#random (2021-10)

Non-work banter and water cooler conversation

A place for non-work-related flimflam, faffing, hodge-podge or jibber-jabber you’d prefer to keep out of more focused work-related channels.

Archive: https://archive.sweetops.com/random/

2021-10-04

David avatar

Has anyone used Hashicorp Boundary in place of a traditional VPN? It looks pretty nifty, but I would love to hear some experiences from people who have used it before

David avatar

My main question is:

• From a day-to-day perspective of the developers at my company, how annoying is it to use compared to other VPN software? But any other thoughts are welcome.

Jonathon Canada avatar
Jonathon Canada

@Ben Arent

Jonathon Canada avatar
Jonathon Canada

Hi @David. The feedback I’ve heard about Boundary is that it’s not quite a full product yet. Two other companies to look at are StrongDM and Teleport. If you want something open source then check out Teleport: https://github.com/gravitational/teleport. In full disclosure, I work for Teleport.


David avatar

Thank you!

Jake Lundberg (HashiCorp) avatar
Jake Lundberg (HashiCorp)

It’s hard to say whether Boundary is a full solution for someone without knowing the requirements. @David, could you describe what your developers need to do? Are there specific constraints?

As a bit of history, Boundary was initially supposed to be an extension to Vault, but as the design fleshed out, it made sense to make it its own product. So things like certificates and secrets require an integration with Vault (or something else), but those capabilities exist and the integrations are real.

All that said, it is a new product that’s been out for around a year now, so it’s possible it’s missing a requirement you have at this point.

David avatar

@Jake Lundberg (HashiCorp) We have two main use cases:

• Protect internal-only sites (dev/staging sites). Right now we use public DNS for these, but with AWS Cognito protecting them. It would be nice to use private DNS and expose them through Boundary if possible.

• We are setting up a Hashicorp Vault cluster in all envs, and right now in our testing it is on public DNS. Ideally, I would want to force our devs to use something like Boundary to connect to Vault.

Jake Lundberg (HashiCorp) avatar
Jake Lundberg (HashiCorp)

What kind of authentication are you using? (LDAP/AD, Okta, Auth0)?

David avatar

AWS IAM auth to Vault right now

David avatar

We are looking at Okta in the future

Jake Lundberg (HashiCorp) avatar
Jake Lundberg (HashiCorp)

Boundary doesn’t currently have an IAM auth method. It looks like generic OIDC is the main method, with examples of Auth0, Okta and Azure AD as providers. You could use any OIDC provider though, you’d just have to set up the Boundary application on your own.

Jake Lundberg (HashiCorp) avatar
Jake Lundberg (HashiCorp)

There is a basic username/password auth method, but I wouldn’t use that outside of admin functions or concept testing.

Jake Lundberg (HashiCorp) avatar
Jake Lundberg (HashiCorp)

Do your users login to Vault using IAM credentials?

David avatar

Yeah, almost all Vault communication is done via the CLI/SDK, so in general it works pretty well. vault print token | pbcopy is used when we want UI access.

Jake Lundberg (HashiCorp) avatar
Jake Lundberg (HashiCorp)

I see. Hrm, well, for now that won’t work, but if you have Okta (or other OIDC) soon, you can use it. There will be other auth methods, though I’m not sure AWS IAM will be one in the short term.

I haven’t seen anyone actually use Boundary to connect to Vault, but I can’t see a reason this wouldn’t work. You could configure any credential store/library integration with Vault, so you could feasibly just use OIDC to authenticate to Boundary and have Vault return a token scoped for that particular user/group. This would be transparent to the user though: they wouldn’t actually see the Vault token, they’d just get a connection via Boundary.

David avatar

That would be nice. And that token would refresh as long as the user was connected to Boundary?

Jake Lundberg (HashiCorp) avatar
Jake Lundberg (HashiCorp)

Yes, Boundary manages the credentials used to connect to any endpoints and stores them for the user. You can do interesting things like dynamic database credentials as well. So Vault would create temporary U/P for the target database and Boundary would connect using those credentials. The intent is that the user shouldn’t even know network or secret details for the connection.

Jake Lundberg (HashiCorp) avatar
Jake Lundberg (HashiCorp)

Connection pooling probably isn’t an issue here as these are user connections.

David avatar

Great, thanks!

Jake Lundberg (HashiCorp) avatar
Jake Lundberg (HashiCorp)

Warning: The documentation still has a long way to go. I found the following link helpful:

https://learn.hashicorp.com/collections/boundary/configuration


Jake Lundberg (HashiCorp) avatar
Jake Lundberg (HashiCorp)

It took me a bit to actually find HOW to configure the auth methods.

