quay.io dns registry has expired

quay.io dns registry has expired


whois quay.io | grep Expiry
Registry Expiry Date: 2021-09-30T04:49:59Z


So.... omg. Our kube clusters cannot pull images, probably my fault for not having a DR container registry wise.

And its not the first downtime quay has been had. Specially since redhat acquired it.

What do you guys use for this? I dont really want to setup and maintain harbor, but maybe its the less of evils

https://redd.it/pye2ez
@r_devops

Github and Slack - DevOps Management

This sample shows how Linx automatically post messages to Slack. Once this GitHub-Slack integration is active, the sample posts messages to Slack Channel. Post messages to Slack using Bot User for GitHub issues for a time period.

https://github.com/linx-software/github-slack-devops-management

https://redd.it/pygakw
@r_devops

DevOps in Service Based vs Product Based Companies

So basically, I've worked for the last 4 odd years in DevOps with product based companies. I got an offer from a Service Based company, so I was thinking whether it would be good to work with clients, how is it different than product based companies. And if I would want to change back, would it cause any problems?

https://redd.it/pyhsgs
@r_devops

Is end-to-end secured traffic really that uncommon with a load balancer?

At work recently I had to setup our various web apps in a load balanced environment, both in Azure and AWS. This was to prove they could be load balanced, but also document the steps for a client. I'm dabbled with Azure and am very inexperienced in AWS, but so it goes.

Not sure if it matters, but I was just testing a pretty simple use case. For both AWS and Azure, there were two VMs both running 2-3 of our apps in IIS, one VM was also serving as the database server for all the websites.

In Azure, I got all our sites working with an Application Gateway. It took a bit being pretty noonish, but now that I've got it done (and documented) it was actually pretty straightforward and quick. I am pretty sure the https traffic is secured end to end, it's secured between the user and the load balancer, the LB and the target web servers, even the target web servers making SOA calls to another site on the same box. This requires you to deploy the same IIS certs to the LB listener/http rule.

Been attempting to do the same thing in AWS- I didn't setup whatever load balancer tool we are using, but apparently their expectation was I believe that user traffic to the LB is encrypted, and traffic between the LB and the web servers is port 80/HTTP. This won't work with our product the way it's currently set up, one site is a static site populated with data from SOA calls from another site on the same box. Currently in my AWS setup, you can access the 443/HTTPS websites but it will tell you connecting insecurely on 80 and must connect securely. If I drop the port 80 binding entirely (almost none of our apps use it) connecting via the LB gives me a Bad Gateway.

My colleague who set it up and is far more familiar with both load balancing and AWS than me said he could certainly accomplish the Azure-type scenario in AWS with some reconfiguration. But he and a couple friends in the industry made comments suggesting the end-to-end I'm doing in Azure is less common or not the standard approach.

Is that the case? I'm curious if so, and if I'm assuming the facts right about which parts are secure/insecure in my current AWS state, why is that the usual approach?

https://redd.it/pyc5ab
@r_devops

Anyone think such tool is relevant?

How is the relevancy of such tools? For Windows machine (typically server)

https://github.com/sorainnosia/EVIPBlocker

It creates firewall upon fail login attempt

https://redd.it/pyk84f
@r_devops

What is the best chatting alternative for IRC Freenode in 2021 for questions about Bash, Linux, Python, Ansible, etc?

What is the best chatting alternative for IRC Freenode in 2021 for questions about Bash, Linux, Python, Ansible, etc?

https://redd.it/pylo8z
@r_devops

Gitlab proxied by F5?

I have a self-hosted gitlab on-premise, and would like to allow for limited external access to some collaborators. I tried using Azure App Proxy, but git clone, pull or push's do not work. I'm thinking I need a full featured reverse-proxy/WAF like an F5. Has anyone tried this before?

https://redd.it/pyne3q
@r_devops

Best Log Masking tool (json)

Does anyone here have experience with an application (self-hosted) or other set of tools for running json logs through for PII/PHI redaction?. I appreciate the help.

https://redd.it/pyp6y1
@r_devops

"The certificate for deb.nodesource seems to be expired"

https://github.com/nodesource/distributions/issues/1266


🙃
🙃
🙃

https://redd.it/pyopvo
@r_devops

Create an Azure AD group with Terraform

I'm trying to create a group in Azure Active Directory with Terraform but it appears the next error:

Error: could not configure MSI Authorizer: NewMsiConfig: could not validate MSI endpoint: received HTTP status 404
with provider["registry.terraform.io/hashicorp/azuread"],
on main.tf line 13, in provider "azuread":
13: provider "azuread" {

My code is :

# Configure the Microsoft Azure Provider.
terraform {
required_providers {
azuread = {
source  = "hashicorp/azuread"
version = ">= 2.0.0"
    }
  }

required_version = ">= 0.14.9"
}

provider "azuread" {
}

resource "azuread_group" "example" {
display_name = "Terraform-Test"
security_enabled = true
}

https://redd.it/pynljg
@r_devops

question for devops engineers, who writes your app infrastructure?

