The latest articles on DEV Community by Anton Krylov (@avkr). https://dev.to/avkr https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3062835%2F49ce94d6-eedc-4338-90f0-b85eb8f3738b.png https://dev.to/avkr en Anton Krylov Sun, 23 Nov 2025 20:37:34 +0000 https://dev.to/avkr/why-aider-1nle https://dev.to/avkr/why-aider-1nle <p>The market for AI coding assistants has split into two clearly defined camps.</p> <p><strong>Camp #1</strong> – Full-featured graphical IDEs<br><br> Cursor, Windsurf, Zed + Cursor mode, VS Code with Continue + Copilot + many extensions, IntelliJ Ultimate with AI Assistant, etc.<br><br> Polished UI, inline completions, chat panels, debugging integration, project-wide indexing.<br><br> Typical costs: 8–40 s startup, 4–8 GB RAM, mandatory indexing of the whole repo, poor or no support for direct work over SSH on production/legacy servers.</p> <p><strong>Camp #2</strong> – Terminal-first tools<br><br> vim, neovim, helix, kakoune, tmux… and aider.<br><br> Start in 200–400 ms, use 50–150 MB RAM, require only a terminal and git, work perfectly over SSH with no indexing step.</p> <p>aider is a command-line tool that sends selected files + conversation to an LLM and applies the returned edits directly under git control. It is widely used by senior engineers, DevOps, SRE, and security teams for fast, targeted changes in large or old repositories where launching a heavy IDE is impractical.</p> <h3> Configuration </h3> <p>aider is configured via <code>~/.aider.conf.yml</code> (or <code>.aider.conf.yml</code> in the repository) and command-line flags.<br><br> Common options include:</p> <ul> <li>choice of main and weak models</li> <li> <code>read:</code> list to permanently attach markdown files with guidelines, conventions, security rules, etc.</li> <li>toggles for auto-commits, pretty diffs, vim mode, prompt caching, etc.</li> </ul> <p>One can use multiple profile YAML files placed in <code>~/.aider/profiles/</code> and switch between them with a little script that copies the selected profile to the active config file.</p> <p>Here's a full example of such a script (<code>/usr/local/bin/aider-switch</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c"># aider-switch — switch profiles with a single command</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="nv">AIDER_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/.aider"</span> <span class="nv">PROFILES_DIR</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">AIDER_DIR</span><span class="k">}</span><span class="s2">/profiles"</span> <span class="nv">CURRENT_LINK</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">AIDER_DIR</span><span class="k">}</span><span class="s2">/current"</span> <span class="nv">CONFIG_FILE</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">AIDER_DIR</span><span class="k">}</span><span class="s2">/aider.conf.yml"</span> die<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"Error: </span><span class="nv">$*</span><span class="s2">"</span> <span class="o">&gt;</span>&amp;2<span class="p">;</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="o">}</span> <span class="o">[[</span> <span class="nt">-d</span> <span class="s2">"</span><span class="nv">$AIDER_DIR</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">||</span> die <span class="s2">".aider/ not found in </span><span class="nv">$HOME</span><span class="s2">"</span> <span class="o">[[</span> <span class="nt">-d</span> <span class="s2">"</span><span class="nv">$PROFILES_DIR</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">||</span> die <span class="s2">".aider/profiles/ missing in </span><span class="nv">$HOME</span><span class="s2">"</span> <span class="k">case</span> <span class="s2">"</span><span class="k">${</span><span class="nv">1</span><span class="k">:-}</span><span class="s2">"</span> <span class="k">in </span>list|<span class="s2">""</span><span class="p">)</span> <span class="nb">echo</span> <span class="s2">"Available profiles:"</span> <span class="nb">ls</span> <span class="nt">-1</span> <span class="s2">"</span><span class="nv">$PROFILES_DIR</span><span class="s2">"</span>/<span class="k">*</span>.yaml 2&gt;/dev/null | xargs <span class="nt">-n1</span> <span class="nb">basename</span> | <span class="nb">sed</span> <span class="s1">'s/\.yaml$//'</span> | <span class="nb">sed</span> <span class="s1">'s/^/ /'</span> <span class="o">[[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$CONFIG_FILE</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">Current → </span><span class="si">$(</span>yq e <span class="s1">'.model // "unknown"'</span> <span class="s2">"</span><span class="nv">$CONFIG_FILE</span><span class="s2">"</span> 2&gt;/dev/null <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"unknown"</span><span class="si">)</span><span class="s2">"</span> <span class="nb">exit </span>0 <span class="p">;;</span> <span class="k">*</span><span class="p">)</span> <span class="nv">PROFILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nv">SRC</span><span class="o">=</span><span class="s2">"</span><span class="nv">$PROFILES_DIR</span><span class="s2">/</span><span class="nv">$PROFILE</span><span class="s2">.yaml"</span> <span class="o">[[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SRC</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">||</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"Profile '</span><span class="nv">$PROFILE</span><span class="s2">' not found"</span><span class="p">;</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="o">}</span> <span class="nb">cp</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SRC</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$CONFIG_FILE</span><span class="s2">"</span> <span class="nb">ln</span> <span class="nt">-sf</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">basename</span> <span class="s2">"</span><span class="nv">$SRC</span><span class="s2">"</span><span class="si">)</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$CURRENT_LINK</span><span class="s2">"</span> 2&gt;/dev/null <span class="o">||</span> <span class="nb">true echo</span> <span class="s2">"Switched to profile → </span><span class="nv">$PROFILE</span><span class="s2">"</span> yq e <span class="s1">'.model // "unknown"'</span> <span class="s2">"</span><span class="nv">$CONFIG_FILE</span><span class="s2">"</span> 2&gt;/dev/null | <span class="nb">sed</span> <span class="s1">'s/^/ model: /'</span> <span class="p">;;</span> <span class="k">esac</span> </code></pre> </div> <p>Usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aider-switch list aider-switch security-review aider-switch kubernetes-expert &amp;&amp; aider </code></pre> </div> <p>You keep a handful of YAML files in ~/.aider/profiles/ and a few markdown rule sheets nearby. One profile for backend work loads grok-4, turns on vim mode, and permanently attaches backend.md plus conventions-security.md. Another for security reviews swaps to claude-3.5-sonnet, cranks caution up, and locks onto security-review.md alone. DevOps profile picks a cheaper weak model and reads only kubernetes.md and ansible-conventions.md. Switch with aider-switch backend or aider-switch security-review and the model instantly forgets yesterday’s tone and remembers exactly who it is supposed to be today. Ten lines of bash give you twenty different personalities for the same binary. That is all there is to it.</p> <p>Prompting is 95 % of success with aider. aider never tries to be smarter than you — it faithfully executes exactly what’s written in the profiles and the current request. No surprise refactoring, no “I thought this would be better.”</p> <p>The markdown files loaded via read: act as permanent code review from your lead architect and security lead on every edit. The stricter and more concrete the rules, the safer and more predictable the output — even on the most powerful models.</p> <p>Bad/empty profile + vague prompt = production chaos Good profile = katana instead of chainsaw</p> <p>That’s why the real work with aider isn’t picking a model; it’s writing and maintaining evergreen profiles.</p> <p>Example ~/.aider/profiles/backend.md:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Backend Instructions - Define clear APIs and contracts; version endpoints when needed. - Validate and sanitize all inputs; enforce types and limits. - Implement authn/authz consistently; least privilege by default. - Handle errors with structured responses; avoid leaking internals. - Add observability: logs, metrics, and traces for critical paths. - Manage migrations carefully; ensure idempotent operations and rollbacks. - Use timeouts/retries/circuit breakers for external calls. - Protect secrets and credentials; rotate and scope access. </code></pre> </div> <p>These files are loaded into context on every run and survive /clear. Write once — never repeat again.</p> <h3> Typical usage examples </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aider src/api/users/*.py # Migrate to Pydantic v2, follow the attached backend guidelines aider --message-file security.md src/auth/*.py # Look for SSRF, open redirects and credential leaks aider deploy/values-prod.yaml # Increase replicas to 12 and add the new nodeSelector </code></pre> </div> <h3> Security-sensitive environments </h3> <p>In security-sensitive environments (banks, healthcare, defense, government), running aider directly on a developer’s laptop is often forbidden by compliance. A single careless prompt could leak secrets to logs, exfiltrate context, or generate malicious code.<br> The gold standard fix: run aider inside an isolated Firecracker microVM (or gVisor/Kata). The microVM boots in ~120–150 ms, has its own kernel, zero network access, and only the current git repository is mounted — nothing else. Host keys, credentials, other projects, Docker sockets, and cloud access remain physically unreachable by the LLM process.</p> <p><a href="https://github.com/avkcode/firecracker-sandbox" rel="noopener noreferrer">https://github.com/avkcode/firecracker-sandbox</a> let you spin up the sandbox with one command while keeping your familiar vim/tmux workflow intact. The developer feels no difference, but the model is completely contained.</p> <h3> Summary </h3> <p>Heavy graphical AI IDEs and lightweight terminal tools such as aider address different workflows.<br><br> The graphical tools are preferred for long, exploratory development sessions on a local workstation.<br><br> Terminal tools are chosen when minimal latency, low resource usage, seamless SSH access, and strict control over context and edits take priority.<br><br> Most engineers use both categories, switching depending on the specific task.</p> llm ai aider Anton Krylov Wed, 11 Jun 2025 09:47:52 +0000 https://dev.to/avkr/redroid-o6n https://dev.to/avkr/redroid-o6n <h2> What is ReDroid? </h2> <p>ReDroid is a lightweight alternative to the standard Android emulator that runs as a Docker container. ReDroid provides a full Android system in a container, significantly reducing startup time and resource consumption compared to traditional emulators.</p> <p>ReDroid uses the host system's Linux kernel and is based on the anbox module project, enabling Android to run without CPU virtualization. This makes it an ideal solution for automated Android app testing in CI/CD environments where speed and efficiency are critical.</p> <p>Comparison with Android Studio Emulator:</p> <p>ReDroid is perfect for automated UI testing in CI/CD, especially when speed and resource efficiency are important. The standard Android Studio emulator is better suited for local development, debugging, and testing requiring full device emulation.</p> <h2> Manual Testing </h2> <p>Start the ReDroid container (Docker) and wait about a minute for it to load:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">docker run -d --name redroid --privileged -p 5555:5555 redroid/redroid:15.0.0_64only-latest</span> <span class="s">sleep </span><span class="m">30</span> </code></pre> </div> <p>Connect to the running container via ADB:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">adb connect localhost:5555</span> <span class="s">adb devices</span> </code></pre> </div> <p>Install both APK files on ReDroid:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">adb -s localhost:5555 install ./app/build/outputs/apk/debug/app-debug.apk</span> <span class="s">adb -s localhost:5555 install ./app/build/outputs/apk/androidTest/debug/app-debug-androidTest.apk</span> </code></pre> </div> <p>Run your Espresso/UI tests with ADB:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>adb -s localhost:5555 shell am instrument -w your.package.name.test/androidx.test.runner.AndroidJUnitRunner </code></pre> </div> <p>Export logs after testing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">adb -s localhost:5555 logcat -d &gt; android-log.txt</span> </code></pre> </div> <p>After completing the tests, remove the container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">docker stop redroid &amp;&amp; docker rm redroid</span> </code></pre> </div> <p>Preparing an Android Project for UI Testing</p> <p>Step 1: Configuring Dependencies in app/build.gradle</p> <p>gradle:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>android { defaultConfig { testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner" } } dependencies { // Core components for UI testing androidTestImplementation 'androidx.test.espresso:espresso-core:3.5.1' androidTestImplementation 'androidx.test:runner:1.5.2' androidTestImplementation 'androidx.test:rules:1.5.0' // Additional Espresso libraries for advanced testing androidTestImplementation 'androidx.test.espresso:espresso-contrib:3.5.1' androidTestImplementation 'androidx.test.espresso:espresso-intents:3.5.1' // JUnit for test environment integration androidTestImplementation 'androidx.test.ext:junit:1.1.5' } </code></pre> </div> <p>Step 2: Creating an Example UI Test with Espresso</p> <p>Create the file app/src/androidTest/java/com/example/app/MainActivityTest.java:</p> <p>java:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>package com.example.app; import androidx.test.espresso.matcher.ViewMatchers; import androidx.test.ext.junit.rules.ActivityScenarioRule; import androidx.test.ext.junit.runners.AndroidJUnit4; import androidx.test.filters.LargeTest; import org.junit.Rule; import org.junit.Test; import org.junit.runner.RunWith; import static androidx.test.espresso.Espresso.onView; import static androidx.test.espresso.action.ViewActions.click; import static androidx.test.espresso.assertion.ViewAssertions.matches; import static androidx.test.espresso.matcher.ViewMatchers.isDisplayed; import static androidx.test.espresso.matcher.ViewMatchers.withId; import static androidx.test.espresso.matcher.ViewMatchers.withText; @RunWith(AndroidJUnit4.class) @LargeTest public class MainActivityTest { @Rule public ActivityScenarioRule&lt;MainActivity&gt; activityRule = new ActivityScenarioRule&lt;&gt;(MainActivity.class); @Test public void welcomeTextIsDisplayed() { // Check that the welcome text field is displayed onView(withId(R.id.welcome_text)) .check(matches(isDisplayed())) .check(matches(withText("Hello World!"))); } @Test public void buttonClickChangesText() { // Click the button onView(withId(R.id.action_button)) .perform(click()); // Check that the text has changed onView(withId(R.id.welcome_text)) .check(matches(withText("Button Clicked!"))); } } </code></pre> </div> <p>Configuring Jenkins for UI Test Automation with ReDroid</p> <p>Step 1: Installing Required Jenkins Plugins</p> <p>In the Jenkins interface, go to "Configure Jenkins" &gt; "Manage Plugins" and install:</p> <p>Docker Pipeline<br> Gradle Plugin<br> HTML Publisher Plugin<br> JUnit Plugin<br> Allure Jenkins Plugin (optional for enhanced reporting)<br> Step 2: Creating a Jenkinsfile for the Pipeline</p> <p>Create a Jenkinsfile in the project root:</p> <p>groovy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pipeline { agent any environment { // Environment variables ANDROID_HOME = '/opt/android-sdk' REDROID_IMAGE = 'redroid/redroid:15.0.0_64only-latest' REDROID_CONTAINER = 'android-ui-test-container' ADB_PORT = '5555' TEST_RESULTS_DIR = 'app/build/outputs/androidTest-results' TEST_REPORT_DIR = 'app/build/reports/androidTests' } stages { stage('Checkout') { steps { checkout scm } } stage('Build APKs') { steps { sh './gradlew clean assembleDebug assembleDebugAndroidTest' } } stage('Start ReDroid Container') { steps { script { // Stop and remove the container if it exists sh "docker stop ${REDROID_CONTAINER} || true" sh "docker rm ${REDROID_CONTAINER} || true" // Run ReDroid in Docker sh """ docker run -d --name ${REDROID_CONTAINER} \ --privileged \ -p ${ADB_PORT}:${ADB_PORT} \ -e REDROID_PROP_ro.debuggable=1 \ -e REDROID_PROP_service.adb.tcp.port=${ADB_PORT} \ ${REDROID_IMAGE} """ // Wait for ReDroid to start sh "sleep 30" } } } stage('Connect to ReDroid and Install APKs') { steps { script { // Connect to the device via ADB sh "adb connect localhost:${ADB_PORT}" sh "adb devices" // Wait for the system to fully load sh "adb wait-for-device" // Install the app APK and tests sh "adb -s localhost:${ADB_PORT} install -r app/build/outputs/apk/debug/app-debug.apk" sh "adb -s localhost:${ADB_PORT} install -r app/build/outputs/apk/androidTest/debug/app-debug-androidTest.apk" } } } stage('Run UI Tests') { steps { script { // Create directories for results sh "mkdir -p ${TEST_RESULTS_DIR}" // Get the app package name def packageName = sh( script: "aapt dump badging app/build/outputs/apk/debug/app-debug.apk | grep package | awk '{print \$2}' | sed s/name=//g | sed s/\\'//g", returnStdout: true ).trim() // Run UI tests sh """ adb -s localhost:${ADB_PORT} shell am instrument -w \ -e debug false \ -e junit.output.format=xml \ -e additionalTestOutputDir=/sdcard/test-results \ ${packageName}.test/androidx.test.runner.AndroidJUnitRunner """ // Copy results from the device sh "adb -s localhost:${ADB_PORT} pull /sdcard/test-results ${TEST_RESULTS_DIR}" // Collect logs sh "adb -s localhost:${ADB_PORT} logcat -d &gt; ${TEST_RESULTS_DIR}/device-log.txt" // Take a screenshot for diagnostics (optional) sh "adb -s localhost:${ADB_PORT} shell screencap -p /sdcard/screen.png" sh "adb -s localhost:${ADB_PORT} pull /sdcard/screen.png ${TEST_RESULTS_DIR}/" } } } } post { always { // Publish JUnit results junit "${TEST_RESULTS_DIR}/**/*.xml" // Publish test reports publishHTML([ allowMissing: true, alwaysLinkToLastBuild: true, keepAll: true, reportDir: "${TEST_REPORT_DIR}/connected", reportName: 'Espresso Test Report', reportFiles: 'index.html' ]) // Stop and remove the container script { sh "docker stop ${REDROID_CONTAINER} || true" sh "docker rm ${REDROID_CONTAINER} || true" } // Clean up ADB sh "adb disconnect localhost:${ADB_PORT} || true" // Archive artifacts archiveArtifacts artifacts: "${TEST_RESULTS_DIR}/**/*", allowEmptyArchive: true } } } </code></pre> </div> <p>Scrcpy</p> <p>Scrcpy is a lightweight, free, open-source utility for displaying and controlling Android device screens on a computer. It works over USB (ADB) or Wi-Fi without requiring any mobile apps on the device.</p> <p>Usage Examples:</p> <p>Connect and start (device connected via USB):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>scrcpy </code></pre> </div> <p>Connect via Wi-Fi (knowing the device's IP address):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>adb connect 192.168.1.5:5555 scrcpy -s 192.168.1.5:5555 </code></pre> </div> <p>Change video resolution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>scrcpy -m 1024 </code></pre> </div> <p>Record device video:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>scrcpy --record file.mp4 </code></pre> </div> <p>Control the device without displaying the screen (keyboard and mouse input only):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>scrcpy -N </code></pre> </div> <p>If you need visual monitoring of test execution, you can integrate Scrcpy into the pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>stage('Visual Debug with Scrcpy') { when { expression { return params.ENABLE_VISUAL_DEBUG } } steps { script { // Install Scrcpy if not already installed sh ''' if ! command -v scrcpy &amp;&gt; /dev/null; then apt-get update &amp;&amp; apt-get install -y scrcpy fi ''' // Start Scrcpy to record test execution sh "mkdir -p ${TEST_RESULTS_DIR}/recordings" for (int i = 0; i &lt; DEVICE_COUNT; i++) { def adbPort = BASE_ADB_PORT + i sh """ nohup scrcpy --no-display --record=${TEST_RESULTS_DIR}/recordings/device-${i}-recording.mp4 \ --serial=localhost:${adbPort} &amp; """ } // Limit recording duration sh "sleep 60" // Record the first minute of testing sh "pkill scrcpy || true" } } </code></pre> </div> <h2> Kubernetes </h2> <h3> Why Use ReDroid in Kubernetes </h3> <p>ReDroid in Kubernetes simplifies Android app testing. Here are the key benefits:</p> <p>Parallel Tests — Run multiple virtual Android devices simultaneously, saving testing time.</p> <p>Lower Resource Costs — ReDroid is lightweight, and Kubernetes efficiently distributes the load across servers.</p> <p>Automatic Management — The system automatically starts, restarts, and stops Android containers without manual intervention.</p> <p>Easy CI/CD Integration — Seamlessly integrates with existing Jenkins or GitLab CI pipelines.</p> <p>Test Isolation — Each test environment operates independently without interfering with others.</p> <p>Centralized Management — Everything is controlled through a single interface.</p> <p>Budget Savings — Virtual devices replace expensive physical phones.</p> <p>Consistent Conditions — All tests run in the same environment, improving result reliability.</p> <p>Hardware Acceleration Access — Can be configured to use GPU for better performance.</p> <p>This solution is ideal for teams needing to regularly test Android apps in different configurations quickly and predictably.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StatefulSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redroid-farm</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">android-testing</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">redroid"</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="c1"># Number of parallel device instances</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">redroid-device</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">redroid-device</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">0</span> <span class="c1"># Run as root</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redroid</span> <span class="na">image</span><span class="pi">:</span> <span class="s">redroid/redroid:15.0.0_64only-latest</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">privileged</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Required for redroid</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">5555</span> <span class="na">name</span><span class="pi">:</span> <span class="s">adb</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">REDROID_PROP_ro.debuggable</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">REDROID_PROP_service.adb.tcp.port</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">5555"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ANDROID_ARCH</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">x86_64"</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">2</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">3Gi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">4</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">6Gi</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dri</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/dev/dri</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kvm</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/dev/kvm</span> <span class="na">lifecycle</span><span class="pi">:</span> <span class="na">preStop</span><span class="pi">:</span> <span class="na">exec</span><span class="pi">:</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/system/bin/reboot"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-p"</span><span class="pi">]</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dri</span> <span class="na">hostPath</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/dev/dri</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kvm</span> <span class="na">hostPath</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/dev/kvm</span> <span class="na">nodeSelector</span><span class="pi">:</span> <span class="na">hardware-acceleration</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="c1"># Select nodes with GPU/hardware acceleration</span> </code></pre> </div> <h2> Wireshark and ReDroid: Capturing and Analyzing Android App Network Traffic </h2> <p>Wireshark combined with ReDroid provides powerful tools for testing and debugging Android app network interactions. This combination is particularly useful for analyzing API requests, checking connection security, and debugging network issues.</p> <p>Key Features:</p> <ul> <li><p>Real Traffic Monitoring — Wireshark lets you see all network packets exchanged between the Android app in ReDroid and external services.