How to establish encrypted communication (SSL) via reverse proxy to PostgreSQL?
So far I have three components:
* C (client - DataGrip, TablePlus, LookerStudio, MetaBase, etc...)
* P (proxy - nginx) - docker container
* DB (database - postgres) - docker container
I want to enable clients to use SSL, but I want to keep the encrypted connection only between C and P.
So my current working solution is
C --> P --> DB
and I want it to be
C -- [SSL] --> P --> DB
What do I do?
So far, I have working SSL for HTTP(s) connection on the proxy, using Let's Encrypt certificates. This is working fine. But since I want to encrypt TLS communication, I need to configure `stream` in nginx. I tried to do the same as I did with HTTP, but it does not work. Client cannot connect.
**More details:**
I have several Docker services running, one of them is a database. I make connections via SSH tunnel, which is working fine. However, I want to open a port for connecting to the DB directly (as some BI tools do not support SSH tunnels). I do not want to expose the DB server, so I opted for reverse proxy via nginx, as I already use it for other services that communicate over HTTPS. The proxy is working just fine, but only if I do not enable SSL. I cannot get it working.
If I do exactly the same as with HTTPS, I get error:
[emerg] 1#1: the shared memory zone "le_nginx_SSL" is already declared for a different use in /etc/letsencrypt/options-ssl-nginx.conf:7
This is probably because the cache memory zone is already being used by other 2 services (https). If I simply rename the zone, it does nothing. Nginx starts, but no communication is picked up (at least by access logs).
My nginx configuration for the stream is:
stream {
    server {
        listen 9856 ssl;
        ssl_certificate /etc/letsencrypt/live/domain.com/fullchain1.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey1.pem; # managed by Certbot
        include /etc/nginx/cert/options-ssl-nginx.conf; # managed by Certbot
        ssl_verify_client off;
        proxy_connect_timeout 60s;
        proxy_socket_keepalive on;
        proxy_pass projects-client-project-database-1:5432;
        proxy_ssl off;
    }
}
If I turn off SSL by removing the `ssl` keyword from the `listen` directive, it works fine (but without SSL).
PS: I am new to devops, I am configuring my first VPS so maybe I am having a completely wrong idea.
https://redd.it/1c1fkyg
@r_devops
Junior DevOps Engineer - London - Stuck on how to career progress?
Hi all,
I have worked in accounting up until I turned 26, last year and managed to secure a DevOps role in May 2023. I will have been in my current role for just shy of 1 year now. Before moving into this position, I had some hands on experience with coding, and helped at my previous role in the IT division, so I managed to learn about servers, etc. And ended up setting up my own Homelab.
I really really enjoy this career, however I know that I am a bit out of my depth. I have followed the DevOps Roadmap and have taken courses and played around with a majority of the tech stack. Now here's my issue..
The company I am with had me benched for the first 6 months. It was pretty much just me sat at home, learning courses on different things. Projects were meant to come my way but they never did. Then at the 6 month mark, I've been put on projects. Now it's odd, because my title is 'Junior DevOps', but almost immediately my first project was me on my own. I didn't get any guidance, and was just given a SOW that I made my way through. Whenever I asked for help, people were busy or I would get help but kinda half assed because they had to go do something else. I was getting complained at a lot by the customer, for things that I was never told about, but I managed to make my way through and complete that project. It was the most stressful 4 months of my life. I learnt a good bit, but I was working 7am in the morning till about 9pm every night, just to ensure I got the work done.
I've now been put on a new project, and it's kind of similar. I have someone who comes in every now and then to review my work, but it's a bit more like they are cautious over me not making any mistakes like last time, as opposed to offering me guidance. Because of this, I feel like I'm not really learning from the company, it is stressing me out a lot and on top of it my pay...