I'm in a weird spot where I'm not sure who should be responsible for writing application infrastructure with IaC tech like Terraform. One the one hand if a devops engineer has a list of requirements then they can write many different application services that easily flow together in one big IaC workflow.

On the other hand, if the application developers themselves want to practice the culture of devops (aka devops is a mindset not a job title), then the IaC workflow becomes more convoluted between services of the app. Different developers write code in different ways. They may not quickly or easily know how to reference outputs from other services in the app that are needed (for example a terraform remote state file).

So I'm curious how do companies that have devops engineers on the payroll design these responsibilities and workflow? Do you have your devops engineers write IaC based on developers' requirements or do you have developers own the infrastructure code first, then pass it off to SRE or devops engineers to deploy?

https://redd.it/pytqp3
@r_devops

Confusion with unit and integration testing in CI pipeline

Trying to get a better understanding of running unit and integration tests in a CI pipeline. I feel like I understand it, start working on it, and a bunch more questions come up, confusing me. Hoping this set of questions will be the last and it will all finally click.

# Unit Tests

I've been using this Dockerfile as a template of sorts because it pretty clearly delineates the various stages and concerns in a multi-stage Dockerfile.

The test and linting stages makes sense and is pretty straight forward to me: in the CI pipeline, target these stages and if passing target the production stage. Using RUN for these stages makes sense to me because you are just building and testing this code, not how it integrates with other services, and not deploying images of these stages, and just trying to determine as quickly as possible if the build is passing. If not, the build will fail. It seems somewhat unnecessary to add steps of building and then deploying just for this purpose.

Q1: Should these testing and linting stages be deployed as a container if they are just running unit tests, therefore converting the RUN to a CMD?

# Integration Tests

I'm struggling with these the most.

My understanding is that the flow should be:

PR ->
Build Code ->
Unit Tests (test and linting stages) ->
If passing, Build Production images (production stage) ->
Push to Container Registry ->
Pull from Container Registry ->
Deploy to Test Kubernetes Cluster ->
Integration Tests

This seems to necessitate deploying integration tests into separate containers for a couple reasons:

1. The production images have no development dependencies so you shouldn't be able to run tests in them.
2. RUN wouldn't work in this setup since no images are being built.

So my questions are:

Q2: Is this correct that integration test containers should be deployed?

Q3: Should there be a stage for integration tests in the Dockerfile that uses a CMD to be run when the image is deployed to a container?

Q4: I'm struggling to understand what this image would have on it: just tests that target the microservice end-points (e.g.., /api, /client, etc.) or is it a copy of the production build that still has testing dependencies?

Q5: If it is the latter, why deploy the production image since you aren't really testing it but a copy of it with the testing dependencies on it?

After typing this all out, I feel like the "correct" answer is having a unit-test stage that is RUN in the process of building production. Then having test-runner containers that just run integration tests with CMD against the running production images.

Q6: Or is what I just described more E2E than integration testing?

Thanks in advance for any feedback.

https://redd.it/pyw0ii
@r_devops

Nutanix Calm

Anybody have experience using or considered using Nutanix Calm for enterprise IaC deployments? Want to know if it’s worth paying for over just using terraform

https://redd.it/pyulns
@r_devops

Script getting started with Terraform in an Azure tenant

If you've ever wanted to get any Azure tenant setup and don't want to have to reference this article: https://learn.hashicorp.com/collections/terraform/azure-get-started or that article: https://docs.microsoft.com/en-us/azure/developer/terraform/overview

How about just trying my script? https://seehad.tech/2021/08/30/use-powershell-to-setup-any-azure-environment-for-terraform/

​

Check out my site for other good scripts for Azure! https://seehad.tech

https://redd.it/pyymcx
@r_devops

Good resources for learning/Testing Ansible automation?

