Config Management Camp 2023 Ghent
Breakfast
FREE Coffee, Tea, Fruit Juice, Water, Croissant, and breakfast snacks
Opening of CfgMgmtCamp 2023 after 2 years of absence
We rewind the clock and ask ourselves: what if Infrastructure as Code never existed? What different solutions might we have come up with to the problems we faced? We’ll leave you full of possibilities about the future.
Since infrastructure as code burst onto the scene alongside the DevOps movement, the players in the game have changed dramatically.
If you were to choose an infrastructure as code tool in 2022, you'd have more choices than ever before. So how do you choose between them? In this talk, we'll take a look at the available tools not through the laundry list of features each tool offers, but what the user experience of those tools looks like not just to you, but to your customers and your colleagues.
Break
Feature branching is still popular due to the rise of distributed version control systems but certainly also due to OSS and GitHub. Although branch creation has become extremely easy, it comes with a certain invisible cost. Branches break the flow of the IT delivery process, impacting stability and throughput.
The session explores why teams are using feature branches, what problems are introduced by using them and what techniques exist to avoid them altogether. It explores exactly what's evil about feature branches, which is not necessarily the problems they introduce - but rather, the real reasons why teams are using them.
After the session, you'll understand a different branching strategy and how it relates to Continuous Integration.
You've got kubernetes up and running - finally! - but now the developers aren't using it. Many organizations have faced this when building platforms, and this talk will go over how they've built the right process, team, and culture around their developer platforms to help developers. These practices are being called "platform engineering" now, but they've been going on for over ten years, so there's a lot to draw from instead of having to learn from old mistakes.
Terraform is an awesome tool for managing infra state, but not everyone likes the HCL module system. CUE is an great language for abstracting away repetitive config, but is unaware of state. As luck may have it, Terraform accepts json as input, and CUE can write json as output, so we can combine the two for fun and profit!
Mgmt is a real-time automation tool that is fast and safe.
As we get closer to a 0.1 release that we'll recommend as "production ready", we'll look at what we've been stuck on and what's left.
In particular the complexity of building "lambdas" for an FRP language was more difficult than I had imagined, and I'll be asking for your help to finish mgmt.
There have also been a lot of fun new concepts which have landed since the last conference, and I'll demo many of these ideas for you.
As you already know, mgmt uses a real-time, reactive programming language to model the desired state over time, and a powerful event-driven engine to apply this state.
We'll show lots of real-time demos to keep everyone entertained.
Finally we'll talk about some of the future designs we're planning and make it easy for new users to get involved and help shape the project.
This is not just a presentation, it's a challenge to every CFGMGMT Camp participant.
Tiny Puppet can install EVERY application on EVERY OS, both from the command line ( tp install app ) and as Puppet code ( tp::install { 'app': } ).
If it can't already do it now, it will be able do it by the end of the conference.
Ready to accept the challenge?
A quick overview of the Rudder users: their IT size, number and type of people working on configuration management, metrics about their uses and most common use cases.
To have the most extensive infos we sent a survey to our Rudder users to gather this data and we'll present here the results and insights from this survey.
What is Nix? Why do we Nix? How do we Nix? All that and more during this chaotic 5 minute talk all about Nix. In this insanely dense and fast ignite talk, Bryan will talk about what Nix is, and why it's so remarkable.
Do you still remember the infamous "web-scale" video about MongoDB?
It's been a while, so what is web-scale (not), how can it apply today, and is it still useful? Or will it always be stuck on its ironic use?
Lunch
The HoGent cantina offers us a nice lunch menu.
As participants of CfgMgmtCamp, you can get a discounted special menu.
Registration is required, as a voucher presented to get the discount.
- Flemish Meat Stew and Belgian fries
- Flemish Vegeterian Stew and Belgian fries
- Vol-au-vent and Belgian fries
- Meat Lasagne
- Spinash Lasagne
As of Dec 1st, I'm working for a brand-new startup: https://overmind.tech/ to help build a new company providing new infrastructure insights.
This talk is the story of my first 60 days as first employee: * onboarding (problem space, go, terraform, aws) * development environment (VS Code, remote containers, CI) * cultural foundations (collaboration, communication) * development (from prototype to demo site)
With this talk I want to give a pretty raw report on the things that happened in these two months in the hope that sharing this experience provides insights (e.g. if you're considering the step yourself) to at least entertainment of following along the ride.
Do you have a colleague or friend that just can't stop talking about Nix? How it's reproducible, the future of software. Why it's so much better than the other tools out there. He just won't stop talking about it. And now, you've given in. You decided to give it a try, but where to start?
If the above is you, this talk is for you! Bryan will give his best attempt at giving a gentle introduction to Nix. After this talk, you hopefully understand Nix's values, and where to find more help if you happen to need it.
Currently when we think of Infrastructure as Code (IaC), one tool seems to stand out and has become a de-facto standard: Terraform.
With Terraform you can easily build, edit and version your whole infrastructure by using Terraform builtin providers or custom ones.
But sometimes there is no provider for the infrastructure you intend to use, not even the lone no-star repository in a lost corner of the internet, only a custom REST API. What can you do? Going back to manual operations? Create your own scripts?
In this talk Horacio and Aurélie will show you, step by step, how to go from an infrastructure API to a fully functional yet light Terraform provider. By taking as base a REST API, they will explain the basics of provider creation, give some pointers on how to do a simple yet efficient provider architecture and show you the code and the provider in action.
