The completed project can be found here.

GitHub - varokas/spark-demo

Contribute to varokas/spark-demo development by creating an account on GitHub.

GitHubvarokas

1. PySpark
2. Jupyter Notebook connecting to Pyspark
3. Writing Iceberg Table Locally
4. Writing Iceberg Table to AWS (TBD)
5. Reading Parquet files from AWS (TBD)

PySpark

Install Java and Sparks via SDK Man.

$ curl -s "https://get.sdkman.io" | bash

$ sdk install java 17.0.13-zulu
$ sdk install spark 3.5.3

# Uses (sdk list java) OR (sdk list sparks) to see all available version

Install UV

# On macOS and Linux.
curl -LsSf https://astral.sh/uv/install.sh | sh

Jupyter Notebook

Using uv to setup the project and add libraries

$ uv init 
$ uv add pyspark jupyterlab

Then we can run bringup the notebook using this command

$ uv run jupyter lab

Minimally we can connect to by creating Sparksession using

from pyspark.sql import SparkSession

spark = SparkSession.builder \
      .master("local[*]") \
      .appName("spark-demo") \
      .config(map={
         ## Configuration goes here
      }) \
      .getOrCreate()

Starting spark this way would create a WebUI at 4040. we can inspect this address by evaluating

spark.sparkContext.uiWebUrl

Local Iceberg Table

For a short experimentation with Local Iceberg table, we can configure sparks to store metadata in a local file. The example below shows how we could setup a catalog named local , where the data files are stored at $PWD/warehouse

import os
cwd = os.getcwd()

spark = SparkSession.builder \
      .master("local[*]") \
      .appName("spark-demo") \
      .config(map={
          "spark.jars.packages": "org.apache.iceberg:iceberg-spark-runtime-3.5_2.12:1.7.0",          
          "spark.sql.extensions": "org.apache.iceberg.spark.extensions.IcebergSparkSessionExtensions",

          "spark.sql.catalog.local": "org.apache.iceberg.spark.SparkSessionCatalog",
          "spark.sql.catalog.local.type": "hive",
          "spark.sql.catalog.local": "org.apache.iceberg.spark.SparkCatalog",
          "spark.sql.catalog.local.type": "hadoop",
          "spark.sql.catalog.local.warehouse": f"{cwd}/warehouse",
      }) \
      .getOrCreate()

after setting up spark session, we can create and use the iceberg tables from pyspark.

Data will be written to designated directory

Installing

$ curl -LsSf https://astral.sh/uv/install.sh | sh

New Project

Uses uv init to initialize a project with pyproject.toml configuration file. Use uv add to add new dependencies.

$ uv init example-project
Initialized project `example-project` at `/Users/vpanusuwan/projects/example-project`

$ cd example-project

$ uv add pandas
Using Python 3.9.6 interpreter at: /usr/local/bin/python3

Creating virtualenv at: .venv

Resolved **7 packages** in 78ms

   **Built** example-project @ file:///Users/vpanusuwan/projects/example-project

Prepared **7 packages** in 724ms

Installed **7 packages** in 161ms

 + **example-project**==0.1.0 (from file:///Users/vpanusuwan/projects/example-project)

 + **numpy**==2.0.1

 + **pandas**==2.2.2

 + **python-dateutil**==2.9.0.post0

 + **pytz**==2024.1

 + **six**==1.16.0

 + **tzdata**==2024.1

Run Project

Using uv run is similar to poetry run, where the code is executed from within the project

uv run app.py

Visual studio Code Integration

VSCode should automatically picks up the environment in .venv . If not, uses the environment selector on the bottom right corner to do so.