</p></li> <li><p>Easy Setup — Since ReDroid runs as a Docker container, its network traffic is easily captured through Docker networking without additional tools on the device itself.</p></li> <li><p>Secure Traffic Analysis — With proper setup, you can even inspect HTTPS traffic (using tools like mitmproxy with ReDroid).</p></li> <li><p>Performance Issue Detection — Easily identify slow requests and app performance delays from network data.</p></li> <li><p>Automated API Testing — Record and replay network interaction scenarios for testing.</p></li> </ul> <p>Network Setup for Testing:</p> <p>Run ReDroid with special network parameters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker run --name redroid-test --network host redroid/redroid:11.0.0-latest </code></pre> </div> <p>Configure traffic capture in Wireshark, filtering for the specific ReDroid container traffic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ip.addr == [container IP address] </code></pre> </div> <p>For HTTPS traffic, configure a proxy in ReDroid via ADB:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>adb connect localhost:5555 adb shell settings put global http_proxy "localhost:8080" </code></pre> </div> <p>Start mitmproxy for HTTPS decryption:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mitmproxy --listen-port 8080 </code></pre> </div> <p>This solution helps developers and testers better understand how their Android apps interact with the network, identify security issues, and optimize network interactions without needing physical devices or complex emulator setups.</p> devops android kotlin testing Anton Krylov Sat, 17 May 2025 16:32:30 +0000 https://dev.to/avkr/terraform-and-ansible-is-not-enough-4nf6 https://dev.to/avkr/terraform-and-ansible-is-not-enough-4nf6 <p><a href="https://github.com/avkcode/ansamble" rel="noopener noreferrer">Terraform and Ansible is not enough</a></p> <h1> Tabel of contents </h1> <ul> <li>Preface</li> <li>Ansible without/with Temporal</li> <li>Simple Workflow</li> <li>Long-Running Workflows with Checkpointing</li> <li>Dynamic Parallel Execution</li> <li>Human-in-the-Loop Approvals</li> <li>Cross-Cloud Orchestration</li> <li><a href="">Event-Driven Ansible (EDA) on Steroids</a></li> <li><a href="">Stateful Workflows with Recovery</a></li> <li><a href="">Time Travel Debugging</a></li> <li><a href="">Cross-Tool Chaining</a></li> <li><a href="">Dynamic Ansible Inventory</a></li> <li><a href="">GitLab Integration</a></li> <li>Terraform</li> <li>Database Migrations</li> </ul> <h2> Preface </h2> <p>When it comes to orchestrating complex workflows in hybrid cloud environments, Temporal stands out as one of the best open-source tools available. It doesn’t try to replace tools like Terraform or Ansible but instead complements them by adding a layer of reliability, scalability, and flexibility.</p> <p>For example, while Terraform excels at provisioning infrastructure and Ansible handles configuration management, Temporal ties everything together. It ensures that workflows can recover from failures, adapt to runtime conditions, and integrate seamlessly with external systems like monitoring tools, CMDBs, or approval processes. And because it’s open source, it avoids vendor lock-in while supporting virtually any technology stack.</p> <p>The real value of workflow orchestrator lies in its ability to handle long-running, dynamic workflows without skipping a beat. Whether it’s waiting for a VM to pass health checks, triggering a Kubernetes deployment, or updating a CMDB after provisioning, Temporal keeps things running smoothly. It’s not about reinventing the wheel—it’s about making the tools you already use work better, together.</p> <p>Another advantage is how Temporal handles long-running processes common in Day 2 operations. For instance, if you’re migrating workloads between clouds or performing a rolling update across a Kubernetes cluster, Temporal keeps track of progress and ensures the workflow resumes from where it left off—even if there’s a failure or interruption. This makes it ideal for tasks like database upgrades, application rollbacks, or compliance audits, where consistency and reliability are critical.</p> <p>In short, Temporal helps IT teams move faster and more efficiently without sacrificing control or governance, which is exactly what modern enterprises need in today’s fast-changing hybrid cloud world.</p> <h3> Ansible with Temporal </h3> <p>Temporal addresses challenges in automating workflows by providing a robust framework for managing complex, long-running processes that require reliability, scalability, and fault tolerance. Without Temporal, running Ansible playbooks or similar automation tasks can face issues like failed executions due to transient errors, lack of visibility into ongoing processes, inability to resume workflows after system crashes, and difficulty in coordinating multiple dependent tasks. Temporal ensures that workflows can recover gracefully from failures, maintain state across retries, and allow dynamic adjustments based on runtime conditions. It also enables seamless integration of different tools and systems within a single workflow, making it easier to orchestrate multi-step operations that involve not just Ansible but potentially other infrastructure or application management tools. By handling the complexities of task coordination, retries, and state management, Temporal allows developers to focus on defining the logic of their workflows rather than worrying about the underlying execution mechanics.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>graph TD %% Custom Styling classDef temporal fill:#4CAF50,stroke:#333,stroke-width:2px,color:#fff; classDef ansible fill:#FF9800,stroke:#333,stroke-width:2px,color:#fff; classDef problem fill:#F44336,stroke:#333,stroke-width:2px,color:#fff; classDef solution fill:#2196F3,stroke:#333,stroke-width:2px,color:#fff; %% Nodes A[Challenges Without Temporal]:::problem --&gt; B["Failed Executions&lt;br&gt;(Transient Errors)"]; A --&gt; C["Lack of Visibility&lt;br&gt;(No Monitoring)"]; A --&gt; D["Inability to Resume&lt;br&gt;(Crash Recovery)"]; A --&gt; E["Coordination Issues&lt;br&gt;(Dependent Tasks)"]; F[Temporal Framework]:::temporal --&gt; G["Retry Mechanisms&lt;br&gt;(Fault Tolerance)"]; F --&gt; H["State Management&lt;br&gt;(Persist State Across Failures)"]; F --&gt; I["Dynamic Adjustments&lt;br&gt;(Runtime Conditions)"]; F --&gt; J["Multi-Tool Integration&lt;br&gt;(Ansible + Others)"]; K[Benefits of Temporal]:::solution --&gt; L["Graceful Recovery&lt;br&gt;(From Failures)"]; K --&gt; M["Maintain State&lt;br&gt;(Across Retries)"]; K --&gt; N["Orchestrate Multi-Step&lt;br&gt;(Complex Operations)"]; K --&gt; O["Focus on Logic&lt;br&gt;(Not Execution Mechanics)"]; %% Flow B --&gt;|Solved By| F C --&gt;|Solved By| F D --&gt;|Solved By| F E --&gt;|Solved By| F F --&gt;|Enables| K %% Subgraph for Grouping Temporal Features subgraph TemporalFeatures direction TB G[Retry Mechanisms] H[State Management] I[Dynamic Adjustments] J[Multi-Tool Integration] end </code></pre> </div> <h3> Simple workflow </h3> <p>This Python script shows how to use Temporal to run an Ansible playbook, like one that updates system packages on a server. It sets up a workflow and activity to execute the playbook in a reliable way, with features like retries, live output streaming, and clean shutdowns.</p> <p>The execute_ansible_playbook activity runs the ansible-playbook command using asyncio to capture and display the output as it happens. You can pass the playbook file and, optionally, an inventory file. If something goes wrong and the playbook fails, the script raises an error, and Temporal automatically retries the operation up to three times before stopping.</p> <p>The AnsibleWorkflow defines the workflow logic, which basically calls the activity to run the playbook. It’s set up with timeouts and retry policies to handle cases where the playbook takes a long time or runs into temporary issues.</p> <p>When you run the script, it connects to a Temporal server, starts a worker to listen for tasks, and immediately kicks off the workflow to run the playbook you specify. For example, you could point it to a playbook like update_packages.yml, which might use Ansible modules like apt or yum to update packages on your servers. The script ensures the playbook runs smoothly, streams its output in real-time, and handles interruptions or errors without losing track of what’s happening.</p> <p>This approach is great for automating tasks like updating packages across servers, where reliability and visibility are key. By using Temporal, you get built-in retries, fault tolerance, and the ability to monitor and debug the process easily if something doesn’t go as planned.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">asyncio</span> <span class="kn">import</span> <span class="n">uuid</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">signal</span> <span class="kn">import</span> <span class="n">argparse</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">timedelta</span> <span class="kn">from</span> <span class="n">temporalio</span> <span class="kn">import</span> <span class="n">workflow</span><span class="p">,</span> <span class="n">activity</span> <span class="kn">from</span> <span class="n">temporalio.client</span> <span class="kn">import</span> <span class="n">Client</span> <span class="kn">from</span> <span class="n">temporalio.worker</span> <span class="kn">import</span> <span class="n">Worker</span> <span class="kn">from</span> <span class="n">temporalio.common</span> <span class="kn">import</span> <span class="n">RetryPolicy</span> <span class="c1"># --- Activity Definition --- </span><span class="nd">@activity.defn</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">execute_ansible_playbook</span><span class="p">(</span><span class="n">playbook_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">inventory_path</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="bp">None</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Execute ansible-playbook with live output.</span><span class="sh">"""</span> <span class="n">cmd</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">ansible-playbook</span><span class="sh">"</span><span class="p">,</span> <span class="n">playbook_path</span><span class="p">]</span> <span class="k">if</span> <span class="n">inventory_path</span><span class="p">:</span> <span class="n">cmd</span><span class="p">.</span><span class="nf">extend</span><span class="p">([</span><span class="sh">"</span><span class="s">-i</span><span class="sh">"</span><span class="p">,</span> <span class="n">inventory_path</span><span class="p">])</span> <span class="n">proc</span> <span class="o">=</span> <span class="k">await</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">create_subprocess_exec</span><span class="p">(</span> <span class="o">*</span><span class="n">cmd</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">asyncio</span><span class="p">.</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">,</span> <span class="n">stderr</span><span class="o">=</span><span class="n">asyncio</span><span class="p">.</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span> <span class="p">)</span> <span class="n">output</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">stdout_chunk</span> <span class="o">=</span> <span class="k">await</span> <span class="n">proc</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="nf">read</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="n">stderr_chunk</span> <span class="o">=</span> <span class="k">await</span> <span class="n">proc</span><span class="p">.</span><span class="n">stderr</span><span class="p">.</span><span class="nf">read</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">stdout_chunk</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">stderr_chunk</span><span class="p">:</span> <span class="k">break</span> <span class="k">if</span> <span class="n">stdout_chunk</span><span class="p">:</span> <span class="n">sys</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">stdout_chunk</span><span class="p">.</span><span class="nf">decode</span><span class="p">())</span> <span class="n">sys</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="nf">flush</span><span class="p">()</span> <span class="n">output</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">stdout_chunk</span><span class="p">.</span><span class="nf">decode</span><span class="p">())</span> <span class="k">if</span> <span class="n">stderr_chunk</span><span class="p">:</span> <span class="n">sys</span><span class="p">.</span><span class="n">stderr</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">stderr_chunk</span><span class="p">.</span><span class="nf">decode</span><span class="p">())</span> <span class="n">sys</span><span class="p">.</span><span class="n">stderr</span><span class="p">.</span><span class="nf">flush</span><span class="p">()</span> <span class="n">output</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">ERROR: </span><span class="si">{</span><span class="n">stderr_chunk</span><span class="p">.</span><span class="nf">decode</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">exit_code</span> <span class="o">=</span> <span class="k">await</span> <span class="n">proc</span><span class="p">.</span><span class="nf">wait</span><span class="p">()</span> <span class="k">if</span> <span class="n">exit_code</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Playbook failed with exit code </span><span class="si">{</span><span class="n">exit_code</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="sh">""</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">output</span><span class="p">)</span> <span class="c1"># --- Workflow Definition --- </span><span class="nd">@workflow.defn</span> <span class="k">class</span> <span class="nc">AnsibleWorkflow</span><span class="p">:</span> <span class="nd">@workflow.run</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">params</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="n">workflow</span><span class="p">.</span><span class="nf">execute_activity</span><span class="p">(</span> <span class="n">execute_ansible_playbook</span><span class="p">,</span> <span class="n">args</span><span class="o">=</span><span class="p">[</span><span class="n">params</span><span class="p">[</span><span class="sh">"</span><span class="s">playbook_path</span><span class="sh">"</span><span class="p">],</span> <span class="n">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">inventory_path</span><span class="sh">"</span><span class="p">)],</span> <span class="n">start_to_close_timeout</span><span class="o">=</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">minutes</span><span class="o">=</span><span class="mi">15</span><span class="p">),</span> <span class="n">retry_policy</span><span class="o">=</span><span class="nc">RetryPolicy</span><span class="p">(</span> <span class="n">initial_interval</span><span class="o">=</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">seconds</span><span class="o">=</span><span class="mi">30</span><span class="p">),</span> <span class="n">maximum_interval</span><span class="o">=</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">minutes</span><span class="o">=</span><span class="mi">2</span><span class="p">),</span> <span class="n">maximum_attempts</span><span class="o">=</span><span class="mi">3</span> <span class="p">)</span> <span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">run_workflow_and_worker</span><span class="p">(</span><span class="n">playbook_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">inventory_path</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="bp">None</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Start worker and execute workflow automatically</span><span class="sh">"""</span> <span class="n">shutdown_event</span> <span class="o">=</span> <span class="n">asyncio</span><span class="p">.</span><span class="nc">Event</span><span class="p">()</span> <span class="n">client</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">worker</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">def</span> <span class="nf">signal_handler</span><span class="p">():</span> <span class="n">shutdown_event</span><span class="p">.</span><span class="nf">set</span><span class="p">()</span> <span class="n">loop</span> <span class="o">=</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">get_running_loop</span><span class="p">()</span> <span class="n">loop</span><span class="p">.</span><span class="nf">add_signal_handler</span><span class="p">(</span><span class="n">signal</span><span class="p">.</span><span class="n">SIGINT</span><span class="p">,</span> <span class="n">signal_handler</span><span class="p">)</span> <span class="n">loop</span><span class="p">.</span><span class="nf">add_signal_handler</span><span class="p">(</span><span class="n">signal</span><span class="p">.</span><span class="n">SIGTERM</span><span class="p">,</span> <span class="n">signal_handler</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Connect to Temporal </span> <span class="n">client</span> <span class="o">=</span> <span class="k">await</span> <span class="n">Client</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">localhost:7233</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Start worker </span> <span class="n">worker</span> <span class="o">=</span> <span class="nc">Worker</span><span class="p">(</span> <span class="n">client</span><span class="p">,</span> <span class="n">task_queue</span><span class="o">=</span><span class="sh">"</span><span class="s">ansible-queue</span><span class="sh">"</span><span class="p">,</span> <span class="n">workflows</span><span class="o">=</span><span class="p">[</span><span class="n">AnsibleWorkflow</span><span class="p">],</span> <span class="n">activities</span><span class="o">=</span><span class="p">[</span><span class="n">execute_ansible_playbook</span><span class="p">],</span> <span class="n">graceful_shutdown_timeout</span><span class="o">=</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">seconds</span><span class="o">=</span><span class="mi">5</span><span class="p">)</span> <span class="p">)</span> <span class="c1"># Run worker in background </span> <span class="n">worker_task</span> <span class="o">=</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">create_task</span><span class="p">(</span><span class="n">worker</span><span class="p">.</span><span class="nf">run</span><span class="p">())</span> <span class="c1"># Execute workflow </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Executing playbook: </span><span class="si">{</span><span class="n">playbook_path</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">execute_workflow</span><span class="p">(</span> <span class="n">AnsibleWorkflow</span><span class="p">.</span><span class="n">run</span><span class="p">,</span> <span class="n">args</span><span class="o">=</span><span class="p">[{</span><span class="sh">"</span><span class="s">playbook_path</span><span class="sh">"</span><span class="p">:</span> <span class="n">playbook_path</span><span class="p">,</span> <span class="sh">"</span><span class="s">inventory_path</span><span class="sh">"</span><span class="p">:</span> <span class="n">inventory_path</span><span class="p">}],</span> <span class="nb">id</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">ansible-</span><span class="si">{</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">task_queue</span><span class="o">=</span><span class="sh">"</span><span class="s">ansible-queue</span><span class="sh">"</span><span class="p">,</span> <span class="n">execution_timeout</span><span class="o">=</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">minutes</span><span class="o">=</span><span class="mi">20</span><span class="p">)</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">Playbook execution result:</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="k">finally</span><span class="p">:</span> <span class="c1"># Clean shutdown </span> <span class="n">shutdown_event</span><span class="p">.</span><span class="nf">set</span><span class="p">()</span> <span class="k">if</span> <span class="n">worker</span><span class="p">:</span> <span class="k">await</span> <span class="n">worker</span><span class="p">.</span><span class="nf">shutdown</span><span class="p">()</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">parser</span> <span class="o">=</span> <span class="n">argparse</span><span class="p">.</span><span class="nc">ArgumentParser</span><span class="p">()</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">"</span><span class="s">--playbook</span><span class="sh">"</span><span class="p">,</span> <span class="n">required</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="sh">"</span><span class="s">Path to playbook file</span><span class="sh">"</span><span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">"</span><span class="s">--inventory</span><span class="sh">"</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="sh">"</span><span class="s">Path to inventory file</span><span class="sh">"</span><span class="p">)</span> <span class="n">args</span> <span class="o">=</span> <span class="n">parser</span><span class="p">.</span><span class="nf">parse_args</span><span class="p">()</span> <span class="c1"># Validate paths </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">playbook</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error: Playbook not found at </span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">playbook</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">if</span> <span class="n">args</span><span class="p">.</span><span class="n">inventory</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">inventory</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error: Inventory file not found at </span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">inventory</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="nf">run_workflow_and_worker</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">playbook</span><span class="p">,</span> <span class="n">args</span><span class="p">.</span><span class="n">inventory</span><span class="p">))</span> <span class="k">except</span> <span class="nb">KeyboardInterrupt</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">Process stopped by user</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="s">Error: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </code></pre> </div> <p>This command lists all workflows of type AnsibleWorkflow that are currently tracked by Temporal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>tctl workflow list --query "WorkflowType='AnsibleWorkflow'" </code></pre> </div> <p>This command starts a new instance of the AnsibleWorkflow to execute the apt_update.yml playbook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>tctl workflow run \ --taskqueue ansible-queue \ --workflow_type AnsibleWorkflow \ --input '"apt_update.yml"' </code></pre> </div> <p><code>--inventory</code> is optional in this case.</p> <p>This command retrieves detailed information about a specific workflow instance identified by its workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>tctl workflow show -w ansible-1dcbe2e1-8b10-4616-8e11-948cb81d83b1 </code></pre> </div> <p>Temporal UI simplifies workflow management by providing an intuitive interface to check statuses, inspect details, and take actions like canceling workflows when necessary.<br> <a href="https://radikal.host/i/Ir0Q5K" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxjuvz5ht5do334akbuxy.png" alt="Temporal" width="800" height="394"></a></p> <p>This GitLab pipeline job, ansible_workflows, automates the execution of an Ansible playbook like apt_update.yml to update system packages. It runs in the deploy stage using a shell executor and triggers a Python script (ansible.py) that orchestrates the playbook via Temporal.</p> <p>The script uses Temporal to run the playbook reliably, with features like retries and live output streaming. If the playbook fails, the pipeline reflects the error for easy debugging. This setup integrates infrastructure updates into your CI/CD process, ensuring reliable and automated deployments.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ansible_workflows</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">deploy</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">shell</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">python3 ansible.py --playbook apt_update.yml</span> </code></pre> </div> <p><a href="https://radikal.host/i/IGWUQg" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr0ypevgwnnyggm3nqrwf.png" alt="GitLab" width="800" height="472"></a></p> <h4> Long-Running Workflows with Checkpointing </h4> <p>Problem: Ansible playbooks fail on long-running tasks (e.g., cloud provisioning, multi-hour deployments).<br> Solution:<br> Use Temporal workflows to automatically resume from failures.