) Region into another. Multi-Region keys are designed to simplify management of client-side encryption…
An experiment ran by Corey Quinn: what would happen once you pushed your AWS keys to a public repository.
He summarized it in a Twitter thread
tl;dr: AWS contacted him about leaked credentials and refused to close the case before he rotated the keys even though these keys had no permissions.
Also, there's an interesting reply from a person who is working in GitHub. GitHub have a monitoring for leaked credentials. However, they notify AWS directly rather than a customer in such occasions. The reason for that is a lot of false-positives at the time such monitoring was just introduced. So, they decided not to bother their customers in vain.
P.S. Last time I had to scan a repository for leaked credentials, I used TruffelHog tool it searches not only for AWS secrets, but actually for any high-entropy strings. Also, it works quite well even for large repositories.
#security #aws #github #toolz
He summarized it in a Twitter thread
tl;dr: AWS contacted him about leaked credentials and refused to close the case before he rotated the keys even though these keys had no permissions.
Also, there's an interesting reply from a person who is working in GitHub. GitHub have a monitoring for leaked credentials. However, they notify AWS directly rather than a customer in such occasions. The reason for that is a lot of false-positives at the time such monitoring was just introduced. So, they decided not to bother their customers in vain.
P.S. Last time I had to scan a repository for leaked credentials, I used TruffelHog tool it searches not only for AWS secrets, but actually for any high-entropy strings. Also, it works quite well even for large repositories.
#security #aws #github #toolz
Twitter
Corey Quinn
Let's do an @awscloud experiment with our friends at @github. I have pushed a set of API credentials to a public repository. Oh no! Specifically at Mon Jun 21 23:08:12 UTC 2021.
In addition to our last post.
An article on what happens if you push secrets into a public repository with some advices on how to mitigate that risk.
This article was sent to me by one of our subscribers. Big thanks for it! If you want to share interesting stuff as well, you can either send it to our chat or admins directly.
#security
An article on what happens if you push secrets into a public repository with some advices on how to mitigate that risk.
This article was sent to me by one of our subscribers. Big thanks for it! If you want to share interesting stuff as well, you can either send it to our chat or admins directly.
#security
If you work with Open Policy Agent, you probably want to test the policies you write.
Lucky there is an ability to write test suites for Rego.
However, these tests suits are not always very obvious as well as Rego policies themselves. Here is an article by Dustin Specker on how to write tests for your policies. This article helped a lot me personally. And I hope it will be helpful for you too.
#opa #kubernetes #testing
Lucky there is an ability to write test suites for Rego.
However, these tests suits are not always very obvious as well as Rego policies themselves. Here is an article by Dustin Specker on how to write tests for your policies. This article helped a lot me personally. And I hope it will be helpful for you too.
#opa #kubernetes #testing
Open Policy Agent
Policy Testing
Policy-based control for cloud native environments