Ship It! #50

Kaizen! We are flying ✈️

This is our 5th Kaizen where we talk about the next improvement to changelog.com: we are now running on fly.io and our PostgreSQL is managed. This is a migration that many were curious about, including Simmy de Klerk, the person that requested this episode.

After migrating all our media files to AWS S3 (check episode 40), we thought that this part was going to be easy. Plan met reality. Pull request 407 has all the details.

We want to emphasise the type of partner relationships that we seek at Changelog & why they are important to us, as well as to our listeners. Honeycomb & Fly embody the principles that we care about, and Gerhard thinks that we are currently missing a Kubernetes partner.


Discussion


2022-04-27T22:42:23Z

On the topic of secrets management, I would recommend keeping your secrets in a vault and syncing them to Fly with some automation. Don’t ask Fly.io to build all the vault features, when many options already exist :-) It would also be cool if Fly.io could pull secrets from a few different vaults.

In my case I use Azure’s KeyVault to store my secrets. I then use a very simple script to copy those secrets from KeyVault into my DigitalOcean Kubernetes cluster.

2022-04-27T22:47:46Z

The syncing of your secrets could be as simple as a bash script that pipes az keyvault secret show into flyctl secrets set

https://docs.microsoft.com/en-us/cli/azure/keyvault/secret?view=azure-cli-latest#az-keyvault-secret-show
https://fly.io/docs/reference/secrets/#setting-secrets
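
The sync described in the comment above, written out as an added example that is not part of the original thread or of Changelog's setup. It assumes the vault and Fly app names are passed as arguments, maps Key Vault names such as `database-url` to `DATABASE_URL` (a naming choice made here), and feeds `flyctl secrets import` on stdin rather than `flyctl secrets set`, so values never appear in a process's argument list or on disk.

```shell
#!/bin/sh
# Added example: copy every secret from an Azure Key Vault to a Fly app.
# Usage: sync.sh <vault-name> <fly-app>   (both names are placeholders)

# Key Vault secret names allow only letters, digits and '-'; map them to
# environment-variable style names: "database-url" -> "DATABASE_URL".
kv_to_env_name() {
    printf '%s' "$1" | tr 'a-z-' 'A-Z_'
}

# Print one NAME=VALUE line per secret in the vault.
# Returns non-zero if any lookup fails or a value spans several lines.
kv_export() {
    vault=$1
    names=$(az keyvault secret list --vault-name "$vault" \
        --query '[].name' -o tsv) || return 1
    for name in $names; do
        value=$(az keyvault secret show --vault-name "$vault" \
            --name "$name" --query value -o tsv) || return 1
        case $value in
            *"
"*) echo "refusing multi-line secret: $name" >&2; return 1 ;;
        esac
        printf '%s=%s\n' "$(kv_to_env_name "$name")" "$value"
    done
}

# Read the whole vault first so a partial read never reaches Fly, then
# hand all pairs to flyctl in one call on stdin.
sync_secrets() {
    pairs=$(kv_export "$1") || { echo "export failed, nothing sent" >&2; return 1; }
    [ -n "$pairs" ] || { echo "vault is empty, nothing sent" >&2; return 1; }
    printf '%s\n' "$pairs" | flyctl secrets import --app "$2"
}

if [ "$#" -eq 2 ]; then sync_secrets "$1" "$2"; fi
```

The identity running this needs only list and get permission on the vault's secrets, plus a Fly token for the target app.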

Jerod Santo

Omaha, Nebraska

Jerod co-hosts The Changelog, crashes JS Party, and takes out the trash (his old code) once in a while.

2022-05-02T15:25:19Z

I don’t understand the advantage of that strategy from our perspective. Why store our secrets in one place and then have to propagate them (however simple that is) to the actual place we want to use them?

One reason I can think of is, what if we want to use those same secrets in N places? But that gives me serious YAGNI vibes…

Are there other advantages that I’m not thinking of?

2022-05-02T19:30:07Z

In addition to the 1-N argument you brought up:

  1. Like your source code and S3 storage, keeping your secrets in an independent place allows you to continue using it as you move from one platform to another. It would have been handy when you were moving from Linode to Fly.

  2. A dedicated secrets manager is going to be more feature-rich and reliable than anything bolted onto a platform where it’s not their main business. I would trust KMS to keep my secrets safe, backed up and all that. I wouldn’t count on Fly for that.
