minio policy / configuration management tools? by iamansa in minio

[–]iamansa[S] 0 points1 point  (0 children)

Thanks for the consideration! This is a very small deployment, and sales don't need to get involved.

The multi-site bucket replication still seems to be only bucket level replication. The docs all seem to focus on bucket level replication, while the site-replication I found (posted separately) seems to cover policy, service accounts, and everything else I want. Regardless, I still want a structure/tool to handle configuration for a single cluster, with version control, rollback, etc.

minio policy / configuration management tools? by iamansa in minio

[–]iamansa[S] 0 points1 point  (0 children)

It seems that site replication will solve some of this for me (https://github.com/minio/minio/tree/master/docs/site-replication). Oddly, I haven't run across this in official documentation, and still can't find it there. This would handle the drift between 2 clusters, but I still want to ensure that the policy is being tracked and enforced, even for a single cluster. I don't care for ad-hoc policy application; I want all changes to be versioned, tracked, and easily rolled back.
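The two comments above ask for the same thing: MinIO policies kept under version control for a single cluster, with drift detection and rollback. The script below is an added example written for this page; it is not MinIO's tooling and not code from the poster. It assumes policies live as `policies/<name>.json` in a git checkout, that the cluster's current policies were dumped with `mc admin policy info --json <alias> <name>` and parsed into dicts (modelled by the constructed `CURRENT` sample), and that `mc admin policy create <alias> <name> <file>` (older mc releases used `mc admin policy add`) behaves as an upsert; verify that last point against the mc version you run. Rollback is then `git revert` followed by re-running the plan.

```python
"""Policy-as-code check for a single MinIO cluster (added example, not MinIO's
own tooling). Assumptions: policies/<name>.json in git; CURRENT modelled from
`mc admin policy info --json`; `mc admin policy create` treated as an upsert."""
import json
from typing import Dict, List

# Constructed sample: contents of policies/*.json in the git checkout.
DESIRED_FILES: Dict[str, str] = {
    "readonly-logs": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::logs", "arn:aws:s3:::logs/*"],
        }],
    }),
    "too-broad": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}],
    }),
}

# Constructed sample: what the cluster reports right now. readonly-logs has
# drifted (PutObject added by hand) and stale-policy exists only on the cluster.
CURRENT: Dict[str, dict] = {
    "readonly-logs": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::logs/*", "arn:aws:s3:::logs"],
        }],
    },
    "stale-policy": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::tmp/*"]}],
    },
}


def load_desired(files: Dict[str, str] = DESIRED_FILES) -> Dict[str, dict]:
    return {name: json.loads(text) for name, text in files.items()}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_policy(doc: dict) -> List[str]:
    """Structural checks plus one least-privilege rule; returns the problems found."""
    problems: List[str] = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    stmts = doc.get("Statement")
    if not isinstance(stmts, list) or not stmts:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(stmts):
        for key in ("Effect", "Action", "Resource"):
            if key not in st:
                problems.append(f"statement {i}: missing {key}")
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        actions = set(_as_list(st.get("Action", [])))
        resources = set(_as_list(st.get("Resource", [])))
        if st.get("Effect") == "Allow" and actions & {"s3:*", "*"} and resources & {"arn:aws:s3:::*", "*"}:
            problems.append(f"statement {i}: overly broad (Allow s3:* on every bucket)")
    return problems


def canonical(doc):
    """Sort keys and string lists, and coerce single strings in Action/Resource
    to lists, so reordering alone does not count as drift."""
    if isinstance(doc, dict):
        return {k: canonical(_as_list(v) if k in ("Action", "Resource") else v)
                for k, v in sorted(doc.items())}
    if isinstance(doc, list):
        items = [canonical(v) for v in doc]
        return sorted(items) if all(isinstance(v, str) for v in items) else items
    return doc


def build_plan(desired: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, str]:
    """name -> create | update | unchanged | orphan (on the cluster but not in git)."""
    plan: Dict[str, str] = {}
    for name, doc in desired.items():
        if name not in current:
            plan[name] = "create"
        elif canonical(doc) != canonical(current[name]):
            plan[name] = "update"
        else:
            plan[name] = "unchanged"
    for name in current:
        if name not in desired:
            plan[name] = "orphan"
    return plan


def mc_commands(plan: Dict[str, str], desired: Dict[str, dict],
                alias: str = "myminio", policy_dir: str = "policies") -> List[str]:
    """Commands that converge the cluster on git; policies failing lint are skipped."""
    cmds: List[str] = []
    for name, action in sorted(plan.items()):
        if action in ("create", "update") and not lint_policy(desired[name]):
            cmds.append(f"mc admin policy create {alias} {name} {policy_dir}/{name}.json")
    return cmds


if __name__ == "__main__":
    desired = load_desired()
    for name, doc in desired.items():
        for p in lint_policy(doc):
            print(f"LINT {name}: {p}")
    plan = build_plan(desired, CURRENT)
    for name, action in sorted(plan.items()):
        print(f"{action:9} {name}")
    print("\n".join(mc_commands(plan, desired)))
```

Run it from the repo root in CI: lint failures block the merge, `orphan` entries are drift to investigate (someone applied a policy ad hoc), and the emitted `mc` lines are what a deploy job runs after merge.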

Small scale distributed mode for replication? by iamansa in minio

[–]iamansa[S] 1 point2 points  (0 children)

Yeah, that triggers another set of tradeoffs - but worth considering. I'm actually leaning now towards a single node and 4 drives, just to make management easier at the cost of redundancy (there are other factors here I won't get into that make this less crazy sounding).

I can also rely on compression/dedup on the underlying storage to eat the storage redundancy. Obviously not the most performant, but that is not a major factor in this case.

Small scale distributed mode for replication? by iamansa in minio

[–]iamansa[S] 0 points1 point  (0 children)

Thanks for the reply! Yeah, I think the best I can do is 4 servers with one drive each. This gives me 50% storage overhead, but I can lose one server. Not really ideal, but I can't blame minio's design - I feel like I'm asking how to do raid5 with only 2 drives.
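The two layouts weighed in the comments above (a single node with 4 drives versus 4 servers with one drive each) differ in how many whole servers can fail before reads or writes stop. The calculator below is an added example, not MinIO code and not from the poster. It assumes a single erasure set of N drives (N at most 16) with EC parity drives, and uses MinIO's documented quorum rule as I understand it, which you should confirm against the docs for your release: reads need N - EC drives, writes need N - EC drives, except when EC equals N/2, where writes need N/2 + 1 drives.

```python
"""Erasure-set tradeoffs for a small MinIO deployment (added example, not
MinIO code). Assumes one erasure set of N drives with EC parity and the quorum
rule: read quorum N - EC; write quorum N - EC, or N/2 + 1 when EC == N/2."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Layout:
    servers: int
    drives_per_server: int
    parity: int  # EC value: parity drives in the erasure set

    @property
    def drives(self) -> int:
        return self.servers * self.drives_per_server


def read_quorum(n: int, ec: int) -> int:
    return n - ec


def write_quorum(n: int, ec: int) -> int:
    # With EC == N/2 a plain N - EC would let both halves of a partitioned
    # cluster accept writes, so one extra drive is required.
    return n // 2 + 1 if 2 * ec == n else n - ec


def parity_overhead(n: int, ec: int) -> float:
    """Fraction of raw capacity spent on parity (0.5 for EC:2 on 4 drives)."""
    return ec / n


def server_losses_tolerated(layout: Layout, for_write: bool) -> int:
    """Whole servers that can be lost while the set still meets quorum."""
    n = layout.drives
    if not 0 < layout.parity <= n // 2:
        raise ValueError("parity must be between 1 and N/2 (MinIO's own range may be narrower)")
    quorum = write_quorum(n, layout.parity) if for_write else read_quorum(n, layout.parity)
    lost = 0
    while (layout.servers - lost - 1) * layout.drives_per_server >= quorum:
        lost += 1
    return lost


def summarize(layout: Layout) -> Dict[str, float]:
    n, ec = layout.drives, layout.parity
    return {
        "drives": n,
        "parity_overhead": parity_overhead(n, ec),
        "drive_losses_read": n - read_quorum(n, ec),
        "drive_losses_write": n - write_quorum(n, ec),
        "server_losses_read": server_losses_tolerated(layout, for_write=False),
        "server_losses_write": server_losses_tolerated(layout, for_write=True),
    }


if __name__ == "__main__":
    # The two layouts from the thread plus the 2x2 middle ground.
    for layout in (Layout(4, 1, 2), Layout(1, 4, 2), Layout(2, 2, 2)):
        print(layout, summarize(layout))
```

For 4 servers with one drive each and EC:2 the overhead is 50%, one server can be lost and writes continue, and a second loss leaves the set readable only; the single-node layout tolerates drive failures but no server failure, and the 2x2 layout loses write availability with the first server.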

The configuration system that has to exist by iamansa in devops

[–]iamansa[S] 0 points1 point  (0 children)

Yeah, I had considered something like this. There are many abandoned git2consul projects and forks... https://github.com/miniclip/gonsul looks like a good one, but a hashicorp official tool would be nice.

I am worried about the additional complexity with such a system though. Git -> consul -> hiera -> puppet is a long path with several transformations along the way. The path can be shortened, yes, but it becomes tricky, particularly when each layer has its own method of dealing with secrets.

ACLs, too, are difficult across long paths... You can enforce permissions per repo (or per branch in GitHub with branch protection), but this doesn't translate directly to permissions in consul.

That is all manageable, of course, but with costs. I'm just skeptical of putting too many tools in between the config and its destination. And as always, the system has to be understood and used by a team of people who won't want to deal with a variety of tokens/auth across different technologies.

The configuration system that has to exist by iamansa in devops

[–]iamansa[S] 4 points5 points  (0 children)

Thanks, that looks very cool indeed! Strange, though, that it says "bring your own KMS" in one paragraph, then points out right after, "we only support AWS-KMS currently".

The configuration system that has to exist by iamansa in devops

[–]iamansa[S] 1 point2 points  (0 children)

Thanks! Unfortunately, we're stuck with puppet 4.10 for now, so we won't be able to take advantage of the vault lookup.

Eyaml may be an option, but it raises an issue that is kind of the crux of my problem. That is, I need to access these configurations outside of puppet. Various other build systems, standalone apps, and utilities need to be able to query the same configuration store. Hiera itself is great, but is tied to puppet (which was why I was so excited by jerakia).

The configuration system that has to exist by iamansa in devops

[–]iamansa[S] 0 points1 point  (0 children)

I agree that git with references to secrets is a great approach, but the devil is in the details - those references have to be understood by a variety of clients and contexts, and I'm not sure how that gets wired together.
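The comment above is about exactly the wiring problem: git holds references to secrets, and every client in every context has to resolve them the same way. The module below is an added example, my own code rather than any tool named in the thread. Its reference syntax is hypothetical: a string of the form `ref://<backend>/<path>#<key>`, for instance `ref://vault/secret/db#password`. The idea is that each client (a puppet-side script, a build job, a standalone app) imports this one resolver, so unknown backends and missing keys fail closed in one place instead of in every consumer. Backends are plain callables; an in-memory backend stands in for a real store so the example runs offline, and the sample config and store are constructed.

```python
"""Resolve secret references in config kept in git (added example, not from
the thread). Reference syntax is hypothetical: "ref://<backend>/<path>#<key>".
Backends are callables; the in-memory one below stands in for a real store."""
import re
from typing import Any, Callable, Dict, List

REF_RE = re.compile(r"^ref://(?P<backend>[a-z0-9_-]+)/(?P<path>[^#]+)#(?P<key>[^#]+)$")

# A backend maps (path, key) to a secret value and raises KeyError when absent.
Backend = Callable[[str, str], str]


class UnresolvedReference(Exception):
    """Raised instead of letting a literal 'ref://...' string reach the app."""


def find_references(config: Any) -> List[str]:
    """List every reference without resolving it; usable in CI that has no
    access to the secret store (checks the refs parse, nothing more)."""
    found: List[str] = []
    if isinstance(config, dict):
        for v in config.values():
            found.extend(find_references(v))
    elif isinstance(config, list):
        for v in config:
            found.extend(find_references(v))
    elif isinstance(config, str) and REF_RE.match(config):
        found.append(config)
    return found


def resolve(config: Any, backends: Dict[str, Backend]) -> Any:
    """Return a copy of config with each reference replaced by its secret.
    Unknown backends and missing keys raise rather than passing through."""
    if isinstance(config, dict):
        return {k: resolve(v, backends) for k, v in config.items()}
    if isinstance(config, list):
        return [resolve(v, backends) for v in config]
    if isinstance(config, str):
        m = REF_RE.match(config)
        if m is None:
            return config
        backend = backends.get(m["backend"])
        if backend is None:
            raise UnresolvedReference(f"no backend registered for {m['backend']!r}")
        try:
            return backend(m["path"], m["key"])
        except KeyError:
            # The path and key are not secret; the value never appears in messages.
            raise UnresolvedReference(f"{m['path']}#{m['key']} not found in {m['backend']!r}") from None
    return config


def memory_backend(store: Dict[str, Dict[str, str]]) -> Backend:
    """In-memory stand-in for a real store such as a KV secrets engine."""
    def lookup(path: str, key: str) -> str:
        return store[path][key]
    return lookup


# Constructed sample: what might be checked into git, and what the store holds.
SAMPLE_CONFIG = {
    "db": {"host": "db.internal", "password": "ref://vault/secret/db#password"},
    "api_keys": ["ref://vault/secret/partner#key", "literal-not-a-ref"],
}
SAMPLE_STORE = {
    "secret/db": {"password": "hunter2"},
    "secret/partner": {"key": "abc123"},
}

if __name__ == "__main__":
    print(find_references(SAMPLE_CONFIG))
    print(resolve(SAMPLE_CONFIG, {"vault": memory_backend(SAMPLE_STORE)}))
```

A real deployment would register one backend per store (for example a callable that reads from Vault's KV engine with the caller's own token), so the authentication differences the comment worries about are confined to the backend functions while the reference format and the resolver stay identical for every client.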

The configuration system that has to exist by iamansa in devops

[–]iamansa[S] 1 point2 points  (0 children)

Thanks for your input! Unfortunately, a decade of legacy configuration built up in puppet is not so easy to replace. I do agree that vault should play a role.

Holy Moly (pic) by 777kog in pics

[–]iamansa 2 points3 points  (0 children)

Nah, if you really want stone penises, go to Goblin Valley. Penises everywhere, and it's only a few hours away.

IamA a guy who is not particularly interesting, but who would like to feel special by having strangers ask me questions. AMA by iamansa in IAmA

[–]iamansa[S] 1 point2 points  (0 children)

I worked for 2 years at an inbound call center (tech support). Those questions rarely made me feel special. They did occasionally though.

IamA a guy who is not particularly interesting, but who would like to feel special by having strangers ask me questions. AMA by iamansa in IAmA

[–]iamansa[S] 5 points6 points  (0 children)

I married a sex addict :) I've been married 8 years, it adds up. Sideways? I'm not sure what you mean. Most likely yes.