I get paid 32k per year. I was told at my 1-year mark that I would get a pay rise, however, the company says that pay reviews are done in March, and I will have missed this at my 1-year review, so I won't be getting a pay rise. The company knows I can't leave because I have no prior experience and now just 1 year at this company. I feel like I'm in a terrible catch-22. The pay isn't the biggest thing to me, but it does hurt knowing how constantly stressed I am, any learning I get is more from myself as opposed to the company offering it, and to top it off I'm in London on 32k, where the train commute into work eats up most of my pay.
tldr: 1 year DevOps experience, low pay, very little learning at company (but better than none). What should I do?
https://redd.it/1c1hdoo
@r_devops
OpenTofu’s Response to HashiCorp’s Cease and Desist Letter
On April 3rd, OpenTofu received a Cease and Desist letter from HashiCorp claiming copyright infringement on the part of one of our core developers. For full transparency, the link contains the original C&D, our response letter, and the detailed source code origin document resulting from our investigation.
The OpenTofu team vehemently disagrees with any suggestion that it misappropriated, mis-sourced, or otherwise misused HashiCorp’s BSL code. All such statements have zero basis in facts.
Despite these events, we have managed to carry out significant development on OpenTofu 1.7, and we will be releasing a new pre-release version next week, including provider-defined functions!
Here’s the blog post with all the details: https://opentofu.org/blog/our-response-to-hashicorps-cease-and-desist/
https://redd.it/1c1ishn
@r_devops
opentofu.org
Our Response to Hashicorp's Cease and Desist Letter | OpenTofu
On April 3rd, we received a Cease and Desist letter from HashiCorp regarding our implementation of the "removed" block in OpenTofu, claiming copyright infringement on the part of one of our core developers. We were also made aware of an article posted that…
What is the biggest unsolved problem in DevOps?
For me the biggest problems are human problems: it can be very hard to 'sell' executives on reducing tech debt. But what do you think is the biggest unsolved problem in DevOps?
https://redd.it/1c1iacy
@r_devops
Waste of time or good learning material?
For context, I was pretty much a “Pipeline Monkey” or Pipeline Mechanic (systems engineer - vague title) in my previous role where I was constantly troubleshooting Developer builds in Jenkins and helping them on the CI side. There weren’t a lot of opportunities for learning more tools, as this was taken by the Seniors which we had on the team and the juniors just worked on tickets.
Now I accepted a junior DevOps position, 1 year into it and it’s super slow. Although learning ECS, Terraform, etc. Lots of time has been spent on raising the appropriate access etc. Very little hands on and most of it has been copy/paste.
I do have some “downtime” aka waiting for feedback from Principal engineer before I do TF applies, changing DB configurations etc etc. I was thinking of learning the following to help upskill,
- personal website project set up with AWS S3, Route53, etc. Implement first perhaps manually, and then after I would update the configuration to be done via Terraform - perhaps configure this to use an AWS CI/CD pipeline (currently learning) - and maybe set this up in ECS Fargate? Not sure if this would be overkill (roughly $10 USD a month to leave it running continuously?)
- Learn Python - small side projects
- Get better at AWS networking; setting up a 2 tier web application, even ones that may say, “hello world” - is this feasible or a waste of my time?
https://redd.it/1c1i8vc
@r_devops
Sonar scanner SSL issue
SonarQube server & Jenkins master are running on Linux machines. Sonar scanner is installed on a Windows server that is a Jenkins slave machine. A dot net application needs to be scanned. I have a build pipeline that builds, runs sonar, and deploys the dot net application. Sonar scan fails due to TLS error. It's a self-signed certificate and it was already installed in the Windows server Java keystore including the cert chain. What is the issue here? I tried a curl command, `curl -k https://mysonar.com/api/server/version`, in the same Jenkinsfile and it works.
https://redd.it/1c1iyuf
@r_devops
What browser do you use and why?
I have been a Chrome user for almost all my career but every once in a while I see a 'privacy-aware' engineer, mostly from DevOps/SRE background, use browsers like Vivaldi or Brave or something else.
What are your views on Chrome?
Is Chrome safe enough?
