#office-hours (2023-09)

“Office Hours” are every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers! https://cloudposse.com/office-hours

Public “Office Hours” are held every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers!

https://cpco.io/slack-office-hours

Meeting password: sweetops

2023-09-02

2023-09-05

Alanis Swanepoel avatar
Alanis Swanepoel
Kubernetes v1.28: Introducing native sidecar containers

Authors: Todd Neal (AWS), Matthias Bertschy (ARMO), Sergey Kanzhelev (Google), Gunju Kim (NAVER), Shannon Kularathna (Google) This post explains how to use the new sidecar feature, which enables restartable init containers and is available in alpha in Kubernetes 1.28. We want your feedback so that we can graduate this feature as soon as possible. The concept of a “sidecar” has been part of Kubernetes since nearly the very beginning. In 2015, sidecars were described in a blog post about composite containers as additional containers that “extend and enhance the ‘main’ container”.

2023-09-06

Piotr Pawlowski avatar
Piotr Pawlowski

Last time there was a mention about self-hosted n8n where someone mentioned Node-RED as an alternative. I believe it is worth to mention, that for some time there is tool called FlowFuse (https://flowfuse.com , self-hosted option available) which is positioned as a DevOps for Node-RED.

FlowFuse • DevOps for Node-REDattachment image

FlowFuse allows organizations to reliably deliver Node-RED applications in a continuous, collaborative, and secure manner.

Alanis Swanepoel avatar
Alanis Swanepoel

I mentioned node red…

FlowFuse • DevOps for Node-REDattachment image

FlowFuse allows organizations to reliably deliver Node-RED applications in a continuous, collaborative, and secure manner.

Alanis Swanepoel avatar
Alanis Swanepoel

I was looking for flow fuse well. There’s quite a few players in this low-code environment

tommy avatar

In this area I think windmill is also great, for more complex workloads, there is temporal.io

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We are moving Atlantis to the CNCF!!! please take a minute to give a thumbs up https://github.com/cncf/sandbox/issues/60

2023-09-11

Jeremy (UnderGrid Network Services) avatar
Jeremy (UnderGrid Network Services)

Are office hours changing to be an hour earlier from now on?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It shouldn’t be

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Please confirm it’s at the same time. It should be 11:30 PT, 1:30 CT

Jeremy (UnderGrid Network Services) avatar
Jeremy (UnderGrid Network Services)

Yes, that was the time… Hadn’t noticed the CT not ET

Matthew James avatar
Matthew James

I’ll add to the mutli-cloud comment datadog is an example of an org that does that, they use GCP and AWS for various regions for a number of reasons (cost, HA etc).

2023-09-12

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@here PSA

alert The old meeting ID will not be used 508587304

Please make sure you’ve registered for this week’s office hours. Future meetings (including this week’s) will use a new Zoom meeting ID and these calendar invites are sent via our Google Group ([email protected]).

Meetings are at the same time (11:30 am PT), but a new meeting link.

Registration is at cloudposse.com/office-hours

You can email me at [email protected] if you have any problems registering.

2023-09-13

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
06:01:19 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Alex Atkinson avatar
Alex Atkinson

MongoDBs docs are slick, but watch that license. https://github.com/mongodb/docs

Matt Gowie avatar
Matt Gowie

Question for next time: AWS IAM Database Authentication – who has implemented it? What are you thoughts? Any alternatives that are open source or SaaS that are worth looking into? Not trying to solve the private network access problem – really just working to solve the RBAC DB access problem and not have to create / maintain postgres roles + passwords for every engineer who needs SQL access.

IAM database authentication - Amazon Aurora

Authenticate to your DB instance or cluster using AWS Identity and Access Management (IAM) database authentication.

1
Matt Gowie avatar
Matt Gowie

Bumping this thread / question for next week’s office hours

IAM database authentication - Amazon Aurora

Authenticate to your DB instance or cluster using AWS Identity and Access Management (IAM) database authentication.

2023-09-14

Jeremy White (Cloud Posse) avatar
Jeremy White (Cloud Posse)

Hey folks, my friend does have open source Earthfiles to share

For anyone looking for a larger and more meaningful example of using Earthly.dev: https://git.sr.ht/~nelsam/pnp-tools/tree/main/item/Earthfile

Jeremy White (Cloud Posse) avatar
Jeremy White (Cloud Posse)

Also, if you want a full ci example in sr.ht , he has hel set up that way with https://git.sr.ht/~~~nelsam/hel/tree/main/item/Earthfile and https://git.sr.ht/~~~lsam/hel/tree/main/item/.build.yml if you want to see that. For small projects, sourcehut is pretty nice.

Matthew James avatar
Matthew James

Also surpised the rollbar breach didn’t get mentioned on this today - for those using it make sure you rotate your tokens https://dataconomy.com/2023/09/14/rollbar-data-breach/

Rollbar data breach acknowledged after a monthattachment image

Rollbar has announced that its systems were hacked in August, and it was identified recently. The Rollbar data breach was

2

2023-09-17

Hans D avatar

although localstack is not 100% perfect, anyone got it running using atmos and as a separate stack/org (so side by side with normal aws stack)?

