|
My main problem with caddy is that they're visibly really really really desperate to start generating some sweet RoI for their investors and best of luck to them but I don't want to get hitched to their poo poo in case they ram some other crap down my throat. Traefik's devs for whatever reason seem less desperate. nginx is somewhat desperate but not nearly as much as caddy.
|
#
?
Nov 29, 2020 17:33
|
|
|
|
| # ? Apr 18, 2024 17:10 |
|
|
Back in 1.0, when the main guy was still developing it in his spare time, they briefly tried adding a HTTP header in the free binary release "Caddy server made possible by {sponsor company}". I thought that was totally fine, since it was not much different from a "powered by WordPress" at the bottom of your blog, it was clearly announced in advance, and you could easily build from source to remove it, but Hacker News absolutely lost their poo poo over it like it was malware and still keep bringing it up. Nowadays there's a couple of small companies paying the devs a salary, one of them being ZeroSSL, which is basically "let's encrypt but with an optional paid plan". Caddy is pretty clearly a marketing tool for them, since I had no idea they existed until a Caddy released explained they were now supported as an alternative ACME provider. If Caddy ever deprecates Let's Encrypt support in favour of ZeroSSL only, that'll be the sign that they started to make compromises to generate cash.
|
|
#
?
Nov 29, 2020 20:08
|
|
|
NihilCredo posted:do not take this as a suggestion you should switch ingress controller on a forum whim, _especially_ if you have a working kuby goldbernetes setup going for god's sake the caddy ingress controllers are toys. anyone who tries to shove that config in a cluster is rapidly going to discover they have quite some work to do before they have something usable
|
|
#
?
Nov 29, 2020 21:55
|
|
|
what were your Concerns about my design anyway, I'm curious
|
|
#
?
Nov 29, 2020 22:57
|
|
|
we all live in prisons of our own past decisions, but infrastructure people have it 100x worse
|
|
#
?
Nov 30, 2020 00:20
|
|
|
Sapozhnik posted:what were your Concerns about my design anyway, I'm curious you're asking ingresses to do something that isn't in the spec. even if everything works out fine now, you're no longer depending on ingress in general but traefik in particular. that complicates migrating to a different ingress controller. it's also a weird thing to do, which means either you have a truly unusual use case, or you're overcomplicating your design in pursuit of aesthetics. unusual use cases exist, but so do devs who fall in love with a pretty design and convince themselves that it's necessary
|
|
#
?
Nov 30, 2020 01:15
|
|
|
I'm not actually doing anything nonstandard with Ingress, although that's more than I can say for every example I've seen documented out in the wild; everybody seems to use vendor-specific annotations. The prefix behavior is idiotic but that's what the spec says so I added code to my services to make their URL prefixes configurable from the same environment variable that controls their public base URLs. I don't think it's an unusual use case at all, it's just pointless busywork. As far as the service is concerned it listens on http://0.0.0.0:8080/ or whatever, it shouldn't need to know where it's mounted in that particular deployment's public-facing URL namespace and be forced to listen under http://0.0.0.0:8080/api/whateverservice/. To make a really tortured analogy, when I mount a filesystem somewhere on a unix system I expect that filesystem's root directory to get mounted, not some deep subdirectory that matches whatever mount point I'm targeting. What on earth is the point of requiring that?
|
|
#
?
Nov 30, 2020 02:27
|
|
|
i agree that its ugly but unless you expect the prefix to change at some point, is it causing a problem. how much effort is it worth to make your URLs pretty if you want a metaphor, it's mapping, not mounting
|
|
#
?
Nov 30, 2020 14:52
|
|
|
At a minimum it ensures some level of consistency. WebWorker scope badly broke that.
|
|
#
?
Nov 30, 2020 15:04
|
|
|
ikanreed posted:At major bank name omitted, there was a major trading application where the manager in charge of the project insisted "lock statements cause slowness" banned them from the code. This resulted in a solution the team's devs called "Luck based synchronization". i once was hired by a friend of my boss to do a contracting gig to review some code and figure out why their database was so slow. the devs at the company kept fighting me, saying i didnt need to see the code to figure out why it was slow. they kept sandbagging me non stop, trying to keep me from seeing whatever they have written. eventually their manager told them to show me the code or else they would be fired. it sure felt like they were afraid that i was going to expose their terrible programming. in about 30 minutes i found a job that was running that would do a bunch of prep work, loading some file and sorting it in memory, etc before doing any queries. they were explicitly locking their biggest table before all of that stuff, which caused everything else to halt from writing. the actual queries they were running took about 100ms. i moved the lock to right before the queries were executed, and it fixed all their problems. locks good, but devs bad
|
|
#
?
