#office-hours (2024-04)
“Office Hours” are every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers! https://cloudposse.com/office-hours
Public “Office Hours” are held every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers!
https://cpco.io/slack-office-hours
Meeting password: sweetops
2024-04-03
office hours:
we have a goal to deliver a working helm project to a customer, so customer BYOI (brings your own infra), and we ask them to helm install our project. this normally works fine for simpler projects, but we’re facing difficulties in ordering some of the k8s resources we want to create before we deploy our services AND ensuring the dependency helm charts (alb + fluent-bit) are setup PRIOR to our helm chart.
our flow right now looks like this:
- install external helm chart (aws-load-balancer-controller)
- install external helm chart (fluent-bit)
- we install service-account.yaml before secret.yaml
- run this vault script to ensure service account has access to vault to fetch secrets
- helm install
(2 jobs, service, deployment, and ingress.yaml) - we wait for restarts until “things eventually work out” (app restarts multiple times because jobs are not done) this doesn’t seem feasible managing all of this in helm. am i wrong? if not, what are my options here?
I looked into helmfile and splitting up our helm chart into 2 helm charts, where our main app will have dependencies in Chart.yaml to ensure deps are met, but AFAIK we can’t “order” the dependency installs. or even writing a shell script that does this step by step.
thank you!
cc @Yonatan Koren
It’s important to know what the assumptions are as well
• What flavor of Kubernetes (e.g. EKS, GKE, AKS, etc)
• Are they running a current version of Kubernetes
• Is deploying an ALB even viable? E.g. they might already have ALB controller deployed
• Is using only helm a requirement? Maybe helmfile will simplify things
I used to work at Codefresh and we had to solve similar issues for delivering on on-prem installation to customers.
You can take a look at the documentation for the on-prem codefresh helm chart: https://artifacthub.io/packages/helm/codefresh-onprem/codefresh
My devil’s advocate response to wanting to package all of your low-level app dependencies for customers is, what happens when you have two customers with different underlying cluster requirements?
For example, when I worked at Codefresh we had to support both aws-load-balancer-controller and nginx-ingress-controller. So we saved these as open ended for the customer to choose, and these served as pre-requisites for our app. Yes it’s less automated and we needed support engineers to help new customers, but it was a complicated architecture and the expectation was that setup needs some manual preparation anyways. So we focused more on ensuring compatibility with different ingress controllers, different public cloud providers, even added support for openshift customers. This was more important to us than to automate everything from end to end only for one type of customer.
So in my opinion, take #1 and #2 out of the equation. This needs to be handled by the customer. This way you can onboard more types of customers who have different k8s environments.
If you can automate #3 and #4 using a Kubernetes resource instead of a script, you definitely should do that. Have you looked into https://external-secrets.io/latest/provider/hashicorp-vault/ ? If External Secrets Operator can sync that vault secret you need for the service account, you don’t need to manually intervene with a script. It will eventually sync and your application will come up. You should also give your customers different options to get this secret into their cluster. Maybe they have it in AWS Secrets Manager. You can instruct them how to set up ESO to sync that secret as well. This ESO resource probably won’t be inside your helm templates, but you will give an option to change the name of the secret inside the SA template. Then they deploy it either in templates/ with your chart as a sub-chart, or just deploy it manually beforehand.
We can discuss this on the office hours call today if you’d like
Sorry and thank you for the replies. Our first customer is running kubernetes on VMware TKGI (kind cluster behinds the scenes). So I cannot take advantage of any cloud managed k8s
Our first customer is running kubernetes on VMware TKGI
Hah! Exactly the challenge
So many ways to run k8s. Other considerations that we ran into were exposing web interfaces over TLS without self-signed certs, which required Let’s Encrypt and public DNS names.
As another example, take a look at the Teleport project and how they support their helm installation for different scenarios.
https://goteleport.com/docs/deploy-a-cluster/helm-deployments/
They have a single helm chart but support EKS, GKE, AKS, and others. There are semi-manual steps involved, such as setting up IAM, setting up TLS, setting up DynamoDB, etc. Their helm chart only installs their app, but they walk you through how to install it based on your scenario.
IMO it’s much better to keep new potential customers happy by giving and documenting different options for them to use. One of the worse things that can happen is if a customer wants to install your product on their cluster and you say that they have to use cert-manager instead of AWS Certificate Manager. Or that they have to use aws-load-balancer-controller instead of nginx-ingress-controller. In my experience this leaves them with a bad taste in their mouth, because it makes them feel like they need to do a lot of changes to install your app, and that your app isn’t engineered in a way that had compatibility in mind.
@here office hours is starting in 30 minutes! Remember to post your questions here.
Am I doing it wrong or did office hours not start yet?
Make sure. you click the link from the invite
I clicked the one in my gmail/calendar. Still says waiting for host to start the meeting. I guess no OH for me today.
