Cloud Native Diary #3
Great feedback for Cloud Native Spring in Action, Spring Boot 3, SLSA, SBOMs, multi-architecture Buildpacks, and platforms.
In Cloud Native Diary, I weekly share my journey working with application development, platform engineering, and cloud native technologies.
This week was fantastic! I got more great feedback from the readers of my book and upgraded the code samples to Spring Boot 3. I started working on a proposal to add SLSA support in kpack. And I joined inspiring conversations in the CNCF Platforms Working Group.
News about "Cloud Native Spring in Action"
This past week I got more great feedback about my book Cloud Native Spring in Action. I'm thrilled to hear that people are enjoying the book and find it useful.
All the examples in the book are based on Spring Boot 2.7 and are freely available on GitHub. If you're looking into Spring Boot 3.0, I have good news for you! I started maintaining a separate branch of my book repository where I'll do my best to keep the examples up-to-date with the latest Spring Boot 3.x release. In the next few days, you'll find a detailed description of what is different compared to the examples in my book. There are only a few minor changes, so you can still follow my book even if you use Spring Boot 3.
Next week, my book will finally be available in ePub and Kindle formats (printed and PDF are already available). Shortly after, it will also be included in the O'Reilly Learning Platform.
Dan Vega included my book in his latest newsletter and mentioned me about my content on Spring Security. I want to thank Dan for that and for all the great material he produces about Spring and Java, delivering great value to the community.
Laurentiu Spilca published the top three books he read in 2022 and put my book on top. I'm really happy about that! If you work with Java and Spring, I can't recommend enough Laurentiu's fantastic books: Spring Security in Action, Spring Start Here, and Troubleshooting Java.
This week Maciej Walkowiak launched Just, a "command-line toolkit for developing Spring Boot applications". You run
just run and it just works! Congratulations Maciej!
Buildpacks, SBOMs and SLSA
As a regular user of Cloud Native Buildpacks, I'm really excited about the work that DaShaun Carter has been doing to bring ARM64 and multi-architecture support to Paketo Buildpacks. My main workstation is a MacBook Pro with Apple Silicon, so being able to use Buildpacks seamlessly across architectures is a tremendous improvement!
pack build ghcr.io/thomasvitale/band-service --builder dashaun/builder:tiny
The Paketo project is gathering ideas for the 2023 roadmap. Please help us get ARM64 and multi-architecture support to the top of the list by voting on this GitHub discussion.
Last week, I talked about kpack, a Kubernetes-native implementation of Cloud Native Buildpacks. I suggested a feature to have kpack generate and sign a SLSA provenance attestation. I have now started working on an RFC to elaborate on this idea. If you're interested in helping with this proposal, feel free to contact me. I'll aim to design a solution to achieve SLSA level 3 with kpack.
I also suggested kpack to post-process the SBOMs produced by Buildpacks to include them in a standard in-toto attestation that can be signed, published, and used by vulnerability scanners out-of-the-box. It's being pointed out to me that it would make more sense to have this capability in Buildpacks itself, so I'll bring this up there for further discussion.
Platforms, GitOps, and APIs
This past week, I joined another meeting of the CNCF Platforms Working Group. We've been working on a whitepaper to define cloud native platforms, their capabilities, and the organizational structure to work with them. Soon, all the material will be published to GitHub. I'm looking forward to that! You can follow the work by joining the #wg-platforms channel in the CNCF Slack.
As always, it was a very inspiring meeting. Among other things, we discussed GitOps as one of the most used operational models in platform engineering. But it's not the only one. When the focus is on the developer experience and the end-user platform APIs, I see GitOps as an implementation detail. If you're interested in GitOps, I recommend checking the great work done by the CNCF GitOps Working Group.
Platform APIs are essential to provide the best possible experience to developers and, in general, to the platform users. During the week, Mauricio Salatino published a video showcasing how to build a FaaS platform on top of Kubernetes, focusing on the developer experience and designing good APIs. Crossplane, Knative, and vCluster are the primary tools used in the presentation. I recommend checking it out. It's an extended demo from his talk at KubeDay Japan 2022 (you can find the slides here).
This is probably the last issue of Cloud Native Diary in 2022. See you next year!
Cover picture from Pexels.