Throw in the key

In Swedish there is a saying that you're fast if "you can lock a drawer but manage have time to throw in the key".

If I create a AWS VPC with private subnets, how do I access them from Ansible if I lock down SSH to only local addresses using a Security Group? Do I have a local Ansible Control Host? Should I keep SSH open an all machines and give them public IP addresses although this is a huge security risk? Is there anyway to throw in the key while locking the drawer?

As a AWS+Terraform+Ansible newbie, I'm a little bit lost here, does anyone have advice or can you point me in the direction to go?

https://redd.it/13gjwn7
@r_devops

Where are the recipes for "Hybrid" Delivery?

Everyone talks about and uses recipes for Continuous Delivery.

Does anyone have any pointers to tooling or recipes for delivering complex systems in releases?

My team manages \~dozens of components that we do CI/CD into a staging environment, but release into production every 2 weeks, and we like it that way; we don't really want to move to continuous delivery to production.

Our current system is a set of scripts with a decade old sqlite database with Jenkins:

Devs trigger a build in Jenkins.
Jenkins deploys to staging via Ansible.
Jenkins then adds the artifacts to sqlite as "latest artifact deployed to staging as part of XXX release".
On release day, once all tickets are resolved, we run a script that pushes the latest artifacts for each project up to the production repo.
At this point devs can begin working on tasks for the next release. Before this point devs need to be working in a branch and not building changes for the following release into staging.
Release night I do database migrations and then run Ansible scripts that release the updated packages.

This is all implemented with custom built scripts.

I'd like to do some enhancements to this (adding docker containers as a deployable, for example. Integrating the database migrations which right now are done largely by hand). But ideally I'd like to follow some existing patterns or use tooling rather than custom building if possible. It seems like something that should be a well worn path, but all I ever see talked about is CI/CD.

Anyone have pointers to what I'm missing?

https://redd.it/13gl6t4
@r_devops

Is this a good CI/CD setup to build and deploy services to Kubernetes?

So at the company I'm working for we have many applications and services that we deploy to k8s clusters on GCP (GKE). We follow this approach:

We dockerize the application
Create a helm chart
Create a Google cloud build pipeline that gets triggered on commits to certain files on some branches, the pipeline steps:

1. Build docker image with a new tag and push it to the registry
2. Upgrade helm chart setting the image.tag variable of the service container with the new tag

The application code and helm chart are all present in the same Git repo. The issues I see with this approach:

You always need to trigger the whole pipeline and build new docker images even if you're just modifying the helm chart
We don't separate the versioning of application and the versioning of helm charts and we don't have a registry for helm charts
It's kinda messy to have helm, Dockerfile, and application code all in one repo

Now I'm still a junior DevOps engineer and I don't like the way things are but they say we don't have the resources now to do better. Anyways, I wanted to ask you guys what better practices could we have done and what other problems could this setup result in?

https://redd.it/13gjsz5
@r_devops

Work like balance as a devops engineer?

I’m a backend dev with 2+ yoe. I’m looking to transition to devops and one of my important criteria is WLB. So I just wanted to ask the experienced devops peeps here about the WLB in this field.

https://redd.it/13gmayq
@r_devops

Would you say that learning how to develop browser extensions is a useful skill in devops?

Just a random question I thought about today, noticed we use a lot of sites that we don't have much control over, figured learning JS may help in this regard (automation, make things easier for our team, etc) and it never hurts to have another programming language under one's belt.

Do any of you do this?

https://redd.it/13gq6gg
@r_devops

Migrating from Nexus to Harbor: A Comparison of Features and Easy Steps

In this article, I would like to share my experience of migrating from Nexus docker registry to Harbor and the steps involved. I will also explain some of the most useful features of Harbor by comparing them to Nexus and why you should consider using it:

https://mallakimahdi.wordpress.com/2023/05/13/migrating-from-nexus-to-harbor-a-comparison-of-features-and-easy-steps/

https://redd.it/13gpzk6
@r_devops

Got the $3000 bill on my AWS account

Hello guys,
I left my services open and I got the bill of $3000 bill on my mail id. so, will they make any legal actions if I don't pay the bills. There is no payment methods added so it can not be deducted automatically.

https://redd.it/13glmng
@r_devops

devops as a new grad

hello guys i wanted to ask if its a good idea to get a first job as a devops or should i try to get a sysadmin / dev job first then switch to devops

https://redd.it/13gwsb3
@r_devops

Help with SNI issue (TLS)

\- At home, I have two ISP providers.

\- Both of them assign a dynamic IP address that changes from time to time.

\- I have a router doing load balancing between both providers

\- To detect the IP changes I want to set up a script running in a headless RPi that I have.

\- My idea is to hit https://api64.ipify.org to obtain my public IP. Taking advantage that they have more than one IP, I set up two static routes: one forcing the traffic through WAN1 and the other through WAN2.

