Pants 2.14: Support for templating and deploying Helm charts
Pants 2.14 was just released, and includes support for a new deploy goal, with an initial ruleset for Helm. https://blog.pantsbuild.org/pants-2-14/#do-more-of-your-workflows-in-pants-with-the-experimental-deploy-goal-with-initial-support-for-helm
Pants will automatically:
1. Infer the Docker image dependencies of your Helm charts
2. Build and publish image dependencies
3. Post-process the Kubernetes manifests to use the published image names
4. Run the Kubernetes deployment resulting from the post-processing
Please check it out and let us know what you think!
https://redd.it/ye53su
@r_devops
azure - vm size for the cluster and for the node pools?
I'm creating a cluster for a client (yay employed!) but client wanted to use Azure. I had just light contact with Azure before but I'm willing to learn.
Client reserved a VM for 3 years for us. He wants a managed AKS installed on one of those VMs.
My question is: I'll create the AKS selecting the reserved VM; will I be stuck with a single node pool? As I understood when I create a node pool I have to state the size of the VM as well.
If I use the reserved VM (F8 instance) and create nodepools with smaller sets (a system node pool with the bare minimum, another node pool for an application), will I be using (and paying for) several VMs? If so I'll have to stick with 1 node pool and manage replication on the containers/replica-sets?
Or it will create VMs on that reserved bigger VM and I'll not be paying extra?
For example, F8 has 8vCPU and 16GB RAM, which means I can "create" 4 node pools DS2 with 2vCPU+4GB RAM?
I'm reading the https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools docs but nowhere it solves my doubt.
Thank you!
https://redd.it/ye2y2i
@r_devops
Unable to install VirtualBox on my macOS Monterey (Apple M1 Pro chip)
Is there a different hypervisor that's compatible with my machine? I'm new to Macs and VirtualBox is the only hypervisor that I've used so far to configure VMs.
https://redd.it/ye1id9
@r_devops
With all these DevOps tools, what’s the use case for using Python?
Is using Python still a necessity? I know a lot of these tools use Python under the hood, but do you have to know it?
https://redd.it/ydt1su
@r_devops
How did the Solarwinds attack and log4j affect your work as a Junior Admin?
title asks it all
https://redd.it/yehina
@r_devops
What happens when a node with local persistent volume goes offline in K8s?
From what I've understood about local PVs, they are allocated on a single node itself. What happens when this node goes down? Is there any way to set up replicas (or something similar) of a local PV on different nodes?
Note: I'm referring to multi-master multi-node cluster.
https://redd.it/yeizu5
@r_devops
Nginx ingress controller: how to insert whitelist-source-range annotations globally, but conditionally at the same time?
Hi Guys,
I wonder if that's even possible ;)
We have one ingress controller resource which monitors multiple Ingress resources in our k8s cluster.
Let's say ~40 Ingress resources. Some of them have whitelist-source-range defined to allow access only from selected IP ranges. Some of these Ingress resources are publicly opened.
Now, this mechanism works perfectly fine. Nothing wrong about it, except we need to maintain, monitor and track correctness of white-source IP ranges in a number of Ingresses.
Therefore, we were wondering if there is a way to conditionally inject the whitelist-source annotation into selected Ingresses based on URL, e.g. if the ingress URL contains magic text, say ".notpublic.", then insert the white-source annotation.
Another way would be to have two ingress controllers: one open for public access, and a second one for private access (with the whitelist-source-range annotation).
Appreciate your help and input.
https://redd.it/yekoi3
@r_devops
Devops or cloud engineering
Hi everyone,
I am about to finish my master's degree in IT in the next few months and was thinking of getting into devops or cloud engineering. I know most of you say there is no such thing as junior or entry devops roles, but I am moving to Melbourne or Sydney after graduation and there are some job posts there for junior or entry level devops engineers.
I have 4 years of work experience in mechanical engineering, and no IT work experience although I have done some tinkering with HTML, CSS and JS in the past.
I have got 4 months left till I graduate and would like to gain some solid skills in that period by self-studying.
Which career path might be more suitable for me?
https://redd.it/yemrud
@r_devops
What's the best way to update/manage a self-hosted k8s/k3s cluster?
My aim is to make my home server and deployments more accessible externally and also add in some more comprehensive management tools for a better "more professionally maintained" environment.
I have a simple k3s cluster running and was wanting to add in TF so I can store and use secrets from my vault instance and possibly make some TF modules for deploying new apps which would create and update Cloudflare DNS entries/cert-manager definition/nginx ingress/(authelia config maybe too)
I do have azure arc connected so I could potentially have a GHA connect via that proxy, or I could try to expose the cluster externally and connect it to GHA somehow, or use kubectl proxy connected to a subdomain e.g. cluster.domain.com then whitelist certain IPs for access or something.
I've also been researching Crossplane which looks like it could be fun and powerful to help manage the cluster instead of TF for applying changes, but that may be over complicated at this point.
