alert for self sign certs

hi folks

I created a python script that runs on concourse(pipeline) to alert us if any of the self signing ssl certs is going to expire soon. My program manager was not satisfied this and felt I'm using pipeline for the wrong reason


I choose python on concourse as the other solutions I explored required paid solutions or some new tech like NAGIOS I'm not experienced it. So I have two questions


1. was I wrong to run python script as a cron job in concourse pipeline
2. is there any solution other than NAGIOS worth exploring?

https://redd.it/zndh8r
@r_devops

DevOps and Feature Flags

I would like to understand the role of Feature Flags in DevOps function

i. Do you "create & toggle" feature flags or "only toggle" feature flags?

ii. What all use cases does feature flag help you with?

https://redd.it/zncvl9
@r_devops

What security controls to prevent someone from pushing arbitrary code into production?

What is the typical process before something is pushed into live? Just as if you were to push code into a repo, it will be reviewed by individuals before being approved, does this happen in DevOps automation tools?

1. Does this happen with the likes of Octopus DevOps or Jenkins or Azure DevOps or any tools if you could share that you use in enterprise environments?
2. What steps are taken to ensure someone cannot accidentally or even maliciously push something bad into live?
3. We have a policy that at least high-severity vulnerabilities are not allowed to go live? Broadly, what kind of processes can you set up to track/audit this? I appreciate things like false positive findings and risk acceptance can be done here to shoot it into live because often times a lot of vulnerabilities are nonsense and noisy. But how is this done, is this flagged somewhere on before you press live: "Are you sure you want to go live" sort of thing? I have no idea.

https://redd.it/zngalh
@r_devops

Beginner's guide on how to set up a new project with proper CI/CD pipeline and containers

Good CI/CD practices and proper containerization are at the core of the best DevOps teams. Mounting them later in the lifecycle of a project is time-consuming and expensive.

In order to give people an idea about the possibilities and how little the initial investment in terms of time is, we wrote an article containing a step-by-step guide to get started with a simple React application, containerized, and set up with docker-compose for local development. How to insert basic checks into the CI/CD pipeline is also covered.

https://www.coguard.io/post/ci-cd-pipeline

Enjoy the read. And yes, one could've made different design choices, but we tried to keep it simple ;-)

https://redd.it/znirfs
@r_devops

Would you consider a job with on-prem rather than public?

Had an interview today and the company is 100% on prem. I'm not too keen on this as I've got AWS and Azure experience and would feel it would be a waste to not use it and potentially hinder future job opportunities. As they say 'use it or your lose it'.

Would you make you reconsider if the company was on prem over public cloud? Why, why not?

https://redd.it/zniddk
@r_devops

React/Flask Minikube k8s pods are working, but not finding each other. How to fix?

I've got 2 pods for the front and back end, react and flask respectively that reside in the same namespace. Both are running individually functional pods, but the frontend is not finding its API. The way the project is configured currently is that react expects the API at pod's localhost:3000 I am unsure how the best way to route it to the API service is.

Since React has a proxy field in the package.json I dont know what the best way to fill that would be, as well as making the fetch requests in my files. Perhaps an env variable but how would I populate it with the proper address?

I have messed around with ingresses but was wondering if there is a more straight forward way to do it as an ingress seems like more overhead than is necessary, and I'm not all that familiar with how they work, to be honest.

https://redd.it/zni8hz
@r_devops

Moving from sysadmin to sre/devops. any certs or none at all?

I've been working as a SysAdmin for 2+ years since I graduated. My current company is pretty small, most of the things were on bare metal although now we've virtualised most of the things using vSphere, the infrastructure is solid but doesn't use most of the things I see job postings asking for nowadays (no K8s, no CI/CD, little things with Ansible set up before I got there, no Terraform and the only cloud services used are AWS S3/Glacier).