Brian avatar

Yes. I was able to do it. However, I did so with at least two compromises. • I disabled LocalStack’s IAM enforcement. • I updated the [providers.tf](http://providers.tf) in any component module (aka the root module) that would be deployed to LocalStack. I updated so it would check if a TF variable localstack_enabled was true, it would explicitly set the service endpoints configurable in the AWS TF provider to point to LocalStack. I haven’t used LS in nearly 2 years though. The solution I implemented worked well until we scaled out the number of lambda function we deployed to it (150+) and services we consumed (dozen plus including redis, rds, cognito). Even then it worked, but the overhead to deploy everything fresh could take 20+ minutes or much longer on some systems and may need to be retry if LS or TF had issues when provisioning everything. This wasn’t ideal for a dev-ex so we moved on. That said, LS is still best-in-class for the problem is solves.

Hans D avatar

Thanks. Looking at some bootstrapping work atm (orgs, accounts/account-map etc.)

2023-09-18

managedkaos avatar
managedkaos
CloudBees Launches the Most Significant Performance and Scalability Functionality for Jenkins in a Decade

CloudBees announced significant performance and scalability breakthroughs for Jenkins with new updates to its CloudBees Continuous Integration (CI) software.

1
jose.amengual avatar
jose.amengual

what? they are using Github Actions?

CloudBees Launches the Most Significant Performance and Scalability Functionality for Jenkins in a Decade

CloudBees announced significant performance and scalability breakthroughs for Jenkins with new updates to its CloudBees Continuous Integration (CI) software.

2
1
venkata.mutyala avatar
venkata.mutyala
Introducing Kargo

Kargo transports ‘freight’ (build and configuration artifacts) to multiple environments with a first-class GitOps approach.

1
1

2023-09-20

venkata.mutyala avatar
venkata.mutyala
Linux Foundation Launches OpenTofu: A New Open Source Alternative to Terraformattachment image

Backed by industry leaders and hundreds of developers, OpenTofu is set to become the go-to infrastructure as code solution.

3
2
1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
06:01:11 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Join Zoom Meeting https://cloudposse.zoom.us/j/88609060289?pwd=cHlNSjkrbVNHeWphL0xrcHNUejV5UT09

Meeting ID: 886 0906 0289 Passcode: 157166


One tap mobile +13052241968,,88609060289# US +13092053325,,88609060289# US


Dial by your location

+1 305 224 1968 US

+1 309 205 3325 US

+1 312 626 6799 US (Chicago)

+1 646 558 8656 US (New York)

+1 646 931 3860 US

+1 301 715 8592 US (Washington DC)

+1 689 278 1000 US

+1 719 359 4580 US

+1 253 205 0468 US

+1 253 215 8782 US (Tacoma)

+1 346 248 7799 US (Houston)

+1 360 209 5623 US

+1 386 347 5053 US

+1 507 473 4847 US

+1 564 217 2000 US

+1 669 444 9171 US

+1 669 900 6833 US (San Jose)

Meeting ID: 886 0906 0289

Find your local number: https://cloudposse.zoom.us/u/kcJY3rCz8A

david.gregory_slack avatar
david.gregory_slack

Question for today if there’s time (will cross post): I have been looking into using Terraform with drift detection (Spacelift edition) to manage Security-relevant stuff and share visibility with InfoSec. So, group memberships, security rules etc. But there’s a hole around memberships (and possibly rules) added manually that aren’t in state so don’t get spotted as drift. Is there any clever way to catch these?

Hao Wang avatar
Hao Wang

how about cloud custodian from capitalone?

Nenna avatar

Links from today’s office hours:

https://news.google.com/search?q=Mgm&hl=en-US&gl=US&ceid=US%3Aen https://news.ycombinator.com/item?id=37570407 https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_mgmt_util-getHSMInfo.html https://www.prnewswire.com/news-releases/caviums-liquidsecurity-hsm-enables-hybrid-cloud-users-to-synchronize-keys-between-aws-cloudhsm-and-private-clouds-300631079.html https://www.wired.com/video/watch/tech-support-hacker-answers-penetration-test-questions-from-twitter https://opentofu.org/ https://www.linuxfoundation.org/press/announcing-opentofu https://github.com/opentofu/registry https://registry.opentofu.org/ https://akuity.io/blog/introducing-kargo/ https://www.prnewswire.com/news-releases/urbancode-announces-the-launch-of-terraform-161831135.html https://github.com/UrbanCode/terraform/blob/master/LICENSE https://www.cloudbees.com/newsroom/cloudbees-launches-most-significant-scalability-functionality-jenkins https://dataconomy.com/2023/09/14/rollbar-data-breach/ https://pulpproject.org/about-pulp-3/ https://github.com/hashicorp/terraform/issues/13022 https://tmsearch.uspto.gov/bin/showfield?f=toc&state=4801%3Ad3ogud.1.1&p_search=searchss&p_L=50&BackReference=&p_plural=yes&p_s_PARA1=&p_tagrepl%7E%3A=PARA1%24LD&expr=PARA1+AND+PARA2&p_s_PARA2=terraform&p_tagrepl%7E%3A=PARA2%24COMB&p_op_ALL=AND&a_default=search&a_search=Submit+Query&a_search=Submit+Query https://jenkins-x.io/ https://www.firefly.ai/ https://github.com/kr8s-org/kr8s https://github.com/lensapp/lens https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/ https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/ https://github.com/cloudfoundry-attic/lattice-release https://nats.io/

Blaise Pabon avatar
Blaise Pabon

Thank you @Nenna!

