Automating Compliance and Infrastructure Plumbing: Tackling the Boring Stuff

They basically presented a bunch of examples of how their platform handles the creation of different resources. Most of the examples were too detailed, so I did not note them down. The DX also did not feel that easy (at least from their examples and screenshots).

The “Blueprint”

Idea

  • Centralized configuration (source of truth)
  • Automatic provisioning and management of services
  • Continuous reconciliation
  • Version control (git) for auditing

Platform components

  • Classic: Slow manual provisioning with a tendency towards config drift
  • Service Catalog: YAML files in a central repo following the Backstage entity definition
  • Automation: GitOps
  • Backstage: for the UI

Implementation

  • A bunch of Backstage components backed by operators (some Crossplane, some not)
  • Example - New resource with Namespace: the namespace gets created in Kubernetes and Elasticsearch, alongside an EntraID group whose members populate the RoleBinding for that namespace
  • Example - DNS: registers a route in Kong, a DNS record via ExternalDNS, and generates a certificate for the route (via cert-manager)
  • Monitoring: Elasticsearch, CR(D) status/events, Backstage catalog (just shows the Kubernetes status)
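Added illustration of the namespace example and the "continuous reconciliation" idea above (my own sketch, not code from the talk or the presenters' platform): derive the Kubernetes Namespace and a namespace-scoped RoleBinding for the team's EntraID group from a constructed Backstage catalog entity, then diff against a cluster snapshot to spot drift. The annotation key and the use of the EntraID group object id as the Kubernetes group name are assumptions.

```python
from copy import deepcopy

# Constructed Backstage-style catalog entity; the annotation key and the use of the
# Entra ID group object id as the Kubernetes group name are assumptions of this example.
CATALOG_ENTITY = {
    "apiVersion": "backstage.io/v1alpha1",
    "kind": "Component",
    "metadata": {
        "name": "payments-api",
        "annotations": {"example.internal/entra-group-id": "11111111-2222-3333-4444-555555555555"},
    },
    "spec": {"type": "service", "owner": "group:default/payments-team"},
}

def desired_state(entity: dict) -> dict[str, dict]:
    """Derive the manifests the platform should keep in sync for one catalog entity."""
    name = entity["metadata"]["name"]
    group_id = entity["metadata"]["annotations"]["example.internal/entra-group-id"]
    team = entity["spec"]["owner"].split("/")[-1]
    namespace = {"apiVersion": "v1", "kind": "Namespace",
                 "metadata": {"name": name, "labels": {"owner": team}}}
    # A RoleBinding (not a ClusterRoleBinding) keeps the grant confined to this namespace,
    # and binding the Entra ID group means membership is managed centrally, not per cluster.
    rolebinding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
                   "metadata": {"name": f"{name}-team-edit", "namespace": name},
                   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "edit"},
                   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": group_id}]}
    return {f"Namespace/{name}": namespace, f"RoleBinding/{name}/{name}-team-edit": rolebinding}

def drift(desired: dict[str, dict], observed: dict[str, dict]) -> dict[str, list[str]]:
    """Classify every object as create/update/delete; the git-derived desired state wins."""
    return {
        "create": sorted(k for k in desired if k not in observed),
        "update": sorted(k for k in desired if k in observed and observed[k] != desired[k]),
        "delete": sorted(k for k in observed if k not in desired),
    }

def reconcile_report() -> dict[str, list[str]]:
    """Constructed cluster snapshot showing the drift a reconciliation loop would revert."""
    desired = desired_state(CATALOG_ENTITY)
    observed = deepcopy(desired)
    # Drift 1: someone hand-added a personal user to the team's RoleBinding.
    observed["RoleBinding/payments-api/payments-api-team-edit"]["subjects"].append(
        {"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "alice@example.test"})
    # Drift 2: an ad-hoc admin binding that has no counterpart in the catalog.
    observed["RoleBinding/payments-api/manual-admin"] = {"kind": "RoleBinding"}
    return drift(desired, observed)
```

Both drifts show up in the report as an update and a delete, which is exactly what the audit trail in git would not otherwise explain.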

Challenges

  • Developer buy-in -> workshops, talks, enforcement because of compliance and the like
  • Integration with existing systems
  • Conflicting requirements -> they just forced this via "compliance needs a unified interface"

Q&A

  • Why the Backstage YAML format: well, the engineers decided to
  • How did you convince them to switch over from ServiceNow: no one was sad to get rid of ServiceNow
  • Is Backstage read-only: no, it also supports write actions (natively and through Headlamp)

TL;DR

  • They use git (GitOps) for auditing
  • They use operators and crossplane for reconciliation
  • Backstage acts as the UI for all of this (visualizes Service Status and relationships)