Will they succeed in this new mission?
or: The Power of Hiera5
We sometimes see people struggling when it comes to Puppet.
Mostly this is due to time needed to learn about the details of Puppet, like Puppet Language syntax.
There are two general ways on how to manage your infrastructure using Puppet:
- own code
- YAML data
Rudder is an open source security and configuration management tool that focuses on compliance and continuous audit. It allows users from different teams and background to configure and extract data through both the UI and API, providing a fast feedback loop. Since its first release 10 years ago, Rudder has been used by organizations of all sizes, from small installations to large deployments of over 15,000 nodes.
In this talk, we will introduce Rudder and explain what sets it apart from similar tools. We will also discuss the current evolution of Rudder towards operational security and its impact on the product. If you are new to Rudder or interested in learning more about compliance and configuration management, this talk is for you.
It's been some while since we met in person! In this talk, we'll look back over the last few years, take stock of where the Ansible Community is at, and talk about what might be coming for the future.
Gathering pieces of information for a task or a project is a wasteful act and could result in duplicated work done by different people.
Onboarding, your ability to maintain code or infrastructure and systems handover - Documentation plays a crucial part in all these processes.
In this talk, I’ll show you a structured way to write technical docs, without being a technical writer - So you will deliver highly valuable information to your audience, to your best ability.
I’ll explain why should you care about these docs, how do they serve your best interests (Yes, there’s more than one!) and what a wide impact it could make on employees and even on your entire organization.
All previous editions of this were described as "another year, another update". This time it hasn't been a year since the last one, but much more. That means there's more to cover in the "what's new" and "what changed" parts, but there should still be room to look at the future. We will also have an open discussion with the community. Come share your update.
This is a free slot in the Rudder room to come and talk with us, get help about your uses cases with Rudder, tell what you miss and what you like, and hack with us
The Ansible-enabled resource module building and scaffolding tool to generate resource modules may help you automate all of the use cases for security platforms, and it has never been simpler to enable Ansible automation for all potential vendors.
In this live demo, we shall see how to set up a "Production-Ready Kubernetes Cluster" using an extendable framework built around Argo CD in 5 minutes. With a plethora of cloud-native solutions popping up every day, it can be pretty daunting for engineers to select the "right" tool for their technology stack, and it becomes all the more challenging to integrate them to get to day-2 operations. The hivenetes/k8s-bootstrapper project leverages Terraform and the Argo CD "App of Apps" pattern to integrate popular battle-tested open-source software and solutions that provide a production-grade out-of-box Kubernetes experience. In addition, the bootstrapper project is customizable and extendable, allowing teams to build their stack without much hassle.
Terraform is a GREAT tool, but like a lot of other things in life, it has its pitfalls and bad practices.
Since you are working with Terraform, you probably went through its documentation, which can tell you what resources can be used - BUT do you always have a clear path towards using these resources? How should modules be constructed? How should you structure your Terraform code in general?
In this talk, I’ll cover the good, the bad, and the ugly when it comes to Terraform. I will show practices for working with Terraform that were put together with a lot of blood, sweat, and tears, so you’ll ultimately have a go-to approach and a paved way for working with Terraform, whether it’s an existing codebase or a new functionality altogether, and also hopefully make you think about the big picture and utilize Terraform in a broader context rather than just an “infrastructure as code" tool.
Cloud Native tools like Infrastructure as Code (IaC) & Helm have made managing infrastructure as well as cloud-native apps easier in a lot of ways, but there are many challenges that companies accept as the cost of adopting them. IaC is good at provisioning individual infrastructure components (a few resources together), and tools like helm are good at deploying applications, but engineering teams want an entire environment with various components like networking, platform (ec2/eks), database, k8s apps, etc. to run their business applications.
To provision and teardown an entire environment, these teams have two options. They can either hand-roll imperative pipelines to manage individual components and then manage complex dependencies between these components or create a monolith deployment for the entire environment. These approaches are inefficient and slow down feature development and innovation. They also make replicating, visualizing & understanding environments difficult. What if there were a better way?
This talk digs into these challenges and then looks at how to resolve them. We will introduce Environment as Code (EaC) which is an abstraction over cloud-native tools that provides a declarative way of defining an entire environment. It has a Control Plane that manages the state of the environment, including component dependencies, and detects drift, and enables reconciliation.
Key Takeaways:
- Challenges adopting Cloud Native tools like Infrastructure as Code, Helm, etc.
- What is Environment as Code?
- How can Environment as Code help resolve those challenges?
Who understands how to install CoreOS, can also install OpenShift 4. You can provision CoreOS-Hosts using Foreman. In this talk I explain the route and the obstacles with provisioning CoreOS and how to use this deploy an OpenShift cluster.
To help sysadmins everywhere the Onestein organization (specialized in Odoo implementations) invested 4 month of research to create a set of easy to use Ansible playbooks to configure single sign on (SSO) for popular open source applications to enable them to authenticate to a Keycloak server as the central identity provider.
These playbooks have been published on https://github.com/onesteinbv/project_single_sign_on.
The list of supported applications are currently:
Bitwarden
Jenkins
Gitlab
Keycloak (not SSO, but the identity provider)
Nextcloud,
Odoo
Xwiki
Zabbix.
All playbooks and servers are for Ubuntu servers and are meant to be used as a starting point.
Nickel is a new configuration language being developed at Tweag. We are
developing tools and libraries for writing Terraform deployments in Nickel. Our
aim is improved modularity and reusability of infrastructure as code projects
by leveraging Nickel's gradual typing and expressive record merging.
