#ops

Archive: https://archive.sweetops.com/ops/

2019-10-03

Sharanya

Create Jenkinsfile to deploy UI code to S3 bucket.

Erik Osterman

I don’t have any context…

2019-08-28

Sharanya

Did anyone come across NPM memory issues?

2019-07-29

Sharanya

Hey folks, trying to find some Terraform modules related to the AWS AppStream service (for creating fleets and stacks). Any help appreciated.

2019-07-22

Jonathan Le

I didn’t know where to post this, but if you’re dealing with TLS restricted redis: https://www.compose.com/articles/redli-your-new-redis-command-line-client-from-compose/

Redli - your new Redis command line client from Compose

Today, we’re pleased to release, as open source, Redli - a humane alternative to the redis-cli and TLS connections. It makes connecting to a TLS/SSL-protected server as simple as connecting to one with no encryption protection. TL;DR: There’s a new Redis CLI client from Compose which lets you

2019-03-12

AWS Cloudtrail Slack Integration | GorillaStack

Monitor AWS CloudTrail Events in Slack with GorillaStack AWS Slack Integration. Notify any channel or party with your choice of CloudTrail events for free.

Erik Osterman

no, but it reminds me of https://marbot.io/

marbot - Send CloudWatch alarms to Slack

Easy-going incident management for AWS. Cloud-native alerting with CloudWatch and Slack.

2019-02-14

Erik Osterman
05:21:03 AM

@Erik Osterman set the channel purpose: Archive: https://archive.sweetops.com/ops/

2019-02-12

I believe I asked this before, but how do you guys run etcd/consul/etc config changes or even secrets?

E.g. you have one or multiple secrets using config from etcd /someparam, and you want to update it.

Most examples I see with confd and the like (even in code) mean you potentially kill all services using that parameter if you set the wrong one. The same applies to secrets.

We handle it by not hot-reloading and just triggering a force deploy (roll/blue-green even if no changes are detected).

Erik Osterman

Yes, same.

Erik Osterman

Changing secrets is a new release

2019-02-05

Any recommendations for an incident response/monitoring platform? PagerDuty/OpsGenie/etc?

joshmyers

Either of the above is good. IIRC OG is significantly cheaper than PD.

2019-01-17

Erik Osterman

Let's Encrypt down

sarkis

2019-01-15

There is a sidecar container for doing auto letsencrypt

JrCs/docker-letsencrypt-nginx-proxy-companion

LetsEncrypt companion container for nginx-proxy. Contribute to JrCs/docker-letsencrypt-nginx-proxy-companion development by creating an account on GitHub.

2019-01-14

james

what’s the current state-of-the-art for auto-renewing HTTPS certs for nginx?

Erik Osterman

Are you on k8s?

james

no

Erik Osterman

Unfortunately no recent experience with self-NGINX with LE. Bet a lot has improved since I last checked it out.

james

I vaguely recall reading it’s got a lot better, but it’s hard to google

Erik Osterman

Are you running on AWS?

james

yes

james

no wait, no

james

sorry

Erik Osterman

No prob… was going to suggest using ACM

Erik Osterman

Where are you hosted?

james

Digital Ocean

james

just vanilla droplets for now

Erik Osterman

Argo Tunnel | Secure Tunneling Software | Cloudflare

Ensure your server is safe, no matter where it’s running: public cloud, private cloud, Kubernetes cluster, or even a Mac mini under your TV with Argo Secure Tunnel.

Erik Osterman

Argo is pretty sweet. Doesn’t require k8s

Erik Osterman

You don’t need to expose your webservers at all

Erik Osterman

It creates an encrypted reverse tunnel out to CloudFlare

Erik Osterman

CloudFlare handles all certs

james

that does look very cool

james

the “contact us” pricing looks a bit scary

james

context: this is for our staging environment

james

funnily enough, we use ACM for production

james

ah prices are at the bottom of the page, just $5/month?

Erik Osterman

Though I think it requires business class

Erik Osterman

Which is 200

Erik Osterman

Not free/cheap

james

ah ok

james

FYI in case anyone is interested, this seems to work pretty well: https://certbot.eff.org

Certbot

Automatically enable HTTPS on your website with EFF’s Certbot, deploying Let’s Encrypt certificates.