Following the instruction here Tensorflow Plugin - Metal - Apple Developer

Python (Miniforge)

First, we need to install miniforge. Easiest way to do that is to use pyenv. The tool allow us to install multiple version of pythons. More importantly, we can specify a version of python needed for each folder. Much more convinient than keep switching global versions

pyenv install miniforge3

mkdir demo-tensorflow-metal
pyenv local miniforge3

Install Tensorflow and it dependencies

conda install -c apple tensorflow-deps

python -m pip install tensorflow-macos
python -m pip install tensorflow-metal

Install and Run Jupyter

conda install jupyterlab

jupyter lab

Try MNIST demo

Simply follow along with Keras MNIST Demo

If everything is set up correctly, we should see that Metal Device is set to M1

Quite impressive performance from a fanless Macbook Air !

demo-tensorflow-metal/mnist.ipynb at main · varokas/demo-tensorflow-metal

Contribute to varokas/demo-tensorflow-metal development by creating an account on GitHub.

GitHubvarokas

References

• Tensorflow Plugin - Metal - Apple Developer
• Simple MNIST convnet

I'll keep this page updated as things improves. I'll note the PR waiting on the fix if applicable

Brew

(Brew Mostly works now)

Java

Many things in this category.

SDKMan – The gateway to Java installation. To install the Azul native M1 JDK, change the flag sdkman_rosetta2_compatbile=true in .sdkman/etc/config. The JDK will then Shows up

IntelliJ - Just Works!

Gradle - Works, but the output fallback to legacy mode. Fixed in 7.0 nightly

Java Packages with Native Extensions - E.g. Netty using NIO. They provides an Arm binary, but you'd need to grab the latest versions

Python

PyEnv - Works. Preferred way to install Python anyway. Python 3.9.1, which is the official version supporting Apple Silicon compiles and works. 3.8.6 does not work though.

Data Science Libs - NumPy, a foundation package of anything data science, would not install via Pip. A fix is in the unreleased Numpy 1.20. The workaround is to install MiniForce (Miniconda) which provides a precompiled version of the libs. Then we can use conda install numpy for now.

pyenv install miniforge3-4.9

conda install pandas

Docker

(Mostly works now)

Keep in mind that while most popular projects provides an arm64  images, many doesn't. Docker will run the x64 images under qemu emulation and is much much slower. If you have a precompiled images you use and share with your team. You may need to build another one

It is possible to use buildx to cross build arm64 docker image from Intel machines. This is very useful for CI. I may do a separate blog for this.

Terraform

(Mostly works now)

Misc Things that Just Works

These can be install normally via brew

• XCode – Works very very well. Faster than any Macs you've run it on.
• Fish Shell
• GoLang – v1.16 beta for now
• iTerm2
• Visual Studio Code
• 1Password
• NodeJS - Works

Things to Try / Don't work yet

• Haskell - https://gitlab.haskell.org/ghc/ghc/-/issues/18664

New for AWS Lambda – Container Image Support | Amazon Web Services

With AWS Lambda, you upload your code and run it without thinking about servers. Many customers enjoy the way this works, but if you’ve invested in container tooling for your development workflows, it’s not easy to use the same approach to build applications using Lambda. To help you with that, you …

Amazon Web ServicesDanilo Poccia

To me, three most compelling reasons are:

Simplified Dependencies Management. No longer needed to pack dependencies in zip file. This was especially annoying for Java and Python.

Better Local Testing . Since this is docker based. The code we run on our machine is exactly the same running in AWS. Say – If a role and permission is misconfigured, the function blows up locally rather than later in prod.  

Greater Size Limit. Instead of 50MB zip file limit, Lambda allows for up to 10GB container image size. This is great news for Data Scientist around the world deploying their 500MB+ models.

Steps

1. Create a docker image that can be run on lambda
2. Upload to Amazon ECR
3. Create Function

The follow steps shows detail for Python.

Find a base image

We could use any correctly created custom images. It is far easier to based off  Amazon provided images. We will end up with images that behaves very close to how AWS runs in production today when deploying zip file. (CloudWatch Logging and metrics exported and all).