We’re improving the security posture of the entire Puppet ecosystem, from scanning Forge modules for malware, to changing Puppet code to make it harder to write vulnerable code, to providing guidance on writing secure Puppet code yourself.
Observability tools are brilliant for the applications that we deal with every day. But when things go wrong in an area we don’t know well we find ourselves looking at a bunch of numbers we don’t understand. In this talk, I’ll dive into how these unknown unknowns always crop up at the worst possible time, why we can’t defeat them, and how we can learn to deal with them much, much more effectively.
Designing a scalable and robust Risk Engine using HashiCorp Configuration Language (HCL)
Infrastructure as Code should really be Infrastructure as Configuration.
DevOps, SRE and other engineers dealing with infrastructure are mostly managing
pure configuration data by writing, editing and auditing JSON, YAML or similar
serialization formats.
Purely data-oriented languages like JSON might be fine for managing small and
simple infrastructure, but when the size and complexity of a configuration grows,
data languages don't seem to be the right tool anymore.
There is no way to reuse data and have a single source of truth, with all the
pain and inconsistencies that duplication inevitably brings with time. We can't
express data dependencies either. For example, the open
ports of a firewall may depend on which services are enabled on a server. In
JSON, everything must be hardcoded.
In the end, Configuration Management looks like the poor sibling of Software
Engineering. What about tests, types, LSP integration for real-time feedback,
completion and documentation? What about modularity, code reuse, abstraction?
In this talk, I will present Nickel, a configuration programming language I am
currently working on at Tweag, to help finally entering the era of Configuration
as Code. I'll discuss more specifically the approach of Nickel to modularity,
which is how to write small and reusable configuration snippets that can be
combined into a complex configuration, based on a merging operation.
Break
This talk will cover HCL (HashiCorp Configuration Language) and how it evolved over the last years to become the fastest-growing language on GitHub in 2022. HCL powers Terraform, Packer, and many more infrastructure as code tools. We'll look at how a DSL, such as HCL, can be authored comfortably with the help of a language server in an LSP (Language Server Protocol) aware editor (such as VS Code or Sublime Text).
Vox Pupuli manages 175+ Puppet modules and heavily relies on GitHub Actions to do so. During this talk we'll go over how that's built, maintained and used.
Rudder is used in critical contexts and the focus on its security has increased over the years, along with the threats. This talk will give an overview of how security topics are handled by the Rudder team, how they have evolved over time and what are our plans to handle current challenges. We will expose:
- our recent features and architectural changes improving software security, especially in terms of node/server communication, user authentication and attack surface limitation.
- our process to handle vulnerabilities reported or discovered in Rudder.
- our efforts for software supply chain securitization, in particular regarding dependencies management and build infrastructure (dedicated signature server, ephemeral build environments, etc.)
- and finally how we try to steer the dev culture towards security topics awareness, through integration of security assessments to our specification processes, and regular training and discussions.
Apply patches and critical updates to your Linux kernel without rebooting your system. Maximize uptime and perform critical security updates and major bug fixes. In this talk I will show how this technology can be combined and used with Foreman.
One of the emerging standards for cloud (native) security is OPA, the Open Policy Agent; an open source standard under the Cloud Native Computing Foundation.
On a regular basis, articles and tweets pass by discussing whether some specific tool is imperative or declarative. It’s no surprise that Pulumi is often the tool being debated.
This talk will explain why the right combination of imperative and declarative implementation aspects on your tool(s) deliver the power you need to solve your problems.
Ringo will analyse the following tools and pinpoint which parts of them are imperative and declarative:
- an older tool (Chef)
- two current tools (Pulumi, Helm)
- a recent one from another domain (Dagger)
To wrap up, Ringo will reason why the introduction of imperative programming languages in our tooling solves our most pressing need: integration!
Ansible ecosystem continues to grow and mature. Recent enhancements include Ansible Content Collections, automation execution environments, and an increasing list of integrations using plugins and modules. It is more important than ever that both new and experienced content creators have access to tools that help them write better content faster. This talk will cover how you can use the newly created Ansible developer tools like ansible-navigator, ansible-builder and VSCode Ansible extension to write and build automation content following good practices at a much faster speed.
The nomad team has been working very hard on making templated deploys easy for this they have released the tech preview of nomad-pack. This talk discusses some of my observations while migrating nomad job files over to nomad-pack
Sharing how to use Puppet with an immutable image model for running VM's. This talk will discuss why you might want to adopt the immutable image model and how to use Puppet to build those images. Real world examples with lessons learned.
Kubernetes doesn’t come with a built-in node autoscaling out of the box and as many other things it leaves it to the platform team to implement the appropriate strategy. Efficient node autoscaling is essential for ensuring that Kubernetes clusters can handle dynamic workloads and environments. In this talk, I will cover how Karpenter (an open-source node provisioning project) can be used to automate and manage Kubernetes nodes lifecycle by trying to make smarter decisions when it comes to right sizing your compute. It should result in improved resource utilization, reduced costs, and the ability to quickly and easily scale up or down based on workload demands compared to similar battle tested solutions. So does this really addresses all the scaling problems, what are still the gaps and how does it work in practice? I’ll also run a live demo to show how to use it and what to expect.
The OpenKAT-project is a series of integrated projects started to fill in the gap between technical checks, compliance questions, automated warning and non repudiation of the information gathered and presented.