Does it make sense to use any other browser?
https://redd.it/1c1onb9
@r_devops
Help with a project
I'm currently working on a university project, basically it's a jobs website for freelancers. My question is, should I use Elasticsearch or the PostgreSQL full text search? We're doing this project alongside a real business, they already own a job search website, so it's safe to think that there's going to be a lot of users and job offers if the website is finally deployed for them (we're doing the project with Django, if that's relevant).
https://redd.it/1c1q0kg
@r_devops
what's the easiest vps rolling deploy setup?
I have a website that I deploy as a jar to a VPS via 3 commands (build, scp, run) as a one man operation. I do this multiple times a day. My site is down for maybe 10 seconds at a time when I do this.
I understand the concept of a rolling deploy but not sure what technologies I should use to implement. Many setups and technologies seem to be for large orgs.
https://redd.it/1c1ufm2
@r_devops
It's getting blatantly obvious when our junior guys are copy/pasting GPT lol..
I've started having them review their PRs with us on a call, and describe what the actual fuck is going on in their PR.. then the fun ensues when they can't explain anything lol
FWIW the code does work most of the time for what it's intended to do, but if you're going to use an AI to help you be able to know what you're submitting..
The kicker is that we've blocked all AI tools at our workplace, but you can obv just use your personal device to get some output..
Most of the time it seems to way over engineer a simple task with some random library.. again.. it works, but there's easier ways to accomplish the task.. this is typically the giveaway
https://redd.it/1c1zl0q
@r_devops
Exploring Platform Engineering for Enhanced DevOps Efficiency
As DevOps professionals, we constantly strive to optimize workflows and empower development teams. Yet, the growing complexity of infrastructure often poses a significant hurdle. Could Platform Engineering be the key to unlocking greater efficiency and agility within our DevOps practices?
Platform Engineering: A Strategic Approach to Infrastructure Management
Platform Engineering centers on the concept of building internal developer platforms that provide self-service capabilities, standardized tooling, and streamlined workflows. By abstracting infrastructure complexities, it empowers developers to provision resources, manage environments, and deploy applications with increased autonomy and efficiency.
Key Benefits for DevOps Teams:
* Accelerated Development Cycles: Self-service provisioning and automated deployments eliminate bottlenecks and accelerate time-to-market.
* Reduced Operational Overhead: Centralized platform management streamlines infrastructure provisioning, configuration, and maintenance, freeing up Ops teams to focus on strategic initiatives.
* Enhanced Collaboration & Ownership: Platform Engineering fosters a culture of shared responsibility and collaboration between Dev and Ops, breaking down silos and promoting a unified approach to software delivery.
* Improved Developer Experience: By providing a streamlined and intuitive platform, developers can focus on writing code and innovating, without getting bogged down in infrastructure complexities.
Delving Deeper into Platform Engineering
If you're seeking ways to enhance your DevOps practices and overcome infrastructure challenges, I encourage you to explore the world of Platform Engineering. The r/platformengineering subreddit offers a valuable resource for learning, sharing experiences, and connecting with fellow professionals passionate about this evolving field.
**Here are some discussion points to get you started:**
* What are the core components of a successful internal developer platform?
* How can Platform Engineering principles be integrated into existing DevOps workflows?
* What tools and technologies are essential for building and maintaining a developer platform?
* What challenges have you encountered in implementing Platform Engineering, and how did you overcome them?
Join the conversation on r/platformengineering and let's collectively navigate the path towards greater DevOps efficiency and agility through Platform Engineering.
https://redd.it/1c22w8d
@r_devops
Will people ever grow up wanting to be a DevOps engineer?
I understand that DevOps as a methodology hasn't been around for that long to expect people to be aware of it in their high school and early college years.