Nov 30, 2020 15:48
|
|
|
Maybe they were actually galaxy brain devs doing something like story 1 here https://www.dodgycoder.net/2012/02/coding-tricks-of-game-developers.html?m=1 Just waiting for the right moment to move the lock, and you stole their glory, you monster.
|
|
#
?
Nov 30, 2020 16:34
|
|
|
i made a few grand for 30 mins of actual work im ok with it
|
|
#
?
Nov 30, 2020 16:53
|
|
|
CRIP EATIN BREAD posted:i made a few grand for 30 mins of actual work im ok with it Good old "knowing what button to push" billing.
|
|
#
?
Nov 30, 2020 17:14
|
|
|
ikanreed posted:Good old "knowing what button to push" billing. well it did take almost a week of management fighting with their employees to let me see the code. so it was a week where i did nothing but work on other projects until they finally let me see the code.
|
|
#
?
Nov 30, 2020 17:48
|
|
|
Chome  developers cap their virtual desktop size to 9,999 x 9,999, I need, let's see here, ..., 78K x 3,500 pixels.
|
|
#
?
Dec 1, 2020 21:53
|
|
|
ugh this loving hyphenation code is hosed up ive now considered like 5 different ways to handle it, but they all either immediately shows as unworkable or requires a ton of refactoring
|
|
#
?
Dec 2, 2020 12:31
|
|
|
Carthag Tuek posted:ugh this loving hyphenation code is hosed up Pushdown automata?
|
|
#
?
Dec 2, 2020 14:19
|
|
|
ikanreed posted:Pushdown automata? im not sure how that would work like creating an object that holds the individual parts of the hyphenated word, then have that object pretend to be the full word, by dynamically combining the properties of the parts?
|
|
#
?
Dec 2, 2020 14:59
|
|
|
Bloody posted:our biggest bottleneck is that we are stuck on 32-bit and a 64 bit migration requires a total rewrite good luck. one of my first projects i worked on was all C, written with a big endian cpu in mind (and it constantly did things like cast a long pointer to a char pointer for serialization, encoding, etc), and not a single thing was abstracted. they constantly re-implemented reading/writing bytes all over the project, about 1 million lines. oh yeah, they also depended on divide by 0 not causing a fault and just returning 0.  we tried our damndest to port it to x86 but... well....
|
|
#
?
Dec 2, 2020 19:39
|
|
|
simply override the division operator to include a if denominator == 0 check
|
|
#
?
Dec 2, 2020 19:44
|
|
|
but yeah im pretty sure the 64-bit port is never gonna happen. i think we're more likely to do a rewrite/new product at that point
|
|
#
?
Dec 2, 2020 19:44
|
|
|
want to check if i'm designing a total horror or just a mild horror our application uses RBAC with keycloak as openid authorization endpoint, so endpoints check keycloak's jwt tokens in the auth bearer header for permissions i got asked to design the implementation of the following feature: a regular user can ask permission to temporarily access $restricted_feature. when they do, the request is sent to their manager's app, who can approve or deny it. if they approve it, the user is granted the appropriate role for e.g. 30 minutes. i don't want to have to manually check for overrides everywhere, so I am considering something like this when the manager sends 'ok, grant $permission to user', the backend 1- logs in to keycloak's admin api using a backend-only set of elevated credentials with role-management and impersonation roles 2- grants the role to the user 3- impersonates the user 4- requests a jwt token with a custom (short) expiration date using this plugin 5- immediately revokes the role from the user 6- sends the jwt token to the user's app, which uses it in lieu of the one it has, until it expires and gets automatically refreshed as usual (the new token won't have the permission anymore) pros: - 100% transparent to the existing endpoints and auth flows, both client and server side cons: - if the user happens to log in between steps 2 and 5, he will be granted the permission for the duration of the regular access token. it might be possible to fix this by disabling the user's regular login during this operation, if this doesn't also block impersonation - would likely break if we ever implemented jwt remote validation (i assume jwts with claims the user no longer possesses would not pass validation, same as if they were revoked)
|
|
#
?
Dec 2, 2020 20:13
|
|
|
I would be worried about users getting into weird states if any of the account modification steps failed. Idk how keycloak works but monitoring for that sort of failure case might also be a challenge if you don't have an external source of truth. Could you clone the user to a new account without a login or something first? You could also write your own plugin to allow overrides lol
|
|
#
?
