Reddit DevOps
Reddit DevOps. #devops
Thanks @reddit2telegram and @r_channels
This hands-on project is designed for anyone who is interested in getting into DevOps.

Source code:

* [https://github.com/tntk-io/tntk-infra](https://github.com/tntk-io/tntk-infra)
* [https://github.com/tntk-io/tntk-ci](https://github.com/tntk-io/tntk-ci)
* [https://github.com/tntk-io/tntk-cd](https://github.com/tntk-io/tntk-cd)

Video instructions:

* [https://www.udemy.com/course/real-world-devops-project-gitops-methodology/](https://www.udemy.com/course/real-world-devops-project-gitops-methodology/)
* Apply "TENTEKDEVOPS2024" for discounts.

Enjoy!


PS: We've previously posted this but received requests for video instructions. Therefore, we're posting again to inform you that we've uploaded video instructions containing approximately 8 hours of material explaining the project's essentials.

https://redd.it/1bv0zdx
@r_devops
How does CI/CD or TBD handle features that take more than a couple of days?

Sometimes you can't break features down into smaller ones, or you are assigned a feature that will need half a sprint or even an entire sprint. If you follow CI/CD guidelines, you should merge at least once a day.
I've read that a potential solution to this is to merge incomplete feature code that doesn't break prod, or to hide it behind a flag.
However, I'm reading these options as workarounds, which means that CI/CD features are usually shorter than two days.
How is this possible?

https://redd.it/1bv2ieu
@r_devops
Best practices of authentication to Vault

Hello,

What could be considered the most secure way of authenticating in HashiCorp Vault by an application running in a Kubernetes cluster?

The AppRole method is nice, but implementing AppRole implies that the secret_id must be passed to the application. This means that the secret_id must be saved somewhere in the Deployment's configuration or in a Secret as plain text, which doesn't seem secure because someone could steal it.

The Kubernetes method seems to be a bit better, but it implies that the application should take the ServiceAccount's token (e.g., from /var/run/secrets/kubernetes.io/serviceaccount/token), which doesn't seem to be secure either. Someone could break into the application's container by exploiting a vulnerability in the application, read this token, and authenticate to Vault with this token just the same way the application does.

I consider the JWT method a bit more secure. In this case, we could make the application generate its own RSA key, then sign a JWT with this key and serve the requests from Vault when Vault calls back for the JWKS. In this case the application keeps its private key in memory only and doesn't store the private key anywhere (here's my very simple example implementation: https://gitlab.tucha.ua/khmarochos/vault-client-demo/). But, frankly speaking, I would like to find a simpler (yet still secure) solution.

Would you be willing to share any ideas on that topic? What approach could be considered simpler and more secure?

Thank you.

https://redd.it/1bv4pdc
@r_devops
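As an added example (not the poster's code, and not from the vault-client-demo repository linked above), here is how the Kubernetes auth method the post describes can be tightened so that a service-account token read out of a compromised container is as short-lived and narrowly scoped as possible. It is written for the Terraform Vault provider; the mount path, host, namespace, service-account and policy names are placeholders, and it assumes the workload receives a projected, audience-bound token from the Kubernetes TokenRequest API rather than the legacy long-lived secret-backed token.

```hcl
# Added example: Vault Kubernetes auth with bound identity, audience check,
# short token TTL and a read-only, least-privilege policy.

resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
  path = "kubernetes" # placeholder mount path
}

resource "vault_kubernetes_auth_backend_config" "this" {
  backend         = vault_auth_backend.kubernetes.path
  kubernetes_host = "https://kubernetes.default.svc:443" # placeholder
  # kubernetes_ca_cert / token_reviewer_jwt are omitted: when Vault itself runs
  # in the cluster it falls back to its own service account for token review.
}

resource "vault_policy" "api_app" {
  name   = "api-app" # placeholder
  policy = <<-EOT
    # Least privilege: only the secrets this workload needs, read only.
    path "secret/data/api-app/*" {
      capabilities = ["read"]
    }
  EOT
}

resource "vault_kubernetes_auth_backend_role" "api_app" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "api-app"
  bound_service_account_names      = ["api-app"] # only this SA ...
  bound_service_account_namespaces = ["prod"]    # ... in this namespace
  audience                         = "vault"     # token must be minted for Vault
  token_policies                   = [vault_policy.api_app.name]
  token_ttl                        = 900  # 15 min: re-login, don't hoard tokens
  token_max_ttl                    = 3600
}
```

On the workload side this pairs with `automountServiceAccountToken: false` and a projected `serviceAccountToken` volume with `audience: vault` and a short `expirationSeconds`, so the default token at the path quoted in the post is never mounted and the one that is mounted cannot be replayed against the API server. The caveat the poster raises still stands: anyone who can execute code inside the container can do whatever the application can do with Vault; binding, audience and TTL only shrink the window and the blast radius, and the Vault audit log should be watched for logins from this role that do not match the pod's lifecycle.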
Good resources for implementing Opentelemetry?

I am looking to implement OTel, but it's just roadblock after roadblock of obtuse configurations and a complete inability for me to make one thing talk to another.

I am wondering if there are good resources for setting stuff up besides the documentation and examples, which I've gone through and which don't map 1 to 1 to what I am trying to do.



https://redd.it/1bv5d6f
@r_devops
I want to reach the next level

I am an L2 Linux system administrator and part of an ops team which works on a monolithic fintech project. The project is powered by Ericsson's Wallet platform and has an MSA architecture. Meanwhile, our company developed the frontend apps and business logic deployed in the client's data center.
We don't have access to Ericsson's infra, obviously, but it's a complex project and I have learnt a lot about SDLC and operations.
I am highly underpaid and want to move ahead in my career.

I am unable to switch to a DevOps role as I have been turned down in a couple of interviews. I have been learning about Docker and a little bit of Kubernetes. I am good with bash scripting and networking (because I switched from a networking role).

Ever since I studied a bit about AWS, it's been on my nerves. I just made my free-tier account on AWS today and spun up an Apache web server on the first day.

I am confused whether it's good for me to keep practicing cloud straight away or whether I should get full command over DevOps tools off the cloud.

I was always interested in infrastructure provisioning, networking and OS, and now I feel like cloud has everything to offer.

Kindly guide me on whether it's a good approach to learn cloud at this point in my career. For now I can't even opt for certification exams because of finances, but I have my hands on some good material on cloud and DevOps.




https://redd.it/1bv96oa
@r_devops
What are ArgoCD & FluxCD used for?

Hey,


What are ArgoCD & FluxCD used for? I understand they are for continuous deployment, but what is the issue with just using a CI/CD tool such as GitHub Actions?


From what I understand, they are mainly for k8s? So I would use them for my YAML files; can I not just use GitHub Actions for this?


Best,


No_Weakness

https://redd.it/1bv9697
@r_devops
What are some of the latest tools in this space that you absolutely love?

Disclaimer: I'm the founder of Facets.cloud and I am looking for help to see which tools we haven't yet integrated with.

Can you share a list of Ops tools that you use daily? We can skip the basics.

https://redd.it/1bvdjfb
@r_devops
Tools that simulate the cloud (?)

Hi. Just wanted to know if there are any tools that simulate the cloud (like AWS) without actually giving you the hardware resources.

I want to learn AWS and TF by doing, but I do not have the budget to bear AWS' exorbitant fees. I have already utilised my free year of AWS services.

https://redd.it/1bvh2wr
@r_devops
Career Advice Needed

Hello there! I am currently a software engineer (BE) working for a startup in UAE, Dubai, and I'm thinking about starting my journey in OpenStack. But first I want you to know why I'm thinking about taking this decision, and to tell me if those are valid reasons.
1- Prior to being an SDE I was in technical support and application management; I had to work with servers, networks, databases and everything a support engineer is involved in (old-school stuff), and I really liked the experience. Therefore, starting to learn OpenStack would not be an issue since I have the previously required experience (combined with SDE experience).
2- SDE and infrastructure are very well interconnected, and having strong knowledge in managing infrastructure would be a great skill to acquire. So learning OpenStack will increase my employment chances (a developer who is also a cloud engineer). But not sure about this point?
3- Web service development is not something that really excites me anymore, and I would like to take my coding skills into the cloud (infrastructure as code, scripting); plus I really miss living inside the servers and data centers to set up stuff.
4- I have a feeling (just a feeling) that there will be a time when some companies will dump the cloud and begin to build their own cloud. So it is nice to position myself for that moment (honestly, where do you think things are going??)
5- I like OpenStack, I like what it stands for and I love open source.
6- I'm putting together a plan (teaching myself) to start contributing to the project itself.
Your thoughts are welcome; I appreciate the advice.

https://redd.it/1bvhr6m
@r_devops
All cloud audit logs in one place.

We are a multi-cloud company. We rely on AWS | GCP | Azure. Is there a way or tool which would help in aggregating all the cloud audit logs from all clouds in one place (store), so that we can set up alerts and query logs as and when needed?


https://redd.it/1bvhq3j
@r_devops
Can trunk based development work in this case?

Given a large monolithic Java code base, developed since the early 2000s. A test suite with 6k unit tests that run ~10 mins, and a few thousand JUnit-based integration tests (end-to-end tests with XML ingestion from queues to either XML sending through queues and/or updating a large database underneath) that run ~2h. There is another massive test suite of E2E frontend tests that runs overnight (and on lots of machines in parallel, else it would not get done in that timeframe).


There are currently ~30-40 developers actively working on the application.
VCS is git (since only a few years. Before it was SVN).


It can and does happen that the main development branch gets broken by check-ins. The chances of compile-clean check-ins are quite high. Chances for broken unit tests are still low (98% of all check-ins take this hurdle). But broken integration tests are common, as you can only guess which ones will be affected by a check-in and you can only run so much locally. Finding the culprit later on is hard, as the turnaround time between CI runs is ~2h and there can be many check-ins in the meantime.


Currently my thinking is to separate changes into branches that are individually verified before you merge them back into the main branch. But I always read that trunk-based development is the state-of-the-art way forward, and I wonder if this is even possible with a system like the one I have here, as the feedback cycle for validating a check-in is too slow.

https://redd.it/1bvjbe4
@r_devops
Kubernetes and containers security simulator

Has anyone seen or tried the Kubernetes security simulator created by ControlPlane? It's an open-source project (GitHub) providing ready-to-use tooling to deploy a bunch of K8s-based security scenarios in AWS. For now, it has 9 of them created for the CNCF, with different difficulty levels. (And I guess we can expect more coming later.) Really cool to have some fun (at least) or even use for educational purposes.

Recently, we tried it and enjoyed it a lot. Here is an overall impression and full guidance from my teammate through the Seven Seas scenario (it’s an easy one).

Another similar project I recently spotted is the Kubernetes LAN Party by Wiz. Haven’t tried it yet, but any feedback is welcome.

https://redd.it/1bvkasi
@r_devops
I sold my startup because of bugs: I wish I had this serverless repository

I ran a startup for almost 2 years, first with a simple approach of cron, queue, workers.
Then I moved to AWS: EventBridge, SQS, and Lambdas (vendor lock-in).
I wrote an article about the main problem that caused me to close it in the end:
https://nevo.hashnode.dev/i-sold-my-startup-because-of-bugs-i-wish-i-had-this-serverless-repository

https://redd.it/1bvlq2h
@r_devops
breakglass account setup for cloud access? (AWS, GCP or Azure)


Does anyone have an example of a breakglass account setup for cloud access? (AWS, GCP or Azure)

I am looking at what people are implementing with regard to privileged account management (PAM).

The problem is: what do you do during an incident or maintenance to temporarily increase the permissions of a developer in a secure, traceable and auditable way?

https://redd.it/1bvmdto
@r_devops
How do I access a ci value to a golang variable using werf?

To preface, I'm not proficient at all in DevOps, and what I need to do is to log the commit hash after a successful build. The project has a werf.yaml file in which there's this piece of config:

```yaml
shell:
  beforeInstall:
    - useradd -M -s /bin/bash app
  setup:
    - cd /usr/src/app/api
    - go mod tidy -compat=1.17
    - CGO_ENABLED=0 GOOS=linux go install -a -ldflags "-X 'main.buildVersion=${CI_COMMIT_SHA}'"
```

The go install -ldflags works fine with a fixed value (e.g. it sets buildVersion to "1.0.0" with main.buildVersion="1.0.0"), but I can't figure out how to access the CI_COMMIT_SHA GitLab variable.
How can I achieve that? Or what kind of documentation should I dig into?
Sorry in advance for the poor description; as I said, I'm not the best at DevOps or technical stuff in general.

https://redd.it/1bvobgm
@r_devops
Preproduction postgres database best practices

Hi,

I am in a small development team. In order to test new releases before going to production, we need to link our preproduction server to a preproduction database with fresh data (we fill the prod DB with frequent cron jobs requesting third-party services).

The easiest solution I have found yet is to clone my Postgres DB when I need to test, but I find it quite tedious. Are there better ways of doing this, and what are the best practices in general regarding preproduction databases?

Thanks :)

https://redd.it/1bvonu7
@r_devops
Is anyone using Contour ingress controller?

Hey folks. So I'm reading about Envoy and I came across the Contour project. As you might know, it's an ingress controller based on Envoy.

My question is, is anyone using it? What are your experiences about this project?

I'm asking because I want to use Envoy as a load balancer (L4 & L7) and also want to migrate from NGINX ingress to Contour.

https://redd.it/1bvsym4
@r_devops
Is it possible to remove a pod from a service, let it finish its process, and then delete it?

Hi

We have ProxySQL instances deployed on K8S. When we want to make some changes in the ProxySQLs by deleting the older pods and bringing up the new ones, the application takes a while to realize the older connection is not usable, so it has to create a new connection; this causes some errors and a spike in CPU usage on the application.

Connections to ProxySQL have a lifetime, so they get closed after some time. I wonder if it is possible to do this scenario when we want to update the configs on ProxySQL:

1. Remove the pod from the service, prevent it from accepting new connections

2. Wait for the ProxySQL pod to handle the existing connection and when all connections are closed, delete the pod

For the second phase, maybe a sidecar can determine the current number of connections, but I have no idea about the rest of the process.


Is it possible to do so in Kubernetes?

https://redd.it/1bvujwp
@r_devops
Is this possible in terraform? ("anonymous blocks"?)

I like using the `terraform-aws-modules/security-group/aws` module, but I'm wondering if a definition like this:

```hcl
module "test_sg" {
  source = "terraform-aws-modules/security-group/aws"
  name   = "test-sg"
  vpc_id = "vpc-123"

  ingress_with_source_security_group_id = [
    {
      rule                     = "postgresql-tcp"
      source_security_group_id = "sg-0adf3535bed76a6c6"
    },
    {
      rule                     = "postgresql-tcp"
      source_security_group_id = "sg-0c0bd45fd61a70af2"
    }
  ]
}
```


can be somehow expressed with a for loop or dynamic block for each `source_security_group_id`, even though the blocks don't have "names". I'm hoping to do something like this, but don't see if that's possible:

```hcl
locals {
  sgs = ["sg-0adf3535bed76a6c6", "sg-0c0bd45fd61a70af2"]
}

# tfsec:ignore:aws-ec2-no-public-egress-sgr
module "test_sg" {
  source = "terraform-aws-modules/security-group/aws"
  name   = "test-sg"
  vpc_id = "vpc-123"

  ingress_with_source_security_group_id = [
    dynamic {
      for_each = local.sgs
      content {
        rule                     = "postgres-tcp"
        source_security_group_id = each.key
      }
    }
  ]
}
```

https://redd.it/1bvufx3
@r_devops
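As an added example (not the poster's code, and not taken from the terraform-aws-modules project), here is the shape that does work for the case above. `dynamic` can only generate nested blocks, whereas `ingress_with_source_security_group_id` is a plain list attribute, so the list is built with a `for` expression instead. The security-group IDs are the constructed sample values from the question; the local name is an assumption.

```hcl
# Added example: generate one ingress rule object per source security group
# with a `for` expression. `dynamic` blocks do not apply here because the
# module exposes this as a list attribute, not as a nested block type.
locals {
  # Constructed sample IDs, taken from the question above.
  db_client_sgs = ["sg-0adf3535bed76a6c6", "sg-0c0bd45fd61a70af2"]
}

module "test_sg" {
  source = "terraform-aws-modules/security-group/aws"
  name   = "test-sg"
  vpc_id = "vpc-123"

  # One object per source SG. The `rule` value must be a key of the module's
  # named-rules map ("postgresql-tcp"; "postgres-tcp" would fail validation).
  ingress_with_source_security_group_id = [
    for sg in local.db_client_sgs : {
      rule                     = "postgresql-tcp"
      source_security_group_id = sg
    }
  ]
}
```

The iterator in a `for` expression is the named variable (`sg` here), not `each.key`; `each` only exists inside a resource or module that uses `for_each`. Keeping ingress scoped to specific source security groups rather than CIDR ranges, as this does, is the least-privilege shape reviewers and tools such as tfsec expect, so no ignore comment is needed for the ingress side.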
How do you get over guilt from letting people go?

Hi all, a different question to usual I expect. Maybe the wrong place to ask, but it's my role. To cut a long story short, recently I worked with someone as a senior to onboard them.

I pretty much did as much as I could, but they were hired as a mid when really they were a junior. We went through probation etc. and tried to get them on the ball, but in the end it never worked out and they had to go.

I just feel like I could've done more to help. I feel awful, especially with a tough market; the person made so much effort, they just didn't have the skills.

I've never been involved to this level in hire/fire and I feel fucking rotten that they've lost their job.

Is it normal to feel this way or is it just the way it is?

https://redd.it/1bvwhsr
@r_devops