Hashicorp Vault & Jenkins What is HasiCorp Vault? It is an open-source tool that helps teams and projects manage and protect sensitive data and secrets. We want to store and use secrets from vault as much as possible to: Limit secret sprawl To make it easier to rotate secrets from a central place To have finer granularity on which pipelines have access to which secrets Limit secret exposure; If Jenkins server is compromised, the secrets aren’t also compromised Store the Jenkins Secret backup separately from the main backup. Setting up a hashicorp vault instance You can follow Vault’s official documentation to setup a vault instance or use Linode / AWS marketplaces to easi setup a configured instance. ...

I’ve setup a Jenkins server to manage CI/CD for my various projects, and I want to verify if my setup is overly insecure and what things I could do improve my setups security posture. This post will serve mainly as a guide and checklist for myself. Securing the Server I used the linode marketplace to setup my instance. Securing a server is a big topic, and for now, I just want to make sure the basics are covered: ...

Backing up Jenkins Now that I have a running Jenkins instance with a few pipelines setup, I would like to be able to easily recover my setup in case something happens to the main instance. Also, it’s good practice to regularly backup things like your configurations, Jenkins, and databases. But, what do you need to back up exactly? What to Backup It depends exactly on your specific use-case and needs. Do you need to restore the exact version of plugins you had installed? Do you need access to the builds history? Do you need access to old build artifacts? Logs? Jenkins has a guide that details the minimal amount you need to backup in order to restore your pipelines which is a good start. You can add more directories to backup, like jobs, workspaces, plugins, etc.. as the need comes up. I recommend taking time to truly think of your needs and only include what’s truly necessary. ...

Automating my operations - aka DevOps As part of my day job, I regularly interact with systems such as jenkins, terraform, ansible/salt, etc.. without really understand the full power of these systems and what they enable. Time to change and dive in deeper and actually use them for my personal projects. So, what are common tasks that I need to automate: Creating / Destroying the necessary infrastructure, such as setting up VM’s with a sane default firewall with all the common dependencies pre-built into the image or installed as part of user-data. Deploying the apps to the setup machines with any necessary configuration Shutting down and restarting services Updating configuration Deploying new changes to the machines Creating a staging/dev environment to test changes in before they are deployed to production. These tasks can usually be automated and managed via: ...

Securing your Backend I’ve been learning how to use react and nextJS to build a frontend for one of my projects. I’m using Flask to build the API backend server that will provide the main functionality. I want to limit abuse of the API server and came across several options. Options CORS CORS is a mechanism that’s enforced by the browser to limit access to a server’s resources. However, since it’s only a browser enforced mechanism, a user can replay the request using another method like curl. ...

3 Podcasts I’ve been Listening to Podcasts have been around for a long time, but I’ve only started listening to podcasts around the end of 2021/early 2022. I don’t know why I had a bad image of them in my mind and resisted giving them a try. Turns out I was wrong, and podcasts have a variety of formats that aren’t just two guys talking to each other. I could’ve learned a lot while doing chores / driving around instead of listening to the same songs over and over again. ...

Here are things I would’ve found valuable when first starting out: 1. Version control (git) - beyond the basics As a Computer Student I learned and used git as part of my individual projects and group projects. But, that git knowledge was minimal. It consisted of how to check in code, commit, push to remote, resolve conflicts, create a branch, merge a branch. Working on longer term projects with a larger team required a different set of knowledge like: ...

ProxySQL What is ProxySQL? ProxySQL is a performant proxy that offloads the load from the primary mysql db by multiplexing client connection, allowing slow read queries to be redirected to db replicas, and a bunch of other features. I’m going to be focusing on query redirection and the pitfalls I encountered getting it work. Query Redirection There are two main options when it comes to query redirection: Use a different proxysql port or user and have all queries coming from that port or user to use a specific hostgroup Use the query rules to redirect specific queries that match some condition The first option requires changing the application code to use the redirection port or the other user which requires an extra connection. The second option allows specific queries to be redirected by just adding a rule to ProxySQL. At least that’s what it seemed like. ...

Original Problem We have two directories plaintext and secret, which hold the unencrypted files and their encrypted counter parts respectively. We need to detect changes to plaintext and sync them to secret. Common Methods Polling Based The simplest method is to check the directory on a regular interval (polling) for changes by walking the directory and its files and comparing it against the cached last known state. This method can be less efficient and timely than the other two methods below but it’s biggest advantage is it is the least OS dependent. ...