2021-10-05

pjaudiomv avatar
pjaudiomv

Yubico finally released the Bio, only two years from the initial announcement: https://www.yubico.com/product/yubikey-c-bio/ I won’t be able to use stolen YubiKeys any more with this, I have to steal the finger now too

2021-10-11

Mohammed Yahya avatar
Mohammed Yahya

Stack Overflow Developer Survey 2021

In May 2021 over 80,000 developers told us how they learn and level up, which tools they’re using, and what they want.

Mohammed Yahya avatar
Mohammed Yahya

@Erik Osterman (Cloud Posse) I would love to see this in office hours, where we can get some feedback about the results from the gang there.

Mohammed Yahya avatar
Mohammed Yahya

For example, AWS trends and DevOps; also Terraform is among the popular options.

Zach avatar

what specifically did you find interesting in this one?

2021-10-19

Marwan Nabil avatar
Marwan Nabil

Does anyone know how I can get a SweetOps t-shirt/hoodie? I see the merch page only contains mugs and laptop stickers.

2021-10-20

Andy avatar

Hi, has anyone tried the new Apple M1? Any noticeable problems or applications that don’t work?

Andy avatar

It looks like VirtualBox isn’t supported yet

toast-gear avatar
toast-gear

I got one issued for work, not worth it atm imo

toast-gear avatar
toast-gear

Just had qemu-system-aarch64 eat 4 GB of RAM and crash everything; had to restart to fix. Not everything plays nice with the emulation, having 2 terminals is a pain in the arse, etc.

toast-gear avatar
toast-gear

I don’t really see what the big win is with M1 over an Intel-based Mac; I didn’t find the Intel-based Mac slow.

Andy avatar

Why are 2 terminals needed?

toast-gear avatar
toast-gear

Haven’t needed to use both, but it’s just another minor annoying thing to have to deal with, ensuring the Rosetta terminal is used. I’m yet to see what the gain is exactly in shifting to M1.

toast-gear avatar
toast-gear

I haven’t managed to get minikube to work on it with brew, kind works so at least there is an alternative.

toast-gear avatar
toast-gear

So far it’s just a list of minor drawbacks for, as far as I can tell, no real gain. None of it has been a showstopper so far and I’m sure support will get better with time, etc.

Stephen Tan avatar
Stephen Tan

The M1 allows me to work all day without plugging into power. It’s what I’ve been wanting for 20 years.

Stephen Tan avatar
Stephen Tan

The only thing that doesn’t work is VirtualBox (and probably never will). Parallels does work though. There is a Vagrant provider for Parallels, but it requires you to use the Business version or something.

toast-gear avatar
toast-gear

"the M1 allows me to work all day without plugging into power. It’s what I’ve been wanting for 20 years"

I guess I just don’t have a need for this? I am never without any kind of plug for 8-10 hours. It’s certainly an improvement, don’t get me wrong, it just doesn’t really add much value for me at least.

Stephen Tan avatar
Stephen Tan

Sure, understood!

Stephen Tan avatar
Stephen Tan

Use cases vary, of course.

toast-gear avatar
toast-gear

Totally! It’s definitely an improvement and it could be a deal breaker for someone else!

RB avatar

cloudposse/geodesic won’t work on M1 yet, but there is an open issue on it to implement it.

Scott Mathson avatar
Scott Mathson

Have an M1 MBP on order to try out, and our use case is very VM heavy, so I’m interested to see how it all performs.

2021-10-28

David avatar

I would like to create an internal course (up to a month of content) for onboarding new developers. What would be a good platform for something like this that is internal to a company?

GitHub Learning Labs look promising, but the support surrounding them is suspect.

managedkaos avatar
managedkaos

You might think about using Katacoda for preconfigured environments along with the course content. It’s all/mostly Markdown from what I understand. https://www.katacoda.com/create

You could combine that with an internally accessible video platform if you want to put video along with the text and compute environments.

Otherwise, look into a self-hosted learning management system: https://medevel.com/14-learning-management-systems-lms/

Aris Darmawan avatar
Aris Darmawan

I think teachable.com is good to try.

David avatar

I ended up creating an internal codelab site (https://github.com/googlecodelabs/tools) with around 20 codelabs, and then made a few Notion documents with a calendar for which codelabs/other resources should be done on each day. It went well.

2021-10-29

Phillip Hocking avatar
Phillip Hocking

Oh hey @Erik Osterman (Cloud Posse), I just sent you a LinkedIn message, but figured I would ping on Slack as well. Folks on my team at HashiCorp are looking for a DevOps practice to refer out to. I’m not a decision-maker/authorized to represent the org I work for, but I’m more than willing to make introductions and put y’all’s name in the hat if you are experienced with the particulars of Consul deployments.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Thanks @Phillip Hocking! I’ll reach out to you with a DM.