I started looking for SRE roles after I learned about the role from Google, since I love how they define it even if I know that not everywhere does it that way, but after seeing I lack most of the most demanded technologies, I enrolled to KodeKloud and plan to do the IaC path and the K8s one (which I started).

But I want to know how I can improve my chances in job interviews and how to make myself more attractive (maybe even avoiding starting from a completely bottom position too).

Right now I'm doing the course for CKAD on KodeKloud so I was interested in certs, but looking around and talking to people they mentioned mostly CKA and AWS SAA ones. Should I go for these if I'm looking to get a job similar to the SRE role that Google mentions? Should I just learn the technologies and forget about certs?

I feel like I have a good foundation with networking, scripting, databases and even programming as I've done that as a freelancer (mostly Java for mobile apps, though), all I'm missing in my CV is what I mentioned before imo. How do I increase my chances?

I'm from Europe if that matters.

https://redd.it/znkfz0
@r_devops

Need help

What exactly is DevOps? I am looking to grow my career and I am a union organizer.

I get that coding is basically looking for “bugs” and using some type of logic to solve the problem.

https://redd.it/znpl2z
@r_devops

Web UI for Managing Files in a Kubernetes Volume

I have a need to give access to users to manage files in a volume. For authentication I would prefer to use Duo SSO. Is anyone aware of anyone projects I may be able to use to make this happen?

https://redd.it/zniz1q
@r_devops

Anyone have luck whitelisting Terraform Registry?

I have a box that runs terraform commands and is locked down pretty securely. Since this box will only do a few tasks, we want to whitelist the specific IPs/CIDRs that are required. Now, however, I am running into an issue during terraform init where I get the below error:

Could not retrieve the list of available versions for provider hashicorp/aws: could not connect to `registry.terraform.io`: Failed to request discovery document: Get │ "`https://registry.terraform.io/.well-known/terraform.json`": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

With that, if I open up 0.0.0.0/0, it works just fine. So, it seems like a routing issue.

I am able to dig to `registry.terraform.io` to get the IP but whitelisting this IP `146.75.38.49` does not work. I have tried to search for an IP or CIDR range supplied by Hashicorp for this but with no luck.

Any ideas on how to proceed or troubleshoot? Or,

https://redd.it/znsbjz
@r_devops

GitHub Actions - How do you deal with the built-in cron scheduler being unreliable?

Hey everyone, I've built a small CICD pipeline that pushes code to AWS. I also want to execute that code through Github Actions, up until now the cron job that executes it ran on the EC2 instance itself. Now I have set up a workflow to run it from Github and it works, but it's pretty unreliable, it often executes ten minutes later and I read that it's not uncommon to be way worse:

https://upptime.js.org/blog/2021/01/22/github-actions-schedule-not-working/

One thing I saw Github recommend is just to "not run mission-critical jobs on it". But I find it very convenient to check right on Github if it has successfully executed my script. What's the easiest fix here?

https://redd.it/znndps
@r_devops

Having trouble with home project - beamdog/nwserver on ECS Fargate

Hi all,

I'm trying to get the beamdog/nwserver:latest docker image off the ground with a completely self-contained image that I can deploy to ECR. I want to do this because it's a fun project, it'll help me learn Docker, and also help me learn ECS/ECR.

The problem is that the instructions on their website only show how to run it in docker locally via CLI, and I'm at kind of a loss as to how to write the entire Dockerfile so that ECS Fargate can understand it and successfully deploy the running server binary.

Current issues:

1. When I follow the exact directions on their site, it runs just fine. I think. I've not yet been able to actually log into the server via the game client using my loopback, but it says that it loads the module and runs it just fine so I'll take that with a couple grains of salt. I assume it's some WSLv2 weirdness, as I'm doing this on Windows in WSLv2.
2. It seems like when you run the container, it expects the local filesystem to have the 'server' folder, along with 'modules', 'hak', and 'tlk' inside that folder. Then your module file should go in the 'modules' folder. Does this mean I will need to figure out how to attach an EFS volume to the task which has these same files? I'm seriously struggling to figure out if I can put the .mod file directly inside the container somewhere where the binary can find it.
3. It suggests to use either environment variables or --env-file to pass in the variables. Can I also just do this inside the Dockerfile using 'ENV'? It doesn't seem to work when I try it that way. There are a few ways I can skin this pig, namely using environment variables in terraform for the task definition, or doing it at build time, etc. I think the more secure way would be at build time during the pipeline.

