this post was submitted on 22 Sep 2025
19 points (100.0% liked)

Sysadmin

A community dedicated to the profession of IT Systems Administration

So we just hired a contractor. We wanted a mid-level DevOps-like engineer who can handle cleanup tasks that we are far behind on. Grunt work, mostly, like cleaning up Terraform repos and adjusting configuration to comply with audits.

What we got instead is a highly pushy dude who really wants to push us to a specific stack architecture.

Right now we use a pretty old but standard setup of public lb to nginx, to app load-balancer to our app servers.

We want to move to Kubernetes, but there have been some roadblocks with the way this application is configured.

He's been trying to push us to move to a toolchain that uses Terragrunt and Terraform to deploy Kubernetes and Argo CD.

We finally agreed to let him do what he wanted, and the very first thing he asked for is a separate AWS account, and the ability to register two top-level domains through Route 53.

Myself and management talked about it, and while we understand the requirement for the AWS account, and how it does complicate network infrastructure, we're a bit concerned about why he wants to register two new domains to work with.

I've been doing this for almost 10 years now, and I've read all of the documentation for these tools, and while I haven't used Argo CD and Terragrunt, I don't see any reason why they could not work with us to use one of our pre-existing domains.

top 9 comments
[–] slazer2au@lemmy.world 13 points 3 weeks ago

Have you asked him the reason for the 2 domains?

My initial thoughts would be a CDN and testing domains if you don't have those yet.

[–] theit8514@lemmy.world 7 points 3 weeks ago (3 children)

I do a lot of architecting for my company, and it's often easier to have direct access to DNS to make quick changes rather than wait one or more days for an engineer to go change records. If this is just going to be a test environment, perhaps you could delegate a subdomain of your current domain, e.g. add NS records for test.example.com that point to the NS of the contractor's hosted zone. This gives you control to tear it down (delete the NS records) but allows the contractor the ability to build the environment out.
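The subdomain delegation described in this comment, written out as Terraform (this is an added example, not code from the thread or from any of the tools named in it). It assumes two AWS provider aliases, a parent account that owns example.com and a contractor account reached through an assumed role; the account id, role name and domain names are placeholders. The only resource created in the parent account is the NS record, so the parent keeps the kill switch and the contractor never gets write access to the apex zone.

```hcl
# Added example (not from the thread): delegate test.example.com from the
# company's parent zone to a hosted zone the contractor owns in a separate
# AWS account. Account id, role name and domain names are assumptions.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

# Parent account: owns example.com and stays in control of the delegation.
provider "aws" {
  alias  = "parent"
  region = "us-east-1"
}

# Contractor account: reached via an assumed role; only ever touches its
# own hosted zone, never the parent zone.
provider "aws" {
  alias  = "contractor"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/TerraformDeploy" # placeholder
  }
}

variable "parent_domain" {
  default = "example.com" # placeholder
}

variable "delegated_subdomain" {
  default = "test.example.com" # placeholder
}

data "aws_route53_zone" "parent" {
  provider     = aws.parent
  name         = var.parent_domain
  private_zone = false
}

# The contractor's zone lives in the contractor's account.
resource "aws_route53_zone" "delegated" {
  provider = aws.contractor
  name     = var.delegated_subdomain
  comment  = "Delegated to contractor PoC; parent NS record is the kill switch"
}

# The single change made in the parent zone: an NS record handing the
# subdomain to the contractor's zone. Destroying this one resource revokes
# the delegation; the short TTL keeps the revocation fast.
resource "aws_route53_record" "delegation" {
  provider = aws.parent
  zone_id  = data.aws_route53_zone.parent.zone_id
  name     = var.delegated_subdomain
  type     = "NS"
  ttl      = 300
  records  = aws_route53_zone.delegated.name_servers
}

output "delegated_name_servers" {
  value = aws_route53_zone.delegated.name_servers
}
```

After `terraform apply`, `dig NS test.example.com` from outside should return the four Route 53 name servers of the contractor's zone, and `dig +trace test.example.com` should show the hand-off at the parent. Two caveats worth checking before handing over: if the parent zone is DNSSEC-signed, the delegation also needs a DS record in the parent (not shown), and records in the delegated zone are still served under your brand, so TLS certificates and any cookie or CORS policy scoped to the parent domain should be reviewed with the subdomain in mind.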

[–] dastanktal@lemmy.ml 3 points 3 weeks ago

Apparently subdomains are inadequate, but after talking with some other people and seeing what you guys have to say, I can understand these requirements. He also created a network map, so we are able to better understand it.

[–] procesd@lemmy.world 1 points 3 weeks ago

In k8s, being able to use things like External DNS and automatically and declaratively manage DNS entries with code saves so much time you won't want to go back once you get used to it.

It takes a while to get your head sorted around it and also to deploy, but automagically having your DNS entries, your certificates, etc. sorted feels great.

You hired this guy to do new things, let him do them (as a PoC)
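What a scoped ExternalDNS deployment looks like when it is confined to a delegated subdomain. This is an added example in Terraform, not code from the thread, from ExternalDNS or from its Helm chart; the hosted zone id, account id, IAM role name, chart version and the exact chart value names are assumptions to verify against the chart version you pin. It assumes an EKS cluster with IRSA already set up so that the `external-dns` service account can assume the named role. The point is that permission to change records is limited at two layers: the IAM policy only allows writes to the one delegated hosted zone, and the controller's own domain filter ignores anything outside it.

```hcl
# Added example (not from the thread): ExternalDNS in the contractor's
# cluster, allowed to write records only in the delegated hosted zone.
# Zone id, account id, role name, chart version and IRSA wiring are assumptions.

terraform {
  required_providers {
    aws  = { source = "hashicorp/aws", version = ">= 5.0" }
    helm = { source = "hashicorp/helm", version = ">= 2.0" }
  }
}

variable "delegated_zone_id" {
  description = "Hosted zone id of the delegated subdomain (placeholder)"
  default     = "Z0000000000000000000"
}

variable "delegated_domain" {
  default = "test.example.com" # placeholder
}

variable "external_dns_role_arn" {
  default = "arn:aws:iam::111111111111:role/external-dns-irsa" # placeholder
}

# Least privilege: record writes are limited to the single delegated zone.
# The List* calls need "*" because Route 53 does not scope them per zone.
data "aws_iam_policy_document" "external_dns" {
  statement {
    actions   = ["route53:ChangeResourceRecordSets"]
    resources = ["arn:aws:route53:::hostedzone/${var.delegated_zone_id}"]
  }
  statement {
    actions = [
      "route53:ListHostedZones",
      "route53:ListResourceRecordSets",
      "route53:ListTagsForResource",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "external_dns" {
  name   = "external-dns-delegated-zone"
  policy = data.aws_iam_policy_document.external_dns.json
}

# Assumed to exist: an IAM role whose trust policy allows the
# external-dns service account (IRSA) to assume it.
resource "aws_iam_role_policy_attachment" "external_dns" {
  role       = "external-dns-irsa" # placeholder role name
  policy_arn = aws_iam_policy.external_dns.arn
}

resource "helm_release" "external_dns" {
  name             = "external-dns"
  namespace        = "external-dns"
  create_namespace = true
  repository       = "https://kubernetes-sigs.github.io/external-dns/"
  chart            = "external-dns"
  version          = "1.15.0" # assumption; pin to a version you have vetted

  values = [yamlencode({
    provider = { name = "aws" }
    sources  = ["ingress", "service"]
    # Second layer next to the IAM policy: the controller itself ignores
    # any hostname outside the delegated subdomain.
    domainFilters = [var.delegated_domain]
    # upsert-only never deletes records; use "sync" only once you trust
    # that every record in the zone is meant to be controller-managed.
    policy = "upsert-only"
    # TXT registry marks records as owned by this instance so two
    # ExternalDNS deployments cannot fight over the same names.
    txtOwnerId = "contractor-poc"
    serviceAccount = {
      annotations = {
        "eks.amazonaws.com/role-arn" = var.external_dns_role_arn
      }
    }
  })]
}
```

With this in place an Ingress whose host is `app.test.example.com` gets its record created automatically, while an Ingress claiming `www.example.com` is ignored by the domain filter and, even if the filter were removed, rejected by Route 53 because the role cannot write to the parent zone. The ExternalDNS pod logs and CloudTrail `ChangeResourceRecordSets` events are the two places to confirm that behaviour during the PoC.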

[–] pupbiru@aussie.zone 0 points 3 weeks ago

absolutely this

CSP is also a possibility, but really you’re talking about an internal attack on your own infrastructure: either by infra teams on your production or devs on your infrastructure (or an external malicious actor able to deploy code)… i think that’s just so unlikely that it’s not worthy of concern unless you’re something like a bank

[–] frongt@lemmy.zip 4 points 3 weeks ago

Sounds like he's already a poor fit, but if you wanted to know why the domains, you should probably ask him. I can't think of a reason.

The cynic in me suspects he might try to run some side job out of your infrastructure.

[–] vk6flab@lemmy.radio 3 points 3 weeks ago

Go with your gut.

[–] possiblylinux127@lemmy.zip 1 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

Get a different job

  • r/sysadmin Reddit, probably
[–] dastanktal@lemmy.ml 5 points 3 weeks ago

This ain't reddit, and everyone starts somewhere.