Explain how I manage external tools with chezmoi behind a corporate proxy using kerberos| Wyssmann Engineering
A quick introduction to Nix and NixOS to show how amazing it is.
Improve ArgoCD config saving environment configurations on their own files
All of a sudden Terraform secrets with SOPS and Azure Key Vault do not work anymore, and you will get an error when trying to decrypt: sops --decrypt ./secrets/secrets.enc.json > ./secrets/secrets.json Failed to get the data key required to decrypt the SOPS file. Group 0: FAILED https://mykv.vault.azure.net/keys/sops-key/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: FAILED - | failed to decrypt sops data key with Azure Key Vault key | 'https://mykv.vault.azure.net/keys/sops-key/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
What is velero? velero is a backup and restore tool that allows you to take backups of your cluster and restore them in case of loss, migrate cluster resources to other clusters, and replicate your production cluster to development and testing clusters. What do we want to do? We are currently running velero. However, we want to use Azure Managed Identity. Currently our setup is that we have 2 different resource groups: 1 for the storage account and 1 for AKS (disk snapshots). Looking through the documentation, it is n...
Key learnings from GitOps Enterprise: Learn how to use Argo CD in multi-tenant installations, how to create preview environments and more
Platform Engineering is the new kid on the block. But I have seen there is some confusion with the term DevOps. Here I want to give a quick clarification and also some cool links where you can read about Platform Engineering.
As a reader of my blog you know we are using the Rancher logging app. While we migrated the Rancher (upstream) cluster from RKE to AKS, we cannot use the built-in log collection and shipping for audit logs. According to Enabling the API Audit Log to Record System Events - a guide on how to enable audit logs - we find the information as of today is a bit misleading. We have enabled audit logging in the helm chart as follows.
What is Azure AD Workload Identity? Azure AD Workload Identity allows you to use a Managed Identity to access resources in Azure. Azure AD Workload Identity for Kubernetes integrates with the capabilities native to Kubernetes to federate with external identity providers. The Kubernetes cluster becomes a token issuer, which issues tokens to Kubernetes Service Accounts. These service account tokens can be configured to be trusted on Azure AD applications or user-assigned managed identities.
What are managed identities? Resources usually need secrets (secrets/credentials/certificates/keys) to communicate with other resources. While (in Azure) you can securely store these in an Azure Key Vault, as a developer you still have to configure your applications accordingly - meaning you probably copy these secrets around. With Managed Identities this is not necessary anymore, as it provides an automatically managed identity in Microsoft Entra ID for applications. An application can use ...
Problem: While trying to do a terraform init you get the following error: │ Error: Failed to install provider │ │ Error while installing hashicorp/azurerm v3.83.0: failed to compute │ checksum for │ C:\Users\papa~1\AppData\Local\Temp\4\terraform-provider1701116033: │ EvalSymlinks: too many links The problem seems to occur if the profile is a roaming user profile. Solution: Use a local folder. This happens on Windows servers, where the profile is not local. To fix it you need a local folder...
What is SOPS? SOPS stands for Secrets OPerationS, and is an open-source text file editor that encrypts/decrypts YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. If you want more details on SOPS as such, you can also have a look at A Comprehensive Guide to SOPS: Managing Your Secrets Like A Visionary, Not a Functionary (gitguardian.com). What do you need? As we will use azure-key-vault, you will need
Why update the no_proxy? Generally, access to Azure resources goes through public endpoints at first. Especially for sensitive services like Key Vault and storage, this shall happen through private endpoints. While traffic to public endpoints has to be routed through the web proxy, for private links we have a direct connection, so it shall not go through the proxy. So for each private link, the FQDN has to be added to the no_proxy so that calls from atlantis (or terraform) are routed properly.
What is it? Based on Git-hooks - a practical example with tf docs, I extended the git-hooks so they check for secrets and abort the commit if secrets are found. All you need is: after that, also install gitleaks, which is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.
A long time ago I wrote about git-hooks; today I want to give you a practical example of how I ensure my terraform documentation stays up-to-date. terraform-docs: Not sure if you ever heard of terraform-docs, but it's a tool which generates terraform module documentation in various formats. You can define a config file .terraform-docs.yml which defines how your documentation shall look. My $HOME\.terraform-docs.yml looks as follows: formatter: "markdown" # this is required sections: hid...
As a long-time user of Hetzner as my hosting provider, I am very satisfied with their services. They not only provide a bunch of interesting offers but also an auction where you can reuse hardware for a very good price. Server hardware can be reused even if a product is terminated. This is reasonable in terms of both economic and ecological aspects. Benefit from this advantage. For those of you looking for a cloud service - similar to Google Cloud or Amazon - I recommend looking into the Hetzne...
I have multiple Ansible roles and I want to use the same workflows for all of these roles. This is when reusable workflows come into play: Rather than copying and pasting from one workflow to another, you can make workflows reusable. You and anyone with access to the reusable workflow can then call the reusable workflow from another workflow. This consists of two elements: shared workflow: the actual workflow which does all the work; caller workflow: a workflow that uses another workflow. Cre...
Chocolatey: While I first experimented with Chocolatey as a package manager for Windows, I am not very happy with it. The major downsides are that you need admin permissions and that the packages are not self-contained. Both are a problem in corporate environments where you might not have admin permissions and where you want to fully rely on proxied repositories. For example, if you have a look at the package source of "python" you will see that the package source always points to an external so...
Issues with cluster restore and Gatekeeper: It has been some weeks since I installed Gatekeeper. Today we had an issue which led me to restore the cluster state to the state from some minutes ago. Usually that is not a problem - well, at least before OPA Gatekeeper was installed. While the restore worked, the cluster eventually will not start; some pods are stuck in Terminating while others are stuck in Pending:
Monitoring and Alerting with Rancher: As part of the Rancher monitoring stack the app also installs the Alertmanager. The Alertmanager handles alerts sent by client applications such as the Prometheus server. It takes care of deduplicating, grouping, and routing them to the correct receiver integration such as email, PagerDuty, or OpsGenie. It also takes care of silencing and inhibition of alerts. If one provides the routes and receivers as part of the helm values, it will create the respective ...