# general
s
Hi all, my first question to this community. 😁 We are building a platform and one of the "tasks" I need to do is to automate the creation of access to certain resources, like caching, databases, etc. Is there an already-built solution that can generate the access to diverse backend services as I just mentioned? Something where you give it admin credentials to different database servers and it then creates dbs, client users and passwords (or whatever other auth scheme is necessary) to generate the needed resource "partial" (as I call it). Or, how have you all solved this problem? Scott
My current plan is to use Temporal, where there will be a workflow to set up the environment and have workers assigned to take care of the different resource partials. I'm just hoping not to create a wheel already created. 😁
s
Depends on what your platform looks like. Cloud Foundry can do this natively.
Conceptually what you are looking for is "service broker" functionality.
s
Hi Scott. 🙂 Thanks for answering. Interesting. Service Brokering is definitely where I'm heading. And for sure. Cloud Foundry is very similar to what we are also building too, so we are reinventing a wheel. LOL! But, ours is more opinionated. Reading docs and searching some, I ran into Korifi too. I guess I forgot to mention we're using k8s. 🙂 And, googling for "k8s service broker", I ran into Open Service Broker API. That looks real interesting. Digging deeper..... 😁
s
CF tends to the opinionated, k8s goes the other direction, very choose-your-own-adventure. In orgs that don't need the scale and flexibility of k8s, I tend to recommend either something like CF on the high end or glue scripts and solid CI/CD on the low end over building out a custom platform. Really depends on the number, size, and scaling needs of the workloads as well as the count of dev teams, frameworks, and architectures. Bob's Bait Shop does not need k8s, it barely needs GitLab.
Oh...and cloud native/12f/15f. If your workloads aren't at least within the ballpark of 12 factor, k8s is going to drive you insane.
s
Yeah, our endeavor will end up very large in scale (if it takes off). And, I love k8s. 🙂 We are just one step away from the pieces coming together, and that step is making the decision on how to orchestrate the "brokering". I was hoping there would be a finished solution we could piggy-back on, but searching some more, it doesn't look like it.
a
Do you have the IaC to create the pieces in place and you're just looking to glue them together? Or are you starting with the actual API calls/config of the infra before building the bigger business case item?
m
Internal Developer Playbooks could be used for this. When we built the playbooks for our IDP, this was one of the use cases we had in mind, e.g. on a database (or server) catalog item, have a playbook called "Request Access" (with RBAC on who can run/approve the playbook). The playbook then adds the necessary permissions either directly via SQL/API call or via a Git commit to an IaC repo. After an optional period it then removes the access it granted.
c
Hey Scott! You’re describing one of the use cases attached to a platform orchestrator. You could look at what the community is gathering as part of the platform tooling landscape. You’re having the people in here who can talk about the big orchestrators - @Abby Bangser can talk about Kratix and what the CNCF is doing, I can speak about Humanitec. If you would like a more opinionated reference architecture that flows along the platform tooling landscape, you could look here. The ref-archs are OSS and you can have one going in under an hour (they’re completely terraformed) to see if this is something for you. If you have IaC in place to create the stuff you want, I am happy to show you how to connect it. If you don’t, then you can use a resource pack to start experimenting quickly. If you have any questions or would just like to have a friendly chat about platforming in general, shoot me a DM, as I am always happy to get virtual coffee 🙂
a
That was what I was wondering Jay! Though I will say that some people are solving this wiring at different levels of abstractions which is why I was curious about where they sit. For example, if their Infra as Code isn’t written yet, Crossplane Compositions do a great job of wiring up permissions across things. And if they are starting at the user experience level then I would throw in tools like Radius that can then call out to orchestrators like Humanitec/Kratix but manages the shaping of the user experience on their end.
m
From the original question:
automate the creation of access to certain resources, like caching, databases, etc. Is there an already-built solution that can generate the access to diverse backend services
May I ask for whom this access is being granted? Is it for the team asking for it to be provisioned? Or is it also people outside that team? If the former, it sounds like a technical problem, but if it is the latter, I'll argue that it is a sociotechnical one! This is about establishing relationships between the team that owns the resource and the other people they provide it to. (I have more thoughts on this, but I'll wait to hear!)
r
Hi @scott molinari 👋, do you want to leverage your Kubernetes setup and turn it into an Internal Developer Platform?
s
Puh. Sorry, I was not here sooner to take all the questions and comments and I am really amazed at how many have jumped in with suggestions. Thank you all. Let me take a step back and explain what we have and more of what we would like to have. Currently we have the following abilities.
