CloudPro #20: AWS SSL/TLS certificates expiring-update them asap, Okta hacked again, New AWS Coursera Certificate, Open source LLMs on GCloud

Get smarter about cloud and security

Welcome to a brand new edition of the CloudPro! Today, we’ll talk about:

Masterclass:

1. How to deploy Mistral 7B Instruct on your Kubernetes cluster using TGI

2. How to run 15,000+ tasks in a single Amazon ECS cluster

3. How to build a workflow orchestrator for Kubernetes

4. How to manage multiple Kubernetes clusters

5. How to make the EKS cluster safe from attacks without affecting its regular use

Secret Knowledge:

1. How to manage Kubernetes resources in Terraform: Kubernetes provider

2. Observing Java Applications Running Via Docker Compose Using OpenTelemetry

3. Container image scanning with Trivy in AWS CDK

4. What are Kubernetes Volume Snapshots

5. How to use Vector Databases(Pinecone, Chrome, Weviate) in Python

Techwave:

1. Update your Amazon RDS and Aurora SSL/TLS Certificates before they expire.

2. Okta got hacked. Again.

3. Introducing GKE Stateful High Availability (HA) Controller

From the Cloud World:

1. New AWS Cloud Technology Consultant Professional Certificate

2. Google Cloud has introduced intellectual property indemnity for generative AI products

3. Kubernetes introduces ingress2gateway

4. Netlify launches Composable Jamstack Framework for Web Apps

5. Serve open-source LLMs on Google Cloud

HackHub:

1. cezarguimaraes/pkgsite

2. nuclio/nuclio

3. solo-io/squash

4. datreeio/datree

5. project-zot/zot

Cheers,

Shreyans Singh

Editor-in-Chief

PS: I hope you will enjoy today's newsletter! I’m all ears for your thoughts – the good, the great, and the "meh." Share your feedback and snag a free Packt eBook. It's a win-win. Can't wait to hear what you think!

Share your feedback and get a free Packt eBook!

---

⭐ MasterClass: Tutorials & Guides

⭐How to deploy Mistral 7B Instruct on your Kubernetes cluster using TGI:

1. Add Helm Repository: Use `helm repo add substratusai https://substratusai.github.io/helm` to add the Helm repository.

2. Create Configuration File: Make a `values.yaml` file with deployment settings.

3. Deployment: Deploy Mistral 7B Instruct with `helm install`.

4. Check Pod Status: Verify the pod status with `kubectl describe pod`.

5. Check Logs: Ensure the model initializes correctly with `kubectl logs`.

6. Port Forwarding: Expose the model to your local machine with `kubectl port-forward`.

7. Access the Model: Explore the API endpoints in the TGI API documentation.

8. Run Inference: Use tools like `curl` to send JSON requests for content generation based on specific instructions.

⭐How to run 15,000+ tasks in a single Amazon ECS cluster:

1. Prepare your environment with sufficient private IPv4 addresses.

2. Configure AWS Fargate vCPU-based quotas to meet your scaling needs.

3. Amazon ECS services using AWS Cloud Map-based service discovery have a hard limit of 1,000 tasks.

4. An Amazon ECS cluster can run up to 5,000 services, with each service handling up to 5,000 tasks.

5. Consider AWS Application Load Balancer (ALB) quotas when scaling services associated with ALBs.

6. If your workload exceeds hard limits, consider a cell-based architecture.

7. These concepts mainly apply to AWS Fargate but have similar considerations for Amazon ECS with Amazon EC2.

⭐How to build a workflow orchestrator for Kubernetes:

Workflow Orchestration in Kubernetes:

1. The author created Flowmium, a workflow orchestrator for Kubernetes.

2. It's designed to manage and chain multiple tasks or jobs in a sequential manner.

3. These tasks can be interdependent, where one task relies on the output of another.

4. This is particularly valuable for creating data processing pipelines and multi-step computations.

Components:

1. Planner: Responsible for analyzing the flow, detecting dependencies, and planning task deployments.

2. Task: Each task gets converted into a Kubernetes Job manifest and is responsible for handling input, running a specific command, and producing output.

3. Scheduler: Manages flow status, tracks task progress, and schedules task deployments.

4. Executor: Ties everything together, handling requests, deploying tasks, and monitoring their status.

Framework for Python:

1. The author created a Python framework for defining tasks as simple functions with dependencies

2. Users define tasks as functions and their dependencies using decorators.

⭐How to manage multiple Kubernetes clusters:

1. SIG-Multicluster, a part of Kubernetes, deals with managing multiple Kubernetes clusters and the applications they host.

2. It aims to enable seamless communication between workloads in different clusters, share cluster metadata, and break down cluster boundaries.