Deploy Python Lambda functions with container images - AWS Lambda

Deploy your Python Lambda function code as a container image using an AWS provided base image or the runtime interface client.

AWS Lambda

Create a custom image

First, Create the app code (app.py). This should looks exactly like a normal lambda function. We'd need a handler function which accepts an event and lambda context, returning function result.

def handler(event, context):
    return {"hello":"world"}

Copy the function into our docker image. Run the function with <file_name>.<function_name> in CMD.

FROM public.ecr.aws/lambda/python:3.8

COPY app.py ./
CMD ["app.handler"]      

Build our image

$ docker build . -t lambda-docker-python

Running and Testing

These steps should be very familiar to anybody who has been using docker.

docker run -p 9000:8080 lambda-docker-python:latest

Now we could invoke our functions using curl. Per Lambda Runtime Interface Client library doc, the correct route to the deployed handler is /2015-03-31/functions/function/invocations . (Not sure why they impose this convention though – but you'll get 404 otherwise).

This means we could invoke our function by this curl

$ curl -XPOST "http://localhost:9000/2015-03-31/functions/function/invocations" -d '{}'
{"hello": "world"}

### If we look at docker run logs, we'd see a very familiar lambda logging -- this is great!
..
START RequestId: 826b34b9-498e-4468-9e4c-ffa7db08b050 Version: $LATEST
END RequestId: 826b34b9-498e-4468-9e4c-ffa7db08b050
REPORT RequestId: 826b34b9-498e-4468-9e4c-ffa7db08b050	Init Duration: 0.43 ms	Duration: 165.74 ms	Billed Duration: 200 ms	...
..

Adding Dependencies

In my opinion, this is the most compelling reason to use Docker image based lambda. We do not need to do dependencies packing gymnastics to make it work. We just define and download it like we would in local machine/our docker.

For python, that means creates a requirements.txt and invoke a pip install on the file.

requests==2.25.1

FROM public.ecr.aws/lambda/python:3.8

COPY requirements.txt ./
RUN pip install -r requirements.txt

COPY app.py ./
CMD ["app.handler"]

import requests

def handler(event, context):
  r = requests.get("https://api.covidtracking.com/v1/us/daily.json")
  j = r.json()

  return [ {"states": r["states"], "positive": r["positive"]} for r in j]

Create ECR Repository

Follow the manual steps or uses CDK. Optionally we may want to keep only last 10 images instead of indefinitely keeps all versions.

ecr_repo2 = ecr.Repository(self, "lambda-docker-python", repository_name="lambda-docker-python")
ecr_repo2.add_lifecycle_rule(max_image_count=10)

Note the created repository id, which would be in form of <account>.dkr.ecr.<region>.amazonaws.com/<repo_name>. We need it to login and upload

Upload Image to ECR

First, Logging into ECR requires AWS CLI to obtain password. We can then pipe into docker login. Per instruction here. Replace 820792572713 with your aws account number.

$ aws ecr get-login-password | docker login --username AWS --password-stdin 820792572713.dkr.ecr.us-west-2.amazonaws.com
Login Succeeded

Then we can tag and upload the image.

$ docker tag lambda-docker-python:latest 820792572713.dkr.ecr.us-west-2.amazonaws.com/lambda-docker-python:latest

$ docker push 820792572713.dkr.ecr.us-west-2.amazonaws.com/lambda-docker-python:latest

Create Function

Either create it manually (the UI is very easy to figure out).

Or hacker-style 😎 in CLI. Creating via CLI requires a lambda role to be created beforehand (which I recommends anyway).

aws lambda create-function \
    --role arn:aws:iam::820792572713:role/fn_lambda_role \
    --function-name lambda-docker-python \
    --package-type Image \
    --code ImageUri=820792572713.dkr.ecr.us-west-2.amazonaws.com/lambda-docker-python:latest

Invoke Function

Enough set up, let's invoke our function in prod.