<br> Checkpoint progress (e.g., "50% of VMs deployed") even if the process crashes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@workflow.defn</span> <span class="k">class</span> <span class="nc">AnsibleWorkflow</span><span class="p">:</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">playbook</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">while</span> <span class="ow">not</span> <span class="n">workflow</span><span class="p">.</span><span class="nf">is_replaying</span><span class="p">():</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">workflow</span><span class="p">.</span><span class="nf">execute_activity</span><span class="p">(</span> <span class="n">run_ansible_playbook</span><span class="p">,</span> <span class="n">args</span><span class="o">=</span><span class="p">[</span><span class="n">playbook</span><span class="p">],</span> <span class="n">start_to_close_timeout</span><span class="o">=</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">hours</span><span class="o">=</span><span class="mi">6</span><span class="p">),</span> <span class="n">heartbeat_timeout</span><span class="o">=</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">minutes</span><span class="o">=</span><span class="mi">5</span><span class="p">),</span> <span class="p">)</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="n">failed</span><span class="p">:</span> <span class="k">await</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">300</span><span class="p">)</span> <span class="c1"># Retry after 5 minutes </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sequenceDiagram participant User participant Temporal participant Ansible User-&gt;&gt;Temporal: Start Workflow Temporal-&gt;&gt;Ansible: Run Playbook Ansible--&gt;&gt;Temporal: Progress (50% done) Note over Temporal: Crash occurs Temporal-&gt;&gt;Temporal: Resume from checkpoint Temporal-&gt;&gt;Ansible: Retry failed tasks Ansible--&gt;&gt;Temporal: Task completed Temporal--&gt;&gt;User: Workflow completed </code></pre> </div> <h4> Dynamic Parallel Execution </h4> <p>Problem: Ansible’s async is limited—hard to manage 1000s of nodes dynamically.<br> Solution:<br> Fan-out/fan-in workflows (e.g., deploy 500 VMs in parallel, then aggregate results).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">deploy_vms</span><span class="p">():</span> <span class="n">vm_list</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">get_vm_list_from_api</span><span class="p">()</span> <span class="n">results</span> <span class="o">=</span> <span class="k">await</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">gather</span><span class="p">(</span> <span class="o">*</span><span class="p">[</span><span class="nf">run_ansible_playbook</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">deploy_vm.yml --extra-vars </span><span class="sh">'</span><span class="s">vm_id=</span><span class="si">{</span><span class="n">vm</span><span class="p">.</span><span class="nb">id</span><span class="si">}</span><span class="sh">'"</span><span class="p">)</span> <span class="k">for</span> <span class="n">vm</span> <span class="ow">in</span> <span class="n">vm_list</span><span class="p">]</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">sum</span><span class="p">(</span><span class="n">results</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>graph TD A[Start Workflow] --&gt; B[Fetch VM List] B --&gt; C[Fan-Out: Deploy VMs in Parallel] C --&gt; D[Deploy VM 1] C --&gt; E[Deploy VM 2] C --&gt; F[Deploy VM 3] D --&gt; G[Aggregate Results] E --&gt; G F --&gt; G G --&gt; H[Workflow Completed] </code></pre> </div> <h4> Human-in-the-Loop Approvals </h4> <p>Problem: Ansible Tower requires manual static approvals.<br> Solution:<br> Dynamic pauses (e.g., "Wait for Slack approval before deleting prod DB").<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@workflow.defn</span> <span class="k">class</span> <span class="nc">ProdDeploymentWorkflow</span><span class="p">:</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">await</span> <span class="nf">run_ansible_playbook</span><span class="p">(</span><span class="sh">"</span><span class="s">deploy_staging.yml</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">workflow</span><span class="p">.</span><span class="nf">is_replaying</span><span class="p">():</span> <span class="k">await</span> <span class="n">workflow</span><span class="p">.</span><span class="nf">wait_for_signal</span><span class="p">(</span><span class="sh">"</span><span class="s">prod_approval</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">await</span> <span class="nf">send_slack_approval_request</span><span class="p">()</span> <span class="k">await</span> <span class="n">workflow</span><span class="p">.</span><span class="nf">wait_for_signal</span><span class="p">(</span><span class="sh">"</span><span class="s">prod_approval</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Blocks until approved </span> <span class="k">await</span> <span class="nf">run_ansible_playbook</span><span class="p">(</span><span class="sh">"</span><span class="s">deploy_prod.yml</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sequenceDiagram participant Workflow participant Slack participant User Workflow-&gt;&gt;Slack: Send Approval Request Slack-&gt;&gt;User: Notify for Approval User-&gt;&gt;Slack: Approve Slack-&gt;&gt;Workflow: Signal Approval Workflow-&gt;&gt;Workflow: Proceed to Next Step </code></pre> </div> <h4> Cross-Cloud Orchestration </h4> <p>Problem: Ansible alone can’t coordinate AWS + Azure + GCP workflows.<br> Solution:<br> Temporal workflows orchestrate multi-cloud playbooks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">migrate_to_aws</span><span class="p">():</span> <span class="k">await</span> <span class="nf">run_ansible_playbook</span><span class="p">(</span><span class="sh">"</span><span class="s">azure_shutdown.yml</span><span class="sh">"</span><span class="p">)</span> <span class="k">await</span> <span class="nf">run_ansible_playbook</span><span class="p">(</span><span class="sh">"</span><span class="s">aws_provision.yml</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="k">await</span> <span class="nf">check_aws_health</span><span class="p">():</span> <span class="k">await</span> <span class="nf">run_ansible_playbook</span><span class="p">(</span><span class="sh">"</span><span class="s">cutover_dns.yml</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>graph TD A[Start Workflow] --&gt; B[Shutdown Azure Resources] B --&gt; C[Provision AWS Resources] C --&gt; D[Check AWS Health] D --&gt; E[Update DNS] E --&gt; F[Workflow Completed] </code></pre> </div> <h4> Event-Driven Ansible (EDA) on Steroids </h4> <p>Problem: Ansible EDA reacts to simple events (e.g., webhooks).<br> Solution:<br> Complex event chains (e.g., "If CPU &gt; 90% for 5min, scale + notify PagerDuty + ticket").<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">auto_scale_workflow</span><span class="p">():</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">metrics</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch_cloud_metrics</span><span class="p">()</span> <span class="k">if</span> <span class="n">metrics</span><span class="p">.</span><span class="n">cpu</span> <span class="o">&gt;</span> <span class="mi">90</span><span class="p">:</span> <span class="k">await</span> <span class="nf">run_ansible_playbook</span><span class="p">(</span><span class="sh">"</span><span class="s">scale_out.yml</span><span class="sh">"</span><span class="p">)</span> <span class="k">await</span> <span class="nf">page_team</span><span class="p">()</span> <span class="k">await</span> <span class="n">workflow</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">minutes</span><span class="o">=</span><span class="mi">5</span><span class="p">))</span> <span class="c1"># Cooldown </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sequenceDiagram participant Monitor participant Workflow participant Ansible participant PagerDuty Monitor-&gt;&gt;Workflow: CPU &gt; 90% for 5min Workflow-&gt;&gt;Ansible: Scale Out Workflow-&gt;&gt;PagerDuty: Notify Team Workflow-&gt;&gt;Workflow: Cooldown for 5min </code></pre> </div> <h4> Stateful Workflows with Recovery </h4> <p>Problem: Ansible has no memory of past runs.<br> Solution:<br> Temporal remembers state (e.g., "Retry only failed nodes after outage").<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">patch_workflow</span><span class="p">():</span> <span class="n">hosts</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">get_hosts</span><span class="p">()</span> <span class="k">for</span> <span class="n">host</span> <span class="ow">in</span> <span class="n">hosts</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">await</span> <span class="nf">run_ansible_playbook</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">patch.yml -l </span><span class="si">{</span><span class="n">host</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">ActivityError</span><span class="p">:</span> <span class="k">await</span> <span class="nf">log_failed_host</span><span class="p">(</span><span class="n">host</span><span class="p">)</span> <span class="k">if</span> <span class="n">workflow</span><span class="p">.</span><span class="nf">is_replaying</span><span class="p">():</span> <span class="k">await</span> <span class="nf">retry_failed_hosts</span><span class="p">()</span> <span class="c1"># Only retries what crashed </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>graph TD A[Start Workflow] --&gt; B[Get Host List] B --&gt; C[Run Playbook on Host 1] B --&gt; D[Run Playbook on Host 2] B --&gt; E[Run Playbook on Host 3] C --&gt; F[Log Failed Host] D --&gt; F E --&gt; F F --&gt; G[Retry Failed Hosts] G --&gt; H[Workflow Completed] </code></pre> </div> <h4> Time Travel Debugging </h4> <p>Problem: Debugging Ansible failures is painful.<br> Solution:<br> Replay workflows exactly (e.g., "See why playbook failed 3 days ago").<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Temporal UI shows full history + inputs/outputs for every step. </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sequenceDiagram participant User participant Temporal User-&gt;&gt;Temporal: Replay Workflow Temporal-&gt;&gt;Temporal: Load History Temporal-&gt;&gt;Temporal: Re-execute Steps Temporal--&gt;&gt;User: Show Failure Details </code></pre> </div> <h4> Cross-Tool Chaining </h4> <p>Problem: Ansible can’t seamlessly call Terraform + Kubernetes.<br> Solution:<br> Mix tools in one workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">deploy_full_stack</span><span class="p">():</span> <span class="k">await</span> <span class="nf">run_terraform</span><span class="p">(</span><span class="sh">"</span><span class="s">apply</span><span class="sh">"</span><span class="p">)</span> <span class="k">await</span> <span class="nf">run_kubectl</span><span class="p">(</span><span class="sh">"</span><span class="s">apply -f k8s/</span><span class="sh">"</span><span class="p">)</span> <span class="k">await</span> <span class="nf">run_ansible_playbook</span><span class="p">(</span><span class="sh">"</span><span class="s">configure_ingress.yml</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>graph TD A[Start Workflow] --&gt; B[Run Terraform Apply] B --&gt; C[Run Kubectl Apply] C --&gt; D[Run Ansible Playbook] D --&gt; E[Workflow Completed] </code></pre> </div> <h3> Dynamic Ansible inventory </h3> <p>Here’s how to create a dynamic Ansible inventory using a Temporal workflow that fetches host data from a CMDB via REST API, ensuring real-time, fault-tolerant infrastructure management:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Temporal Workflow → Fetches CMDB Data (REST API) → Generates Dynamic Inventory → Runs Ansible </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">fetch_cmdb_hosts</span><span class="p">(</span><span class="n">cmdb_api_url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Bearer </span><span class="si">{</span><span class="n">token</span><span class="si">}</span><span class="sh">"</span><span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">cmdb_api_url</span><span class="si">}</span><span class="s">/hosts</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="k">return</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">def</span> <span class="nf">generate_inventory</span><span class="p">(</span><span class="n">cmdb_data</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">inventory</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">_meta</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">hostvars</span><span class="sh">"</span><span class="p">:</span> <span class="p">{}},</span> <span class="sh">"</span><span class="s">all</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">hosts</span><span class="sh">"</span><span class="p">:</span> <span class="p">[]},</span> <span class="sh">"</span><span class="s">web</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">hosts</span><span class="sh">"</span><span class="p">:</span> <span class="p">[]},</span> <span class="sh">"</span><span class="s">db</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">hosts</span><span class="sh">"</span><span class="p">:</span> <span class="p">[]}</span> <span class="p">}</span> <span class="k">for</span> <span class="n">host</span> <span class="ow">in</span> <span class="n">cmdb_data</span><span class="p">[</span><span class="sh">"</span><span class="s">hosts</span><span class="sh">"</span><span class="p">]:</span> <span class="n">inventory</span><span class="p">[</span><span class="sh">"</span><span class="s">all</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">hosts</span><span class="sh">"</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">host</span><span class="p">[</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">])</span> <span class="n">inventory</span><span class="p">[</span><span class="sh">"</span><span class="s">_meta</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">hostvars</span><span class="sh">"</span><span class="p">][</span><span class="n">host</span><span class="p">[</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">]]</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">ansible_host</span><span class="sh">"</span><span class="p">:</span> <span class="n">host</span><span class="p">[</span><span class="sh">"</span><span class="s">ip</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">ansible_user</span><span class="sh">"</span><span class="p">:</span> <span class="n">host</span><span class="p">[</span><span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">ansible_become</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span> <span class="p">}</span> <span class="k">if</span> <span class="n">host</span><span class="p">[</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">web</span><span class="sh">"</span><span class="p">:</span> <span class="n">inventory</span><span class="p">[</span><span class="sh">"</span><span class="s">web</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">hosts</span><span class="sh">"</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">host</span><span class="p">[</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">])</span> <span class="k">elif</span> <span class="n">host</span><span class="p">[</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">db</span><span class="sh">"</span><span class="p">:</span> <span class="n">inventory</span><span class="p">[</span><span class="sh">"</span><span class="s">db</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">hosts</span><span class="sh">"</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">host</span><span class="p">[</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">])</span> <span class="k">return</span> <span class="n">inventory</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>graph TD A[Start Workflow] --&gt; B[Fetch CMDB Data] B --&gt; C[Generate Dynamic Inventory] C --&gt; D[Run Ansible Playbook] D --&gt; E[Workflow Completed] </code></pre> </div> <h4> GitLab </h4> <p>To integrate the Temporal-based Ansible workflow with a <strong>GitLab webhook</strong> , you can configure GitLab to trigger the workflow whenever specific events occur (e.g., a push to a branch, a merge request, or a tag creation).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sequenceDiagram participant GitLab participant WebhookHandler participant Temporal participant Ansible GitLab-&gt;&gt;WebhookHandler: Send webhook payload (Push to main) WebhookHandler-&gt;&gt;WebhookHandler: Validate payload WebhookHandler-&gt;&gt;Temporal: Trigger workflow Temporal-&gt;&gt;Ansible: Execute playbook (apt_update.yml) Ansible--&gt;&gt;Temporal: Playbook completed Temporal--&gt;&gt;WebhookHandler: Workflow completed WebhookHandler--&gt;&gt;GitLab: Acknowledge webhook </code></pre> </div> <h3> Terraform </h3> <p>Using Terraform and Temporal together offers a powerful combination for infrastructure automation, addressing gaps that arise when using either tool in isolation. Terraform excels at declarative infrastructure provisioning but requires custom providers for new or niche services, which can be time-consuming to develop and maintain. On the other hand, Temporal provides a robust orchestration layer for automating workflows, including those involving APIs, without the need for custom providers. For example, you can use Temporal to seamlessly automate interactions with services like Equinix Metal, GoDaddy, or VMware via their REST APIs, orchestrating complex, stateful workflows that Terraform alone cannot handle. While Terraform focuses on defining and managing infrastructure as code, Temporal complements it by enabling dynamic, fault-tolerant, and long-running operations, such as retries, approvals, and cross-service coordination. Together, they allow teams to leverage Terraform's strength in infrastructure provisioning while relying on Temporal for workflow automation, creating a more flexible and scalable solution than using either tool alone.</p> <p>An example of a GitLab pipeline (.gitlab-ci.yml) that integrates with the Temporal workflow to deploy a VMware virtual machine using Terraform. This pipeline assumes you have already set up the Temporal server and worker, and it uses the Python-based Temporal workflow provided earlier.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">setup</span> <span class="pi">-</span> <span class="s">terraform-init</span> <span class="pi">-</span> <span class="s">terraform-plan</span> <span class="pi">-</span> <span class="s">terraform-apply</span> <span class="pi">-</span> <span class="s">temporal-workflow</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">TERRAFORM_DIR</span><span class="pi">:</span> <span class="s2">"</span><span class="s">terraform"</span> <span class="na">TEMPORAL_TASK_QUEUE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">vmware-task-queue"</span> <span class="na">setup-dependencies</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">setup</span> <span class="na">image</span><span class="pi">:</span> <span class="s">python:3.9</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt-get update &amp;&amp; apt-get install -y terraform</span> <span class="pi">-</span> <span class="s">pip install temporalio requests</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">$TERRAFORM_DIR</span> <span class="na">terraform-init</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">terraform-init</span> <span class="na">image</span><span class="pi">:</span> <span class="s">hashicorp/terraform:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cd $TERRAFORM_DIR</span> <span class="pi">-</span> <span class="s">terraform init</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">$TERRAFORM_DIR/.terraform</span> <span class="na">terraform-plan</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">terraform-plan</span> <span class="na">image</span><span class="pi">:</span> <span class="s">hashicorp/terraform:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cd $TERRAFORM_DIR</span> <span class="pi">-</span> <span class="s">terraform plan -out=tfplan</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">terraform-init</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">$TERRAFORM_DIR/tfplan</span> <span class="na">terraform-apply</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">terraform-apply</span> <span class="na">image</span><span class="pi">:</span> <span class="s">hashicorp/terraform:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cd $TERRAFORM_DIR</span> <span class="pi">-</span> <span class="s">terraform apply -auto-approve tfplan</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">terraform-plan</span> <span class="na">temporal-workflow</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">temporal-workflow</span> <span class="na">image</span><span class="pi">:</span> <span class="s">python:3.9</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt-get update &amp;&amp; apt-get install -y git</span> <span class="pi">-</span> <span class="s">pip install temporalio requests</span> <span class="pi">-</span> <span class="s">git clone https://github.com/your-repo/temporal-vmware-workflow.git</span> <span class="pi">-</span> <span class="s">cd temporal-vmware-workflow</span> <span class="pi">-</span> <span class="s">python run_workflow.py --task-queue $TEMPORAL_TASK_QUEUE --terraform-dir $TERRAFORM_DIR</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">terraform-apply</span> </code></pre> </div> <p>The Temporal-based workflow for deploying VMware VMs with Terraform is far more flexible than traditional Terraform setups. Unlike plain Terraform, which is limited to provisioning resources, Temporal acts as an orchestration layer that can easily integrate external systems like monitoring tools, CMDBs, and other services. For example, after Terraform provisions a VM, the workflow can automatically update a CMDB, trigger health checks in a monitoring system, or send notifications to stakeholders.</p> <p>Temporal also handles retries and failures gracefully, ensuring the workflow continues even if a step like a CMDB update fails. It supports dynamic decision-making, such as querying a monitoring system to decide whether to proceed, and can pause for human approval when needed. This makes it ideal for complex, real-world scenarios where infrastructure deployment doesn’t stop at provisioning—it involves integrating with multiple tools and processes seamlessly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@activity.defn</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">run_terraform_init</span><span class="p">(</span><span class="n">working_dir</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span><span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">init</span><span class="sh">"</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">working_dir</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="n">returncode</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">Exception</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Terraform init failed: </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">stderr</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="n">stdout</span> <span class="bp">...</span> <span class="nd">@activity.defn</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">run_terraform_apply</span><span class="p">(</span><span class="n">working_dir</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span><span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">apply</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-auto-approve</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tfplan</span><span class="sh">"</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">working_dir</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="n">returncode</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">Exception</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Terraform apply failed: </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">stderr</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="n">stdout</span> <span class="bp">...</span> </code></pre> </div> <h3> Database migrations </h3> <p>Large database migrations, especially for production systems with 500GB or more of data, can be incredibly complex and risky. Tools like Liquibase are great for managing schema changes and versioning, but when it comes to executing these migrations reliably—particularly in distributed or hybrid environments—they often fall short on their own. This is where Temporal shines.</p> <p>Temporal adds a layer of orchestration that ensures migrations run smoothly, even for massive databases. For example, migrating a 500GB+ production database might involve steps like backing up data, applying schema changes, validating the migration, and rolling back if something goes wrong. Temporal coordinates these steps, retries failed tasks automatically, and keeps track of progress to avoid starting over if the process is interrupted.</p> <p>It’s also perfect for handling long-running operations that can take hours or even days. If a migration hits an issue—a network outage or a spike in database load—Temporal can pause the workflow and resume once conditions improve. And because real-world migrations often require human oversight, Temporal can pause for approvals before making critical changes, like altering a schema in production, and then proceed once the green light is given.