Comments (11)
What software are we using for devops and what licenses are they licensed under? This list will be required for a future buyer for sure and possibly for future investors. If there is anything licensed under AGPL, how can we replace it with something with a more favorable license?
How would we bring up a new cluster in another region? What existing files/repos would we clone or modify?
from docs.
While all the questions below should also have generic answers in the generic documentation (e.g. add a metric by adding some piece of info to some configuration file), the cheat sheet should have the specifics (e.g. name and location of configuration file to change, and if it is not in GitHub, how to change it and maintain version history, and how to deploy changes).
How do we manage access control to devops related systems (both in staging and in production):
- Ability to view metrics/graphs/reports
- Ability to add/remove servers or otherwise modify AWS resource provisioning
- Ability to view or change secrets?
- How do we audit access and changes to secrets?
- How do we add custom metrics to graphs?
- How do we add resource scaling triggers based on custom metrics?
from docs.
@osterman The examples above were not meant to be a bullet list of specific documentation requirements as much as a set of examples meant to be broadly covered by the cheat sheet. The cheat sheet can say
- Grafana documentation is <here>
- Where the documentation refers to <this logical file or URL>, use <this actual explicit file or URL> for PopChest staging and use <this actual explicit file or URL> for PopChest production.
and that might be all we need. To you it is probably obvious where everything is but to people with no experience with any of the DevOps tools you installed (which is, I think, our entire team), it is not even clear where to start.
from docs.
As far as I know, nothing is AGPL. I know this is a toxic license. We try to use mostly APACHE2
or MIT
licensed software. Everything Cloud Posse develops is APACHE2
, with one exception wp-quip
is GNU
(due to wordpress requirements).
This is a good question though. We should make sure to call out the software licensing on all tools in the solution.
from docs.
@goruha can you add some notes, links, references in this issue to unblock @Nuru. I'll refine them in the documentation, but we can start it here. Specifically, address this question first as it relates to grafana: #20 (comment)
from docs.
Ability to view or change secrets
@Nuru we need to upgrade the clusters ASAP to use our current "best practice" that we've already rolled out with Joany and PeerStreet. Namely, we've switched to using AWS Parameter Store with KMS encryption. This is all automated using chamber
by Segment.io. The way it works at PopChest is using "env files" stored in an encrypted S3 bucket. I don't think it makes sense to document this as it should simply be replaced.
The benefits with chamber
are that you can easily view all the parameters in the AWS web console, provided you have permissions.
from docs.
Ability to add/remove servers or otherwise modify AWS resource provisioning
I'll take a stab at this one today.
from docs.
@osterman I'm in favor of using AWS Parameter Store and KMS, and it is fine to switch to that before/instead of documenting the env files (except please note where the env files are/were so we can track whatever secrets were in them should we later discover the files were disclosed) as long as this does not break local/dev/CI environments.
I'm a little wary about using chamber
because it does not have a long history of widespread support and adoption (by my definition of those terms), but as long as it is just a convenience and we can manage without it, it is OK to use it if you like.
from docs.
@Nuru thanks for taking time to explain your position on this. Let me just expand on why we've chosen to back `chamber.
I'm in favor of using AWS Parameter Store and KMS
Great! My gripe with using the envfiles
is that it was a snowflake implementation (as are all envfile implementations I've seen). The challenge is how to keep those files secure as a system of record. Mozilla has a project called sops
, but it's gnarly by comparison to chamber
to implement. Then there's multiple extensions to git
which will help encrypt those files using precommit
hooks. All in all, didn't like the solutions.
Chamber is a convenience utility. And like you say, it's possible to manage the secrets themselves using the AWS Web Console directly. My experience with AWS is that they make great APIs and rather poor command line tools. That's why there's a rich ecosystem of tools that support it.
Segment.io as a company has raised $108M and been around since 2011. Our philosophy is to cherry pick the best tools from the community to facilitate integration. Most of the tools are by startups because they are the earliest adopters. Segment.io's Chamber meets the cloudposse criteria for this.
There are 600+ stars on the repo. It has an MIT
license and regular releases for the past year.
Unfortunately, as with the entire kubernetes
ecosystem, it is moving very rapidly. The criteria for widespread support needs to be adjusted relative to the maturity of the community. I have not been able to find any more mature tools that expose secrets stored in AWS SSM (or their new Secrets offering) as environment variables.
Alternatives to consider would be HashiCorp's Vault. This is a tool with widespread support and in use by many major financial institutions. HashiCorp Vault coupled with envconsul
would also satisfy our current use-case, but Vault would need to be deployed as a separate cluster at an additional cost and management overhead.
from docs.
The cheat sheet can say . ... and that might be all we need.
Cool, yes, we'll start with just documenting a roadmap of links with light descriptions of how the pieces fit together. I'll be writing up a few more docs this weekend.
We've also officially relaunched the documentation portal now on Hugo (https://docs.cloudposse.com) with more or less equivalent functionality, but the added benefit of tight github integration for issues.
from docs.
This PR will serve as the "cheat sheet" (#108). It's more of a getting started guide, but tries to cover all pertinent pages in paragraph form with links out to all the pages. The goal is to communicate how all the pieces fit together.
from docs.
Related Issues (20)
- Terraform Crash File (errored.tfstate) HOT 3
- Search Box Not Loading
- Implement Banner
- Using old version of packages
- How to find pods geted over allocated CPU
- Fix Link Color on Index Pages
- Document Helm Tiller Installation with RBAC
- Replace Comments with Discourse HOT 1
- Add Scroll Spy HOT 1
- Document Kubectl Proxy in Geodesic HOT 1
- Change Header Color? HOT 1
- Homepage Text Overlaps
- Prettify Scrollbars
- 100.64.0.0/10 is routable address space HOT 1
- Fix `aws-vault` description
- SyntaxError: Document.querySelector: '#1-the-terraform-module' is not a valid selector
- Description is not properly rendered HOT 1
- Add Best Practice for Modules to use ARN Partitions
- Add docs on when to use data sources
- Better Navigation Between Pages?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from docs.