|
New Yorp New Yorp posted:What's the pattern for handling provider versioning within Terraform modules?
|
# ¿ Jan 25, 2024 23:32 |
|
|
# ¿ May 15, 2024 21:41 |
|
The problem with most of the managed services in most major clouds is that aside from opaque repackaging of other services, most of what they give you aren't fully-baked products. They're building blocks with few opinions, which are great when you're trying to construct business processes, and absolutely awful when you're trying to build humane user experiences for your developers. The most valuable products are still the things that could have come from a 2004-era Google paper: S3, DynamoDB, anything you build for intentionally that lets you forget about scale. Once you get cross-cutting concerns like backup and data retention involved, every other product manages to somehow make scaling harder just by existing. This isn't a feather in the cap of on-prem in any way; it's more saying that cloud fails to add value more than it actually does it. FISHMANPET posted:Meanwhile the new place is a young tech company where I think the biggest benefit of the cloud early on was that they could start without a huge upfront investment. And now they're cloud native and also world wide and but still a relatively small compute foot print, and that just won't ever make sense to go physical. Vulture Culture fucked around with this message at 14:29 on Jan 26, 2024 |
# ¿ Jan 26, 2024 14:23 |
|
Resdfru posted:Not discounting what you're saying but wanted to point out that aws orgs and control tower can make 'do thing in a bunch of accounts' pretty quick and easy Micro accounts are containers for data planes, and if you're trying to manage containers using Puppet or something, you're obviously missing some benefits out of that approach. e: I'll give 12 rats that Amazon's underinvestment in Resource Access Manager is also an obnoxious complication Vulture Culture fucked around with this message at 22:10 on Jan 27, 2024 |
# ¿ Jan 27, 2024 22:04 |
|
I made this for a slide deck so now I have to subject you to it also
|
# ¿ Jan 30, 2024 19:43 |
|
The Fool posted:the issue is that there are actually a million different ways to do this. From rolling a web app with an api shim, to config files in a repo, to forms being submitted to a webhook.
|
# ¿ Jan 30, 2024 19:46 |
|
Applications have dependencies and it's managing the entire stack of dependencies that makes this a hard problem, not making a single leaf route invoke the right thing In simpler times, most of those dependencies were configurations and libraries and code modules, now they're mostly living organisms, tardigrades floating in clouds
|
# ¿ Jan 30, 2024 22:09 |
|
There's also a major education issue in the poorer and less medically serviced parts of the world, where you have this horrendous combination of live virus vaccines and people who don't get their full course of immunizations. So you end up with places like rural India where there are minor outbreaks due to vaccine-derived polio strains—something not rare in immunocompromised people but where it won't spread through communities—and it creates this perfect shitstorm. What doesn't help our chances in the US is that we see dead diseases popping up in the same communities over and over, and they happen to be ones where large crowds of almost universally unvaccinated people get together for large ceremonies and observances. Though, I guess that's going to be common in the political religions too in a generation. Vulture Culture fucked around with this message at 14:16 on Jan 31, 2024 |
# ¿ Jan 31, 2024 14:13 |
|
The Fool posted:I think there's room for profitable companies in this space, but Hashicorp (and others) keep making pants on head stupid decisions for investor story time. No-one wants to make a "reliable product or service that makes a little bit of money consistently"
|
# ¿ Feb 7, 2024 14:06 |
|
Hadlock posted:I'm not super happy with ArgoCD but I'm too far along the implementation path to back out and switch to flux because I need to get this delivered
|
# ¿ Feb 8, 2024 20:02 |
|
e: nm, this thread already talked about the Weaveworks shutdown
|
# ¿ Feb 8, 2024 20:04 |
|
I mean, if races don't matter, the easiest option is to run some privileged DaemonSets that set your sysctls how you need them. If races do matter, you can still use this approach, you just need to set taints on your nodes and have the DaemonSets clear the taints when they're done with a first run
|
# ¿ Feb 8, 2024 20:16 |
|
FISHMANPET posted:Today I learned that all our AWS infra is built with Ansible. Which is obviously possible, because they've done it, but holy moly is it a mindfuck trying to actually figure out how anything is put together.
|
# ¿ Feb 10, 2024 15:02 |
|
Hadlock posted:How do you approach cloudfront distributions with IaC for k8s. I guess our front end gets compiled to a stack of files on S3 served via cloudfront
|
# ¿ Feb 20, 2024 13:50 |
|
How are y'all working around AWS's design decision of RAM-shared resources not having any tags visible in other accounts?