Erik Osterman

thanks for reporting back!


2018-11-07

aknysh

CircleCI launches Orbs, a package manager for software delivery automation https://techcrunch.com/2018/11/07/circleci-launches-orbs-a-package-manager-for-software-delivery-automation/

CircleCI launches Orbs, a package manager for software delivery automation

DevOps platform CircleCI today announced a new partner program that will open up its platform and allow third-party tools to integrate with it. In addition, the company is launching Orbs, which it describes as “the world’s first package manager designed specifically for configuration of…

2018-09-04

siert
03:50:17 PM

@siert has joined the channel

2018-08-29

Raghu
03:05:07 PM

@Raghu has joined the channel

2018-08-28

It’s a bit of effort to get things like MFA/dynamic passwords pushed “down the stack”... but oddly enough you end up with less maintenance later if you can pull it off. Well worth the journey IMO.

Erik Osterman

yea, also with the new push-style notifications of Okta/Duo/Google, it doesn’t annoy me as much

Erik Osterman

I’d like to get push for AWS MFA

SAML is as close as I’ve gotten. Set your MFA there and use the SAML token to pass into AWS.

fall back to those horrid keys they sell for your root … cause … nothing else works

Erik Osterman

yea, those are the escape hatch

then for programmatic access I’ve become a Vault fan. Let users dynamically request temporary creds, and you can gate vault with MFA as well

so far used it with both Okta/Centrify. Not tried Duo

Erik Osterman

vault as in hashicorp vault?

Erik Osterman

cool

I keep forgetting there’s technically lots of vaults out there …

Erik Osterman

yea, and we’re big on using aws-vault (so for a second I was surprised to learn it supported Okta) - but we’re talking about another vault

Erik Osterman

yea, I’ve seen that feature of hashicorp’s vault

It’s nice. Hardest part becomes policy management … but it’s been solid on the stability front

Erik Osterman

we’ve just done a POC with Vault. All in all, liked it. It was pretty simple to set up. The security architecture too was pretty sweet (the “two man rule” for unlocking vaults)

Erik Osterman

but it scared me from an operational perspective (just from lack of experience with it) - what happens if all vaults get restarted

Erik Osterman

if you don’t automate the unsealing, that’s a forced outage

or pay for enterprise which can auto-unseal against an HSM

but yeah I hear you

Erik Osterman

so running vault under kubernetes, we automated the unsealing

Erik Osterman

but it felt “wrong”

Erik Osterman

I actually went full paranoid where I deployed it and did NOT use containers. It sat on instances built using Packer from the http://terratorm.io registry

was too concerned about a container reshuffle causing things to happen

but in general I don’t think it ever went down except when I messed up a health check so the proxy “thought” it was down (oops) … so I left the unseal manual

current place has “CyberArk” in place … its API is horrible. Just the worst

Erik Osterman

i am not familiar with cyberark

Erik Osterman

what’s that?

similar in concept to hashicorp vault or AWS-vault … but honestly I’m not impressed so far: https://www.cyberark.com/

CyberArk: Secure Privilege. Stop Attacks | cyberark.com

CyberArk is the only security software company focused on eliminating cyber threats using insider privileges to attack the heart of the enterprise.

it “feels” like old software, if that makes sense

2018-08-27

loweryr
03:12:17 PM

@loweryr has joined the channel

2018-07-30

johntellsall
04:53:50 PM

@johntellsall has joined the channel

2018-07-25

Arkadiy
02:50:03 PM

@Arkadiy has joined the channel

2018-07-20

aknysh
08:24:12 PM

@aknysh has joined the channel

2018-07-05

sarkis
06:31:15 PM

@sarkis has joined the channel

sarkis

reminder how important 2FA is these days …

Erik Osterman

yikes

2018-07-02

zerocoolback
05:10:37 AM

@zerocoolback has joined the channel

2018-06-21

Max Moon
10:53:35 PM

@Max Moon has joined the channel

2018-06-14

Jeremy Grodberg
09:38:12 PM

@Jeremy Grodberg has joined the channel

2018-06-13

Erik Osterman
12:28:41 AM

@Erik Osterman has joined the channel