Others mentioned that you might have the old invite link
In september 2023, we changed meeting
Aha, Public "Office Hours" is definitely the old invite
2024-04-04
Links from today’s office hours:
https://boehs.org/node/everything-i-know-about-the-xz-backdoor https://docs.localstack.cloud/tutorials/replicate-aws-resources-localstack-extension/ https://blog.cloudflare.com/python-workers https://techcrunch.com/2024/03/31/why-aws-google-and-oracle-are-backing-the-valkey-redis-fork/amp/ https://www.infoworld.com/article/3714688/the-bizarre-defense-of-trillion-dollar-cabals.html https://www.reddit.com/r/Terraform/comments/1bpfjjr/is_checkov_now_paywalled_by_palo_alto/ https://github.com/clivern/lynx https://aws.amazon.com/about-aws/whats-new/2024/03/slack-connect-aws-sales-collaborate-customers-partners/
https://github.com/bridgecrewio/checkov-vscode/issues/141 https://artifacthub.io/packages/helm/codefresh-onprem/codefresh
That post should be deleted, is actually not accurate
That post should be deleted, is actually not accurate
the InfoWorld post or this Slack post?
or it should be corrected
Will do!
Redacted Cease & Desist letter https://opentofu.github.io/legal-documents/2024-04-03%20HashiCorp%20C%26D/OpenTofu%20C&D%20-%20Redacted.pdf
This quote is from OpenTofu: “In the future, if you should have any concerns or questions about how source code in OpenTofu is developed, we would ask that you contact us first. Immediately issuing DMCA takedown notices and igniting salacious negative press articles is not the most helpful path to resolving concerns like this.”
That’s such a reasonable request by OpenTofu and how reasonable parties should operate on both sides.
2024-04-06
2024-04-10
Randomly, another whiteboarding/diagramming app. this one’s open source and embeddable…. https://excalidraw.com/ https://github.com/excalidraw/excalidraw
@here office hours is starting in 30 minutes! Remember to post your questions here.
Links from today’s office hours:
https://security.googleblog.com/2024/03/google-public-dnss-approach-to-fight.html https://containerssh.io/v0.5/ https://goteleport.com/blog/teleport-community-license/ https://github.com/opentofu/registry/issues/301 https://www.infoworld.com/article/3714980/opentofu-may-be-showing-us-the-wrong-way-to-fork.html https://www.linkedin.com/posts/opentofuorg_opentofu-project-was-recently-made-aware-activity-7182147077496344576-jsDQ/?utm_source=combined_share_message&utm_medium=member_android https://gource.io/ https://github.com/charmbracelet/freeze https://github.com/cloudposse/terraform-aws-eks-cluster/blob/main/docs/migration-v3-v4.md https://github.com/seal-io/hermitcrab https://runtipi.io/ https://github.com/charmbracelet/glow https://masterpoint.io/updates/opentofu-early-adopters/ https://aws.amazon.com/lightsail/ https://noxon.cc/@jeff/112157251058272180
AWS Ref architecture for wordpress - https://github.com/aws-samples/aws-refarch-wordpress
Yes this is exactly along the lines of what I’m looking for. Thanks for sharing!!
2024-04-11
2024-04-12
2024-04-16
2024-04-17
Question for #office-hours
We are trying to automate the service deployment process in AWS using terraform/terragrunt. Currently the Services are deployed in ECS. We are starting to use Atlantis for Pull Request automation.
Once a new Service version is deployed in the integration environment and tested, we want the same version to be automatically deployed in different regions of the production environment.
We want the automated tests for each Service to be run against the new deployed version to validate the deployment.
There should be a bake time in each region/environment. Only after validating the health of the deployment in that region/environment, it should be propagated to the next region/environment.
The Service should be rolled back to the earlier version in case of any test failures or increase in error rates during the bake period.
We are trying to understand how different teams have implemented something similar for AWS.
Is AWS Step Functions a good mechanism to orchestrate these steps for automating service deployment? Are there other options that folks have successfully implemented?
Please let us know…
You might also enjoy this other recent thread. It’s not entirely related, but talks about some of the challenges we’ve encountered managed ECS tasks purely with Terraform. https://sweetops.slack.com/archives/CCT1E7JJY/p1712686050689659
@here office hours is starting in 30 minutes! Remember to post your questions here.
Links from today’s office hours:
https://www.cnbc.com/2024/04/17/aws-stops-selling-snowmobile-truck-for-cloud-migrations.html https://aws.amazon.com/blogs/aws/amazon-cloudwatch-internet-weather-map-view-and-analyze-internet-health/ https://gregoryszorc.com/blog/2022/08/08/achieving-a-completely-open-source-implementation-of-apple-code-signing-and-notarization/ https://neon.tech/blog/neon-ga https://library.tf/ https://docs.cloudposse.com/reference/terraform-in-depth/terraform-unknown-at-plan-time/ https://opentofu.org/blog/our-response-to-hashicorps-cease-and-desist/ https://opentofu.github.io/legal-documents/2024-04-03%20HashiCorp%20C%26D/OpenTofu%20C&D%20-%20Redacted.pdf https://www.theregister.com/AMP/2024/04/12/linux_foundation_opinion/ https://github.com/hashicorp/terraform/releases/tag/v1.8.0 https://github.com/hashicorp/terraform/issues/34984#top https://github.com/hashicorp/terraform/releases/tag/v1.9.0-alpha20240404 https://masterpoint.io/updates/opentofu-early-adopters/ https://tea.xyz