3. Running multiple clusters is essential for reasons like optimizing location, achieving isolation for security and cost management, and enhancing reliability.

4. SIG-Multicluster focuses on defining three main APIs: About, Multicluster Services, and Work.

5. These APIs help identify clusters, share services across clusters, and deploy workloads across clusters.

⭐How to make the EKS cluster safe from attacks without affecting its regular use:

1. Use a dedicated VPC for each cluster to isolate workloads, reduce risks, and ensure address execution safety.

2. Implement VPC endpoints for secure and fast access to AWS services.

3. Secure the EKS API by choosing public, private, or both access options.

4. Use OIDC for workloads to access AWS services without access and secret keys.

5. Encrypt ETCD data, especially Kubernetes secrets, with a KMS key.

6. Collect and monitor logs, especially API server and audit logs, but be mindful of the cost.

7. Consider using Bottlerocket for efficient container workload hosting.

---

🔍Secret Knowledge: Learning Resources

🔍How to manage Kubernetes resources in Terraform: Kubernetes provider

Advantages of Terraform for Kubernetes:

1. Terraform simplifies managing Kubernetes resources.

2. It allows changes to infrastructure and application deployments in one commit.

3. Offers a quicker disaster recovery option using Terraform CLI.

Terraform Kubernetes Providers:

1. Kubernetes

2. Helm

Managing Kubernetes Deployment:

1. The blog provides an example of managing a Kubernetes Deployment using Terraform's Kubernetes provider.

2. It shows how to define a deployment using HCL, similar to Kubernetes YAML.

Installing Istio:

1. For complex installations like Istio, the blog suggests using tools like `tfk8s` to automate the YAML-to-HCL conversion.

⭐Observing Java Applications Running Via Docker Compose Using OpenTelemetry:

1. Get the OpenTelemetry agent and any extensions you need.

2. Make a file (e.g., `docker-compose.override.otel.yml`) to extend your original Compose file. Specify the service you want to instrument and set environment variables.

3. Start your application using both the original and override files to include observability.

4. You can then visualize data using tools like Jaeger, Prometheus, and Grafana.

⭐Container image scanning with Trivy in AWS CDK:

1. Trivy is a security tool for vulnerability testing.

2. Advantages: This AWS CDK construct lets you scan container images in your CDK deployment, avoiding unnecessary builds, and can stop the deployment if vulnerabilities are found.

3. How to Use: Install the construct and use the `ImageScannerWithTrivy` construct in your CDK code.

4. Options: You can specify various Trivy options for vulnerability scanning.

5. Stopping Image Push: The construct can prevent image pushes to Amazon Elastic Container Registry (ECR) if vulnerabilities are detected.

⭐What are Kubernetes Volume Snapshots:

1. A Kubernetes Volume Snapshot is like taking a picture of the stuff in your storage.

2. Setting Up a Kubernetes Cluster: You need a Kubernetes cluster with a CSI driver supporting snapshots. Digital Ocean clusters are a cost-effective choice.

3. Deploying a Stateful Workload: Demonstrated using a StatefulSet for deploying a MariaDB database with storage and root password.

4. Creating Test Data: Shows how to create data within the MariaDB.

5. Taking a Snapshot: Demonstrates creating a VolumeSnapshot to capture the database state.

6. Simulating Data Loss: Data loss is simulated by dropping the table in the database.

7. Restoring from a Snapshot: Explains how to restore data using a PersistentVolumeClaim referencing the snapshot.

8. Inspecting the Snapshot: Describes how to inspect the VolumeSnapshotContents to understand the relationship between snapshots and underlying storage.

⭐How to use Vector Databases(Pinecone, Chrome, Weviate) in Python:

Vector Databases are databases optimized for storing and searching high-dimensional vectors, which are often used in applications like search engines and recommendation systems. The article focuses on how to work with vector databases in Python in 2023. They list several libraries and databases, including Chroma, ClickHouse, MyScale, OpenSearch, pgVector, Pinecone, Qdrant, Redis, Vespa, Weaviate, and more.

⚡ TechWave: Cloud News & Analysis

⚡Amazon RDS and Aurora SSL/TLS Certificates are expiring. Update them now.

1. Amazon RDS and Aurora databases are updating their SSL/TLS certificates, and you need to rotate them before the old ones expire in 2024.

2. New Certificates: New certificates are valid for 40 or 100 years, so you won't have to rotate them again for a long time.

3. Identify Impacted Resources: Find the DB instances that need the update.

4. Update Applications: Before applying new certificates to DB instances, update your application's trust store and SSL/TLS certificates.

