Reddit DevOps
Docker -> Traefik + Keycloak: how to Claim and Check rolenames?

Hi guys,

First, I am quite new to DevOps and Docker and I really like it so far. My question, for which I can't get a simple answer, is: how do I claim the roles from the token from Keycloak and check them for a specific role name?
I was not able to find anything in the Traefik docs under https://doc.traefik.io/traefik/middlewares/forwardauth/ and https://github.com/thomseddon/traefik-forward-auth also does not seem to be correct. I don't have Traefik Enterprise, so this https://doc.traefik.io/traefik-enterprise/middlewares/oidc/ is also not available to me :(.

I don't want to use Apache2 with its OIDC mod since I am moving all my things to Docker. This issue is the only thing I could not manage to solve with Google.
Please help me, maybe with an easy docker-compose, so I could learn?
Thank you very much :)

https://redd.it/njba3q
@r_devops
Anyone with experience with DevOps job assessments? (Graduate)

Hi all. I'm currently going through the application process for a DevOps graduate scheme at a big company in the UK, so competition will be tough. I've completed the first generic assessment, but the next one coming up will be a coding assessment involving shell scripting and YAML.

I'm a JavaScript graduate developer myself moving into DevOps (hopefully). I'm confident in my coding abilities, and can brush up on any algorithmic stuff from my studies.

I've started practicing shell scripting and looking at YAML as I've not had any experience with them before (it recommended learning the basics for this). Does anyone have experience going through a process like this? What kind of coding test can I expect? Any advice for a developer moving to DevOps?

Cheers all

https://redd.it/njb4gl
@r_devops
Shall we allow projects that don't want to do CI/CD?

We are operating an awesome CI/CD pipeline, and now a project that insists on using Gitflow (because they don't trust their external developers *cough*) has asked us to run their stuff through the pipeline. To be honest, my personal answer is a clear N.O., but my team members are more lenient. What do you think?

https://redd.it/nj2mck
@r_devops
How to pass Vercel's SSL certificate to Nginx backend?

I have a domain mydomain.com managed by Vercel serving a React frontend in **frontend.mydomain.com**, for both of which Vercel generates SSL certificates (including a wildcard *.mydomain.com). The only thing that Vercel shares with me is the certificate id, in the shape of cert_HasdfH234aDSFhasdfGAS1k5G

I have also set a DNS A record for the subdomain **backend.mydomain.com** pointing at the IP address of a DigitalOcean droplet which is running a server behind an Nginx Docker container. I had the same setup working with http in Namecheap, but since I've let Vercel manage my DNS I can't ping my server using http, and it seems that only https would work.

My question is:


How do I configure nginx.conf for the nginx container in my backend to accept that SSL certificate? Right now I have something like:

    events { worker_connections 1024; }
    http {
      server {
        listen 80;
        server_name backend.mydomain.com;
        location / {
          proxy_pass https://backend:4000; # backend is the service name of the backend container.
        }
      }
      server {
        listen 443 ssl;
        server_name backend.mydomain.com;
        location / {
          proxy_pass https://backend:4000;
        }
      }
    }


...which being incomplete, naturally throws the error:

>nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/nginx.conf:22

I have checked several guides for setting up HTTPS in nginx, but none seems to include adding certification through an ID such as the one provided by Vercel.

https://redd.it/njw4l5
@r_devops
Migrating multiple Jenkins VM's to Docker Swarm \ K8's. Can it be done safely?

Problem: We've got multiple Silo jenkins masters dotted around the network, requiring different plugins and currently have different levels of security, depending on which muppet dev team decided to spin it up without talking to us. Our official standard (for now) is Bamboo, though we're going to be changing that soon as devs kept bypassing it and spinning up Jenkins or using AWS as they hated Bamboo.

We've been tasked with bringing them under our control, securing them and getting some level of sanity involved.

Short \\ Middle term Solution: Containerise all the things! What I'd like to do is basically create a Jenkins Swarm of masters, taking X amount of VM's down to 3 or 4 VM's.

While I've found a single guide on migrating a jenkins server to docker on the same server, I've yet to find anything for migrating it to a container cluster. The issue for me is the persistent storage.

https://redd.it/njyss1
@r_devops
Disable TLS 1.0 and TLS 1.1 in Kubernetes cluster on GCP

I want to disable TLS 1.0 and TLS 1.1 from my website.

The website is hosted on the google cloud platform Kubernetes engine.