$ aws lambda invoke --function-name "lambda-docker-python" /dev/stdout

That's it!

Updating Function

Later on if we have any changes to our function we'd want to

1. Rebuild docker image
2. Re upload docker image
3. Update Function

aws lambda update-function-code \
    --function-name lambda-docker-python \
    --image-uri 820792572713.dkr.ecr.us-west-2.amazonaws.com/lambda-docker-python:latest

These are clearly can be automated. The script itself is left as exercise for the readers 😊 .

Find a very minimal sample code in github link below.

varokas/lambda-docker-python

Contribute to varokas/lambda-docker-python development by creating an account on GitHub.

GitHubvarokas

Assuming we are familiar with SBT and have that installed

$ sbt new scala/scala-seed.g8

A minimal Scala project.

name [Scala Seed Project]: Lambda Scala Seed

Template applied in /Users/vpanusuwan/projects/./lambda-scala-seed

Add Lambda Library

The libraries contains event classes which is a typed input for lambda. Check latest version at mvnrepository for java-core and java-events separately.

    libraryDependencies ++= Seq(
      "com.amazonaws" % "aws-lambda-java-core" % awsLambdaVersion,
      "com.amazonaws" % "aws-lambda-java-events" % awsLambdaEventsVersion,
      scalaTest % Test
    )

Create handler function

Create a class with method of any name in any package. The important thing is that the method accepts a lambda event

package example

import com.amazonaws.services.lambda.runtime.Context
import com.amazonaws.services.lambda.runtime.events.{APIGatewayV2HTTPEvent, APIGatewayV2HTTPResponse}

class Main  {
  def handler(apiGatewayEvent: APIGatewayV2HTTPEvent, context: Context): APIGatewayV2HTTPResponse = {
    println(s"body = ${apiGatewayEvent.getBody()}")
    return APIGatewayV2HTTPResponse.builder()
      .withStatusCode(200)
      .withBody("okay")
      .build()
  }
}

Configure Assembly Plugin

Next is to configure the assembly plugin to produce a single fat jar containing our code and all the dependencies together. See latest version of the plugin at https://github.com/sbt/sbt-assembly

In project/plugins.sbt

addSbtPlugin("com.eed3si9n" % "sbt-assembly" % "0.15.0")

In build.sbt, configure the fat jar merging strategies. At very minimum we should discard contents in META-INF. Also overrides a jar name.

assemblyJarName in assembly := "lambda-scala-seed.jar"

assemblyMergeStrategy in assembly := {
  case PathList("META-INF", xs @ _*) => MergeStrategy.discard
  case x => MergeStrategy.first
}

Package

sbt assembly

Then finds the packaged jar at target/scala-2.13/<jarname>

Create Function

Install aws cli tool https://aws.amazon.com/cli/. Uses following commands to deploy / update the function.

First, Lambda needs a role to execute, which should at least have the AWSLambdaBasicExecutionRole policy attached. The policy simply enables a write to CloudWatch logs. A cdk snipplet to create such role would be.

 lambda_basic_policy = iam.ManagedPolicy.from_aws_managed_policy_name("service-role/AWSLambdaBasicExecutionRole")
 
role = iam.Role(self, "fn_lambda_role", role_name="fn_lambda_role", assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"))
role.add_managed_policy(lambda_basic_policy)

Then we can deploy the jar to lambda

aws lambda create-function \
  --function-name lambda-scala-seed \
  --role "arn:aws:iam::<aws_account_no>:role/fn_lambda_role" \
  --zip fileb://target/scala-2.13/lambda-scala-seed.jar \
  --runtime java11 \
  --memory 256 \
  --handler "example.Main::handler"

Test Function

aws lambda invoke --function-name "lambda-scala-seed" /dev/stdout

Update Function

 aws lambda update-function-code \
 --function-name "lambda-scala-seed" \
 --zip fileb://target/scala-2.13/lambda-scala-seed.jar

