Reddit DevOps
Local Development with Kubernetes Service Accounts

I'm a devops engineer and I'm trying to convert an application from using an AWS service account w/ key and secret for authentication, over to using a k8 service account to assume an AWS Role.

The challenge I'm facing is that the app developers use IntelliJ on their local machines to test their code, which requires hitting AWS resources. This means that they have possession of the key and secret for the service account (in our dev environment at least) on their local machines. If their IAM user is terminated, they still have possession of those keys and security is not ok with that. We don't have a good mechanism for key rotation, nor is there a plan for one.

...Hence using Kubernetes service accounts to assume an AWS role and grant the application the AWS permissions that it needs to function. Since we are using EKS and the containers already assume the cluster role by default, this has been super easy to implement. But it totally breaks the ability for devs to run the applications locally in IntelliJ.

I'd love to set them up with the ability to run the application locally using Docker Desktop's Kubernetes environment or something like that. But then they have to build the app and then deploy it locally, which is far slower and less streamlined than IntelliJ. They are used to being able to run the application without even having to build it.

I'd love any and all suggestions as I am totally out of ideas.

https://redd.it/sxtjv4
@r_devops
Is there an easier way to SSH to ECS containers?

When I want to SSH to ECS I use

```
aws ecs execute-command --cluster <Cluster> \
    --task <taskId> \
    --container <ContainerName> \
    --interactive \
    --command "/bin/sh"
```

But the ECS container gets rebuilt on every pull request so I have to keep going to AWS and get the new task ID.

Is there any other more convenient way to SSH?

https://redd.it/sxw5gj
@r_devops
question about internet speeds...

So, I'm looking at moving to a new house. The place is awesome but it's also pretty rural, and it seems difficult to find internet plans that are more than 50mbps. I'm used to having a much faster connection than that, like at least 300.

I need to know if I can do my job from home before I commit to purchasing a property... y'all think 50mbps would cut it?

https://redd.it/sxzd6h
@r_devops
Does anyone here use oauth2 proxy in front of Atlantis?

I'm trying to figure out how to insert https://github.com/bitly/oauth2_proxy in front of https://github.com/runatlantis/atlantis via Terraform but have several questions. First, is there any publicly existing Terraform repo that can set this up automagically on Kubernetes? My google-fu is coming up short. Second, are there any automagic scripts that can generate the config values for you via the GitHub API? The end goal really is to just figure out how to get this as automated as possible so I can add auth to Atlantis. Any additional suggestions appreciated!

https://redd.it/sy0o6c
@r_devops
Telepresence with Consul

I've gotten Telepresence working without Consul (and it's great!), but I'm having some trouble when I add Consul connect's Envoy sidecar. I see the `traffic-agent` sidecar for the service I'm intercepting, but all of the traffic is still flowing thru Envoy.

Have any of y'all gotten Telepresence+Consul working? Thanks!

https://redd.it/sy4raf
@r_devops
Does anyone have experience using KodeKloud as a learning tool? What was your experience?

It is on sale right now. I enjoy the structure for learning and it is on sale right now. Any experience? And alternatives you enjoy?

https://redd.it/sy6e5w
@r_devops
Any folks from the zerossl project lurking these forums? Your user signup page cert is expired.

https://app.zerossl.com/signup

I was looking for an alternative to cert-manager/letsencrypt because of rate limiting pains. This does not look as promising :(

https://redd.it/sy9p9f
@r_devops
EKS ingress

I want to set ALB ingress. For some reason Ingress forwards paths to services. For example, if I access mydomain/ng-test/ I get redirected to nginx-test-service but in the pod log I see

\[error\] 35#35: \*16 "/usr/share/nginx/html/**ng-test**/index.html" is not found (2: No such file or directory),

Can I somehow force ingress not to add path?

