---
title: "Automating Compliance and Infrastructure Plumbing: Tackling the Boring Stuff"
weight: 6
tags:
  - compliance
  - backstage
---

They basically presented a bunch of examples about how their platform handles creation of different resources. Most of the examples were too detailed, so I did not note them down. The DX also did not feel that easy (at least from their examples and screenshots).

## The "Blueprint"

### Idea

- Centralized configuration (source of truth)
- Automatic provisioning and management of services
- Continuous reconciliation
- Version control (git) for auditing

### Platform components

- Classic: slow manual provisioning with a tendency towards config drift
- Service Catalog: YAML files in a central repo following the Backstage definition
- Automation: GitOps
- Backstage: for the UI

### Implementation

- A bunch of Backstage components with operators (some Crossplane, some not)
- Example - new resource with Namespace: the Namespace gets created in Kubernetes and Elasticsearch, alongside an EntraID group whose members are used for the RoleBinding for the Namespace
- Example - DNS: registers the route in Kong, the DNS record in ExternalDNS and generates a certificate for the route (via cert-manager)
- Monitoring: Elasticsearch, CR(D) status/events, Backstage catalog (just shows the Kubernetes status)

### Challenges

- Developer buy-in -> workshops, talks, enforcement b/c compliance and stuff
- Integration with existing systems
- Conflicting requirements -> they just forced this via "b/c compliance needs unified interface"

## Q&A

- Why the Backstage YAML format: well, the engineers decided to
- How did you convince them to switch over from ServiceNow: no one was sad to get rid of ServiceNow
- Is Backstage read-only: no, it also supports write actions (natively and through Headlamp)

## TL;DR

- They use git (ops) for auditing
- They use operators and Crossplane for reconciliation
- Backstage acts as the UI for all of this (visualizes service status and relationships)
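As an added illustration of the namespace example under Implementation (my own sketch, not code from the talk or their platform): a constructed Backstage catalog entity is turned into the Namespace and RoleBinding a reconciler would own, with the EntraID group as the only subject, and a drift check flags a hand edit that bypassed git. The `example.internal/*` annotation keys and all names are assumptions.

```python
import json

# Constructed Backstage catalog entity: the git-tracked source of truth.
# The "example.internal/*" annotation keys are hypothetical.
CATALOG_ENTITY = {
    "apiVersion": "backstage.io/v1alpha1", "kind": "Component",
    "metadata": {"name": "payments-api", "annotations": {
        "example.internal/namespace": "team-payments",
        "example.internal/entra-group": "grp-team-payments-dev"}},
    "spec": {"type": "service", "owner": "team-payments"},
}

def desired_resources(entity: dict) -> list[dict]:
    """Derive the Kubernetes objects the reconciler should own for this entity."""
    ann = entity["metadata"]["annotations"]
    ns, group = ann["example.internal/namespace"], ann["example.internal/entra-group"]
    namespace = {"apiVersion": "v1", "kind": "Namespace",
                 "metadata": {"name": ns, "labels": {"owner": entity["spec"]["owner"]}}}
    # Bind the EntraID group, not individual users: membership is managed in the
    # identity provider, the RoleBinding stays stable, and access is scoped to one namespace.
    rolebinding = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
        "metadata": {"name": f"{ns}-edit", "namespace": ns},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "edit"},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": group}],
    }
    return [namespace, rolebinding]

def _key(obj: dict) -> tuple:
    return (obj["kind"], obj["metadata"].get("namespace", ""), obj["metadata"]["name"])

def detect_drift(desired: list[dict], observed: list[dict]) -> list[str]:
    """Report objects that are missing or differ from the source of truth."""
    seen = {_key(o): o for o in observed}
    findings = []
    for d in desired:
        current = seen.get(_key(d))
        if current is None:
            findings.append(f"missing {d['kind']} {d['metadata']['name']}")
        elif current != d:  # any hand edit made outside git shows up here
            findings.append(f"drift in {d['kind']} {d['metadata']['name']}")
    return findings

def sample_observed() -> list[dict]:
    """Constructed cluster state: someone hand-added a user to the RoleBinding."""
    observed = json.loads(json.dumps(desired_resources(CATALOG_ENTITY)))
    observed[1]["subjects"].append(
        {"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "someone@example.com"})
    return observed
```

Running `detect_drift(desired_resources(CATALOG_ENTITY), sample_observed())` reports the RoleBinding as drifted, which is exactly what continuous reconciliation would revert and what the git history would not show.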