But will that change in the future? Will more people decide to be DevOps engineers from the start of their careers? The assumption I have (and happy for you to challenge) is that the people I know in the DevOps space usually say they "fell into" the field. I'd be interested to know if that's the case for people here in the subreddit, if so what was it about the DevOps position that attracted you to it in the first place? And in 5/10 years will DevOps become people's first option? Cheers
https://redd.it/1c24rbg
@r_devops
Enablement CI/CD vs Platform
My definitions of the respective terms in a nutshell:
Enablement:
- no ownership of any systems/tools (e.g. GitLab)
- therefore no engineering for these systems
- not doing the dev teams’ jobs (i.e. also not creating CI/CD jobs for them)
- work mainly centered around consulting for teams/advisory role for best practices in DevOps (e.g. Giving trainings on how to properly use Git, Docker best practices etc)
- creating an environment so devs/engineers can help themselves (e.g. governance and standardization in CI/CD)
Platform:
- ownership and operation of systems
- engineering for these systems
- governance for these systems
- …
Does anybody here have any experience with setting up an enablement team/working in an enablement-centric team?
Is the definition of the terms correct?
Honestly, any opinions welcome
https://redd.it/1c25k7q
@r_devops
does devops belong in game design or gaming industry?
I've been a DevOps for a while now (7-8 years) and always worked with fintech/SaaS solutions. My latest rodeo is a consultancy working on all sorts of projects and blockchains, however, my biggest struggle is that all those projects have no passion or narrative in them. It's just a bunch of people doing random tickets so they can get paid by the end of the month.
On the other hand, game design might be a good option for me (possibly indie). I have some dev experience (I miss it), I'm decent at 3D modeling, heck I even fiddle with 3D printing and stuff. I'm not expecting anything major straight from the start but I would like to work on a passion project where things are built out of love. I understand that these things take years to build but the end result always amazed me.
Is dipping my toes into game design a good idea?
https://redd.it/1c24tn3
@r_devops
Securing a DevOps Internship: Tips for Navigating GitLab
I've recently secured an internship in DevOps, which is a thrilling opportunity. However, upon researching the company, I discovered they heavily utilize GitLab—a tool I'm unfamiliar with. While I've worked on DevOps projects using other tools, GitLab is new territory for me. Any suggestions on how to quickly get up to speed with it before the interview to increase my chances of success?
https://redd.it/1c26uit
@r_devops
Restricting SSH Access while Allowing PostgreSQL Connections to a VM Provisioned with Terraform
How can I disallow SSH connections to a VM provisioned with Terraform, but allow TCP connections to the PostgreSQL instance installed on it, so that my local machine can connect to the SQL database, but no one else can access the VM on which the database is hosted?
This is the security rule in the Network Security Group:
security_rule {
  name                       = "TCP"
  priority                   = 1001
  direction                  = "Inbound"
  access                     = "Allow"
  protocol                   = "Tcp"
  source_port_range          = "*"
  destination_port_ranges    = ["5432"]
  source_address_prefix      = "*"
  destination_address_prefix = "*"
}
Thanks in advance!
https://redd.it/1c2adnv
@r_devops
The Hidden Economy of Open Source Software
The recent discovery of a backdoor in XZ Utils (CVE-2024-3094), a data compression utility used by a wide array of various open-source, Linux-based computer applications, underscores the importance of open-source software security. While it is often not consumer-facing, open-source software is a critical component of computing and internet functions, such as secure communications between machines.
https://sysdig.com/blog/hidden-economy-of-open-source-software/
https://redd.it/1c2aqbx
@r_devops
Company needs me to learn DevSecOps for a new project - Help me choose before I pay for ECDE
Looking to join a DevSecOps program as my company insisted on DevSecOps expertise for a new project. I need opinions before I pay.
I couldn't find a lot, but this one looks promising, like the ECDE program, but please feel free to suggest any other program you find better.
https://redd.it/1c2a2gn
@r_devops
Looking for my second DevOps project
Hey all,
I am an IT Engineer with say about 3 years of experience, currently working as a security implementor. About 2-3 months ago I've decided to shift over to DevOps after around a year of trying to find the motivation to do so after getting really burnt out at my last job place.