5. Test in Non-Production: Test certificate rotation in a non-production environment with the same setup as production.

6. Apply in Production: Schedule or apply certificate rotation in production. Modern engines may not require a restart.

⚡Okta got hacked. Again.

1. On October 2nd, 2023, an Okta support agent asked a BeyondTrust administrator for help with a technical problem. The agent requested the admin to create a HAR file, which contains sensitive information like an API request and a session cookie.

2. This file was necessary to understand and fix the issue. The admin followed the request, made the HAR file, and uploaded it to the Okta support portal.

3. Just 30 minutes later, a hacker used the hidden session cookie in the HAR file to launch an attack on BeyondTrust. Luckily, BeyondTrust detected the attack and thwarted it.

4. After investigating, BeyondTrust discovered that the hacker had used Okta to target them. They promptly informed Okta on October 2nd. However, Okta didn't respond for two weeks.

5. Then, on October 18th, hackers used the same method to attack another Okta customer, Cloudflare. Cloudflare quickly informed Okta about the breach.

6. Finally, on October 20th, Okta admitted they had been hacked, and 170 customers were affected.

⚡Introducing GKE Stateful High Availability (HA) Controller:

1. Stateful applications, like databases and message queues, need to balance cost and availability.

2. You can either run a single replica in one location to save money but risk downtime, or you can run multiple replicas for high availability but at a higher cost.

3. With Stateful HA Operator, you get a middle ground.

4. It uses a new technology called regional persistent disk (RePD) that synchronously replicates data between two locations in a region.

5. This means you can have the availability of multiple replicas without the high cost of running additional compute.

6. If there's a failure, your application can quickly failover to another location.

---

🌐From the Cloud World:

🌐New AWS Cloud Technology Consultant Professional Certificate now available on Coursera:

Coursera now offers the AWS Cloud Technology Consultant Professional Certificate, a program to train individuals for cloud consulting careers. Cloud Consultants advise on cloud app design, development, and infrastructure, and this field is in high demand. The first four courses provide an introduction to cloud technology and AWS services, enabling learners to build a strong foundation. Upon completing all nine courses, you receive a Professional Certificate.

🌐Google Cloud has introduced intellectual property indemnity for generative AI products:

They offer two levels of protection. The first indemnity covers the use of training data to create generative AI models and assures customers that Google will stand behind their services. The second indemnity covers the generated output, providing protection against third-party intellectual property claims related to the generated content. These indemnities aim to give customers confidence and assurance in using generative AI products without worrying about legal risks. This protection applies as long as customers follow responsible AI practices.

🌐Kubernetes introduces ingress2gateway:

1. Ingress, a Kubernetes API, is commonly used for managing external access to services. However, it has limitations such as inadequate support for modern proxy features, a flawed permission model, and a focus mainly on HTTP routing.

2. Gateway API, designed to address these limitations, offers flexibility, expressiveness, and extensibility. It follows a role-oriented approach, enhancing portability and supporting various features like header-based matching, traffic splitting, and request mirroring.

3. To simplify migration from Ingress to Gateway API, Kubernetes has released "ingress2gateway." This tool converts existing Ingress resources into Gateway API resources, making the transition process smoother.

🌐Netlify launches Composable Jamstack Framework for Web Apps:

1. Netlify, a web development platform, has launched a new tool that makes it easier to create web applications.

2. The tool allows developers to build web apps in a flexible way, connecting the front-end to different backend services.

3. It's designed to simplify the process of combining content, data sources, code, and infrastructure, giving developers more flexibility.

4. This tool helps developers move away from old, rigid web app structures and create applications more quickly by automating some of the complex processes that slow down development.

🌐Serve open-source LLMs on Google Cloud:

Google Cloud has improved its serving solution for large language models (LLMs) in Vertex AI Model Garden. This solution is based on open-source vLLM libraries and offers optimized transformer implementation, continuous batching, and tensor parallelism. Benchmark results show that this solution provides up to 19 times higher throughput compared to other libraries, enabling users to serve more requests at a lower cost. Google Cloud provides a Colab notebook example for deploying open-source foundation models on Vertex AI, making it easier to take advantage of this efficient LLM-serving solution.

---

🛠️HackHub: Best Tools for Cloud

🛠️cezarguimaraes/pkgsite: A Helm chart to deploy a fully-featured private pkg.go.dev instance.

🛠️nuclio/nuclio: High-Performance Serverless event and data processing platform

🛠️solo-io/squash: The debugger for microservices

🛠️datreeio/datree: E2E policy enforcement solution to run automatic checks for rule violations

🛠️project-zot/zot: A production-ready vendor-neutral OCI-native container image registry