References

• https://aws.amazon.com/blogs/compute/writing-aws-lambda-functions-in-scala/
• Events Example – https://github.com/awsdocs/aws-lambda-developer-guide/tree/main/sample-apps/java-events

Install

brew install node
npm install -g aws-cdk    

Initialize

cdk init app --language python

python3 -m venv .venv
source .venv/bin/activate
python -m pip install -r requirements.txt

pip install aws-cdk.aws-s3 # module to manage s3

Define

Edit {project_name}/{project_name}_stack.py

from aws_cdk import core
from aws_cdk import aws_s3 as s3


class FnInfraStack(core.Stack):

    def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        s3.bucket(self, "TestingBucketVarokas", versioned=True, )

Preview the cloud formation template with

cdk synth

Deploy

We can then immediately deploy the changes as CloudFormation stack

cdk --profile varokas deploy

Changes and Diffs

Any changes to the code can be diff-ed against currently deployed stack

Limitations

There isn't a way to import existing AWS resources to CDK yet

Support importing existing resources into a stack · Issue #84 · aws/aws-cdk-rfcs

Importing existing resources into a CloudFormation stack is now supported! 🎉 The CDK should provide a elegant way to support this. https://aws.amazon.com/blogs/aws/new-import-existing-resources-int...

GitHubaws

A workaround exist by creating a failed CloudFormation deployment and fix the template.

How to import existing AWS resources into CDK stack

If you are not creating your account from scratch at the same time when you’re starting to work with CDK, you might need to import existing resources to CDK stack to be able to manage them. This is…

MediumMaria Verbenko

References

Getting started with the AWS CDK - AWS Cloud Development Kit (AWS CDK)

This topic introduces you to important AWS CDK concepts and describes how to install and configure the AWS CDK.

AWS Cloud Development Kit (AWS CDK)

What do we mean by Sorted?

For a sorted list, every element is smaller or equals to the next one. From this very definition we can check if a list is sorted by

1. Checking that the first element is less than or equal to the next one
2. Recursively check that the rest is sorted

isSorted [] = True
isSorted [x] = True
isSorted (x0:x1:xs) = (x0 <= x1) && isSorted(x1:xs)

Recursive Sorting algorithms

These sorting algorithms divide the given list into 2 subproblems of roughly the same size. There are two prominent algorithms in this category.

• Merge sort - uses a linear time algorithm to combine the two sorted lists
• Quick sort - uses a linear time algorithm to partition values into left (less than) and right (more than) a pivot.

Merge Sort

Given 2 already sorted lists, compare only the first element from both lists. The smaller value got appended to the result. Repeat this process with that smaller value removed from consideration.

merge :: Ord a => [a] -> [a] -> [a]
merge [] [] = []
merge xs [] = xs
merge [] ys = ys
merge (x:xs) (y:ys) 
  | x <= y    = x : merge xs (y:ys)
  | otherwise = y : merge (x:xs) ys

The full merge sort algorithm simply halves a given unsorted list, recursive call to sort each half. Afterward, combining the two sorted halves with the merge algorithm defined above.

split :: [a] -> ([a], [a])
split [] = ([], [])
split xs = splitAt (length(xs) `div` 2) xs

mSort :: Ord a => [a] -> [a]
mSort [] = []
mSort [x] = [x]
mSort xs = merge (mSort left) (mSort right)
  where 
    (left, right) = split xs

Quicksort

Here is a classic intro in showing the expressive power of Haskell.

1. Uses the first value x as a pivot point. Loop and separate values into ≤ x group and >x group.
2. Recursively calls quick sort into the two groups
3. join the ≤ x, x, and >x group together

There's no guarantee that the two groups are partitioned into equal sizes. There exists a way to do quick sort in-place without additional memory, however.

qSort :: Ord a => [a] -> [a]
qSort [] = []
qSort (x:xs) = qSort(left) ++ [x] ++ qSort(right)
  where
      left  = [y | y <- xs, y <= x]
      right = [y | y <- xs, y >  x]

Quadratic time sorting algorithms

Also known as O(n^2). These algorithms have a similar outline where the problem size is reduced by 1 per iteration of execution. Each iteration itself takes a linear time, making this O (n^2) in total.

