Reddit DevOps
Requesting feedback and advice on my transition plan into DevSecOps

I understand there is no one set path. I would appreciate any comments or real talk on the likelihood of this transition plan:

Background:

- BA in nontechnical field,
- Air Force SIGINT analyst for 20 years
- TS/SCI (Top Secret) with CI polygraph <-- I understand it's irrelevant in the civilian sector, but I am hoping to find a cleared role where I can get my feet wet
- PMP, A+, some Python scripting exp, RHCSA (taking it in Oct)
- IT project management as a gov rep for contractors (netadmin, sysadmin)

In 2025:

- Start DevSecOps internship (SkillBridge) with a DoD contractor with a 3-letter agency (Feb - Aug)
- SSCP (DoDM 8140.03 IAT level II, Security+ equivalent) by Feb 2025
- CISSP by Aug 2025 <-- I understand this falls more on the GRC side but wanted to highlight my security background. Already endorsed by another CISSP professional
- AZ-204, AZ-400 or AWS SAA
- CCSP
- Learn, learn, learn both in and out of work with labs, hands-on experience

I will retire from the Air Force in Aug 2025 with the 6-month internship under my belt. My goal is to aim for sysadmin or netadmin as a starter, and work my way up through cloud engineer or any company that would give me a chance for a DevOps-related position.

Is there anything I can do differently? I am also considering these in 2025:

1. CCNA on behalf of AWS or Azure, to learn the fundamentals of networking and shoot for netadmin, because it will give me solid experience for cloud and all aspects of networking.

2. CDP, because I find it very helpful for a roadmap-style learning experience.

Thank you in advance!

https://redd.it/1ejsub0
@r_devops
Masters in Devops

Hi Everyone,
I am curious to know whether Universities have a masters program for Devops. Or is there no such thing called masters in Devops. I am interested in this field and tried to home school myself on basics of Devops from online courses and YT tutorials.
My parents want me to go for higher studies, which even I want to do but I need some advice to know what I should go for and proceed in which direction. I think I'm still a fresher and I currently have just 1yoe in a company where I do V&V for sensors. I don't see too much of a growth in this line and I'm not very interested in this line of work.
Thus, reaching out to the community to get some guidance or information on how to transition myself into Devops since I'd like to do this for a long term growth.
Best regards, Thanks!

https://redd.it/1ejy3ia
@r_devops
Greenfield EKS Setup and App Modernization Suggestions

Greetings DevOps community,

Our team has a rare opportunity to stand up the infrastructure for an application modernization initiative from scratch. I wanted to come to the community to solicit suggestions, advice, or general best practices that we should adhere to, to avoid the biggest pains when it comes to managing Kubernetes. Please note, my main goals are simplicity as the team needs to ramp up of course.

Some background. We are leveraging GitHub Actions primarily for our CI/CD and another team at the company already uses ArgoCD. So, we figured we’d take advantage and use that as well. The apps are all on older versions of dotnet, so we are working with the development team to get those updated to dotnet 8 and containerize them. We do not plan on breaking down all those apps into microservices, the majority will remain monolithic, as they are small in nature. We just plan to break out the database layer into RDS and for a few of the apps break the front end and backend into separate pods, for example. Nothing too fancy. There are one or two apps which would lend themselves to maybe a citadel model, but this wouldn’t be common.

Anyway, this is what we thought of so far:

- continue to use GitHub actions for CI and perhaps leverage ArgoCD for deployment/GitOps.

- deploy and manage the clusters using terraform.

- leverage ECR for our registry and EKS as our platform.

- utilize wiz for container scanning and runtime security.


What I’d like advice on is:

- How should we organize this code?
- Should we utilize helm or kustomize (or both)?
- What would local development look like for our devs? Should we get them minikube?
- Anything else the community could offer advice on.

Approaches I’ve seen are to keep all the kubernetes manifests in one repository, separate apps by folders, and then each app into environment folders using kustomize? Then keep the application code separated into its own repository where the only processes that would occur is CI, building the dockerfile and deploying the image to ECR? Thus keeping app code and infra code separated?


Thank you!



https://redd.it/1ejwues
@r_devops
Starting a DevOps role here shortly... Advice?

Hey guys,

So I'm starting a new job here this week, and it's for a DevOps role. My background is in Software engineering and programming, mostly with Python, with approx 4 years or so experience.

I went in for the interview and explained that I don't really have any experience in DevOps, and I left the interview thinking there's no way in hell I'm gonna get this job. To my surprise, the company actually made me an offer and I accepted it. They said that in the early stages it's gonna be a lot of learning for me to do, but I'm sat here baffled that they've offered me the role when they could likely find someone who is actually experienced in DevOps instead...