\- That way I can do something like "wget https://xxx.xxx.xxx.xxx" to get my public IP from provider 1 and "wget https://yyy.yyy.yyy.yyy" to get my public IP from provider 2

\- The problem I'm facing is that I'm getting the error "GnuTLS: received alert [112\]: The server name sent was not recognized" (and a similar but from OpenSSL using curl).

\- I tried to find an option (wget/curl) to force a server name other than the one in the URL with no success.

\- Setting a header at http level doesn't work (pretty obvious having into account that SSL negotiation happens before any http stuff is sent)

What could I do?

Thank you for any help

https://redd.it/13gzvrl
@r_devops

secrets management for noobs

Even DevOps friends,
I'm still a little new to the DevOps game, but my coding is getting good enough that I am planning to move it up to github. I am a one man team, so I'm just using github for practive and a DR plan.

My code has some API keys, and I would like to understand how NOT to expose those keys to everyone who can see my code. It seems like general consensus is to use HashiCorp Vault and be done with it. However, I suspect that I need to host my Vault server in the cloud so that anytime my code needs to call an API, it can verify the secret. Is this correct?

If I could simply install vault on my Macbook and close it until its time to add a new feature, that would be ideal. However, I'm not sure I can see this working if the vault is offline.

If someone has the time and patience, I would be very grateful for any secret management advice and education you folks are willing to share.

Thanks

https://redd.it/13h10wp
@r_devops

Azure DevOps - How to do DevOps with Azure

The approaches used by development and IT operations teams under the name "DevOps" are meant to speed up and scale software delivery.

Automation, continuous integration, development, testing, and the use of infrastructure as code are some of these techniques. One of the popular devops platforms is Azure Devops. So, let’s get started!

https://itcertificate.org/blog/azure/how-to-do-devops-with-azure/

https://redd.it/13h3qkk
@r_devops

What Linux knowledge is expected for an interview?

I'm a new grad and I'm studying for the RHCSA but at the same time I want to get started with the cloud. However, studying can only take me so far, and I feel like I'm in a bit of a rush to get started in my career. I went to my university's recent career fair yesterday and I noticed that many recruiters were more interested in cloud knowledge and DevOps tools rather than proficiency in Linux. This has left me wondering what I should focus on.

I've been working my way through a popular book on Linux Administration and have made it about halfway through. I'm now trying to figure out which of the remaining topics I can skim over and come back to later down the line, and which ones I should know for an interview. Here are the remaining topics in the book:

1. Boot Process, Grub2, Linux Kernel
2. System Initialization, Message Logging, and System Tuning
3. Storage Management
4. Local File Systems and Swap
5. Networking, Network Devices, and Network Connections
6. Network File System
7. Hostname Resolution and Time Synchronization
8. The Secure Shell Service
9. The Linux Firewall
10. Security Enhanced Linux
11. Shell Scripting
12. Containers

I would appreciate any advice on which topics I should prioritize and which ones I can come back to later.

https://redd.it/13h4zrv
@r_devops

If you want to exceel in your career, you MUST be able to write code

Hello /r/devops,

Let me preface, I expect getting downvoted to hell, but that's perfectly fine, we ain't after internet points :)

I have been following this sub for some time now and I have noticed a trend that seems to be a misconception to me.

In a lot of posts, people ask whether or not they should code and I thought I would share my opinion on the matter, hopefully to spark a discussion.

9 years ago, I started as a sysadmin performing the following tasks:

Network configuration and management (mainly Cisco)
Linux/Windows server management
Jenkins configuration and automation
AD Domain management
Virtual Machines management (Containers were not such a hot topic back then)
Monitoring (mainly with Nagios)

That said, things have evolved lately, containers kicked in, Clouds are the new girl in town and all other hot topics you can think of. We all have managed/manage these and are rather familiar with them. You might see where I am going, you might not, but the idea behind what I am saying here is that if you just manage *(*don't get me wrong, I am not saying it is easy) what I just mentioned, you have eveloved as a Systems Administrator, this evolution has been observed multiple times, i.e. the norm evolved as follows:

managing physical servers \--> managing virtual machines \--> managing containers

Now, for DevOps, there are a lot of discussions what this thing and so on, so I am not going into detail about that, but I will state the following - Systems Administrator != DevOps engineer.

IMHO (I want to emphaise on the "MY") , a DevOps engineer must be able to not only leverage tools like Ansible, Kubernetes, Terraform, etc., but to also understand them enough to debug their code AND extend them to their needs, whether it is extending an existing functionality (Ansible module, Terraform provider, k8s controller, etc.).

I am not here to brag even if it might sound like this, but rather show you that if you are able to code, you will excel in your career faster than you might think. Here are some stats for myself that I think helped/help me a lot into my career's development:

I am comfortably programming in Golang, Python, Rust, despite having never held a Software Development position
I used to actively contribute to Ansible
I actively contribute to Kubernetes
During my time at VMware, I have successfully extended a few Terraform providers, written two Prometheus exporters for OpenStack and developed numerous Ansible modules for vSphere automation

The few points I mentioned above helped me tremendously in growing my salary in 9 years from 9200$ \-> 142k$ per Year NET. (I live in Eastern Europe and that's why my initial salary was so low, it is still the average salary here)

As I said before, I DO NOT brag, but I want to show you how much being able to code can help you.