Selection Sort

Finds a min value from a list, adds to answer, repeats on the remaining list excluding the selected min value.

sSort :: Ord a => [a] -> [a]
sSort [] = []
sSort xs = min : sSort(remaining)
  where min = minimum xs
        remaining = delete min xs

Insertion Sort

Maintain a sorted list (the answer), starting from empty. Insert a new value one element at a time from original lists at the right index in the sorted answer.

orderedInsert :: Ord a => a -> [a] -> [a]
orderedInsert a [] = [a]
orderedInsert a (x:xs)
  | a < x     = a:x:xs
  | otherwise = x:(orderedInsert a xs)

iSort :: Ord a => [a] -> [a]
iSort [] = []
iSort (x:xs) = orderedInsert x (iSort xs)

Bubble Sort

Closely related to selection sort. Instead of selecting a max value, bubbles the value as we compare each element.

bSort :: Ord a => [a] -> [a]
bSort [] = []
bSort xs = bSort(init bubbled) ++ [last bubbled]
  where
    bubbled = bubble xs

bubble :: Ord a => [a] -> [a]
bubble [] = []
bubble [x] = [x]
bubble (x0:x1:xs)
  | x0 < x1   = x0 : bubble( x1:xs )
  | otherwise = x1 : bubble( x0:xs )

Using SOPS, we can check in the encrypted secrets (e.g. connection passwords) along with the code. The only thing out of sight is the encryption key wrapping these passwords.

The added value also is that SOPS understand structured file (JSON,YAML) and encrypt only values, leaving the keys intact to easily inspect.

Example – This file could be checked into github along with the code.

{
  "postgres_password": "ENC[AES256_GCM,data:PsyN..,type:str]",
  "aws_access_key": "ENC[AES256_GCM,data:PsyN..,type:str]",
}

mozilla/sops

Simple and flexible tool for managing secrets. Contribute to mozilla/sops development by creating an account on GitHub.

GitHubmozilla

Installation

MacOS

$ brew install sops

Windows

1. Go to the latest release page: https://github.com/mozilla/sops/releases/latest
2. Download sops-v3.5.0.exe (or whatever the latest version is)
3. Rename the file from sops-v3.5.0.exe to just sops.exe
4. Copy the file sops.exe to C:\Windows\System32.
5. Or – Alternately, put the file in any directory and set the Path environment variable accordingly

Encryption Key Configuration

The most important configuration for SOPS is what encryption key to use. In many case this is the only configuration needed.

Create a .sops.yaml at the root directory of the project with one of the configuration outlined below.

The key could be any PGP key. Alternately the key could also be provided by a Key Management Service (KMS) in AWS or Google Cloud. A good choice especially if the code eventually would be deployed to these cloud providers.

AWS KMS

A master key can be created in hardware security modules via AWS Key Management Service (KMS). We need arn of the key with a corresponding AWS Profile that has a permission to use the key.

$ aws --profile myprofile configure
AWS Access Key ID [None]: KEY_ID
AWS Secret Access Key [None]: SECRET_ACCESS_KEY

# Create .sops.yaml At project root
$ vi .sops.yaml
creation_rules:
  # If assuming roles for another account use "arn+role_arn".
  # See Advanced usage
  - kms: "arn:aws:kms:..."
    aws_profile: myprofile

The permission needed for key operations are:

"Action": [
  "kms:Encrypt",
  "kms:Decrypt",
  "kms:ReEncrypt*",
  "kms:GenerateDataKey*",
  "kms:DescribeKey"
],