I used this Nginx ingress [https://cloud.google.com/community/tutorials/nginx-ingress-gke](https://cloud.google.com/community/tutorials/nginx-ingress-gke)

And for the SSL certificate, I used cert-manager from this tutorial [https://youtu.be/hoLUigg4V18](https://youtu.be/hoLUigg4V18)

I don't get where I should do the change. Should it be done from:

* ingress YAML file
* cert-manager
* load balancer on GCP

I tried to create an SSL policy on GCP but I wasn't able to add a target because it should be a GCE ingress, not Nginx (I have to use Nginx due to lack of required metadata in GCE). I also tried creating a config map file, but they are still enabled.

https://redd.it/njszf8
@r_devops
Best CICD solution for building and publishing Dockerfiles? Just build/use something in GitHub Actions or something specific?

So Kubernetes has ArgoCD with manifests, Terraform has GitHub Actions with Atlantis, is there a unique solution out there to building Dockerfiles in infrastructure as code fashion? Let's say you have like 300 Dockerfiles you want to build at a time, what's the best way to do so at scale?

https://redd.it/nk221u
@r_devops
DevOps experience and coding tips

Hope everyone is staying healthy and well. I had the wonderful experience of being able to do a DevOps role even if it was a minor one. It's funny how this all came to be because going down this road wasn't easy and a bit odd. I don't have much extensive coding experience like a full time software engineer/developer does and my experience is very mixed. I have a background as a Test Technician, Tech Writer, IT technician, Research Engineering Intern, and then finally DevOps (woohoo!). However, as of recent, I actually was laid off due to COVID so now I'm currently in the market. In terms of programming, I'm actually very very rusty. I have this tendency where I practice a lot of coding and then at some points in time, I don't practice enough, which I then forget after some time has passed. Are there any specific questions that I should be looking at in terms of coding, or should I just chug and plug away at programming questions from Hacker Rank, Leet Code, etc. to improve my coding? I find that trying to answer as many coding questions as possible seems a bit exhaustive considering that DevOps don't code as much as Software Developers and Engineers. What are your guys' experiences like? Any additional tips are always welcome.

Cheers!

https://redd.it/njnbh4
@r_devops
what is the difference between directory/folder name and shared folder's name?

what is the difference between directory/folder name and shared folder's name?

https://redd.it/njmuy9
@r_devops
2 years of DevOps experience with no education or certificates. How do I take my career to the next level?

No degree. 1 internship doing CSS work, 2 years contracting doing test automation (selenium) and 2 years doing DevOps (Jenkins/docker/K8s/AWS/Python).

I quit my job to take some time off and whatnot. I’d like to now spend 1-2 months sharpening my skills and increasing my chance of landing a killer job.

Should I get my AWS certificate?

Should I get my Kubernetes certificate?

Should I take Linux academy courses to learn more about networking?

Should I build and launch a side project to show my abilities?

Should I do leet code?

Should I take some basic CS courses?

Should I try my hand at freelance work to diversify my experience?

Should I try to launch a DevOps consulting agency?

https://redd.it/nk6sw1
@r_devops
The role of a modern QE

After spending almost two years in the software testing industry, I have found that people, especially fresh graduates, have no clue of the great responsibility & career opportunities they have in this amazing field. They think testing is about manual effort, and still many organizations fail to understand the importance and advancement in the field of testing. With advancements in automation tools and DevOps, testing tools have become mature enough to decrease the manual effort to a minimum.

The following learning series is my effort to acquaint people with the role that a QE plays in an agile organization and how organizations can adopt best QE practices. Let me know what you think.

1. Introduction to testing - https://shivamgohel.medium.com/the-role-of-a-modern-qe-1-4-9a3e75075728
2. Introduction to agile - https://shivamgohel.medium.com/the-role-of-a-modern-qe-2-4-d52e8fe84c6e
3. Quality Engineer Roles & Responsibilities - https://shivamgohel.medium.com/the-role-of-a-modern-qe-3-4-dfaadc9fb849
4. Modern QE Learning Path - https://shivamgohel.medium.com/the-role-of-a-modern-qe-4-4-d81b6f1712d8

Let me know what you think.

https://redd.it/nk11pn
@r_devops
Certification for a DevOps engineer

Hi,

AWS Certified SysOps Administrator – Associate or AWS Certified Solutions Architect – Associate

for a role of DevOps engineer,

thanks

https://redd.it/nk212q
@r_devops
Troubleshooting istio health checks

So just to keep this short and simple, I've tried following the documentation on setting up istio for my Kubernetes cluster. The weird portion is, I was able to get istio installed with no issue for the very first time. The second time I try to re-install it, I keep getting these 15021 connection refused health checks which is driving me nuts. I've spent at least a few days or so trying to troubleshoot it by running curl against the endpoint, installing it in various different ways, etc. I have a feeling that this may or may not be a red herring and that I can continue to go through some exercises. It's been driving me nuts for a while and was wondering if anyone else was encountering and/or had a similar issue with mine from before. Open to discussion and possible solutions. Maybe there's something that I'm currently missing atm. Thanks!