OpenKAT takes a radical different approach on security while not discarding what we have built during the last decades. Just like a cat you see more while looking at the same information just by interpreting it differently. KAT (cat in Dutch) delivers information on vulnerabilities in a forensic accurate manners, monitors environments and more over proves how things change over time.
The OpenKAT project was started by the Ministry of Health, Welfare and Sport.
Ansible has thousands of modules, plugins, roles and collections that can be leveraged to automate (almost) anything anywhere.
Could we use Ansible to build Ansible ? Why not ?
What could go wrong ? ¯\(ツ)/¯
The pulp_deb plugin is entering a new phase of the software lifecycle, and we want you to tell us what the plugin development should focus on! We will provide an update on the latest features and how we got here, but the focus will be on where we plan to go next.
Topics will include the new optimize sync mode, work to expand the test coverage for improved reliability and maintainability, open community submissions, as well as remaining unsolved design challenges.
You will also get to meet Tobias Grigo, our latest plugin maintainer.
Immutable architecture is the backbone of infrastructure as code, to ensure production environments cannot be changed during runtime. While this has the benefits of its inherent safety measures, this can also be restrictive, all while creating new challenges for security. Immutable concepts are much more effective when it comes to securing cloud-native environments and infrastructure, which is becoming an increasingly more complex task.
This talk will focus on some of the fundamentals of immutable architecture, best practices, and recommended design patterns to work around its limitations and enhance security, as well as what you most certainly should not be doing when running immutable architecture both from an infrastructure and security perspective.
This will be demonstrated through a real-world example of deploying a single-tenant SaaS in an automated pipeline, typical challenges encountered, and what was learned on the way, through a Terraform, Kubernetes, and step functions example.
Initially, there was a call from users to improve our product’s user experience. In light of our ever-growing UX debt, we started working. Fortunately, we weren’t alone in our fight. Our continuous engagement with users and the entire community on multiple levels allowed us to overcome challenges as well as our (sometimes wild) assumptions. In this talk, we will take a look at the path we took and how even you can influence our next projects.
Kubernetes adoption is reaching sky-high, it has a large and rapidly growing ecosystem not just limited to the IT industry but also in industries like automobile, pharmaceutical, financial, etc to increase automation and reduce IT cost. With the increased reliance of individuals and businesses on Kubernetes and at such a tremendous scale, a simple misconfiguration, inadequate restrictions or safeguards in place to the Kubernetes infrastructure put the enterprise at risk and can cause operational dysfunction and exploit security. Companies adopting Kubernetes are taking a preventable yet big risk if they are not looking at mitigating the risks that come with it. The more reliant we become on Kubernetes, the more critical it is to keep the environment safe and secure.
In this talk we will discuss the security challenges associated with setting up and securing a Kubernetes cluster. It includes strategies for system administrators, DevSecOps, developers and security professionals, helping them avoid common misconfigurations and implement recommended hardening measures and mitigations when deploying Kubernetes. Kubernetes clusters can be complex to secure and are often abused in compromises that exploit their misconfigurations. We will focus on below specific security configurations that can help build more secure Kubernetes clusters.
- Container and Pod security
- Network separation and hardening
- Authentication and authorization
- Audit Logging and Threat Detection
Post this talk, the audience will be able to understand the particular security risks related to Kubernetes and how one can prevent or mitigate them.
Breakfast
FREE Coffee, Tea, Fruit Juice, Water, Croissant, and breakfast snacks
The opening of YAMLCamp 2023, after 2 years of YAML engineering from the basement
Configuration has become the number one complexity problem to solve. Every part of your tech stack—databases, apps, schemas, services, workflows, policy, models, networking—must be configured. We show how CUE can help unify these silos.
Will talk about experience of IDPs at 3 different companies, how it can help companies grow rapidly by delivering more features with better quality by creating IDPs and standardise. The talk will cover the build block of IDPs both from technical and process perspectives to support developers to focus on deliver features.
Engineers at small and large companies are deploying their applications using managed Kubernetes services in the cloud because they are convinced it will enable them to migrate their workloads across providers easily. However, in reality, most container platforms are not feature-complete. So, the move comes with a series of external concerns that can make it problematic: e.g. monitoring, identity management, data gravity, deployment pipelines, dependent services, and many more!
In this talk, we’ll follow the migration journey of a demo application from AWS to GCP and we will identify a series of practical software development and system architecture best practices that you can follow to increase the level of portability of your Kube application.
Furthermore, we will consider configuration and components in the Kubernetes ecosystem that you can deploy to significantly simplify any platform lock-in constraints.
Ansible and Terraform are two very powerful but unique open source IT tools that are often compared in competitive discussions. Evaluating these tools for your use isn’t a simple comparison, since there’s no one "right" way to automate or one automation tool to use—just as there is not only one way to solve a problem. The two tools are better together and can work in harmony to create a better experience for developers and operations teams.
This talk will discuss how using Terraform and Ansible can create powerful workflows and introduce you to the Ansible content and tools to help make this possible.
Adding features like auto complete, go to definition, or documentation on hover for a language takes significant effort. Traditionally this work had to be repeated for each development tool, as each tool provides different APIs for implementing the same feature. So it meant for each IDE a separate implementation is required for a given language.
In comes language server protocol which was developed by Microsoft Visual Studio Code and standardised in collaboration with RedHat and Codenvy. LSP is an open, JSON-RPC based protocol for use between source code editors or IDEs and servers that provide programming-specific features. The goal of the protocol is to allow programming language support to be implemented and distributed independently of any given editor or IDE.