Yes, this is more complicated than just managing some yamls and using a VPN like I do now, but was wanting something more comprehensive for learning purposes as well.
https://redd.it/yekmon
@r_devops
open-appsec Machine Learning-based WAF open-source code is now published on GitHub
open-appsec is a new open-source initiative that builds on machine learning to provide enterprise web application and API security with the visibility, protection and manageability that is required by modern workloads.
The engine is powered by two machine learning models:
A supervised model that was trained offline and fed with millions of requests, both malicious and benign.
An unsupervised online model that is being built in real time in the protected environment. The online model is updated constantly based on inbound network traffic.
Since it's not based on signatures, it proved to be effective against zero-day attacks such as Log4Shell, Spring4Shell and the recent Text4Shell - blocking them using the default settings and with no update.
We are glad to update that the code of open-appsec is now fully available on **GitHub**. Thank you to those who participated in the early review and provided comments.
See more details in this blog https://www.openappsec.io/post/open-source-code-is-now-published-for-open-appsec-machine-learning-based-waf
The project is still in beta and the team is eager to get your feedback about the product and the code. Please use the community page at https://openappsec.io/community
https://redd.it/yenjff
@r_devops
Is FANG DevOps all about coding
So I have been contacted by a few FANG companies' recruiters offering to participate in interviews for being recruited into DevOps/SRE positions. All of them include multiple coding exercises to prove you're worthy of their money showers. From what I am told they do a lot of in-house coding to replace well known monitoring, configuration management software because it is not capable of handling their insane size of infrastructure. So basically it is much more of writing code than using usual infra management activities with open-source software solutions used globally I am more used to. I myself come from infra background with little actual development experience so I am not even sure why I draw their attention. Also having experience working in Enterprise and large infra using well known tools I find it strange that FANG find those tools incapable. Are the DevOps working in FANG all geniuses or is it because coming from Developer background they don't know much on how to properly configure those tools for large scale? Maybe there's another reason I am not aware about?
https://redd.it/yevhaw
@r_devops
Has anyone had luck getting a four-day workweek?
Currently, despite working in a FAANG (or perhaps because of that), I get several job offers every week. The salary range is most of the time lower and sometimes much lower than the one I have currently, which is kind of expected I suppose.
The thing is, I'm kind of burned out from the long work days and stress, so I'm looking for options, even if they pay less. Still, I have the feeling that just changing to another company will not fix it, best case scenario I will work fewer hours (maybe), for less money.
A four-day workweek, however, I think will make a big difference. So when contacted, usually after it is clear that the salary range they offer is below my expectations, I offer the option of a four-day workweek with noticeably reduced salary expectations. So far, despite the urge some of them have to find someone, no luck.
For the record, I'm in Europe, and in my country, there are companies using this system, and even the government funded some trials about it, so it is not something crazy to ask, especially in a field so in demand.
Could anyone get this kind of arrangement? Is it really that difficult to find a position that allows it?
https://redd.it/yezm14
@r_devops
How to prevent triggering Gitlab pipeline on new tag creation
I have a repository that I am using as a template for semantic release:
release.yml
```yml
workflow:
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_COMMIT_BRANCH == "test"
      when: always
    - if: $CI_COMMIT_BRANCH == "main"
      when: always

.release:
  image: docker-images/semantic-release-test:v0.2.2
  variables:
    GITLAB_TOKEN: $GITLAB_ACCESS_TOKEN
  script:
    - npx semantic-release --debug
```
and I am referencing it in another project
.gitlab-ci.yml
```yml
stages:
  - release

include:
  - project: templates/semantic-release-test
    file:
      - release.yml

docker_release:
  stage: release
  extends: .release
```
The problem is that there is still a second pipeline being created after the script creates a new tag. I did try to implement the logic within the .gitlab-ci.yml without the template and it works fine. But when I am using the include key a new pipeline is being triggered regardless. I have tried many other variations of adding rules to the end of the job or and to the .gitlab-ci.yml as to the release.yml but no luck.
Any ideas on why is that happening?
https://redd.it/yf4501
@r_devops
DevOps vs DevSecOps: What's the Difference?
DevOps is the amalgamation of Development (Dev) and Operations (Ops). **DevSecOps** combines development, security, and operations. DevSecOps incorporates security in every phase of the Software Development Lifecycle (SDLC).
https://redd.it/yf9124
@r_devops
Data Analyst/Data Engineering Role on DevOps Team?
Hi DevOps Community,
In the past year I’ve moved from a software engineering team over to an engineering team that supports DevOps tooling and have gone full circle for my current role on this team.
This team does perform cross collaboration work with a few other teams but from my understanding was that it seemed I would be able to boost and enhance my DevOps engineering skill set and enhance the following skills: Ansible, Docker, Kubernetes, Linux etc. more skills basically in this area.
Initially team needed me as a scrum master with some technical work on the side building reports for the DevOps tools we support, then moved to a product owner and finally full technical role which I prefer over everything else.
