Group items tagged

application’s logic is a great example of a component

Aspects cross-cut our application - when we use some kind of persistence (e.g. a database) or network communication (such as ZMQ sockets) our components need to know about it.

It’s responsible for pushing snippets scenario

SRP-conformant object

the join points in Ruby

advice

In most cases after and before advice are sufficient.

to provide a join point

You’ll often see empty methods in code written in AOP paradigm

provide aspect code to link with our use case

use case is a pure domain object, without even knowing it’s connected with some kind of persistence and logging layer.

Aspect-oriented programming is fixing the problem with polluting pure logic objects with technical context of our applications.

we treat our glues as a configuration part, not the logic part of our apps.

ACLs allows flexible network traffic forwarding based on a variety of factors like pattern-matching and the number of connections to a backend

A backend is a set of servers that receives forwarded requests

adding more servers to your backend will increase your potential load capacity by spreading the load over multiple servers

mode http specifies that layer 7 proxying will be used

specifies the load balancing algorithm

health checks

A frontend defines how requests should be forwarded to backends

use_backend rules, which define which backends to use depending on which ACL conditions are matched, and/or a default_backend rule that handles every other case

A frontend can be configured to various types of network traffic

Load balancing this way will forward user traffic based on IP range and port

Generally, all of the servers in the web-backend should be serving identical content--otherwise the user might receive inconsistent content.

Using layer 7 allows the load balancer to forward requests to different backend servers based on the content of the user's request.

allows you to run multiple web application servers under the same domain and port

acl url_blog path_beg /blog matches a request if the path of the user's request begins with /blog.

Round Robin selects servers in turns

Selects the server with the least number of connections--it is recommended for longer sessions

This selects which server to use based on a hash of the source IP

ensure that a user will connect to the same server

require that a user continues to connect to the same backend server. This persistence is achieved through sticky sessions, using the appsession parameter in the backend that requires it.

HAProxy uses health checks to determine if a backend server is available to process requests.

The default health check is to try to establish a TCP connection to the server

If a server fails a health check, and therefore is unable to serve requests, it is automatically disabled in the backend

However, your load balancer is a single point of failure in these setups; if it goes down or gets overwhelmed with requests, it can cause high latency or downtime for your service.

A high availability (HA) setup is an infrastructure without a single point of failure

a static IP address that can be remapped from one server to another.

If that load balancer fails, your failover mechanism will detect it and automatically reassign the IP address to one of the passive servers.

Encrypted cookies are an important security feature in Laravel.

All of this encryption and decryption is handled in Laravel by the Encrypter using PHP's built-in security tools, including OpenSSL.

Passwords are not encrypted, they are hashed.

Crypt (symmetric encryption) and Hash (one-way cryptographic hashing).

Laravel uses this same method for cookies, both the sender and receiver, using APP_KEY as the encryption key.

something like user passwords, you should never have a way to decrypt them. Ever.

Unique: The collision rate (different inputs hashing to the same output) should be very small

Laravel hashing implements the native PHP password_hash() function, defaulting to a hashing algorithm called bcrypt.

a one-way hash, we cannot decrypt it. All that we can do is test against it.

User password storage should never be reversible, and therefore doesn’t need APP_KEY at all.

Any good credential management strategy should include rotation: changing keys and passwords on a regular basis

update the key on each server.

their sessions invalidated as soon as you change your APP_KEY.

make and test a plan to decrypt that data with your old key and re-encrypt it with the new key.

name-based virtual hosting

Edge routerA router that enforces the firewall policy for your cluster.

A Kubernetes ServiceA way to expose an application running on a set of Pods as a network service. that identifies a set of Pods using labelTags objects with identifying attributes that are meaningful and relevant to users. selectors.

Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster.

An Ingress can be configured to give Services externally-reachable URLs, load balance traffic, terminate SSL / TLS, and offer name based virtual hosting.

Exposing services other than HTTP and HTTPS to the internet typically uses a service of type Service.Type=NodePort or Service.Type=LoadBalancer.

Ingress frequently uses annotations to configure some options depending on the Ingress controller,

An optional host.

A list of paths

A backend is a combination of Service and port names

has an associated backend

Both the host and path must match the content of an incoming request before the load balancer directs traffic to the referenced Service.

HTTP (and HTTPS) requests to the Ingress that matches the host and path of the rule are sent to the listed backend.

An Ingress with no rules sends all traffic to a single default backend.

Ingress controllers and load balancers may take a minute or two to allocate an IP address.

A fanout configuration routes traffic from a single IP address to more than one Service, based on the HTTP URI being requested.

nginx.ingress.kubernetes.io/rewrite-target: /

describe ingress

get ingress

Name-based virtual hosts support routing HTTP traffic to multiple host names at the same IP address.

an Ingress resource without any hosts defined in the rules, then any web traffic to the IP address of your Ingress controller can be matched without a name based virtual host being required.

secure an Ingress by specifying a SecretStores sensitive information, such as passwords, OAuth tokens, and ssh keys. that contains a TLS private key and certificate.

An Ingress controller is bootstrapped with some load balancing policy settings that it applies to all Ingress, such as the load balancing algorithm, backend weight scheme, and others.

review the controller specific documentation to see how they handle health checks

edit ingress

After you save your changes, kubectl updates the resource in the API server, which tells the Ingress controller to reconfigure the load balancer.

kubectl replace -f on a modified Ingress YAML file.

Node: A worker machine in Kubernetes, part of a cluster.

in most common Kubernetes deployments, nodes in the cluster are not part of the public internet.