Thus a single language implementation can provide features for different IDE’s that understands language server protocol.
This talk will cover about what is LSP and how is is used to support Ansible language for different editors
Ignition is a one-time provisioning software, single binary, running from the initramfs and with a simple configuration.
You have written Ansible inventory scripts that use Puppet as a source.
But these tricks will make Ansible even more smooth.
Let's be honest, whether consciously or not we all do it. In this talk we'll discuss how far down the rabbit whole one can go, while serving only a single static html page.
From the humble beginnings as a markdown file to actual website and several layers of monitoring and automation. We ll discuss the architecture behind my personal website that also doubles as the vehicle that i use to learn new tools and techniques. So don't be surprised to come across an application deployed using waypoint onto a vm build using packer that resides in a fully terraformed AWS environment
In this ignite talk, I will expose quickly the benefits of not writing Dockerfiles but rather using Nix expressions to generate Docker images.
What does Aiven do? My son's almost 8 years old and he doesn't shy away from asking the real questions. I struggled, of course, I'm used to explaining what I do - and by extend the company or client I work for does - to either people that are in the larger Tech industry and with whom I have a shared vocabulary, or to people (family members and neighbors) for whom "IT stuff" totally suffices.
My son falls in neither of those categories. So I tried, I grabbed my sketchbook to explain to him what exactly open source software is, what managed services entail, and how I make my money.
It turned out to be a very good exercise. Find out how online games store MokertjeGaaf fulfills orders, and personalizes recommendations, by using all open source data infrastructure!
Lunch
The HoGent cantina offers us a nice lunch menu.
As participants of CfgMgmtCamp, you can get a discounted special menu.
Registration is required, as a voucher presented to get the discount.
- Meatballs in Tomato Sauce with Mashed Potatoes, peas and carrots
- Vegetarian balls in Tomato Sauce with Mashed Potatoes, peas and carrots
- Vol-au-vent and Belgian fries
- Meat Lasagne
- Spinash Lasagne
Small teams often require dedicated resources and tools to manage their own infrastructure. How can we make infrastructure management accessible to everyone?
In this talk, we’ll discover what GitLab offers to make managing Infrastructure as Code a breeze. GitLabs Terraform features empower everyone on the team to make and review infrastructure changes. GitLab provides a backend for Terraform state management and CI/CD templates to deploy changes effortlessly without needing to access the target platform.
Finally, we’ll look into how we can use the GitLab Terraform Provider to manage the lifecycle of various GitLab resources, like users, groups and projects.
Tracking a request’s flow across different components in distributed systems is essential. With the rise of microservices, their importance has risen to critical levels. Some proprietary tools for tracking have been used already: Jaeger and Zipkin naturally come to mind.
Observability is built on three pillars: logging, metrics, and tracing. OpenTelemetry is a joint effort to bring an open standard to them. Jaeger and Zipkin joined the effort so that they are now OpenTelemetry compatible.
In this talk, I’ll describe the above in more detail and showcase a (simple) use case to demo how you could benefit from OpenTelemetry in your distributed architecture.
It's been at least 2 years since we met f2f!
In this session, I'd like to give a quick overview of key features and changes to the Pulp project in the last couple of years.
We'll also take a look at the future plans, and, hopefully, hear from you!
Do you miss anything? Are our plans in line with your needs? What can we improve?
Infrastructure management tools have a special place among software regarding security, as they usually run ubiquitously, with high privileges and a relatively high attack surface. This makes them targets of choice, especially in the current context of increased threats on software supply chains.
What are our (new) responsibilities as software editors in an open source ecosystem? They include a precise identification and authentication of all software components (to provide a Software Bill of Material) and constraints on the build process and software distribution models.
This talk will give an overview of the current state of the rapidly evolving software supply chain standards and tooling (e.g. SLSA, SBOMs, etc.). It will also explore more concrete items, focused on dependencies management in open source ecosystems and our experience with Rudder.
It's been 3 years since the last state of the CFEngine. Join us for a quick overview of what's new in CFEngine since last time. Last time 3.15.0 was new, this time 3.15.x has reached the end of the road, 3.18.x is mid-life, and 3.21.x is the new hotness.
Proposed as a follow up to FOSDEM 2022's Simple (but useful) Ansible reporting with ara, this presentation goes deeper into the internals of how Ansible and ara works together and what the developer experience looks like.
Why should companies use open source Puppet modules?
Why should they contribute to open source projects and even publish home-grown modules?
Many companies like to use open source software but prefer to keep their own code in-house. They think their business is more secure if they keep their code private. But that's not true!
This talk will focus on all the aspects about open source (with a focus on Puppet modules) in companies, how it increases the security about the platforms, brings you happier engineers and reduced onboarding time for new hires!
Imagine waking up one morning to find out that your beloved open source database, which lies at the heart of your system, is being relicensed. What does that mean? Can you still use it as before? Could the new license be infectious and require you to open source your own business logic?
This doom’s day nightmare scenario isn’t hypothetical. It is, in fact, very real, for databases and other OSS, with several examples over the past year alone.
On this talk Horovits will review some of the less known risks of open source, and share his lessons learned from Elasticsearch’s recent relicensing move, as well as other case studies from the past year. If you use OSS, you’ll learn how to safeguard yourself. If you’re in the process of evaluating a new OSS, you’ll learn to look beyond the license and consider additional criteria. If you're debating open-sourcing a project, you'll gain important perspectives to consider.
