cnsmunich25/content/day2/06_compliance.md

title, weight, tags

title	weight	tags
Automating Compliance and Infrastructure Plumbing: Tackling the Boring Stuff	6	compliance backstage

They basicly presented a bunch of examples about how their platforn handles createion of different resource. Most of the examples were too detailed, so i did not note them down. The DX also did not feel that easy (at least from their examples and screenshots)

The "Blueprint"

Idea

• Centralized Configuration (Source of truth)
• Automatic Provisioning and managmeent of services
• Continuos reconciliation
• Version control (git) for auditing

Platform components

• Classic: Slow manual provisioning with a tendency towards config drift
• Service Catalog: YAML files in a central repo following the backstage definition
• Automation: GitOps
• Backstage: For The UI

Implementation

• A bunch of backstage components with operators (some crossplane, some not)
• Example - New resource with Namespace: Namespace get's created in Kubernetes and Elasticsearch alongside a EntraID Group with members for the rolebinding for the Namespace
• Example - DNS: Registers Route in Kong, DNS in ExternalDNS and generates Certificate for Route (via Certmanager)
• Monitoring: Elasticsearch, CR(D) Status/Events, Backstage Catalog (just shows the kubernetes Status)

Challenges

• Developer buy-in -> Workshops, talks, enforcement b/c compliance and stuff
• Integration with existing systems
• Conflicting requirements -> They just forced this via "b/c compliance needs unified interface"

Q&A

• Why the backstage YAML format: Well the engineers decided to
• How did you convince them to switch over from service now: No one was sad to get rid of service now
• Is the backstage read-only: No, it also supports write actions (natively and through headlamp)

TL;DR

• They use git (ops) for Auditing
• They use operators and crossplane for reconciliation
• Backstage acts as the UI for all of this (visualizes Service Status and relationships)