Edge router: A router that enforces the firewall policy for your cluster.

Service: A Kubernetes Service that identifies a set of Pods using label selectors.

An Ingress may be configured to give Services externally-reachable URLs, load balance traffic, terminate SSL / TLS, and offer name-based virtual hosting.

The Ingress spec has all the information needed to configure a load balancer or proxy server.

An Ingress with no rules sends all traffic to a single default backend and .spec.defaultBackend is the backend that should handle requests in that case.

If defaultBackend is not set, the handling of requests that do not match any of the rules will be up to the ingress controller

A common usage for a Resource backend is to ingress data to an object storage backend with static assets.

Exact: Matches the URL path exactly and with case sensitivity.

Prefix: Matches based on a URL path prefix split by /. Matching is case sensitive and done on a path element by element basis.

multiple paths within an Ingress will match a request. In those cases precedence will be given first to the longest matching path.

Hosts can be precise matches (for example “foo.bar.com”) or a wildcard (for example “*.foo.com”).

Each Ingress should specify a class, a reference to an IngressClass resource that contains additional configuration including the name of the controller that should implement the class.

secure an Ingress by specifying a Secret that contains a TLS private key and certificate.

The Ingress resource only supports a single TLS port, 443, and assumes TLS termination at the ingress point (traffic to the Service and its Pods is in plaintext).

hosts in the tls section need to explicitly match the host in the rules section.

The lock file is always named .terraform.lock.hcl, and this name is intended to signify that it is a lock file for various items that Terraform caches in the .terraform

Terraform automatically creates or updates the dependency lock file each time you run the terraform init command.

If a particular provider has no existing recorded selection, Terraform will select the newest available version that matches the given version constraint, and then update the lock file to include that selection.

the "trust on first use" model

you can pre-populate checksums for a variety of different platforms in your lock file using the terraform providers lock command, which will then allow future calls to terraform init to verify that the packages available in your chosen mirror match the official packages from the provider's origin registry.

The h1: and zh: prefixes on these values represent different hashing schemes, each of which represents calculating a checksum using a different algorithm.

zh:: a mnemonic for "zip hash"

h1:: a mnemonic for "hash scheme 1", which is the current preferred hashing scheme.

To determine whether there still exists a dependency on a given provider, Terraform uses two sources of truth: the configuration itself, and the state.

Version constraints within the configuration itself determine which versions of dependencies are potentially compatible, but after selecting a specific version of each dependency Terraform remembers the decisions it made in a dependency lock file so that it can (by default) make the same decisions again in future.

The lock file is always named .terraform.lock.hcl

You can use role-based access control (RBAC) and other security mechanisms to make sure that users and workloads can get access to the resources they need, while keeping workloads, and the cluster itself, secure. You can set limits on the resources that users and workloads can access by managing policies and container resources.

you need to plan how to scale to relieve increased pressure from more requests to the control plane and worker nodes or scale down to reduce unused resources.

Managed control plane: Let the provider manage the scale and availability of the cluster's control plane, as well as handle patches and upgrades.

The simplest Kubernetes cluster has the entire control plane and worker node services running on the same machine.

You can deploy a control plane using tools such as kubeadm, kops, and kubespray.

Secure communications between control plane services are implemented using certificates.

Separate and backup etcd service: The etcd services can either run on the same machines as other control plane services or run on separate machines

Create multiple control plane systems: For high availability, the control plane should not be limited to a single machine

Some deployment tools set up Raft consensus algorithm to do leader election of Kubernetes services. If the primary goes away, another service elects itself and take over.

Groups of zones are referred to as regions.

if you installed with kubeadm, there are instructions to help you with Certificate Management and Upgrading kubeadm clusters.

Production-quality workloads need to be resilient and anything they rely on needs to be resilient (such as CoreDNS).

Add nodes to the cluster: If you are managing your own cluster you can add nodes by setting up your own machines and either adding them manually or having them register themselves to the cluster’s apiserver.

Set up node health checks: For important workloads, you want to make sure that the nodes and pods running on those nodes are healthy.

Authentication: The apiserver can authenticate users using client certificates, bearer tokens, an authenticating proxy, or HTTP basic auth.

Authorization: When you set out to authorize your regular users, you will probably choose between RBAC and ABAC authorization.

Role-based access control (RBAC): Lets you assign access to your cluster by allowing specific sets of permissions to authenticated users. Permissions can be assigned for a specific namespace (Role) or across the entire cluster (ClusterRole).

Attribute-based access control (ABAC): Lets you create policies based on resource attributes in the cluster and will allow or deny access based on those attributes.

Set limits on workload resources

Set namespace limits: Set per-namespace quotas on things like memory and CPU

Prepare for DNS demand: If you expect workloads to massively scale up, your DNS service must be ready to scale up as well.

Concurrency is the separation of tasks to provide interleaved execution.

Parallelism is the simultaneous execution of multiple pieces of work in order to increase speed.

With threads, the operating system switches running threads preemptively according to its scheduler, which is an algorithm in the operating system kernel.

With coroutines, the programmer and programming language determine when to switch coroutines

In contrast to threads, which are pre-emptively scheduled by the operating system, coroutine switches are cooperative, meaning the programmer (and possibly the programming language and its runtime) controls when a switch will happen.

preemption

Coroutines are a form of sequential processing: only one is executing at any given time

Threads are (at least conceptually) a form of concurrent processing: multiple threads may be executing at any given time.