Securing Drupal on Kubernetes

Video Slides

March 20, 2020

Cleanup Large S3 Buckets

I found a neat python tool called s3wipe which brings significant speed improvements when deleting extremely large s3 buckets. It achieves this by using multiple threads and batch deletes. This really helped me out recently when deleting buckets containing several million objects and versions.

Example Usage

Empty a bucket of all objects, and delete the bucket when done.

BUCKET_NAME=project-files-public
docker run -it --rm slmingol/s3wipe \
  --id ${AWS_ACCESS_KEY_ID} \
  --key ${AWS_SECRET_ACCESS_KEY} \
  --path "s3://${BUCKET_NAME}" \
  --delbucket

Remove all objects and versions with a certain prefix, but retain the bucket....

September 20, 2019

Supplemental Groups with Gitlab Runner on OpenShift

Recently I configured gitlab-runner to operate on an openshift cluster. One quirk of this setup is that the containers run as random uids, which has the side-effect of the build container being unable to clone the project or fetch dependencies. To overcome this issue, we needed to run the build container with a supplemental group which had write access to the $CI_BUILDS_DIR path.

Security Context Constraint

The cluster administrators set up a securityContextConstraint which allowed the build service account to use supplemental group 80001....

September 18, 2019

K8s Autoscaling Custom Metrics

Lightning talk on autoscaling Kubernetes deployments with custom metrics.

Links:
Slides
PHP-FPM Prometheus Exporter
End-to-end tutorial for github.com/directxman12/k8s-prometheus-adapter
End-to-end tutorial for github.com/stefanprodan/k8s-prom-hpa
PreviousNext custom metric adapter for php-fpm

August 15, 2019

Improve your bash scripts with this boilerplate template

First up - here's the template. Continue reading below for an explanation of each component.

Unofficial Strict Mode

set -euo pipefail
IFS=$'\n\t'

There are a few things going on here - set -e will exit the script if any command returns a non-zero status. set -u will stop a script if it uses an undefined variable. set -o pipefail will terminate the script at the first failed command in a pipeline....

March 14, 2019

How to generate temporary download links to S3 objects

S3 has a feature which allows you to generate signed URLs which are valid only for a predefined period of time. This makes it much safer to distribute URLs via email/slack etc.

Process

1. Find the object in the S3 console and note the bucket name and object path.
2. Ensure your AWS credentials are loaded into your environment.
3. Use the AWS CLI to create a pre-signed URL:

# TTL is the number of seconds until the URL expires....

March 5, 2019

AWS KMS cryptographic operations on the command line

AWS KMS is a managed service for cryptographic functions in AWS. This service allows you to offload the tough job of key lifecycle management to Amazon. These snippets will allow you to perform basic cryptographic functions - encrypt, decrypt, and rewrap. It is assumed you already have a KMS key provisioned, and you have an IAM user with permissions to perform the relevant operations.

Encrypt the Contents of a File

This command encrypts the contents of contents....

February 28, 2019

How to use count with data resources in Terraform

tl;dr version: "${element(data.github_team.pull.*.id, count.index)}"

While writing a little terraform module to manage github repositories, team permissions and branch protection rules, I ran into an issue where github_team_repository resources need the team ID, but github_branch_protection resources need the team slug. This was annoying as I wanted the module to have a single variable which served both purposes. I ended up having a variable var.teams_pull which accepted a list of team slugs....

February 27, 2019

New Relic Free Tier on Acquia

Acquia dropped support for New Relic Lite and Standard in June 2017. Since then, you have only been able to get APM features on Acquia by paying for a New Relic Professional subscription. They also removed the ability to configure the New Relic API key for a given environment. But we can undo this damage! By calling newrelic_set_appname() in your index.php file you can change the account where APM metrics are sent....

February 7, 2019

Encrypted Drupal Database Connections with Amazon RDS

Originally posted 2018-08-08 on the PreviousNext blog. With attackers and data breaches becoming more sophisticated every day, it is imperative that we take as many steps as practical to protect sensitive data in our Drupal apps. PreviousNext use Amazon RDS for our MariaDB and MySQL database instances. RDS supports SSL encryption for data in transit, and it is extremely simple to configure your Drupal app to connect in this manner....

August 8, 2018