After weeks of planning and a lot of GIFs in the #hackaton channel, we kicked off the first Fullstaq Hackathon on Saturday morning. In the weeks prior we had already made an extensive list of topics we wanted to hack on during the weekend.
The list included a GitLab-powered CI/CD pipeline as an improvement for our company website, a hacking workshop from one of our engineers, a GitLab operator for Kubernetes, an introduction to Pulumi and a redesign of the internal Terraform stack.
Nine people showed up at our Oosterhout office for the kickoff at 10 am. After Gerrit's introduction, teams were formed and we started on the first projects.
One of the items on the list for the first Fullstaqathon was a hacking workshop given by our colleague Wiard van Rij. After a brief introduction to ethical hacking and HackerOne (where companies post bug bounties for finding vulnerabilities), we read the Responsible Disclosure policy of the Dutch national government and decided they would be our target for the workshop. The policy spells out what kind of testing is permitted, so reading it first is what keeps an exercise like this in scope.
Among a couple of other tools, we mostly focused on Amass and Aquatone. Amass enumerated the target's subdomains and DNS records, and Aquatone then visited the discovered hosts over HTTP, collecting screenshots and response headers so we could quickly triage the exposed endpoints.
Apart from these tools, we also drew on our own expertise and a few other techniques to check the security of the target.
We found several things, which we reported to the NCSC (Nationaal Cyber Security Centrum). We got an automated reply stating that they strive to pick up a report within three working days. More information about our findings will appear in a follow-up blog post, as we are not allowed to share the details until the NCSC grants permission to do so.
We had already done the work of rebuilding the site in Hugo instead of WordPress ahead of the weekend (you can read more on that here). Now we just needed to get it live. And not just for the weekend: this would be the foundation of our web presence for the foreseeable future. So that means fully automated, able to handle any load, and easy to use and adapt!
Since Hugo generates static content, this is actually very easy. We made heavy use of GitLab review apps: every branch is built and pushed to its own Google Cloud Storage bucket, fronted by a load balancer that routes traffic for a specific (review) branch to that branch's bucket.
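As an added example (not Fullstaq's own pipeline), here is a minimal `.gitlab-ci.yml` for that setup: one review app per branch, each with its own bucket, plus the manual job that tears the bucket down again. Assumed names: the project CI variables `GCS_SA_KEY` (a File-type variable holding a service-account key limited to Storage permissions on the review buckets) and `GCP_PROJECT`, the `review-` bucket prefix, and the `review.example.com` domain. The load balancer that maps a branch hostname to its bucket is provisioned outside the pipeline.

```yaml
# Added example, not the project's own pipeline. Assumed: GCS_SA_KEY (File-type
# CI variable with a service-account key), GCP_PROJECT, the "review-" bucket
# prefix and the review.example.com domain.
stages: [build, deploy]

build:
  stage: build
  image: registry.gitlab.com/pages/hugo
  script:
    - hugo --minify
  artifacts:
    paths: [public]

deploy_review:
  stage: deploy
  image: google/cloud-sdk:alpine
  variables:
    BUCKET: review-$CI_COMMIT_REF_SLUG   # slug is DNS/bucket-name safe
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_COMMIT_REF_SLUG.review.example.com
    on_stop: stop_review
  script:
    - gcloud auth activate-service-account --key-file="$GCS_SA_KEY"
    - gsutil mb -p "$GCP_PROJECT" "gs://$BUCKET" || true   # already exists on re-deploy
    - gsutil web set -m index.html -e 404.html "gs://$BUCKET"
    - gsutil iam ch allUsers:objectViewer "gs://$BUCKET"   # public read, static site only
    - gsutil -m rsync -r -d public "gs://$BUCKET"           # -d removes stale objects
  except:
    - master

stop_review:
  stage: deploy
  image: google/cloud-sdk:alpine
  variables:
    GIT_STRATEGY: none
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    action: stop
  when: manual
  script:
    - gcloud auth activate-service-account --key-file="$GCS_SA_KEY"
    - gsutil -m rm -r "gs://review-$CI_COMMIT_REF_SLUG"   # objects and bucket
```

Two things to keep in mind with this pattern. The bucket is world-readable, which is the whole point for a static site, but it means nothing that is not meant for the public may ever end up in `public/`. And because any branch can run `deploy_review`, the service-account key should be a masked, protected-or-not variable with only Storage permissions, so that a malicious commit on a review branch cannot reach anything else in the project.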
To top things off, we push release notifications to our chat:
And even better: we hacked together a Cloud Function that catches the messages you send us on the contact page!
We only got around to discussing the GitLab operator after finishing a bunch of quick wins. When we did start on the project on Sunday we quickly realized that the scope was too large and needed more refinement before we could even begin. Nevertheless, we spent a large part of the afternoon reading up on operator patterns and specifically looking at kubebuilder. Rio Kierkels delivered an MVP controller capable of pinging a temporary GitLab instance for its status and version, and made sure the controller logs in JSON (why is this not the default?!). We bootstrapped the GitLab instance from the cloud-native Helm chart provided by GitLab, which still demands a solid understanding of all of GitLab's parameters.
Watch for later posts: we have plans for automated project/group management and CI setup through Kubernetes custom resources :-).
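As an added example (not the operator Rio built), here is what that status-and-version probe looks like as a plain Go function a kubebuilder reconciler could call. It checks GitLab's unauthenticated `/-/readiness` endpoint first and only then reads `/api/v4/version`, which requires a token sent as `PRIVATE-TOKEN`. Assumed: the base URL and token are passed in as arguments (in a real controller they would come from the custom resource and a Kubernetes Secret), and the fake server plus the version string `12.3.0` are constructed so the example runs offline.

```go
package main

// Added example, not the Fullstaq operator's code. Assumed: baseURL and token
// are plain arguments; newFakeGitLab is a constructed stand-in for a real
// instance so the program runs offline.

import (
	"context"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"time"
)

// GitLabVersion mirrors the JSON body of GET /api/v4/version.
type GitLabVersion struct {
	Version  string `json:"version"`
	Revision string `json:"revision"`
}

// Status is what the controller would copy into the custom resource's .status.
type Status struct {
	Ready    bool
	Version  string
	Revision string
}

// ProbeGitLab checks /-/readiness and, only when the instance is up, reads
// /api/v4/version with the token. The bounded timeout keeps a hung instance
// from stalling the reconcile loop; "not ready" is a result, not an error.
func ProbeGitLab(ctx context.Context, client *http.Client, baseURL, token string) (Status, error) {
	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
	defer cancel()

	var st Status
	code, err := getJSON(ctx, client, baseURL+"/-/readiness", "", nil)
	if err != nil {
		return st, fmt.Errorf("readiness: %w", err)
	}
	if code != http.StatusOK {
		return st, nil
	}
	st.Ready = true

	var v GitLabVersion
	code, err = getJSON(ctx, client, baseURL+"/api/v4/version", token, &v)
	if err != nil {
		return st, fmt.Errorf("version: %w", err)
	}
	if code != http.StatusOK {
		return st, fmt.Errorf("version: unexpected HTTP %d (bad token?)", code)
	}
	st.Version, st.Revision = v.Version, v.Revision
	return st, nil
}

// getJSON performs a GET, sends PRIVATE-TOKEN when a token is given, and
// decodes a 200 body into out when out is non-nil.
func getJSON(ctx context.Context, client *http.Client, url, token string, out interface{}) (int, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return 0, err
	}
	if token != "" {
		req.Header.Set("PRIVATE-TOKEN", token)
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if out != nil && resp.StatusCode == http.StatusOK {
		if err := json.NewDecoder(resp.Body).Decode(out); err != nil {
			return resp.StatusCode, err
		}
	}
	return resp.StatusCode, nil
}

// newFakeGitLab is a constructed server answering the two endpoints the way a
// real instance does: readiness is open, version demands the right token.
func newFakeGitLab(ready bool, token string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/-/readiness", func(w http.ResponseWriter, r *http.Request) {
		if !ready {
			w.WriteHeader(http.StatusServiceUnavailable)
			return
		}
		fmt.Fprint(w, `{"status":"ok"}`)
	})
	mux.HandleFunc("/api/v4/version", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("PRIVATE-TOKEN") != token {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"message":"401 Unauthorized"}`)
			return
		}
		fmt.Fprint(w, `{"version":"12.3.0","revision":"abc1234"}`) // constructed values
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeGitLab(true, "example-token")
	defer srv.Close()
	st, err := ProbeGitLab(context.Background(), srv.Client(), srv.URL, "example-token")
	if err != nil {
		log.Fatal(err)
	}
	b, _ := json.Marshal(st) // log as JSON, as the post's controller does
	log.Println(string(b))
}
```

Two design points worth carrying into a real reconciler: the token never appears in an error message or log line, and a wrong token surfaces as an explicit error rather than as "not ready", so an operator can tell a broken Secret apart from an instance that is still booting.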
After two days of hacking it was time to wrap up and evaluate the first Fullstaqathon while enjoying a great beer at one of our favorite bars, De Beurs in Oosterhout. The feedback was unanimous: the first Fullstaqathon was a great success, with room for improvement in the preparation and refinement of the subjects. Either way, this will become a recurring event! Would you like to join the next one? We are looking for new colleagues!