I have worked on bringing CFEngine to various odd platforms such as Termux on Android to help our Nick Anderson hack on policy on-the-go, Alpine in support of my interest in PostmarketOS, ARM/aarch64 for Raspberry Pis and most recently Yocto in support of IoT.
https://cfengine.com/blog/2022/aarch64-debian11-ubuntu22-nightly-packages-available/
https://cfengine.com/blog/2021/cfengine-for-iot/ (yocto)
https://cfengine.com/blog/2020/cfengine-3-17-0a1-termux-better-android-termux-support/
Maintaining a good balance in a diverse team can be difficult, but it is definitiely worth the effort. I would like to share with you what I have learned to make working together with our differences more easy, fun and productive.
Pulp allows you to manage content of different types, but what if you need a whole group of people to manage Pulp? What if you want to host a content service on top of your Pulp installation?
In this talk we will give an overview of RBAC (role based access control) concepts in Pulp, as well as introduce domains and how you can operate in multi-tenant environments.
Configuration Management is nearly ubiquituous and a solved problem. It allows system administrator and developpers to excel at their job and many uses cases which would hardly be feasible without it.
Most notably, the main features of configuration management, continuous configuration and compliance are enabler for hardening of systems by security team, and to reach and maintain an improved Security Posture.
This talk will present how and why Rudder is evolving to incorporate operational security into its core features while strenghtening the fundamentals of configuration management. We'll show the impacts on the product, mainly on the compliance aspect with integration of compliance information from other sources and making the compliance queryable using GraphQL, and what it changes on the software principle.
Designing an Ansible Automation Platform cluster is not as easy as it looks. Specifically when everything is spread over the globe and should be high available.
In today’s Cloud Native world, dependencies are everywhere. We not only think about Software dependencies like some random shiny Java library but we must keep up on the Helm chart used to deploy and configure the monitoring system. We need to track that container image used to run our CI environment. We must update our documentation each time requirements change.
Too often those dependencies come as a whole, they imply change management before landing on Git repositories, and too often they get ignored or pushed back until it’s too late.
In a world full of Open source everywhere, teams are both producers and consumers of changes. As producers, they are responsible for delivering the best product.
As consumers, they need to leverage as fast as possible what the ecosystem has to offer.
When it comes to automating changes, using a declarative dependency management tool can be handy to automate processes that are team specific. But not everything has to be team specific. Quite the opposite, Let’s identify together those minor changes that will improve the overall deliver-ability of the ecosystem so it benefits both producers and consumers of change.
Prometheus has options to relabel targets in order to dynamically change its configuration. That relabeling feature has seen some major improvements in the last few years. Let's see how you can simplify your Prometheus configuration or make it more flexible and fine-grained thanks to the target relabeling.
The Solarwinds hack made headlines by directly attacking the software supply chain. To mitigate such attacks in the future we need an automated approach to digitally signing and checking software components that verify the origins and authenticity of the software. The purpose of this talk is to introduce the audience to Code signing, its role in DevSecOps and get familiar with the sigstore project.
Most Puppet users have had the experience of evaluating modules on the Puppet Forge. Maybe you have too. Maybe you were comparing a handful that all claimed to meet your needs, or maybe you were just determining whether a specific module met your standards for deploying into your production environment. With tools like puppet-lint and the PDK, it's fairly straightforward to evaluate code quality. But what about the health of the project itself? Is it actively maintained? Are Forge releases kept up to date? What are the chances that the latest release was compromised with a hidden bitcoin miner?
How do you answer those sorts of questions? You probably
- Skimmed the module's README for signs of the author's diligence.
- Poked through the issue list and pull requests on the repository hosting the module source to see how responsive the maintainers were to community collaboration.
- Checked the changelog for consistency.
- Maybe you even checked the commit history to see if there were unreleased fixes, or compared tags against the published version(s).
Wouldn't it be nice to automate some of this due diligence? That's what denmark does. The Shakespeare quote refers to corruption at the top of a political hierarchy making its way down through the entire state. In the context of this tool, it means that often we can detect concerns with a project by sniffing around the edges and seeing if anything rolling downhill stinks.
Learn about how CFEngine can leverage Ansible modules for new promise types extending the policy language and functionality.
Puppet code that uses exec resources that execute interpolated string commands are often vulnerable to shell execution. This new lint check identifies many of these. This talk runs through the check and how it works, how to run the check and how to integrate it into your own CI testing. It will talk about future Forge integrations. And it will go through the process of writing a puppet-lint plugin to encourage others to write more.
Can this piece of content be trusted? Or does it meet my acceptance criteria?
These are the questions of the utmost importance.
One of the primary problems one must solve in the nowadays tricky world is to validate that content is authentic, not tampered or maliciously manipulated, and is coming from the correct trusted source.
Pulp manages and distributes content. Content, however, can come from external and different sources.
In this talk, let’s take a look at how the ability to add and store additional trusted metadata in Pulp alongside content can serve in the content attestation and verification.
CFEngine Build enables users to share / reuse / manage modules for CFEngine. All parts of it are open source; the website, the CLI, the modules themself. Come with us on a journey as we look at how it works, the architecture/technology, how it was developed, and what you can do with CFEngine Build.
Learn how to use Ansible ecosystem projects, like Ansible core, collections and AWX to build and operate internal developer platforms.
Pulp (https://pulpproject.org) enables users to organize and distribute software. This talk will be geared towards administrators of Pulp that are interested in any of the following three scenarios: replicating a Pulp instance in an internet connected location, replicating a Pulp instance in an air gapped environment, and preparing their Pulp instance for disaster recovery.
