IRC log for #confidant, 2016-01-21

All times shown according to UTC.

Time Nick Message
02:49 ilbot3 joined #confidant
02:49 Topic for #confidant is now Secret management for AWS. https://lyft.github.io/confidant Channel logs at http://irclog.perlgeek.de/confidant/
07:56 lyftbot joined #confidant
09:46 wm-bot joined #confidant
18:07 DanyC joined #confidant
19:03 lyftbot joined #confidant
21:24 lyftbot [pnathan] looking through the docs quickly - I don't see a 'recommendations for production' discussion
21:24 lyftbot [pnathan] am I missing the right paragraph in the Friendly Manual?
21:28 woodrow hey pnathan, did we reference a section that doesn’t exist? :)
21:28 woodrow or are you looking for recommendations for operating confidant in production that we don’t cover
21:29 lyftbot [pnathan] often services will be all 'in production, you REALLY WANT TO DO... x y z'
21:29 lyftbot [pnathan] I was eyeballing for something like that, that's all
21:35 woodrow gotcha
21:35 woodrow i think ryan will be back shortly and he’ll be able to provide better answers than I
21:36 Ryan_Lane hey pnathan
21:36 lyftbot [pnathan] hiya, Ryan
21:37 Ryan_Lane there's no production recommendations doc right now
21:37 Ryan_Lane what kind of info were you looking for?
21:38 lyftbot [pnathan] broadly, the load levels, monitoring endpoints, upgrade paths
21:38 Ryan_Lane there's a /healthcheck endpoint
21:38 lyftbot [pnathan] ah, "load levels" => "how much load can this node take before it falls over"
21:39 Ryan_Lane gotcha
21:39 lyftbot [pnathan] (the boring operational things)
21:39 Ryan_Lane indeed
21:39 Ryan_Lane the load is mostly related to dynamo
21:39 Ryan_Lane and kms
21:39 Ryan_Lane confidant itself is basically just crud
21:40 Ryan_Lane if you launch confidant using gevent it can generally handle a pretty high load, but you need to ensure dynamo is provisioned properly
21:40 Ryan_Lane it's basically all reads
21:40 lyftbot [pnathan] @pnathan nods
21:41 Ryan_Lane it also depends on how you're fetching from confidant
21:41 Ryan_Lane one option is to have each host fetch on a schedule and to cache
21:41 Ryan_Lane and also cache the KMS auth token
21:42 Ryan_Lane confidant keeps a cache of kms auth tokens in memory so that it needs to hit kms less often
21:42 Ryan_Lane it'll also cache decrypted data keys in memory
21:43 Ryan_Lane avg gets in our case are ~35ms
21:43 Ryan_Lane p95 is ~45, p99 is ~70ms
21:43 lyftbot [pnathan] "fast" :)
21:43 Ryan_Lane yeah. generally :)
21:43 Ryan_Lane but...
21:44 Ryan_Lane it depends on how many credentials you have mapped to a service
21:44 Ryan_Lane if you have like 100 mapped to a service it'll be a lot slower than 75ms
21:49 lyftbot [pnathan] Yah. :)
21:49 Ryan_Lane hmm... what other kinds of things can I think of....
21:49 Ryan_Lane for the most part internally we haven't had any issues with confidant
21:49 lyftbot [pnathan] ah.... authorization for people editing credentials
21:50 Ryan_Lane upgrade wise, we're designing it to be as backwards compatible as possible
21:50 Ryan_Lane but... we'll have upgrade scripts in the cases they're needed
21:50 Ryan_Lane when you say authorization for people...?
21:51 Ryan_Lane right now it's google auth
21:51 Ryan_Lane soon we'll also have a way to use a cli to edit/read using KMS auth
21:52 lyftbot [pnathan] """It's possible to restrict access to a subset of users that authenticate using Google authentication:
21:52 lyftbot export USERS_FILE='/etc/confidant/users.yaml'
21:52 lyftbot export GOOGLE_AUTH_EMAIL_SUFFIX='@example.com'
21:52 lyftbot In the above configuration, Confidant will limit authentication to users with the email domain @example.com. Additionally, Confidant will look in the users.yaml file for a list of email addresses allowed to access Confidant.
21:52 lyftbot """
21:52 lyftbot [pnathan] I'm reading that as two-phase user capabilities... either "admin" or "no-access"
21:52 Ryan_Lane that's basically it, yeah
21:53 Ryan_Lane we currently don't have fine-grained authz
21:53 Ryan_Lane it's in future plans, but we haven't had a need to prioritize it. we probably will in the next quarter or two
21:54 Ryan_Lane we have a different feature coming up that makes it both necessary and a little less necessary :D
21:57 Ryan_Lane right now you either have access for all secrets and services or none
22:00 Ryan_Lane (if you need access control before we get to it, I'm happy to discuss implementation plans and we'd be happy to accept PRs)
22:00 Ryan_Lane also would be good to ensure whatever we're planning on doing also works for you
22:35 wm-bot joined #confidant
22:35 abrody joined #confidant
22:37 woodrow welcome abrody!
22:39 Ryan_Lane abrody: howdy
22:39 abrody 👋
22:40 woodrow abrody: you might ask ryan about docker
23:34 contrapumpkin joined #confidant