#general (2021-01)

General conversations related to DevOps/Automation

2021-01-30

SweetOps
08:00:04 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-29

SweetOps
08:00:18 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

Erik Osterman (Cloud Posse)

Hey @! welcome

Lionel LONKAP

Yo guys! Glad to be a member

2021-01-28

Evan Pitstick

Hi all, thanks for all you’re doing to help the community. I joined the office-hours yesterday and it was quite interesting. I work on a small internal tools team and I’m trying to really focus on DevOps and IaC to mature our processes. I’ve been looking into terraform / terragrunt all week and I’ve noticed something that feels strange to me that seems to be considered best practice across a number of tools and I was hoping to get some input from all of you.

I may get some of the wording wrong here but I’ll try my best to be descriptive. So it seems that it’s common to split things up into modules that do individual jobs, and environments which control configuration values and compositional instructions. The combination of configs and compositional workflows in the environments seems odd to me. I can see a place for having some of it in cases where you’d want them to have some different structure (maybe you want some kind of chaos service in staging but not in prod for example), but generally it would seem like you’d want to have most of your composition to be shared between environments. To make an analogy to software development that I’m more used to, we would create a feature branch, and work on it, then merge that code to staging, after it was tested there the same code would be merged to a prod branch which would deploy to prod. You’d have different settings for each env but the code would be the same. I wouldn’t create a prod and staging directory in my source and try to copy my staging code to prod when I was ready for it to be deployed.

Where does this practice come from? Is there any argument against doing it? Does anyone know of any example repositories that do handle most of the composition in a shared folder and only use prod and staging for things that would make them different? I’m mainly focused on terragrunt right now since I’m new and it seems to be a mature system with plenty of users and help but any examples would help.

roth.andy

The files that live in the prod and staging folder are typically very small. They reference different versions of a “module” so that you can do exactly what you are talking about up above.

roth.andy

But it’s also not the only way to do it. My team doesn’t do it that way, they do it in a more typical app-dev kind of way. There’s lots of different ways to skin this particular cat

roth.andy

Take a look at #atlantis for a tool that is popular around here that helps a lot when deploying IaC

roth.andy

CP does it with GitHub actions as well, though I think that process is more homegrown and “proprietary”? Not sure how extensible it is.

roth.andy

Then others use Terraform Cloud with nice success

Evan Pitstick

so, one way to do it might be to call a shared “module” that actually handles most of the composition?

roth.andy

yes, and utilizing different versions of that module lets you gradually promote something up through your environments

roth.andy

while sharing the same codebase

Evan Pitstick

that module would be called from each of the environments but with different inputs

roth.andy

yes

Evan Pitstick

that makes a lot of sense

Evan Pitstick

thanks a bunch for the tips

roth.andy

also see https://www.youtube.com/watch?v=4MLBpBqZmpM. It’s a whole office hours about different Terraform cloud services

Erik Osterman (Cloud Posse)

@ happy to talk about this again on #office-hours

Erik Osterman (Cloud Posse)

in the next 1-2 months, we’ll have more documentation on getting started with our reference architecture. in the next week, we’ll have documentation for our various components coming out. after that we’re focused on archiving a lot of our legacy documentation before starting down the path of documenting our current approach.

johntellsall

@ I’m also interested in this, how to map code releases to production/environment releases. I’ll be curious to be on the Office Hours this week!

SweetOps
08:00:10 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-27

SweetOps
08:00:14 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

Philip Asiala

Thanks for the welcome.

Thomas Picquet

Hi Everyone! glad to be part of this community!

2021-01-26

SweetOps
08:00:25 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-25

SweetOps
08:00:24 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

Doug Lane (he/him)

thanks for the welcome

Erik Osterman (Cloud Posse)

hey hey! glad you stopped by!

Bill Clark

Hey all. I know atmos is still in progress, but I am curious about components directory missing. No terraform or helmfile in there. Or perhaps I have answered my own question?

Erik Osterman (Cloud Posse)
cloudposse/terraform-aws-components

Catalog of reusable Terraform components and blueprints for provisioning reference architectures - cloudposse/terraform-aws-components

Erik Osterman (Cloud Posse)

Atmos is just a cli. Our components are kept in a separate monorepo and versioned separately.

2021-01-24

SweetOps
08:00:07 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-23

SweetOps
08:00:07 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

johntellsall

Hi all: ever want to learn more about raw Linux networking, e.g. under the Docker level? Here’s a very clear explanation of veth devices and bridging and the other machinery Docker/Kubernetes uses to route container packets to/from the network: https://iximiuz.com/en/posts/container-networking-is-simple/

Container networking is simple

How container networking works under the hood? Setting up docker-like container networking from scratch. Bonus: podman rootless container networking explained.

2021-01-22

Matt Gowie

Anyone using pritunl? Any feedback on this tool / the paid options?