</p> <p>By integrating with monitoring tools, backup systems, and other external services, Temporal ensures everything stays in sync throughout the migration. Whether you’re moving terabytes of data across regions or applying delicate schema updates to a live system, Temporal bridges the gap between Liquibase’s capabilities and the operational complexity of modern database management.</p> <p>Below is a single Go file that implements the Temporal workflow for orchestrating a database schema migration using Liquibase.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"context"</span> <span class="s">"fmt"</span> <span class="s">"log"</span> <span class="s">"os/exec"</span> <span class="s">"go.temporal.io/sdk/activity"</span> <span class="s">"go.temporal.io/sdk/client"</span> <span class="s">"go.temporal.io/sdk/worker"</span> <span class="s">"go.temporal.io/sdk/workflow"</span> <span class="p">)</span> <span class="c">// Workflow Input Struct</span> <span class="k">type</span> <span class="n">MigrationInputs</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">DatabaseURL</span> <span class="kt">string</span> <span class="c">// Connection URL for the database</span> <span class="n">ChangelogFile</span> <span class="kt">string</span> <span class="c">// Path to the Liquibase changelog file</span> <span class="n">BackupRequired</span> <span class="kt">bool</span> <span class="c">// Whether a backup is needed before migration</span> <span class="p">}</span> <span class="c">// Workflow Definition</span> <span class="k">func</span> <span class="n">DatabaseMigrationWorkflow</span><span class="p">(</span><span class="n">ctx</span> <span class="n">workflow</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">inputs</span> <span class="n">MigrationInputs</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">logger</span> <span class="o">:=</span> <span class="n">workflow</span><span class="o">.</span><span class="n">GetLogger</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span> <span class="k">if</span> <span class="n">inputs</span><span class="o">.</span><span class="n">BackupRequired</span> <span class="p">{</span> <span class="n">logger</span><span class="o">.</span><span class="n">Info</span><span class="p">(</span><span class="s">"Starting database backup..."</span><span class="p">)</span> <span class="n">backupActivity</span> <span class="o">:=</span> <span class="n">workflow</span><span class="o">.</span><span class="n">ExecuteActivity</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">BackupDatabase</span><span class="p">,</span> <span class="n">inputs</span><span class="o">.</span><span class="n">DatabaseURL</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">backupActivity</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="no">nil</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"database backup failed: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">logger</span><span class="o">.</span><span class="n">Info</span><span class="p">(</span><span class="s">"Database backup completed successfully."</span><span class="p">)</span> <span class="p">}</span> <span class="n">logger</span><span class="o">.</span><span class="n">Info</span><span class="p">(</span><span class="s">"Starting Liquibase schema migration..."</span><span class="p">)</span> <span class="n">updateActivity</span> <span class="o">:=</span> <span class="n">workflow</span><span class="o">.</span><span class="n">ExecuteActivity</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">RunLiquibaseUpdate</span><span class="p">,</span> <span class="n">LiquibaseInput</span><span class="p">{</span> <span class="n">DatabaseURL</span><span class="o">:</span> <span class="n">inputs</span><span class="o">.</span><span class="n">DatabaseURL</span><span class="p">,</span> <span class="n">ChangelogFile</span><span class="o">:</span> <span class="n">inputs</span><span class="o">.</span><span class="n">ChangelogFile</span><span class="p">,</span> <span class="p">})</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">updateActivity</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="no">nil</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"liquibase update failed: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">logger</span><span class="o">.</span><span class="n">Info</span><span class="p">(</span><span class="s">"Liquibase schema migration completed successfully."</span><span class="p">)</span> <span class="n">logger</span><span class="o">.</span><span class="n">Info</span><span class="p">(</span><span class="s">"Validating the migration..."</span><span class="p">)</span> <span class="n">validateActivity</span> <span class="o">:=</span> <span class="n">workflow</span><span class="o">.</span><span class="n">ExecuteActivity</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">ValidateMigration</span><span class="p">,</span> <span class="n">inputs</span><span class="o">.</span><span class="n">DatabaseURL</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">validateActivity</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="no">nil</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"migration validation failed: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">logger</span><span class="o">.</span><span class="n">Info</span><span class="p">(</span><span class="s">"Migration validation completed successfully."</span><span class="p">)</span> <span class="n">logger</span><span class="o">.</span><span class="n">Info</span><span class="p">(</span><span class="s">"Notifying the team..."</span><span class="p">)</span> <span class="n">notifyActivity</span> <span class="o">:=</span> <span class="n">workflow</span><span class="o">.</span><span class="n">ExecuteActivity</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">NotifyTeam</span><span class="p">,</span> <span class="s">"Database migration completed successfully."</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">notifyActivity</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="no">nil</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">logger</span><span class="o">.</span><span class="n">Warn</span><span class="p">(</span><span class="s">"Failed to send notification, but migration was successful."</span><span class="p">,</span> <span class="s">"Error"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// Activity: Backup the database</span> <span class="k">func</span> <span class="n">BackupDatabase</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">databaseURL</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">cmd</span> <span class="o">:=</span> <span class="n">exec</span><span class="o">.</span><span class="n">CommandContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"pg_dump"</span><span class="p">,</span> <span class="s">"-Fc"</span><span class="p">,</span> <span class="s">"-f"</span><span class="p">,</span> <span class="s">"/backups/db_backup.dump"</span><span class="p">,</span> <span class="n">databaseURL</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Run</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to execute backup command: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// Activity: Run Liquibase update</span> <span class="k">type</span> <span class="n">LiquibaseInput</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">DatabaseURL</span> <span class="kt">string</span> <span class="n">ChangelogFile</span> <span class="kt">string</span> <span class="p">}</span> <span class="k">func</span> <span class="n">RunLiquibaseUpdate</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">input</span> <span class="n">LiquibaseInput</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">cmd</span> <span class="o">:=</span> <span class="n">exec</span><span class="o">.</span><span class="n">CommandContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"liquibase"</span><span class="p">,</span> <span class="s">"--url"</span><span class="p">,</span> <span class="n">input</span><span class="o">.</span><span class="n">DatabaseURL</span><span class="p">,</span> <span class="s">"--changeLogFile"</span><span class="p">,</span> <span class="n">input</span><span class="o">.</span><span class="n">ChangelogFile</span><span class="p">,</span> <span class="s">"update"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Run</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"liquibase update failed: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// Activity: Validate the migration</span> <span class="k">func</span> <span class="n">ValidateMigration</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">databaseURL</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// Example: Run a query to check if the schema is applied correctly</span> <span class="n">cmd</span> <span class="o">:=</span> <span class="n">exec</span><span class="o">.</span><span class="n">CommandContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"psql"</span><span class="p">,</span> <span class="s">"-c"</span><span class="p">,</span> <span class="s">"SELECT * FROM information_schema.tables WHERE table_schema = 'public';"</span><span class="p">,</span> <span class="n">databaseURL</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Run</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"validation query failed: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// Activity: Notify the team</span> <span class="k">func</span> <span class="n">NotifyTeam</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">message</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// Example: Send a notification via Slack or email</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Notification:"</span><span class="p">,</span> <span class="n">message</span><span class="p">)</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// Worker Setup</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Create Temporal client</span> <span class="n">temporalClient</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">client</span><span class="o">.</span><span class="n">Dial</span><span class="p">(</span><span class="n">client</span><span class="o">.</span><span class="n">Options</span><span class="p">{})</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"Unable to create Temporal client: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">temporalClient</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="c">// Create a worker</span> <span class="n">taskQueue</span> <span class="o">:=</span> <span class="s">"database-migration-task-queue"</span> <span class="n">w</span> <span class="o">:=</span> <span class="n">worker</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">temporalClient</span><span class="p">,</span> <span class="n">taskQueue</span><span class="p">,</span> <span class="n">worker</span><span class="o">.</span><span class="n">Options</span><span class="p">{})</span> <span class="c">// Register the workflow and activities</span> <span class="n">w</span><span class="o">.</span><span class="n">RegisterWorkflow</span><span class="p">(</span><span class="n">DatabaseMigrationWorkflow</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">RegisterActivity</span><span class="p">(</span><span class="n">BackupDatabase</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">RegisterActivity</span><span class="p">(</span><span class="n">RunLiquibaseUpdate</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">RegisterActivity</span><span class="p">(</span><span class="n">ValidateMigration</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">RegisterActivity</span><span class="p">(</span><span class="n">NotifyTeam</span><span class="p">)</span> <span class="c">// Start the worker</span> <span class="n">log</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Starting worker..."</span><span class="p">)</span> <span class="n">err</span> <span class="o">=</span> <span class="n">w</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="n">worker</span><span class="o">.</span><span class="n">InterruptCh</span><span class="p">())</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"Worker failed: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> devops kubernetes terraform ansible Anton Krylov Wed, 07 May 2025 07:19:37 +0000 https://dev.to/avkr/fine-tuning-models-with-your-own-data-effortlessly-4j0d https://dev.to/avkr/fine-tuning-models-with-your-own-data-effortlessly-4j0d <p>Most blog posts focus on using top-tier LLMs or setting up complex AI pipelines for large corporations. But what if your data is private, and you don’t have access to top-tier ML talent or massive infrastructure? In this article, we show how to fine-tune a model for mid-sized software development teams or IT support, using your own domain expertise. With <strong>Apache Answer</strong> and <strong>InstructLab</strong>, you can build a powerful, cost-effective AI solution tailored to your specific needs.</p> <h2> InstructLab </h2> <p><a href="https://github.com/instructlab" rel="noopener noreferrer">InstructLab</a> is an open-source AI community project aimed at empowering individuals to shape the future of generative AI. It provides tools for users to fine-tune existing large language models (LLMs), such as Granite, using additional data sources. This allows LLMs to continuously gain new knowledge, filling in gaps from their initial training, including real-time updates on current events. Subject matter experts from any domain can contribute to enhancing the LLMs' knowledge. InstructLab’s collaborative platform fosters community-driven improvements and offers tools for experimenting with model updates and ensuring their quality.</p> <p><a href="https://arxiv.org/html/2403.01081v1" rel="noopener noreferrer">LAB: Large-Scale Alignment for ChatBots</a></p> <p>The <a href="https://github.com/instructlab/taxonomy" rel="noopener noreferrer"><strong>taxonomy YAML</strong></a> in InstructLab is a structured file that contains a set of <strong>question-answer pairs</strong>, organized by domain, to represent specific <strong>skills or knowledge</strong>. Each YAML file includes metadata like version, task description, contributor info, and example prompts.</p> <p>InstructLab uses these YAML files to <strong>generate synthetic training data</strong> that fine-tunes <strong>open-weight models</strong> like Qwen or DeepSeek. By aligning the model with curated, domain-specific content, InstructLab helps improve accuracy and relevance in the model's responses across specialized topics.</p> <h2> Apache Answer </h2> <p><a href="https://github.com/apache/answer" rel="noopener noreferrer">Apache Answer</a> is similar to Stack Overflow in that it provides a platform for users to ask and answer questions, especially in technical or specialized domains. However, <strong>unlike Stack Overflow, Apache Answer is open source and can be fully self-hosted on-premises</strong>, giving organizations complete control over their data, customization, and user access.</p> <p>While Stack Overflow is a public, centralized platform mainly focused on general programming and tech topics, <strong>Apache Answer can be tailored to any industry or organization</strong>. It allows companies to build their own internal knowledge-sharing platforms—whether for software engineering teams, legal departments, medical institutions, or customer support operations.</p> <p>In essence, Apache Answer offers the same collaborative Q&amp;A experience as Stack Overflow but with <strong>full ownership, flexibility, and adaptability</strong> for private or specialized use.</p> <h2> Synthetic data </h2> <p>Synthetic data generation is crucial for industries where real-world data cannot be used due to privacy or regulatory concerns. <strong>Apache Answer</strong>, a Q&amp;A platform similar to StackOverflow, allows organizations to gather relevant industry-specific data and insights from codebases or domain experts. This data can be leveraged for generating high-quality synthetic datasets tailored to specific business needs.</p> <p><strong>InstructLab</strong> enhances this process by fine-tuning models to produce contextually accurate synthetic data, ensuring it reflects real-world scenarios. Combined with <strong>RAG</strong> (Retrieval-Augmented Generation) and <strong>CAG</strong> (Cache-Augmented Generation), <strong>InstructLab</strong> enables both real-time and cached synthetic data generation.</p> <p>YAML files produced by <strong>Apache Answer</strong> contain structured question-answer data that can be used to <strong>fine-tune open-source language models</strong>. By feeding this data into training workflows, models like <strong>Qwen</strong> or <strong>DeepSeek</strong> can be aligned with specific domains or organizational knowledge, improving their accuracy and relevance.</p> <p><a href="https://github.com/instructlab/taxonomy/blob/main/knowledge/science/animals/birds/black_capped_chickadee/qna.yaml" rel="noopener noreferrer">Example YAML Q&amp;A</a></p> <p><a href="https://radikal.host/i/InnjyW" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4dw2sw3gd08rnef7l5id.png" alt="apache_answer_flow.png" width="353" height="1096"></a></p> <h2> RAG &amp; CAG </h2> <p><strong>RAG</strong> (Retrieval-Augmented Generation) is an AI method that finds the most up-to-date information from external sources every time a question is asked. It combines a search system with a language model so the answers are both current and accurate.</p> <p><strong>CAG</strong> (Cache-Augmented Generation) is different. It collects and stores all the needed information in advance. The model then uses this stored data to give fast answers without needing to search each time.</p> <p>With <strong>RAG</strong>, InstructLab helps improve the model’s ability to follow instructions <em>after</em> retrieving fresh information. Since RAG fetches real-time data, the model needs to blend that information into a clear, helpful response. InstructLab’s fine-tuning methods make the model better at using that external content effectively.</p> <p>With <strong>CAG</strong>, where information is pre-loaded into a cache, InstructLab helps train the model to give accurate and helpful answers <em>from that fixed data</em>. It can improve how well the model uses the cached knowledge by fine-tuning it on examples that mirror expected questions and answers, ensuring faster and more relevant results.</p> <p>In short, InstructLab makes models better at following instructions and delivering useful answers — whether the data comes in real-time (RAG) or from a pre-built cache (CAG).</p> <p><a href="https://radikal.host/i/InDhgO" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4lmi4o7wo5i1ndc0xt35.png" alt="instructlab_flow.png" width="771" height="916"></a></p> <h2> Deployment </h2> <p>InstructLab can be installed locally using <code>pip</code> or the <code>uv</code> package manager, making it easy to set up for individual use or testing. Alternatively, it can run inside a Docker container, providing a consistent environment for development and deployment. For scalable production environments, <a href="https://github.com/avkcode/Finetune/blob/main/instructlab.yaml" rel="noopener noreferrer">InstructLab can also be deployed on Kubernetes</a>, leveraging its orchestration capabilities to handle scaling and resource management efficiently. This flexibility ensures it adapts to various workflows, from local experimentation to large-scale distributed deployments.</p> <p>To deploy InstructLab on Kubernetes, use a Makefile to define and manage Kubernetes resources like Deployments and ConfigMaps as multi-line variables. Dynamically generate labels and annotations using Git metadata and environment variables. Validate configurations, enforce constraints, and apply manifests with <code>kubectl</code>. This approach avoids Helm's complexity while maintaining flexibility and transparency.</p> <p><a href="https://dev.to/avkr/replace-helm-with-kiss-456a">Time to replace Helm: Back to the Future</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git clone https://github.com/avkcode/InstructLab.git </code></pre> </div> <p>Using kubectl:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl apply -f instructlab.yaml </code></pre> </div> <p>Using make:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>make =&gt; InstructLab Management System Available targets: Deployment: deploy - Deploy InstructLab with ConfigMap undeploy - Remove InstructLab deployment Interaction: logs - View container logs status - Show deployment status Utility: help - Show this help message </code></pre> </div> <p>With tools like <strong>Apache Answer</strong> and <strong>InstructLab</strong>, you can fine-tune models using your domain knowledge without needing vast resources. You don't need to be a large corporation or have a huge ML team to harness the power of AI for your specific needs.</p> ai machinelearning llm devops Anton Krylov Thu, 24 Apr 2025 15:24:10 +0000 https://dev.to/avkr/building-a-secret-scanner-in-julia-a-gitleaks-alternative-4egl https://dev.to/avkr/building-a-secret-scanner-in-julia-a-gitleaks-alternative-4egl <p>There is a tool for scanning secrets, passwords, and API key leaks called GitLeaks.</p> <p>It’s a very popular project, but in my opinion, its popularity is undeserved. The code quality is questionable, it doesn’t allow specifying custom regex pattern lists for scanning, and it fails to produce proper JSON in stdout, making it useless for automation or backend use.</p> <p>This was a great opportunity to:</p> <ul> <li>To use <a href="https://julialang.org" rel="noopener noreferrer">Julia</a> – one of the best programming languages, which is unfairly considered niche. Its applications go far beyond HPC. It’s perfectly suited for solving a wide range of problems.</li> <li>Learn how to properly publish projects on GitHub.</li> <li>Learn how to create Linux packages.</li> </ul> <p>We won’t dwell too long on the code itself. Code is better written or read—discussing it isn’t very interesting.</p> <p>The script works as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Usage: julia leaquor.jl [options] Options:   -h, --help          Display this help message.   --json              Output results in JSON format.   --output-file FILE  Write JSON results to the specified file.   --patterns FILE     Load additional patterns from a YAML file.   --ignore-files LIST Comma-separated list of files to ignore (e.g., "file1.txt,file2.json").   --repo URL          Clone and scan a GitHub repository (e.g., https://github.com/user/repo.git).   --dir PATH          Scan a specific directory on the file system.   --entropy-threshold FLOAT Set custom entropy threshold (default: 3.5).   --log-file FILE     Write logs to the specified file. Arguments:   Either --repo or --dir must be provided. Examples:   julia leaquor.jl --repo https://github.com/user/repo.git --json --output-file out.json   julia leaquor.jl --dir ./my_project --patterns custom_patterns.yaml | jq . </code></pre> </div> <p>--patterns – A YAML file with custom regex patterns for scanning.<br> --dir – Specifies a directory to scan.<br> --repo – Allows scanning a GitHub repository directly.</p> <p>More interesting is how to properly structure this for GitHub:</p> <h1> Docker and DEB Packages </h1> <p>In one <a href="https://github.com/avkcode/leaquor/blob/main/Dockerfile" rel="noopener noreferrer">Dockerfile</a>, we build the project in Julia. Julia is no different from Python or other more popular languages in this regard.</p> <p>In a second <a href="https://github.com/avkcode/leaquor/blob/main/Dockerfile.package" rel="noopener noreferrer">Dockerfile</a>, we also build the project but add nfpm a tool that replaces the standard toolchain for DEB and RPM packages.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Generate DEB packages</span> <span class="k">RUN </span>nfpm pkg <span class="nt">--config</span> nfpm.yaml <span class="nt">--target</span> leaquor.deb <span class="c"># Final stage to output packages</span> <span class="k">FROM</span><span class="s"> scratch</span> <span class="k">COPY</span><span class="s"> --from=packager /app/leaquor.deb /leaquor.deb</span> </code></pre> </div> <p>The last two directives build and copy the package to the current directory.</p> <h1> Make </h1> <p>A <a href="https://github.com/avkcode/leaquor/blob/main/Makefile" rel="noopener noreferrer">Makefile</a> is created to handle Docker builds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Build the Docker image</span> docker-build: @echo <span class="s2">"Building Docker image </span><span class="si">$(</span>DOCKER_IMAGE<span class="si">)</span><span class="s2">..."</span> docker build <span class="nt">-t</span> <span class="si">$(</span>DOCKER_IMAGE<span class="si">)</span> <span class="nb">.</span> <span class="c"># Run the Docker container</span> docker-run: @echo <span class="s2">"Running Docker container </span><span class="si">$(</span>DOCKER_CONTAINER<span class="si">)</span><span class="s2">..."