Can anybody help me figure this out? I've tried it about 5 different ways, but it seems like the official image from Beamdog is the best way to go. (I've tried to compile the binary myself on ubuntu, I've tried NWNX - which is way overkill and much more complex, I've tried centos images...)

My current file looks something like this, but again, I don't think this will work unless the ECS task is able to run it the same way I run it on my local CLI...which I just don't know enough about how to set that up in AWS.

FROM beamdog/nwserver:latest

ARG NWNPLAYERPASSWORD
ARG NWNDMPASSWORD
ARG NWNADMINPASSWORD

ENV NWNPORT=5121
ENV NWNMODULE="MyCoolModuleName"
ENV NWNSERVERNAME="MyCoolModuleName"
ENV NWNPUBLICSERVER=1
ENV NWNMAXCLIENTS=32
ENV NWNMINLEVEL=1
ENV NWNMAXLEVEL=40
ENV NWNPAUSEANDPLAY=0
ENV NWNPVP=1
ENV NWNSERVERVAULT=0
ENV NWNELC=1
ENV NWNILR=1
ENV NWNGAMETYPE=0
ENV NWNONEPARTY=0
ENV NWNDIFFICULTY=3
ENV NWNAUTOSAVEINTERVAL=0
ENV NWNRELOADWHENEMPTY=0
ENV NWNPLAYERPASSWORD=$NWNPLAYERPASSWORD
ENV NWNDMPASSWORD=$NWNDMPASSWORD
ENV NWNADMINPASSWORD=$NWNADMINPASSWORD

https://redd.it/znufw6
@r_devops

Need advice

Is devops still a good field to go in, these days?

https://redd.it/znr42j
@r_devops

advice on career and personality

Hey everyone
I got my first traineeship few months ago but got pulled out of the team within the first month.
In the beginning I was told I don't have the knowledge which didn't make sense because it was a traineeship but today after a conversation I was told that the main reason was my attitude and that I was making the team unproductive.
In my life I have been told I am a connector and connect people together and that my presence and my energy in the room is big.
Sometimes without even doing anything.
In this team though I was never told anything, and in the opposite I felt good. Also I saw the team having the same energy without me.
I have had this issue all my life as a blessing and a curse but I am thinking if technical and devops is the right place for my personality
Any advice really appreciated 🙏

https://redd.it/zng6zi
@r_devops

Internal documentation thing

I would like to know how are you guys managing internal code documentation. API references, processes, instructions and so on. This area seems wild to me, i’ve seen lots of different things around, still not sure what is best. Also, who is defining documentation framework for you? Or maybe you define it for devs?

So far i worked with markdowns in git, confluence, gh wikis, gitlab, google docs, office 365, custom internal portals and random combinations of the above…

Do you know any approach which you think works for your case?

https://redd.it/znjqns
@r_devops

group merge requests

When working with polyrepo architecture, a single change to the entire product often happens across multiple projects, and that means the teams have to coordinate multiple merge requests, which all run CI/CD processes that theoretically should be a single CI/CD pipeline, and a single merge request. Gitlab even recognizes this problem, as seen here:

[https://gitlab.com/groups/gitlab-org/-/epics/882](https://gitlab.com/groups/gitlab-org/-/epics/882)
https://gitlab.com/gitlab-org/gitlab/-/issues/3427

However, they claim that they found low demand when interacting with customers. My question is- how is that possible? As they said themselves, most people solve this problem by either using a monorepo (which has its own issues), ci patch-scripting (which is limited and requires a lot of work and decisions) or by using submodules (which might fit the bill for libraries, but not things that need to be deployed like microservices)

So I guess my question is, what do you guys do when you want to use a polyrepo architecture for developing microservices, and want to make a single change to your product that spans multiple repositories?

https://redd.it/zni83l
@r_devops

Automate the deployment of resources in AWS

Hello, newbie here, be nice...

