So we just hired a contractor. We wanted a mid-level DevOps-type engineer who can handle cleanup tasks that we are far behind on. Grunt work, mostly: cleaning up Terraform repos, adjusting configuration to comply with audits.

What we got instead is a highly pushy dude who really wants to push us to a specific stack architecture.

Right now we use a pretty old but standard setup: public LB to nginx, to an app load balancer, to our app servers.

We want to move to Kubernetes, but there have been some roadblocks with the way this application is configured.

He’s been trying to push us to move to a toolchain that uses Terragrunt and Terraform to deploy Kubernetes and Argo CD.

We finally agreed to let him do what he wanted, and the very first thing he asked for was a separate AWS account and the ability to register two top-level domains through Route 53.

Management and I talked about it, and while we understand the requirement for the AWS account, and how it does complicate the network infrastructure, we’re a bit concerned about why he wants to register two new domains to work with.

I’ve been doing this for almost 10 years now, and I’ve read all of the documentation for these tools, and while I haven’t used Argo CD and Terragrunt, I don’t see any reason why they could not work with us to use one of our pre-existing domains.

  • slazer2au@lemmy.world · 13 upvotes · 9 days ago

    Have you asked him the reason for the 2 domains?

    My initial thoughts would be a CDN and testing domains if you don’t have those yet.

  • theit8514@lemmy.world · 7 upvotes · 9 days ago

    I do a lot of architecting for my company, and it’s often easier to have direct access to DNS to make quick changes rather than wait one or more days for an engineer to go change records. If this is just going to be a test environment, perhaps you could delegate a subdomain of your current domain. E.g. add NS records for test.example.com that point to the NS of the contractor’s hosted zone. This gives you control to tear it down (delete the NS records) but allows the contractor the ability to build the environment out.
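The delegation described above, written out in Terraform as an added example (not code from anyone in this thread): the parent zone stays in the main account, the child zone is created in the contractor's account, and the only link between them is the NS record set, which the main account can delete at any time. The account ID, role name, region and example.com are placeholders.

```hcl
# Added example: delegate test.example.com to a hosted zone in a separate
# (contractor) AWS account. Account ID, role and domain are placeholders.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

# Main account: owns example.com and keeps control of the delegation.
provider "aws" {
  alias  = "main"
  region = "us-east-1"
}

# Contractor account: reached via an assumed role, receives only the subzone.
provider "aws" {
  alias  = "contractor"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/TerraformDeploy" # placeholder
  }
}

data "aws_route53_zone" "parent" {
  provider     = aws.main
  name         = "example.com."
  private_zone = false
}

# Child zone lives in the contractor account; ExternalDNS / cert-manager there
# only need route53 permissions scoped to this zone's ID, not the parent's.
resource "aws_route53_zone" "test" {
  provider = aws.contractor
  name     = "test.example.com"
}

# NS records in the parent zone are the sole hand-off to the other account.
# Destroying this one resource withdraws the delegation without touching
# anything the contractor built.
resource "aws_route53_record" "delegation" {
  provider = aws.main
  zone_id  = data.aws_route53_zone.parent.zone_id
  name     = "test.example.com"
  type     = "NS"
  ttl      = 300
  records  = aws_route53_zone.test.name_servers
}
```

After `terraform apply`, `dig +trace NS test.example.com` should show the example.com name servers handing off to the four name servers of the contractor's zone.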

    • dastanktal@lemmy.ml (OP) · 3 upvotes · 9 days ago

      Apparently subdomains are inadequate, but after talking with some other people and seeing what you guys have to say, I can understand these requirements. He also created a network map, so we are able to better understand it.

    • procesd@lemmy.world · 2 upvotes, 1 downvote · 8 days ago

      In k8s, being able to use things like ExternalDNS to automatically and declaratively manage DNS entries with code saves so much time that you won’t want to go back once you get used to it.

      It takes a while to get your head sorted around it and also to deploy, but automagically having your DNS entries, your certificates, etc. sorted feels great.

      You hired this guy to do new things; let him do them (as a PoC).

    • Pup Biru@aussie.zone · 1 upvote, 1 downvote · 9 days ago

      absolutely this

      CSP is also a possibility, but really you’re talking about an internal attack on your own infrastructure: either by infra teams on your production or devs on your infrastructure (or an external malicious actor able to deploy code)… I think that’s just so unlikely that it’s not worthy of concern unless you’re something like a bank.

  • frongt@lemmy.zip · 4 upvotes · 9 days ago

    Sounds like he’s already a poor fit, but if you wanted to know why the domains, you should probably ask him. I can’t think of a reason.

    The cynic in me suspects he might try to run some side job out of your infrastructure.