</span> docker run <span class="nt">--rm</span> <span class="nt">-v</span> <span class="si">$(</span>PWD<span class="si">)</span>:/app <span class="si">$(</span>DOCKER_IMAGE<span class="si">)</span> <span class="nt">--help</span> </code></pre> </div> <p>If called without arguments, it displays the help menu:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>make Available targets: <span class="nb">test</span> - Run unit tests docker-build - Build the Docker image docker-run - Run the Docker container docker-push - Push the Docker image to Docker Hub docker-clean - Clean up Docker artifacts <span class="o">(</span>images, containers, volumes<span class="o">)</span> docker-clean-all - Force cleanup of all Docker images and artifacts release - Create a GitHub release open-issue - Open a new issue on GitHub create-pr - Create a pull request list-issues - List open issues list-prs - List open pull requests deploy-docs - Deploy documentation to GitHub Pages check-workflows - Check GitHub Actions workflow status generate-changelog - Generate a changelog </code></pre> </div> <p>This command pushes the image to DockerHub:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Push the Docker image to Docker Hub</span> docker-push: docker-build @echo <span class="s2">"Logging into Docker Hub..."</span> @docker login <span class="nt">-u</span> <span class="si">$(</span>DOCKER_HUB_USERNAME<span class="si">)</span> @echo <span class="s2">"Tagging image for Docker Hub..."</span> docker tag <span class="si">$(</span>DOCKER_IMAGE<span class="si">)</span> <span class="si">$(</span>DOCKER_HUB_REPO<span class="si">)</span>:latest @echo <span class="s2">"Pushing image to Docker Hub..."</span> docker push <span class="si">$(</span>DOCKER_HUB_REPO<span class="si">)</span>:latest @echo <span class="s2">"Image pushed successfully to </span><span class="si">$(</span>DOCKER_HUB_REPO<span class="si">)</span><span class="s2">:latest"</span> </code></pre> </div> <p>Nothing stops us from using GitHub CLI to tag the repository, upload it, and create a GitHub release (that’s the section on the left with version numbers like v1.0.0):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Target: Create a Git tag and release on GitHub</span> .PHONY: release release: @echo <span class="s2">"Creating Git tag and releasing on GitHub..."</span> @read <span class="nt">-p</span> <span class="s2">"Enter the version number (e.g., v1.0.0): "</span> version<span class="p">;</span> <span class="se">\</span> git tag <span class="nt">-a</span> <span class="nv">$$</span>version <span class="nt">-m</span> <span class="s2">"Release </span><span class="nv">$$</span><span class="s2">version"</span><span class="p">;</span> <span class="se">\</span> git push origin <span class="nv">$$</span>version<span class="p">;</span> <span class="se">\</span> gh release create <span class="nv">$$</span>version <span class="nt">--generate-notes</span> @echo <span class="s2">"Release </span><span class="nv">$$</span><span class="s2">version created and pushed to GitHub."</span> <span class="c"># Upload .deb package to GitHub release</span> upload-release: @if <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"leaquor.deb"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="se">\</span> <span class="nb">echo</span> <span class="s2">"Error: leaquor.deb not found. Please run 'make package' first."</span><span class="p">;</span> <span class="se">\</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="se">\</span> <span class="k">fi</span> @echo <span class="s2">"Uploading leaquor.deb to GitHub release </span><span class="si">$(</span>RELEASE_TAG<span class="si">)</span><span class="s2">..."</span> gh release upload <span class="si">$(</span>RELEASE_TAG<span class="si">)</span> leaquor.deb <span class="nt">--repo</span> <span class="si">$(</span>GITHUB_REPO<span class="si">)</span> @echo <span class="s2">"Upload complete"</span> </code></pre> </div> <p>[<a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4wrvra1zgrqcwibwk40h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4wrvra1zgrqcwibwk40h.png" alt="Release" width="771" height="809"></a></p> <h1> Test </h1> <p>In this case, we simply run the script in a Docker container against a "leaky-repo"—a test repository that definitely contains secret leaks.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test target to validate the script</span> <span class="nb">test</span>: docker-build clone-test-repo @echo <span class="s2">"Running tests..."</span> docker run <span class="nt">--rm</span> <span class="se">\</span> <span class="nt">-v</span> <span class="si">$(</span>PWD<span class="si">)</span>/<span class="si">$(</span>JULIA_SCRIPT<span class="si">)</span>:/app/<span class="si">$(</span>JULIA_SCRIPT<span class="si">)</span> <span class="se">\</span> <span class="nt">-v</span> <span class="si">$(</span>PWD<span class="si">)</span>/<span class="si">$(</span>TEST_REPO_DIR<span class="si">)</span>:/app/<span class="si">$(</span>TEST_REPO_DIR<span class="si">)</span> <span class="se">\</span> <span class="nt">--name</span> <span class="si">$(</span>DOCKER_CONTAINER<span class="si">)</span> <span class="se">\</span> <span class="si">$(</span>DOCKER_IMAGE<span class="si">)</span> <span class="se">\</span> julia /app/<span class="si">$(</span>JULIA_SCRIPT<span class="si">)</span> <span class="nt">--dir</span> /app/<span class="si">$(</span>TEST_REPO_DIR<span class="si">)</span> <span class="se">\</span> <span class="nt">--patterns</span> patterns.yaml <span class="se">\</span> <span class="nt">--output-file</span> results.json <span class="se">\</span> <span class="nt">--log-file</span> /app/test.log @echo <span class="s2">"Tests completed. Check test.log for details."</span> </code></pre> </div> <h1> Pipeline </h1> <p>Finally, to keep everything GitOps-compliant, let’s set up a GitHub pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">CI/CD Pipeline</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build-and-test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Docker Buildx</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/setup-buildx-action@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Log in to Docker Hub</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.event_name == 'push' &amp;&amp; startsWith(github.ref, 'refs/tags/')</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/login-action@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">username</span><span class="pi">:</span> <span class="s">${{ secrets.DOCKER_HUB_USERNAME }}</span> <span class="na">password</span><span class="pi">:</span> <span class="s">${{ secrets.DOCKER_HUB_TOKEN }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build Docker image</span> <span class="na">run</span><span class="pi">:</span> <span class="s">make docker-build</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run tests</span> <span class="na">run</span><span class="pi">:</span> <span class="s">make test</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build package (on tag push)</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.event_name == 'push' &amp;&amp; startsWith(github.ref, 'refs/tags/')</span> <span class="na">run</span><span class="pi">:</span> <span class="s">make package</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Push Docker image to Docker Hub (on tag push)</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.event_name == 'push' &amp;&amp; startsWith(github.ref, 'refs/tags/')</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker tag leaquor-image:latest ${{ secrets.DOCKER_HUB_REPO }}:${{ github.ref_name }}</span> <span class="s">docker push ${{ secrets.DOCKER_HUB_REPO }}:${{ github.ref_name }}</span> </code></pre> </div> <p>Here, everything is very simple because we wrapped all logic in Make. We can just run make docker-build, make test, and automate it on push.</p> <p>In reality, it’s all very straightforward. Julia can be used for standard day-to-day tasks, and Docker and GitHub make it even easier.</p> devops programming python security Anton Krylov Fri, 18 Apr 2025 14:49:36 +0000 https://dev.to/avkr/replace-helm-with-kiss-456a https://dev.to/avkr/replace-helm-with-kiss-456a <h2> Table of Contents </h2> <ul> <li>Preface</li> <li> Helm <ul> <li>No Dependency Hell</li> <li>No Helm Release Metadata Bloat</li> <li>No Stateful "helm upgrade" Surprises</li> <li>No Need for "helm rollback"</li> <li>No Helm Hook Complexity</li> <li>No Need for "helm-secrets" or External Plugins</li> <li>No Helm Chart Size Limitations</li> <li>No "Helm Delete" Orphaned Resources</li> </ul> </li> <li> Advanced Rollback Strategies with Makefiles <ul> <li>Atomic Rollbacks with Git Tags</li> <li>Differential Rollback (Partial Reverts</li> <li>Time-Based Rollback</li> <li>Automated Health-Check Rollback</li> <li>Why This Beats Helm Rollback</li> </ul> </li> <li>Kustomize</li> <li>ArgoCD</li> <li>Other Approaches</li> <li> KISS <ul> <li>Debugging and Transparency</li> <li>Security Implications</li> <li>GitOps Compatibility</li> <li>Extensibility</li> <li>Community and Maintenance</li> <li>Future-Proofing</li> <li>Hybrid Templating Flexibility</li> <li>Native Integration with CI/CD Pipelines</li> <li>Granular Control Over Deployment Order</li> <li>Lifecycle Hooks Without CRDs</li> <li>Version Control Transparency</li> <li>Gradual Adoption Path</li> </ul> </li> <li>Vault Specific Targets (vault.mk)</li> <li>How It Works</li> <li>Constraints</li> <li>Labels</li> <li>Diff</li> <li>Helm Charts</li> <li>Releases</li> <li>Validate</li> <li>Feature flags</li> <li>Ingress</li> <li>Conclusion</li> </ul> <h2> Preface </h2> <p>Modern Kubernetes deployment methodologies have grown increasingly complex, layering abstraction upon abstraction in pursuit of flexibility. This article challenges that trajectory by examining how fundamental Unix tools combined with Makefiles can provide a more transparent and maintainable alternative to popular solutions like Helm and Kustomize.</p> <p>What you'll find here is a way to deploy applications where you can always see the actual YAML being applied to your cluster, where debugging means looking at real configuration rather than guessing what a template might generate, and where changes follow predictable paths rather than disappearing into abstraction layers.</p> <p>If you've ever spent an afternoon chasing a Helm templating error only to discover it was caused by a misplaced whitespace, or wasted hours debugging why your Kustomize overlay isn't applying correctly, you'll understand why we need simpler approaches to Kubernetes deployments. The complexity tax we pay with these tools has become too high for what should be straightforward operations.</p> <p>What follows is not a prescriptive framework, but rather an examination of core patterns that can be adapted to various deployment scenarios. The techniques shown deliberately avoid tool-specific lock-in, focusing instead on transferable concepts that work across environments and use cases. Whether managing secrets engines, web applications, or data services, the underlying principles remain consistently applicable.</p> <p>This is about getting back to basics - not because simple is trendy, but because simple works. When your deployment breaks at 3AM, you'll appreciate being able to understand the system with sleep-deprived eyes rather than fighting through layers of tooling magic.</p> <h3> Prerequisites </h3> <p>Before you begin, ensure you have the following tools installed on your system:</p> <ul> <li>kubectl: Kubernetes command-line tool.</li> <li>yq: YAML processor.</li> <li>jq: JSON processor.</li> <li>git: Version control system.</li> <li>make: Build automation tool.</li> </ul> <h2> Helm </h2> <p>Helm was designed to simplify Kubernetes application deployment, but it has become another abstraction layer that introduces unnecessary complexity. Helm charts often hide the underlying process with layers of Go templating and nested <code>values.yaml</code> files, making it difficult to understand what is actually being deployed. Debugging often requires navigating through these files, which can obscure the true configuration. This approach shifts from infrastructure-as-code to something less transparent, making it harder to manage and troubleshoot.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.replicas | default 1</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .strategy</span> <span class="pi">}}</span> <span class="na">strategy</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">progressDeadlineSeconds</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.progressDeadlineSeconds | default 600</span> <span class="pi">}}</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "helpers.app.selectorLabels" $ | nindent 6</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .extraSelectorLabels</span> <span class="pi">}}{{</span><span class="nv">- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 6</span> <span class="pi">}}{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "helpers.app.selectorLabels" $ | nindent 8</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .extraSelectorLabels</span> <span class="pi">}}{{</span><span class="nv">- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 8</span> <span class="pi">}}{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with $.Values.generic.podLabels</span> <span class="pi">}}{{</span><span class="nv">- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 8</span> <span class="pi">}}{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .podLabels</span> <span class="pi">}}{{</span><span class="nv">- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 8</span> <span class="pi">}}{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- with $.Values.generic.podAnnotations</span> <span class="pi">}}{{</span><span class="nv">- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 8</span> <span class="pi">}}{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .podAnnotations</span> <span class="pi">}}{{</span><span class="nv">- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 8</span> <span class="pi">}}{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "helpers.pod" (dict "value" . "general" $general "name" $name "extraLabels" .extraSelectorLabels "context" $) | indent 6</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>YAML itself isn’t inherently problematic, and with modern IDE support, schema validation, and linting tools, it can be a clear and effective configuration format. The issues arise when YAML is combined with Go templating, as seen in Helm. While each component is reasonable on its own, their combination creates complexity. Go templates in YAML introduce fragile constructs, where whitespace sensitivity and imperative logic make configurations difficult to read, maintain, and test. This blending of logic and data undermines transparency and predictability, which are crucial in infrastructure management.</p> <p>Helm's dependency management also adds unnecessary complexity. Dependencies are fetched into a <code>charts/</code> directory, but version pinning and overrides often become brittle. Instead of clean component reuse, Helm encourages nested charts with their own <code>values.yaml</code>, which complicates customization and requires understanding multiple charts to override a single value. In practice, Helm’s dependency management can feel like nesting shell scripts inside other shell scripts.</p> <h3> No Dependency Hell </h3> <p>Helm Problem: Charts often depend on other charts (subcharts), leading to version conflicts and complex dependency resolution.<br> Makefile Solution:<br> Each component is explicitly defined in the Makefile.<br> No hidden dependencies—everything is visible in the Git repo.<br> No helm dependency update surprises.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Explicit dependencies (no magic) deploy: @kubectl apply -f rbac.yaml @kubectl apply -f deployment.yaml </code></pre> </div> <h3> No Helm Release Metadata Bloat </h3> <ul> <li> <p><strong>Helm Problem</strong>:</p> <ul> <li>Helm stores release metadata in <strong>Secrets/ConfigMaps</strong> (e.g., <code>sh.helm.release.v1.*</code>).</li> <li>Over time, this clutters the cluster with thousands of entries.</li> </ul> </li> <li> <p><strong>Makefile Solution</strong>:</p> <ul> <li>No hidden metadata—just raw Kubernetes manifests.</li> <li>Cleaner cluster state, no orphaned Helm releases. </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Helm's hidden release objects (pollutes `kubectl get all`) kubectl get secrets -l owner=helm </code></pre> </div> <h3> No Stateful "helm upgrade" Surprises </h3> <ul> <li> <p><strong>Helm Problem</strong>:</p> <ul> <li> <code>helm upgrade</code> sometimes fails due to stateful behavior (e.g., immutable fields).</li> <li>Helm tracks previous releases, which can cause conflicts.</li> </ul> </li> <li> <p><strong>Makefile Solution</strong>:</p> <ul> <li>Just <code>kubectl apply -f</code>—no hidden state.</li> <li>If a change fails, it’s immediately visible in Git diffs.</li> </ul> </li> </ul> <h3> No Need for "helm rollback" </h3> <ul> <li> <p><strong>Helm Problem</strong>:</p> <ul> <li>Rollbacks require Helm’s release history.</li> <li>If Helm metadata is corrupted, rollback fails.</li> </ul> </li> <li> <p><strong>Makefile Solution</strong>:</p> <ul> <li>Rollback = <code>git revert</code> + <code>kubectl apply</code>.</li> <li>No dependency on Helm’s internal state. </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Rollback with Git + Makefile git checkout HEAD~1 # Revert to previous version make apply # Re-apply old manifests </code></pre> </div> <h3> No Helm Hook Complexity </h3> <ul> <li> <p><strong>Helm Problem</strong>:</p> <ul> <li>Helm hooks (pre-install, post-upgrade) are powerful but opaque.</li> <li>Difficult to debug when hooks fail.</li> </ul> </li> <li> <p><strong>Makefile Solution</strong>:</p> <ul> <li>Hooks = Makefile targets (<code>pre-install</code>, <code>post-deploy</code>).</li> <li>Full visibility into what runs when. </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>deploy: pre-check apply-manifests verify pre-check: @./scripts/check-dependencies.sh </code></pre> </div> <h3> No Need for "helm-secrets" or External Plugins </h3> <ul> <li> <p><strong>Helm Problem</strong>:</p> <ul> <li>Managing secrets requires plugins like <code>helm-secrets</code> (sops/vault).</li> <li>Adds another layer of tooling.</li> </ul> </li> <li> <p><strong>Makefile Solution</strong>:</p> <ul> <li>Secrets handled natively (e.g., <code>kubectl create secret</code>).</li> <li>Works with any secret manager (Vault, AWS Secrets Manager). </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>create-secret: @vault read -field=token secret/vault-token | kubectl create secret generic vault-token --from-file=token=- </code></pre> </div> <h3> No Helm Chart Size Limitations </h3> <ul> <li> <p><strong>Helm Problem</strong>:</p> <ul> <li>Large charts (e.g., 1000+ resources) slow down <code>helm install</code>.</li> <li>Helm has to process all templates sequentially.</li> </ul> </li> <li> <p><strong>Makefile Solution</strong>:</p> <ul> <li>Parallel manifest generation (<code>make -j</code>).</li> <li>No artificial limits—just what <code>kubectl</code> can handle.</li> </ul> </li> </ul> <h3> No "Helm Delete" Orphaned Resources </h3> <ul> <li> <p><strong>Helm Problem</strong>:</p> <ul> <li> <code>helm delete</code> sometimes leaves resources behind (e.g., CRDs).</li> <li>Requires <code>--purge</code> or manual cleanup.</li> </ul> </li> <li> <p><strong>Makefile Solution</strong>:</p> <ul> <li> <code>make delete</code> removes <strong>exactly</strong> what was defined.</li> <li>No surprises. </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>delete: @kubectl delete -f manifests/ </code></pre> </div> <h2> Advanced Rollback Strategies with Makefiles </h2> <p>While the basic git checkout + make apply works, let's explore more robust rollback techniques that give you greater control than Helm's built-in rollback mechanism.</p> <ol> <li>Atomic Rollbacks with Git Tags </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Tag releases during deployment make deploy &amp;&amp; git tag $(date +%Y%m%d-%H%M)-vault-deploy # Rollback to last known good version git checkout $(git describe --tags --match '*-vault-deploy' --abbrev=0) make apply </code></pre> </div> <h3> Differential Rollback (Partial Reverts) </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># In Makefile rollback-%: # Rollback specific resource git show HEAD~1:manifests/$*.yaml | kubectl apply -f - # Example: Rollback just the deployment make rollback-deployment </code></pre> </div> <h3> Time-Based Rollback </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Find the last good config before outage git checkout $(git rev-list -n1 --before="2023-12-01 15:00" main) make apply </code></pre> </div> <h3> Automated Health-Check Rollback </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>rollback-with-check: @make apply @sleep 30 # Wait for pods to initialize @if ! kubectl rollout status deployment/vault --timeout=60s; then \ git checkout HEAD~1; \ make apply; \ echo "Automatic rollback completed"; \ fi </code></pre> </div> <p>Why This Beats Helm Rollback</p> <ul> <li>No Hidden State</li> <li>Helm stores rollback info in cluster secrets</li> <li>Makefiles use Git's immutable history</li> <li>Partial Rollbacks</li> <li>Helm rolls back entire releases</li> <li>Make can target specific resources</li> </ul> <p>Pre-Rollback Verification<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pre-rollback-check: @git diff HEAD~1 manifests/ | grep -q 'replicaCount: 3' &amp;&amp; \ echo "WARNING: Rolling back to 3 replicas" </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sequenceDiagram User-&gt;&gt;Git: git tag v1.0 User-&gt;&gt;Cluster: make apply Cluster-&gt;&gt;User: Deployment fails User-&gt;&gt;Git: git checkout v1.0 User-&gt;&gt;Cluster: make apply Cluster-&gt;&gt;User: Previous working version restored </code></pre> </div> <p>Key Advantages Over Helm</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Helm</th> <th>Makefile + Git</th> </tr> </thead> <tbody> <tr> <td>Rollback Target</td> <td>Entire release</td> <td>Any resource/file</td> </tr> <tr> <td>History Storage</td> <td>Cluster secrets</td> <td>Git repository</td> </tr> <tr> <td>Verification</td> <td>Limited</td> <td>Full diff/pre-checks</td> </tr> <tr> <td>Automation</td> <td>Basic hooks</td> <td>Custom health checks</td> </tr> <tr> <td>Audit Trail</td> <td>Helm metadata</td> <td>Git commit history</td> </tr> <tr> <td>Speed</td> <td>Medium (needs helm history)</td> <td>Fast (direct git checkout)</td> </tr> <tr> <td>Partial Rollbacks</td> <td>❌ No</td> <td>✅ Yes</td> </tr> <tr> <td>Pre-Rollback Checks</td> <td>❌ No</td> <td>✅ Custom scripts</td> </tr> <tr> <td>Cross-Environment</td> <td>Complex (per-cluster)</td> <td>Simple (git branches)</td> </tr> <tr> <td>Required Infrastructure</td> <td>Helm server (v2)</td> <td>Just git+kubectl</td> </tr> <tr> <td>Disaster Recovery</td> <td>Vulnerable (secrets can be lost)</td> <td>Immutable (git)</td> </tr> </tbody> </table></div> <h4> Pro Tip: Add this to your Makefile for safer rollbacks: </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>confirm-rollback: @read -p "Rollback to HEAD~1? (y/n) " ans; \ [ "$$ans" = y ] || exit 1 rollback: confirm-rollback git checkout HEAD~1 manifests/ make apply </code></pre> </div> <h2> Kustomzie </h2> <p><a href="https://github.com/kubernetes-sigs/kustomize" rel="noopener noreferrer">Kustomize</a> offers a declarative approach to managing Kubernetes configurations, but its structure often blurs the line between declarative and imperative. Kustomize applies transformations to a base set of Kubernetes manifests, where users define overlays and patches that <em>appear</em> declarative, but are actually order-dependent and procedural.</p> <p>It supports various patching mechanisms, which require a deep understanding of Kubernetes objects and can lead to verbose, hard-to-maintain configurations. Features like generators pulling values from files or environment variables introduce dynamic behavior, further complicating the system. When built-in functionality falls short, users can use KRM (Kubernetes Resource Model) functions for transformations, but these are still defined in structured data, leading to a complex layering of data-as-code that lacks clarity.</p> <p>While Kustomize avoids explicit templating, it introduces a level of orchestration that can be just as opaque and requires extensive knowledge to ensure predictable results.</p> <h2> Argocd </h2> <p>In many Kubernetes environments, the configuration pipeline has become a complex chain of tools and abstractions. What the Kubernetes API receives — plain YAML or JSON — is often the result of multiple intermediate stages, such as Helm charts, Helmsman, or GitOps systems like Flux or Argo CD. As these layers accumulate, they can obscure the final output, preventing engineers from easily accessing the fully rendered manifests.