CNI: Calico

Readiness probe failed: Get "https://192.168.185.2:15021/healthz/ready": dial tcp 192.168.185.2:15021: connect: connection refused

2021-05-24T00:59:56.636865Z warning envoy config StreamAggregatedResources gRPC config stream closed: 14, connection error: desc = "transport: Error while dialing dial tcp: i/o timeout"

2021-05-24T00:59:57.058123Z warn sds failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp: i/o timeout"

2021-05-24T01:00:21.989645Z warning envoy config StreamAggregatedResources gRPC config stream closed: 14, connection error: desc = "transport: Error while dialing dial tcp: lookup istiod.istio-system.svc on 10.96.0.10:53: read udp 192.168.215.193:45025->10.96.0.10:53: i/o timeout"

2021-05-24T01:00:39.772320Z warn ca ca request failed, starting attempt 1 in 91.485819ms

2021-05-24T01:00:39.864828Z warn ca ca request failed, starting attempt 2 in 188.891576ms

2021-05-24T01:00:40.054452Z warn ca ca request failed, starting attempt 3 in 414.486264ms

2021-05-24T01:00:40.469240Z warn ca ca request failed, starting attempt 4 in 758.642414ms

2021-05-24T01:00:41.228216Z warn sds failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp: lookup istiod.istio-system.svc on 10.96.0.10:53: read udp 192.168.215.193:45025->10.96.0.10:53: i/o timeout"

2021-05-24T01:00:42.581702Z info Status server has successfully terminated

2021-05-24T01:00:42.581800Z error accept tcp [::]:15020: use of closed network connection

2021-05-24T01:00:42.581820Z info Agent draining Proxy

2021-05-24T01:00:42.582855Z info Graceful termination period is 5s, starting...

2021-05-24T01:00:47.583724Z info Graceful termination period complete, terminating remaining proxies.

2021-05-24T01:00:47.583768Z warn Aborted all epochs

2021-05-24T01:00:47.583774Z info Agent has successfully terminated

https://redd.it/njmtmp
@r_devops
How to health check 2 services on a single EC2 instance for ASG health checks

I have an application that I plan to run on a single EC2 instance for now that I want to be able to recover from failure if something were to happen. I don't want to go to multiple instances for now due to cost. I was thinking of doing an EC2 instance in an ASG that is set up via a user-data script where I install Docker and pull images then start a Docker Compose file. Not sure about secret management yet. Open to suggestions for simple, and cheap options.

My question comes, how can I have it so the ASG will replace the instance if either of the two different services stops responding or maybe both stop for some reason.

I know this is a horrid design and needs to be changed out ASAP and it will be soon as EKS makes sense cost wise.

https://redd.it/nkd139
@r_devops
Are self hosted GitHub runners safe in production?

I asked something similar in another question on GitHub but used the term external which seemed to confuse people.

Basically security: self hosted vs GitHub hosted into AWS. Are AWS creds in secrets easier and safer?

https://redd.it/nkc2nf
@r_devops
Effects of unrealistic goals and metrics on DevOps

How can unrealistic goals and bad metrics negatively affect DevOps?

https://redd.it/nkbj4f
@r_devops
How to replace a string with a variable in a file using sed?



I have a file having some text like:

ipaddress="127.0.0.1"

I have to replace the 127.0.0.1 with a variable, say $ip_add, where $ip_add=127.0.0.2. The following sed command is not working:

sed -i 's/127.0.0.1/$ip_add/' conf.py

When I run this command, the text in the file looks like this:

ipaddress="$ip_address"

Please help. Thanks in advance.

https://redd.it/nks2xk
@r_devops
Searching for a suitable hosting service (Express.js, VueJS and MongoDB)

I need to deploy a website that has HTML, CSS and JavaScript with Node.js and Express.js, so what's the best place to host it? Adding that I'll integrate VueJS and MongoDB into the website to add a Dashboard and Blogs. So I need the hosting service to be reliable enough to do so. So basically, it's a static site with a Node.js backend and it'll also have Vue.js and MongoDB after a very short time (maybe two weeks or four).

So which hosting services do you guys recommend?

...

https://redd.it/nkr1lg
@r_devops
Career switch in DevOps from Automation Tester

Is there anyone who has switched their career from Test Automation Analyst to a DevOps role?
Please share your journey if you have done it.

https://redd.it/nkslbi
@r_devops
GitLab vs ADO vs GitHub

As the title suggests I’m looking for opinions on these toolsets. I use GitHub daily, but have used GitLab in my past role and I think a lot has changed. I have a customer I’m working with to build a new cloud practice and I’d like to weigh all of these out.

https://redd.it/nkpfot
@r_devops