The last job I landed required me to do Distributed Systems Deign, Pair programming and required me to provide actual code contributions on GitHub (I am not sharing it here, because it contains personal info)

https://redd.it/13h6nk4
@r_devops

Have things become better since the "Phoenix Project"? I don't see any of these stories in real life anymore

I wonder if things are better now

https://redd.it/13h81e9
@r_devops

Create OIDC/SAML app in an IDP using a tool similar to IAC like Terraform, Ansible

Hi,
I am posting this question to the community as I am looking for some suggestions, helpful guides which can help me implementing the design to achieve the below scenario:


Scenario: We have to automate the application onboarding for OIDC/SAML app. hosted in secure auth to ForgeRock.


Design: Similar to any IAC tool where we declare the desired state using a yaml file, the same conecpt is said to be utilized. We would have a yaml file defining application details. Going through terraform registry, I found that there is no such provider defined for oidc/saml app onboarding by ForgeRock. Also, if we define a plugin for same we are restricted by the programming language (need to use Go for development). So, we need a kind of python script which can function similar to a provider in Terraform, reading through the desired application configuration from the yaml file and then making use of the rest api endpoint exposed by ForgeRock for creating the app.


Can anyone in the community please help me out here with any useful resources like any Github repo's ,opensource project, docs which I can make use of to give me a starting point about how this can be implemented?

https://redd.it/13h7tdi
@r_devops

ML Enthusiasts Club - read papers/books and do projects together

Hey folks,
I'm lucky enough to be running this super cool community where we all geek out over machine learning papers, dive into some epic books, and smash out projects in teams. We're already a gang of 1300 strong learners, spread across more than 40 dynamic groups. If this sounds like your kind of scene, give me a shout and I'll slide a Discord invite your way in a DM. Can't wait to welcome you aboard!

https://redd.it/13hav26
@r_devops

Project Team Lead or Dedicated IT Guy

I would like to hear your opinions about the decision that I am facing.

I recently started working at a large MNO that gives me the opportunity to smith my role into whatever I would like.

You wanna be a tester? Sure.

Oh, you wanna help with development? Done.

Hmm, so K8S interests you more? Start working with this colleague.

​

However, my supervisor came to me recently offering me to lead the dev team and be a quasi project/product owner. He is already doing this but it would free him up to for example clear obstacles that the org. puts in front of the dev team.

​

Now I am conflicted because A) I was never in such a position and I barely understand the environment after such a short onboarding period and B) I had in mind to first solidify my tech skills before even considering such a position since I am kinda still a junior. Also C) I am not sure which of these two career pathways would be the most 'bang for my buck'.

​

What is your opinion about this?

https://redd.it/13ha1q6
@r_devops

What tools or services do you use for your cloud infrastructure other than monitoring/logging/APM

Hey guys,

So I'd like to know what tools or services you use on your cloud infrastructure, other than the usual monitoring, logging and APM services like DataDog, New Relic, Elastic, Splunk, etc.

Recently I came across services and tools like Forward Networks, CloudMapper, Shoreline.

I am specifically looking for services for cloud security and runbooks.

Appreciate if you can share any services or tools that you recommend.

Cheers.

https://redd.it/13hduhs
@r_devops

Doing projects or taking another AWS certification


A month ago, I took the AWS Solutions Architect Associate certification and can reasonably pass SWD SysOps Administrator in two or three weeks.

While I have experience as a network engineer, I don't have any programming work experience. To move into Cloud/DevOps, should I pursue another certification or concentrate on working on projects and improve my coding skills/learn terraform?
If another certification wouldn't help much, I prefer to do something more useful like learning terraform and eventually doing a project.

Thanks for your time

https://redd.it/13hfh4t
@r_devops

History and Future of Infrastructure as Code

This [insightful article](https://www.endoflineblog.com/history-and-future-of-infrastructure-as-code) by [Adam Ruka](https://www.linkedin.com/in/adamruka) covers:

* What's IaC.
* First gen. tools: Declarative, Host Provisioning (Chef, Puppet, Ansible).
* Second gen. tools: Declarative, Cloud (CloudFormation, Terraform, Azure Resource Manager).
* Third gen. tools: Imperative, Cloud (AWS CDK, Pulumi, SST).
* The future: Infrastructure from Code (Wing, Dark, Eventual, Ampt, Klotho).

https://redd.it/13hi5bm
@r_devops

Just read the book "Investment Unlimited" about DevOps and Security. This book is written 10 years late.

The ideas and situations are common now. Most companies have implemented such security pipeline.

https://redd.it/13h9en5
@r_devops