Nexteam is sponsoring this newsletter. Please tell your friends and colleagues about this publication. Thank you.
Nomad Cluster Setup
A very good Terraform project to deploy Nomad on AWS.
https://github.com/zerodha/nomad-cluster-setup
Trunk-based development
If you are involved in delivery, trunk-based development is a very good practice for collaborating on a project that uses Git.
https://www.atlassian.com/continuous-delivery/continuous-integration/trunk-based-development
https://trunkbaseddevelopment.com/
https://www.toptal.com/software/trunk-based-development-git-flow
(Im)mutable Infrastructure and Terraform
The article explores the concept of immutable infrastructure in the context of Terraform, a tool for provisioning infrastructure. The author, Migara, emphasizes that mutable infrastructure, where updates and changes are made on existing servers, can lead to inconsistent states and potential failures due to configuration drift over time. In contrast, immutable infrastructure, where new servers are provisioned for each update and old ones are discarded, offers consistency and reliability, reducing the risks associated with changes and updates. Terraform, with its declarative approach to infrastructure as code, aligns well with the principles of immutable infrastructure, enabling efficient and reliable infrastructure management.
https://medium.com/@migara/im-mutable-infrastructure-and-terraform-f50e78de0912
Avoid resource sprawling using dynamic credential templating in Hashicorp Boundary
Akshay Sahni discusses using dynamic credential templating to avoid resource sprawling in IT infrastructures. Sahni suggests leveraging HashiCorp's Vault, a tool that provides secret management and data protection, with Terraform for automated and secure credential management. The article provides a step-by-step guide on how to configure dynamic secrets in Vault and how to use them in Terraform. This method can mitigate the risks associated with hardcoding credentials, improve operational efficiency, and reduce resource sprawl.
https://www.linkedin.com/pulse/avoid-resource-sprawling-using-dynamic-credential-templating-sahni/
Remove AWS Control Tower
Teri talks about the issues she found with AWS Control Tower. In my current project, we created AWS accounts with Terraform and it works very well.
https://medium.com/cloud-security/remove-aws-control-tower-3375e1a6685a
An AWS IAM Wishlist
The blog post on ZeusCloud outlines a wishlist for AWS Identity and Access Management (IAM), highlighting areas where the service could potentially improve. Key suggestions include clearer documentation, better UI for policy editing, simplified handling of IAM roles, and improvements to the AWS CLI and SDK for IAM. The author also mentions the need for a testing framework to ensure policy changes do not lead to accidental permissions or security breaches. The wishlist aims to make IAM more accessible and efficient for users while enhancing its security features.
https://www.zeuscloud.io/post/an-aws-iam-wishlist
Haskell in Production: CollegeVine
Haskell is in production at CollegeVine, an education technology startup. CollegeVine credits Haskell for the startup's ability to quickly iterate and scale their product with a small engineering team. The strong static typing and emphasis on pure functions in Haskell contribute to high-quality code that's easier to maintain and refactor, leading to improved productivity. Potential challenges, such as a steep learning curve and a limited hiring pool, are addressed through thoughtful onboarding and training. The post affirms Haskell as a viable choice for startups seeking efficient and reliable software development.
https://serokell.io/blog/haskell-in-production-collegevine
Implement DNS on a weekend
Learn how to implement a DNS resolver.
https://implement-dns.wizardzines.com/
Build a Grep CLI App in Rust
https://developerlife.com/2022/03/02/rust-grep-cli-app/
Aetonix S3 incident
https://aetonix.com/incident/media-statement/
Google passkeys are a no-brainer. You’ve turned them on, right?
Ars Technica discusses the new passwordless feature of Google accounts. Google has implemented a system that relies on device-based authentication methods instead of traditional passwords, aiming to both improve security and user convenience. These methods may include biometric verification (like fingerprints or facial recognition) or a physical security key. The passwordless system mitigates common security risks such as weak password usage and susceptibility to phishing attacks. It also provides an easier login experience for users by reducing the need to remember multiple complex passwords. Google believes this innovation brings them a step closer to a more secure and user-friendly internet.
New release: ansible-core 2.15.0 - Ten Years Gone
https://groups.google.com/g/ansible-announce/c/JvWWMWDF5AU
How We Detect Anomalies In Our AWS Infrastructure (And Have Peaceful Nights)
https://bytewax.io/blog/aws-anomaly-detection
AWS Lambda Adopts Java 17
https://www.i-programmer.info/news/80-java/16302-aws-lambda-adopts-java-17.html
How Instacart Ads Modularized Data Pipelines With Lakehouse Architecture and Spark
Enterprise Data Platform @ Compass
This post discusses the implementation and benefits of Compass's enterprise data platform. It explains how Compass has structured its data ecosystem to enable rapid scalability and the delivery of high-quality products. The platform is built with a layered architecture consisting of a raw data layer, a unified data layer, and a business data layer. It uses Apache Kafka for real-time data streaming, Airflow for workflow management, and Amazon Redshift for data warehousing. The platform helps Compass manage vast amounts of data efficiently, fosters collaboration between different teams, and supports robust data analysis and business decision-making.
https://medium.com/compass-true-north/enterprise-data-platform-compass-4f96eeec1894
Automate your network configuration with Consul-Terraform-Sync
If you are using only Ansible for network automation, you should know that there is an alternative: HashiCorp's Network Infrastructure Automation. With Consul-Terraform-Sync, it is possible to react to events in the Consul service catalog and run runbooks made of Terraform modules and resources. One example is reacting to a service change by updating a firewall configuration.
And this is a specific tutorial for Palo Alto Networks:
Having fun with seccomp profiles on the edge
The blog post titled "Seccomp Profiles: The Edge of Enhanced Container Security" was published on the Kubernetes.io blog on May 18, 2023. The post discusses the concept of Seccomp profiles and their role in enhancing container security in Kubernetes environments.
Seccomp, short for secure computing mode, is a Linux kernel feature that allows fine-grained control over system calls made by a process. Seccomp profiles provide a way to restrict the system calls that a container can make, which helps to reduce the attack surface and improve security.
The blog post highlights the introduction of a new feature in Kubernetes called Seccomp Profiles, which allows users to specify and enforce custom Seccomp profiles for containers running in Kubernetes clusters. It explains how this feature can be used to further enhance the security of containerized workloads by restricting the system calls that containers are allowed to make.
The post also discusses the benefits of using Seccomp profiles, such as reducing the risk of container escape attacks and limiting the impact of container vulnerabilities. It provides examples and guidelines on how to create and apply custom Seccomp profiles in Kubernetes.
Overall, the blog post aims to raise awareness about the importance of Seccomp profiles in container security and provides insights into leveraging this feature in Kubernetes environments to strengthen the security posture of containerized applications.
https://kubernetes.io/blog/2023/05/18/seccomp-profiles-edge/
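As an added illustration of what such a profile looks like (constructed for this newsletter, not taken from the Kubernetes post): a seccomp profile in the JSON format the kubelet loads from its seccomp root directory. It logs every system call by default, the audit mode you use to collect the allowlist a workload really needs, and returns EPERM (errno 1) for a set of syscalls an ordinary application container has no reason to make, such as mounting filesystems, loading kernel modules, tracing other processes or creating new namespaces.

```json
{
  "defaultAction": "SCMP_ACT_LOG",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32",
    "SCMP_ARCH_AARCH64"
  ],
  "syscalls": [
    {
      "names": [
        "mount",
        "umount2",
        "pivot_root",
        "ptrace",
        "unshare",
        "setns",
        "init_module",
        "finit_module",
        "delete_module",
        "kexec_load",
        "kexec_file_load",
        "reboot",
        "swapon",
        "swapoff",
        "add_key",
        "request_key",
        "keyctl",
        "bpf",
        "perf_event_open",
        "open_by_handle_at",
        "userfaultfd",
        "acct",
        "settimeofday",
        "clock_settime"
      ],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1
    }
  ]
}
```

Place the file under the kubelet's seccomp root (by default /var/lib/kubelet/seccomp/) on every node, for example as profiles/audit-deny.json (an assumed filename), and reference it from the Pod or container securityContext with seccompProfile.type set to Localhost and localhostProfile set to that relative path. Calls hitting the default SCMP_ACT_LOG action show up in the kernel log (dmesg or the audit log), which is what you review before tightening defaultAction to SCMP_ACT_ERRNO with an explicit allowlist.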
Kubernetes 1.27: KMS V2 Moves to Beta
The post discusses the release of version 2 of Key Management Service (KMS) for Kubernetes, which has now moved to the beta stage.
KMS is a critical component in managing encryption keys for securing sensitive data in Kubernetes clusters. It provides the ability to encrypt and decrypt data at rest and in transit within a Kubernetes environment.
The blog post introduces the key features and improvements introduced in KMS V2, which aim to simplify key management in Kubernetes. It highlights the use of the Key Management CRD (Custom Resource Definition) as a standardized way to define and manage encryption keys in a Kubernetes-native manner.
The post explains how KMS V2 offers enhanced capabilities, such as increased flexibility in key rotation, improved key access control, and support for multiple key providers. It also discusses the importance of secure key storage and provides guidance on integrating KMS with existing key management solutions.
By moving to the beta stage, KMS V2 is now considered more stable and ready for broader adoption. The blog post encourages users to try out KMS V2 in their Kubernetes clusters and provides links to relevant documentation and resources.
Overall, the blog post highlights the advancements in KMS V2, which aims to simplify key management in Kubernetes and invites users to explore and provide feedback on this new version to further improve its capabilities.
https://kubernetes.io/blog/2023/05/16/kms-v2-moves-to-beta/
Docker vs Snaps: a side-by-side comparison
https://ubuntu.com//blog/docker-vs-snaps-a-side-by-side-comparison
Updated Debian 11: 11.7 released
https://www.debian.org/News/2023/20230429
cron(8) now supports random ranges with steps
https://undeadly.org/cgi?action=article;sid=20230507122935
Ubuntu 6096-1: Linux kernel vulnerabilities
https://linuxsecurity.com/advisories/ubuntu/ubuntu-6096-1-linux-kernel-vulnerabilities-urunrvhdlu9i
Is Github Alive
A discussion on a tool called IsGitHubLive, which enables real-time monitoring of the GitHub service status.
IsGitHubLive provides an easy-to-use web interface that displays the current status of various GitHub services and features, such as repository operations, issues, pull requests, and more. It allows users to quickly check if there are any ongoing incidents or disruptions impacting GitHub's functionality.
The motivation behind creating IsGitHubLive is the need for developers and GitHub users to stay informed about service status, especially during critical development and collaboration activities.
IsGitHubLive utilizes the GitHub Status API, which provides real-time updates on the operational status of GitHub services. The tool periodically fetches and displays the status information, allowing users to monitor the health of GitHub services at a glance.
The post also covers the features of IsGitHubLive, including the ability to filter and search for specific services, view historical status updates, and subscribe to notifications for changes in service status.
https://oschvr.com/posts/isgithublive/
Newsletter sponsor: Nexteam
Technology, Experience, Delivered.
Thanks for reading Infra Weekly Newsletter! Subscribe for free to receive new posts and support my work.