Digital transformation initiatives drive teams and organizations to transition their technology architectures to more modern concepts such as microservices, APIs and serverless frameworks. The distributed nature of these composed architectures are surfacing significant obstacles in developing continuous delivery strategies that orchestrate and support effective CI/CD practices. In this talk, Angel will discuss some challenges associated with CI/CD and composed architectures. He will also offer some strategies on how to understand and potentially solve common challenges teams face.
In 2020 I was able to share a look at a security hardening policy built for Linux systems.
It was built it using rudder.io, but my focus of the talk was more on 'strategy items'.
This talk picks up on feedback received and will focus on the technical side, covering actual policy items that should make sense for most.
The talk should serve people who want to harden their systems just as well as those who just want to hear some ideas. It will be sufficient to have understanding of templating and a general feeling that security matters and image sprawl is best left in the early 2000s.
Collecting Observability data with eBPF aims to help Dev, Ops, and SREs to debug and troubleshoot incidents. Data requires storage, visualization, and verification: Do the Service Level Objectives (SLOs) match, dashboards visualize useful data correlation, network service maps make sense, and what about security policies?
Simulating a production incident is challenging. Chaos engineering enables teams to break things in a controlled environment and verify alerts, SLOs, and data accuracy. Which data retention cycle is best, and which dashboards reduce the mean-time-to-response? Anomaly detection and forecasting would be great too.
This talk dives into the learning steps with eBPF and discusses traditional metrics monitoring and future Observability data collection, storage and visualization. Learn from hands-on examples with chaos experiments that attempt to break eBPF probes, data collection, and policies in unexpected ways … and bring new perspectives into cloud-native reliability.
Do you work in a large organization with multiple teams? Service owners have different priorities than Infrastructure and Security teams and likely different change management processes, too. Do you have local forks of Forge modules? Is upgrading a module difficult because various teams have to agree and test? This talk discusses how layering control repositories can be used in conjunction with CI/CD to solve these issues while reducing risk in your deployments.
From KubeCon to ContainerDays, eBPF is trendy in the Cloud Native world. What is eBPF, and why is it revolutionary, and what can it bring to you specifically?
Through concrete examples applied to observability, networking, and security, this talk will explain the principles of eBPF and its concrete advantages to connect and secure Cloud Native applications.
Firewall Builder is an easy firewall configurator for Linux
Pulp is a platform for managing repositories of content, such as software packages, and making them available to a large number of consumers.
With Pulp you can:
Locally mirror all or part of a repository
Host your own content in a new repository
Manage content from multiple sources in one place
Promote content through different repos in an organized way
If you have dozens, hundreds, or thousands of software packages and need a better way to manage them, Pulp can help.
Pulp is completely free and open-source!
In this talk, we will introduce the pulp operator
https://docs.pulpproject.org/pulp_operator/
And explore how we can easily deploy pulp on kubernetes/openshift
Deploying a Thanos setup across multiple Kubernetes clusters has quite some moving parts: all the Thanos components themselves, cloud storage buckets, Prometheus instances, Alertmanagers, TLS certificates for the GRPc connections, ... Managing all that can be a chore, but Terraform is an excellent candidate to automate away the complexity. By combining Terraform, K8s operators and a few special tricks, this talk will introduce a way of working where adding a new k8s cluster to your setup is just a matter of applying a terraform module.
Managing the components of a software project via tickets and requests is time consuming. It wastes developer time to make a request and wait for the outcome. At the same time, centralized platforms governed by SRE or Platform Engineering teams require specialized knowledge and account access.
Red Hat recommends a “start small, think big” approach to automation. Event-Driven Ansible can help you get to the next level of sophistication when it comes to automating your digital landscape. Learn about this new pattern for Ansible, and see how it can help you solve problems more quickly and eliminate basic but important tasks so you can focus on your key priorities and deliverables.
In this session we will:
- Explain Event-Driven Ansible
- Describe the architecture and relation between its components
- Walk you through example automatic remediation use cases
- Show you some getting started tips for writing Ansible Rulebooks
And much more! Join us in this session to understand how to advance on your automation journey with event driven automation. Deliver IT services faster and more efficiently, as you carve out time to work more normal business hours and even sleep more.
The Foreman community maintains a collection of over 70 Ansible modules for interaction with the Foreman API and the various plugin APIs. At cfgmgmtcamp 2020 we talked about the first four years of that journey and promised you quite a lot for the future.
Today we want to talk what those three years allowed us to achieve, how priorities shifted and what else happened.
Including:
- Three major releases: 1.0.0 (2020), 2.0.0 (2021), 3.0.0 (2021) 🥳
- 27 releases in total (since 0.4.0)
- Over 1.2 million downloads on Galaxy
- 21 new roles
redhat.satellite
collectiontheforeman.operations
collection
And of course we will also talk about what we think is next!
This talk is about mindsets and techniques for working as a content developer as part of a devOps team. Content developers combine technical writing with CI/CD tooling to create pipelines that connect cross-functional teams and enable them to share knowledge and expertise in an impactful way. What's more content developers play a vital role in lowering the barrier to entry for users and tell a complete user story via documentation.
CFEngine Build, the new website and tooling to facilitate sharing and consuming CFEngine related content was released in 2020. During this talk The Agent is In, we will live on the edge and write and publish a new module for CFEngine build live. Join us to see if Nick will be able to keep his promise.