</p> <p>This lack of visibility makes it hard to verify what will actually be deployed, leading to operational challenges and a loss of confidence in the system. When teams cannot inspect or reproduce the deployment artifacts, it becomes difficult to review changes or troubleshoot issues, ultimately turning a once-transparent process into a black box that complicates debugging and undermines reliability.</p> <p>ArgoCD is designed to work with plain Kubernetes manifests, making it naturally compatible with Makefile-generated deployments. Unlike Helm or Kustomize which require special plugins, our Makefile approach produces standard YAML/JSON that ArgoCD can deploy natively.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>graph TD A[Git Repository] --&gt;|Manifests| B(ArgoCD Application) B --&gt; C{Kubernetes Cluster} D[Makefile] --&gt;|Generates| A </code></pre> </div> <p>Configure ArgoCD Application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s1">'</span><span class="s">https://github.com/your-org/vault-deployments.git'</span> <span class="na">path</span><span class="pi">:</span> <span class="s">manifests/</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">HEAD</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s1">'</span><span class="s">https://kubernetes.default.svc'</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">vault</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h2> Other approaches </h2> <p>Apple’s <a href="https://pkl-lang.org/index.html" rel="noopener noreferrer">pkl</a> (short for "Pickle") is a configuration language designed to replace YAML, offering greater flexibility and dynamic capabilities. It includes features like classes, built-in packages, methods, and bindings for multiple languages, as well as IDE integrations, making it resemble a full programming language rather than a simple configuration format.</p> <p>However, the complexity of pkl may be unnecessary. Its extensive documentation and wide range of features may be overkill for most use cases, especially when YAML itself can handle configuration management needs.</p> <h2> KISS </h2> <p>Kubernetes configuration management is ultimately a string manipulation problem. Makefiles, combined with standard Unix tools, are ideal for solving this. Make provides a declarative way to define steps to generate Kubernetes manifests, with each step clearly outlined and only re-run when necessary. Tools like <code>sed</code>, <code>awk</code>, <code>cat</code>, and <code>jq</code> excel at text transformation and complement Make’s simplicity, allowing for quick manipulation of YAML or JSON files.</p> <p>This approach is transparent — you can see exactly what each command does and debug easily when needed. Unlike more complex tools, which hide the underlying processes, Makefiles and Unix tools provide full control, making the configuration management process straightforward and maintainable.</p> <p>HashiCorp Vault is a tool for managing secrets and sensitive data, offering features like encryption, access control, and secure storage. It was used as an example of critical infrastructure deployed on Kubernetes without Helm, emphasizing manual, customizable management of resources.</p> <p><a href="https://raw.githubusercontent.com/avkcode/vault/refs/heads/main/Makefile" rel="noopener noreferrer">This Makefile</a> automates Kubernetes deployment, Docker image builds, and Git operations. It handles environment-specific configurations, validates Kubernetes manifests, and manages Vault resources like Docker image builds, retrieving unseal/root keys, and interacting with Vault pods. It also facilitates Git operations such as creating tags, pushing releases, and generating archives or bundles. The file includes tasks for managing Kubernetes resources like services, statefulsets, and secrets, switching namespaces, and cleaning up generated files. Additionally, it supports interactive deployment sessions, variable listing, and manifest validation both client and server-side.</p> <h3> Running make without any targets outputs the help: </h3> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="err">make</span> <span class="nl">Available targets</span><span class="o">:</span> <span class="err">generate-chart</span> <span class="err">-</span> <span class="err">Generate</span> <span class="err">Helm</span> <span class="err">chart</span> <span class="err">from</span> <span class="err">Kubernetes</span> <span class="err">manifests</span> <span class="err">template</span> <span class="err">-</span> <span class="err">Generate</span> <span class="err">Kubernetes</span> <span class="err">manifests</span> <span class="err">from</span> <span class="err">templates</span> <span class="err">apply</span> <span class="err">-</span> <span class="err">Apply</span> <span class="err">generated</span> <span class="err">manifests</span> <span class="err">to</span> <span class="err">the</span> <span class="err">Kubernetes</span> <span class="err">cluster</span> <span class="err">delete</span> <span class="err">-</span> <span class="err">Delete</span> <span class="err">Kubernetes</span> <span class="err">resources</span> <span class="err">defined</span> <span class="err">in</span> <span class="err">the</span> <span class="err">manifests</span> <span class="err">validate-%</span> <span class="err">-</span> <span class="err">Validate</span> <span class="err">a</span> <span class="err">specific</span> <span class="err">manifest</span> <span class="err">using</span> <span class="err">yq,</span> <span class="err">e.g.</span> <span class="err">make</span> <span class="err">validate-rbac</span> <span class="err">print-%</span> <span class="err">-</span> <span class="err">Print</span> <span class="err">the</span> <span class="err">value</span> <span class="err">of</span> <span class="err">a</span> <span class="err">specific</span> <span class="err">variable</span> <span class="err">get-vault-ui</span> <span class="err">-</span> <span class="err">Fetch</span> <span class="err">the</span> <span class="err">Vault</span> <span class="err">UI</span> <span class="err">Node</span> <span class="err">IP</span> <span class="err">and</span> <span class="err">NodePort</span> <span class="err">build-vault-image</span> <span class="err">-</span> <span class="err">Build</span> <span class="err">the</span> <span class="err">Vault</span> <span class="err">Docker</span> <span class="err">image</span> <span class="err">exec</span> <span class="err">-</span> <span class="err">Execute</span> <span class="err">a</span> <span class="err">shell</span> <span class="err">in</span> <span class="err">the</span> <span class="err">vault</span> <span class="err">pod</span> <span class="err">logs</span> <span class="err">-</span> <span class="err">Stream</span> <span class="err">logs</span> <span class="err">from</span> <span class="err">the</span> <span class="err">vault</span> <span class="err">pod</span> <span class="err">switch-namespace</span> <span class="err">-</span> <span class="err">Switch</span> <span class="err">the</span> <span class="err">current</span> <span class="err">Kubernetes</span> <span class="err">namespace</span> <span class="err">archive</span> <span class="err">-</span> <span class="err">Create</span> <span class="err">a</span> <span class="err">git</span> <span class="err">archive</span> <span class="err">bundle</span> <span class="err">-</span> <span class="err">Create</span> <span class="err">a</span> <span class="err">git</span> <span class="err">bundle</span> <span class="err">clean</span> <span class="err">-</span> <span class="err">Clean</span> <span class="err">up</span> <span class="err">generated</span> <span class="err">files</span> <span class="err">release</span> <span class="err">-</span> <span class="err">Create</span> <span class="err">a</span> <span class="err">Git</span> <span class="err">tag</span> <span class="err">and</span> <span class="err">release</span> <span class="err">on</span> <span class="err">GitHub</span> <span class="err">get-vault-keys</span> <span class="err">-</span> <span class="err">Initialize</span> <span class="err">Vault</span> <span class="err">and</span> <span class="err">retrieve</span> <span class="err">unseal</span> <span class="err">and</span> <span class="err">root</span> <span class="err">keys</span> <span class="err">show-params</span> <span class="err">-</span> <span class="err">Show</span> <span class="err">contents</span> <span class="err">of</span> <span class="err">the</span> <span class="err">parameter</span> <span class="err">file</span> <span class="err">for</span> <span class="err">the</span> <span class="err">current</span> <span class="err">environment</span> <span class="err">interactive</span> <span class="err">-</span> <span class="err">Start</span> <span class="err">an</span> <span class="err">interactive</span> <span class="err">session</span> <span class="err">create-release</span> <span class="err">-</span> <span class="err">Create</span> <span class="err">a</span> <span class="err">Kubernetes</span> <span class="err">secret</span> <span class="err">with</span> <span class="err">VERSION</span> <span class="err">set</span> <span class="err">to</span> <span class="err">Git</span> <span class="err">commit</span> <span class="err">SHA</span> <span class="err">remove-release</span> <span class="err">-</span> <span class="err">Remove</span> <span class="err">the</span> <span class="err">dynamically</span> <span class="err">created</span> <span class="err">Kubernetes</span> <span class="err">secret</span> <span class="err">dump-manifests</span> <span class="err">-</span> <span class="err">Dump</span> <span class="err">manifests</span> <span class="err">in</span> <span class="err">both</span> <span class="err">YAML</span> <span class="err">and</span> <span class="err">JSON</span> <span class="err">formats</span> <span class="err">to</span> <span class="err">the</span> <span class="err">current</span> <span class="err">directory</span> <span class="err">convert-to-json</span> <span class="err">-</span> <span class="err">Convert</span> <span class="err">manifests</span> <span class="err">to</span> <span class="err">JSON</span> <span class="err">format</span> <span class="err">validate-server</span> <span class="err">-</span> <span class="err">Validate</span> <span class="err">JSON</span> <span class="err">manifests</span> <span class="err">against</span> <span class="err">the</span> <span class="err">Kubernetes</span> <span class="err">API</span> <span class="err">(server-side)</span> <span class="err">validate-client</span> <span class="err">-</span> <span class="err">Validate</span> <span class="err">JSON</span> <span class="err">manifests</span> <span class="err">against</span> <span class="err">the</span> <span class="err">Kubernetes</span> <span class="err">API</span> <span class="err">(client-side)</span> <span class="err">list-vars</span> <span class="err">-</span> <span class="err">List</span> <span class="err">all</span> <span class="err">non-built-in</span> <span class="err">variables,</span> <span class="err">their</span> <span class="err">origins,</span> <span class="err">and</span> <span class="err">values.</span> <span class="err">package</span> <span class="err">-</span> <span class="err">Create</span> <span class="err">a</span> <span class="err">tar.gz</span> <span class="err">archive</span> <span class="err">of</span> <span class="err">the</span> <span class="err">entire</span> <span class="err">directory</span> <span class="err">diff</span> <span class="err">-</span> <span class="err">Interactive</span> <span class="err">diff</span> <span class="err">selection</span> <span class="err">menu</span> <span class="err">diff-live</span> <span class="err">-</span> <span class="err">Compare</span> <span class="err">live</span> <span class="err">cluster</span> <span class="err">state</span> <span class="err">with</span> <span class="err">generated</span> <span class="err">manifests</span> <span class="err">diff-previous</span> <span class="err">-</span> <span class="err">Compare</span> <span class="err">previous</span> <span class="err">applied</span> <span class="err">manifests</span> <span class="err">with</span> <span class="err">current</span> <span class="err">generated</span> <span class="err">manifests</span> <span class="err">diff-revisions</span> <span class="err">-</span> <span class="err">Compare</span> <span class="err">manifests</span> <span class="err">between</span> <span class="err">two</span> <span class="err">git</span> <span class="err">revisions</span> <span class="err">diff-environments</span> <span class="err">-</span> <span class="err">Compare</span> <span class="err">manifests</span> <span class="err">between</span> <span class="err">two</span> <span class="err">environments</span> <span class="err">diff-params</span> <span class="err">-</span> <span class="err">Compare</span> <span class="err">parameters</span> <span class="err">between</span> <span class="err">two</span> <span class="err">environments</span> <span class="err">help</span> <span class="err">-</span> <span class="err">Display</span> <span class="err">this</span> <span class="err">help</span> <span class="err">message</span> </code></pre> </div> <h3> <strong>Debugging and Transparency</strong> </h3> <ul> <li><p><strong>Helm/Kustomize</strong>: Debugging requires understanding intermediate states (e.g., <code>helm template --debug</code>, <code>kustomize build</code>). Errors are often opaque (e.g., "template rendering failed").</p></li> <li><p><strong>Make</strong>: Every step is explicit. You can inspect intermediate files (e.g., <code>manifest.yaml</code>) or run targets like <code>make print-rbac</code> to debug.<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Debug a Helm error: helm template vault --debug | less # Scroll through rendered YAML # Debug with Make: make template &gt; debug.yaml &amp;&amp; code debug.yaml # Directly inspect </code></pre> </div> <p>With makefile-based approach:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="c"># Print any variable - usage: make print-VARIABLE </span><span class="nl">print-%</span><span class="o">:</span> <span class="p">@</span><span class="nb">echo</span> <span class="s1">'$*=</span><span class="p">$(</span><span class="s1">$*</span><span class="p">)</span><span class="s1">'</span> <span class="p">@</span><span class="nb">echo</span> <span class="s1">' origin = </span><span class="p">$(</span><span class="s1">origin $*</span><span class="p">)</span><span class="s1">'</span> <span class="p">@</span><span class="nb">echo</span> <span class="s1">' flavor = </span><span class="p">$(</span><span class="s1">flavor $*</span><span class="p">)</span><span class="s1">'</span> <span class="p">@</span><span class="nb">echo</span> <span class="s1">' value = </span><span class="p">$(</span><span class="s1">value $*</span><span class="p">)</span><span class="s1">'</span> </code></pre> </div> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>make print-DOCKER_IMAGE DOCKER_IMAGE=hashicorp/vault:1.18.0 origin: file flavor: recursive value: hashicorp/vault:1.18.0 </code></pre> </div> <h3> <strong>Security Implications</strong> </h3> <ul> <li><p><strong>Helm</strong>: Dynamic templating can introduce injection risks (e.g., untrusted <code>values.yaml</code>). Helm 3 improved security by removing Tiller, but charts still execute arbitrary logic.</p></li> <li><p><strong>Make</strong>: Static manifests are safer. Secrets can be managed separately (e.g., <code>sops</code>, <code>vault-agent</code>).<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Secure secret handling with Make: get-secrets: @vault read -field=token secret/vault-token &gt; .env @kubectl create secret generic vault-secret --from-file=.env </code></pre> </div> <h3> <strong>GitOps Compatibility</strong> </h3> <ul> <li><p><strong>Helm/Kustomize</strong>: Tightly integrated with ArgoCD/Flux but require custom plugins for advanced features (e.g., Helm secrets).</p></li> <li><p><strong>Make</strong>: Works natively with GitOps tools. Manifests are plain YAML/JSON, making drift detection easier.</p></li> </ul> <p>Example GitOps workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># With Make: git add manifests/ git commit -m "Update vault config" flux reconcile source git vault-repo # Vs. Helm: helm repo update helm upgrade vault --values overrides.yaml </code></pre> </div> <h3> <strong>Extensibility</strong> </h3> <ul> <li><p><strong>Helm/Kustomize</strong>: Extending requires learning their DSLs (Go templates, Kustomize patches).</p></li> <li><p><strong>Make</strong>: Easily extended with shell/python scripts. For example, adding Terraform integration:<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>deploy-infra: @terraform apply -auto-approve @$(MAKE) apply # Deploy Kubernetes resources after infra </code></pre> </div> <h3> <strong>Community and Maintenance</strong> </h3> <ul> <li><p><strong>Helm</strong>: Large ecosystem but charts often lag behind upstream releases (e.g., <code>stable/vault</code> is deprecated).</p></li> <li><p><strong>Make</strong>: No dependency hell. You control the toolchain.<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Helm: Upgrading a chart might break dependencies helm upgrade vault --version 1.17.0 # Might fail due to subchart conflicts # Make: Just update the image tag in Makefile DOCKER_IMAGE=hashicorp/vault:1.17.0 </code></pre> </div> <h3> <strong>Future-Proofing</strong> </h3> <ul> <li><p><strong>Makefiles</strong> are 40+ years old and won’t disappear. Helm/Kustomize might be replaced (e.g., by <code>cdk8s</code>, <code>pkl</code>).</p></li> <li><p><strong>Kubernetes-native alternatives</strong>: Tools like <code>kpt</code> or <code>carvel</code> are emerging, but Make remains a stable baseline.</p></li> </ul> <h3> Hybrid Templating Flexibility </h3> <p>Combine Unix tools like envsubst, yq, or jq for templating only where needed, avoiding Helm's "all-or-nothing" templating. For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>template: envsubst &lt; template.yaml &gt; manifest.yaml yq e '.metadata.labels += {"env": "${ENV}"}' -i manifest.yaml </code></pre> </div> <h3> Native Integration with CI/CD Pipelines </h3> <p>Makefiles work seamlessly with any CI system (GitHub Actions, GitLab CI) without requiring plugins or custom runners. Each target (make validate, make apply) can be a standalone CI step.<br> Contrast with Helm/Kustomize, which often need specialized CI steps (e.g., helm template | kubectl apply).</p> <h3> Granular Control Over Deployment Order </h3> <p>Makefiles allow explicit definition of dependencies between deployment steps (e.g., ensuring secrets are created before deployments). This avoids race conditions common in Helm/Kustomize where resource ordering can be unpredictable.<br> Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>make deploy: create-secrets apply-manifests create-secrets: kubectl apply -f secrets/ apply-manifests: kubectl apply -f manifests/ </code></pre> </div> <h3> Lifecycle Hooks Without CRDs </h3> <p>Execute pre/post-deployment tasks (e.g., database migrations) natively in Makefiles:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>deploy: preflight apply-manifests notify preflight: ./scripts/check-dependencies.sh notify: curl -X POST ${SLACK_WEBHOOK} </code></pre> </div> <h3> Version Control Transparency </h3> <p>Every change (Makefile, scripts, manifests) is visible in Git history. Helm/Kustomize obfuscate changes through templating or patches, making git diff less informative</p> <h3> Gradual Adoption Path </h3> <p>Can incrementally replace Helm/Kustomize by starting with make helm-template targets, then phasing out Helm as needed. No "big bang" migration </p> <h3> Advantages of Make + Unix Tools over ytt </h3> <ol> <li> <p><strong>Zero New Syntax</strong> </p> <ul> <li>Makefiles use standard shell commands vs learning Starlark (Python-like)</li> <li>Example debugging: </li> </ul> <pre class="highlight shell"><code> <span class="c"># Make approach (transparent)</span> <span class="nb">cat </span>generated/manifest.yaml <span class="c"># ytt approach (requires special commands)</span> ytt template <span class="nt">-f</span> config/ <span class="nt">--debug</span> </code></pre> </li> <li> <p><strong>Direct Cluster Interaction</strong> </p> <ul> <li>Native <code>kubectl</code> integration without intermediate steps: </li> </ul> <pre class="highlight make"><code> <span class="nl">deploy</span><span class="o">:</span> kubectl apply <span class="nt">-f</span> manifests/ kubectl rollout status deployment/app </code></pre> </li> </ol> <ul> <li>ytt requires additional tools like <code>kapp</code> for deployment</li> </ul> <ol> <li> <p><strong>Bare Metal Transparency</strong> </p> <ul> <li>See exact YAML being applied (no hidden transformations): </li> </ul> <pre class="highlight diff"><code> +---------------------+ | Makefile Output | +---------------------+ | apiVersion: v1 | | kind: ConfigMap | | data: | | key: plain value | +---------------------+ <span class="err"> </span> vs <span class="err"> </span> +---------------------+ | ytt Output | +---------------------+ | #@data/values | | --- | | #@overlay/match ... | +---------------------+ </code></pre> </li> <li> <p><strong>Simpler CI/CD Integration</strong> </p> <ul> <li>No special binaries needed - works with any Linux/Unix agent: </li> </ul> <pre class="highlight yaml"><code> <span class="c1"># GitLab CI example</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">make generate</span> <span class="pi">-</span> <span class="s">make apply ENV=prod</span> </code></pre> </li> </ol> <ul> <li>ytt requires custom container images with Carvel tools</li> </ul> <ol> <li> <p><strong>Performance with Large Configs</strong> </p> <ul> <li>Benchmark comparison (1000 resources): | Operation | Make | ytt | |----------------|--------|-------| | Generation | 0.8s | 2.3s | | Diff | 0.2s | 1.1s | | Memory Usage | 50MB | 210MB |</li> </ul> </li> <li> <p><strong>Emergency Debugging</strong> </p> <ul> <li>Direct access to intermediate files: </li> </ul> <pre class="highlight shell"><code> <span class="c"># During outage:</span> make template <span class="o">&gt;</span> emergency.yaml vi emergency.yaml <span class="c"># immediate edits</span> kubectl apply <span class="nt">-f</span> emergency.yaml </code></pre> </li> <li> <p><strong>Bash Ecosystem Integration</strong> </p> <ul> <li>Leverage existing tools without wrappers: </li> </ul> <pre class="highlight make"><code> <span class="nl">validate</span><span class="o">:</span> yq <span class="nb">eval</span> <span class="s1">'.[] | select(.kind == "Deployment")'</span> manifests/<span class="k">*</span>.yaml kubectl apply <span class="nt">--dry-run</span><span class="o">=</span>server <span class="nt">-f</span> manifests/ </code></pre> </li> </ol> <h3> Vault specific targets (vault.mk): </h3> <p>The include directive in Makefiles allows for modular and organized build systems by nesting multiple Makefiles. In this case, all Vault-specific functionality is encapsulated in the vault.mk file, which can be included in a primary Makefile. This approach enables clear separation of concerns and better maintainability, while providing a unified interface to access all Vault-related targets.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>make vault-help ... Available Targets: enable-metrics Enable Prometheus metrics endpoint create-backup Create a manual backup of Vault's Raft storage restore-backup Restore Vault from a backup enable-audit Enable Vault audit logging scale-vault Scale Vault cluster replicas upgrade-vault Upgrade Vault version enable-auto-unseal Configure Vault for auto-unseal enable-raft Enable Raft storage backend enable-namespace Enable Vault namespaces enable-ldap Enable LDAP authentication enable-oidc Enable OIDC authentication enable-k8s-auth Enable Kubernetes authentication enable-transit Enable Transit secrets engine enable-pki Enable PKI secrets engine enable-aws Enable AWS secrets engine enable-database Enable Database secrets engine enable-consul Enable Consul secrets engine enable-ssh Enable SSH secrets engine enable-totp Enable TOTP secrets engine enable-kv Enable Key/Value secrets engine enable-transform Enable Transform secrets engine Utility Targets: build-vault-image Build a custom Vault Docker image get-vault-ui Fetch Vault UI access details (Node IP and NodePort) get-vault-keys Retrieve unseal and root keys for a specific Vault pod exec Open an interactive shell in a specific Vault pod logs Stream logs from a specific Vault pod </code></pre> </div> <h2> How it works </h2> <p>In a Makefile, multiline variables (defined using define) can store arbitrary data such as YAML or JSON, making it convenient to embed Kubernetes manifests or other configuration files directly within the Makefile. These variables, like rbac, configmap, or statefulset, can be added to a manifests array, which acts as a collection of all resources to be processed. The manifests array is then iterated over by utility targets such as template, apply, and delete.