Dec 2, 2020 20:53
|
|
|
we are starting to look at various implementations to try to set up some SSO for things, but none of the options feel great. keycloak seems to suffer from redhat syndrome and its huge and bulky, and requires a lot of static configuration files. we were looking at fusionauth which seems to have some really nice APIs, but they charge you a monthly license to get LDAP/AD support (which is dumb). finally I came across something called ORY Hydra which ONLY does the OAuth2 stuff (no user management), and requires you to set up a REST endpoint that does the login/logout/confirm access stuff, that you implement yourself and point Hydra at, and they handle all the JWT stuff, token generation, etc.
|
|
#
?
Dec 2, 2020 22:41
|
|
|
Sounds like a big secfuck in making. Go for it.
|
|
#
?
Dec 2, 2020 22:43
|
|
|
i really dont give a poo poo what happens to any of the users tbh i'll jsut bail if there's a disaster
|
|
#
?
Dec 2, 2020 23:06
|
|
|
CRIP EATIN BREAD posted:keycloak seems to suffer from redhat syndrome and its huge and bulky, and requires a lot of static configuration files. fwiw we're running keycloak from the official docker image with zero configuration files. just environment variables pointing them to a postgres instance, then everything gets saved in the "keycloak" db the stuff im considering would be the first time we have to add extra configuration (a command flag to enable the token_exchange feature since it's been in 'preview' since literally eight majors ago, idk either)
|
|
#
?
Dec 2, 2020 23:07
|
|
|
the only thing that sounds kinda off is the back-end pushing a new token to the client? (is there always just one client? will they definitely be logged in when the manager approves it?) and I guess if they need 2 temp. roles they have to request them both in a single transaction.
|
|
#
?
Dec 3, 2020 00:44
|
|
|
NihilCredo posted:want to check if i'm designing a total horror or just a mild horror dont manually check for overrides everywhere, just do it once. you have some function that checks whether some JWT has some permission, and do the override check there
|
|
#
?
Dec 3, 2020 01:01
|
|
|
a team that consume messages we publish to a queue migrated their queue receiver and in the process somehow managed to change their processing from "if I encounter an error, take the message off and alert but continue to process" to "if there's an error, throw a cascade of alerts, crash the process and leave the message on the queue so when you restart it blows up again and the queue fills up" none of their exceptions are being handled and are coming from the lack of any logical validation on what they're doing when they process a message (inserting rows in a table), so needless to say they have raised this as a sender side incident 
|
|
#
?
Dec 3, 2020 01:15
|
|
|
the solution to the problems caused by a queue is, of course, another queue
|
|
#
?
Dec 3, 2020 01:36
|
|
|
NihilCredo posted:want to check if i'm designing a total horror or just a mild horror It's probably easier in the long run to just have the overrides be granted by a separate system that can better manage expiring and revoking them and stuff like that. I would guess it's also pretty important for your logging and stuff that you know that person-x used this feature thanks to the override granted by manager y. So you want to explicitly check for an override to make sure you note that down.
|
|
#
?
Dec 3, 2020 01:39
|
|
|
cool av posted:the solution to the problems caused by a queue is, of course, another queue i'm a staff data engineer and this is correct
|
|
#
?
Dec 3, 2020 03:32
|
|
|
we use kafka for data streams/events and everything ive done with it rules but guys at work keep pushing 30mb messages onto the topic, for no good reason.
|
|
#
?
Dec 3, 2020 03:37
|
|
|
the reason is "its easier for us to do it this way" and it's the only good reason to do anything
|
|
#
?
Dec 3, 2020 03:44
|
|
|
Anyone have any comparative experience with data pipeline tools? I was loving around with Dagster today since it's pretty turnkey but am curious if there's some good reason to go with Airflow or something instead.
|
|
#
?
Dec 3, 2020 04:14
|
|
|
i think airflow is gonna be the boring one that most peeps use, w luigi comin in second
|
|
#
?
Dec 3, 2020 04:17
|
|
|
borat voice my husband likes prefect
|
|
#
?
Dec 3, 2020 04:50
|
|
|
shoeberto posted:Anyone have any comparative experience with data pipeline tools? I was loving around with Dagster today since it's pretty turnkey but am curious if there's some good reason to go with Airflow or something instead. if you care about offloading poo poo to people who care more than you, airflow has hosted versions on basically every cloud you can think of
|
|
#
?
Dec 3, 2020 05:15
|
|
|
|
| # ? Apr 18, 2024 17:10 |
|
|
Nomnom Cookie posted:the reason is "its easier for us to do it this way" and it's the only good reason to do anything all the stuff they put in there is stdout and stderr output from a forked process
|
|
#
?
Dec 3, 2020 06:23
|
|