You've probably reached the point where you need to manage multiple clusters with GitOps, and since running an Argo CD instance is tedious enough on its own, you certainly don't want to install a fresh Argo CD on every new Kubernetes cluster.
So you've deployed a few resources on AWS: an EC2 instance running Redis, with port 6379 opened so that other resources in the VPC can reach it.
You've tried to harden your resources by default, which is good, but by mistake the Redis instance landed in a public subnet, and once that instance carries a public IP and the port 6379 rule is wider than the VPC, the service is reachable from any host on the internet.
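A check for exactly this misconfiguration, as an added example that is not part of the original post: it decides whether a subnet is public (its effective route table sends 0.0.0.0/0 to an internet gateway), whether the instance has a public IP, and whether any attached security group opens TCP/6379 to 0.0.0.0/0. All three together mean the Redis instance is internet-reachable. The route table, security group and instance records are constructed inline in the shape of EC2 `describe_*` responses; the IDs and addresses are made up for the example.

```python
"""Flag Redis hosts that are reachable from the internet.

The records below are constructed for this example in the shape of
EC2 describe_route_tables / describe_security_groups /
describe_instances output; IDs and addresses are fictional.
"""

REDIS_PORT = 6379
ANY_V4 = "0.0.0.0/0"


def _has_igw_default_route(route_table):
    """True if the table sends 0.0.0.0/0 to an internet gateway (igw-*)."""
    return any(
        r.get("DestinationCidrBlock") == ANY_V4
        and r.get("GatewayId", "").startswith("igw-")
        for r in route_table.get("Routes", [])
    )


def subnet_is_public(subnet_id, route_tables):
    """A subnet is public when its effective route table has an igw default route.

    An explicit subnet association wins; subnets without one fall back to
    the VPC main route table.
    """
    main_public = False
    for rt in route_tables:
        igw_default = _has_igw_default_route(rt)
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return igw_default
            if assoc.get("Main"):
                main_public = igw_default
    return main_public


def sg_opens_port_to_world(sg, port):
    """True if any ingress rule allows `port` over TCP (or all protocols) from 0.0.0.0/0."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if not lo <= port <= hi:
                continue
        if any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", [])):
            return True
    return False


def audit_redis_exposure(instances, security_groups, route_tables, port=REDIS_PORT):
    """Return {instance_id: {public_subnet, public_ip, port_open, exposed}}."""
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    report = {}
    for inst in instances:
        flags = {
            "public_subnet": subnet_is_public(inst["SubnetId"], route_tables),
            "public_ip": bool(inst.get("PublicIpAddress")),
            "port_open": any(
                sg_opens_port_to_world(sg_by_id[g["GroupId"]], port)
                for g in inst.get("SecurityGroups", [])
            ),
        }
        # Only the combination is internet-reachable; the partial flags are
        # still worth reading, because one more change makes it exposed.
        flags["exposed"] = all(flags.values())
        report[inst["InstanceId"]] = flags
    return report


# Constructed sample data (not real infrastructure).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": ANY_V4, "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": ANY_V4, "NatGatewayId": "nat-0def"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 6379,
     "ToPort": 6379, "IpRanges": [{"CidrIp": ANY_V4}]}]},
    {"GroupId": "sg-vpc", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 6379,
     "ToPort": 6379, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]
INSTANCES = [
    {"InstanceId": "i-redis-a", "SubnetId": "subnet-pub", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-open"}]},
    {"InstanceId": "i-redis-b", "SubnetId": "subnet-priv",
     "SecurityGroups": [{"GroupId": "sg-vpc"}]},
    {"InstanceId": "i-redis-c", "SubnetId": "subnet-pub", "PublicIpAddress": "203.0.113.11",
     "SecurityGroups": [{"GroupId": "sg-vpc"}]},
]

if __name__ == "__main__":
    for iid, flags in audit_redis_exposure(INSTANCES, SECURITY_GROUPS, ROUTE_TABLES).items():
        print(iid, flags)
```

The private-subnet case matters: a NAT gateway route also has a 0.0.0.0/0 destination, but it carries a `NatGatewayId` rather than an `igw-` `GatewayId`, so it does not mark the subnet public. Feeding real `boto3` output into `audit_redis_exposure` is a one-line change, since the record shapes match.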
I've been following the tech communities in Ekiti since 100 Level, passionate about every bit of it; the way I swiftly left classes for the Tech Hub even made my colleagues nickname me "Techub".
But there was no clear path, no focus. Looking around, there were no cyber security communities, so what was I doing? I joined the dev communities, going to every event just to take the swag, and yes, to learn too.
In my past article about signing container images, I got some comments that led me to dig into keyless signing of container images.
Okay, you've moved your infrastructure provisioning away from clicking through the console and adopted IaC (Infrastructure as Code), provisioning your infrastructure with Terraform.
Along the way you discovered that you need some sensitive credentials, like a GitHub token for AWS Amplify or a Datadog API key, for your deployments?
So you've moved your organization's secret management to HashiCorp Vault on Kubernetes? Everything is working well, but you're about to promote it to production, and that raises a lot of questions about stability, recovery, and keeping a fully operational Vault serving your deployments.
You're definitely looking for ways to scale the nodes in your Kubernetes cluster up and down, and figuring out which autoscaler is best can be hard since there are many options. Which one should you go for?
Well, I would advise going for Karpenter instead of the native Cluster Autoscaler. Both projects are sponsored by the AWS team, but Karpenter is fast when it comes to scaling nodes up and down.
There are many tools for handling the complex workflow of deploying application changes from the build stage to your cluster. The term for this process is GitOps, but only when a Git repository is the single source of truth for the desired state; GitHub is just one place to host that repository.
When it comes to graceful shutdown, process management, and reducing the attack surface in containerized environments, I believe we can't leave dumb-init out of it.
When you are preparing your Vault environment for production, you'll want to implement the end-to-end TLS setup described in HashiCorp's production hardening documentation for Vault.