I have started teaching myself by looking for beginner projects, and today have finally accomplished this project (almost! I just need to implement SSL cert in a DevOps'ish manner, also I have skipped Ansible, but wish to learn it.)
https://loganmarchione.com/2022/10/the-best-devops-project-for-a-beginner/
I have learned Docker, Jenkins, Terraform, AWS services that are relevant to this project and probably some more I forgot to mention. Of course I'm no expert at those, I expect to start a new project, where I will dive-deeper into those technologies. Haven't touched K8s just yet.
I do have some optimization to do, as well as migrate some local stuff over to AWS, should be finished this weekend.
I would appreciate if you guys could recommend me maybe a similar project, where I will perhaps dive deeper, or learn new technologies.
PS. If anyone has the time and wants to peek at my code:
Terraform code is here
Web app code is here
PS 2. Please don't roast my code! I do appreciate real feedback though.
https://redd.it/1c2ei8k
@r_devops
GitHub
GitHub - assafdori/resume-app-iac: Terraform code for resume application.
Terraform code for resume application. Contribute to assafdori/resume-app-iac development by creating an account on GitHub.
Bazel is ruining my life
Rant incoming
We adopted Bazel and honestly, I hate it.
We had to hire additional contractors to maintain it and I still haven't entirely grasped how to make a simple change to our CI configuration.
I'm so incredibly tired of using Bazel and the maintenance burden. Our principal suggested it (former Googler) and it has just been a massive time suck. Yes, yes, I know our builds are "reproducible" and "hermetic" but goddamn I just want to build a container. I don't want to have to reach out to our contractors to do this.
I massively messed up by not opposing it and now I'm paying the price.
Even Kubernetes stopped using Bazel because of how much of a nightmare it was. https://github.com/kubernetes/kubernetes/pull/99561
This recent Kubecon video made me realize I wasn't alone or just stupid https://www.youtube.com/watch?v=nZLz0o4duRs
It really is hard and I'm not sure if it's worth it.
I can no longer run some parts of Bazel locally because of an esoteric error to do with Mac OS and SIP. Apparently Apple has quarantined some aspect of Bazel that depends on Java in Mac OS Sonoma. The recommended fix? Wipe your laptop and reinstall. Hope it doesn't happen again.
Our SRE team hates how it strips binaries which again, "is a configuration option that you can change"
BUT THAT ALSO REQUIRES AN EXPERT.
perf doesn't work because of this
So be warned. Bazel adoption means you need to have an expert on-call for the life of the product or you will need to become an expert.
I just want go build to work and local testing to work.
Has anyone else used Bazel? Should I just suck it up and learn it?
https://redd.it/1c2g3s4
@r_devops
GitHub
Remove Bazel by BenTheElder · Pull Request #99561 · kubernetes/kubernetes
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
Removes the bazel build system, reducing Kubernetes to maintaining one build system for this repo per: kubernetes/enhance...
Wanting to get into DevOps after college, am I doing enough?
Hi everyone, I'm an upcoming college graduate (Studying Management Info Systems) wanting to get into DevOps. I've been working at my school's IT department as a Field Tech for about 2 years. (General Troubleshooting, some Active Directory, deploying images, windows server, etc) and completed a cloud cybersecurity engineering internship over the summer.
Over the past year, I have achieved my Network+, my AWS SA-A, and completed a few cloud-related projects to show hiring managers (AWS Cloud Resume Challenge, 3-Tier Architecture in AWS VPC made through IaC, made a pipeline with GitHub Actions, etc.), and I'm soon going to deploy a demo app through Kubernetes.
I've used resources such as TechWorld with Nana, Learn To Cloud, and the DevOps roadmap commonly shared on this subreddit to further cement my knowledge.
I understand that DevOps isn't typically an entry level role, but I wanted to know what my options were for pivoting to it after college given my current experience and hands-on projects.
I've had a few recruiters reach out to me for cloud engineer/sysadmin roles, but they ended up turning me down due to me still being in school. I'm assuming that's a sign I'm on the right track, but is there anything else I could be missing that could make my chances of securing a role better?
https://redd.it/1c2c7mi
@r_devops