I’m getting pushback from a client’s auditing team that Tailscale is not PCI compliant (still working through that with them). But just in case that doesn’t work out, I’m looking for real experience on pritunl. I feel like I’ve heard folks discuss it here before and weigh in on pros / cons, but can’t seem to find it.

loren

i looked at pritunl some. or at least pritunl-zero, not the whole vpn. it just seems really confusing from the docs. and despite being open source and on github, issues are disabled, and there is basically a single contributor. didn’t give me a ton of confidence.

aaratn

I have used pritunl multiple times, no experience with paid version though but community version is rock solid

Matt Gowie

Huh — can you use the community version with more than 1 server? Their pricing is a bit confusing, but it seems to limit community to 1 server from what I can see.

aaratn

We had one server only

Matt Gowie

Gotcha

aaratn

How many users are you planning to provision ?

Matt Gowie

30-50

Matt Gowie

We would need to go with the full paid option.

aaratn

Okay got it, you can have one server and keep an AMI as standby

aaratn

If something happens to the server, you can create a new one from that AMI

aaratn

poor man’s HA solution

Matt Gowie

@Erik Osterman (Cloud Posse) have you used pritunl with any Cloud Posse clients? I just saw you folks have a helmfile for it when searching through this Slack.

Drew Davies

We’re just in the process of deploying it now, to replace our existing OpenVPN instances.

Drew Davies

It’s a pretty great wrapper around OpenVPN & Wireguard from my experience, although, it’s effectively a one man operation (https://github.com/pritunl/pritunl/graphs/contributors) and the documentation leaves a lot to be desired.

pritunl/pritunl

Enterprise VPN server. Contribute to pritunl/pritunl development by creating an account on GitHub.

Drew Davies

It’s still using Python v2, which leads to some deprecation warnings at present, but there is an effort via Zach to update the codebase to v3 (https://github.com/pritunl/pritunl/pull/468#issuecomment-689651018)

Matt Gowie

Ah good stuff Drew! That helps me in a couple aspects.

Matt Gowie

Thanks for weighing in folks — appreciate the thoughts / experience.

Drew Davies

I can’t speak to its level of PCI compliance, however, since it’s just a wrapper around OpenVPN/Wireguard, the security vector shouldn’t be impacted to a great degree.

Drew Davies

Sure thing, happy to provide some perspective. Feel free to DM me if you end up deciding on it, and if you have any implementation questions.

Matt Gowie

Have you used the wireguard aspect of it at all? I would like to avoid any VPN configuration and wireguard seems superior in regards to being a mesh over point to point.

Drew Davies

I’ve used it personally, but we’re not implementing it at present within my org. The thing about Pritunl though, is that you’ll have your users retrieve their configurations for either OpenVPN or Wireguard from the same web interface. After that, there really isn’t much maintenance for either OpenVPN or Wireguard.

Drew Davies

The Electron-based Pritunl client (https://client.pritunl.com) syncs any changes with your Pritunl cluster, so once users download their OpenVPN configuration, there really isn’t any ongoing end user maintenance.

aaratn

By the way if you are on AWS, there is also an AWS-managed OpenVPN called AWS Client VPN that you can use; it also supports Okta integration

Matt Gowie

Thanks for that info Drew, that’s good to know about the maintenance of the two protocol configs + the client.

Matt Gowie

@aaratn I’ve implemented the AWS Client VPN for a client before… I wouldn’t go down that path again. VPN configurations are a nightmare to manage and AWS’s client VPN is super expensive for what it is.

masterpointio/terraform-aws-client-vpn

This terraform module installs a client VPN. Contribute to masterpointio/terraform-aws-client-vpn development by creating an account on GitHub.

Erik Osterman (Cloud Posse)

@ how’s pritunl holding up for your team?

Robert Horrox

once configured it has held up well, the okta integration has been very useful for our company. We are working on having the organization come from Okta so a user is placed into the correct Org on Pritunl to grant different levels of access. You can’t however push groups down from okta to pritunl

Robert Horrox

We have pritunl running on k8s and it has been stable. We also have it elsewhere on ec2 instances and it runs just fine there as well

Matt Gowie

Huh gotcha — How was setting up the cluster configuration? That hasn’t given you any trouble?

Erik Osterman (Cloud Posse)

One of the biggest downsides is it depends on mongo

Robert Horrox

we don’t use a cluster per se on the k8s side

Matt Gowie

Yeah, that’s one of my problems with it right now… I don’t want to have to stand up a cluster for a tool that I pay for.

Erik Osterman (Cloud Posse)

I don’t know if it works with DocumentDB. By default, on kubernetes, we deploy mongodb as a container (it’s only for storing configuration data)

Robert Horrox

with ec2 instances I have mongodb atlas setup and once you do the initial setup all instances that connect to the cluster get their config from it

Robert Horrox

@Erik Osterman (Cloud Posse) would need to comment on trying to run multiple Pritunl pods inside k8s

Erik Osterman (Cloud Posse)

Yea, so that works fine too. It’s basically deployed as a statefulset.