I am kind of hoping for something like Tryhackme but realistically if I can't find that ill just spin some stuff up in my lab. but if anyone has any resources/advice it would be really helpful. I am not great on dev ops stuff and my role is more or less security dev-ops patching Linux servers and applying CIS baselines with Ansible. It would be nice to get more hands-on experience.

https://redd.it/pym6vs
@r_devops

AZDO & Variables

Shot in the dark here but I think I’m really close.

We’re utilizing Azure DevOps for our CI. We’re a legacy Windows app.

The goal is to tokenize a variety of configs (some in and out of the root) so that we can then change those tokens per environment. We would also like to manage our variables in our Library in variable groups, labeled after envs.

Using the default msbuild.exe task, we’re able to transform the root web.config using the web.release.config.

Ok great - but how can we transform configs out of the root? We can’t get the damn file transform task to do anything and there is one line of error it throws which is useless (v1 and v2).

Lastly, assuming I even can tokenize all of my configs, how can I push variables from AZDO libraries into these tokens?

<3

https://redd.it/pyzs7j
@r_devops

quay.io Down again!

Any idea when quay.io back in service? I am tired of these outages with quay.io.

https://redd.it/pye0va
@r_devops

Gcloud oauth credentials automate

So in my company, we are using gcloud as service provider and we create new projects for each of the clients.

For internal access to application, we have to manually configure the oauth from the credentials screen from the Console. I don't think google has made oauth API public, has anybody tried to automate the oauth configuration. Need to create 2 oauth groups.

https://redd.it/pydkm0
@r_devops

Question, how to prevent -- Internet goes down for millions, tech companies scramble as key encryption service expires

Per title, how could (or should) have DevOps identified and resolved this issue months ago?

Better test tools?
Better search/static analysis?
Improved (technical) risk identification and mitigation?
Better culture?
Better organization (people) to research lower level dependencies?
Better leadership from outside organizations (e.g. IEEE or similar)

Internet goes down for millions, tech companies scramble as key encryption service expires

> The expiration of a key digital encryption service on Thursday Sept 30, 2021 sent major tech companies nationwide scrambling to deal with internet outages that affected millions of online users.

> Tech giants — such as Amazon, Google, Microsoft, and Cisco, as well as many smaller tech companies — were still battling with an endless array of issues by the end of the night. The problems were caused by the forced expiration of a popular digital certificate that encrypts and protects the connection between devices and websites on the internet. The certificate is issued by Let's Encrypt , the largest issuer of such certificates in the world.

> At least 2 million people have seen an error message on their phones, computers, or smart gadgets in the past 24 hours detailing some internet connectivity problems due to the certificate issue, according to Scott Helme, an internet security researcher and well-known cybersecurity expert.

> “So many people have been affected, even if it's only the inconvenience of not being able to visit certain websites or some of their apps not working,” Helme said.

> “This issue has been going on for many hours, and some companies are only just getting around to fixing it, even big companies with a lot of resources. It's clearly not going smoothly,” he added.

> There was an expectation before the certificate expired, Helme said, that the problem would be limited to gadgets and devices bought before 2017 that use the Let’s Encrypt digital certificate and haven't updated their software. However, many users faced issues on Thursday despite having the most cutting-edge devices and software on hand.

> Dozens of major tech products and services have been significantly affected by the certificate expiration, such as cloud computing services for Amazon, Google, and Microsoft; IT and cloud security services for Cisco; sellers unable to log in on Shopify; games on RocketLeague; and workflows on Monday.com.

> This problem has flown under the radar of many major tech manufacturers, including Big Tech companies such as Apple, Google, Sony, and Microsoft — none of which have made announcements to customers about the issues, Helme told the Washington Examiner on Wednesday before the certificate expired.

https://www.washingtonexaminer.com/news/tech-companies-struggle-millions-suffer-digital-certificate-expiry

https://redd.it/pz4e55
@r_devops

How to start learning devops?

I have been doing development (as a full stack developer) for a while now, and currently working on various personal projects which requires devops stuff, rn I have a Django-nginix-graphql-nestjs dockerized full stack webapp and thought of using azure for all the deployments stuff but don't know where to start.

Any help would be great!

https://redd.it/pyc4jq
@r_devops

Kubernetes Visualizer Ideas

Hey guys! I'm currently brainstorming ideas for a visualizer OSP for Kubernetes, and was wondering if developers could tell me what metrics you want more interaction with?

https://redd.it/pybskw
@r_devops