Reddit DevOps
SRE looking to transition to security

I've been working as a sysadmin -> DevOps -> SRE for over 10 years (on premises, cloud, AWS, K8S) and looking to shake it up a bit and get onto a security operations team. That type of role doesn't exist where I'm currently working...but trying to understand what I should learn to get me in the door and build off of skills I already have.

Anyone have advice or a guide to making this career transition?

https://redd.it/1d436qn
@r_devops
Best practices to manage and deploy IaC

Hi! So I'm going to work as a junior cloud engineer soon (I've just graduated in IT) and chatting to one of the engineers in the company (there are like three of them, so it's a relatively small environment) he told me that they do everything by hand from the GUI. So the infrastructure they design is then deployed by hand.

Being a bit of a geek, and having enjoyed developing software, I have already imagined a future where I can get the company to change its ways and start using IaC to manage infrastructure. Now, a doubt has come to my mind: could any of you tell me how the deployment part usually works in a professional and large context?

Suppose you have an infrastructure defined by terraform code, how would you go about ensuring an optimal workflow while virtually minimizing failures when going into production?

I personally imagined such a scenario. 3 branches, respectively production, staging and development.

On development you introduce new features and update the infrastructure; a merge to the development branch only requires that the code is syntactically correct. After that, once some functionality has been introduced, we merge to staging where, through GitHub Actions, we run tests (terratest or terraform test) to make sure the infrastructure meets the logical requirements and that everything works correctly.
After that, maybe we can do some manual testing and if we realise that everything is working fine, we can merge it in production and deploy it.

Does this make sense?

https://redd.it/1d47gly
@r_devops
Infisical releases native K8s/AWS/GCP/Azure auth methods for secrets management

Infisical is unveiling not 1, not 2, but 4 new native authentication methods for Kubernetes, AWS, GCP, and Azure.

With this update, it is now possible for applications to fetch secrets back from Infisical without needing to explicitly manage an additional secret to authenticate with the platform in the first place (i.e. avoid secret zero).

Here’s how each method works:

Kubernetes Auth: Pods can use Kubernetes-native service accounts to have a service account credential mounted at a specified path. This credential can be used to authenticate with Infisical.

AWS Auth: AWS IAM principals for services like EC2 and Lambda can send a signed query containing a computed signature specific to the underlying IAM principal to authenticate with Infisical.

GCP Auth: GCP services like Compute Engine, App Engine, Cloud Functions, and Kubernetes Engine can use GCP-native ID tokens to authenticate with Infisical.

Azure Auth: Azure services like VMs, App Services, Functions, and Kubernetes Service can use Azure-native managed identity access tokens to authenticate with Infisical.

By treating Kubernetes, AWS, GCP, and Azure as trusted identity providers to supply and verify native platform tokens, we achieve a near “secretless” authentication pattern for applications running on these platforms. It’s now as seamless as pointing your application to Infisical to fetch back secrets.

Link to documentation: https://infisical.com/docs/documentation/platform/identities/machine-identities

https://redd.it/1d478jy
@r_devops
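
Added example, not part of the original post and not Infisical's code: a sketch of the verifier side of the Kubernetes Auth pattern the post describes, assuming the platform submits the pod's service account token to the cluster's TokenReview API and then checks the result against a configured binding. `Binding`, `authorize`, the namespace, account and audience values are hypothetical, and the TokenReview responses are constructed samples.

```python
from dataclasses import dataclass

SA_PREFIX = "system:serviceaccount:"


@dataclass(frozen=True)
class Binding:
    """Hypothetical identity binding configured on the secrets platform."""
    namespaces: frozenset
    service_accounts: frozenset
    audience: str


def authorize(review: dict, binding: Binding) -> tuple[bool, str]:
    """Decide whether a TokenReview response satisfies the binding."""
    status = review.get("status", {})
    if not status.get("authenticated", False):
        return False, "token rejected by cluster: " + status.get("error", "unknown")
    username = status.get("user", {}).get("username", "")
    if not username.startswith(SA_PREFIX):
        return False, "not a service account identity"
    parts = username[len(SA_PREFIX):].split(":")
    if len(parts) != 2 or not all(parts):
        return False, "malformed service account name"
    namespace, name = parts
    # Without these two checks any pod in the cluster could authenticate.
    if namespace not in binding.namespaces:
        return False, f"namespace {namespace!r} not allowed"
    if name not in binding.service_accounts:
        return False, f"service account {name!r} not allowed"
    # status.audiences lists the audiences valid for both token and reviewer;
    # requiring ours stops a token minted for another service being replayed.
    if binding.audience not in status.get("audiences", []):
        return False, "token not issued for this audience"
    return True, f"{namespace}/{name}"


def sample_review(username: str, audiences: list) -> dict:
    """Build a constructed TokenReview response for an accepted token."""
    return {"status": {"authenticated": True,
                       "user": {"username": username},
                       "audiences": audiences}}


# Constructed binding and responses (assumed values, for illustration only).
BINDING = Binding(frozenset({"payments"}), frozenset({"api"}),
                  "secrets.example.internal")
SAMPLES = {
    "ok": sample_review("system:serviceaccount:payments:api",
                        ["secrets.example.internal"]),
    "other_namespace": sample_review("system:serviceaccount:default:api",
                                     ["secrets.example.internal"]),
    "wrong_audience": sample_review("system:serviceaccount:payments:api",
                                    ["https://kubernetes.default.svc"]),
    "human_user": sample_review("alice@example.com",
                                ["secrets.example.internal"]),
    "expired": {"status": {"authenticated": False,
                           "error": "token has expired"}},
}

if __name__ == "__main__":
    for label, review in SAMPLES.items():
        print(label, authorize(review, BINDING))
```
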
How likely is it to get into Dev Ops right after finishing College without any experience in it?

I don't have a strong coding background but I wanted to try getting into Dev Ops, but I don't know where to start and what resources I should follow and what exactly I need to know and what kind of projects I need to do. I have researched about it and most of the posts say that you do not need much coding, you need just the basic networking knowledge (how much is basic I do not know) and you need to know about Linux commands, Git, CI (Jenkins), Docker, virtualization at least to get an intern?

Can I break into this field? I have basic knowledge that I had studied during bachelors in networking and some basic coding skills (only in JS though). What should I learn and what should I follow? I am finding it really hard to create a roadmap that helps me. I would really appreciate some insights in this.


Thank You

https://redd.it/1d44ahn
@r_devops
Ideal location for the IaC

Should I keep my Infrastructure as Code in the same repository that is containing my app's code or is it better to keep it separate? Which one is considered best practice and why?

https://redd.it/1d4bk63
@r_devops
How can devops support multiple teams?

I’m an ops/devops guy with mainly OpenShift experience. In a nutshell I write code to build and deploy an application and that is always customised for this application. For sure there are many scripts that I can reuse for several applications but it still requires a lot of internal application knowledge like does it require PVCs, environment variables, ports, or even a context directory to build a new image.
In this sub I frequently read that one small devops team sometimes supports dozens of teams and I can’t understand how it works.

Can someone explain please?




https://redd.it/1d4krjc
@r_devops
[Help] buildx failed with: ERROR: failed to solve: failed to push ghcr.io

Given a public GitHub repository (you can find a minimal reproduction repository here: [https://github.com/matthiashermsen/deleteme](https://github.com/matthiashermsen/deleteme)) with a Dockerfile with this content

```dockerfile
FROM alpine
```

and a GitHub Actions workflow with this content

```yaml
name: Release

on:
  push:
    branches:
      - 'main'

permissions:
  contents: write
  packages: write

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GitHub container registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: github-actions
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        env:
          DOCKER_REPOSITORY: ghcr.io/${{ github.repository }}
        with:
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ env.DOCKER_REPOSITORY }}:latest,${{ env.DOCKER_REPOSITORY }}:${{github.run_id}}
```

I would expect the workflow to be fine but unfortunately the last step fails with the error message

>ERROR: failed to solve: failed to push ghcr.io/matthiashermsen/deleteme:latest: unexpected status from POST request to https://ghcr.io/v2/matthiashermsen/deleteme/blobs/uploads/: 403 Forbidden

>Error: buildx failed with: ERROR: failed to solve: failed to push ghcr.io/matthiashermsen/deleteme:latest: unexpected status from POST request to https://ghcr.io/v2/matthiashermsen/deleteme/blobs/uploads/: 403 Forbidden

Is something wrong or am I missing something?

https://redd.it/1d4n5bk
@r_devops
Do you 'Lose Your Fastball' as a DevOps Engineer? Joining a new team as a mid- or senior-level engineer.

Hi all -

Started as a Junior 3 years ago, getting ready to switch companies for the first time, and wanted to ask the community's opinion.

The company I'm leaving has recently (within the past year or so) hired two very senior DevOps Engineers. Both have 10+ YOE. One was hired at a managerial level, one as a Senior (though not staff) Engineer.

Both have, frankly, struggled. I'm not a typical Junior (had 20+ years of experience in management outside of Tech before moving into an IC role), so even though I've still got a lot to learn about IT, the director and VP have come to me about people management issues, and I keep suggesting caution and patience.

Every DevOps Engineer that I've seen start with us, it takes about 6 months to get to a level of proficiency where you can start producing individually across the organization. I think that Seniors (and Managers) get a lot shorter of a leash when it comes to this kind of thing - they have higher expectations to 'hit the ground running.' But my experience is that they do not 'ramp' any quicker, and may in fact ramp up more slowly.

I don't think this is an ageist thing on my part (again: am old), and our most productive DevOps by FAR is a guy who is a 'Super Senior' - he's staff level, has been here for 10+ years, and is a master. But again - he's been here for ten years.

I was reading a book where a physicist decries that he's 'too old' at 30 to make any major discoveries, and the paradigm of an athlete (where you're cooked after 10-15 years professionally) fit a little too well onto the DevOps Engineers I know.

TL;DR - Do DevOps's have an expiration date? Is it harder to join a new team when you're more experienced? Or am I just seeing outliers and trying to draw a trend line that doesn't exist?

https://redd.it/1d4nvhf
@r_devops
Process in place for keeping track for vulnerabilities

We have different tools for code scanning and security like SonarCloud, Fortify, Aqua and Wiz, and we are running these scans regularly, some in CI/CD pipelines, others are being done by respective teams.
How do you keep track of the issues? Maybe create a dashboard or work item, but still keeping track of all of them and how many are resolved is still hectic. Any suggestions for this?

https://redd.it/1d4q8aj
@r_devops
AWS RDS AND EC2 HELP

Can anyone please confirm, Help me

For RDS

I can use one t2.micro and one t3.micro db within limits (750 hours per month) for no cost per month for 1 year even if I keep both of these machines on for the whole month

For EC2

I can use one t2.micro and one t3.micro EC2 machine within limits (750 hours per month) for no cost per month for 1 year even if I keep both of these machines on for the whole month


https://redd.it/1d4tgyz
@r_devops
Packer Templates for most recent Ubuntu LTS versions with QEMU and Cloud-Init

Hi all,

Maybe a showcase post, but I made a repo a couple of years ago where you can create custom QEMU (QCOW2) image files for Ubuntu LTS versions using Packer and Cloud-Init, which for some weird reason has been picking up stars on GitHub at a low-to-moderate level.

It now generates Ubuntu 24.04 LTS images too. If you need a template that works out of the box for local development or for your CI systems here is the repo link.

It is worth noting that there is a non-compatibility between the UEFI boot sequencing logic for older LTS versions (22.04, 20.04) and the new one, which I have solved. In case this post gets searched in posterity.

Hope it helps anyone looking to make Ubuntu VMs with customization

https://redd.it/1d4ugck
@r_devops
is a devops degree in college a scam?

i am now in the first year of a university specializing in computing in general. after you are done with your first year subjects, which should be in a month or two from now, it's on you to choose from three different modules (cs, software eng and hardware eng) to be your main degree. each of them have a wide variety of elective subjects so you can really go for anything you like. the software engineering program seems like the best fit for me, as you can literally only focus on backend and devops if you feel like it, and i'm not looking to do anything with ai, ml, cryptography, graphics, video games, or advanced math.



i'd say devops or backend with java and spring are my main career goals, and i know that it will require a lot of learning, but i am really hyped about it all. this year i took discrete math, real analysis, assembly, c and java programming, and i failed linear algebra which i will have to take again. however, in the following years, my subjects can, if i choose so, cover everything from docker, k8s, many cloud tools and services, microservice apps, js, ts, python, linux, terraform, ansible, jenkins, different apis and web dev, and all the good stuff a good devops engineer should know.



now, this does sound really good on paper, but as far as i know it's very hard to start your career from a devops role, as nobody really trusts a junior to do such complicated tasks (correct me if i'm wrong). so that makes me think i should maybe opt for a more standard dev to devops path, or maybe even let myself go of any predestined paths to a career and just do what clicks at the moment. like i thought i would hate java before i started actually doing it and now it's my favourite thing i took in uni.



so, should i take the opportunity and learn the devops skills on hands-on projects in university, or should i just do as much coding and algorithms as possible in the following couple of years before landing some kind of a junior dev role and then slowly transition into devops / platform eng? could things my uni promises be a scam? i'd post a link to the website, but we are actually the first generation being offered those electives, and they haven't yet updated their website and subjects descriptions to have english translations, so you'd be looking at either the old program in english or end up having to learn cyrillic. but given the information i gave you, what would you choose?

https://redd.it/1d4wt4p
@r_devops
How to use Terraform Modules for Azure properly?

I am a little bit confused about the usage of Terraform Modules for Azure,
So if I am using a module for creating a VM, does this mean that all I have to do is to use this code?


```hcl
module "virtual-machine" {
  source  = "Azure/virtual-machine/azurerm"
  version = "1.1.0"
  # insert the 7 required variables here
}
```


If so, what does the usage part mean as mentioned on the registry page? It is mentioned at the usage part of the module.
In fact there is a mention of this `source`, why is it empty?


```hcl
module "linux" {
  source = "../.."
```

https://redd.it/1d52jah
@r_devops
EKS driving me mad

Hi All

I have an EKS cluster that I set up with kubectl.
I am using Argo CD and GitHub Actions to deploy various microservices into the cluster.
The big issue I have is that every time a dev makes a change and a new container is built, pushed and deployed to the cluster, the private IP changes,
which is causing a major issue as our frontend relies on those services.

So I guess my question is, can someone guide me on how I can force those IPs to never change or to auto-update an internal DNS name to them?

Thanks

https://redd.it/1d53x8n
@r_devops
Request for DevOps feedback!

Hi Fellow DevOps Pros!

After my post here a couple weeks ago asking you all what real problems DevOps people face/struggle with, I built a small demo— An AI-powered Terraform Management solution specifically aimed at startups for now.

The slogan is — Let your words shape your infrastructure. We integrate with your existing infrastructure codebase. Then, through our chat interface, using plain English, you can query, analyze, and modify your cloud infrastructure! 

Here are some example prompts you can use:

1. Show me all the resources in my current infrastructure.
2. Add a new EC2 instance with the name 'web-server' and configure it with the latest Ubuntu image.
3. Delete the unused S3 bucket named 'old-backups'.

It's just a short demo that I was able to spin up in my free time after work, and I'm currently trying to find my first customer or user to test my demo. I've also got a simple landing page setup, but I'm mainly reaching out personally like this across various communities to see if someone is willing to see/test this.


There's a LOT of work to be done here. This is nothing near perfect but I'm hopeful that after getting good feedback I should be able to work on it for a while and come up with a product that genuinely enhances the devOps workflow.

I've been struggling to get my first customer so would be really helpful if anyone is willing to have a look at it! I've named it Euso AI. Here's a link to the landing page, and let me know if you're interested to see the demo! 

https://redd.it/1d54tcs
@r_devops
Does your team use Zero trust?

Hey as the title suggests, does your team use ZeroTrust? And if so how are you using it /what resources are behind it?

Would love to hear, as at a previous employer we leveraged Cloudflare ZT which was actually pretty good for our use case. For more complex multi-cluster setups, would love to hear your use of Zero Trust, what provider and how you implemented it!

https://redd.it/1d54euh
@r_devops
Versioning helm values files?

Using helm to deploy app to multiple deployments within an environment. Think multiple regions.

We have configurations for example "prod" that are then deployed to 3+ regions in AWS. Right now it's copy pasta in values files like values-prod-region1.yaml, values-prod-region2.yaml, values-shared-prod.yaml

I'm trying to bundle this within the helm chart so when I update the shared prod values I can just bump the chart version where I have this deployed.

Using Argo.

https://redd.it/1d57k59
@r_devops
As a dev, what book can I read to learn how to divide my software cycle in dev, test, staging, prod?

What book would you recommend for a dev to learn to configure the software cycle to include all these stages?

https://redd.it/1d589bh
@r_devops
devops or sw developer being student

In your opinion, which one could be more beneficial for a student (in my case, an engineering systems student) in terms of pressure, learning curve, extra hours, etc.? An opportunity as a DevOps engineer came up, but I only have basic knowledge of Linux/PowerShell. As a software developer, I have minimal experience with Java.

https://redd.it/1d56ev3
@r_devops
Looking for specific Udemy Courses or other good learning sources

Hello everyone,

I am leaving my current position and have the opportunity to get more into DevOps. I already have some experience with it on the Dev side of things and know how software shipment works too.

We are currently planning to migrate our TFS to Git and use GitHub Actions in the future.
Also we are using Azure as our cloud service and for our current pipelines.

So what I need would be some good courses about Azure DevOps and Git/GitHub Actions. I am planning in the not so near future to get an Azure certificate too.

I would be the first full DevOps Engineer in the company, just for info and need all the help I can get.

Are there any recommendations that make the switch easier for me? Any courses you would suggest?

Thanks!

https://redd.it/1d55ict
@r_devops
AWS -> Terraform Assoc -> CKA

Network Engineer 6yoe trying to break in to cloud engineering/devops. I got my AWS SAA and SOA.
Trying to figure out best path for me to go.
I am creating project and will document it on yt.
While doing that, would it be smart to take terraform associate then CKA, or should it be the other way around?

https://redd.it/1d5co2y
@r_devops