#office-hours (2024-02)

“Office Hours” are every Wednesday at 11:30 PST via Zoom. It’s open to everyone. Ask questions related to DevOps & Cloud and get answers! https://cloudposse.com/office-hours


https://cpco.io/slack-office-hours

Meeting password: sweetops

2024-02-05

venkata.mutyala
Alexis Richardson on LinkedIn: Hi everyone I am very sad to announce - officially - that Weaveworks will… | 64 comments

Hi everyone

I am very sad to announce - officially - that Weaveworks will be closing its doors and shutting down commercial operations.  Customers and…

2024-02-07

Erik Osterman (Cloud Posse)

I would like to discuss this today: https://github.com/palantir/policy-bot/issues/705

#705 Request for Advice on Using Policy Bot in Open Source Projects for Testing, Approving, Merging of PRs

We came across policy-bot and eagerly deployed it without realizing we couldn’t do what we had hoped to do.

We run a large Open Source GitHub organization with hundreds of repositories. We are a small business. Adding trusted contributors to our enterprise organization as outside collaborators or team members is cost-prohibitive (this is what we currently do).

We would like to instead follow in the footsteps of kubernetes/test-infra to implement a ChatOps style mechanism to approve PRs for testing and separately approve PRs for merging. Under the hood, this project uses prow.

We would like this solution to play well with GitHub Action triggers

Ideal Workflow

  1. Untrusted open-source PR is opened against one of our repos from a fork (never a branch in the repo)
  2. A vetted contributor inspects the PR. If it looks good, they comment /ok-to-test
  3. policy-bot receives the payload, and applies its advanced policy controls. Instead of approving the PR, it can be configured to comment on the PR with something like /terratest (or add a label, such as ok-to-test)
  4. GitHub Actions configured on the PR trigger on comments from the policy-bot or labels. Note, non-org members cannot add labels.
  5. Tests pass
  6. policy-bot awakens and approves the PR (as a CODEOWNER), so branch-protection rules now pass
  7. A vetted contributor now decides if this PR is mergeable, and then comments /ok-to-merge
  8. Something like bulldozer then auto-merges the PR.

Limitations

• The major limitation seems that policy-bot cannot interact with PRs beyond approving them, and we cannot approve a PR without first running tests.
• We cannot run tests automatically on untrusted Pull Requests from open-source forks due to the massive attack surface and the requirement that tests have access to secrets required to validate terraform code.

Alternatives considered

  1. Implement a native GHA solution. GHA suck for ChatOps. It’s like talking to the Mars Lander. Commands take minutes to receive an acknowledgment.
  2. Trigger GHA on policy-bot status checks. GHAs can only trigger on status checks in the default branch, precluding its use on PRs
  3. Write a custom bot using one of the plethora of GH bot frameworks. We would like not to have to maintain a custom solution.
  4. Deploy prow used by test-infra, however, the project feels overwhelming in complexity and doesn’t seem to support GHA (only Jenkins), a requirement for us.
Erik Osterman (Cloud Posse)
Comment on #705 Request for Advice on Using Policy Bot in Open Source Projects for Testing, Approving, Merging of PRs

As you discovered, Policy Bot was designed for overall/merge approval workflows and doesn’t support the phased approval (approved for testing vs approved for merge) that your workflow requires. Given the limitations of GitHub Actions and Policy Bot, I don’t think you can achieve what you want using only features that are available today.

That said, here’s an idea that might work with one new Policy Bot feature:

  1. Implement the feature requested in #387, which is a way for Policy Bot to leave GitHub reviews instead of only posting status checks. Since this is a feature we don’t have a use for internally, I’m not sure my team will have time to implement it, but I think it should be relatively straightforward to add and I’m happy to review a contribution or discuss the implementation.
  2. For your organization, run two instances of Policy Bot, the “Test” instance and the “Merge” instance
  3. The “Test” instance looks at a test-specific policy file and leaves an approving review when it is satisfied. You configure the GitHub branch protection and the “Merge” policy to ignore approvals from this app instance. Instead, this approval is the trigger condition for the GitHub Actions workflow.
  4. The “Merge” instance looks at a merge-specific policy file and approves the PR (either by leaving a review or via status check) when code review is complete and the PR is ready to merge

Running two instances of Policy Bot is awkward, but they can be configured to not conflict and it avoids adding more complicated features.

To achieve what you want with only a single instance, I think we’d have to add significant new features. We don’t really have a concept of sub-policies or policies for different actions (the disapproval policy is an explicit special case) and I don’t immediately see a place to hook in logic to leave comments or add labels when certain conditions are met.

Erik Osterman (Cloud Posse)
07:01:23 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Alex Atkinson

Here’s one, for you release-engineering types. What’s the approach that most folks take these days for handling db migrations. Laravel, or whatever. Do folks tightly couple the migrations with the application, applying them at the time of app code deploy? I still see this frequently, and it seems awful. My answer is the same as always – to manage the DB schema/queries/etc., as their own versioned products. This way if you know your app is going to need a new column you can make that change before the app is deployed. As you would do with any dependency. LMK, I’m interested in finding out what others see/do.

Jonathan Eunice

Weaveworks shutdown & implications

Alex Atkinson

speedtest.net reaches 50 Billion tests and authors some slightly interesting stats on bandwidth availability over time. https://www.ookla.com/articles/speedtest-50-billion

rohit

Two questions:

  1. External Secrets Operator alternatives? Where our kubernetes applications (high # transactions per min) need to write and read secrets from an external secrets management system. we looked at dapr, eso, and some others, but they only support reading secrets from the source.
  2. Anyone ever deploy things to kubernetes hosted on vmware infra?
Alex Atkinson

Sorry. Internet installer guy showed up.