So I'm wondering, does software engineering lend itself to DevOps much? I'm a bit nervous at this point, but at the same time, I didn't lie to them about my capabilities and they know that it's pretty much gonna be a fresh start for me. Any advice would be awesome

https://redd.it/1ek1uzm
@r_devops
OpenTelemetry Tracing on Spring Boot, Java Agent vs. Micrometer Tracing

>My demo of OpenTelemetry Tracing features two Spring Boot components. One uses the Java agent, and I noticed a different behavior when I recently upgraded it from v1.x to v2.x. In the other one, I’m using Micrometer Tracing because I compile to GraalVM native, and it can’t process Java agents.
>
>I want to compare these three different ways in this post: Java agent v1, Java agent v2, and Micrometer Tracing.

https://blog.frankel.ch/opentelemetry-tracing-spring-boot/

https://redd.it/1ejzkcd
@r_devops
Mimir or Thanos at Scale

I'm kicking off an investigation to build an observability system for our data platform. We run self-hosted Trino, Hadoop (YARN and HDFS), and Spark. It feels like taking advantage of Prometheus makes sense to minimize our need to build a totally custom solution.

One of the requirements is persistent storage for the metrics. We need to build aggregations to create business level metrics. We want to allow these metrics to be used for debugging. DataDog is expensive. The system needs to support high throughput and should have the ability to retrieve metrics for up to 90 days.

With the above in mind, I'm looking at Thanos, Mimir, and TimescaleDB. I understand that all three are different. How's the scalability of Thanos or Mimir with S3? Have you experienced any issues at scale? How about Timescale? If I went with Timescale, we could use Kafka Connect for metric ingest. Also, their tiered storage looks attractive. Any thoughts?

Edit: I forgot to add TimescaleDB to the title.

https://redd.it/1ek42xi
@r_devops
Windows for work?

Hi there!

I've been working in the DevOps field for two years. I've been using macOS, and it's been working well for me, and I've enjoyed it. However, I'm about to start a new job.

I've been given a Windows laptop, and I'm aware it can cause issues, like the base64 encoding in Terraform (for instance, if the VM is generated with Linux, it can make you recreate the machine).


What would you recommend I do?

On one hand, I feel it's not right to change the OS on a company-issued laptop. But on the other hand, I'm not sure if Windows will be able to handle the job...

https://redd.it/1ek5cbk
@r_devops
Backend dev here. How many Dockerfiles and docker-compose files should a microservice have?

I am learning about CI/CD and I would like to know if the same Dockerfile and docker-compose file should be shared across testing, staging, production, or if you need multiple files for these?

https://redd.it/1ekfhlh
@r_devops
Is there any open source replacement for the full MuleSoft Studio web-based platform which is free to use?

Hello,

I need to test complex API endpoints and would like to find a way to quickly build such tests. It can be pure HTTP, REST, WebSockets, web services, or plugin-based and extendable. I am aware of some minimalistic and crippled versions of Mule, but I need one with a web-based GUI.

Thanks.

https://redd.it/1ekh534
@r_devops
How do you manage a "large" amount of docker environments and containers?

I did not want this.

We're producing just the software for our customers and deploy it manually or per the tooling of the customer's choosing - like their Jenkins - on their servers that they control. That's because access is secured per VPN (and/or the server being 'managed' by another provider), so our Jenkins instance won't have access to the customer's systems for deployment.

Yes, we're using Jenkins. Yes, our customers don't care if their services aren't available for 2 days.

The bar is so brutally low, you won't believe it. Monitoring for PROD? Nonono, only if the customer wants it and pays for it (which, I mean, makes sense).

Now we have over two dozen servers to manage (seven of them are our customer's) and I don't even know how many containers, running on Docker.

Every container gets its own folder for its volumes, the .env file and the docker compose file.

One service per file. On every server.

If we want to deploy a new version (automatically), we use Jenkins to run a script or to directly replace the VERSION variable and then run the compose.

* GitOps? Nah, what if someone changes the config on the server? (wtf) I have to save/backup the configs MANUALLY (really funny if I have to edit 20 f\*\*\*\*\* compose files).
* Secrets? PLAINTEXT.
* Docker Swarm (for the secrets)? Isn't compatible with Spring - Tomcat hates the swarm host naming convention.
* When we decide that we have to do xyz another way I have to connect to every goddamn system that exists and DO THE CHANGES MANUALLY.

Whyyyyyyy.

So, now, let's ̵t̸r̷y̴ ̶t̸o̶ ̶s̵m̵i̸l̴e̷ again.

Ok. How do you guys manage - let's say - between 50 and 100 containers (just the beginning) that don't have to scale and are hosted on many different systems?



https://redd.it/1eki570
@r_devops
Devops Engineer here, unsure about future

Hi Everyone,



I’ve been working in the DevOps field for about four years, focusing on tools such as Jenkins, Terraform, Kubernetes, and Docker, primarily within Google Cloud Platform. As I look to expand my skill set, I’m considering exploring new areas such as security or data. I’m interested in hearing your thoughts on which direction might be most beneficial for future growth and how best to get started. Any suggestions or advice would be greatly appreciated!



