XKCD 2347 comes to mind, but I don't feel like laughing.
13.08.2025 20:15
@schnatterer.info.bsky.social
Software engineer, author, speaker. Field CTO of Cloudogu. My particular interests are #k8s, #GitOps, #PlatformEngineering, #o11y, #IaC, #DevOps technical leadership and of course #FLOSS/ #FOSS/ #OSS. I like owning my data and devices.
An important building block of many cloud-native architectures just had to stop maintenance:
#ExternalSecretsOperator #ESO.
github.com/external-sec...
The unfortunate fate of so many open source projects: We all use them, but we don't support them. Maintainers burn out.
Facing challenges with air-gapped envs or multi-tenant architectures?
I'd love to hear from you! Schedule here:
platform.cloudogu.com/person/johan...
Our goal is to provide a simple UX to platform admins:
Add one file to git, a new tenant gets rolled out.
Change one version number in git, all tenants get upgraded.
#GitOps at its best!
3/x
The next big thing we are working on is the option to roll out dedicated instances per tenant, that are managed centrally.
Kind of like an IDP as a Service (Is #IDPaaS a thing?)
2/x
Diagram showing all parts of GOP K8s-Cluster containing Vault, External Secrets Operator, Grafana, Prometheus, Ingress-nginx, Argo CD. Next to it, Cloudogu Ecosystem containing SCM-Manager and Jenkins. Air-Gapped presenting the challenges: Argo CD: No fetching helm charts from the internet K8s Cluster: No fetching images from the internet Jenkins: No fetching plugins, images, libs, packages, build packs, maven wrapper, etc. from the internet
Diagram depicting Multi-tenant Architecture. One Management Cluster/NS and two Tenant Cluster/NS. Inside of each are Management/Tenant Git Repos and Cluster Resources: Argo CD, Vault, Grafana, External Secrets Operator. Inside the Management Cluster/NS is also GOP. Inside the Tenant Cluster/NS are also Tenant Applications written in TypeScript, PHP, Python, NodeJS, C#, GO or Java. Arrows show a sequence: 1. Platform Admin Creates, Updates or Deletes Tenant in Management Git Repos 2. Management Argo CD Reads Management Git Repos 3. Argo CD Runs GOP 4. GOP inits Management and Tenant Repos 5. Management Argo Deploys Cluster Resources 6. Tenant Argo CDs read Tenant Git Repos 7. Tenant Argo CDs deploy Tenant Applications
#GitOpsPlayground (GOP) version 0.11.0 finally facilitates running in air-gapped environments:
It can provide standardized #IDP's,
even when they are #airgapped,
even when they run on #OpenShift.
github.com/cloudogu/git...
1/x
The central elements are the PromotionStrategy and CommitStatus CRDs.
This has the potential to replace promotion CI pipelines
github.com/argoproj-lab...
ArgoCon: Upgrade on the future experience of UI promotion
@crenshaw-dev.bsky.social and Zach Aller give a sneak peek on what automatic promotion between envs could look like in the future with Argo Project CD.
www.youtube.com/watch?v=Usi3...
Here is an example
github.com/prometheus-c...
While contributing to the kube-prometheus-stack chart last year, #TDD helped me to grasp input and output, especially when dealing with several values.
I would start using helm-unittest for every new helm chart project.
Does anyone have different experiences? Are there any contending frameworks?
Terminal emulator showing this command:
```
helm unittest . -f unittests/prometheus/scrape_config_selector_test.yaml
```
And its output:
```
PASS  test scrapeConfigSelector  unittests/prometheus/scrape_config_selector_test.yaml

Charts:      1 passed, 1 total
Test Suites: 1 passed, 1 total
Tests:       4 passed, 4 total
Snapshot:    0 passed, 0 total
Time:        152.612251ms
```
YAML definition of a Helm unit test. Test file can be found at this URL https://github.com/prometheus-community/helm-charts/blob/1251b0/charts/kube-prometheus-stack/unittests/prometheus/scrape_config_selector_test.yaml
Who writes #unittests for #helm #charts?
Same as for code, they speed up development and prevent recursions.
The helm-unittest plugin makes them easy to use.
github.com/helm-unittes...
I found helm-unittest easy to read, write and execute. See for yourself
For our next release after 2025030800, we've added support for the Android 15 QPR2 Terminal for running other operating systems using hardware virtualization. It's currently only a terminal but Android is adding support for graphics and GPU acceleration for a future release.
09.03.2025 14:27
Do you have exciting news or want to share your experiences around #PlatformEngineering #DeveloperExperience & Co?
Then we look forward to your submissions to the #CallforProposals for the #CLC_Conf in November!
@ixmagazin.bsky.social @dpunkt.bsky.social
See here for details:
github.com/kubernetes/i...
An example for blocking access to a path via ingress:
```
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-metrics-blocker
  namespace: my-ns
  labels:
  annotations:
    acme.cert-manager.io/http01-ingress-class: nginx
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    # Allow access from within the cluster only
    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8
spec:
  tls:
    - hosts:
        - "example.com"
      secretName: example-certificate
  rules:
    - host: "example.com"
      http:
        paths:
          - path: /metrics
            pathType: Prefix
            backend:
              service:
                name: my-svc
                port:
                  number: 8080
```
A more secure alternative would be to get rid of the annotation.
The best I could come up with is an additional ingress that only allows access to the path from within the cluster.
Who can provide an easier solution?
An insecure workaround is to allow these annotations via values.yaml:
```
# ingress-nginx chart values: both settings sit under the controller key
controller:
  allowSnippetAnnotations: true
  config:
    annotations-risk-level: Critical
```
Heads up #ingressNginx users!
Controller version 1.12 / chart 4.12, contains breaking changes.
Even though a minor release, one change blocks risky annotations like the 'snippet' annotations.
These are often used to block access to specific URLs, like /metrics.
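A pre-upgrade check for the change described above, as an added example that is not part of the original posts: it lists Ingress objects that still carry snippet annotations, reading the JSON shape produced by `kubectl get ingress -A -o json`. The function name, the `-snippet` suffix match and the sample objects are assumptions made for illustration.

```python
import json

# Assumption: annotation prefix of a default ingress-nginx installation.
PREFIX = "nginx.ingress.kubernetes.io/"

# Constructed sample in the shape of `kubectl get ingress -A -o json`.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "my-ns", "name": "app",
                  "annotations": {
                      PREFIX + "server-snippet":
                          "location /metrics { deny all; }"}}},
    {"metadata": {"namespace": "my-ns", "name": "example-metrics-blocker",
                  "annotations": {
                      PREFIX + "whitelist-source-range": "10.0.0.0/8"}}},
    {"metadata": {"namespace": "other", "name": "no-annotations"}},
]})


def find_snippet_ingresses(ingress_list_json):
    """Return sorted (namespace, name, annotation) tuples, one per snippet annotation."""
    findings = []
    for item in json.loads(ingress_list_json).get("items", []):
        meta = item.get("metadata", {})
        # `annotations` may be absent or null on an Ingress.
        for key in (meta.get("annotations") or {}):
            # Heuristic (assumption): snippet annotations end in "-snippet".
            if key.startswith(PREFIX) and key.endswith("-snippet"):
                findings.append((meta.get("namespace", "default"),
                                 meta.get("name", "?"),
                                 key[len(PREFIX):]))
    return sorted(findings)


if __name__ == "__main__":
    for ns, name, annotation in find_snippet_ingresses(SAMPLE):
        print(f"{ns}/{name}: uses {annotation}, review before upgrading")
```

Against a live cluster, pass the output of `kubectl get ingress -A -o json` to `find_snippet_ingresses` instead of `SAMPLE`.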
UPDATE
No, the charts were deleted accidentally and are now back on.
github.com/artifacthub/...
Nothing to be found in the announcements
github.com/bitnami/char...
blog.bitnami.com/2024/11/bitn...
ArtifactHub Page of Bitnami organization:
artifacthub.io/packages/sea...
ArtifactHub Page of Helm Chart bitnami/mongodb: artifacthub.io/packages/hel...
ArtifactHub Page of Helm Chart bitnami/mongodb showing: "Sorry, the package you requested was not found."
ArtifactHub Page of Bitnami organization, showing only one remaining helm chart.
Wait, did #Bitnami remove their charts from #ArtifactHub?
I understand they launched premium, introducing rate limit and DockerHub and stopped supporting non-LTS versions in their free tier.
But leaving ArtifactHub? Why?
Can someone share insights here?
Sidenote: I have to add on top of the rate limits, Bitnami also stops maintaining LTS branches, so if you're using tools like Postgresql MongoDB you'll only get support for the latest major version
13.01.2025 08:14
I'm curious about what the rather quick stint through the Trough of Disillusionment ahead will cause.
Here are my predictions for 2025:
gitops-book.dev/blog/2025-01...
What are your predictions or expectations for 2025 in terms of GitOps?
Did I miss any progress on promotion UX in the flux ecosystem?
Gartner Hype Cycle Diagram for Emerging Technologies 2024, showing, among other things, GitOps almost in the center, almost at the top of the Peak of inflated expectations, color-coded in white, which means Plateau will be reached in <2 years.
Gartner Hype Cycle Diagram for Emerging Technologies 2023, showing, among other things, GitOps in the lower left corner, in the innovation trigger section, color-coded in light blue, which means Plateau will be reached in 2-5 years.
Gartner Hype Cycle Diagram for Software Engineering 2022, showing, among other things, GitOps in the lower left corner, in the innovation trigger section, color coded in light blue, which means Plateau will be reached in 2-5 years.
Gartner Hype Cycle Diagram for Agile and DevOps 2021, showing, among other things, GitOps in the lower left corner, in the innovation trigger section, color coded in light blue, which means Plateau will be reached in 2-5 years.
In 2024 #GitOps reached the peak of inflated expectations.
It could be reaching the plateau of productivity in less than two years, so Gartner predicts.
That's some major progress after being stuck in the lower left corner for as far as I can remember. Which is 2021
Authenticate with DockerHub
And of course, sign up for bitnami premium
Use a pull through mirror for images, like mirror.gcr.io, which is automatically in place in GKE, for example but can be configured to be used locally. See cloud.google.com/artifact-reg...
Use official Charts and Images if possible.
For example, there is the registry.k8s.io/kubectl since 1.28.0
This impacts their Docker images and might impact their Helm Charts as well.
What can we do about it?
Pull charts from this "registry" (index.yaml at GitHub) https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
bitnami by VMware Tanzu logo
#Bitnami rate limit for DockerHub became effective on January 6. What to do about it?
On rather short notice, bitnami introduced rate limits on their DockerHub Account, "due to business and partner requirements".
github.com/bitnami/cont...
argocd-diff-preview generates diffs using ephemeral #k8s clusters that can then be easily commented on PRs and basically integrates with all CI and SCM systems.
www.youtube.com/watch?v=3aeP...
4/4
gitops-promoter, still in development in argo labs, together with a new hydrating phase inside Argo CD, might bring merging and Pull Request (for now with GitHub only) integration into Argo CD.
www.youtube.com/watch?v=2JmL...
3/