Region: Bahrain + UAE

Services used: CodeCommit, CodeBuild, ECS, ECR

I'm using both of the regions, because CodeCommit and CodeBuild are not yet supported in UAE region. ECS and ECR are in UAE region.

How is it currently working: GitLab repos are mirrored to CodeCommit. I'm getting the source code from CodeCommit, use it in CodeBuild to build an image, push in to ECR and then use the image for a task definion (service) on ECS. But this is manual approach and I don't like it.

So, I want to automate the workflow but sadly, there is no CodePipeline available in either of the regions. Should I use Lambda which is listening to a certain event, which triggers the build process (maybe whenever a push commits to the master?) I don't really know what is the recommended approach.

Thank you in advance.

https://redd.it/zneccv
@r_devops

Artifactory as CDN/Package Manager, how to ask for latest version?

Companies are taking local backups of thousands of 3rd party libraries and storing these in different versions.

These dependencies eventually become vulnerable and clean-up becomes necessary, but simply deleting the old libraries will mess things up for a lot of developers.

I am familiar with NPM and package.json, where develops use tilde (\~) and caret(\^) to get minor or point releases of libraries... is the workflow similar with JFrog Artifactory?

How does one allow developers to get an approximate version of a dependency, and not direct-linking to a specific version?

Is this even possible, or should the company implement another solution?

https://redd.it/zndrom
@r_devops

How much would it cost to run this service on AWS?

I am developing a software service that will have:
a) a phone app with ~800 users
b) a web app for desktop with ~50 users

The phone app will mainly be used to:
a) track the location of an employee during their shift by sending latitude & longitude data to the server every ~5mins/ user / day for 8 hrs a day.
b) upload photos by the user to the database (~10 photos / user / day)

The web app will mainly be used to:
a) monitor the data recorded by the users of the phone app.
b) assign an agenda to each employee.

The tech stack will be:
Flutter for mobile & web apps
Node Js to run the server

How much will it cost to run the app per month?
What are the best ways of optimising cost (Storage/Compute/everything) ?

TL;DR:

How much will it cost per month to run a Node JS service and Flutter app on AWS with :
1) 2,304,000 latitude & longitude data uploads and fetches per month.
2) 240,000 photo uploads and fetches per month.
3) + Compute costs
What's the best way to optimize cost?

https://redd.it/zo2sfb
@r_devops

Atlantis users on EKS, how do you manage account credentials?

I am just curious to see how people have their Atlantis configured. I assumed the easiest way was to have the Atlantis pod log into its own role and other accounts allow that role to assume a deployer-type role in their respective account. However, I do not want to hardcode any credentials for Atlantis.

Is there a way to get Atlantis to use its IRSA role for terraform changes? If so, how would I configure this? Or, by default, does any traffic leaving the pod assume the pod's IRSA? And then I could just allow that role to assume other roles across accounts?

https://redd.it/zmzfhp
@r_devops

I think IaC is a lot better than “ClickOps”!

Infrastructure as Code is imho way better than *ClickOps (*where you manage infrastructure through a GUI which is slow and prone to errors that only accumulate as environments gradually diverge).

ClickOps practices typically lack versioning, eliminating any hope of clean audit trails. Since you can't reuse configs, it becomes impossible to roll them out to multiple environments.

One of ClickOp's biggest weaknesses is that it's highly dependent on individuals. If your knowledgeable engineers who were in charge of configs jump ship, your infrastructure will be dead in the water until you can decipher the configurations they left behind.

Do you use ClickOp? If yes why?

https://redd.it/znfctz
@r_devops