Kaizen! We are flying ✈️
This is our 5th Kaizen where we talk about the next improvement to changelog.com: we are now running on Fly.io and our PostgreSQL is managed. This is a migration that many were curious about, including Simmy de Klerk, the person that requested this episode.
After migrating all our media files to AWS S3 (check episode 40), we thought that this part was going to be easy. Plan met reality. Pull request 407 has all the details.
We want to emphasise the type of partner relationships that we seek at Changelog & why they are important to us, as well as to our listeners. Honeycomb & Fly embody the principles that we care about, and Gerhard thinks that we are currently missing a Kubernetes partner.
On the topic of secrets management, I would recommend keeping your secrets in a vault and syncing them to Fly with some automation. Don’t ask Fly.io to build all the vault features, when many options already exist :-) It would also be cool if Fly.io could pull secrets from a few different vaults.
In my case I use Azure’s KeyVault to store my secrets. I then use a very simple script to copy those secrets from KeyVault into my DigitalOcean Kubernetes cluster.
The syncing of your secrets could be as simple as a bash script that pipes `az keyvault secret show` into `flyctl secrets set`.
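A minimal version of the sync script described in this comment, as an added example (not code from the episode or from Nabeel). It assumes a logged-in az CLI, an authenticated flyctl, and placeholder vault, app and secret names; it feeds values to `flyctl secrets import` over stdin so they never appear on a command line.

```shell
#!/usr/bin/env sh
# Sync named secrets from an Azure Key Vault into a Fly.io app.
# Added illustration; assumes az and flyctl are installed and logged in.
# Key Vault secret names allow only letters, digits and hyphens, so a vault
# entry such as "database-url" is exposed to the app as DATABASE_URL.

# Fetch one secret value from the vault. Kept as its own function so the
# rest of the logic can be exercised with a stub instead of a real vault.
fetch_secret() {
  vault="$1"; name="$2"
  az keyvault secret show --vault-name "$vault" --name "$name" \
    --query value -o tsv
}

# Map a Key Vault name to an environment-style name: uppercase, '-' -> '_'.
env_name() {
  printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_'
}

# Print NAME=value lines for every requested secret. Values travel through a
# pipe only, so they do not show up in `ps` output or shell history.
render_secret_lines() {
  vault="$1"; shift
  for name in "$@"; do
    case "$name" in
      *[!A-Za-z0-9-]*|'') echo "invalid Key Vault name: $name" >&2; return 1 ;;
    esac
    value=$(fetch_secret "$vault" "$name") || return 1
    [ -n "$value" ] || { echo "empty secret: $name" >&2; return 1; }
    printf '%s=%s\n' "$(env_name "$name")" "$value"
  done
}

# Pipe the rendered lines into `flyctl secrets import`, which reads
# NAME=value pairs from stdin and applies them to the app.
sync_to_fly() {
  vault="$1"; app="$2"; shift 2
  render_secret_lines "$vault" "$@" | flyctl secrets import --app "$app"
}

# Example invocation (vault, app and secret names are placeholders):
#   sync_to_fly changelog-kv changelog-app database-url secret-key-base
```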
I really like this idea! We already have AWS and use S3 extensively, so my instinct tells me that we should go with KMS. This would be a fantastic follow-up for episode 60. Thanks Nabeel!
I don’t understand the advantage of that strategy from our perspective. Why store our secrets in one place and then have to propagate them (however simple that is) to the actual place we want to use them?
One reason I can think of is, what if we want to use those same secrets in N places? But that gives me serious YAGNI vibes…
Are there other advantages that I’m not thinking of?
In addition to the 1-N argument you brought up:
Like your source code and S3 storage, keeping your secrets in an independent place allows you to continue using it as you move from one platform to another. It would have been handy when you were moving from Linode to Fly.
A dedicated secrets manager is going to be more feature-rich and reliable than anything bolted onto a platform where it’s not their main business. I would trust KMS to keep my secrets safe, backed up and all that. I wouldn’t count on Fly for that.
Kelsey made some good points about when Vault makes sense here: https://changelog.com/shipit/44
I intend to talk to Rosemary & Rob from HashiCorp about Vault in a future episode.