|
# ¿ Feb 21, 2024 16:59 |
|
Docjowles posted:We went the route of many microsegmented accounts for better and worse. Whether an account is dev/stage/prod and who owns it and so on are known simply by some metadata on the account itself. So we have not found being militant about tagging to be useful at all. Instead we have many other problems
|
# ¿ Feb 21, 2024 23:57 |
|
The main security benefit of micro-segmentation is that you consistently get to use managed IAM policies, rather than rewriting them all into tag-based policies that fail open if you leave out a condition. It's up to you what kind of benefit that confers. For any migration to go smoothly you're probably going to find yourself adopting zero-trust (VPC Lattice or some other service mesh, OIDC federation out of all your managed platforms, etc.), at which point there's actually less benefit still on the table for all the remaining parts of the migration. Put another way: micro-segmentation is a killer feature for pure-play AWS, but the more of this functionality you have rolled into high-level abstractions through an internal developer platform or portal, the less useful it's going to be to you. I view it as pretty similar to containerization: there are some apps that adapt really well into a native container orchestration world, and some legacy/enterprise apps that are best left for now as fat containers that mix too many concerns. The goal is to minimize the number of changes moving each piece of your larger system into a new account/VPC environment, because doing the opposite usually goes poorly unless you have central ops doing all the lift-and-shift work. Vulture Culture fucked around with this message at 17:48 on Feb 23, 2024 |
# ¿ Feb 23, 2024 17:42 |
|
Hadlock posted:So I ran across a blog post the other day that had an interesting term, "reference architecture" specific to platform architecture/DevOps and that's sent me deep down a philosophical rabbit hole. I've really been struggling to find/define "best practices" or "state of the art" I think it's loosely defined as "containers using git ops and iac"
|
# ¿ Feb 26, 2024 15:49 |
|
It sounds like it's just NLP-enhanced search results, nothing more or less
|
# ¿ Feb 28, 2024 15:43 |
|
There's basically no benefit. Containers make deployment faster, which you don't often want to do with a database until you reach a certain level of sharding. Deploying quickly, even to track patch releases, comes with its own drawbacks: restarting a database flushes the in-memory cache, and your performance probably suffers from cold starts. Container tech has gotten a lot better in the last decade, but there's still overhead. The one place in your stack you might really need to max your vertical scale is probably the worst spot for it, especially if you're licensing your database tech by the CPU. It's not like this type of isolation confers many advantages on a system that isn't running multiple workloads in the first place.
|
# ¿ Mar 4, 2024 13:49 |
|
necrobobsledder posted:Anything that's everyone's responsibility quickly becomes in practice nobody's responsibility nor accountability
|
# ¿ Mar 6, 2024 20:22 |
|
A ton of companies are just building Microservice Jenga at this point, and the next big-paying job is just going to be fixing that
|
# ¿ Mar 7, 2024 20:13 |
|
Docjowles posted:What the actual gently caress, did these guys walk out of a portal from 2005 lol. That's about the last time I encountered FTPing code to "the server" as a deployment strategy
|
# ¿ Mar 8, 2024 20:08 |
|
Yeah, this is a really sensible approach. A lot of service and platform designs fail to consider who is going to be making what kind of changes to the software at what pace, so we end up making precisely the wrong decisions. Core business logic gets broken into dozens and dozens of tiny independently-shipped parts that are substantially harder to change and test for people who are close to, but not on, the owning team. At the same time, we're continuing to build a lot of the central platforms that run the business as monoliths, when there's absolutely no benefit to doing so because the people making contributions are coming from everywhere, and nobody has any context about the system anyway.
|
# ¿ Mar 11, 2024 18:40 |
|
Something else to remember about Conway's Law is that it's really mentally tempting to simplify that organizational design into a reporting structure org chart, but the question who's doing the work? goes far beyond the nominal conversations about ownership that people like to start from.
|
# ¿ Mar 12, 2024 15:00 |
|
NihilCredo posted:https://resume.ingy.net/ CPAN? More like CPEP
|
# ¿ Mar 13, 2024 15:01 |
|
LochNessMonster posted:Probably something like not having to deal with this. TBH, a big part of the problem with interpolating vs. not interpolating variables is that people don't pay attention to at what point they've stopped providing variables to things and have started dynamically generating code, as though landing in this place is the fault is variable interpolation somehow. Don't do that. There's a hundred ways not to do that. Provide things that need interpolation as inputs to your shell script, or export them as environment variables. Have your Jenkinsfile be Jenkins code and have your shell scripts be shell scripts. I heartily recommend folks don't generate shell scripts and get annoyed about how hard this obviously hard problem is Vulture Culture fucked around with this message at 14:50 on Mar 18, 2024 |
# ¿ Mar 18, 2024 14:44 |
|
my homie dhall posted:the problem jenkins is solving for everyone is centralized job scheduling, orchestration, code reuse, testable pipelines/components, custom plugins, etc.
|
# ¿ Mar 18, 2024 17:27 |
|
my homie dhall posted:I agree, but what platform is doing all of them better? I don't know that GitHub Actions or GitLab CI do "run thing at time" better, but gently caress, at least they have working access control.
|
# ¿ Mar 19, 2024 14:20 |
|
Hadlock posted:Deployments are plenty enough organizational division in 85% of cases
|
# ¿ Mar 20, 2024 12:11 |
|
George Wright posted:If you’re handling PII or you’ve got a reliable, well used, integrated, and supported PKI, then you should terminate at the pod. Otherwise it’s easier to terminate at the LB and let your cloud provider deal with certs.
