Is HashiCorp Certified: Terraform Associate (002) Worth It?
I have an upcoming internship this Summer in a DevOps role. I have never used Terraform firsthand, but I do know it will be a tool I'll be using on the job. Is it worth pursuing an associate certification in order to prepare? Does anyone have any experience with this cert? How does it stack up time-wise to prepare for?
https://redd.it/11n2k0z
@r_devops
Posted by u/alienboy19 - No votes and 4 comments
Save $ on public S3 buckets using VPC endpoints via SQL
The cost savings of routing the traffic of public S3 buckets through VPC endpoints instead of NAT gateways in AWS can be quite large. NAT gateways are the default. We wrote a guide on how to do this with r/iasql using a couple of queries: https://iasql.com/blog/save-s3-vpc/
https://redd.it/11n5d6u
@r_devops
Iasql
Save $ on public S3 buckets using VPC endpoints via SQL | IaSQL
Are you using S3 buckets as part of your cloud deployments? How are you accessing them?
What's your development process for GitHub Actions and how are you testing them?
So, I have been getting in deep with GitHub Actions: Terraform with a remote backend, automated testing, linting, automated building, etc.
And I am finding the development process to be slow. 3-4 minutes per iteration and I am iterating a lot because I am learning and small changes are more likely to succeed. But waiting for push, waiting for it to get picked up, waiting for the entire workflow to run is slow when I am making incremental changes. Plus it's eating into my GA budget.
I know once my pipelines are all set, I shouldn't touch it much, but I'd love a more responsive, local environment for testing these workflows.
https://redd.it/11n4cn1
@r_devops
Posted by u/thegainsfairy - 1 vote and 2 comments
when companies provide you with a laptop as an employee and it comes with pre installed software, how does that software get installed?
I might be in the wrong subreddit.. but I'm curious:
My company recently got acquired by a much bigger company, and during that process, the parent company provided all new employees with a laptop, so they shipped 100+ laptops to employees, and you go through a setup process with the IT team, to assign the laptop to oneself.
Usually, there is some software already installed on the laptop after setup. I'm curious how the parent company creates these identical laptop setups for 100+ people...
Is it manual? Do they use a snapshot of an existing setup and then apply that to all laptops? Is there a company that provides this as a service?
Any info would be great, or directions to the right subreddit.
Thank you
https://redd.it/11n7zdb
@r_devops
Posted by u/SimonFOOTBALL - No votes and 4 comments
Deploying CLIs to developer machines
We have some internal tools for interfacing with our Kubernetes clusters and other internal systems. They're all CLIs, some Bash scripts and Rust binaries, and we're looking to have them regularly built and deployed onto developers' machines (Linux and OSX).
Is there an existing solution for this?
https://redd.it/11n39ie
@r_devops
Posted by u/sionescu - No votes and 19 comments
Proxy Basic Auth Replacement Best Practice for Cloud Native / OIDC / Vault
What would be the up-to-date, cloud native, best practice for replacement of e.g. haProxy with ACLs and Basic Auth, with something like Envoy (it has RBAC) + JWT + Hashi Vault and/or OIDC provider like Okta/AD?
I want to secure web endpoints, which don't support auth natively. Current solution is haProxy with network ACLs and Basic Auth, but I want actual identity check (not network-based), ideally tied to an identity provider (in my case AD) with either rotating token or at least password stored in Vault (and I do realize that I might be mixing stuff here - AD and pwd/token being mutually exclusive, so either is fine, but I want to be able to auth with another software as well, not just human - not sure how to go about that with AD).
I've seen a solution with Envoy+something (I don't remember, maybe traefik?)+OpenPolicyAgent+Okta in K8s env. It was ugly :-D. I want something independent of k8s, so I can place it in front of a historical service running on a VM, and secure it while it's being migrated and ideally doesn't require 3 containers to implement :-D.
Thanks for any suggestions and pointers!
https://redd.it/11nas9j
@r_devops
Posted by u/divide777 - No votes and 1 comment
How to change all links across a 200 page site, automatically?
An affiliate program needs me to change all links to their new landing page URL.
It is thousands of links across 200 pages. What is the best way?
https://redd.it/11n3127
@r_devops
Posted by u/SunnyRepository83 - No votes and 27 comments
Any way to automate CVS version control?
Company refuses to switch to git.. any way to automate CVS or create some type of pipeline with it? Right now I have to run cvsq on all dev files and then sign off on it.
https://redd.it/11n2nhy
@r_devops
Posted by u/Real_Voice_7166 - 1 vote and 22 comments
DevOps with background in computer science
Hi. I'm currently facing a bit of a dilemma. So I recently started a position of DevOps trainee (I have a background in computer science and I actually enjoy programming)... However my company tends to be very "Ops" oriented, there's almost no work nor projects where we work directly with the developers, it's mostly "services" where they provide or maintain infrastructure. There's little to no code involved (except for Terraform used for IaC, which is mostly scripting) and I find it really boring working with that... The most exciting task I came up with was developing a lambda (which I suggested, cause I was the few that knew how to code), where I can implement, create unit and integration tests and deploy it in a pipeline and it's very similar to the SWE types of tasks that I learnt in college, so I'm more familiar with and find it more exciting to do...
And I'm really debating now if I'm completely in the wrong job position (should I become a developer?), or if the company perception of DevOps is just off (but I'm actually very newbie and idk how I can help to improve its culture)...
https://redd.it/11mwirj
@r_devops
Posted by u/unknown529284 - No votes and 8 comments
Top 10 DevOps Tips for Cloud and backend Applications (Presented in the Arabic Language)
Top 10 DevOps tips for cloud applications
https://www.youtube.com/watch?v=c_ay2xZDRUw
https://redd.it/11mzx6e
@r_devops
YouTube
Top 10 DevOps Tips for Cloud and backend Applications
# Title #
Top 10 DevOps Tips for Cloud and backend Applications
(شريف المتولي )
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#MENADD
#MENADigitalDays2023
# cloud
» WebSite: https://bit.ly/mena-dd
» All sessions are recorded and will remain…
How do you Bootstrap an Organization in Google Cloud Platform?
I found this process very intense from a team interaction point of view, especially when the conversation goes down a rabbit hole trying to solve the chicken and egg problem.
I try to optimise based on principles while still knowing that we are in a state when we cannot adhere to them 100%. I proceed in a three-phase approach:
* Inception Phase (Ring 0)
* Pre-operational Phase (Ring 1)
* Operational Phase (Ring 2)
You can imagine these 3 phases like the protection rings in an operating system where you gradually tighten the adherence to principles and policies. I explained in more detail in this video: [https://youtu.be/RDF4Yf5JhPI](https://youtu.be/RDF4Yf5JhPI)
Would appreciate any feedback.
https://redd.it/11njbmz
@r_devops
YouTube
How I Bootstrap a GCP Org
How I Bootstrap an Organization in Google Cloud Platform
What is org bootstrapping?
When you create an account in GCP there is nothing, no folders, no projects, no resources.
You only have your user able to create these resources.
✨ Org bootstrapping is…
FeatureProbe: Streamline your DevOps workflow and achieve faster and safe feature releases with seamless feature flag open-source integration.
https://github.com/FeatureProbe/FeatureProbe
https://redd.it/11nk9na
@r_devops
GitHub
GitHub - FeatureProbe/FeatureProbe: FeatureProbe is an open source feature management service. An efficient, visual open-source "feature" management platform providing feature toggles, gradual (canary) releases, and full A/B experiment functionality.
How do you handle CSP Headers for a multi tenant application?
Right now it's just one CSP for all of our tenants and we keep adding domains if we see a block. As you can imagine, our CSP is huge.
You think doing a * will not be a security issue? (my heart says it is.. lol)
Dev team doesn't seem to think it's a priority to include this in the application per tenant.
https://redd.it/11nlice
@r_devops
Posted by u/linux_n00by - No votes and no comments
Sonic Pi Can Help You Make Music Through Code. So cool.
https://gotopia.tech/articles/220/Sam-Aaron-SonicPi-can-help-you-make-music-through-code
https://redd.it/11nm35a
@r_devops
gotopia.tech
Unleash your creativity with Sam Aaron's Sonic Pi! This user-friendly tool lets you code and create music simultaneously. Start composing your own tunes!
I'm looking for a good vulnerability management tool, big bonus if it can integrate into the deployment pipeline
Hello all.
Can anybody recommend a good vulnerability management tool for cloud-native applications?
I am currently trying to find something that can perform real-time monitoring for a basic tech stack (Java, PHP, Go etc.), APIs and ideally infrastructure.
Bonus if it can perform static code analysis! I am hoping there is a singular tool I can get for all of this, but as it seems it looks like I may have to go with 2 or 3.
Currently looking at Dynatrace, which has some great agent-based real-time monitoring, but it lacks the overall infra and static code monitoring.
Any help appreciated, thanks
https://redd.it/11nl6jf
@r_devops
Posted by u/Spiritual-Cicada-794 - 2 votes and 2 comments
Is Push based GitOps dying, or it's just me?
Personally, as a guy who works with k8s a lot, I prefer the Push GitOps because I feel that I have more control over what I'm dealing with. The whole ArgoCD tendency is driving me nuts, because I think that ArgoCD is cool if it's provided kinda as a service to devs, and they can use it to deploy what they need to have without my help, but if I'm running something I prefer other tools, for example Helmfile.
I feel that Pull GitOps is displacing the Push one. And it seems a logical continuation of the getting rid of human factor thing, but still doesn't seem right to me. Because my job is to deal with systems and I need to be able to do it fast in case of emergency. And with pull-git-ops I don't feel that it's possible.
I had a lot of situations when I had to create/remove/update k8s resources manually to fix things fast and then write those changes to git repo without any hurry, because everything was fixed already. And, for example, when you have your whole infra deployed by ArgoCD with AutoSync enabled, you can't really do that without disabling it, and it feels like a very ugly workaround to me, like a sign that system doesn't work after all. (Or you do follow GitFlow, update manifests/charts/whatever, merge, and check if problem is solved, so fixing a problem is taking a way more time)
And the main benefit that I've been told is that you always can see everything that is running in the cluster and the state is always synced. But I can see anything that is running in the cluster with kubectl, (and I actually would never go to ArgoCD Dashboard myself), and the state is not always synced because someone would eventually disable syncing for fixing something and wouldn't enable it again. Also, I don't care what developers are running there, if I'm not afraid that they will ruin the cluster, but preventing a situation like this, is also a part of my job. And also you still can apply anything that won't be spotted by argocd, so you can't even be sure that you see everything there.
But I'm getting more and more confused about this ArgoCD topic while reading articles, talking to people, etc. I've got a feeling that everybody want to use this Pull gitOps approach for everything, but I still don't see real benefits. And since I've got a feeling that I'm becoming a minority, I think that I should consider changing my mind on this topic. So, if you prefer Pull GitOps for infra stuff, could you say why?
UPD: I meant Push based GitOps, of course, but I think that I can't change the name anymore
https://redd.it/11noszn
@r_devops
Posted by u/allanger - No votes and 1 comment
How are you splitting out your IaC pipelines?
Hi everyone,
I have started to leverage Azure DevOps pipelines and IaC (with Bicep) to manage our Azure environment. I am curious about how I should be separating out resources in different pipelines though.
Currently we have been running a pipeline for each resource type with different environment variables depending on which environment we want to update via a specific set of Bicep/parameters files.
Does it make sense to continue this way? I had gone over the MS Learn documentation and a lot of that involved deploying the entirety of an application with various modules for different resources via a single deployment.
So say for virtual machines, would I have them all deploy via a single "VM" pipeline or group them by application in separate pipelines?
I've also started to work with microservices (api gateway w/ functions, logic apps, etc.) and it seems like for that, it would make more sense to deploy all the components of a specific application via its own pipeline but I'm not entirely sure that's the best approach.
Any input or suggestions are greatly appreciated.
Thanks!
https://redd.it/11nnvzh
@r_devops
Posted by u/nextlevelsolution - 1 vote and 2 comments
How Do We Save about ~$10,000 a Year Using Self-Hosted GitLab
## Moving from GitLab CE to GitLab Premium
In October 2022, GitLab changed its subscription model. There are three plans:
* Free
* Premium—$19 per user/month
* Ultimate—$99 per user/month.
Switching to a paid subscription or looking for alternatives became necessary for large teams and projects.
The free plan supports up to 5 users in a project or group and is unsuitable for us. It is possible to deploy our self-hosted GitLab CE, but this will require infrastructure and support costs.
In one of our projects, all the binding in the form of CI and environments had already been made for the specifics of GitLab, and the number of repositories numbered several dozen. First, we looked at the proposals of GitLab so as not to waste time on pipelines. Moreover, we had to consider that the total number of users in the project was around 64.
The free plan supports up to 5 users in a project or group, and it was not a right fit for us. We could deploy our self-hosted GitLab CE, but it would require infrastructure and support costs.
Let’s do the simple math.
If we had bought a Premium subscription: 64 users \* $19 = **$1,216 per month** or $14,592 per year (Subscriptions must be paid annually).
And if we raise our GitLab in AWS (the cost in GCP is about the same):
* The minimum recommendation for a self-hosted instance for a service of up to 500 users is 4 CPU 8 Mem, which is \~$130 per month;
* 200Gb drive with daily snapshots up to 14 days is \~$26 per month;
* RDS database with daily snapshots storage for up to 10 days is \~$50 per month;
* S3 bucket for storing caches and artifacts is \~$1 per month.
* **Total: \~$207 per month**.
NB: Here, we consider only the main GitLab service without runners because their value in all cases is constant.
After the estimation, we presented the results to the customer and discussed the obvious benefit of having a leftover $1,000 per month. We also separately drew attention to the need to support and regularly update our own GitLab CE. We added about 6 hours a month for support and started moving.
## Getting ready
Using Terraform, we created a network, storage, S3, instance, and RDS in the cloud. This is our favorite IaC (Infrastructure as Code) approach, which makes it convenient to manage the infrastructure and, if necessary, reuse the finished code.
As a VM image, we used the official GitLab CE AMI (Amazon Machine Image)—an image that is updated and maintained by GitLab itself. To update the GitLab version and not be afraid that the instance will break, we used the ASG (Auto Scaling Group) with the Launch template, to which we transferred the AMI image, instance type, disk configuration, etc.
Moreover, we used a small bash script in User Data to reconfigure and roll our data and configs automatically. It runs immediately after creating the instance, checks the availability of the allocated IP address and storage with data and configuration, and subsequently reconfigures the new model into “our” GitLab.
So, “our” GitLab is configured and tested. Next, we must migrate users and repositories from SaaS GitLab to self-hosted GitLab.
## Moving
To avoid violating the deadlines and not interfering with the developers themselves, it was necessary to agree on and draw up a plan to migrate repositories. For the convenience of user migration, we added Google OAuth with authorization in our Google organization and asked all developers to log in to the new GitLab, thus getting users.
Furthermore, the repositories had to be migrated one by one manually through the export/import mechanism. At the same time, it was necessary to consider that the CI/CD and webhook settings are not exported because they depend on the environments. They had to be adjusted manually for each repository. In addition, we had to connect our group runners as shared runners from GitLab SaaS will not be available.
We moved the repositories, set up the CI environment and webhooks, and checked with the developers that everything worked.
Pros and cons of
## Moving from GitLab CE to GitLab Premium
In October 2022, GitLab changed its subscription model. There are three plans:
* Free
* Premium—$19 per user/month
* Ultimate—$99 per user/month.
Switching to a paid subscription or looking for alternatives became necessary for large teams and projects.
The free plan supports up to 5 users in a project or group and is unsuitable for us. It is possible to deploy our self-hosted GitLab CE, but this will require infrastructure and support costs.
In one of our projects, all the binding in the form of CI and environments had already been made for the specifics of GitLab, and the number of repositories numbered several dozen. First, we looked at the proposals of GitLab so as not to waste time on pipelines. Moreover, we had to consider that the total number of users in the project was around 64.
The free plan supports up to 5 users in a project or group, and it was not a right fit for us. We could deploy our self-hosted GitLab CE, but it would require infrastructure and support costs.
Let’s do the simple math.
If we had bought a Premium subscription: 64 users \* $19 = **$1,216 per month** or $14,592 per year (Subscriptions must be paid annually).
And if we raise our GitLab in AWS (the cost in GCP is about the same):
* The minimum recommendation for a self-hosted instance for a service of up to 500 users is 4 CPU 8 Mem, which is \~$130 per month;
* 200Gb drive with daily snapshots up to 14 days is \~$26 per month;
* RDS database with daily snapshots storage for up to 10 days is \~$50 per month;
* S3 bucket for storing caches and artifacts is \~$1 per month.
* **Total: \~$207 per month**.
NB: Here, we consider only the main GitLab service without runners because their value in all cases is constant.
After the estimation, we presented the results to the customer and discussed the obvious benefit of having a leftover $1,000 per month. We also separately drew attention to the need to support and regularly update our own GitLab CE. We added about 6 hours a month for support and started moving.
## Getting ready
Using Terraform, we created a network, storage, S3, instance, and RDS in the cloud. This is our favorite IaC (Infrastructure as Code) approach, which makes it convenient to manage the infrastructure and, if necessary, reuse the finished code.
As a VM image, we used the official GitLab CE AMI (Amazon Machine Image)—an image that is updated and maintained by GitLab itself. To update the GitLab version and not be afraid that the instance will break, we used the ASG (Auto Scaling Group) with the Launch template, to which we transferred the AMI image, instance type, disk configuration, etc.
Moreover, we used a small bash script in User Data to reconfigure and roll our data and configs automatically. It runs immediately after creating the instance, checks the availability of the allocated IP address and storage with data and configuration, and subsequently reconfigures the new model into “our” GitLab.
So, “our” GitLab is configured and tested. Next, we must migrate users and repositories from SaaS GitLab to self-hosted GitLab.
## Moving
To avoid violating the deadlines and to not interfere with the developers themselves, it was necessary to agree on and draw up a plan to migrate repositories. For the convenience of user migration, we added Google OAuth with authorization in our Google organization and asked all developers to log in to the new GitLab, thus getting users.
Furthermore, the repositories had to be migrated one by one manually through the export/import mechanism. At the same time, it was necessary to consider that the CI/CD and webhook settings are not exported because they depend on the environments. They had to be adjusted manually for each repository. In addition, we had to connect our group runners, as shared runners from GitLab SaaS will not be available.
We moved the repositories, set up the CI environment and webhooks, and checked with the developers that everything worked.
Pros and cons of this decision:

|**FEATURES**|**SELF-HOSTED GITLAB**|**SAAS GITLAB**|
|:-|:-|:-|
|Price|**+**|**-**|
|Support|**-**|**+**|
|Logs|**+**|**-**|
|Administration|**+**|**-**|
|Full access to the API|**+**|**-**|
|Privacy|**+**|**-**|
While Self-Hosted GitLab provides more options, it requires you to have your own support.
## Results
For a modest amount of money, the client received git hosting (GitLab CE), which is slightly inferior in functionality to the premium version of SaaS in some aspects but is generally suitable for work.
If you have a large team and are not willing to pay over $10,000 per year, working with self-hosted GitLab is for you. Of course, such a choice will oblige you to deal with support, allocate additional time for engineers, and the responsibility for the work of GitLab will be entirely on the DevOps team, but this can save you a lot of money.
If you have a small team and don't want to spend time maintaining git hosting, SaaS is a great option. You can get an out-of-the-box, working solution by buying a subscription rather than worrying about infrastructure.
https://redd.it/11nr4gv
@r_devops
​
Reddit
r/devops on Reddit: How Do We Save about ~$10,000 a Year Using Self-Hosted GitLab
Posted by u/darikanur - No votes and 1 comment
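The User Data pre-flight described under "Getting ready" in the post above, as an added example that is not the author's script: it waits until the expected public IP and the data mount are present, then runs `gitlab-ctl reconfigure`. The IP value, both paths, the retry settings and the `RECONFIGURE_CMD` and `RUN_BOOTSTRAP` variables are assumptions; the metadata lookup uses IMDSv2 session tokens.

```shell
#!/usr/bin/env bash
# Added example: pre-flight for a GitLab instance launched from an ASG.
# Assumed values (not from the post): the IP, both paths, retry settings.
EXPECTED_IP="${EXPECTED_IP:-203.0.113.10}"   # constructed documentation address
DATA_DIR="${DATA_DIR:-/var/opt/gitlab}"
CONFIG_FILE="${CONFIG_FILE:-/etc/gitlab/gitlab.rb}"
RECONFIGURE_CMD="${RECONFIGURE_CMD:-gitlab-ctl reconfigure}"
IMDS="http://169.254.169.254/latest"

# retry <attempts> <sleep_seconds> <command...>: 0 on first success, else 1.
retry() {
  local attempts="$1" delay="$2" i=1
  shift 2
  while [ "$i" -le "$attempts" ]; do
    "$@" && return 0
    sleep "$delay"
    i=$((i + 1))
  done
  return 1
}

# Public IPv4 of this instance via IMDSv2 (session token, then metadata).
current_public_ip() {
  local token
  token=$(curl -sf -X PUT "$IMDS/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
  curl -sf -H "X-aws-ec2-metadata-token: $token" "$IMDS/meta-data/public-ipv4"
}

ip_is_attached()  { [ "$(current_public_ip)" = "$EXPECTED_IP" ]; }
data_is_mounted() { mountpoint -q "$DATA_DIR" && [ -s "$CONFIG_FILE" ]; }

# Reconfigure only once the address and the data volume are both in place.
bootstrap() {
  retry "${ATTEMPTS:-30}" "${DELAY:-10}" ip_is_attached \
    || { echo "allocated IP $EXPECTED_IP is not attached" >&2; return 10; }
  retry "${ATTEMPTS:-30}" "${DELAY:-10}" data_is_mounted \
    || { echo "$DATA_DIR not mounted or $CONFIG_FILE empty" >&2; return 11; }
  $RECONFIGURE_CMD
}

# Guard keeps the example inert unless asked: RUN_BOOTSTRAP=1 ./preflight.sh
if [ "${RUN_BOOTSTRAP:-0}" = 1 ]; then
  bootstrap
fi
```

The distinct exit codes (10 for the address, 11 for the volume or config) let the instance log show which dependency was missing when a replacement instance never comes up as GitLab.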
Opinions on Hashicorp Nomad?
Has anyone used it? What are your thoughts?
https://redd.it/11nsxo3
@r_devops
Reddit
r/devops on Reddit: Opinions on Hashicorp Nomad?
Posted by u/k2718 - No votes and 2 comments
Feeling pretty down/demoralized. Any suggestions on easy wins for my team?
In charge of the DevOps team that’s part of a dev org touched by layoffs about a month ago.
Was everyone’s first time experiencing something like that. Anxiety and nervousness have been almost palpable while we’ve kind of just been attempting to run the same org without a lot of the teammates we cared about.
Been trying to figure out some easy wins for myself and the broader team to try and feel like progress is being made. Any and all suggestions welcome.
https://redd.it/11nttd2
@r_devops
Reddit
r/devops on Reddit: Feeling pretty down/demoralized. Any suggestions on easy wins for my team?
Posted by u/robustquorum09 - No votes and 1 comment