For slightly more advanced use cases. We could also access master key from another account using AWS AssumeRole mechanism. This is particularly useful when we have one master key in production, but wanted to also access it from our staging AWS account. See https://github.com/mozilla/sops#assuming-roles-and-using-kms-in-various-aws-accounts

PGP (optionally via Keybase)

For personal use cases, using a PGP key probably suffice. If you are a keybase user, you already have a PGP key. We needed to do the followings

1. Install GPG
2. Export private keys from Keybase
3. Import the keys to local machine
4. (optional) Remove passphrase from the key
5. Create .sops.yaml at the project

$ brew install gpg ## or apt install gpg 
$ gpg --import private_key.asc

... (take note of the key ID: 0701C740FB8D24E9)
...
gpg: key 0701C740FB8D24E9: secret key imported
...
...

# This is important for the passphrase screen to show up in console
$ export GPG_TTY=$(tty)
$ gpg --edit-key 0701C740FB8D24E9
gpg> passwd
# 1. Type current passphrase
# 2. Type "" (Blank)
# 3. Type "" (Confirm Blank)

$ vi .sops.yaml
creation_rules:
  - pgp: 0701C740FB8D24E9

Generate new GPG Key (And export)

Sometimes we want to generate and managed the GPG key without keybase

$ gpg --full-generate-key

Kind of key : (1) RSA and RSA (default)
keysize: 3072
Key is valid for? : 0 (Do not expire)

Real name: <name>
Email: <email>
Comment: (blank)

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

Enter Passphrase 2 times (cannot be blank)

public and secret key created and signed.

pub   rsa3072 2020-11-26 [SC]
      3F73E4821B848420CDEAEAD585E2DE2374D6377A  ---> Note this value
uid                      test1 <test1@test2.com>
sub   rsa3072 2020-11-26 [E]

# Remove the passphrase if wanted
# This is important for the passphrase screen to show up in console
$ export GPG_TTY=$(tty)
$ gpg --edit-key 3F73E4821B848420CDEAEAD585E2DE2374D6377A
gpg> passwd
# 1. Type current passphrase
# 2. Type "" (Blank)
# 3. Type "" (Confirm Blank)

Encrypt / Decrypt files

Create

Create a new file via sops will launch an editor

$ sops secret.enc.json
{
  "example_key": "example_value",
}

The resulting json would retain the same keys, with values encrypted. An extra metadata is added as an extra key in JSON

$ cat secret.enc.json                                                                                            
{
	"example_key": "ENC[AES256_GCM,data:PsyNr6jRJLIPN3P0tA==,iv:Ne63tk8f6uD9GLiHQoyrS/BrK4WL2I6+9Ul8nO6PkDw=,tag:rF8Hm4gm0+xlA3BqKivY7w==,type:str]",
	"sops": {
		...
        ... (metadata here)
	}
}%

Edit

Editing an existing files would launch and editor and encrypt the file.

$ sops secret.enc.json

Encrypt / Decrypt Existing Files

$ sops -e secret.json > secret.sops.json

$ sops -d secret.sops.json > secret.sops

⚠️ Important - If the PGP key has passphrase, make sure this environment variables is set or you will run into problems

GPG_TTY=$(tty)

Cannot decrypt with GPG 2.2.5 and SOPS 3.0.0 · Issue #304 · mozilla/sops

It appears the utility is looking for a secret key in a file but my GPG installation (through macOS homebrew) uses the gpg-agent. I cannot decrypt files as demonstrated below. $ sops --version sops...

GitHubmozilla

Integration Recipes

Many tools provide a plugin to directly read and write encrypted SOPS file.