Most of my role now has been supporting and owning one DevOps tool/system and making sure the lights stay on and people have access to tooling. I get to work with K8S here and troubleshoot pod issues etc. The other half of my role is supporting some business intelligence work continuing building reports and helping build data pipelines.
This is my dilemma:
I feel like my career/role is split between what would normally be a data engineer/data analyst and a potentially full blown DevOps Engineer. I honestly don’t know if I should continue splitting my role between specific areas of work or focus on just one area. It honestly has led me to feeling some burnout. Somehow this data work has increased over the months and even other data work comes down the pipeline. Somehow we have put a small set of teammates to perform the data work but it makes no sense to me when there is another fully dedicated team that does this in another part of the company. This team I’m on seems to always want to own every piece of work they build and touch from scratch. I feel like they are just adding more work into their queue where it’s not needed.
I would honestly rather focus more on the sys admin and DevOps work more over the data work because I want to slowly get back into some security work again.
Any tips and suggestions are appreciated.
P.s. I definitely do not get paid enough to split my time between two varying roles and skills.
https://redd.it/yfagb5
@r_devops
Advice Please
Hi Reddit, I just started working as Salesforce devops 2 months ago (My first ever job, campus recruit). I'm really confused as to how to grow further in this domain, or if I should even stay in this domain or switch to Dev.
Currently the project I am working in uses Azure DevOps, so I was thinking of probably doing Azure certifications, but other than this I don't have any insights on what to do in the future.
https://redd.it/yffe1j
@r_devops
Remote positions in the UK
Looking on LinkedIn looks like majority of places are advertising as hybrid. The number of remote positions has decreased quite a lot. Interested to hear people's experience in finding fully remote roles in the UK recently.
https://redd.it/yfkg8b
@r_devops
How many of you use LXC / LXD instead of VMs on your local machines?
Since most of my VirtualBox VMs on my laptop are Linux based (mostly Ubuntu) I wonder if it wouldn't be better to switch them to LXC. I've used them A LOT on the Proxmox hypervisor in my previous company. And now, when I'm spinning up a few machines with a Kubernetes cluster on my laptop, it seems reasonable to me to move nodes to LXC to better utilize my laptop resources.
I even found a nice article about it, but I would prefer to use a web UI instead of the command line.
https://www.virtualizationhowto.com/2021/07/lxc-container-management-gui-installation-and-configuration/
But what's your experience?
https://redd.it/yfjk2q
@r_devops
[help] IAM Identity Center (SSO) used to login into EKS Cluster
The problem: I can't use AWS SSO Authentication to manage my EKS Cluster
I can use awscli with sso user, I can login into AWS console with sso but my EKS can't understand sso role.
When kube config is configured for standard role based account, then there is no problem. I can manage my EKS
With SSO in kube config I have 2 problems:
1. When I am not adding SSO role to configmap/aws-auth:
2. When I add SSO role (arn:aws:iam::XXXXXXXXXXX:role/AWSReservedSSO_Administrator_XXXXXXXXXXXXXXX) to configmap/aws-auth:
I tried to:
* aws sso login
* set env for AWS_PROFILE
There is no documentation provided by AWS for this topic and it's frustrating.
Has anyone had similar issues in the past and can help with it?
https://redd.it/yflqj5
GitHub Actions - prevent secret exfiltration on pull_request triggers (organization repo)
I have read some considerations about possible secret exfiltration or other possible vulnerabilities when running pull_request triggered Actions; however, they were mainly considering public repos where everyone can create a PR.
Here, I am talking about GitHub Team or Enterprise plans and a repository which is not public.
My scenario is that I would like to have a pull_request triggered Action which will run Terraform Plan and output the plan into a pull request comment so reviewers can easily take a look at the expected changes to the infrastructure. This follows the Terraform examples from the docs - https://developer.hashicorp.com/terraform/tutorials/automation/github-actions.
To run Terraform Plan, I need to pass secrets so that Terraform can authenticate to my cloud provider (in this case Azure) and perform the Plan operation. Cloud credentials are obviously stored in GitHub secrets.
However, as anyone who can create a pull request can also modify the pull request workflow YAML definition stored in the repo (in his specific branch against which the PR workflow will be run), he can easily exfiltrate the secrets used to authenticate to the cloud by logging them in the workflow or just sending them via HTTP from his modified version of the workflow stored in the repo.
We would like to prevent a situation where anyone from our organization who has access to create PRs can exfiltrate our secrets (including production secrets).
Any ideas?
https://redd.it/yfs45m
Any good AWS CDK example repos for Node.js full stack?
Hi there!
DevOps n00b here. I’m trying to create a full stack Node.js + TypeScript app. Something that uses a React frontend and an Express backend. The backend also would need access to a Postgres database (RDS) as well as Redis (ElastiCache). Running the node app in an EC2 container would be nice as well as domain setup (domain.com for frontend and api.domain.com for backend).
I’ve looked at the examples repo that the CDK docs point to and didn’t find anything there. I’m a little surprised to not find anything as this seems like a fairly common setup for full stack web dev.
Any help is appreciated!
https://redd.it/yfoyaf