DevOps Bulletin Newsletter - Issue 36
Hey folks,
DevOps Bulletin - Digest #36 is out, the following topics are covered:
🔒 Kubernetes API access security hardening: Do you want to implement strong authentication and authorization in the Kubernetes cluster you manage? Learn about the best practices concerning API access control hardening in the Kubernetes cluster.
🤩 10 real-world stories of how we’ve compromised CI/CD pipelines: Everything from Jenkins to Docker to Kubernetes to laptops is mentioned; there’s probably something relevant to your environment
🚀 GitHub Actions through annotated examples
⭐️ Introduction to eBPF and how it can be used to add security, networking, and other capabilities in the Linux kernel space
PostgreSQL guide: If you are a PostgreSQL data architect or an administrator and want to understand how to implement advanced functionalities and master complex administrative tasks with PostgreSQL, then this guide is perfect for you.
🎬 The official Kubernetes Documentary: this film captures the story directly from the people who lived it, featuring interviews with prominent engineers from Google, Red Hat, Twitter and others. So exciting to see how the whole Kubernetes journey started ❤️
Complete issue: https://www.devopsbulletin.com/issues
Feedback is welcome :)
https://redd.it/sh7nw6
@r_devops
HOW to leverage Github Actions and Terraform
I'm looking at ways to better use GH Actions in support of deployment methods.
We currently build out multiple environments that are the same(ish).
- each customer is a new AWS/Azure/GCP environment
- all environments conform to an overall architectural and security standard but many components and services are configured specific to the client.
- some clients may have pieces others don't
- I'm mostly only interested in deployment and not on-going operations.
We lay out our TF code with each tool or system in a folder, e.g. 'iam/security/database/app1/etc...'
As these environments are built out essentially folder by folder over weeks and months, having a GH Action attempt to deploy everything at once is obviously a non-starter.
Should I have a single action for each folder, expecting engineers to add the action when they start their work on that piece?
Or is there a way I can have GH actions only attempt to TF fmt/init/plan/apply on the changed files and assume the rest of the environmental dependencies are there?
Or something else entirely?
https://redd.it/sh9ew8
@r_devops
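One way to answer the "only run TF on the changed folders" question is a small helper step that turns the pull request's changed-file list into a job matrix, so each touched stack directory gets its own fmt/init/plan job (and apply only on merge). The script below is an added example, not code from the poster or any project; it assumes the one-stack-per-top-level-folder layout described above (`iam/`, `security/`, `database/`, `app1/`), a constructed file list for the test, and hypothetical names for the ignored paths and the `STACK_DEPTH` variable.

```python
"""Compute which Terraform stack directories a change set touched.

Intended as a helper step in a GitHub Actions workflow: pipe the output of
`git diff --name-only <base>...<head>` into it and it emits a JSON list of
the directories that contain changed Terraform files. A later job can use
that list as its matrix so only those folders get fmt/init/plan, while the
rest of the environment is assumed to already exist.
"""
import json
import os
import sys
from pathlib import PurePosixPath

# File suffixes that should trigger a Terraform run for their directory.
TERRAFORM_SUFFIXES = {".tf", ".tfvars", ".hcl"}

# Hypothetical prefixes that never map to a deployable stack (CI config, docs, tooling).
IGNORED_PREFIXES = (".github/", "docs/", "scripts/")


def changed_terraform_dirs(changed_files, depth=1):
    """Return the sorted, de-duplicated stack directories for the changed paths.

    depth=1 treats the first path component as the stack ("iam", "database");
    a deeper layout such as "<client>/<stack>/" can pass depth=2.
    Paths outside any stack (files at or above stack level, ignored prefixes,
    non-Terraform files) are skipped so a README edit does not trigger a plan.
    """
    stacks = set()
    for raw in changed_files:
        path = raw.strip()
        if not path or path.startswith(IGNORED_PREFIXES):
            continue
        p = PurePosixPath(path)
        if p.suffix not in TERRAFORM_SUFFIXES:
            continue
        if len(p.parts) <= depth:  # file sits at or above stack level
            continue
        stacks.add("/".join(p.parts[:depth]))
    return sorted(stacks)


def matrix_json(changed_files, depth=1):
    """Serialise for `${{ fromJSON(...) }}` in a workflow `strategy.matrix`."""
    return json.dumps({"dir": changed_terraform_dirs(changed_files, depth)})


if __name__ == "__main__":
    # Hypothetical STACK_DEPTH env var selects the layout depth; default is one level.
    depth = int(os.environ.get("STACK_DEPTH", "1"))
    dirs = changed_terraform_dirs(sys.stdin.read().splitlines(), depth)
    out = json.dumps(dirs)
    # When GITHUB_OUTPUT is set, expose the list as a step output named "dirs".
    gh_output = os.environ.get("GITHUB_OUTPUT")
    if gh_output:
        with open(gh_output, "a", encoding="utf-8") as fh:
            fh.write(f"dirs={out}\n")
    print(out)
```

In a workflow this runs in a "detect" job (`git diff --name-only origin/main...HEAD | python changed_dirs.py`), and the plan job declares `strategy.matrix.dir: ${{ fromJSON(needs.detect.outputs.dirs) }}` with `working-directory: ${{ matrix.dir }}`; guard the plan job with an `if` that skips it when the list is `[]`, since an empty matrix is an error. Splitting by folder also lets each job assume a narrowly scoped cloud role for that stack rather than one credential that can apply everything, and keeps `apply` behind the merge event while pull requests only get `plan`.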
Cherrybomb is a CLI tool that helps you avoid undefined user behavior by validating your API specifications.
Cherrybomb is a CLI tool that helps you avoid undefined user behavior by validating your API specifications.
https://github.com/blst-security/cherrybomb
https://redd.it/shbldd
@r_devops
API Integration Advice
Hey guys,
So I've been in the data integration game for some time, but I'm kinda embarrassed to admit I've usually been looped in when the API endpoints/middleware are already well-established and it's just straightforward implementation.
If you were doing an API integration (from scratch) between, for example, an ecommerce back-end like WooCommerce and another service, what kind of infrastructure/orchestration would you need to configure/setup to lay the proper foundation?
Thanks everyone - I always have found the feedback and discussion here really informative and helpful!
https://redd.it/shbe2e
@r_devops
Host system running different OS distro in docker container - any negative effects?
I was just thinking: does it make a difference if I use an Ubuntu based image and run it on a different OS family, e.g. CentOS or Fedora? Any performance implications?
https://redd.it/shfb7c
@r_devops
Automating role-based authorisation strategy in Jenkins
I’m using the role-based authorisation strategy plugin GUI to manually administer and assign permissions to different roles, based on the projects/folders required.
Has anyone had experience automating this? Something such as jenkins configuration as code, but without the need to restart jenkins each time a new role/project is onboarded.
I have found a hacky solution that uses a custom .json file to list the roles and groups as they’re added, and a groovy system config script to read these changes.
My confusion lies in where to feed in this script/.json file. Putting it in the dockerfile would require a new image to be built and a jenkins restart for the changes to take effect right?
The plugin doc mentions a script, but doesn’t provide much information on how and where to implement it in the jenkins controller build process, in the beginning or as a pipeline job itself…
How are you managing your jenkins roles and permissions matrix for projects?
https://redd.it/shennc
@r_devops
Changing of mindset
Started taking ownership of DevOps functions at my job, working with CloudFormation and release management. My boss has given me full ownership of these processes, meaning I should be the single point of truth for any fixes or updates. I am really struggling with this because I have always sent problems to more senior members to show me how to fix them. Now I am that person who should have the solutions. How does a DevOps/software programmer become better at being the owner of a process?
https://redd.it/shjhu5
@r_devops
What VPN/access solution do the big tech companies use?
What does Microsoft/Apple/Netflix etc use for allowing employees to access internal systems?
I'm a jr DevOps engineer working for a (currently small) startup, looking to employ thousands of people a year, and have been tasked with looking into highly scalable remote access solutions. I would like to know what existing companies use for this, and what any of you would recommend.
https://redd.it/shjs0i
@r_devops
CentOS8 core package repositories are no longer available
We've been waiting for it to happen, and today docker images and cloud compute nodes are no longer able to access the core CentOS8 image repos:
CentOS Linux 8 - AppStream 113 B/s | 38 B 00:00
Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: No URLs in mirrorlist
The command '/bin/sh -c yum install -y rpm-build rpmlint yum-utils elrepo-release jq' returned a non-zero code: 1
Makefile:77: recipe for target 'centos-8' failed
Same error occurs for all repos, just appstream comes first.
This occurs with trusted images and AWS AMIs, because the repo mirrorlist is now inactive.
https://redd.it/shbdbv
@r_devops
(New project / feedback request) - ssm-provisioner - A script that provides the ability to provision AWS instances via SSM
Hey all,
Thought I'd post about a new project I've been working on during my free time - ssm-provisioner.
I'll keep this somewhat short, but the main point of this project is to offer a simple method of SSM-based provisioning through Terraform.
Obviously, provisioners are not an ideal choice in most situations, but I've occasionally found need of something like this for personal projects where I'm not entirely worried about "production" quality deployment, but still would rather have a more secure option for live provisioning.
That's about it! It runs on the MIT license, and I'll be leveraging a formal semantic release and test process for it - mainly so I can keep some of my NPM and miscellaneous maintainer skills a bit more sharp.
Let me know what you think, and feel free to add issues, feedback, perhaps even some code if you'd like. I'll be fine tuning the contribution process, test suite, etc - for an upcoming "stable" release after I've had some good run time and feedback for this.
https://redd.it/shmgj3
@r_devops
GitLab
Zachariah Dzielinski / ssm-provisioner
A script that provides the ability to provision AWS instances via SSM.
How important do you think communication skills (particularly documentation and presentations) are to a DevOps Architect role?
I know this is really open ended and probably could be significantly different from company to company (20 person startup vs a 1000 or 10k person company).
I personally think of architects as extremely influential people in a company, not just good designers, but good evangelizers, communicators, able to draw out people's concerns and issues in order to best solve for them in a broadly adoptable manner.
But I want to get other people's opinions. Have you ever seen an architect thrive who wasn't very strong in communication/presentation skills?
https://redd.it/shnqhf
@r_devops
New developer
This might be a dumb question, but I am making a career change. I was planning to move into IT, but I enjoy developing more. Do I need any IT experience to get a position as a frontend or backend developer? Also, what’s the best way for me to get a position?
https://redd.it/shhnqm
@r_devops
Best resources on latest DevOps practices and trends
Where do you guys go for latest DevOps practices, trends, and news? Preferably something more technical.
https://redd.it/shqnrv
@r_devops
Should I buy KodeKloud subscription?
I'm a second year CS major and currently thinking of getting a KodeKloud subscription.
1) Is it worth it?
2) Should I get the standard or Pro subscription?
Also, I have just started my DevOps journey so any piece of advice is much appreciated :)
https://redd.it/sh2uy0
@r_devops
Kubernetes, Openshift and Docker Swarm differences and comparison?
Hi, I am looking for a website or book etc where I can find the differences and comparison between Kubernetes, Openshift and Docker Swarm. Can you recommend any source where I could find this?
https://redd.it/sgyn0m
@r_devops
Top DevOps Trends for 2022
DevOps is already making headlines across the business world. In this blog post, we’ll introduce you to the new and emerging DevOps trends that will become more apparent in 2022.
https://redd.it/sht5j2
@r_devops
Multi-cloud Kubernetes and whatnot
We’re in the process of deploying everything to multiple cloud providers. We’re already in GCP, AWS is next then Azure. Mostly we’ll be using Kubernetes for the applications and such. For some reason, management wants us looking into the Kubernetes managed services for each provider (EKS, AKS, GKE) which makes no sense to me, really. I think it’d be easier to deploy our own vanilla Kubernetes setup so it’s more “write once, run everywhere”…heh. I know there are tools to abstract out some of the managed specific bits, but I’m still leery.
Anyway, I’m totally open to being wrong, but I’d like to hear from others on which direction they went and why. Preferably from those who have hundreds of applications with 25k+ instances in each provider. Thanks for any insight/links/whatever!
https://redd.it/shutbk
@r_devops
How to implement Blue/Green Deployment using AWS CodePipeline
Hello all,
We engineers have put together a step-by-step process for implementing Blue/Green Deployment using AWS CodePipeline (including screenshots). Hoping this will be of some use to fellow engineers.
https://blog.axiomio.com/configuring-blue-green-deployment-using-aws-codepipeline-c403196c6c16
Any constructive feedback or ways to do this any differently are welcome.
https://redd.it/shuyzt
@r_devops
How to (or even should I) sell an IPv4 block?
Hey, so we finished our migration to the cloud and we're left with a /24 unused block of IPs our company has had since forever.
Looking around the net I've found a few websites that auction IPs, but they do seem a bit dodgy, even more so since we've been receiving random phishy-looking emails asking to buy them every now and then.
Is this a legit market? Can you suggest a website that has worked for you? Any technical considerations we should be mindful of?
https://redd.it/shw9yr
@r_devops
How do I solve the lets encrypt rate limit issue with ambassador
Hello everyone, please I need help with this. Our Ambassador ingress controller generates our TLS certs and secrets, but a change was made in our environment and it caused an error with the Host file, so now the rate limit is high. I get a “too many certificates already issued for exact set of domains (10) in the last 168 hours”.
I would like to know how Let's Encrypt counts so I know when we can generate a new one, and how I can solve this too. Does anyone have an idea?
https://redd.it/shxwpg
@r_devops
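The error message quoted above gives the two things needed to work out when a retry can succeed: the window (168 hours) and a count per exact set of domains. The helper below is an added example, not code from the poster or from the CA; it takes issuance timestamps (here a constructed log in the shape an ingress controller or certificate-transparency lookup would give) and computes whether a new request for the same domain set is blocked now and when the sliding window reopens. The limit is a parameter because the number in the post's message and the CA's published limit may differ; the domain names and times are constructed.

```python
"""Reason about a sliding-window certificate issuance limit.

Given the issuance times of certificates for one exact set of domains, a
window length and a per-window limit, answer "is a new request blocked at
`now`?" and "when is the earliest time it would be allowed?".
"""
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=168)  # the 168-hour window named in the error


def domain_set(names):
    """Normalise a SAN list so 'exact set' comparisons ignore order, case and trailing dots."""
    return frozenset(n.strip().lower().rstrip(".") for n in names if n.strip())


def issuances_in_window(issued_at, now, window=WINDOW):
    """Timestamps that still count against the limit at `now`, oldest first."""
    return sorted(t for t in issued_at if now - window < t <= now)


def next_allowed(issued_at, now, limit, window=WINDOW):
    """Earliest time a new issuance for this exact domain set is permitted.

    Returns `now` if fewer than `limit` issuances fall inside the window.
    Otherwise enough of the oldest entries must age out of the window for the
    count to drop below `limit`: with n entries in the window, that happens
    when the (n - limit + 1)-th oldest one leaves, i.e. at its timestamp plus
    the window length.
    """
    recent = issuances_in_window(issued_at, now, window)
    if len(recent) < limit:
        return now
    return recent[len(recent) - limit] + window


def is_blocked(issued_at, now, limit, window=WINDOW):
    return next_allowed(issued_at, now, limit, window) > now


# Constructed sample: (SAN list, issuance time) as a controller might log them.
# Five requests for the same pair of names in twenty minutes is what a
# misconfigured Host resource retrying in a loop looks like.
_UTC = timezone.utc
SAMPLE_LOG = [
    (["app.example.com", "www.app.example.com"], datetime(2022, 2, 1, 9, 0, tzinfo=_UTC)),
    (["www.app.example.com", "app.example.com"], datetime(2022, 2, 1, 9, 5, tzinfo=_UTC)),
    (["app.example.com", "www.app.example.com"], datetime(2022, 2, 1, 9, 10, tzinfo=_UTC)),
    (["app.example.com", "www.app.example.com"], datetime(2022, 2, 1, 9, 15, tzinfo=_UTC)),
    (["app.example.com", "www.app.example.com"], datetime(2022, 2, 1, 9, 20, tzinfo=_UTC)),
    (["api.example.com"], datetime(2022, 2, 1, 10, 0, tzinfo=_UTC)),
]


def history_for(log, names):
    """Issuance times in `log` whose SAN set equals `names` exactly."""
    wanted = domain_set(names)
    return [t for sans, t in log if domain_set(sans) == wanted]


def app_set_status(now_iso, limit):
    """(earliest allowed time as ISO 8601, blocked?) for the constructed app set."""
    now = datetime.fromisoformat(now_iso)
    hist = history_for(SAMPLE_LOG, ["app.example.com", "www.app.example.com"])
    allowed = next_allowed(hist, now, limit)
    return allowed.isoformat(), allowed > now


if __name__ == "__main__":
    when, blocked = app_set_status("2022-02-02T00:00:00+00:00", 5)
    print("blocked" if blocked else "allowed", "next allowed at", when)
```

The count is the symptom, not the cause: the retry loop that the Host misconfiguration set off is what filled the window, so fix that first or the window refills as soon as it reopens. Adding or removing a name changes the "exact set", which is why the unrelated `api.example.com` history does not affect the app pair here, and testing the fix against the CA's staging environment keeps experiments from counting against the production limit.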
Tree people vs. Forest people
I wrote a post comparing what I call "tree people" to "forest people" and would be interested to hear what y'all think.
tl;dr Forest people are systems people and are disproportionately represented in DevOps. Usually we are right, but sometimes not.
badgateway.qc.to/tree-people-vs.-forest-people
https://redd.it/shxe1k
@r_devops