Terraform

Download the following provider plugin from github

carlpett/terraform-provider-sops

A Terraform provider for reading Mozilla sops files - carlpett/terraform-provider-sops

GitHubcarlpett

$ mkdir -p ~/.terraform.d/plugins
$ curl -L -o ~/.terraform.d/plugins/terraform-provider-sops_v0.5.0_darwin_amd64.zip \
"https://github.com/carlpett/terraform-provider-sops/releases/download/v0.5.0/terraform-provider-sops_v0.5.0_darwin_amd64.zip"

$ unzip ~/.terraform.d/plugins/terraform-provider-sops_v0.5.0_darwin_amd64.zip \
-d ~/.terraform.d/plugins

$ terraform init

Then we could define a data resource that automatically decrypt SOPS json.

provider "sops" {}

data "sops_file" "secrets" {
  source_file = "secrets.enc.json"
}

## Using
provider "aws" {
  region = "us-west-2"
  access_key = data.sops_file.secrets.data["aws_access_key"]
  secret_key = data.sops_file.secrets.data["aws_secret_key"]
}

Encrypted Private Keys

SOPs works with any unstrutured files as well. The data will get encoded into a data key in a resulting json automatically.

$ sops -e private_key > private_key.sops
$ cat private_key.sops
{
  "data": "ENC[AES256_GCM,data:bVr....."
  "sops:: { ... }
}
$ rm private_key

Using the keys, we could just pipe the decrypted result to ssh-add without writing to file first.

ssh-add - <<< $(sops -d private_key.sops)

Python Script

SOPS used to be written in python, but reimplemented in golang. The pip package exists but with many features missing. It is probably better to call it via subprocess.

import subprocess
b = subprocess.check_output(['sops', "-d", "private_key.sops"])

Kubernetes Secrets

Create a new yaml file, but indicates to SOPs that only data and stringData are keys to encrypt

$ sops --encrypted-regex '^(data|stringData)$' secrets-mysecret.yaml

apiVersion: v1
kind: Secret
metadata:
    name: mysecret
type: Opaque
stringData:
  mySecret: hello123

Apply by pipe the decrypted output to K8s

sops -d secrets-mysecret.yaml | kubectl -n workflow apply -f -

Ghost docker hub page is a great place to get started. I added to it to get what I needed. Namely a backup and TLS proxy.

The server

The example used here are based on Ubuntu 18.04. We also needed to install docker on the host. The steps are detailed in the excellent guide below.

How To Install and Use Docker on Ubuntu 18.04 | DigitalOcean

Docker is an application that simplifies the process of managing application processes in containers. In this tutorial, you’ll install and use Docker Community Edition (CE) on Ubuntu 18.04. You’ll install Docker itself, work with containers and images, and push an image to a Docker Repository.

DigitalOceanBrian Hogan

Make sure to open firewall on port 80 and 443. Port 80 won't be doing much, just a redirect to 443.

The services

The docker-compose.yml file below has 3 services

ghost – This is the ghost server itself. Runing on port 2368. Mounted the content directory (mainly images) to the host /var/lib/ghost/content.

db – The mariadb server that ghost server writes to. Change MYSQL_ROOT_PASSWORD to match what ghost server expects

caddy - Our TLS proxy from outside world to our ghost server. This is a much easier route compared to fiddling with nginx and certbot. Make sure to put Caddyfile in /home/ubuntu/caddy/config/Caddyfile to configure the domain name and reverse proxy port correct.

Backup Script

The script tar-up a mounted content directory and calls to MySQL to dump a database. Then it proceeds to upload the result file to S3.

The script assumes there's an aws-cli installed with a profile called backup set up. On Ubuntu this could be as simple as.

$ sudo apt-get install awscli
$ aws configure --profile backup

AWS Access Key ID [None]: <keyname>
AWS Secret Access Key [None]: <secret>
Default region name [None]: <region>
Default output format [None]: yaml

Then put this script in /home/ubuntu/daily_backup.sh

Compared to previous method

The site used to be created via Digital Ocean Marketplace. Although simple and very easy to get started, I was stuck at the (rather old) version. Ghost is still very much in active development. Updating ghost sometimes means update version of NodeJS which may not be as simple when your base OS gets older.