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
07:33:56 PM

set the channel topic: “Office Hours” are every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers! https://cloudposse.com/office-hours

SlackBot avatar
SlackBot
11:55:32 PM
SlackBot avatar
SlackBot
11:55:32 PM
SlackBot avatar
SlackBot
11:55:32 PM
SlackBot avatar
SlackBot
11:55:32 PM
SlackBot avatar
SlackBot
11:55:32 PM
SlackBot avatar
SlackBot
11:55:33 PM
SlackBot avatar
SlackBot
11:55:33 PM
SlackBot avatar
SlackBot
11:55:33 PM
SlackBot avatar
SlackBot
11:55:33 PM
SlackBot avatar
SlackBot
11:55:33 PM
SlackBot avatar
SlackBot
11:55:33 PM
SlackBot avatar
SlackBot
11:55:34 PM
SlackBot avatar
SlackBot
11:55:34 PM
SlackBot avatar
SlackBot
11:55:35 PM
SlackBot avatar
SlackBot
11:55:37 PM

2023-09-21

Jeremy White (Cloud Posse) avatar
Jeremy White (Cloud Posse)
managedkaos avatar
managedkaos
Cisco to buy cybersecurity firm Splunk for $28 billionattachment image

Cisco Systems on Thursday agreed to buy cybersecurity firm Splunk for about $28 billion in its biggest-ever deal to strengthen its software business and capitalize on the boom in artificial intelligence.

2023-09-25

Vlad Ionescu (he/him) avatar
Vlad Ionescu (he/him)

I’ll miss the next 2 Office Hours due to a conflict Sorry!

1
fb-wow1
1
2
1
venkata.mutyala avatar
venkata.mutyala

Anyone here using self-hosted github enterprise? If so, any tips/wisdom you could share?

I’m exploring the option of going self-hosted because we have heavy amounts of automation using github and when their API’s have errors it causes a real disruption for some of our development workflows.

z0rc3r avatar

What makes you think your self-hosted solution will be more reliable?

venkata.mutyala avatar
venkata.mutyala

I am under the impression that I will have control with this approach for when I want API updates to hit me. Of course this doesn’t mean I don’t risk new issues from self-hosting, hence this question to better understand the other risks/issues I may experience.

A little more context on our issue: I think the errors we are having right now are probably because of a backend change/update. When we make an API request using terraform more than half the time it throws a 401 error. We don’t do anything and it suddenly works again. Something feels non deterministic and I assume it’s an issue on their backend. I’ve got a ticket open with them but it’s already been close to a day without much traction (totally possible they just immediately come back and say it’s fixed now). We also updated our GitHub terraform provider to the latest version to try and resolve the error but that didn’t do much. Our terraform has been working fine for months so this feels like GitHub issues for our enterprise/tenant.

We also barely spend a couple hundred a month on GitHub so our support options are pretty much through the front door support.

If anyone has any input on github premium support offerings that would be great.

Alex Atkinson avatar
Alex Atkinson

I haven’t been enjoying GH since MS bought them. Might just be me, but my perception is that it’s a lot more unstable since. Checkout https://about.gitea.com/.

venkata.mutyala avatar
venkata.mutyala

Yeah i’m sure as part of that purchase they are migrating things to Azure now

venkata.mutyala avatar
venkata.mutyala

Thanks

2023-09-26

2023-09-27

SlackBot avatar
SlackBot
10:28:24 AM
SlackBot avatar
SlackBot
10:28:25 AM
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
06:01:15 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Sri avatar

Hello, Q re the GH action workflows. Looking at the workflow triggers: event based, scheduled, and manual(workflow_dispatch), noticed that scheduled and manual based triggers have a requirement that the workflow file is on the default branch which makes its development comply with the branch protection rules(require approvals, etc). But from the looks of it, it isn’t the case with event based triggers. Just thinking about the security implications. Thinking of a scenario where folks can create a branch “x” and setup a workflow with a trigger on push to branch “x”, and the workflow can access the repo secrets and the underlying runners ie you can trigger workflow from arbitrary branches, and can have unreviewed code running arbitrary releases. To add, the above is in reference to a private repo with GH Team license. wanted to check if i am missing anything, or if there is a workaround for the above issue, or if there is a repo/org level setting that should just do the trick.

Blaise Pabon avatar
Blaise Pabon

That was fun

2023-09-28

    keyboard_arrow_up