Gitlab pipeline timeout when uploading security scan to defect dojo

Hi Everyone,

I am facing a issue trying to integrate defect dojo with my gitlab ci/cd.

Here is the breakdown:

I am using gitlab built in security scanning templates for dependency scanning,container scanning.

These template generate json reports after scanning.

I am using a python script to upload these json reports to defect dojo

From my local  machine we access mydomain.defectdojo.com via vpn

I can curl with with vpn enabled and upload results.

But in gitlab pipeline the requests api i use to upload throws connection timeout to  mycompany.defectdojo.com 

I also tried running direct curl in the pipeline but it showed  couldnt connect to server

Is this due to vpn not in pipeline ?

How can i fix this issue?



https://redd.it/1ivbcp2
@r_devops

Secure way to share flutter mobile app without sharing code

Hi, in my company we have to give our onboarding flutter app to the vendor whose trading app we’re using and intergate our app with theirs. Now is there way to share our apk in a way that they can integrate it but not get access to the code.

https://redd.it/1ivclgt
@r_devops

Sieve Scripting Cheat Sheet

I created a fairly extensive cheat sheet for scripting Sieve mail filters. Here's a link to the Gist if anyone is interested.
Sieve Scripting Cheat Sheet

https://redd.it/1iveqqr
@r_devops

Azure RM API Deprecations in Q1 2025 – What It Means for Terraform Users

If you’re managing infrastructure with Terraform on Azure, Q1 2025 will bring preview API deprecations for Azure Resource Manager (Azure RM), including APIs for Azure Kubernetes Service (AKS) and other resources. Now is the time to check your provider versions and ensure compatibility.

# What’s Changing?

Azure RM provides a structured way to manage and deploy Azure resources. Microsoft frequently introduces preview APIs, but these can change, get deprecated, or be removed entirely. Terraform’s azurerm provider depends on these APIs, which means unexpected changes can break your infrastructure.

# What You Should Do

Identify the Azure services in your Terraform-managed infrastructure. Whether it’s AKS, Storage, App Services, or Databases, knowing what you rely on is the first step.
Check the API versions your provider is using. Terraform’s azurerm provider often includes preview APIs, making it important to track which ones are in use. Example: Containerservice APIs in version 3.105.0 link
.
Monitor upcoming API deprecations. Azure phases out older APIs regularly, and failing to update could lead to outages.
Review your Terraform provider versions. New releases may introduce breaking changes, so read the release notes before upgrading.
Test changes in a lower environment before deploying. Validate any updates in a controlled environment to avoid unexpected failures.

Keeping up with API deprecations is key to maintaining reliable Terraform deployments. If you haven’t reviewed your setup yet, now is the time.

https://redd.it/1ivf6ae
@r_devops

Bootstrapping CD for Terraform + Docker

TLDR: What's the best practice for managing infra with custom Docker based images using Terraform?

We primarily use GCP and for a lot of simple services we use Cloud Run with GAR (Google Artifact Registry) to store the Docker images.

To manage the infra, we generally use Terraform and we use GitHub Actions to do CI & CD.



Deployments to new environments comprise of the following steps:

1) [Terraform\] Create a new GAR repository that Docker can push to

2) [Docker\] Build and push the Docker Image on the newly created GAR and then

3) [Terraform\] Deploy the Cloud Run service which uses the GAR, along side any other infrastructure we might need.

This 3 step process is usually how our CD (GitHub Actions) is structured and how our "local" dev (i.e. personal dev projects) works, both usually running with just as the command runner.

Terraform needs to have a "bootstrap" environment which gets deployed in the first step, separate from the "main" one used in the third. Although, instead of using a separate bootstrap environment, you can also use -target to apply just the GAR but that has its own downsides imo (not a fan of partial apply, especially if bootstrap involves additional steps such as service account creation and IAM role assignment).


It's possible to avoid having two Terraform apply steps by doing one of the following:

\- Deploy the Cloud Run services manually using the gcloud CLI - but then you cannot manage it well via Terraform which can be problematic for certain situations.

