Reddit DevOps
Reddit DevOps. #devops
Thanks @reddit2telegram and @r_channels
Pentest & DevOps

With more frequent releases how often are your security teams performing a pentest? And how long does it typically take to get these scheduled?

https://redd.it/k2ohqh
@r_devops
How to install Istio with Terraform and use an existing ALB || ELB as istio-ingressgateway?

Hi guys,

currently I'm working on a small IaC project. I'd like to deploy an EKS cluster with at least 1 auto-scaling group based on Spot instances and all other necessary components - autoscaler, cert-manager, metrics-server etc. - installed.

I did all this but I have a problem with the Istio service mesh. Right now, I'm using istioctl to install the Istio operator and then deploying an IstioOperator yaml with my settings which will roll out Istio. Everything works fine, but the automatically generated ELB is a problem. If I want to destroy the cluster, Terraform will fail because it doesn't know about the ELB, which is created by Istio.

So I configured an ELB in Terraform but I can't figure out how to use this one now as my `istio-ingressgateway` service. I think I'd need to deploy Istio with the istio-ingressgateway as serviceType `NodePort`, but I'm not sure about what needs to point where. Re-using already existing load balancers seems not to be that well documented.

So maybe there is someone who has already achieved this and can help me out.

Any suggestions or hints are appreciated :)

Kind regards from Berlin!

https://redd.it/k382tg
@r_devops
The ethics of Pull Requests, being the "Author"

Hi,

I wrote this blog post last week, maybe it could be interesting for this channel as well.

Link: [https://werner-dijkerman.nl/2020/11/21/the-ethics-of-pull-requests-being-the-author/](https://werner-dijkerman.nl/2020/11/21/the-ethics-of-pull-requests-being-the-author/)

Please let me know your thoughts about it.

Kind regards,

Werner

https://redd.it/k38xts
@r_devops
How to Install PHP 8 on CentOS 7/8

How to Install PHP 8 on CentOS 7/8

[https://tayeh.me/posts/install_php8_centos/](https://tayeh.me/posts/install_php8_centos/)

https://redd.it/k39p3l
@r_devops
[q] Shift left Pipeline - questions

Hey, I have a couple of questions :)

## Disclaimer

I am a developer, trying to wrap my head around 'modern' and 'not-gimped' CI/CD and devops - so in essence I want to understand 'best' practices without compromises; compromises come later :)

## Questions

What is the point of diminishing returns?
I've found no good article on this. In theory, we can re-create almost the whole environment on the dev machine - using docker, kubernetes and such. As I understand, if we take the shift-left approach to the extreme, I can build, test, and deploy to a local cluster with monitoring and all. Two questions come to mind:

1. Why SHOULDN'T we put everything in the repo in executable form FIRST, and then, if something is infeasible to keep executable in the project, move it outside?
2. If this is possible, then why is there no tool for this? Is everything hand-rolled? Or is no one doing this?
3. With shift-left, it seems that I should be striving to make everything executable, so by extension, the easiest way would be to include e.g. shell scripts executing tools on the dev machine. Is this a correct approach?
4. This came up during my discussion with a colleague; why not have tools to check 'everything', e.g. linters for yaml, Dockerfile and such - executable on the dev env and in the pipeline. I have yet to see a place that has such tests.

https://redd.it/k2lxcj
@r_devops
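One concrete shape for questions 3 and 4 above, as an added example that is not part of the post: a check that lives in the repo as plain Python, so the very same script runs from a pre-commit hook, from `make check`, and in the pipeline. The Dockerfile rules it applies (pinned base image, no remote `ADD`, no credentials baked into layers, non-root `USER`) are a small hand-rolled subset of what hadolint covers; the sample Dockerfile and the rule set are constructed for this example.

```python
"""Repo-local, executable checks that run identically on a dev machine and in CI.

Added example, not code from the thread: a deliberately small Dockerfile checker
in plain Python (no hadolint/yamllint dependency) to show what "everything
executable in the repo" looks like. The same script is called by a pre-commit
hook, `make check`, and the pipeline, so a finding is reported before the code
leaves the developer's machine.
"""
import re
import sys
from typing import List

# Constructed sample input containing the kinds of issues the checks flag.
SAMPLE_DOCKERFILE = """\
FROM python:latest
ADD https://example.invalid/tool.tar.gz /opt/
RUN pip install -r requirements.txt
ENV API_TOKEN=sk_live_placeholder
CMD ["python", "app.py"]
"""

# Heuristics (assumed for this example): ENV/ARG names that usually carry credentials,
# and ADD sources that fetch from the network or auto-extract archives.
SECRET_ASSIGNMENT = re.compile(r"^(ENV|ARG)\s+\w*(TOKEN|SECRET|PASSWORD|PASSWD)\w*\s*=?", re.I)
ADD_REMOTE_OR_ARCHIVE = re.compile(r"^(https?://|\S+\.(tar|tgz|gz|zip)\b)", re.I)


def check_dockerfile(text: str) -> List[str]:
    """Return findings for one Dockerfile; an empty list means it passed."""
    findings: List[str] = []
    lines = text.splitlines()
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            parts = rest.split()
            image = parts[0] if parts else ""
            if ":" not in image or image.endswith(":latest"):
                findings.append(f"{n}: FROM {image}: pin a tag or digest instead of latest/untagged")
        elif instr == "ADD" and ADD_REMOTE_OR_ARCHIVE.match(rest):
            findings.append(f"{n}: ADD fetches a URL or auto-extracts an archive; "
                            "prefer COPY, or download with checksum verification")
        elif SECRET_ASSIGNMENT.match(line):
            findings.append(f"{n}: {instr} bakes a credential-looking value into image layers; "
                            "use build secrets or runtime injection")
    if not any(l.strip().upper().startswith("USER ") for l in lines):
        findings.append("file: no USER instruction, so the container runs as root")
    return findings


def run(paths: List[str]) -> int:
    """Lint each path; exit status 1 on any finding so hooks and CI fail the same way."""
    status = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for finding in check_dockerfile(fh.read()):
                print(f"{path}:{finding}")
                status = 1
    return status


if __name__ == "__main__":
    # With no arguments, lint ./Dockerfile; a pre-commit hook passes the staged paths.
    sys.exit(run(sys.argv[1:] or ["Dockerfile"]))
```

Wiring is the easy part once the check is a file in the repo: the pre-commit hook and the CI job both run `python scripts/check_dockerfile.py Dockerfile` (path assumed), and the exit status is the only contract between them.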
Sending api request body to sentry

I was not able to sort api errors on sentry and was not able to get the request body which I was sending. So how do I send the api request body with the error data I am sending to sentry?

https://redd.it/k2jknj
@r_devops
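An added example for the question above (not code from the post): Sentry does not attach request bodies to events by default, and doing so blindly ships passwords, tokens and card data to an external service. The snippet builds a redacted, size-capped copy of the body and attaches it as an event context. `sentry_sdk.set_context` and `sentry_sdk.capture_exception` are real SDK calls, but they are wrapped so the module also runs where the SDK is not installed; the sensitive-key list and the sample body are constructed for this example.

```python
"""Attach an API request body to a Sentry error report without leaking secrets.

Added example, not code from the thread. Builds a redacted, size-capped copy of
the JSON body and attaches it as a Sentry context so the failing request is
debuggable without exporting credentials or PII to a third-party service.
"""
import json
from typing import Any, Dict

# Assumed list of sensitive field names; extend it for your API's payloads.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization",
                  "card_number", "cvv", "ssn"}
MAX_BODY_BYTES = 4096  # assumption: larger bodies are omitted rather than cut mid-JSON

# Constructed sample request body.
SAMPLE_BODY = json.dumps({
    "user": "alice",
    "password": "hunter2",
    "cards": [{"card_number": "4111111111111111", "last4": "1111"}],
}).encode()


def redact(value: Any) -> Any:
    """Recursively replace values stored under sensitive keys with a marker."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def build_request_context(raw_body: bytes, content_type: str) -> Dict[str, Any]:
    """Return the dict to attach to the event for this request."""
    ctx: Dict[str, Any] = {"content_type": content_type, "size": len(raw_body), "body": None}
    if len(raw_body) > MAX_BODY_BYTES:
        ctx["note"] = f"body omitted: larger than {MAX_BODY_BYTES} bytes"
    elif content_type.split(";")[0].strip() == "application/json":
        try:
            ctx["body"] = redact(json.loads(raw_body))
        except ValueError:
            ctx["note"] = "body omitted: not valid JSON"
    else:
        ctx["note"] = "body omitted: only JSON bodies are attached"
    return ctx


def report_api_error(exc: BaseException, raw_body: bytes, content_type: str) -> Dict[str, Any]:
    """Attach the redacted body as a context and capture the exception."""
    ctx = build_request_context(raw_body, content_type)
    try:
        import sentry_sdk  # assumed to be installed in the real service
    except ImportError:
        return ctx
    # Set on the current scope; inside a web-framework integration that scope is per request,
    # so the body does not bleed into unrelated events.
    sentry_sdk.set_context("request_body", ctx)
    sentry_sdk.capture_exception(exc)
    return ctx


if __name__ == "__main__":
    try:
        raise RuntimeError("upstream API returned 502")
    except RuntimeError as err:
        print(json.dumps(report_api_error(err, SAMPLE_BODY, "application/json"), indent=2))
```

Call `report_api_error` from the exception handler of the view or client wrapper that has the raw body in hand; the context then shows up under the event's "request_body" section, and the error list becomes sortable by what was actually sent.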
Open source/free registry recommendation

I'm looking for a registry that I can host on one of my Linux servers. Aside from Verdaccio and Artifactory (not free), which would you recommend? I'd like to set up a lab here at home where I can build my own pipeline either using Jenkins or DroneCI, then once the artifact or package is built, it will publish it to the registry.

https://redd.it/k3lxzr
@r_devops
Coding interview equivalent for DevOps engineer?

Let's say I'm a company hiring a backend developer and a devops engineer.

After a phone interview, I'm going to give the backend developer candidate a 4 hour coding hackathon, so I can see first-hand how this person thinks and works through problems.

What is the equivalent of this 4 hour hackathon for devops engineers?

https://redd.it/k3hilj
@r_devops
How to authenticate Helm using token?

I'm currently working on a project with helm and gitlabci.
I have a docker executor in my gitlab-runner, so I use the alpine/helm image to run helm commands. The problem is that I can't connect to the cluster using --token=...; it says:

```
Error: Kubernetes cluster unreachable: Get "https://10.0.0.4:6443/version?timeout=32s": x509: certificate signed by unknown authority
helm.go:81: [debug] Get "https://10.0.0.4:6443/version?timeout=32s": x509: certificate signed by unknown authority
Kubernetes cluster unreachable
```

(job log lines 34-35: https://gitlab.com/nam.nguyen.tuan/test/-/jobs/876123402#L34)

Is there any way to solve this?
Thanks

https://redd.it/k3o48u
@r_devops
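An added example for the error above (not code from the post): "x509: certificate signed by unknown authority" means the helm container has no CA to validate the API server's certificate against. The fix is to hand it the cluster CA, not to turn verification off, because an unverified connection lets anything on the network path impersonate the API server and collect the CI token. The script builds a minimal kubeconfig (written as JSON, which is valid YAML) from three CI variables and points `helm --kubeconfig` at it; the variable names, the output path and the placeholder CA are assumptions for this example.

```python
"""Give helm/kubectl the cluster CA so they can verify the API server certificate.

Added example, not code from the thread. Writes a kubeconfig with the cluster CA
and a bearer token from CI variables, so TLS verification stays on.
"""
import base64
import json
import os
import sys
from typing import Any, Dict, List

# Constructed placeholder; a real CA is a full PEM-encoded certificate, usually copied
# from the cluster-admin kubeconfig's certificate-authority-data (base64-decoded).
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderCA\n-----END CERTIFICATE-----\n"


def validate_inputs(server: str, ca_pem: str, token: str) -> List[str]:
    """Return a list of problems; empty means the inputs are usable."""
    problems = []
    if not server.startswith("https://"):
        problems.append("API server URL must use https")
    if "BEGIN CERTIFICATE" not in ca_pem:
        problems.append("ca_pem does not look like a PEM certificate")
    if not token:
        problems.append("token is empty")
    return problems


def make_kubeconfig(server: str, ca_pem: str, token: str, name: str = "ci") -> Dict[str, Any]:
    """Build a kubeconfig document with a token user and a CA-trusting cluster entry."""
    problems = validate_inputs(server, ca_pem, token)
    if problems:
        raise ValueError("; ".join(problems))
    ca_b64 = base64.b64encode(ca_pem.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": name, "cluster": {"server": server,
                                                "certificate-authority-data": ca_b64}}],
        "users": [{"name": name, "user": {"token": token}}],
        "contexts": [{"name": name, "context": {"cluster": name, "user": name}}],
        "current-context": name,
    }


def trusts_ca(cfg: Dict[str, Any]) -> bool:
    """True when every cluster entry carries CA data and none disables verification."""
    return all("certificate-authority-data" in c["cluster"]
               and not c["cluster"].get("insecure-skip-tls-verify", False)
               for c in cfg["clusters"])


def embedded_ca(cfg: Dict[str, Any]) -> str:
    """Decode the CA PEM back out of the first cluster entry (for checks and debugging)."""
    return base64.b64decode(cfg["clusters"][0]["cluster"]["certificate-authority-data"]).decode()


def write_kubeconfig(path: str, server: str, ca_pem: str, token: str) -> str:
    """Write the kubeconfig with owner-only permissions, since it contains the token."""
    cfg = make_kubeconfig(server, ca_pem, token)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh)
    return path


if __name__ == "__main__":
    # Assumed CI variables: KUBE_SERVER, KUBE_CA_PEM (file-type variable), KUBE_TOKEN (masked).
    try:
        out = write_kubeconfig("kubeconfig.json", os.environ["KUBE_SERVER"],
                               os.environ["KUBE_CA_PEM"], os.environ["KUBE_TOKEN"])
    except KeyError as missing:
        sys.exit(f"missing CI variable {missing}")
    print(f"wrote {out}; now run: helm --kubeconfig {out} upgrade --install ...")
```

In the GitLab job this runs as a `before_script` step, with the CA and token stored as protected (and, for the token, masked) CI variables; the later `helm` commands take `--kubeconfig kubeconfig.json` or read `KUBECONFIG` from the environment.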
What replicates well between different cloud PaaS/iaas?

Let's say I want a system highly available and eventually consistent (preferably that eventually being within a couple hour window) between AWS and Azure. It needs to accept pretty consistent writes, basically collecting logs that can't be missed.

What are my options here? Elasticsearch? build something with Kafka? Cassandra?

I've been pretty much 100% AWS now for the past 2ish years and had a product in us-east-1 only this past week. Need to expand my horizons here.

https://redd.it/k3a4lw
@r_devops
What is the cheapest Cloud Sql provider?

Not sure if this is the right place to ask, but I'm looking for a cheap MySQL cloud hosted solution.

I currently have a very expensive vps that mostly hosts websites from my small business clients and other small projects. I want to ditch that vps and replace everything with Google app engine containers because those are way cheaper due to being able to scale back to zero.

The only problem I have right now is that the cloud sql option by Google is super expensive. So I'm looking for an alternative. I don't want to keep a vps running just for the database. Ideally you wouldn't pay anything when the instance receives no traffic, only for the storage and actual usage.

Does for example Aws offer something like this? Or digital ocean?

https://redd.it/k36pv8
@r_devops
Packer VMWare Templates + Ansible? + Terraform - Responsibilities

What is the generally agreed responsibility split between tools like these?

I'm using Packer to create Windows VMWare templates. Should I add as much to this template as possible? (eg. basic software), then configure using Ansible, and deploy using Terraform? Or perhaps simplify and also deploy using Ansible?

The lines are so blurred between tools that it seems difficult to decide on the responsibility split.

https://redd.it/k3uuht
@r_devops
Is there a tool/way to rate limit requests depending on the URL?

I'm trying to build a rate limiting solution for our GKE hosted application - where customers can come and make their applications.

The requirement is it should be able to check the route (which would have a unique identifier) for each application (which is accessed by multiple users so the API URL would be the same.)

For example, a level one customer would have "ABC" app and we want to limit the transactions to say, 5 per second, at the infra level before it reaches the microservices.

But a level 2 customer, with their "XYZ" application would have 30 transactions per second.

The distinguisher would be the URL in the API request (which of course would be checked in the backend if it actually belongs to the user).

**What I've been able to do till now** : Switch to Kong ingress and apply a rate limiting policy per route there though I'm looking for a better solution.

https://redd.it/k3vqf3
@r_devops
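The per-route, per-tier limiting described above, as an added example that is not part of the post and is not Kong's plugin: a token-bucket limiter keyed by the application id extracted from the URL, with the bucket size taken from the customer's tier. The URL shape `/api/apps/<app-id>/...`, the tier table and the request traces are constructed for this example; unknown application ids fall into a deliberately small "default" bucket so that an unrecognised route cannot bypass limiting.

```python
"""Per-application token-bucket rate limiting keyed by the URL route.

Added example, not code from the thread and not Kong's rate-limiting plugin. Shows
the decision an ingress-level limiter makes: derive the app id from the path, look
up that app's tier, and enforce that tier's requests-per-second budget per app
before any microservice is reached.
"""
import re
import time
from typing import Callable, Dict, List, Optional, Tuple

# Assumed URL shape: /api/apps/<app-id>/...  (constructed for this example)
APP_ROUTE = re.compile(r"^/api/apps/([A-Za-z0-9_-]+)(?:/|$)")

# Assumed tier table; in production this comes from the customer database or ingress config.
TIER_RPS: Dict[str, float] = {"level1": 5.0, "level2": 30.0, "default": 1.0}
APP_TIER: Dict[str, str] = {"ABC": "level1", "XYZ": "level2"}


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second, capped at `burst`."""

    def __init__(self, rate: float, burst: float, now: float) -> None:
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RouteRateLimiter:
    """One bucket per application id; the clock is injectable for deterministic tests."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock
        self.buckets: Dict[str, TokenBucket] = {}

    @staticmethod
    def app_id(path: str) -> Optional[str]:
        m = APP_ROUTE.match(path)
        return m.group(1) if m else None

    def check(self, path: str) -> str:
        """Return 'allow', 'deny' (map to HTTP 429) or 'unknown' (path is not an app route)."""
        app = self.app_id(path)
        if app is None:
            return "unknown"
        now = self.clock()
        bucket = self.buckets.get(app)
        if bucket is None:
            # Unknown app ids get the most restrictive tier rather than no limit at all.
            rps = TIER_RPS[APP_TIER.get(app, "default")]
            bucket = self.buckets[app] = TokenBucket(rate=rps, burst=rps, now=now)
        return "allow" if bucket.allow(now) else "deny"


def simulate(requests: List[Tuple[float, str]]) -> Dict[str, int]:
    """Replay (timestamp, path) pairs through one limiter and count the decisions."""
    now = [0.0]
    limiter = RouteRateLimiter(clock=lambda: now[0])
    counts = {"allow": 0, "deny": 0, "unknown": 0}
    for t, path in requests:
        now[0] = t
        counts[limiter.check(path)] += 1
    return counts


if __name__ == "__main__":
    # Constructed trace: a burst of 7 from ABC at t=0, 6 more one second later, 31 from XYZ.
    trace = [(0.0, "/api/apps/ABC/orders")] * 7 + [(1.0, "/api/apps/ABC/orders")] * 6
    trace += [(0.0, "/api/apps/XYZ/orders")] * 31 + [(0.0, "/healthz")]
    print(simulate(trace))
```

The same decision table is what a Kong rate-limiting policy per route encodes; moving it into code like this is only worth it when the tier lookup has to be dynamic (for example, read from the customer record on first sight of an app id) and the limiter state is shared across ingress replicas, typically via Redis.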
Is my experience in AWS transferable to Azure?

I've been working on AWS for 3 years now and about to get the Solution Architect certificate.

I've been interviewing for a job that requires Azure...is my experience easily transferable?

https://redd.it/k3rp2p
@r_devops
Adding a secret manager to Observable notebooks

Wow I just finished a crypto odyssey adding the ability to store secrets on public notebooks on [observable](https://observablehq.com/@tomlarkworthy). I absolutely love that programming environment and I want to use it for serverside scripting work.

The wonderful thing about implementing serverside code via a clientside notebook is everyone can see exactly how it's implemented. It's like lambdas but without deploys.

Each notebook is also a tutorial. I released everything as ISC.

The main notebook is the secret manager interface, which proxies onto Google Cloud Secret Manager.
[Endpoint Secret Manager](https://observablehq.com/@tomlarkworthy/secret-manager)


For my system to understand your uid has write permission to a subdomain I implemented a DNS-01 like challenge protocol for proof-of-ownership. This is the supporting notebook but maybe the most interesting intellectually.

[Certify Subdomain Ownership](https://observablehq.com/@tomlarkworthy/subdomain-certification)

These subdomain secrets, once configured, can be injected into "serverside cells". These are cells run by a remote browser with privileged access. Thus the user does not get exposed to the secrets, yet the serverside code is configured in the viewed notebook.

Just to prove how fricken’ powerful this is, I wrote the secrets API and the subdomain challenge infrastructure IN PURE OBSERVABLE CODE!!! You can see how it is all implemented yourself thanks to being able to execute notebooks in a remote environment.

Man it was tough, the GCP SDKs do not work in a browser context so I had to figure out how to mint an access token from a service account manually. Similar story for verifying Firebase id tokens.

I managed to browserify an express router, so the secrets API looks implemented like 'normal', but in reality is an express server running in a browser serving a public URL ([https://observablehq.com/@tomlarkworthy/secret-manager#apiServer](https://observablehq.com/@tomlarkworthy/secret-manager#apiServer)). Crazy.

https://redd.it/k46i2z
@r_devops
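The "DNS-01 like challenge protocol for proof-of-ownership" mentioned above, as an added example that is a reconstruction of the idea and not the notebook's own code: the server issues a challenge bound to (uid, subdomain, expiry) with an HMAC under a server-side key, the user publishes it as a TXT record at a well-known name under the subdomain, and the server resolves that name and checks the record. Because the token is HMAC-bound, a record one user published cannot be replayed for another uid or another subdomain, and the server needs no table of outstanding challenges. The record label, the TTL and the in-memory resolver are assumptions for this example.

```python
"""A DNS-01-style proof-of-ownership challenge for a subdomain.

Added example, not the notebook's code. Stateless: the token carries its expiry
and an HMAC over (uid, subdomain, expiry), so verification needs only the server
key and a TXT lookup.
"""
import base64
import hashlib
import hmac
import time
from typing import Callable, Dict, List, Optional, Tuple

CHALLENGE_LABEL = "_secret-challenge"  # assumed well-known record name
TTL_SECONDS = 600                       # assumed challenge lifetime
SERVER_KEY = b"constructed-demo-key-do-not-use"  # constructed; load from a secret store in practice


def _norm(subdomain: str) -> str:
    return subdomain.lower().rstrip(".")


def record_name(subdomain: str) -> str:
    """Where the user must publish the TXT record."""
    return f"{CHALLENGE_LABEL}.{_norm(subdomain)}"


def _mac(key: bytes, uid: str, subdomain: str, expires: int) -> str:
    msg = f"{uid}\n{_norm(subdomain)}\n{expires}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def issue_challenge(key: bytes, uid: str, subdomain: str,
                    now: Optional[float] = None) -> Tuple[str, str]:
    """Return (record_name, token) for the user to publish."""
    expires = int(time.time() if now is None else now) + TTL_SECONDS
    return record_name(subdomain), f"{expires}.{_mac(key, uid, subdomain, expires)}"


def verify_ownership(key: bytes, uid: str, subdomain: str,
                     resolve_txt: Callable[[str], List[str]],
                     now: Optional[float] = None) -> bool:
    """True if the TXT record holds an unexpired token bound to this uid and subdomain."""
    current = int(time.time() if now is None else now)
    for value in resolve_txt(record_name(subdomain)):
        expires_s, _, mac = value.partition(".")
        if not expires_s.isdigit() or int(expires_s) < current:
            continue
        if hmac.compare_digest(mac, _mac(key, uid, subdomain, int(expires_s))):
            return True
    return False


def make_fake_resolver(zone: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Stand-in for a real TXT lookup so the example runs offline."""
    return lambda name: list(zone.get(name, []))


if __name__ == "__main__":
    name, token = issue_challenge(SERVER_KEY, "uid-1", "alice.example.net")
    print(f"publish TXT {name} = {token}")
    zone = {name: [token]}                      # the user "publishes" the record
    lookup = make_fake_resolver(zone)
    print("uid-1 owns alice:", verify_ownership(SERVER_KEY, "uid-1", "alice.example.net", lookup))
    print("uid-2 owns alice:", verify_ownership(SERVER_KEY, "uid-2", "alice.example.net", lookup))
```

In a real deployment `resolve_txt` is a TXT query through a resolver the server trusts (dnspython's `dns.resolver.resolve(name, "TXT")` is one option), and the TTL keeps the window in which a stale record still proves anything short.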
In your experience, have the good managers/supervisors you've had been more technically inclined, or not?

And by "not", I mean on a *good* day calling their tech skills mediocre is being *very* generous. BUT aside from that, they were fantastic people to work for?

Or was it *always* the good managers were the people who knew exactly how to do your job if not better if they had to?

https://redd.it/k474g4
@r_devops
Docker networks in Jenkins pipelines

I’m having some issues on a project in which I’m attempting to run Jenkins in one container and SonarQube in a second container, all on the same network. Then in the pipeline I’m using a maven container to build and test a simple project.

My issue comes when trying to run sonar scanner. If I manually enter in the IP of the SonarQube container it connects fine, but if I try to use the name of the container it’s unable to connect.

Is there some way to get the Jenkins pipeline to talk to the rest of the network?

https://redd.it/k46gxj
@r_devops
Adding a secret manager to Observable notebooks

https://redd.it/k46ecu
@r_devops
Is Serverless Worth?

I've experimented with serverless over the course of the last two years and composed all my findings into an essay. If you are interested: [https://quanticdev.com/articles/serverless](https://quanticdev.com/articles/serverless/)

Overall, my personal experience with function-as-a-service is mixed:

* Last year I tried using it for the entire server-side of one of my open-source projects. However, I could not do that as none of the major serverless providers supported the latest version of Node.js, which I needed for async/await functionality. I have recently checked it again, and Firebase Functions now supports the latest LTS version of Node.js.
* I also tried using serverless for one of my games. However, that also failed since I needed persistent connections throughout the gameplay session using WebSockets. No major serverless providers supported a sensible way of using WebSockets. This also changed. Amazon now supports creating WebSocket connections through their API Gateway, which is accessible from Lambda functions.
* On the positive side, I have successfully utilized Firebase Functions to handle user authentication events raised by Firebase Authentication. When a user logs in, Firebase Authentication triggers my authentication handler function. That function checks if the user is logging in for the first time so I can create relevant user tables in my databases. I still use it today, and it has been working a treat.

If you want to experiment with serverless, I recommend Firebase Functions. In my experience, it is the easiest of the bunch and has a generous free tier.

If you have any findings, dump them here so I can add them to the writeup.

https://redd.it/k45dk5
@r_devops
Can I do a research based on autoscaling

Can I do research that has already been done on autoscaling of VMs but not on autoscaling a pod/container?

Will it be an issue if the concept is the same but the scaling algorithm logic is different?

https://redd.it/k40399
@r_devops