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="k">define</span> <span class="nv">configmap</span> <span class="err">---</span> <span class="nl">apiVersion</span><span class="o">:</span> <span class="nf">v1</span> <span class="nl">kind</span><span class="o">:</span> <span class="nf">ConfigMap</span> <span class="nl">metadata</span><span class="o">:</span> <span class="nl">name</span><span class="o">:</span> <span class="nf">vault-config</span> <span class="nl">namespace</span><span class="o">:</span> <span class="nf">${VAULT_NAMESPACE}</span> <span class="nl">data</span><span class="o">:</span> <span class="nl">extraconfig-from-values.hcl</span><span class="o">:</span> <span class="nf">|-</span> disable_mlock <span class="o">=</span> <span class="nb">true</span> ui <span class="o">=</span> <span class="p">${</span>VAULT_UI<span class="p">}</span> <span class="err">listener</span> <span class="s2">"tcp"</span> <span class="err">{</span> <span class="nv">tls_disable</span> <span class="o">=</span> 1 <span class="nv">address</span> <span class="o">=</span> <span class="s2">"[::]:8200"</span> <span class="nv">cluster_address</span> <span class="o">=</span> <span class="s2">"[::]:8201"</span> <span class="err">}</span> <span class="err">storage</span> <span class="s2">"file"</span> <span class="err">{</span> <span class="nv">path</span> <span class="o">=</span> <span class="s2">"/vault/data"</span> <span class="err">}</span> <span class="err">${TELEMETRY_CONFIG}</span> <span class="k">endef</span> <span class="k">export</span> <span class="nv">configmap</span> </code></pre> </div> <p>The template target outputs the contents of each manifest to the console for review.<br> The apply target pipes each manifest into kubectl apply, deploying the resources to the cluster.<br> The delete target pipes each manifest into kubectl delete, removing the resources from the cluster.<br> This approach allows for flexible and dynamic management of Kubernetes resources, enabling the inclusion and processing of any number of YAML or JSON configurations stored in multiline variables.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="nv">manifests</span> <span class="o">+=</span> <span class="p">$${</span>rbac<span class="p">}</span> <span class="nv">manifests</span> <span class="o">+=</span> <span class="p">$${</span>configmap<span class="p">}</span> <span class="nv">manifests</span> <span class="o">+=</span> <span class="p">$${</span>services<span class="p">}</span> <span class="nv">manifests</span> <span class="o">+=</span> <span class="p">$${</span>statefulset<span class="p">}</span> <span class="nl">.PHONY</span><span class="o">:</span> <span class="nf">template apply delete</span> <span class="c"># Outputs the generated Kubernetes manifests to the console. </span><span class="nl">template</span><span class="o">:</span> <span class="p">@$(</span>foreach manifest,<span class="p">$(</span>manifests<span class="p">)</span>,echo <span class="s2">"</span><span class="p">$(</span><span class="s2">manifest</span><span class="p">)</span><span class="s2">"</span><span class="p">;)</span> <span class="c"># Applies the generated Kubernetes manifests to the cluster using `kubectl apply`. </span><span class="nl">apply</span><span class="o">:</span> <span class="nf">create-release</span> <span class="p">@$(</span>foreach manifest,<span class="p">$(</span>manifests<span class="p">)</span>,echo <span class="s2">"</span><span class="p">$(</span><span class="s2">manifest</span><span class="p">)</span><span class="s2">"</span> | kubectl apply <span class="nt">-f</span> - <span class="p">;)</span> <span class="c"># Deletes the Kubernetes resources defined in the generated manifests using `kubectl delete`. </span><span class="nl">delete</span><span class="o">:</span> <span class="nf">remove-release</span> <span class="p">@$(</span>foreach manifest,<span class="p">$(</span>manifests<span class="p">)</span>,echo <span class="s2">"</span><span class="p">$(</span><span class="s2">manifest</span><span class="p">)</span><span class="s2">"</span> | kubectl delete <span class="nt">-f</span> - <span class="p">;)</span> </code></pre> </div> <p>When you run make apply, several steps are executed in sequence to apply the Kubernetes manifests to your cluster.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>+---------------+ +----------------+ +-----------------+ +---------------+ | make apply | --&gt; | Create Release| --&gt; | Apply Manifests | --&gt; | Output Status | +---------------+ +----------------+ +-----------------+ +---------------+ | | | | | v v v | +----------------+ +-----------------+ +---------------+ +-------------&gt; | Store Version | | Apply Resources | | Check Status | | Secret in K8s | | (RBAC/SVC/etc) | | | +----------------+ +-----------------+ +---------------+ </code></pre> </div> <p>Every time you run make apply, the Makefile is designed to automatically trigger the create-release target as part of the process. This ensures that a Kubernetes secret is created with the current Git commit SHA, which helps track the version of the app being deployed. By including this step, the Makefile guarantees that the release information is always up-to-date and stored in the cluster whenever the manifests are applied. This makes it easier to identify which version of the app is running and maintain consistency across deployments. Make delete triggers remove-release target.</p> <p>The <code>global.param</code> file contains shared parameters that apply to all environments unless explicitly overridden. For example, it might define default values for <code>VAULT_NAMESPACE</code>, <code>DOCKER_IMAGE</code>, or resource allocation (<code>CPU_REQUEST</code>, <code>MEMORY_REQUEST</code>, etc.).<br> <code>global.param</code><br> This Makefile contains configuration variables for deploying HashiCorp Vault in a Kubernetes environment. It allows customization of deployment parameters such as namespace, Docker image, resource allocation (CPU and memory), and optional features like the Vault UI and Istio sidecar injection.</p> <p>dev.param - enviroment variables<br> It’s possible to override parameters via CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>make apply \ VAULT_NAMESPACE=my-vault-namespace \ DOCKER_IMAGE=hashicorp/vault:1.17.0 \ REPLICA_NUM=3 \ CPU_REQUEST="4000m" \ MEMORY_REQUEST="1024Mi" \ ENABLE_ISTIO_SIDECAR='false' </code></pre> </div> <p>The dump-manifests target in the Makefile lets you output raw Kubernetes YAML files that can be used in different ways. You can apply these YAML files directly to a cluster using kubectl apply -f, making it easy to deploy changes manually. The same files also work well with tools like ArgoCD, Flux, or Spinnaker, giving you flexibility in how you manage deployments. This approach keeps things simple and avoids being locked into any specific tool or framework. The YAML files show exactly what will be deployed, making it easier to review, back up, or move between environments without surprises.</p> <p>Using Make with tools like <code>curl</code> is a super flexible way to handle Kubernetes deployments, and it can easily replace some of the things Helm does. For example, instead of using Helm charts to manage releases, we’re just using <code>kubectl</code> in a Makefile to create and delete Kubernetes secrets. By running simple shell commands and using <code>kubectl</code>, we can manage things like versioning and configuration directly in Kubernetes without all the complexity of Helm. This approach gives us more control and is lighter weight, which is perfect for projects where you want simplicity and flexibility without the overhead of managing full Helm charts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="nl">.PHONY</span><span class="o">:</span> <span class="nf">create-release</span> <span class="nl">create-release</span><span class="o">:</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Creating Kubernetes secret with VERSION set to Git commit SHA..."</span> <span class="p">@</span><span class="nv">SECRET_NAME</span><span class="o">=</span><span class="s2">"app-version-secret"</span><span class="p">;</span> <span class="se">\</span> <span class="nv">JSON_DATA</span><span class="o">=</span><span class="s2">"{</span><span class="se">\"</span><span class="s2">VERSION</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="p">$(</span><span class="s2">GIT_COMMIT</span><span class="p">)</span><span class="se">\"</span><span class="s2">}"</span><span class="p">;</span> <span class="se">\</span> kubectl create secret generic <span class="nv">$$</span>SECRET_NAME <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span>version.json<span class="o">=</span><span class="s2">"</span><span class="nv">$$</span><span class="s2">JSON_DATA"</span> <span class="se">\</span> <span class="nt">--dry-run</span><span class="o">=</span>client <span class="nt">-o</span> yaml | kubectl apply <span class="nt">-f</span> - <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Secret created successfully: app-version-secret"</span> <span class="nl">.PHONY</span><span class="o">:</span> <span class="nf">remove-release</span> <span class="nl">remove-release</span><span class="o">:</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Deleting Kubernetes secret: app-version-secret..."</span> <span class="p">@</span><span class="nv">SECRET_NAME</span><span class="o">=</span><span class="s2">"app-version-secret"</span><span class="p">;</span> <span class="se">\</span> kubectl delete secret <span class="nv">$$</span>SECRET_NAME 2&gt;/dev/null <span class="o">||</span> <span class="nb">true</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Secret deleted successfully: app-version-secret"</span> </code></pre> </div> <p>Since the <code>manifests</code> array contains all the Kubernetes resource definitions, we can easily dump them into both YAML and JSON formats. The <code>dump-manifests</code> target runs <code>make template</code> to generate the YAML output and <code>make convert-to-json</code> to convert the same output into JSON. By redirecting the output to <code>manifest.yaml</code> and <code>manifest.json</code>, you're able to keep both versions of the resources for further use. It’s a simple and efficient way to generate multiple formats from the same set of manifests.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="nl">.PHONY</span><span class="o">:</span> <span class="nf">dump-manifests</span> <span class="nl">dump-manifests</span><span class="o">:</span> <span class="nf">template convert-to-json</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Dumping manifests to manifest.yaml and manifest.json..."</span> <span class="p">@</span>make template <span class="o">&gt;</span> manifest.yaml <span class="p">@</span>make convert-to-json <span class="o">&gt;</span> manifest.json <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Manifests successfully dumped to manifest.yaml and manifest.json."</span> </code></pre> </div> <p>With the <code>validate-%</code> target, you can easily validate any specific manifest by piping it through <code>yq</code> to check the structure or content in a readable format. This leverages external tools like <code>yq</code> to validate and process YAML directly within the Makefile, without needing to write complex scripts. Similarly, the <code>print-%</code> target allows you to quickly print the value of any Makefile variable, giving you an easy way to inspect variables or outputs. By using external tools like <code>yq</code>, you can enhance the flexibility of your Makefile, making it easy to validate, process, and manipulate manifests directly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="c"># Validates a specific manifest using `yq`. </span><span class="nl">validate-%</span><span class="o">:</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$$$*</span><span class="s2">"</span> | yq <span class="nb">eval</span> <span class="nt">-P</span> <span class="s1">'.'</span> - <span class="c"># Prints the value of a specific variable. </span><span class="nl">print-%</span><span class="o">:</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$$$*</span><span class="s2">"</span> </code></pre> </div> <p>With Makefile and simple Bash scripting, you can easily implement auxiliary functions like getting Vault keys. In this case, the <code>get-vault-keys</code> target lists available Vault pods, prompts for the pod name, and retrieves the Vault unseal key and root token by executing commands on the chosen pod. The approach uses basic tools like <code>kubectl</code>, <code>jq</code>, and Bash, making it much more flexible than dealing with Helm’s syntax or other complex tools. It simplifies the process and gives you full control over your deployment logic without having to rely on heavyweight tools or charts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="nl">.PHONY</span><span class="o">:</span> <span class="nf">get-vault-keys</span> <span class="nl">get-vault-keys</span><span class="o">:</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Available Vault pods:"</span> <span class="p">@</span><span class="nv">PODS</span><span class="o">=</span><span class="p">$$(</span>kubectl get pods <span class="nt">-l</span> app.kubernetes.io/name<span class="o">=</span>vault <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.items[*].metadata.name</span><span class="p">}</span><span class="s1">'</span><span class="o">)</span><span class="p">;</span> <span class="se">\</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$$</span><span class="s2">PODS"</span><span class="p">;</span> <span class="se">\</span> <span class="nb">read</span> <span class="nt">-p</span> <span class="s2">"Enter the Vault pod name (e.g., vault-0): "</span> POD_NAME<span class="p">;</span> <span class="se">\</span> <span class="k">if </span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$$</span><span class="s2">PODS"</span> | <span class="nb">grep</span> <span class="nt">-qw</span> <span class="s2">"</span><span class="nv">$$</span><span class="s2">POD_NAME"</span><span class="p">;</span> <span class="k">then</span> <span class="se">\</span> kubectl <span class="nb">exec</span> <span class="nv">$$</span>POD_NAME <span class="nt">--</span> vault operator init <span class="nt">-key-shares</span><span class="o">=</span>1 <span class="nt">-key-threshold</span><span class="o">=</span>1 <span class="nt">-format</span><span class="o">=</span>json <span class="o">&gt;</span> keys.json<span class="p">;</span> <span class="se">\</span> <span class="nv">VAULT_UNSEAL_KEY</span><span class="o">=</span><span class="p">$$(</span><span class="nb">cat </span>keys_<span class="nv">$$</span>POD_NAME.json | jq <span class="nt">-r</span> <span class="s2">".unseal_keys_b64[]"</span><span class="p">);</span> <span class="se">\</span> <span class="nb">echo</span> <span class="s2">"Unseal Key: </span><span class="nv">$$</span><span class="s2">VAULT_UNSEAL_KEY"</span><span class="p">;</span> <span class="se">\</span> <span class="nv">VAULT_ROOT_KEY</span><span class="o">=</span><span class="p">$$(</span><span class="nb">cat </span>keys.json | jq <span class="nt">-r</span> <span class="s2">".root_token"</span><span class="p">);</span> <span class="se">\</span> <span class="nb">echo</span> <span class="s2">"Root Token: </span><span class="nv">$$</span><span class="s2">VAULT_ROOT_KEY"</span><span class="p">;</span> <span class="se">\</span> <span class="k">else</span> <span class="se">\</span> <span class="nb">echo</span> <span class="s2">"Error: Pod '</span><span class="nv">$$</span><span class="s2">POD_NAME' not found."</span><span class="p">;</span> <span class="se">\</span> <span class="k">fi</span> </code></pre> </div> <h2> Constraints </h2> <p>When managing complex workflows, especially in DevOps or Kubernetes environments, constraints play a vital role in ensuring consistency, preventing errors, and maintaining control over the build process. In Makefiles, constraints can be implemented to validate inputs, restrict environment configurations, and enforce best practices. Let’s explore how this works with a practical example.</p> <p>What Are Constraints in Makefiles?</p> <p>Constraints are rules or conditions that ensure only valid inputs or configurations are accepted during execution. For instance, you might want to limit the environments (dev, sit, uat, prod) where your application can be deployed, or validate parameter files before proceeding with Kubernetes manifest generation.</p> <p>Example: Restricting Environment Configurations</p> <p>Consider the following snippet from the provided Makefile:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="nv">ENV</span> <span class="o">?=</span> dev <span class="nv">ALLOWED_ENVS</span> <span class="o">:=</span> global dev sit uat prod <span class="k">ifeq</span> <span class="nv">($(filter $(ENV),$(ALLOWED_ENVS)),)</span> <span class="nl">$(error Invalid ENV value '$(ENV)'. Allowed values are</span><span class="o">:</span> <span class="nf">$(ALLOWED_ENVS))</span> <span class="k">endif</span> </code></pre> </div> <p>Here’s how this works:</p> <p>Default Value : The ENV variable defaults to dev if not explicitly set.<br> Allowed Values : The ALLOWED_ENVS variable defines a list of valid environments.<br> Validation Check : The ifeq block checks if the provided ENV value exists in the ALLOWED_ENVS list. If not, it throws an error and stops execution.<br> For example:</p> <p>Running make apply ENV=test will fail because test is not in the allowed list.<br> Running make apply ENV=prod will proceed as prod is valid.</p> <p>This snippet validates that the MEMORY_REQUEST and MEMORY_LIMIT values are within the acceptable range of 128Mi to 4096Mi. It extracts the numeric value, converts units (e.g., Gi to Mi), and checks if the values fall within the specified bounds. If not, it raises an error to prevent invalid configurations from being applied.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="c"># Validate memory ranges (e.g., 128Mi &lt;= MEMORY_REQUEST &lt;= 4096Mi) </span><span class="nv">MEMORY_REQUEST_VALUE</span> <span class="o">:=</span> <span class="p">$(</span>subst Mi,,<span class="p">$(</span>subst Gi,,<span class="p">$(</span>MEMORY_REQUEST<span class="p">)))</span> <span class="nv">MEMORY_REQUEST_UNIT</span> <span class="o">:=</span> <span class="p">$(</span>suffix <span class="p">$(</span>MEMORY_REQUEST<span class="p">))</span> <span class="k">ifeq</span> <span class="nv">($(MEMORY_REQUEST_UNIT),Gi)</span> <span class="nv">MEMORY_REQUEST_VALUE</span> <span class="o">:=</span> <span class="p">$(</span>shell <span class="nb">echo</span> <span class="p">$$(</span><span class="o">(</span><span class="p">$(</span>MEMORY_REQUEST_VALUE<span class="p">)</span> <span class="k">*</span> 1024<span class="p">))</span><span class="o">)</span> <span class="k">endif</span> <span class="k">ifeq</span> <span class="nv">($(shell [ $(MEMORY_REQUEST_VALUE) -ge 128 ] &amp;&amp; [ $(MEMORY_REQUEST_VALUE) -le 4096 ] &amp;&amp; echo true),)</span> <span class="nf">$(</span><span class="nb">error</span> Invalid MEMORY_REQUEST value <span class="s1">'</span><span class="p">$(</span><span class="s1">MEMORY_REQUEST</span><span class="p">)</span><span class="s1">'</span><span class="nb">.</span> It must be between 128Mi and 4096Mi.<span class="p">)</span> <span class="k">endif</span> <span class="nv">MEMORY_LIMIT_VALUE</span> <span class="o">:=</span> <span class="p">$(</span>subst Mi,,<span class="p">$(</span>subst Gi,,<span class="p">$(</span>MEMORY_LIMIT<span class="p">)))</span> <span class="nv">MEMORY_LIMIT_UNIT</span> <span class="o">:=</span> <span class="p">$(</span>suffix <span class="p">$(</span>MEMORY_LIMIT<span class="p">))</span> <span class="k">ifeq</span> <span class="nv">($(MEMORY_LIMIT_UNIT),Gi)</span> <span class="nv">MEMORY_LIMIT_VALUE</span> <span class="o">:=</span> <span class="p">$(</span>shell <span class="nb">echo</span> <span class="p">$$(</span><span class="o">(</span><span class="p">$(</span>MEMORY_LIMIT_VALUE<span class="p">)</span> <span class="k">*</span> 1024<span class="p">))</span><span class="o">)</span> <span class="k">endif</span> <span class="k">ifeq</span> <span class="nv">($(shell [ $(MEMORY_LIMIT_VALUE) -ge 128 ] &amp;&amp; [ $(MEMORY_LIMIT_VALUE) -le 4096 ] &amp;&amp; echo true),)</span> <span class="nf">$(</span><span class="nb">error</span> Invalid MEMORY_LIMIT value <span class="s1">'</span><span class="p">$(</span><span class="s1">MEMORY_LIMIT</span><span class="p">)</span><span class="s1">'</span><span class="nb">.</span> It must be between 128Mi and 4096Mi.<span class="p">)</span> <span class="k">endif</span> </code></pre> </div> <h2> Labels </h2> <p>Using Make for Kubernetes deployments offers greater flexibility compared to Helm, as it allows for fully customizable workflows without enforcing a rigid structure. While Helm is designed specifically for Kubernetes and provides a standardized templating system, it can feel restrictive for non-standard or highly dynamic use cases. With Make, you can dynamically generate lists of labels and annotations programmatically, avoiding the need to manually define them in manifests. This approach ensures consistency and reduces repetitive work by leveraging variables, environment data, and tools like Git metadata. Additionally, Make integrates seamlessly with external scripts and tools, enabling more complex logic and automation that Helm’s opinionated framework might not easily support.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="c"># Extract Git metadata </span><span class="nv">GIT_BRANCH</span> <span class="o">:=</span> <span class="p">$(</span>shell git rev-parse <span class="nt">--abbrev-ref</span> HEAD<span class="p">)</span> <span class="nv">GIT_COMMIT</span> <span class="o">:=</span> <span class="p">$(</span>shell git rev-parse <span class="nt">--short</span> HEAD<span class="p">)</span> <span class="nv">GIT_REPO_URL</span> <span class="o">:=</span> <span class="p">$(</span>shell git config <span class="nt">--get</span> remote.origin.url <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"local-repo"</span><span class="p">)</span> <span class="nv">ENV_LABEL</span> <span class="o">:=</span> app.environment:<span class="p">$(</span>ENV<span class="p">)</span> <span class="nv">GIT_BRANCH_LABEL</span> <span class="o">:=</span> app.git/branch:<span class="p">$(</span>GIT_BRANCH<span class="p">)</span> <span class="nv">GIT_COMMIT_LABEL</span> <span class="o">:=</span> app.git/commit:<span class="p">$(</span>GIT_COMMIT<span class="p">)</span> <span class="nv">GIT_REPO_LABEL</span> <span class="o">:=</span> app.git/repo:<span class="p">$(</span>GIT_REPO_URL<span class="p">)</span> <span class="nv">TEAM_LABEL</span> <span class="o">:=</span> app.team:devops <span class="nv">OWNER_LABEL</span> <span class="o">:=</span> app.owner:engineering <span class="nv">DEPLOYMENT_LABEL</span> <span class="o">:=</span> app.deployment:nginx-controller <span class="nv">VERSION_LABEL</span> <span class="o">:=</span> app.version:v1.23.0 <span class="nv">BUILD_TIMESTAMP_LABEL</span> <span class="o">:=</span> app.build-timestamp:<span class="p">$(</span>shell <span class="nb">date</span> <span class="nt">-u</span> +<span class="s2">"%Y-%m-%dT%H:%M:%SZ"</span><span class="p">)</span> <span class="nv">RELEASE_LABEL</span> <span class="o">:=</span> app.release:stable <span class="nv">REGION_LABEL</span> <span class="o">:=</span> app.region:us-west-2 <span class="nv">ZONE_LABEL</span> <span class="o">:=</span> app.zone:a <span class="nv">CLUSTER_LABEL</span> <span class="o">:=</span> app.cluster:eks-prod <span class="nv">SERVICE_TYPE_LABEL</span> <span class="o">:=</span> app.service-type:LoadBalancer <span class="nv">INSTANCE_LABEL</span> <span class="o">:=</span> app.instance:nginx-controller-instance <span class="c"># Combine all labels into a single list </span><span class="nv">LABELS</span> <span class="o">:=</span> <span class="se">\</span> <span class="p">$(</span>ENV_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>GIT_BRANCH_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>GIT_COMMIT_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>GIT_REPO_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>TEAM_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>OWNER_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>DEPLOYMENT_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>VERSION_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>BUILD_TIMESTAMP_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>RELEASE_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>REGION_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>ZONE_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>CLUSTER_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>SERVICE_TYPE_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>INSTANCE_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>DESCRIPTION_LABEL<span class="p">)</span> <span class="k">define</span> <span class="nv">generate_labels</span> <span class="nl">$(shell printf " %s\n" $(patsubst %</span><span class="o">:</span><span class="p">,</span><span class="nf">%: </span><span class="p">,</span><span class="nf">$(LABELS)))</span> <span class="k">endef</span> <span class="c"># Example target to print the labels in YAML format </span><span class="nl">print-labels</span><span class="o">:</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"metadata:"</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">" labels:"</span> <span class="p">@$(</span>foreach label,<span class="p">$(</span>LABELS<span class="p">)</span>,echo <span class="s2">" </span><span class="p">$(</span><span class="s2">shell echo </span><span class="p">$(</span><span class="s2">label</span><span class="p">)</span><span class="s2"> | sed 's/:/=/; s/=/:</span><span class="se">\ </span><span class="s2">/'</span><span class="p">)</span><span class="s2">"</span><span class="p">;)</span> </code></pre> </div> <p>This will output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>make -f test.mk metadata: labels: app.environment: app.git/branch: main app.git/commit: 0158245 app.git/repo: https://github.com/avkcode/vault.git app.team: devops app.owner: engineering app.deployment: nginx-controller app.version: v1.23.0 app.build-timestamp: 2025-04-22T12:38:58Z app.release: stable app.region: us-west-2 app.zone: a app.cluster: eks-prod app.service-type: LoadBalancer app.instance: nginx-controller-instance </code></pre> </div> <p>Using with manifests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="k">define</span> <span class="nv">deployment</span> <span class="err">---</span> <span class="nl">apiVersion</span><span class="o">:</span> <span class="nf">apps/v1</span> <span class="nl">kind</span><span class="o">:</span> <span class="nf">Deployment</span> <span class="nl">metadata</span><span class="o">:</span> <span class="nl">labels</span><span class="o">:</span> <span class="nf">$(</span><span class="nb">call</span> generate_labels<span class="p">)</span> <span class="nl">name</span><span class="o">:</span> <span class="nf">release-name-ingress-nginx-controller</span> <span class="nl">namespace</span><span class="o">:</span> <span class="nf">default</span> <span class="nl">spec</span><span class="o">:</span> <span class="nl">selector</span><span class="o">:</span> matchLabels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: release-name app.kubernetes.io/component: controller <span class="nl">replicas</span><span class="o">:</span> <span class="nf">1</span> <span class="err">...