Tag: aws
Static website hosting using S3 and CloudFront
A note on dates: this post was written in 2020 using Terraform 0.12 and the nodejs12.x Lambda runtime. The architecture still holds up well, but if you’re following along today, check the current AWS provider docs and use a supported Lambda runtime and Terraform version. In particular, the aws_s3_bucket resource has since been split into smaller resources (aws_s3_bucket_acl, aws_s3_bucket_logging, aws_s3_bucket_website_configuration and so on).
Recently I had the chance to create a static website using S3 and CloudFront.
Building APIs with Amazon API Gateway
In this talk, Chris Munns walks through building APIs with Amazon API Gateway - covering how it fits into a serverless architecture, the design choices you’ll face, and how to operate APIs in production. A solid primer if you’re putting an API Gateway in front of Lambda or your own backends.
Encrypting Secrets in Amazon EKS
In this talk, Paavan Mistry explains how to encrypt Kubernetes secrets at rest in etcd on Amazon EKS. By default, Kubernetes stores secrets only base64-encoded - not encrypted - so anyone who gains access to the API server or to etcd can read them in the clear. The talk shows how to use AWS KMS envelope encryption to protect secrets at rest, which is an easy win for anyone running EKS in production.
Tag: books
15 Books Bill Gates Thinks Everyone Should Read
Bill Gates is famously a voracious reader, getting through dozens of books a year and publishing detailed recommendations on his blog, GatesNotes. This video collects fifteen of his picks.
What I like about his lists is how little of it is about technology. Gates reads widely - history, public health, psychology, science, biography - and that breadth clearly feeds into how he thinks about hard problems.
There’s a lesson in that for people who work in tech.
Tag: culture
Amazon's 14 Leadership Principles
Amazon’s Leadership Principles are used in everything from hiring to design reviews, and they’ve become hugely influential well beyond Amazon itself. This video walks through them.
The fourteen principles:
Customer Obsession
Ownership
Invent and Simplify
Are Right, A Lot
Learn and Be Curious
Hire and Develop the Best
Insist on the Highest Standards
Think Big
Bias for Action
Frugality
Earn Trust
Dive Deep
Have Backbone; Disagree and Commit
Deliver Results
(Amazon has since added two more - “Strive to be Earth’s Best Employer” and “Success and Scale Bring Broad Responsibility” - bringing the total to sixteen.)
Tag: inspiration
Amazon's 14 Leadership Principles
Amazon’s Leadership Principles are used in everything from hiring to design reviews, and they’ve become hugely influential well beyond Amazon itself. This video walks through them.
The fourteen principles:
Customer Obsession
Ownership
Invent and Simplify
Are Right, A Lot
Learn and Be Curious
Hire and Develop the Best
Insist on the Highest Standards
Think Big
Bias for Action
Frugality
Earn Trust
Dive Deep
Have Backbone; Disagree and Commit
Deliver Results
(Amazon has since added two more - “Strive to be Earth’s Best Employer” and “Success and Scale Bring Broad Responsibility” - bringing the total to sixteen.)
Arnold's 6 Rules for Success
Arnold Schwarzenegger gave this commencement speech at the University of Southern California, and the six rules he lays out have stuck with me. They’re simple, but they apply just as much to a career in engineering as to anything else.
His six rules:
Trust yourself. Work out who you really are and what you want, rather than what others expect of you.
Break the rules. Not the laws - the conventions.
15 Books Bill Gates Thinks Everyone Should Read
Bill Gates is famously a voracious reader, getting through dozens of books a year and publishing detailed recommendations on his blog, GatesNotes. This video collects fifteen of his picks.
What I like about his lists is how little of it is about technology. Gates reads widely - history, public health, psychology, science, biography - and that breadth clearly feeds into how he thinks about hard problems.
There’s a lesson in that for people who work in tech.
Tag: internet
How does the browser resolve DNS?
Have you ever wondered how your browser resolves a domain name when you hit Enter on a URL? Here’s how it works, at a high level.
Your browser first looks in its own cache for the address. If it doesn’t find it, it checks the OS cache, and finally the ISP’s cache.
If the name isn’t cached, the next step is the /etc/hosts file. If there’s an IP address there, the browser tries to load the page from that server.
Tag: istio
Istio Masterclass
This talk by Dawid Ziolkowski at DevOpsDays Warsaw is a clear introduction to Istio. If you’ve heard of service meshes but never quite grasped what problems they solve, it’s a good place to start - it covers what a mesh gives you (traffic management, observability and mutual TLS between services) and how Istio implements it on top of Kubernetes.
Tag: java
Kubernetes Resource Limits and JVM Heap Size
By default, the JVM’s maximum heap size is 1/4 of the physical memory available - you can read about this in the Oracle GC tuning guide. This means that if you don’t define -Xmx in your JVM parameters, the JVM running in the container will take 1/4 of the host memory as its maximum heap size.
On a recent enough JVM (8u191+ and 10+), the JVM is container-aware: if you set a Kubernetes resource limit, the JVM uses that limit rather than the host’s memory to size the heap.
Tag: kubernetes
Kubernetes Resource Limits and JVM Heap Size
By default, the JVM’s maximum heap size is 1/4 of the physical memory available - you can read about this in the Oracle GC tuning guide. This means that if you don’t define -Xmx in your JVM parameters, the JVM running in the container will take 1/4 of the host memory as its maximum heap size.
On a recent enough JVM (8u191+ and 10+), the JVM is container-aware: if you set a Kubernetes resource limit, the JVM uses that limit rather than the host’s memory to size the heap.
Kubernetes Service Accounts and Secrets - Mounting Secrets as Volumes
A Service Account provides an identity for processes that run in a pod. When processes inside a pod contact the API server, they are authenticated as a particular Service Account.
Create a Service Account using the YAML below.
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: sa-app-name
      namespace: namespace-name

