Often in development or when working on proofs of concept (PoC), I need working SSL to protect an endpoint. If I controlled the domain, I would use Let's Encrypt to generate a certificate. When I don't control the domain, I often use self-signed certificates. Below is how I create them and then use them to create a Secret in Kubernetes.

Choosing a domain (common name)

When I don't control the domain, that usually means I can't set up a subdomain with appropriate name resolution for my project. In this case I use a......
Introduction

Kubernetes (also written k8s) is a powerful container orchestration platform that works with Docker. This first video provides a high level explanation of how Kubernetes differs from traditional application deployment and infrastructure management.

Overview

A Kubernetes cluster is made up of masters and nodes. The masters are responsible for orchestration and the nodes host the orchestrated containers. In addition to orchestrating containers, it is helpful to have a gateway to route traffic through the cluster and a persistent storage mechanism. While these last two components aren't strictly part of Kubernetes, I consider......
Kubernetes is getting a lot of attention recently, and there is good reason for that. Docker containers alone are little more than a developer convenience. Orchestration moves containers from the laptop into the datacenter. Kubernetes does that in a way that simplifies development and operations. Unfortunately I struggled to find easy to understand high level descriptions of how Kubernetes worked, so I made the diagram below.

Operations

While I don't show the operator specifically (usually someone in IT, or a managed offering like GKE), everything in the yellow box would be managed by the......
IT general controls are important for various reasons, such as business continuity and regulatory compliance. Traditionally, controls have focused on the infrastructure itself. In the context of long running servers in fixed locations, this was often an effective approach. As virtualization and container technologies become more prevalent, especially in public cloud, infrastructure focused IT controls can start to get in the way of realizing the following benefits:

- Just in time provisioning
- Workload migration
- Network isolation
- Tight capacity management
- DevOps
- Automated deployments
- Automated remediation

One way to maintain strong IT controls can still get......
Vendor and tool selection is often a complicated process for an enterprise. In the worst cases, the evaluation of tools, vendors and other technology solutions turns into a debate about tools, features and procedures. Why is this a problem? It's that these debates too often fail to identify and measure against the outcomes that will benefit the business and the activities that will produce those outcomes.

What is an Outcome

An outcome is simply an end state or deliverable. The end state or deliverable is usually defined by the business and, if achieved,......
I’ve recently had many conversations related to developer productivity. In order for a developer to be productive, he must have control over enough of the application lifecycle to complete his work. When a developer gets stuck at any point in the application lifecycle, his productivity drops, which can often reduce morale too. One question I’ve been asking is: how much of the application lifecycle needs to fall under the scope of the developer? In other words, how broad is the scope of the application lifecycle that needs to be available to a developer......
I found this article on ServerWatch today: http://www.serverwatch.com/server-trends/why-kubernetes-is-all-conquering.html It's not technically deep, but it does highlight the groundswell of interest in and adoption of Kubernetes. It's also worth noting that GCE and Azure will now both have a native, fully managed Kubernetes offering. I haven't found a fully managed Docker Datacenter offering, but I'm sure there is one. It would be interesting to compare the two from a public cloud offering perspective. I've worked a lot with OpenStack for on-premises clouds. This naturally leads to the idea of using OpenStack as a......
Many applications require authentication to secure protected resources. While standards like OAuth accommodate sharing resources between applications, more variance exists in implementations of securing the app in the first place. A recent standard, JWT, provides a mechanism for creating tokens with embedded data, signing these tokens and even encrypting them when warranted. This post explores how individual resource functions can be protected using JWT. The solution involves first creating a function decorator to perform the authentication step. Each protected resource call is then decorated with the authentication function and subsequent authorization can be......
Container orchestration is at the heart of a successful container architecture. Orchestration takes as input a definition of how a deployed application should look. This usually includes how many containers for a certain image are needed, volumes for persistent data, networking for communication between containers and awareness of various discovery mechanisms. Discovery may include such things as identifying other containers which are also participating in the application or how to access services required by the running containers. Here's a high level view.

Infrastructure

Containers need infrastructure to run. Both virtual and physical infrastructure......
I'm interested in allowing a user to register on my site/app using their social account credentials (e.g. Google, Facebook, LinkedIn, etc.). It should also be possible to register using an email address. Since the site/app will be composed of a handful of microservices, I would want to provide my own identity service, which might include profile information and roles. This should be possible with OAuth. I found plenty of examples of how to use OAuth against someone's social accounts. What I didn't find were any examples of how to manage user registration and......