Erik Osterman (Cloud Posse)

It requires the enterprise version, though.

Erik Osterman (Cloud Posse)

which is a “whopping” $600/year for unlimited seats and SSO.

Erik Osterman (Cloud Posse)

(in other words, dirt cheap)

Robert Horrox

they will charge you per-cluster

Matt Gowie

Yeah it’s super cheap… why are you evaluating alternatives @Erik Osterman (Cloud Posse) ?

Robert Horrox

I did do math on AWS VPN at one point, it gets expensive very fast

Matt Gowie

AWS VPN is crazy.

Robert Horrox

Lastly I would suggest looking at something like https://www.pomerium.io/ instead of a VPN. If you can get away without running a VPN, all the better. I don’t personally use pomerium, so buyer beware.

Home - Pomerium

Pomerium is an identity-aware proxy that enables secure access to internal applications.

Matt Gowie

Hahah I think this is one of the most crowded spaces right now. Every flavor of BeyondCorp under the sun. That’s the first I’ve heard of this one.

Matt Gowie

That’s another cluster driven solution. I’m trying to avoid those if I can. But thanks for adding it to the pile.

loren

what do you mean by “cluster driven”?

Matt Gowie

As in it has a centralized management layer that requires deploying a cluster for the solution to work. E.g. pritunl, Hashi Boundary, Pomerium, etc.

Matt Gowie

Really I think I’m just enamored with the simplicity of tailscale and now I don’t want anything else

loren

heh, yeah, tailscale architecture is bomb. mesh private internet with acls. though i still want to self-host my own relays and coordination server

Robert Horrox

that cost per user though, 3 users is more than a pritunl license

Robert Horrox

sorry 5 users

loren

i mean, comparing to pritunl pricing is a bit nuts. why it is so underpriced, i do not understand

Matt Gowie

Yeah maybe I would host the tailscale coordination server if I could.. That would solve the PCI compliance issues I’m running into. And I’m sure that’s lightweight anyway considering [their database was a JSON file up until recently](https://tailscale.com/blog/an-unlikely-database-migration/).

An unlikely database migration

When I first joined Tailscale, I was horrified to learn that “the database” was a single JSON file that was rewritten on any change. We migrated to something better.

Matt Gowie

Yeah, pritunl is definitely winning the pricing game 100%.

Robert Horrox

pritunl is just a simple wrapper around OpenVPN, in fact their whole codebase is opensource. Even the code that checks if you are an enterprise user

Matt Gowie

But compare pritunl vs tailscale vs strongDM… tailscale aint that bad.

Robert Horrox

we use StrongDM, their support is great. Product is a bit immature

loren

i don’t think tailscale is even checking against licenses right now anyway ;)

Matt Gowie

Oh interesting… why do you use both?

Robert Horrox

in StrongDM you can give time grant access to users to databases

Robert Horrox

a VPN is needed for some items that SDM doesn’t support

Matt Gowie

Huh

Robert Horrox

similar to PCI, we have compliance requirements that keep us from publicly exposing endpoints

SweetOps
08:00:09 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-21

SweetOps
08:00:23 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-20

SweetOps
08:00:10 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-19

SweetOps
08:00:29 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

Zach Holt

Thanks!

2021-01-18

Zach M

Thank you for the welcome!

SweetOps
08:00:19 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-17

SweetOps
08:00:15 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-16

SweetOps
08:00:17 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-15

SweetOps
08:00:20 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-14

SweetOps
08:00:15 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-13

SweetOps
08:00:10 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-12

SweetOps
08:00:24 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-11

mfridh

Miss the old scaffolding from rails etc when building grpc go apps? – https://github.com/lileio/lile

lileio/lile

Easily generate gRPC services in Go . Contribute to lileio/lile development by creating an account on GitHub.

SweetOps
08:00:13 PM

Hey everyone, give a warm welcome to our newest members!

  • @Oleg Batozhnyi

Good to have you here =)

2021-01-10

SweetOps
08:00:08 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-09

SweetOps
08:00:10 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-08

SweetOps
08:00:12 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

Vincent Sheffer

Thanks for the welcome.

2021-01-07

Bill Clark

</wave>

SweetOps
08:00:12 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-06

SweetOps
08:00:24 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-05

Julian

Hello All! Julian here, trying to learn the latest and greatest of DevOps practices and incorporate them into my architecture for the ultimate in AWS Wizardry.

SweetOps
08:00:25 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-04

jose.amengual

Who works for slack here????? ohhh wait….

SweetOps
08:00:09 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-02

SweetOps
08:00:08 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)

2021-01-01

SweetOps
08:00:15 PM

Hey everyone, give a warm welcome to our newest members!

Good to have you here =)