|
# ¿ Apr 1, 2024 13:47 |
|
neosloth posted:We tried to run istio and it caused a bunch of outages and upgrade headaches with no tangible benefit. It sounds cool tho I'm again going to say that if your host offers VPC Lattice or something like it, and you aren't either using it or trying to get it adopted, it's out of stubbornness and not because you're looking out for your users
|
# ¿ Apr 1, 2024 13:49 |
|
If you live in the US, continue all your open interview loops until you have a signed letter with a start date. In America, even a signed letter isn't a guarantee that you're going to work a single day on the job.
|
# ¿ Apr 1, 2024 18:48 |
|
The Iron Rose posted:Architecture is critically important but it shouldn’t be considered a separate job or role, it should be something all engineers do as and when it’s required of them. Architecture without skin in the game leads to bad advice, no accountability, and worse relationships between teams. I do not believe it is a skillset you can divorce from engineering implementation. Architecture functions often work more like product functions than engineering ones: there's a hundred ways to do it, and until you get someone in the org who's showstopper good and sets the bar for everyone else, it's going to tread water. Getting incentives right matters for an org that's actually moving in a coherent direction, but you should rely on emergence until you see someone succeed vibrantly. I've seen architects with local "skin in the game" flounder and fail to set their own local priorities effectively, and I've seen architects with great product, project, or program management skills really flourish despite having none. It's all circumstantial. Vulture Culture fucked around with this message at 18:53 on Apr 2, 2024 |
# ¿ Apr 2, 2024 17:01 |
|
The Iron Rose posted:How do yall handle caching authentication tokens between multiple pods/processes/etc? Current practice is to just toss a 5min TTL JWT into the cluster local redis so the authentication service doesn’t get swamped with requests. This cluster runs probably 30k pods every day that need a half dozen tokens from a half dozen services each, and we get hella rate limited by everything to MS’ management plane to our own internal keycloak auth endpoints if we don’t leverage a shared token cache. Throwing the token in redis doesn’t feel especially secure, but it does sure reduce the number of 429s we get!
In this configuration, you might hit a bottleneck if you're cold-starting your whole system, but in general, your IdP should be able to scale to basically a limitless number of token refreshes without much CPU effort beyond cryptographically signing the JWTs on refresh. Secrets management, where you're exchanging your application identity for a credential to a different system/application, is another ballgame.
|
# ¿ Apr 23, 2024 19:52 |
|
madmatt112 posted:Does anyone have a link/resource about why Broadcom is such a widely vilified company? The only thing I know them for is like mobile chips or the like. Did they do something specific with a software company that I’m not aware of? https://www.crn.com/news/virtualization/2024/broadcom-tells-partner-negotiating-for-charity-vmware-is-not-for-everybody
|
# ¿ Apr 24, 2024 16:14 |
|
Hadlock posted:Developers want better visibility into their build and deploy process (of course, for good reason) most of this happens either in GitHub actions, or ArgoCD This is more or less how Datadog's CI/CD monitoring product handles it, anyway, just with a pretty bow on it
|
# ¿ Apr 24, 2024 19:48 |
|
And it's official https://www.hashicorp.com/blog/hashicorp-joins-ibm
|
# ¿ Apr 25, 2024 01:11 |
|
Cyril Sneer posted:Hiya, I'm setting up a little vanity web server on my own hardware (a lower-end mini PC). Separately from this I have my development machine. I'm trying to put together my own little cutesy ci/cd workflow but need some (a lot) of guidance. I'm comfortable with git but not much beyond that. Generally, you have somewhere to host your artifacts. This might be something like Docker Hub, GitHub, or GitLab's container registries. You build somewhere, you push to a central location. Then you have your deployment target initiate an image pull from that repository and launch the container. You can use something like Ansible to initiate that image pull and container creation over an SSH connection without needing to install any agents or other dependencies on the server. You can run a database service in a container too, but you generally don't want this to be in the same container as your app. You want one container for each service, one container for your database, and you want to network them together. (It will be fast, like connecting to localhost over TCP, because in a single-host configuration your traffic will never leave the host.) And make sure you mount a data volume into your DB container, otherwise you'll be deleting all your data every time you restart the database! Performance hit from Docker should be really negligible, if your host is already running Linux. If you're running Docker Desktop under Windows or macOS on the mini PC you're using as a deployment target, things get a lot more complicated for you.
|
# ¿ Apr 26, 2024 14:06 |
|
The Fool posted:our terraform enterprise license agreement is up next year and management is freaking out about how ibm might make changes
|
# ¿ Apr 27, 2024 18:56 |
|
|
# ¿ May 15, 2024 21:41 |
|
Hadlock posted:"Might"
|
# ¿ Apr 27, 2024 18:57 |