\- Perform the bootstrap separately (perhaps manual operations?) so normal work doesn't require it - but this sounds like a recipe for non reproducible infra - might make disaster recovery painful

\- Run the docker commands as part of some terraform operator (using either a null resource with local exec or perhaps an existing provider such as kreuzwerker/terraform-provider-docker), but this might be slow for repetitive work and might just not integrate that well with Terraform



Any suggestions how we can do this better? For trivial services it's a lot of boilerplate stuff that needs to be written, and it just drains the fun out of it tbh. With some work I suppose it's possible to reuse some of the code, but we might put some unnecessary constrains and abstracting it right might take some work.

In a totally different world from my day job, my hobby NextJS apps are trivial to develop and a lot more fun. I can focus on the app code instead of all this samey stuff which adds 0 business value.

https://redd.it/1ivepjr
@r_devops

Am I Ready for DevOps?

I started off learning about DevOps soon after I got into self hosting and running my own homelab, fast forward a few years this has become my addiction. I work with VoIP currently and play around with Linux a bit for work but nothing with containers or DevOps tools, so i have just been learning with my homelab.

Anyways, Im sick of VoIP and my current role, and would like to start applying for some Jr DevOps roles but am curious from the people who actually do this as a job if you would think I am prepared enough just based on my homelab.

Personally I think i need to get better with Ansible, Kubernetes, adding more things to Terraform/OpenTofu, and learning coding languages, this is what I am working on currently.

All of the config can be located here https://git.mafyuh.dev/mafyuh/iac or on Github here https://github.com/Mafyuh/iac

Please critique and let me know what you think, this is my first time ever posting in DevOps so dont really know what to expect but id love to hear it all, good or bad. Thank you

https://redd.it/1ivhjrn
@r_devops

SPRING BOOT MICROSERVICES ISSUE : even when i deployed my spring boot microservices in Digital Ocean droplet , i am not able to use that ip address inside POSTMAN why ? is there any reason or i lack some information about this ? for eg. https://111.11.11.111:8082/register/user but i error coming,

help me please !! Could not send request
Error: connect ECONNREFUSED 111.11.11.1111:8082
i deployed all my microservices and they are running through digital ocean with .jar file but still this why???

https://redd.it/1ivhhfz
@r_devops

How Are You Handling Professional Training – Formal Courses or DIY Learning?

I'm curious about how fellow software developers, architects, and system administrators approach professional development.

Are you taking self-paced or instructor-led courses? If so, have your companies been supportive in approving these training requests?

And if you feel formal training isn’t necessary, what alternatives do you rely on to keep your skills sharp?

https://redd.it/1ivldyd
@r_devops

Packing RPMs from source - what are you using at scale?

Hi there,

We're running a largish AWS deployment (about 5k EC2 instances), a mixture of Alma 8 + 9 on aarch64. We have a number of packages we run on these nodes that are significantly out of date on the public mirrors e.g. Strongswan (nobody is packaging Strongswan 6 for Alma on aarch64 yet). How can we deal with this? We attempted to use Fedora Copr to build from source and package as RPM - however we had to write our own SPEC files and these kept failing.

We were thinking of using something like Github actions linked to an ARM EC2 runner to build form source? This still doesn't give us an RPM though.



https://redd.it/1ivljyg
@r_devops

NEED for MENTORSHIP and guidance

Am a pre final year CSE Cloud computing student, and i have develpoed an immenese liking for devops and cloud witha basic understadning of cloud and cloud services. I am so desperate for finsing an internship but i have no knowledge of where to begun , i have roadmaps and all but all i need is ine mentor who can guide me well throught the chaos of my mind and make me proficient in devops and cloud . As of now , i cant say i have any skill set i am well versed in , and yeah ik , its a disgracing thing ..but now i want to leanr with full focused and with correct resources, cuz i cant let my parents's money go ointo paid courses where i dont have a proper guidance and mentorship who can be with me on my journey ...

i need your guys' help and support

https://redd.it/1ivoohe
@r_devops

Is This a Scam Placement Company?

