Kubernetes + Git Book Recommendations?

Hi All,

I'm reaching the final lessons in a Udacity SUSE scholarship program I got to be a part of. In this program we covered CI/CD and got to do some great hands on projects using GitHub, Docker, Kubernetes, building images to DockerHub. It was a great ice breaker into the world of hands on DevOps.

My issue is that my retention of the material isn't great. I really need to practice this more and need to learn more details on how to implement this in real life. I need to do more hands on exercises. I'm thinking that finding a good book or two would be a great contrast and offer some more depth.

Are there any books on the topic that you could recommend?

What methods of study have helped you get the best retention? I figure hands on at work is the trump card, but short of that...

https://redd.it/omijmb
@r_devops

Combining Terraform IaC with GitOps

How coupled is your Terraform Infra and GitOps apps (Flux/ArgoCD/whatever)?

Situation: Terraform is pretty good at creating AWS resources. We want a service owner to be able to create the IAM Role/Policy and any backend resources (Dynamo, RDS, Elasticache, etc.) as well as deploy the apps to Kubernetes. This would work best if it can take advantage of things like remote state/data look-ups from other already created Terraform resource (namely ACM, R53, and VPC resources). For example for RDS, we would want to be able to specify the subnets, etc.

The present GitOps repo is based on kustomize. The base is the service (vanilla, no per-env specifics), and overlays provide all of the "last-mile" configuration. This usually includes some sort of Ingress (with hostname), and the IAM Roles for Service Accounts (IRSA) setup in the overlay.

These are usually set once and forget it type of things for us, but to keep things consistent and hands-off, more automation is welcome. Some of the values can't be predicted at plan time (e.g. security groups when using sg for pods feature). Terraform must be applied at least once to create those identifiers. IAM Role name could be templated with envsubst or similar, so that's not a big issue.

So far, this feels like a CI problem, where we need the Terraform apply to complete, read the outputs, and then post-render the terraform outputs either directly into the overlay kustomization.yaml, or push them to one of the configmap generators in order to take advantage of the new kustomize subsitutions (the extra ConfigMap is no biggie).

This feels reasonable to manage, as a successful terraform apply can just notify the next step in the workflow to generate a new last-mile overlay and write back to git for the controllers to pick up/sync. It gets a little more strange if you try to shove both the terraform and kustomize bits into the same repo with Flux/ArgoCD, as to me it becomes less clear which workflow is supposed to be invoked when considering Terraform (via Atlantis, etc.) or ArgoCD, for example.

Blogs, ref architectures, and opinions welcome!

https://redd.it/omiiz4
@r_devops

Deployment to Digital Ocean using Circle CI

My goal is to implement a CI/CD pipeline using CircleCi to automatically ssh into a digital ocean droplet, and execute a git pull and docker-compose command. See

Circle CI YML file

version: 2

defaults:
docker:
- image: circleci/python:3.7
workingdirectory: ~/project

jobs:
pull-and-build:
docker:
- image: arvindr226/alpine-ssh
workingdirectory: ~/project
steps:
- checkout:
path: ~/project
- run:
name: Deploy
command: |
ssh -oStrictHostKeyChecking=no -v $USER@$IP
git pull origin main
docker-compose up --build

workflows:
version: 2
build-project:
jobs:
- pull-and-build

​

The digital ocean droplet was created using a putty. CircleCI doesn't recognize the .ppk in in SSH. Is there a way to add ppk public key in circle ci? Or is there another way to set up CI/CD pipeline to deploy on digital ocean?

https://redd.it/omlaf5
@r_devops

Total noob needs help.......please

Hi ladies and gents,

I have an assessment to do but don't know where to start😔
Would you be able to advise on any code editors or resources with regards to
• IaC Best Practice
• Cost
• Security
• Observability

There are some code snippets I need to do a peer review with regards to the above
I just need pointing in the right direction ☺️

Thank you in advance

https://redd.it/omn174
@r_devops

Should I buy Macbook M1 for devops?

I am planning to buy macbook m1 air, but I heard it had issues with devops software. There has already been a discussion on https://www.reddit.com/r/devops/comments/lmc986/experiences\_with\_macbook\_m1/. My question remains same.


But I would like to know how things have changed these past 5 months?

https://redd.it/omnq60
@r_devops

Question Creating kubernetes environment for painless microservice development for multiple isolated (external) development teams

Hello, this will be a long post, I will do tldr first:
I need to create a kubernetes solution for developing multiple applications by multiple teams (RBAC, policies and everything) as painlessly as possible (for the developers). The cluster will be running on vSphere with Tanzu.

Now for the whole story:
I was hired by capital city of my country as a DevOps engineer. I've been DevSecOps engineer in Azure for 3 years and have done lots of projects, but I've just scratched the surface of Kubernetes, using it only for a few months.

