DevOps / SRE - Top Links Last Week
Week 3 - Issue #62
Solving Open Source Supply Chain Security for the PHP Ecosystem
Gossamer is a proposal for securing the software supply chain of the PHP ecosystem. Developers keep control of their own signing keys, and each developer is mapped to a set of public keys. Code-signing of releases and third-party attestations are published to an append-only transparency log, as are revocations, so every change is visible to anyone reading the log. That defeats a partial censorship attack, in which an attacker lets updates through but withholds crucial revocations or attestations, and it largely mitigates the risk of extralegal government action: a coerced registry cannot suppress a revocation without the omission showing up in the log.
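To make the transparency-log property concrete, here is an added example (not Gossamer's code, and not its wire format) of the mechanism the summary relies on: a hash-chained ledger of Ed25519-signed release, attestation and revocation entries, and a verifier that rejects a served copy that silently drops the revocation. The entry layout, the trusted-key map and the foo/bar package are assumptions for illustration; it uses only the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is one record in an append-only ledger (this example's layout, not Gossamer's).
type Entry struct {
	Action  string            // "release", "attest" or "revoke"
	Package string
	Version string
	Prev    string            // hex SHA-256 of the previous entry, "" for the first
	Signer  ed25519.PublicKey // key of the developer or third-party attestor
	Sig     []byte
}

// payload is what gets signed; Prev is in it, so a signature commits to the entry's position.
func (e Entry) payload() []byte {
	return []byte(e.Action + "\x00" + e.Package + "\x00" + e.Version + "\x00" + e.Prev)
}

// Hash chains entries: dropping or editing one changes every later hash.
func (e Entry) Hash() string {
	sum := sha256.Sum256(append(e.payload(), e.Sig...))
	return hex.EncodeToString(sum[:])
}

type Ledger struct{ Entries []Entry }

func (l *Ledger) Head() string {
	if len(l.Entries) == 0 {
		return ""
	}
	return l.Entries[len(l.Entries)-1].Hash()
}

func (l *Ledger) Append(priv ed25519.PrivateKey, action, pkg, version string) {
	e := Entry{Action: action, Package: pkg, Version: version, Prev: l.Head(),
		Signer: priv.Public().(ed25519.PublicKey)}
	e.Sig = ed25519.Sign(priv, e.payload())
	l.Entries = append(l.Entries, e)
}

// Verify checks every signature against the trusted key set (hex public keys) and
// the hash chain, and refuses a ledger that does not extend lastSeenHead: a copy
// served with its tail cut off, hiding a revocation, is the partial-censorship case.
func Verify(l *Ledger, trusted map[string]bool, lastSeenHead string) error {
	prev, seen := "", lastSeenHead == ""
	for i, e := range l.Entries {
		if e.Prev != prev {
			return fmt.Errorf("entry %d: chain broken (missing or altered entry)", i)
		}
		if !trusted[hex.EncodeToString(e.Signer)] {
			return fmt.Errorf("entry %d: signer not in trusted key set", i)
		}
		if !ed25519.Verify(e.Signer, e.payload(), e.Sig) {
			return fmt.Errorf("entry %d: bad signature", i)
		}
		prev = e.Hash()
		seen = seen || prev == lastSeenHead
	}
	if !seen {
		return errors.New("ledger does not extend the last seen head: rollback or censorship")
	}
	return nil
}

// BuildScenario: a developer releases foo/bar 1.0.0, an auditor attests it, the developer revokes it.
func BuildScenario() (*Ledger, map[string]bool, error) {
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	auditPub, auditPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	trusted := map[string]bool{hex.EncodeToString(devPub): true, hex.EncodeToString(auditPub): true}
	l := &Ledger{}
	l.Append(devPriv, "release", "foo/bar", "1.0.0")
	l.Append(auditPriv, "attest", "foo/bar", "1.0.0")
	l.Append(devPriv, "revoke", "foo/bar", "1.0.0")
	return l, trusted, nil
}

func main() {
	full, trusted, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	censored := &Ledger{Entries: full.Entries[:2]} // revocation withheld by a coerced mirror
	fmt.Println("full ledger:", Verify(full, trusted, full.Head()))
	fmt.Println("censored copy, client remembers head:", Verify(censored, trusted, full.Head()))
}
```

A client with no history accepts the censored prefix, since it is internally consistent; that is why clients, and the replicas a ledger is mirrored to, must remember the last head they saw. Removing the revocation from the middle instead breaks the chain for everyone, and an altered entry fails its signature check.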
How to validate Kubernetes YAML files
This article is a guide to validating Kubernetes YAML files. It looks at tools and methods that move the start of the validation process into the development workflow. The holy grail of shifting validation left is to make illegal states unrepresentable. That can be achieved in a dynamically typed language, but not easily without the right tools, and several of those tools are better suited to running as a platform than as a step that fits neatly into a standard developer workflow.
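The kind of check such tools automate can be seen in miniature in this added example, which is not from the article and is not one of the tools it covers: a Go program that reads a workload manifest in JSON form, which kubectl accepts just like YAML, and flags a baseline of security-relevant mistakes. The rule set and the two sample manifests are this example's own; it uses only the standard library.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Manifest models only the fields the checks need; encoding/json ignores the rest.
type Manifest struct {
	Kind     string                                  `json:"kind"`
	Metadata struct{ Name string `json:"name"` }      `json:"metadata"`
	Spec     json.RawMessage                         `json:"spec"`
}

type PodSpec struct{ Containers []Container `json:"containers"` }

type Container struct {
	Name            string `json:"name"`
	Image           string `json:"image"`
	SecurityContext struct {
		RunAsNonRoot             *bool `json:"runAsNonRoot"`
		AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation"`
		Privileged               *bool `json:"privileged"`
	} `json:"securityContext"`
	Resources struct{ Limits map[string]string `json:"limits"` } `json:"resources"`
}

// podSpec returns the pod spec of a Pod, or the pod template of a workload that embeds one.
func podSpec(m Manifest) (PodSpec, error) {
	if m.Kind == "Pod" {
		var ps PodSpec
		return ps, json.Unmarshal(m.Spec, &ps)
	}
	var w struct{ Template struct{ Spec PodSpec `json:"spec"` } `json:"template"` }
	err := json.Unmarshal(m.Spec, &w)
	return w.Template.Spec, err
}

// Validate returns one message per violated rule (this example's own baseline); empty means pass.
func Validate(raw []byte) ([]string, error) {
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("not a manifest: %w", err)
	}
	ps, err := podSpec(m)
	if err != nil {
		return nil, err
	}
	var out []string
	fail := func(c Container, msg string) {
		out = append(out, fmt.Sprintf("%s/%s container %q: %s", m.Kind, m.Metadata.Name, c.Name, msg))
	}
	if len(ps.Containers) == 0 { // an unrecognised shape must not pass silently
		return []string{m.Kind + "/" + m.Metadata.Name + ": no containers found"}, nil
	}
	for _, c := range ps.Containers {
		ref := c.Image[strings.LastIndex(c.Image, "/")+1:] // drop registry/path so a port is not read as a tag
		switch {
		case strings.Contains(ref, "@sha256:"): // pinned by digest, immutable
		case !strings.Contains(ref, ":"):
			fail(c, "image has no tag (defaults to :latest)")
		case strings.HasSuffix(ref, ":latest"):
			fail(c, "image uses the mutable :latest tag")
		}
		sc := c.SecurityContext
		if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
			fail(c, "runAsNonRoot is not true")
		}
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			fail(c, "allowPrivilegeEscalation is not false")
		}
		if sc.Privileged != nil && *sc.Privileged {
			fail(c, "privileged is true")
		}
		for _, r := range []string{"cpu", "memory"} {
			if _, ok := c.Resources.Limits[r]; !ok {
				fail(c, "no "+r+" limit")
			}
		}
	}
	return out, nil
}

// Constructed sample manifests, not from the article.
const goodManifest = `{"kind":"Deployment","metadata":{"name":"api"},"spec":{"template":{"spec":{"containers":[{"name":"api","image":"registry.example.com:5000/team/api:1.4.2","securityContext":{"runAsNonRoot":true,"allowPrivilegeEscalation":false},"resources":{"limits":{"cpu":"500m","memory":"256Mi"}}}]}}}}`
const badManifest = `{"kind":"Pod","metadata":{"name":"debug"},"spec":{"containers":[{"name":"shell","image":"busybox","securityContext":{"privileged":true}}]}}`

func main() {
	for _, m := range []string{goodManifest, badManifest} {
		v, err := Validate([]byte(m))
		fmt.Println(len(v), "finding(s), error:", err)
		for _, msg := range v {
			fmt.Println("  " + msg)
		}
	}
}
```

To check an existing YAML file, convert it first (for example with kubectl create --dry-run=client -o json -f deploy.yaml) and feed the output to Validate. The no-containers finding is deliberate: a manifest whose shape the checker does not recognise would otherwise pass with zero findings, which is the quiet failure mode of any shift-left validator.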
Dude where's my coldstart?
Alex takes a look at the architecture of OpenFaaS and why you can say goodbye to cold starts. The article covers why containers are slow to start, particularly on Kubernetes, then walks through the research and development that led to OpenFaaS not needing cold starts, or at least not exposing them. It closes with plenty of links and resources for going deeper, and a FAQ.
Deploying Argo CD and Sealed Secrets with Helm
The Argo CD documentation suggests creating a namespace into which services and applications are deployed. For a private Git repository accessed over SSH you generate a key pair: the public key is registered with the Git host as a deploy key, and the private key is given to Argo CD, without which it cannot clone the repository and retrieve your deployment manifests. Repository details such as that private key are stored in a Kubernetes Secret; with Sealed Secrets the Secret is encrypted so it can be committed to Git alongside the rest of the deployment, and only the controller running in the cluster can decrypt it.
How to tackle Kubernetes observability challenges with Pixie
Observability of distributed systems has always been challenging: the more abstraction a system has, the harder it is to reason about, debug and troubleshoot. What makes Kubernetes observability especially tricky is the volatile nature of its workloads and resources. Pixie is an open-source observability tool for Kubernetes applications. It uses eBPF (extended Berkeley Packet Filter) to capture telemetry data automatically, without manual instrumentation.