I received a message on LinkedIn from someone claiming to be with a placement company called HireEaze. They said they would provide resume building, interview coaching, and send out my resume to several companies per week. They also guarantee placement within 45 days. The catch is that they want 15% of my first year's salary, and the initial document they sent over is full of spelling and grammatical errors. Everyone I've talked to on the phone has an Indian accent, but the phone numbers are American. Has anyone used this company or one like it? Or is this just a scam?

https://redd.it/1ivo4bb
@r_devops

Do you have a list of project topics for POC-ing?

I would say that there are two types of PoC projects - super small, where you just write "Hello World" to a console, and slightly bigger one where you want to have a real topic behind the code.

For example, if I need a web service of some sort, my go-to project would be a pizza selector. Developers can have a list of pizzas available, and users can randomly select what pizza they want to order next time. I used that couple of times already and it is getting old :)

Do you have a similar type of project that is funny, somewhat useful and can be easily implemented/explained?

https://redd.it/1ivtlak
@r_devops

Icosic AI: Perplexity For Your Company’s Server Logs

Hello!

I'm Zuri, founder of Icosic AI, a startup based in San Francisco - we are Perplexity for your server logs.

The problem:

- searching through and filtering your logs using keywords is tedious at best

- semantic search is a step up, but still has no real intelligence regarding your query or your server logs

- engineers spend around 10 hours per week sifting through logs to investigate issues and uncover insights

The solution:

- Icosic AI is an intelligent search engine for your all of your company's server logs

- We use LLMs to intelligently understand your search query and intelligently understand all of your logs

- This gives you insights and answers that previously would take your engineers hours to uncover

- For example, a fintech company's engineer could ask "Why has there been a spike in transaction failures this morning?"

- Another example: "Tell me all instances where we got a high latency warning within 2 minutes of a transaction failure"

The time and cost savings:

- A typical example is a company with 100 engineers, where 20 of them each look through logs 10 hours a week to investigate issues and uncover insights and information

- If they're paid $70/hour, that's $70 * 10 hours * 4 weeks * 20 engineers = ~ $56,000 / month searching through logs. Our search engine does ALL of that for you.

More:

- You can integrate with your existing observability platforms like Datadog and Splunk to use logs that you've indexed there

- You can also just use logs that you've got on a cloud server somewhere at a specified path, for example /var/log/example.log

- You can use unstructured or structured logs, or both!

If you’re interested in finding out more, feel free to schedule a call with us from our landing page:

https://icosic.com

Also, you can start playing around with the product using our demo logs right away, no sign in required:

https://app.icosic.com

Feedback would be much appreciated!

What other integrations would you like to see? Let me know in the comments!

Thanks,
Zuri Obozuwa

https://redd.it/1ivx0db
@r_devops

Pipeline for dev containers to ecs?

Hey all! Just kind of thinking out loud here.

So I have pipelines etc in place that handle deployments to ecs. But these are tightly integrated with other services and I handle the deployments.

If I wanted to create a portal & pipeline where devs could enter the resource reqs and specify their repo / branch for a container image that’s built then deployed to a sandbox ecs env that has endpoints for common services and flexible network constraints. Is there any good resources to reference for this?

I feel like I’m excluding features and use cases I haven’t thought of that would be really cool here to improve the dev experience and give them some more autonomy in dev deployments. So any ideas, or similar setups you have and how you use it I’d love to hear about!

Cheers.

https://redd.it/1ivxly0
@r_devops

What are your biggest cloud infrastructure pain points?

Researching current cloud infrastructure setups and preferences across different teams. Interested in understanding:

• Which providers/tools teams are using
• How teams are handling multi-cloud
• Infrastructure costs and spending patterns
• Team size vs infrastructure complexity
• Deployment preferences and patterns

Quick 3-minute survey. Will share interesting trends and insights back with the community.

https://docs.google.com/forms/d/e/1FAIpQLSfadPrJIYpMpH8ETJKfITGc5sd4M3E-E6tnct6hC3a9lJ0DJQ/viewform



https://redd.it/1iw0sd2
@r_devops

How can I transition my career path to DevOps?

I started as an embedded software developer in March 2022 for automotive software development and was assigned to the microcontroller team. But most of my tasks revolved around software test automation scripting with Robotframework. I felt the lack of involvement in production development as 65% of my tasks are about writing, testing and deploying automation scripts.

