Thursday, April 22, 2021

Use Infrastructure as Code to achieve DevOPs at scale

What is infrastructure as code ?

changing from imperative to declarative

Adoption of IAC

we found that many companies are only starting out on their IaC journey, with 63 % companies just starting

imperative: procedural steps and doesn't define the in steps. is not reusable

declarative: you are declaring what the end step looks like and something else is doing the hard work. is model based, defines the desire end state. executes what needs to happen to achieve that desire end-state

is reusable

Operating at Scale:

management and governance

advanced security

leveling up with the self service environments

observability and monitoring

cloud financial management

Tools for IaC:

Terraform

Densify

Corestack

chef

puppet

HashiCorp Terraform:

- Tool to build, change and version control your infrastructure

- supports exisiting service providers and custom

Enterprise terraform:

workspaces

private module registry

configuration designer

Cloud Cost Optimization using Densify and Terraform:

- Densify optimizes the cost of cloud and container infrastructure in real time

- It uses SaaS based predictive analytics

- Can be enabled to constantly publish optimization recommendations

- Densify can be integrated with Terraform and these recommendations can be referenced by Terraform to enable automated optimization of every instance

- Densify + Terraform = Optimization as Code

Sunday, April 11, 2021

DevOps security

JuiceShop Org Example

Operations --- wants to ensure a system availability

Development --wants to deliver applications fast

Business value of DevOps

Customer-Centric --- 106 times faster lead time from commit to deploy

safety --- 7 times lower change failure rate

reliability and availability: time to restore less than 1 hour

Background story, development team and datacenter had different version of nodejs and also some network patching was missed by the network guy. Hence they had to come up with some plan to create a pipeline for the process.

New Environment:

TASK-1

TASK-2:

3 cloud instances

TASK3

TASK4

jenkins tower plugin

same pipeline step:

stage('deploy cloud instances with tower'){

node {

ansibleTower(

towerServer: 'JuiceShop Tower',

templateType: 'workflow',

jobTemplate: 'Cloud instances workflow')

same ansible module for cloud:

ec2:

count_tag:

exact_count: "{{ec2_count}}"

instance_tags:

Name: ec2_devops

function: webservers

Configure virtual server:

-name: Create JuiceShop App VS

bigip_virtual_server:

description: AnsibleJuiceShopVIP

destination: "{{f5_private_shop}}"

pool: AnsibleJuiceShopPool

workflow : functionality on ansible tower that allows to use small pieces of automation to solve complex problems

dynamic inventory: connect all the metadata and make it available for rest of the automation

What is the achieve at the end ??

frequent release and clean release

automation testing

faster infrastructure and consistent

configured load balancer

Now a hacker wants to run some basic phising and able to bypass the security getting admin privilege and got in:

sql injection attack: when malicious user is able to interact with database directly

cross site scripting attack: execute hacker's malicious code from the website

This can be pretty detrimental both for the customers and application

One more test ?

How is credit card stored?

in text and can access the customer's credit card records

What went wrong ? Where was security ??

---- How the ansible automation platform helped juiceShop ??

Ansible security automation might help:

1.Hardening: auditing existing systems . patching vulnerabilities.enforcing least privilege on systems

2. Compliance Management: implementing regulatory standards

3. Response and remediation: investigation enrichment , threat , hunting and incident response

Write a new playbook :

security integrated into juiceshop pipeline

some security terms:

static code analysis

dynamic code analysis

network isolation or micro segmentation: when hacker got access to one system, it would be isolated an no other systems would be accessible

Secured JuiceShop App Deployment:

Tuesday, April 6, 2021

Github ssh shenanigans for Macbook

Generating a new SSH key and adding it to the ssh-agent

After you've checked for existing SSH keys, you can generate a new SSH key to use for authentication, then add it to the ssh-agent.

Open Terminal.
Paste the text below, substituting in your GitHub email address.
```
$ ssh-keygen -t ed25519 -C "your_email@example.com"
```
Note: If you are using a legacy system that doesn't support the Ed25519 algorithm, use:
```
$ ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
```
This creates a new ssh key, using the provided email as a label.
```
> Generating public/private ed25519 key pair.
```
When you're prompted to "Enter a file in which to save the key," press Enter. This accepts the default file location.
```
> Enter a file in which to save the key (/Users/you/.ssh/id_ed25519): [Press enter]
```

At the prompt, type a secure passphrase. For more information, see "Working with SSH key passphrases".

> Enter passphrase (empty for no passphrase): [Type a passphrase]
> Enter same passphrase again: [Type passphrase again]

Adding your SSH key to the ssh-agent

Before adding a new SSH key to the ssh-agent to manage your keys, you should have checked for existing SSH keys and generated a new SSH key. When adding your SSH key to the agent, use the default macOS ssh-add command, and not an application installed by macports, homebrew, or some other external source.

Start the ssh-agent in the background.

$ eval "$(ssh-agent -s)"
> Agent pid 59566

If you're using macOS Sierra 10.12.2 or later, you will need to modify your ~/.ssh/config file to automatically load keys into the ssh-agent and store passphrases in your keychain.
- First, check to see if your ~/.ssh/config file exists in the default location.
```
$ open ~/.ssh/config
> The file /Users/you/.ssh/config does not exist.
```
- If the file doesn't exist, create the file.
```
$ touch ~/.ssh/config
```
- Open your ~/.ssh/config file, then modify the file, replacing ~/.ssh/id_ed25519 if you are not using the default location and name for your id_ed25519 key.
```
Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_ed25519
```
  Note: If you chose not to add a passphrase to your key, you should omit the UseKeychain line.
Add your SSH private key to the ssh-agent and store your passphrase in the keychain. If you created your key with a different name, or if you are adding an existing key that has a different name, replace id_ed25519 in the command with the name of your private key file.
```
$ ssh-add -K ~/.ssh/id_ed25519
```
Note: The -K option is Apple's standard version of ssh-add, which stores the passphrase in your keychain for you when you add an ssh key to the ssh-agent. If you chose not to add a passphrase to your key, run the command without the -K option.
If you don't have Apple's standard version installed, you may receive an error. For more information on resolving this error, see "Error: ssh-add: illegal option -- K."
Add the SSH key to your GitHub account.

Adding a new SSH key to your GitHub account

To configure your GitHub account to use your new (or existing) SSH key, you'll also need to add it to your GitHub account.

Before adding a new SSH key to your GitHub account, you should have:

After adding a new SSH key to your GitHub account, you can reconfigure any local repositories to use SSH. For more information, see "Switching remote URLs from HTTPS to SSH."

Note: DSA keys (SSH-DSS) are no longer supported. Existing keys will continue to function, but you cannot add new DSA keys to your GitHub account.

Copy the SSH public key to your clipboard.
If your SSH public key file has a different name than the example code, modify the filename to match your current setup. When copying your key, don't add any newlines or whitespace.
```
$ pbcopy < ~/.ssh/id_ed25519.pub
# Copies the contents of the id_ed25519.pub file to your clipboard
```
Tip: If pbcopy isn't working, you can locate the hidden .ssh folder, open the file in your favorite text editor, and copy it to your clipboard.
In the upper-right corner of any page, click your profile photo, then click Settings.
In the user settings sidebar, click SSH and GPG keys.
Click New SSH key or Add SSH key.
In the "Title" field, add a descriptive label for the new key. For example, if you're using a personal Mac, you might call this key "Personal MacBook Air".
Paste your key into the "Key" field.
Click Add SSH key.
If prompted, confirm your GitHub password.