2024-02-08

managedkaos

For next time…. The Container Evolution Kit: https://cekit.io/ Define container images in YAML format which is easy to read and parse! This really makes me believe we are all becoming YAML Engineers

CEKit

Container image creation tool

Andriy Knysh (Cloud Posse)

YAML rules

managedkaos

i’m not mad at it. i think the more prolific it becomes, the less of an issue it will be to onboard people to a tool/platform.

“Know how to read/write YAML? Good, you can do this”

Andriy Knysh (Cloud Posse)

regardless if you love it or hate it

Erik Osterman (Cloud Posse)

haha, sounds like they just want to be compatible with atmos.

2024-02-13

jose.amengual

Who changed the logo on my slack workspace???????

venkata.mutyala

We need answers. Also, with this new color scheme will there be the ability to purchase SweetOps/CloudPosse t-shirts/swag?

jose.amengual

I should get a free T-shirt just for the inconvenience.

Alex Atkinson

It took me 20m to find SweetOps in the side bar…

Erik Osterman (Cloud Posse)

HAHaha

Erik Osterman (Cloud Posse)

Happy Valentine’s Day!

2024-02-14

Erik Osterman (Cloud Posse)
07:01:45 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

Erik Osterman (Cloud Posse)

Two questions:

  1. External Secrets Operator alternatives? Where our kubernetes applications (high # transactions per min) need to write and read secrets from an external secrets management system. we looked at dapr, eso, and some others, but they only support reading secrets from the source.
  2. Anyone ever deploy things to kubernetes hosted on vmware infra?
Jonathan Eunice

Thoughts on https://www.firefly.ai/ and its “Terraform the chaos” and “genuine drift detection” claims

Firefly | Manage Your Cloud with Infrastructure-as-Code

Firefly provides the cloud infrastructure management tools missing from traditional CMDBs

Roy Sprague

Lack of boot strapping the foundation in IAC

Jeremy White (Cloud Posse)

If anyone wanted to continue the discussion about empathy and encouraging devs to learn IaC, feel free to off this. I know that once the zoom call ended, folks might think to look here


2024-02-15

managedkaos

Is this another approach to multi cloud? Looks like a couple tools wrapped into one … A little AWS SDK, some Pulumi, and some Local Stack…

https://nitric.io/

Nitric Cloud-Native Framework | Get Infrastructure from Code

Nitric Open Source Cloud-Native Framework auto-provisions infrastructure for your app from any language for any cloud. Launch now with AWS, GCP and Azure.


2024-02-20

Isaac

question for office hours : should errors go into a dedicated slack channel only for errors or should they go into the slack channel the team is already in so that they don’t get ignored?

Erik Osterman (Cloud Posse)

Good question for today?

2024-02-21

Erik Osterman (Cloud Posse)
07:00:51 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.

managedkaos

It’s day it’s about time. And still not enough.

“AWS Free Tier offers free usage each month for AWS services and products. You can use the Free Tier API to programmatically track your free tier usage against the monthly usage limits.”

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/using-free-tier-api.html

Using the Free Tier API - AWS Billing

Use the Free Tier API to programmatically get your free tier usage.


2024-02-22


2024-02-26

managedkaos

Was this ever a thing? https://gitness.com/

Gitness: Open-Source Code Hosting & CI/CD Pipeline Engine

Unlock superior Git workflows with Gitness. Experience seamless code reviews, robust CI/CD solutions, and up to 4x faster pipeline execution. Begin your journey in just 30 seconds.

venkata.mutyala
Q&A What you need to know about Codefresh joining Octopus

We have some great news! Octopus Deploy has acquired Codefresh in a strategic investment to combine forces in creating the best CD and CI platform. Octopus Deploy is a leader in continuous delivery, especially for VMs and Windows with recent additions for Kubernetes while Codefresh has been wholly focused on cloud-native applications. Together, our goal […]

2024-02-28

Kevin Neufeld(PayByPhone)

@Erik Osterman (Cloud Posse) stumbled a week or two ago on Pkl (pronounced pickle) and thought you might be interested in having a look for office hours. Something that might help my team with generating Gitlab-triggered jobs. https://pkl-lang.org/index.html

Erik Osterman (Cloud Posse)

Oh yep! Brought it up on #office-hours a couple weeks ago

Erik Osterman (Cloud Posse)

If you kick the tires on it, it would be great to get a report of your experience.

joshmyers

Know a few folks at Apple who are using pkl as a drop in for HCL, basically generating JSON and passing to terraform. They haven’t had to write any HCL in a long time, so they say. Interesting idea. Certainly fills some of the language/DRYness/dynamic providers etc issues with HCL/Terraform.

Erik Osterman (Cloud Posse)

At that point, why not use CDK? That’s all its doing.

joshmyers
We created Pkl because we believe that configuration is best expressed in a special-purpose configuration language; a blend between a static configuration format, and a general-purpose programming language.
joshmyers

Because don’t want a full fledged programming language. The horrors I’ve seen devs do “because they can”

joshmyers

Also it is used internally a lot, so consistency++.

Erik Osterman (Cloud Posse)
07:01:12 PM

@here office hours is starting in 30 minutes! Remember to post your questions here.
