CatOps – Telegram
DevOps and other issues by Yurii Rochniak (@grem1in) - SRE @ Preply && Maksym Vlasov (@MaxymVlasov) - Engineer @ Star. Opinions are our own.

We do not post ads including event announcements. Please, do not bother us with such requests!
Only 4 days left to get the Terraform - From Zero to Certified Professional course for free!

I think this is a great opportunity to familiarize yourself with Terraform or take a look at how things are done in the newer versions in case you're still using 0.11 for whatever reason.

#terraform #hashicorp #aws

Happy Independence Day, cats! 🇺🇦✌️
Policies as code is a powerful tool to test and validate your configuration.

And probably one of the most famous engines for policies as code is OPA aka Open Policy Agent.

The beautiful part of it is that it’s kind of platform agnostic, i.e. there are tools that implement OPA for different things. Therefore, OPA policies are usually not limited to a single application.

The hard part of OPA is that it uses the Rego language, which is not quite similar to the popular general purpose programming languages. If you paid attention to languages like Prolog at school, Rego might not be a big issue for you.

However, if you don’t remember those classes or didn’t have them at all (like myself, he-he), this article on how to get started with Rego might be helpful for you!

#opa #policy #security
Humble Bundle together with Pluralsight are sharing a bunch of Azure related courses.

As usual, you can pay at least $1 to unlock 4 courses or at least $25 for the whole bundle of 20 items. A part of the funds goes to charity as usual.

So, if you work with Azure, or you’re looking to switch to it, or you’re getting a job in a company that uses it, this bundle may be helpful to you.

#azure
One of the initial motivations behind CatOps was to have a public notebook. I was saving tons of links and articles at the time and wanted to share those with the community, but also have a way to search for materials in case I need to get back to something. With time CatOps has evolved into something bigger than that.

The Telegram channel perfectly serves the first purpose, but searchability is far from perfect.

That’s why I have created a Substack newsletter. I’ll try to make those newsletters weekly or bi-weekly. Although, I’m not committing to anything at the moment, let’s see how it goes.

There are two main purposes of this newsletter:
- Searchability
- Be a home for medium-sized posts

Emails are much better to search for things, in my opinion, moreover they’ll have more concentrated lists of things inside.

Also, sometimes I want to share thoughts that take a little bit more space than a readable Telegram post, but aren’t exactly a full blog post. Hopefully, Substack can become a home for such things.

So, feel free to subscribe to my new newsletter! If you’re not keen on it, no worries - Telegram is still the main place to share interesting links with y’all!
Here is a brief and neat comparison between External Secrets Operator and Secret Storage CSI for Kubernetes.

Both tools allow one to fetch secrets from an external storage like HashiCorp Vault. However, they work a little bit differently. While ESO creates a k8s secret based on the external one, SSC mounts a secret as a CSI volume.

You may ask, why use one of these if Banzai Bank Vaults exists? Well, not everyone uses HashiCorp Vault. Also, in case you have multiple secret storages (for whatever reason), one of these tools may be a good solution to reduce the footprint for secrets management.

#kubernetes #security
It's been a while since we had some practical materials here.

So, here's an article that helped me a lot today. It's about how to split outputs of a GitHub Actions step into an array that is suitable for a matrix property of a GHA job.

You see, the problem is that GHA doesn't have a native "split" functionality. So, you need a way to work around it. Moreover, that fromJson() function is important there, 'coz otherwise it doesn't work.

This could be useful if you need to run multiple jobs based on, for example, changed files. Also, here's a bonus article on how to get the changed files in GHA without 3rd party Actions.

P.S. Well... One can hate Jenkins until they need to write some more or less custom logic in a YAML-based CI.

#github #cicd
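
The matrix workaround described in the post above, as an added example that is not part of the original post or the linked articles: one step emits a JSON array as a string, and the dependent job parses it with fromJson(). The workflow, job, step and output names are assumptions.

```yaml
# Added example: hypothetical workflow; all names below are assumptions.
name: matrix-from-step-output
on:
  pull_request:

permissions:
  contents: read            # least privilege: the jobs only read the repository

jobs:
  detect:
    runs-on: ubuntu-latest
    outputs:
      dirs: ${{ steps.changed.outputs.dirs }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0    # full history, so the base commit is available to git diff
      - id: changed
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          # Top-level directories touched by the PR, one per line.
          # jq turns the lines into a compact JSON array, e.g. ["api","infra"].
          dirs=$(git diff --name-only "$BASE_SHA" HEAD \
            | awk -F/ 'NF > 1 { print $1 }' | sort -u \
            | jq -R -s -c 'split("\n") | map(select(length > 0))')
          echo "dirs=$dirs" >> "$GITHUB_OUTPUT"

  per-dir:
    needs: detect
    # An empty array is not a valid matrix, so skip the job when nothing changed.
    if: needs.detect.outputs.dirs != '[]'
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Step outputs are always strings; fromJson() parses the string into an array.
        dir: ${{ fromJson(needs.detect.outputs.dirs) }}
    steps:
      - uses: actions/checkout@v4
      - env:
          TARGET_DIR: ${{ matrix.dir }}   # passed via env, not interpolated into the script
        run: ls -la -- "$TARGET_DIR"
```

Passing the matrix value and the base SHA through `env` keeps expression values out of the script text, so a directory name with shell metacharacters is treated as data rather than as part of the command.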
While I’m working on some new material (also, I must admit that I didn’t read anything for the last few days), I can share with you some cool IT Ukrainian communities.

Today I want to share a Telegram chat about Linux: @linuzua

Also, I have a small list of Awesome Ukrainian IT communities on GitHub. So, if you own or know cool chats, Slack or Discord communities, websites, etc., feel free to add that there! Or you can leave those in the comments (I’ll leave the comments open for this post).

P.S. This is not a paid post. If you do any cool media-projects or blogs about DevOps in Ukraine - let me know! I’ll happily share those.

P.P.S. Important information for the Finanzamt of Berlin: I don’t get money from my Telegram channel, blog, and newsletter. Please, don’t ask me about these things.
This is pure Friday material, but I totally forgot about this one yesterday.

So, a systemd security patch broke DNS on Azure VMs on the 30th of August.

Here’s the bug report.

This only affected Ubuntu 18.04 version, which is extremely popular, TBH.

Well, shit happens. Yet, the worrisome part of this story is that according to The Register:

> Azure is recommending that Ubuntu 18.04 users disable automatic security updates for the time being.

#azure #security #dns
So, on Friday I told you that I’m working on something new and now I’m ready to drop yet another teaser!

In a nutshell, I’m going to write a series of articles on the basics of CLI applications in Go. A teaser or Part 0 of this series is already available on my blog!

There I talk about side projects and my motivation to write that tiny app as well as to start this series.

I will post new parts here as they appear. Also, you can subscribe to the CatOps newsletter to get a bi-weekly digest of what has happened here.

#go #programming #blog #oc
I don’t work with databases much lately. Moreover, I haven’t worked with MySQL/MariaDB for a long time. Thus, I am not 100% sure how useful this tool is, but I found it in a reliable source.

mariabak is a CLI for mysqldump that eases certain operations. So, you don’t have to pass multiple mysqldump commands for certain jobs.

#toolz #databases #mysql
Now, the Go ecosystem has a vulnerability checker in its toolset.

From the doc:

> The new govulncheck command is a low-noise, reliable way for Go users to learn about known vulnerabilities that may affect their projects. Govulncheck analyzes your codebase and only surfaces vulnerabilities that actually affect you, based on which functions in your code are transitively calling vulnerable functions.

Just keep in mind that you have to have Go version >= 1.18.

#go #programming
The Istio project has revealed its new architecture concept: an Ambient Mesh.

Basically, with this configuration they're moving away from sidecars in favor of a ztunnel (zero-trust tunnel) installed on the nodes and multiple waypoint proxies. You can find more details as well as the benefits of such architecture in the article.

This is not an all-in-one change, though. Istio still promises support for sidecar-based mesh, which means that two types of setup will co-exist with each other.

Also, keep in mind that the new Ambient Mesh is still in the rapid development phase. The article promises some early stable results in 2023.

This news came from our chat. If you have any interesting things to share, feel free to share those there!

#istio #kubernetes #networkin
The Grug Brained Developer

A layman's guide to thinking like the self-aware smol brained.

#culture
An amazing book collection on Humble Bundle this time!

For the next 20 days you can buy books about Linux by No Starch Press, including the famous “The Linux Programming Interface” and “How Linux Works. What Every Superuser Should Know”.

I’ve been relying a lot on the second one in the early days of my career and this is still the book I recommend to everyone who wants to start using Linux systems.

As always, you can pay different amounts of money to unlock different numbers of books, but obviously you have to pay the highest stake (€40) to get the two books I mentioned.

#books
CatOps Voice chats on Thursdays aka “Говорилка CatOps” are back!

And I’d like to make this comeback a little bit special. Therefore, next Thursday, the 22nd of September, we are having a special edition of our voice chat with a recording.

We’ll speak with Oleks Maistrenko - a co-host of the famous DOU Podcast and a host of its chapter dedicated to engineering management.

We will talk about engineering management, DevOps, and other stuff. You can also ask your question in Slido and, of course, you’re more than welcome to join us live on the 22nd of September at 20:00 (Kyiv time) in the CatOps Chat!

~See~ hear you there!

#говорилка
Uber apparently has been hacked.

There are not many details in the mainstream tech press, and there’s no official write-up yet, only a tweet about the incident.

However, here’s an interesting Twitter thread about the scope of the attack (the scope is huge!).

If you prefer a web page view, here’s the same thread via the Unroll app.

The key takeaways from that thread:
- Rely on MFA protected from phishing such as hardware keys
- Pay as much attention to your internal network as to the public facing interfaces

#security
IAM Policy Validator for Terraform can validate your IAM policies written in Terraform against best practices.

It uses AWS IAM Access Analyzer; therefore, you need to grant it the respective permissions to access this service. On the good side, unlike isolated tools, you don’t have to rely on the tool’s developers to update the validation policies. Everything comes from AWS itself.

#aws #terraform