Ever wondered how to automate "pulumi up" on a Cloud infrastructure?
This talk will walk you through it an automated pipeline with
* Pulumi (python code)
* Cloud Build
and will demo an infrastuctural build and a change to it.
pulumi #python #gcp #cloudbuild
Multi-cluster topologies are a key part of Kubernetes: organisations gain many benefits using multiple clusters, such as increased scale, bespoke APIs, blast radius reduction and more. However, multi-cluster deployments also increase complexity.
This talk will examine how we can use open-source technologies to create a platform from multiple Kubernetes clusters and manage this complexity. We will explore creating a bespoke API tailored to the needs of your organisation, and mapping this high-level API to low-level resources across clusters. We will also cover how to avoid the trap of treating many clusters like one cluster, and how to leverage the benefits of multiple clusters. The talk will include a demo of Kratix, an open-source framework for delivering Platform-as-a-product.
On a rainy Monday morning the new Team Lead requested test environments for their latest proof of concepts.
While searching for a solution to provide teams with sort lived environments we have looked at several solutions, from namespaces on a shared cluster, all the way to fully fledged Terraform managed environments.
While you can provision Kubernetes clusters for all teams, our current setup does not make that easy. As the Platform Team we like to keep our focus on operating the primary systems and not drown in requests for new environments.
In this talk I'll show how we finally solved the requests from the teams by utilizing the CNCF vClusters project to give freedom to dev teams while not breaking the bank with hundreds of clusters.
I would like to present some basic ideas around using CFEngine to manage your homedir/workstation.
Related but extending this blog: https://cfengine.com/blog/2020/personal-policy/
Breakfast
FREE Coffee, Tea, Fruit Juice, Water, Croissant, and breakfast snacks
The Ansible Contributor Summit is a full day working session especially for community contributors to interact with one another, as well as with Ansible development teams (Core, AWX, Galaxy etc.). We will discuss important issues affecting the Ansible contributor community to help shape the future of Ansible, with a focus on improving collaboration with our contributors.
In a world where the boundary between applications and infrastructure becomes thinner by the day, how do you link your application services to infrastructure provisioning?
In this workshop, we will simulate the case of a service provider who needs to set up a tenant when a new customer signs up. We will use the Pulumi Automation API to embed Pulumi as part of the solution.
Every participant can tailor the workshop in such a way it applies to their own company (or employer).
Come by our fringe event / room for a chat with the CFEngine team. You can ask questions, suggest features, get free tech support, or sit down to work on your next module.
Container workloads and their orchestrations brings new challenges for networking and observability.
With micro-services architectures increasing the amount of east-west traffic, transient IPs making it harder to correlate network information with workload identity, and application logic split into a multitude of components, traditional SDN approaches are reaching their limit.
Leveraging the eBPF kernel technology, Ciliium is a CNCF project which implements a performant and highly scalable CNI plugin and the while providing metadata-rich observability of the network traffic.
DevOps adoptions usually includes an evolution of processes and tool chains that enable these teams to function optimally. Modern day computing and infrastructure management is definitely shifting away from “ClickOps” management and adopting the Infrastructure as Code (IaC) way of doing business. IaC enables teams to easily define, deploy and maintain compute infrastructures in the form of code. It also provides the ability to effortlessly scale, version and audit infrastructure resources.
In this workshop, attendees will gain a basic understanding of Infrastructure as Code (IaC). They’ll be introduced to the core principles of IaC and have the opportunity to reinforce what they’ve learned in a hands on workshop featuring industry known tools such as Terraform. The workshop will demonstrate specifying, deploying and destroying a Kubernetes cluster via code. The participants will leave with a hands-on experience and understanding of what it takes to manage Infrastructure as Code using continuous delivery concepts.
The main author of https://github.com/purpleidea/mgmt/ will be around to hack on mgmt and you can help us get it closer to 1.0 =D
This event will be an opportunity for anyone that's interested in using Pulp to get together and discuss use cases with each other and Pulp developers. Participants that wish to try out Pulp as a multi-process container will be able to do so with support of other users and/or developers in the room. This event will take place during the first half of the day.
Puppet's Community Day is a space for community and contributors to engage directly with each other and collaboratively learn and make some magic. Do you have a burgeoning project you want to workshop and get feedback and ideas on? Do you want get the first glimpses at changes coming in the Puppet 8 and beyond platforms? Or maybe you'd just like to help shape the next year of the Puppet community.
Lunch
The HoGent cantina offers us a nice lunch menu.
As participants of CfgMgmtCamp, you can get a discounted special menu.
Registration is required, as a voucher presented to get the discount.
- Boeuf (beef) Stroganoff with white rice
- Veggie Stroganoff with white rice
- Vol-au-vent and Belgian fries
- Meat Lasagne
- Spinash Lasagne
Breakout Room for Ansible on Day3
How can you provide a self-service model to infrastructure for your developers, but still have all the operational and security concerns fulfilled? Pulumi Packages to the rescue!
Developers can work together with operations and security people to build out infrastructure components which have all the functional and non-functional requirements integrated. As they are software components, these can be put under source control, unit tested and properly versioned.
Not all teams in a company use or prefer the same language. Pulumi Packages allow for components to be implemented in a single language but still consumed from any of the programming languages supported by Pulumi.
Ringo will shortly explain Pulumi’s architecture, so everyone understands the process. We then start to build the components, create all the SDKs for the Pulumi supported languages and consume at least one component from another language to see all the pieces at work.