I had the opportunity to assist my integration team since June 2024 as a temporary integrator (to end by June 2025). Basically Ive been assisting the team in automating as many processes to ease the software integration flow. I acquired exposure on Linux Yocto and docker utilisation along the way. There's alot more to learn and pick up for sure.

I have 2 questions :

1. What should I learn and pickup to be a
DevOps engineer?

2. Can I apply for DevOps roles elsewhere with
my current experience and motivation to
learn more?

https://redd.it/1iw0ggv
@r_devops

Question: ArgoCD for Dynamic Apps?

Hi,

I wanted to get some thoughts on an approach I'm thinking of. Say I have web apps with Helm charts for K8s deployment, and I want users to instantiate custom versions of these apps with their configuration e.g branding, title etc.

Does it make sense to store user configs in repos and then have ArgoCD sync that with the web app Helm charts via values.yaml? Whenever users change their custom configs, ArgoCD updates their deployments.

Are there other approaches/tools I should consider?

Thanks!



https://redd.it/1iw4e63
@r_devops

What should I do as a DevOps Intern, prepare for MNC's aptitude exams or for Certifications?

I am a final-year engineering student from a not-so-good college. Currently, I’m doing an internship at an AI startup as a DevOps/SRE intern. I’m happy with the job and the company, but I want to explore and learn more, preferably outside my state.

I have completed the AZ-104 Azure Associate certification and am preparing for the CKA and other DevOps-related certifications. However, as a fresher, I’m confused about whether I should focus on certifications or prepare for aptitude and coding tests for big MNCs like TCS, Infosys, Wipro, and IBM.

I personally prefer working in startups because I’ve seen that they offer great learning and growth opportunities. But all my friends and brothers are in big MNCs, and they suggest aiming for MNCs for job security, please guide me with your experiences what should I do.

https://redd.it/1iw4wjo
@r_devops

Production-Ready Coding: Best Practices for Developers

Hey all!
I wanted to share a quick list of my "rules of thumb" for the production-ready coding.

Basically, when you want to move from a hobby pet project to a real production application - what is needed?

For me, the list is simple:

0. Code must be compilable :)

1. Code must be readable for others. E.g. no 1-letter variables, good comments where appropriate, no long methods
2. Code must be tested - not necessarily 100% coverage, but "good" coverage and different types of tests to be available - unit, integration, end-to-end
3. Code must be documented. At least in the readme.md. Better if you have additional documentation available describing the architecture, design decisions, and contribution process.
4. Code must be monitored. There should be at least logs to standard output about errors that are happening and be able to track infrastructure metrics somehow.
5. Code must be somewhat secure. User input should be sanitized and something like OWASP top 10 should be checked
6. Code should be deployable via CI/CD tool.

What else would you add to the list?

And just in case, as a self-promotion, I added a video about this, describing those topics in a bit more detail - https://youtu.be/cdzrS-w\_bJo It would be great if you could like & subscribe :)

https://redd.it/1iwcdur
@r_devops

The brief history of IaC

Covered the history of infrastructure-as-code in this video as a preparation for a webinar where I'll be hosting Adam Jacob - the creator of Chef.
https://youtu.be/rjjyv0Cf6UY?si=aPkw9YFawSYMVVSa

https://redd.it/1iwcsem
@r_devops

Are DevOps Under Job Threat?

Hello everyone.
I'm currently tagged as a DevOps Engineer having following experience:
Azure Webapp and VMs, Azure DevOps.
I'm having 4.2 YOE since I started my career in IT industry.
I don't have any kind of experience in K8s or docker or monitoring or jenkins or any other tools.

I want to know how much should I be afraid of this AI impact?
Should I change my domain from devops to data engineer or anything else?
Which DevOps Zone is AI impact proof(so that our job won't affeft much)

I'm really afraid and in panic mode right now as people are getting laid off and these CEOs and big companies are coming up new thing every week that AI will impact our job.
Please guys HELP ME!!

https://redd.it/1iwd4yz
@r_devops