cnsmunich25/content/day2/06_compliance.md
Nicolai Ort b78b472be2
docs(day2): Added compliance automation talk notes
2025-07-22 14:45:02 +02:00

---
title: Automating Compliance and Infrastructure Plumbing: Tackling the Boring Stuff
weight: 6
tags:
- compliance
- backstage
---
<!-- {{% button href="https://youtu.be/rkteV6Mzjfs" style="warning" icon="video" %}}Watch talk on YouTube{{% /button %}} -->
<!-- {{% button href="https://docs.google.com/presentation/d/1nEK0CVC_yQgIDqwsdh-PRihB6dc9RyT-" style="tip" icon="person-chalkboard" %}}Slides{{% /button %}} -->
They basically presented a bunch of examples of how their platform handles the creation of different resources.
Most of the examples were too detailed, so I did not note them down.
The DX also did not feel that easy (at least from their examples and screenshots).
## The "Blueprint"
### Idea
- Centralized Configuration (Source of truth)
- Automatic provisioning and management of services
- Continuous reconciliation
- Version control (git) for auditing
### Platform components
- Classic: Slow manual provisioning with a tendency towards config drift
- Service Catalog: YAML files in a central repo following the backstage definition
- Automation: GitOps
- Backstage: For The UI
### Implementation
- A bunch of backstage components with operators (some crossplane, some not)
- Example - New resource with Namespace: the namespace gets created in Kubernetes and Elasticsearch, alongside an EntraID group whose members are used for the RoleBinding in that namespace
- Example - DNS: registers a route in Kong, a DNS record in ExternalDNS and generates a certificate for the route (via cert-manager)
- Monitoring: Elasticsearch, CR(D) Status/Events, Backstage Catalog (just shows the kubernetes Status)
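To make the namespace example above concrete, here is what such a catalog entry and the objects an operator would reconcile from it could look like. This is an added illustration, not the presenters' code or their platform's actual definitions: the entity fields follow the standard Backstage catalog format and the `backstage.io/kubernetes-namespace` annotation exists in the Backstage Kubernetes plugin, but the operator, the `example.internal/entra-group-id` annotation, the group ids and the names are assumptions.

```yaml
# Added example (not from the talk): a Backstage catalog entity for a team
# namespace and the Kubernetes objects an (assumed) namespace operator could
# reconcile from it. The example.internal annotation, the group ids and all
# names are constructed placeholders.
apiVersion: backstage.io/v1alpha1
kind: Resource
metadata:
  name: payments-dev
  annotations:
    backstage.io/kubernetes-namespace: payments-dev
    # Hypothetical annotation read by the assumed operator to pick the
    # EntraID group that should own the namespace.
    example.internal/entra-group-id: 00000000-0000-0000-0000-000000000000
spec:
  type: kubernetes-namespace
  owner: group:default/team-payments
  system: payments
---
# Reconciled by the operator: the namespace itself ...
apiVersion: v1
kind: Namespace
metadata:
  name: payments-dev
  labels:
    # keeps the trail back to the catalog entry that requested it
    backstage.io/owner: team-payments
---
# ... and a namespace-scoped RoleBinding for the EntraID group.
# It is a RoleBinding against the built-in "edit" ClusterRole, not a
# ClusterRoleBinding: a group that owns one namespace gets rights in that
# namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-payments-edit
  namespace: payments-dev
subjects:
- kind: Group
  # With Entra ID as the OIDC provider, the group claim usually carries the
  # group's object id rather than its display name.
  name: 00000000-0000-0000-0000-000000000000
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```

Because the catalog entity lives in the central Git repo, every change to who owns which namespace shows up as a reviewed commit, which is the auditing angle from the "Blueprint"; the reconciliation loop then makes sure the RoleBinding in the cluster never drifts away from that committed state.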
### Challenges
- Developer buy-in -> Workshops, talks, enforcement b/c compliance and stuff
- Integration with existing systems
- Conflicting requirements -> They just forced this via "b/c compliance needs unified interface"
## Q&A
- Why the Backstage YAML format: Well, the engineers decided to
- How did you convince them to switch over from ServiceNow: No one was sad to get rid of ServiceNow
- Is Backstage read-only: No, it also supports write actions (natively and through Headlamp)
## TL;DR
- They use git (ops) for Auditing
- They use operators and crossplane for reconciliation
- Backstage acts as the UI for all of this (visualizes Service Status and relationships)