The city is trying to change the model of it's IT projects. In the past, everything was done by external providers for abnormally high price, and most of the apps and services aren't even owned by the city, but the providers, which causes a lock-in, and more and more money flowing in their pockets. The city now wants to create a new model, having an internal development team, plus any external provider will be working as an extra workforce managed by the city project managers, working on our infrastructure and using our tools and processes (part of the contract).

What I would like to ask, is how to make this as simple as possible for the development teams. The Kuberentes cluster will be running on Tanzu, as city already has own servers with vSphere (not to mention that they've outsourced vSphere upgrade and Tanzu installation for \~100K€ before I was hired and it's going on for over 2 months already). So best solution would be using tools and components already included in Tanzu.

My idea for RBAC (I'm open to any suggestions) is to first integrate the solution into city's AD (city has an office 365 subscription with Azure AD) for RBAC, both to internal (dev) Ingress endpoints and development tools (I'm trying to push for AzDO, because of AD integration, project and team separation and so on, but the management team is adamant on using Jira and github) so we can control access via AD groups.

To describe what will be developed: City has a huge API for all services (both internal and for citizens, over 100 of services) that's really outdated, using SOAP and mostly owned by provider (and the contract is over). I would like to refactor this into microservices, possibly even serverless functions (if possible, without dockerfiles, to make it simpler for developers, like Azure Functions for example), gradually, one by one. As I've seen, Tanzu has Knative integrated. The only problem I see is that Knative still needs dockerfiles AFAIK and Tanzu has no API gateway (only service mesh). I would like a service that creates routes for the microservices/functions and possibly has a graphql endpoint to fetch multiple things at once (all with as little configuration for the developers as possible). Also something that could make just some APIs accessible to specific roles. The developers should only specify the route for the API, and that also could possibly be scope protected by RBAC (for example team working on taxes could only create endpoints under /api/taxes/*). Also how would you do automated testing on such environment?

Another question for a different application, just for a suggestion: Other projects are city's websites, and unification of them into a single React solution with a self-hosted, headless CMS for the marketing team, probably based on Strapi (and maybe TinaCMS). Would you do the API for this solution also in the serverless way, or just have a frontend/backend containers?


I know this is a little too specific, but it's necessary from security and ease of use standpoint.

https://redd.it/omuw99
@r_devops

Aks & networking

Hi . I recently got into a DevOps role. I'm a beginner and I'm into a platform team which gives the flexibility to onboard application/Dev teams. Our work is to access images from ACR and push them into aks nodes/pods. My manager has given me a task to configure the networking segment of this and the aks cluster. We eventually are going use a jenkins with parameters to make it easy for application teams to chose their network inputs but as of now for the dry runs, we've decided to just hardcode the network into the terraform scripts. I'm learning kubernetes still. Any help regarding this or any support/reference material is highly appreciated. I actually want to know all the network components included and Thier functionality as of now. Thanks in advance.

https://redd.it/omtwr5
@r_devops

Master Rolling Updates with Ansible Serial

Hey everyone,

Below is a video I made demonstrating the "serial" feature in Ansible. Serial allows for "rolling updates," and I demonstrated this with a restart of Apache.

Its geared for newcomers to Ansible, Linux, and Automation in general.

Let me know what you think!

https://youtu.be/e5x1Alp8fao

https://redd.it/omyhf3
@r_devops

Simple Logging and Monitoring solution for dockerized microservice system?

Are there any combined out-of-the-box dockerized solution that can provide logging services like Kibana and Metrics like Grafana together? I have a very simple microservice system on a bare metal server with only 2 microservice and I would prefer not to create additional containers for kibana, grafana, zipkin, and many more than application services.

https://redd.it/omz0ln
@r_devops

Is it possible to automate a web session via the CLI?

I love to automate things and I want to automate what currently is a manual step where someone goes to a website, fills out a few forms, and presses the submit button.

Is there a tool that could help me accomplish this in some sort of linux box or container? Or is it something that can only be done on a computer with a graphical display?

https://redd.it/on0tjx
@r_devops

Angular NgRx/Store + ExpressJS Shopping Cart Series



New to angular & JavaScript in general ?

Well, I'm here to announce my new YouTube tutorial series that I started uploading recently which contains :

\-Redux Pattern Explained in details

\-JavaScript / Node basics (Express.JS)

\-SCSS styling and Basic angular component setup

\-NgRx setup for angular 11

and much more..

The tutorial Series ==> https://www.youtube.com/channel/UCF3QsixhylSFAC-s87xa-jw

I would really appreciate your support, all I'm asking is for you to check out this playlist and subscribe if you're interested It would really help me.

