• 2023-10-31

    • gha for capability tests
      • check example in core-terraform-kong
    • check the 1.25 readiness (deprecated apis)
  • 2023-10-30

    • short day (mortgage stuff)
    • planning
    • helped out TV - yay!
    • doc changes arising from webpresence convo on slack
  • 2023-10-26 and 27 - Vacation

  • 2023-10-25

    • PPE TPR2 approved, create cluster PR imminent.
    • CEIP_4629: Capability testing
      • change inspector IAM thru terraform
        AWS_PROFILE="cortex-svc-acc-nonprod" terraform init -backend-config key=state/781632261136/dev/dataplane/terraform.state -backend-config bucket=core-elsevier-platforms-state-nonprod
        AWS_PROFILE="cortex-svc-acc-nonprod" terraform plan -target="aws_iam_role.inspector_agent_role"
        AWS_PROFILE="cortex-svc-acc-nonprod" terraform apply -target="aws_iam_role.inspector_agent_role"
        
        resource "aws_iam_role" "inspector_agent_role" {
            ~ assume_role_policy    = jsonencode(
                ~ {
                    ~ Statement = [
                        ~ {
                            ~ Principal = {
                                ~ AWS = "arn:aws:iam::781632261136:role/Cortex-Inspector" -> [
                                    + "arn:aws:iam::781632261136:role/Cortex-Inspector",
                                    + "arn:aws:iam::781632261136:role/Core-Elsevier-Platform-Service-Role-dev",
                                  ]
                              }
                              # (3 unchanged attributes hidden)
                          },
                        - {
                            - Action    = "sts:AssumeRole"
                            - Effect    = "Allow"
                            - Principal = {
                                - AWS = "arn:aws:iam::781632261136:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_EnterpriseAdmin_49b40ec9ce6b8ead"
                              }
                            - Sid       = "Statement1"
                          },
                      ]
                      # (1 unchanged attribute hidden)
                  }
              )
          }
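A check worth running after a trust-policy change like the one in the plan above, added here as an example (not the project's own code): normalise the assume-role policy, list which principals may assume the role, and flag SSO permission-set roles and anything not on an allow-list. The before/after documents are constructed from the ARNs shown in the plan output, not pulled from the live role.

```python
# Constructed samples based on the terraform plan above: the trust policy before
# the change (Cortex-Inspector plus an SSO EnterpriseAdmin statement) and after it
# (two service roles, SSO statement removed). Not the live policy document.
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::781632261136:role/Cortex-Inspector"}},
    {"Sid": "Statement1", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::781632261136:role/aws-reserved/sso.amazonaws.com/"
                          "eu-west-1/AWSReservedSSO_EnterpriseAdmin_49b40ec9ce6b8ead"}},
]}
AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": [
         "arn:aws:iam::781632261136:role/Cortex-Inspector",
         "arn:aws:iam::781632261136:role/Core-Elsevier-Platform-Service-Role-dev"]}},
]}
# Allow-list of principals that should be able to assume inspector_agent_role.
EXPECTED = {
    "arn:aws:iam::781632261136:role/Cortex-Inspector",
    "arn:aws:iam::781632261136:role/Core-Elsevier-Platform-Service-Role-dev",
}

def _as_list(value):
    """IAM accepts a string or a list in Action and Principal.AWS; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def assume_role_principals(policy):
    """AWS principal ARNs that an Allow statement lets call sts:AssumeRole."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("*", "sts:*") or a.startswith("sts:assumerole") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # anonymous trust: worst case, report it as-is
            found.add("*")
            continue
        found.update(_as_list(principal.get("AWS")))
    return found

def sso_principals(policy):
    """Human SSO permission-set roles trusted by the policy (aws-reserved/sso.amazonaws.com)."""
    return sorted(p for p in assume_role_principals(policy)
                  if "/aws-reserved/sso.amazonaws.com/" in p)

def unexpected_principals(policy, expected=EXPECTED):
    """Trusted principals not on the allow-list; non-empty means the trust policy drifted."""
    return sorted(assume_role_principals(policy) - set(expected))
```

Fed the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field), `unexpected_principals` gives a one-line drift check that can sit in the same pipeline as the terraform plan.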
        
  • 2023-10-24

    • CEIP-4629: argo structure and IAM for capability testing
      • Back and forth with Thomas and then Daniel about the right IAM role to use for tests
      • use Cortex Inspector Agent inside partner cluster
    • Advisor conversation with Khush and Daniel
    • DKP assessment review
      • 3 products: DKP?, ImageFinder, SCT
      • No DevOps engineer, contractor till Dec
      • Something uses Solr?
      • Front end talks to GraphDB assumption in same cluster
      • Imagefinder
        • RDS
        • Redis, Memcache (managed)
        • Cloudfront in prod only
        • SQS, S3
        • most critical
      • DKP
        • GraphDB
      • Arch: Ben Cox, not Richard?
        • Ryan delegate architect
        • DKP budget for contractor, may fall under Stuart White(?)
  • 2023-10-23

  • CEIP-4629: Agree how to integrate PoC with Argo application sets to provide env vars

    • IAM diagrams
    • Jsonnet transformation
  • 2023-10-19

  • kbom

    • no knowledge of helm, looks at containers since that is what may be introspected
    • lots of properties, property name looks like a URI scheme
      • eg resource kind and api group are not ‘first class’
           {
             "name": "ksoc:kbom:k8s:component:apiVersion",
             "value": "apps/v1"
           },
           {
             "name": "ksoc:kbom:k8s:component:namespace",
             "value": "newrelic"
           }
      
    • trivy, cannot get anything meaningful out of it:
      • https://aquasecurity.github.io/trivy/v0.46/tutorials/kubernetes/cluster-scanning/
         trivy k8s --report summary cluster
         2023-10-19T16:31:06.598+0100	FATAL	get k8s artifacts with node info error: running node-collector job: warning event received: Error creating: admission webhook "validate.kyverno.svc-ignore" denied the request:
        
         policy Pod/trivy-temp/node-collector-68cbf6c494-9fl9n for resource violations:
        
         disallow-host-namespaces:
           host-namespaces: 'validation error: Sharing the host namespaces is disallowed. The
             fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must not be set to true.
             rule host-namespaces failed at path /spec/hostPID/'
         disallow-host-path:
           host-path: 'validation error: HostPath volumes are forbidden. The fields spec.volumes[*].hostPath
             must not be set. rule host-path failed at path /spec/volumes/0/hostPath/'
          (FailedCreate)
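Added example (not trivy's manifest or the cluster's Kyverno policies): a pre-flight check that applies the two rule conditions quoted in the denial above to a pod spec and reports the same paths Kyverno reports, so the node-collector's host access is visible before it reaches admission. The pod specs are constructed; for a Job, the input is `.spec.template.spec`.

```python
# Constructed pod spec modelled on the denial above (hostPID set and a hostPath volume);
# it is not trivy's actual node-collector manifest. For a Job, pass .spec.template.spec.
NODE_COLLECTOR_SPEC = {
    "hostPID": True,
    "containers": [{"name": "node-collector", "image": "node-collector:placeholder"}],
    "volumes": [{"name": "var-lib-kubelet", "hostPath": {"path": "/var/lib/kubelet"}}],
}

# Constructed pod with the host access removed: what both policies would admit.
COMPLIANT_SPEC = {
    "containers": [{"name": "app", "image": "app:placeholder"}],
    "volumes": [{"name": "scratch", "emptyDir": {}}],
}

HOST_NAMESPACE_FIELDS = ("hostNetwork", "hostIPC", "hostPID")

def host_namespace_paths(spec):
    """Paths the disallow-host-namespaces rule reports: any host* flag set to true."""
    return [f"/spec/{field}/" for field in HOST_NAMESPACE_FIELDS if spec.get(field) is True]

def host_path_paths(spec):
    """Paths the disallow-host-path rule reports: every volume carrying a hostPath."""
    return [f"/spec/volumes/{i}/hostPath/"
            for i, volume in enumerate(spec.get("volumes") or [])
            if "hostPath" in volume]

def preflight(spec):
    """Policy name -> offending paths; an empty dict means the pod would be admitted."""
    findings = {
        "disallow-host-namespaces": host_namespace_paths(spec),
        "disallow-host-path": host_path_paths(spec),
    }
    return {policy: paths for policy, paths in findings.items() if paths}
```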
        
  • 1-2-1 / OKRs

    OKR 1: understanding - SBOM & crtxctl

    • apprentice able to use
    • include argo impact

    OKR 2: Capability testing

    • evaluation and choice
    • working on engineer's machine
    • test first
    • tool for confidence in releases
    • integrated in Argo for automated approach

    OKR 3: training

    • identify initial content scope of first course
    • identify relevant stakeholders
    • initial release
    • prepare roadmap for

    OKR 4: know your customer

    • ISO
    • NPS & Metrics
      • prepare and advocate
    • liaise with partners
      • how many helped
      • identified blockers such as Raven

2023-10-18

  • CEIP-4139: argo / robot
    • further clean up, iam, review comments, README
    • start on metrics server
    • start on build / publish GHA
  • OKRs
    • dump 2, add 2
  • CEIP-4646 - cleanup crtxctl diff

2023-10-17

  • check status of few items in cortex-warnings
  • CEIP-4139: argo / robot
    • repease apiserver access thru second calico policy
    • investigate finaliser failure
    • metrics server must be up!!!!!
  • PPE TPR2
    • James wants a better diagram showing cluster deployment

2023-10-16

  • Metrics done by Felipe?
    • they are now
  • CEIP-4139: argo / robot
    • Liam reverted his attempt to expose CoreDNS to pods (fargate related)

    • GHA for image

2023-10-13

  • CEIP-4139: argo / robot
    • now run calico tests rather than just cortex
    • enable parity in local and incluster running
    • remove finalizers when namespace refuses to disappear: export NAMESPACE=capability-testing; kubectl get ns ${NAMESPACE} -o json | jq '.spec.finalizers = []' | kubectl replace --raw "/api/v1/namespaces/${NAMESPACE}/finalize" -f -

2023-10-12

  • dev duty - minimal

  • training follow up

  • CEIP-4139: argo / robot

    • test incluster approach as ran out of time yesterday
    • breakthru!

2023-10-11

  • training

    • re-record video
    • make updates suggested by Claire
    • review with James
  • CEIP-4139: argo / robot

    • switched to incluster config as cannot resolve aws endpoint to exec update-kubeconfig

2023-10-10

  • CEIP-4139: argo / robot terraform for assuming role - may in fact not be needed?

2023-10-09

  • CEIP-4139: argo / robot
    • back to notes from Felipe about namespace and service account

2023-10-06: vacation

2023-10-05

  • Argo/ Robot: little progress beyond conversation with Felipe / Luis on service account
  • most of day fixing GHA for crtxctl w Ashish

2023-10-04

  • half day
  • revelation of jobs running on target cluster

2023-10-03

  • booked half day off retrospectively
  • very late start after college and driving.
  • dev duty
    • Joy had already reviewed.
  • Argo capability testing
    argocd repo add git@github.com:elsevier-centraltechnology/cortex-operations.git --name cortex-operations --ssh-private-key-path ~/id_rsa
    # git push here
    argocd app get tigera-operator-cortex-build-team-dev-alpha --hard-refresh 
    argocd app sync tigera-operator-cortex-build-team-dev-alpha
    

2023-10-02

  • PPE tech assessment review: notes added to runway tracker
    • Do not publish images to Artifactory but ECR
    • Srinivas as TIO (CWS xp)
    • running own GHA
    • pact broker?
    • perf only as and when
    • EBS volumes in us east 1 -> check which kind
    • Route53 -> check external 53
    • AWS secret manager -> think using KSI
    • Apollo depends (async)
    • do have t3 and t2 in prod