Thank you!

https://redd.it/1ekifox
@r_devops
How do I use Tetragon to get notifications when someone made some actions in our environment?

When I started testing Tetragon I imagined I'd be able to get alerts when someone kubectl exec'ed into a pod and did some things, but it seems like it's not as straightforward.

Tetragon seems to expose a few metrics that I thought would help, like tetragon_events_total or tetragon_policy_events_total, but both don't provide any information on what command was executed.

For example, following their setup docs I was able to run cat /etc/shadow which got a SIGKILL, and that event shows up in the above metric, but I don't see how I'm utilizing this information to get alerts.

Am I doing this wrong? How did you implement this or a similar eBPF tool in your environment?

https://redd.it/1ekj0cq
@r_devops
How Do You Prefer to Use a CLI Tool?

Hey everyone!

I just made a migration tool that helps you move from Nexus and Artifactory to my new platform, RepoFlow. It's all in TypeScript, and I’m trying to figure out the best way to make it available for everyone.

How do you like to install CLI tools? Would you prefer:

An npm package?
A Docker image?
A yum package?
Or should I just open-source it and let you run it straight from the code?

https://redd.it/1ekl36t
@r_devops
MMORPG/Games streaming architecture help

Hi all,


Lately I have been fairly curious about how do most MMO games/games streaming services like XBOX Game Pass' infrastructure look under the hood, how sessions are managed, server provisioning/scaling etc. Unfortunately, I was able to find little to no reference architecture on that regard. Do you know of any good references/projects/books/articles etc. I could look into so I can get a better view of how they work under the hood?

Thanks in advance!

https://redd.it/1ekkz15
@r_devops
Junior fullstack developer -> appsec or devops?

Hello, I was wondering what is a more natural career progression for a junior fullstack developer working on a web app? As part of my job I have very limited interactions with the CI/CD pipeline in Azure DevOps and I was curious to get to know more about it.

This got me a little interested in DevOps and I was wondering if this was a natural career progression to take? I was also very curious and interested about Appsec as I'm also interested in cybersecurity as I do reverse engineering as a hobby (but not reverse engineering malware or anything like that) and I was told that was a valuable skill for Appsec.

As a junior fullstack webdev, what would be a more natural career or even lucrative progression for someone interested in both DevOps and Appsec? I imagine I only have time to go in one direction, right?

https://redd.it/1ekmqt6
@r_devops
What is the best Git branching strategy for managing Ansible CIS (hardening) roles?

We currently have one AWX server and a Gitlab instance in our environment to develop and test automation. I was tasked with testing the roles as a proof of concept for multiple OSs/applications (MS SQL servers, web, RHEL 7-9, etc). Once we knew the roles worked and we were satisfied with our compliance results, our lead said that we needed to build an automated testing process to ensure code quality. We ended up building something that ideologically works in theory, but would probably be a disaster to manage in practice unless I can guarantee that our pipeline process is forcefully rigid.

To manage inventory, they put each ENV:OS type in its own file. For example, we have a Dev<type>Server.yml, Test<type>Server.yml, Prod<type>Server.yml, and the same pattern of .yml files in this one repository for any other type of server (RHEL, SQL, etc) you can think of. Why did we do this? We did this because we thought we could not keep the inventory file the same in the repository that the role lives in, because we have 3 separate branches for each environment. So now, I am able to keep each hardening deployment separated, because there is a .CI file that essentially forces an upstream code promotion pattern as commits are made, linted against, tested in the corresponding environment and merged to the next branch.

But there is literally an inventory file for each environment per OS/server function type living in a separate repository. Each inventory file corresponds with an inventory object in AWX which we correlate to a job template. When a developer makes a commit to the development branch in role’s repository, we trigger AWX’s API to launch the development job template (after linting the commit in development branch of role). If the development job template runs successfully in AWX, the pipeline creates a MR, randomly assigns the MR to some reviewers so we can build an audit trail then the next merge will restart the same .CI process but for the upstream environments.

This works fine in theory, but I foresee an event where we have TONS of job templates for the same role but in each environment in our Ansible server. I am also wondering how we are going to treat each application’s hardening process differently. For example, I think all application teams who use RHEL servers should use a golden hardened image before they even build their app on top, because we are starting to see issues occur when we harden a system that belongs to another team and they say the server is unreachable or something breaks. Having a separate version of the role for each team to satisfy each application sounds horribly unmanageable. I just don’t see how I can maintain separate environment, for each server type, FOR EACH SEPARATE TEAM.

https://redd.it/1eknzsl
@r_devops
Greetings fellow newly unemployed people. How can we apply to jobs more efficiently?

A lot of the popular auto-complete forms are absolute trash. There must be a better way.

https://redd.it/1ekoef4
@r_devops
Branching strategy and environments.

I'm a little confused about how branching strategies relate to environments for developing, testing and production, can someone explain to me how they do it in practice?

https://redd.it/1ekq3de
@r_devops