Thanks and have a nice day.

https://redd.it/ome33b
@r_devops

Looking for a good guide or online course for DevOps.

Hi everyone, Is there a guide or online course that have a pretty good breakdown for materials needed to study for DevOps?

I found this one here and was wondering if is worth it?

https://cloudacademy.com/library/devops-engineer/

Thanks!

\-Angel

https://redd.it/on61z4
@r_devops

Chef courses


I am starting with chef, and i want to know what are good courses.
I see this on udemy: Chef Fundamentals: A Recipe for Automating Infrastructure , i don't know if worth or there is a better option or some free courses.
Thnks in advice

https://redd.it/om3c71
@r_devops

Angular NgRx/Store Tutorial Series

Hello everyone, I'm dreevo and I'm new in the youtube community..I just wanted to share my youtube videos that I started posting about angular and ngrx if you're interested, you can check them out here :

https://www.youtube.com/watch?v=VIje9vLlQ3c&list=PLaIAlYh\_vQPWpaKUJwYt7sCjVe7nRoN8u

​

I would really appreciate some support thanks !

https://redd.it/olsax2
@r_devops

Need ideas to improve IoT infra



So I am intending to develop an ioT platform.

In the infrastructure has the following devices and its purpose

1) IoT device

2) Raspberry PI, acts as an AP to gather the data from the IoT Devices and push it to a central server every 5 IoT device, one raspberry PI

3) Central server – gathers all the data interprets it and stores it. It contains a webserver, database management system and an MQQT broker

My idea is to omit the central server totally and the PI works as both an AP and a central server

The idea is, the AP services are running in container, the central server is running on a clustered container

Is this possible?

https://redd.it/on91nu
@r_devops

Abstractions/low code platforms above kubernetes?

Hi everyone,

Recently i discovered crossplane and it seems to me that is this is kind of a low code platform above a kubernetes cluster.

I feel like this platform create it so that developer only have to focus on the application side and can use the crossplane api to deploy and such?

https://crossplane.io/

I'd like to hear your opinions about it, also feel free to share alternatives, so i can take a look at others :P

https://redd.it/olpu2v
@r_devops

Google Zanzibar versus OPA (Open Policy Agent)

What are the main differences between Google Zanzibar and OPA? OPA seems to solve many of our use cases out of the box but Zanzibar would require an in house implementation. Our team is very concerned about scalability in the future and this led us to consider an in house Zanzibar implementation. What are the other considerations we should pay attention to in picking a policy engine and overall permissions system?

https://redd.it/olnfwr
@r_devops

Integration between Git Enterprises and Slack Enterprise on webhook

Hi,

I am trying to integrate between Git Enterprises and Slack Enterprise on webhook to get all the repos changes on slack channel. Since both apps are enterprise version ... slack and github are not able to talk to each other "could not resolve hostname". I cant request firewall team or proxy team to open the traffic and ports between them. Need some direction .. can i run a webhook container on (Openshift cluster where port has open between github and cluster and webhook are working For e.g: ArgoCD and Git working) ... any suggestion guys ... appreciate it ...

https://redd.it/onbc4u
@r_devops

Explaining boto3: How to use any AWS service with Python

boto3 is a Python Software Development Kit to create, configure, and manage AWS services. It's built on botocore, which in a nutshell, allows us to forget about underlying JSON specifications and use Python (boto3) when interacting with AWS APIs.

This article looks at how boto3 works and how it can help us interact with various AWS services.

Read more: https://dashbird.io/blog/boto3-aws-python/

https://redd.it/onbga8
@r_devops

Some Security Risks of Using Push-Based CD

After going through several conversations, including here, that relate to Push-Based Continuous Delivery like a fine approach, I felt like there is need to describe in detail why I consider it highly insecure.

Here is a summary of security issues I see:

1. Credential leak from the CI system.

2. A person with push access to source code may abuse the system.

3. Management APIs from deployment instance must be widely exposed.

4. Credential leak on transport layer.

5. Increased pressure on book-keeping and maintenance.

What I'm suggesting instead - always use Pull-Based CD with an agent on the instance itself doing the deployment.

Full post - https://worklifenotes.com/2021/07/19/some-security-risks-of-using-push-based-cd/

https://redd.it/onaxor
@r_devops

git pull without providing username and password

I have deployed my website to a VPS and want to automate the build step with Github Actions. It fails however because the command git pull asks for my username and password every time. I've seen multiple questions about this on Stack Overflow, but what confuses me is that on my computer I was never prompted a username and password. So why does this happen on the VPS?

Thanks in advance

Edit: I'm also getting a mail with deprecation notice about using a password as authentication method.

https://redd.it/ondi3m
@r_devops