Once the Service Account is created, you can reference it in your pod spec:

    apiVersion: v1
    kind: Pod
    metadata:
      name: app-name
    spec:
      serviceAccountName: sa-app-name

Now on to Kubernetes Secrets.
Istio Masterclass
This talk by Dawid Ziolkowski at DevOpsDays Warsaw is a clear introduction to Istio. If you’ve heard of service meshes but never quite grasped what problems they solve, it’s a good place to start - it covers what a mesh gives you (traffic management, observability and mutual TLS between services) and how Istio implements it on top of Kubernetes.
Encrypting Secrets in Amazon EKS
In this talk, Paavan Mistry explains how to encrypt Kubernetes secrets at rest in etcd on Amazon EKS. By default, Kubernetes stores secrets only base64-encoded - not encrypted - so anyone who gains access to the API server or to etcd can read them in the clear. The talk shows how to use AWS KMS envelope encryption to protect secrets at rest, which is an easy win for anyone running EKS in production.
Tag: networking
How does the browser resolve DNS?
Have you ever wondered how your browser resolves a domain name when you hit Enter on a URL? Here’s how it works, at a high level.
Your browser first looks in its own cache for the address. If it doesn’t find it, it checks the OS cache, and finally the ISP’s cache.
If the name isn’t cached, the next step is the /etc/hosts file. If there’s an IP address there, the browser tries to load the page from that server.
Tag: personal
A Message from the Director
Thank you for considering Opslifeuk Limited.
With many years of experience helping clients with digital transformation and cloud migration, our consultants bring deep, hands-on expertise to every engagement. We partner with you at every step of the journey and deliver results built on Quality, Reliability and Technical Competence.
Opslifeuk Limited stands for Love, Life and Tech. We believe happy engineers make happy customers - so we do the work we enjoy, and we do it with care.
Tag: security
Kubernetes Service Accounts and Secrets - Mounting Secrets as Volumes
A Service Account provides an identity for processes that run in a pod. When processes inside a pod contact the API server, they are authenticated as a particular Service Account.
Create a Service Account using the YAML below.
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: sa-app-name
      namespace: namespace-name

Once the Service Account is created, you can reference it in your pod spec:

    apiVersion: v1
    kind: Pod
    metadata:
      name: app-name
    spec:
      serviceAccountName: sa-app-name

Now on to Kubernetes Secrets.
Encrypting Secrets in Amazon EKS
In this talk, Paavan Mistry explains how to encrypt Kubernetes secrets at rest in etcd on Amazon EKS. By default, Kubernetes stores secrets only base64-encoded - not encrypted - so anyone who gains access to the API server or to etcd can read them in the clear. The talk shows how to use AWS KMS envelope encryption to protect secrets at rest, which is an easy win for anyone running EKS in production.
Tag: serverless
Building APIs with Amazon API Gateway
In this talk, Chris Munns walks through building APIs with Amazon API Gateway - covering how it fits into a serverless architecture, the design choices you’ll face, and how to operate APIs in production. A solid primer if you’re putting an API Gateway in front of Lambda or your own backends.
Tag: service-mesh
Istio Masterclass
This talk by Dawid Ziolkowski at DevOpsDays Warsaw is a clear introduction to Istio. If you’ve heard of service meshes but never quite grasped what problems they solve, it’s a good place to start - it covers what a mesh gives you (traffic management, observability and mutual TLS between services) and how Istio implements it on top of Kubernetes.
Tag: terraform
Static website hosting using S3 and CloudFront
A note on dates: this post was written in 2020 using Terraform 0.12 and the nodejs12.x Lambda runtime. The architecture still holds up well, but if you’re following along today, check the current AWS provider docs and use a supported Lambda runtime and Terraform version. In particular, the aws_s3_bucket resource has since been split into smaller resources (aws_s3_bucket_acl, aws_s3_bucket_logging, aws_s3_bucket_website_configuration and so on).
Recently I had the chance to create a static website using S3 and CloudFront.