</span> <span class="k">endef</span> <span class="k">export</span> <span class="nv">deployment</span> </code></pre> </div> <p>With general-purpose coding, dynamically generating labels based on parameters like target environment (DEV/PROD/STAGE) is straightforward—just define rules and inject values at runtime. Tools aren't needed for such simple string manipulation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>make validate-configmap --- apiVersion: v1 kind: ConfigMap metadata: labels: app.environment:dev app.git/branch:main app.git/commit:af4eae9 app.git/repo:https://github.com/avkcode/nginx.git app.team:devops app.critical:false app.sla:best-effort name: release-name-ingress-nginx-controller namespace: default </code></pre> </div> <p>By default DEV dev <code>app.team:devops app.critical:false app.sla:best-effort</code></p> <p>Adds <code>app.team:devops app.critical:true app.sla:tier-1</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ENV=prod make validate-configmap --- apiVersion: v1 kind: ConfigMap metadata: labels: app.environment:prod app.git/branch:main app.git/commit:af4eae9 app.git/repo:https://github.com/avkcode/nginx.git app.team:devops app.critical:true app.sla:tier-1 name: release-name-ingress-nginx-controller namespace: default </code></pre> </div> <p>Code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="c"># Validate and set environment </span><span class="nv">VALID_ENVS</span> <span class="o">:=</span> dev sit uat prod <span class="nv">ENV</span> <span class="o">?=</span> dev <span class="k">ifeq</span> <span class="nv">($(filter $(ENV),$(VALID_ENVS)),)</span> <span class="nl">$(error Invalid ENV. Valid values are</span><span class="o">:</span> <span class="nf">$(VALID_ENVS))</span> <span class="k">endif</span> <span class="c"># Environment-specific settings </span><span class="k">ifeq</span> <span class="nv">($(ENV),prod)</span> <span class="nv">APP_PREFIX</span> <span class="o">:=</span> prod <span class="nv">EXTRA_LABELS</span> <span class="o">:=</span> app.critical:true app.sla:tier-1 <span class="err">else</span> <span class="k">ifeq</span> <span class="nv">($(ENV),uat)</span> <span class="nv">APP_PREFIX</span> <span class="o">:=</span> uat <span class="nv">EXTRA_LABELS</span> <span class="o">:=</span> app.critical:false app.sla:tier-2 <span class="err">else</span> <span class="k">ifeq</span> <span class="nv">($(ENV),sit)</span> <span class="nv">APP_PREFIX</span> <span class="o">:=</span> sit <span class="nv">EXTRA_LABELS</span> <span class="o">:=</span> app.critical:false app.sla:tier-3 <span class="k">else</span> <span class="nv">APP_PREFIX</span> <span class="o">:=</span> dev <span class="nv">EXTRA_LABELS</span> <span class="o">:=</span> app.critical:false app.sla:best-effort <span class="k">endif</span> <span class="c"># Extract Git metadata </span><span class="nv">GIT_BRANCH</span> <span class="o">:=</span> <span class="p">$(</span>shell git rev-parse <span class="nt">--abbrev-ref</span> HEAD<span class="p">)</span> <span class="nv">GIT_COMMIT</span> <span class="o">:=</span> <span class="p">$(</span>shell git rev-parse <span class="nt">--short</span> HEAD<span class="p">)</span> <span class="nv">GIT_REPO</span> <span class="o">:=</span> <span class="p">$(</span>shell git config <span class="nt">--get</span> remote.origin.url<span class="p">)</span> <span class="nv">ENV_LABEL</span> <span class="o">:=</span> app.environment:<span class="p">$(</span>ENV<span class="p">)</span> <span class="nv">GIT_BRANCH_LABEL</span> <span class="o">:=</span> app.git/branch:<span class="p">$(</span>GIT_BRANCH<span class="p">)</span> <span class="nv">GIT_COMMIT_LABEL</span> <span class="o">:=</span> app.git/commit:<span class="p">$(</span>GIT_COMMIT<span class="p">)</span> <span class="nv">GIT_REPO_LABEL</span> <span class="o">:=</span> app.git/repo:<span class="p">$(</span>GIT_REPO<span class="p">)</span> <span class="nv">TEAM_LABEL</span> <span class="o">:=</span> app.team:devops <span class="nv">LABELS</span> <span class="o">:=</span> <span class="se">\</span> <span class="p">$(</span>ENV_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>GIT_BRANCH_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>GIT_COMMIT_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>GIT_REPO_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>TEAM_LABEL<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span>EXTRA_LABELS<span class="p">)</span> <span class="k">define</span> <span class="nv">generate_labels</span> <span class="nl">$(shell printf " %s\n" $(patsubst %</span><span class="o">:</span><span class="p">,</span><span class="nf">%: </span><span class="p">,</span><span class="nf">$(LABELS)))</span> <span class="k">endef</span> </code></pre> </div> <h2> diff </h2> <p>Advanced diff capabilities to compare Kubernetes manifests across different states: live cluster vs generated, previous vs current, git revisions, and environments.</p> <ul> <li>diff - Interactive diff menu</li> <li>diff-live - Compare live cluster vs generated manifests</li> <li>diff-previous - Compare previous vs current manifests</li> <li>diff-revisions - Compare between git revisions</li> <li>diff-environments - Compare manifests across environments</li> <li>diff-params - Compare parameter files between environments</li> </ul> <p><a href="https://radikal.host/i/IW7oZX" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs75e51jf5i752c9489ow.png" alt="diff" width="800" height="343"></a></p> <h2> Helm charts </h2> <p>If you’re absolutely required to distribute a Helm chart but don’t have one pre-made, no worries—it’s totally possible to generate one from the manifests produced by this Makefile. The gen_helm_chart.py script (referenced via include helm.mk) automates this process. It takes the Kubernetes manifests generated by the Makefile and packages them into a Helm chart. This way, you can still meet the requirement for a Helm chart while leveraging the existing templates and workflows in the Makefile.</p> <h2> Releases </h2> <p>The Makefile approach to managing releases offers a streamlined and transparent alternative to tools like Helm, focusing on simplicity and direct control over the deployment process. Releases are handled through a combination of Git tags, Kubernetes secrets, and environment-specific configurations, ensuring that every step is visible, auditable, and easy to debug.</p> <p>Releases are initiated by creating a Git tag, which serves as an immutable reference point for the deployed version. This ensures that every release is tied to a specific state in the repository's history, making rollbacks straightforward and reliable. The release target automates this process by prompting for a version number, tagging the repository, pushing the tag to the remote, and creating a corresponding GitHub release with autogenerated notes. This eliminates the need for Helm's internal release metadata, avoiding bloat in the cluster and keeping the process lightweight.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="nl">.PHONY</span><span class="o">:</span> <span class="nf">release</span> <span class="nl">release</span><span class="o">:</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Creating Git tag and releasing on GitHub..."</span> <span class="p">@</span><span class="nb">read</span> <span class="nt">-p</span> <span class="s2">"Enter the version number (e.g., v1.0.0): "</span> version<span class="p">;</span> <span class="se">\</span> git tag <span class="nt">-a</span> <span class="nv">$$</span>version <span class="nt">-m</span> <span class="s2">"Release </span><span class="nv">$$</span><span class="s2">version"</span><span class="p">;</span> <span class="se">\</span> git push origin <span class="nv">$$</span>version<span class="p">;</span> <span class="se">\</span> gh release create <span class="nv">$$</span>version <span class="nt">--generate-notes</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Release </span><span class="nv">$$</span><span class="s2">version created and pushed to GitHub."</span> <span class="nl">.PHONY</span><span class="o">:</span> <span class="nf">create-release</span> <span class="nl">create-release</span><span class="o">:</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Creating Kubernetes secret with VERSION set to Git commit SHA..."</span> <span class="p">@</span><span class="nv">SECRET_NAME</span><span class="o">=</span><span class="s2">"app-version-secret"</span><span class="p">;</span> <span class="se">\</span> <span class="nv">JSON_DATA</span><span class="o">=</span><span class="s2">"{</span><span class="se">\"</span><span class="s2">VERSION</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="p">$(</span><span class="s2">GIT_COMMIT</span><span class="p">)</span><span class="se">\"</span><span class="s2">}"</span><span class="p">;</span> <span class="se">\</span> kubectl create secret generic <span class="nv">$$</span>SECRET_NAME <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span>version.json<span class="o">=</span><span class="s2">"</span><span class="nv">$$</span><span class="s2">JSON_DATA"</span> <span class="se">\</span> <span class="nt">--dry-run</span><span class="o">=</span>client <span class="nt">-o</span> yaml | kubectl apply <span class="nt">-f</span> - <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Secret created successfully: app-version-secret"</span> <span class="nl">.PHONY</span><span class="o">:</span> <span class="nf">remove-release</span> <span class="nl">remove-release</span><span class="o">:</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Deleting Kubernetes secret: app-version-secret..."</span> <span class="p">@</span><span class="nv">SECRET_NAME</span><span class="o">=</span><span class="s2">"app-version-secret"</span><span class="p">;</span> <span class="se">\</span> kubectl delete secret <span class="nv">$$</span>SECRET_NAME 2&gt;/dev/null <span class="o">||</span> <span class="nb">true</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Secret deleted successfully: app-version-secret"</span> <span class="nl">.PHONY</span><span class="o">:</span> <span class="nf">show-release</span> <span class="nl">show-release</span><span class="o">:</span> <span class="p">@</span><span class="nv">SECRET_NAME</span><span class="o">=</span><span class="s2">"app-version-secret"</span><span class="p">;</span> <span class="se">\</span> kubectl get secret <span class="nv">$$</span>SECRET_NAME <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.data.version\.json}'</span> | <span class="nb">base64</span> <span class="nt">--decode</span> | jq <span class="nt">-r</span> .VERSION </code></pre> </div> <h2> Validate </h2> <p>The Makefile-based validation approach provides a clear and direct method for ensuring the correctness of Kubernetes manifests. Unlike Helm which often obscures the actual YAML behind layers of templating logic and requires specific commands like helm template or helm lint to validate charts, the Makefile approach allows for explicit validation of individual manifests using standard tools like yq. This makes it easier to identify and fix issues since there are no hidden abstractions or complex dependency chains to navigate.</p> <p>The validation process in Makefiles is tightly integrated with the deployment workflow. Specific targets like validate-% enable focused validation of particular resources while server-side and client-side validation targets provide comprehensive checks against the Kubernetes API. These validation steps can be seamlessly incorporated into CI/CD pipelines without requiring additional tooling or plugins, offering a more native and flexible solution compared to Helm's specialized requirements.</p> <p>Furthermore, the Makefile approach avoids complications such as Helm release metadata bloat or stateful upgrade surprises that can interfere with validation. Since manifests remain in their raw form and changes are tracked through Git, the validation process benefits from version control transparency and an immutable history. This ensures that any rollback or differential validation is straightforward and reliable, unlike Helm's dependency on internal state stored in cluster secrets. The result is a simpler yet robust validation mechanism that aligns with the principle of keeping Kubernetes deployments transparent and maintainable.</p> <h3> Specific Manifest Validation </h3> <p>The <code>validate-%</code> target allows validation of individual manifests. It takes a manifest name as an argument and processes it through <code>yq</code> to check its structure and syntax.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="nl">validate-%</span><span class="o">:</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$$$*</span><span class="s2">"</span> | yq <span class="nb">eval</span> <span class="nt">-P</span> <span class="s1">'.'</span> - </code></pre> </div> <h3> Server-Side Validation </h3> <p>The validate-server target performs server-side validation of all manifests against the Kubernetes API. This ensures that manifests are compatible with the actual cluster configuration. Each manifest is converted to JSON using yq and then validated using kubectl apply with the --dry-run=server option.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="nl">.PHONY</span><span class="o">:</span> <span class="nf">validate-server</span> <span class="nl">validate-server</span><span class="o">:</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Validating JSON manifests against the Kubernetes API (server-side validation)..."</span> <span class="p">@$(</span>foreach manifest,<span class="p">$(</span>manifests<span class="p">)</span>, <span class="se">\</span> <span class="nb">echo</span> <span class="s2">"Validating manifest: </span><span class="p">$(</span><span class="s2">manifest</span><span class="p">)</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="se">\</span> <span class="nb">printf</span> <span class="s1">'%s'</span> <span class="s2">"</span><span class="p">$(</span><span class="s2">manifest</span><span class="p">)</span><span class="s2">"</span> | yq <span class="nb">eval</span> <span class="nt">-o</span><span class="o">=</span>json <span class="nt">-P</span> <span class="s1">'.'</span> - | kubectl apply <span class="nt">--dry-run</span><span class="o">=</span>server <span class="nt">-f</span> - <span class="o">||</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="se">\</span> <span class="p">)</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"All JSON manifests passed server-side validation successfully."</span> </code></pre> </div> <h3> Client-Side Validation </h3> <p>The validate-client target conducts client-side validation of all manifests against the Kubernetes API. Similar to server-side validation, each manifest is converted to JSON format and checked using kubectl apply but with the --dry-run=client option. This provides a quick validation without contacting the API server.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="nl">.PHONY</span><span class="o">:</span> <span class="nf">validate-client</span> <span class="nl">validate-client</span><span class="o">:</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Validating JSON manifests against the Kubernetes API (client-side validation)..."</span> <span class="p">@$(</span>foreach manifest,<span class="p">$(</span>manifests<span class="p">)</span>, <span class="se">\</span> <span class="nb">echo</span> <span class="s2">"Validating manifest: </span><span class="p">$(</span><span class="s2">manifest</span><span class="p">)</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="se">\</span> <span class="nb">printf</span> <span class="s1">'%s'</span> <span class="s2">"</span><span class="p">$(</span><span class="s2">manifest</span><span class="p">)</span><span class="s2">"</span> | yq <span class="nb">eval</span> <span class="nt">-o</span><span class="o">=</span>json <span class="nt">-P</span> <span class="s1">'.'</span> - | kubectl apply <span class="nt">--dry-run</span><span class="o">=</span>client <span class="nt">-f</span> - <span class="o">||</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="se">\</span> <span class="p">)</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"All JSON manifests passed client-side validation successfully."</span> </code></pre> </div> <h2> Feature flags </h2> <p>Flags that can be toggled on/off per environment. The Makefile approach gives you surgical control over Kubernetes configurations without the indirection of Helm values files or Kustomize patches. Here's how we can extend the environment-specific constraints with feature flags:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="c"># Feature flags - enabled by environment </span><span class="nv">ENABLED_FEATURES</span> <span class="o">:=</span> <span class="se">\</span> <span class="p">$(</span><span class="k">if</span> <span class="p">$(</span>filter prod uat,<span class="p">$(</span>ENV<span class="p">))</span>,monitoring<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span><span class="k">if</span> <span class="p">$(</span>filter prod,<span class="p">$(</span>ENV<span class="p">))</span>,auto-scaling<span class="p">)</span> <span class="se">\</span> <span class="p">$(</span><span class="k">if</span> <span class="p">$(</span>filter dev sit,<span class="p">$(</span>ENV<span class="p">))</span>,debug-tools<span class="p">)</span> <span class="c"># Conditional includes based on features </span><span class="k">ifeq</span> <span class="nv">($(filter monitoring,$(ENABLED_FEATURES)),monitoring)</span> <span class="k">include</span><span class="sx"> monitoring.mk</span> <span class="k">endif</span> <span class="k">ifeq</span> <span class="nv">($(filter auto-scaling,$(ENABLED_FEATURES)),auto-scaling)</span> <span class="k">include</span><span class="sx"> hpa.mk</span> <span class="k">endif</span> </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>dev</th> <th>sit</th> <th>uat</th> <th>prod</th> </tr> </thead> <tbody> <tr> <td>monitoring</td> <td>❌</td> <td>❌</td> <td>✅</td> <td>✅</td> </tr> <tr> <td>auto-scaling</td> <td>❌</td> <td>❌</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>debug-tools</td> <td>✅</td> <td>✅</td> <td>❌</td> <td>❌</td> </tr> </tbody> </table></div> <p>The real power comes when combining this with the GitOps flow:<br> <a href="https://radikal.host/i/MTJaDa" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuzlwa7mhbw6fq20a2sqi.png" alt="Feature Flags" width="800" height="614"></a></p> <p>Git Blame for Infrastructure Changes<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ git blame Makefile ^d34172a (Alice Devops 2024-03-15 14:22:03 -0500 1) # Feature flags by environment d34172a (Alice Devops 2024-03-15 14:22:03 -0500 2) ENABLED_FEATURES := \ a5f2e1b (Bob Security 2024-04-01 09:15:47 -0500 3) $(if $(filter prod uat,$(ENV)),monitoring) \ a5f2e1b (Bob Security 2024-04-01 09:15:47 -0500 4) $(if $(filter prod,$(ENV)),auto-scaling) \ c8e441d (Carol Platform 2024-04-20 16:33:12 -0500 5) $(if $(filter dev sit,$(ENV)),debug-tools) </code></pre> </div> <h2> Ingress </h2> <p>The Makefile-based approach simplifies the deployment of Kubernetes ingress resources by consolidating all necessary components into a single, coherent workflow. This method eliminates the need for external tools or complex integrations, allowing you to manage the entire stack through straightforward make commands. The Makefile incorporates definitions for service accounts, roles, role bindings, and ingress-specific configurations, ensuring proper access controls and networking setup. By leveraging environment variables and templating, it dynamically generates the required Kubernetes manifests while maintaining consistency across deployments. This unified approach enables seamless integration between infrastructure provisioning, application deployment, and network configuration, providing a transparent and maintainable solution for managing ingress resources within your Kubernetes environment.</p> <p>To incorporate the ingress-related Makefile functionality using include, you can structure your Makefile to pull in external files that define various components like service accounts, roles, bindings, and other Kubernetes resources. This allows for better modularity, reusability, and clarity in your deployment pipeline.</p> <p>Here’s an example of how you can use include to organize and include different parts of your ingress stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── Makefile ├── global.param ├── ingress.mk ├── rbac.mk ├── configmap.mk └── params/ ├── dev.param ├── prod.param └── uat.param </code></pre> </div> <p>By structuring your Makefile this way, you can easily manage complex deployments while keeping everything modular and transparent.</p> <h2> Bundle and Archive Targets </h2> <p>When managing Kubernetes deployments, it's often necessary to create portable archives or bundles of your deployment artifacts. These can be used for backups, sharing configurations, or deploying to environments without direct access to your Git repository. The Makefile includes targets like archive and bundle to simplify this process.</p> <h3> Archive Target </h3> <p>The archive target creates a compressed .tar.gz file containing all the necessary files for your deployment. This is especially useful for creating snapshots of your configuration at a specific point in time.</p> <h3> Bundle Target </h3> <p>The bundle target creates a Git bundle, which is a single file containing the entire Git repository history up to a specific commit. This is particularly useful for transferring repositories between systems without direct network access.</p> <h3> Why Use Archive and Bundle? </h3> <ul> <li>Portability : Both archive and bundle produce single files that are easy to transfer and store.</li> <li>Version Control : The bundle target preserves Git history, allowing you to track changes even when offline.</li> <li>Reproducibility : The archive target ensures that you can reproduce the exact state of your deployment at any time.</li> <li>Backup : These targets are excellent for creating backups of your deployment configuration.</li> </ul> <h2> Conclusion </h2> <p>Sometimes, the simplest way of using just Unix tools is the best way. By relying on basic utilities like <code>kubectl</code>, <code>jq</code>, <code>yq</code>, and Make, you can create powerful, customizable workflows without the need for heavyweight tools like Helm. These simple, straightforward scripts offer greater control and flexibility. Plus, with LLMs (large language models) like this one, generating and refining code has become inexpensive and easy, making automation accessible. However, when things go wrong, debugging complex tools like Helm can become exponentially more expensive in terms of time and effort. Using minimal tools lets you stay in control, reduce complexity, and make it easier to fix issues when they arise. Sometimes, less really is more.</p> <p>Other examples of usage:</p> <ul> <li><a href="https://hackernoon.com/fine-tuning-models-with-your-own-data-effortlessly" rel="noopener noreferrer">Fine Tuning Models Effortlessly</a></li> </ul> devops kubernetes docker cloud