1. The creation of remote dev environments for developers. These environments are internal to a dev k8s cluster and the infra for each environment is created via Terraform. The environments are also templated, meaning a dev can select the environment template and can generate the workspace to work in. The plan is to have both partner (ISVs) and customer (tenant) developers.
2. We are still a couple steps away, but we have the pieces together for an opinionated CI/CD process.
3. All code is stored in Git and currently we are only supporting Github. But other Git repository managers like Gitlab will be supported too.
4. The cluster composition is finished (for now).
There are many, many more details as you can imagine. I hope this rough sketch is enough to answer most of the questions. The last piece to our puzzle is the missing "service broker". When a remote development workspace is first started, a process to create the necessary backend resources (database, cache, workflow service, NATS stream, get credentials "stored", etc.) needs to happen. We were basically heading towards writing the API for such a "service broker", and I thought I might ask to see if there might be something already done to either use outright or get ideas from. 😁 I'm thinking some of our resource brokering needs are a bit niche (maybe?). Not sure. Here are the "tools" and "service apps" we have in place.
Rancher (with Fleet)
Longhorn
Cert Manager
Ambassador Emissary Ingress
ArgoCD with Kargo (experimenting with Kargo)
Argo Events and Workflows (we are moving over to Temporal for the workflow and will drop Argo Events and Workflows)
Temporal
Dagger
Sealed Secrets
Databases (Elasticsearch w. Kibana, Postgres, MongoDB, Redis)
Keycloak
Prometheus
Memphis (NATS)
Mailu Mail Server
Coder (for remote dev workspaces)
Scott
a
As Jay said, that sounds a lot like platform orchestration. As in... you have a user need (dev environment) and a lot of stuff they don't care about but do depend on (database/cache/etc). You want the app dev to be able to request their template (what they care about) and you want your infra/ops experts to manage the requirements behind the scenes (e.g. different behaviour for ISV and internal, or different for types of apps). The service broker term is a good one, I just see it as a piece to your puzzle. As in, secrets management across created tools is necessary but not sufficient in most of these cases. A few things come to mind that you may want to consider when evaluating tools (such as Jay suggested: Humanitec, Kratix.io, home grown etc)...
How can the templates and "backend systems" be updated and managed without requiring user intervention? This includes critical security updates, general version upgrades and feature rollouts.
How flexible are you to changing requirements? Change is the only constant, so is your solution both composable and extensible, but also decomposable so when a component needs to be removed it does all fall apart.
And how easy is it to build in business processes? Things like cost management around shutting these down over time, or approvals for external use cases, or audit logging and alerting. These are key parts to successful services and your solution should treat them as a first class concern, not a bolt-on solution.
This is a very emerging space, and you'll have to decide if available tools are mature enough for your needs. Jay mentioned a bunch of the tools in the space, and if you start from first principles you'll end up with the right solution for you.
m
I’ll hop in to mention, following up on Abby’s questions around tracking everything that’s going on, that’s usually where we see a developer portal come in to help. A portal can be that UI frontend that your customers (internal users, developers, etc) interact with to request, provision, de-provision and keep track of the various resources they require. This also makes it easier for you to make changes in the background without hurting the user experience (both when we’re talking about changing the actual logic running in the background when someone asks for a new environment, or when you need to make some security update to an already existing environment). I suggest taking a look at Port (disclaimer: I lead the DevOps at Port) to see the level of visibility and developer experience that a portal can provide for your use case (you can also check out our demo here).