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alb-app
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/certificate-arn: ***********
    nginx.ingress.kubernetes.io/rewrite-target: / #test ....?
spec:
  #ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /ng-test/
            pathType: Prefix
            backend:
              service:
                name: nginx-test-service
                port:
                  number: 80
          - path: /
            pathType: Prefix
            backend:
              service:
                name: xxxx
                port:
                  number: 8989
```

https://redd.it/sy536o
@r_devops
Branching strategy for Infrastructure as a code

Hi folks,

I am very curious about people's way to manage infrastructure in git and looking for a way to improve mine.
So, we are using Terraform and store the code separately from the source code. The infrastructure code is relatively complex and in general divided into 2 modules (global resources, regional resources), then each environment calls the modules from its own environment folder and supplies variables.
I have a problem with the branching strategy for the module (it's a separate repo). The software release does not happen often (once in a few months, because before going to prod it is tested on like 4 environments).
So we have a master branch, where prod is deployed from the SW released version (say 2.6.30).
Then we have a develop branch with the version that reflects current development (let's say, 3.x).
Then sometimes developers start a completely different version (4.x) while releasing fixes and features for the current master and develop branches.
So, we have a sort of branching hell.
Do you guys have any tips on how to support this scheme?

https://redd.it/syi0ye
@r_devops
Which source code management alerts are most important to monitor?

Assume the alerts are sent to a central channel and not to the individual user who performs the action.

https://redd.it/syhdy5
@r_devops
Facing an issue with Step Function

I want to run a function every 2 mins but I want to start those 2 mins only after the execution of that function is complete. I saw that this is a use case of Step Function so when I created my workflow.

Start -> Run ECS Task -> wait(2mins) and now I want to run the function again in an infinite loop. But Step Function is not allowing that, it needs an "End" statement.

Any workaround for this?

https://redd.it/syk9k2
@r_devops
Has git conquered the source control world?

Are there people who still use other source control like ClearCase, SVN, etc, other than old projects that are sort of abandoned?

https://redd.it/syo6tm
@r_devops
CRLF vs LF Git FIX

```
git config --global core.autocrlf true
```

Does this allow Mac/Windows users to treat CRLF and LF as the same or will this ONLY remove the warning error?
Currently when I do file comparison via FileZilla it shows my files as different which is a pain when working in a team.

If I pull from GitHub when synced with server it shows conflicts.
I think this is due to me being on Windows and the team being on Mac so I'm looking for a long term solution!

https://redd.it/sylkgl
@r_devops
DevOps projects

How are you guys presenting DevOps projects in your resumes?
How to do or demonstrate a DevOps project in GitHub?

Shoot your opinions and answers

#devops

https://redd.it/syk3ae
@r_devops
Remote work cost of living calculator

There’s been a few discussions on here recently about remote salaries and how they normally vary by location based on cost of living.

Is there any online resource we can use to predict what companies' cost of living based salaries will be?

Example, I’m currently looking to move out of NYC area but don’t want to totally screw up my salary. I’m looking at Frederick, MD or Dutchess County, NY. I think Maryland is safe but I’d prefer Dutchess County (Poughkeepsie area). Even though it’s high tax and reasonably pricy I think it will fail the COL calculator.

https://redd.it/sypi9i
@r_devops
Why can't I create a standard public IP in Azure?

Hey,

I'm trying to create a Standard Public IP in Azure but when I do it errors out saying I have insufficient quota for Basic Public IPs. I know I do, that's why I'm trying to create a Standard, not a Basic because I have plenty of Standards left to use.

I originally tried this in Terraform but now I'm just doing it in the Azure portal to troubleshoot. I'm selecting Standard in the SKU so I don't know what the problem is or why it thinks I'm trying to create a Basic.

Any help would be appreciated.

Thanks


UPDATE: I deleted a Basic IP and tried to create a Standard. It worked but now when I check my quota both the Basic and Standard have gone up by 1. Does a Standard Public IP also use up your Basic Public IP quota?

https://redd.it/syks00
@r_devops
Some of the best terminal utilities you have ever used and are still using.

When I got introduced to tmux or lazygit, I got hooked on the wide range of powers 😅 that I felt within my hands. Across my org, I was successfully able to move everyone to be using either of them.

So what are some other awesome terminal utilities that you have come across?

https://redd.it/syrl3g
@r_devops
Kubernetes and Cloud Native Associate (KCNA) Certification. Good for someone looking to break into the field?

I am looking to break into the DevOps field in hopes to get a Junior / Beginner level role after working in IT Support and Application/Software Support for 3-4 years.

I stumbled upon the KCNA Kubernetes and Cloud Native Associate Certification from The Linux Foundation and really liked how it’s geared towards beginners. I have been doing a lot of research and searching at job postings and found that Kubernetes is an in-demand skill.

Do you think this certification is worthwhile? Obviously it’s beginner based and nothing compared to something like the CKA or CKAD certifications… but was wondering if it’s a good talking point on a resume or to get some looks from recruiters/interviewers. I was thinking of doing the certification and having some projects that use Kubernetes hosted on GitHub or talking points where I’ve had hands-on experience to supplement the learning.

For a Junior/beginner… would you recommend this? The price isn’t an issue for me at the moment. Here is the link for more info:

https://training.linuxfoundation.org/certification/kubernetes-cloud-native-associate/#review_module

https://redd.it/sz28zt
@r_devops
Does anyone know what happened to Slack on 2-22-2022?

Hey guys, wanted to understand the cause for the Slack downtime.

https://redd.it/sz9ldm
@r_devops