YAML files dominate configuration in the cloud native ecosystem. They’re used by Kubernetes, Helm, Tekton, and many other projects to define custom configuration and workflows. But YAML has its oddities, which is why the Cloud Native Buildpacks project chose TOML as its primary configuration format.

TOML is a minimal configuration file format that's easy to read because of its simple semantics. You can learn more about TOML from the official documentation, but a simple buildpack TOML file looks like this:

Using Research Grants to Foster Innovation

life, Software Architect

As CEO of Disney, Michael Eisner had a policy that any employee could come to his office and pitch an idea. He believed that breaking down hierarchical barriers allowed innovative ideas to come from anywhere, and it worked. Disney invested in many of those pitches, some of which became the kernels for films like The Little Mermaid and Pocahontas.

At Heroku, we know our employees are full of innovative ideas waiting for investment. That’s why any engineer can propose a project through a process we call Research Grants. If the proposal is funded, that engineer gets about two weeks to experiment with their idea and create a work product that can lead to innovative new technologies or even...

Samurai Duke and the Legend of OpenJDK

life, Software Architect

What is Duke? No one knows his species or genus. People say he’s a Java Bean or a Software Agent, but all we know for sure is that he reminds us of the more than twenty-year legacy of the Java language and its community. The Java community has such an affinity for Duke that designers have created surfing Duke, astronaut Duke, rockstar Duke, macramé Duke, and of course Heroku’s Samurai Duke.

But how can all of these Duke variants exist without violating copyright or trademark laws? After all, Duke represents the language at the middle of one of the fiercest copyright battles in the history of software. The answer, it turns out, can teach us a great deal about how to nurture an open source...

When we open-sourced buildpacks nearly seven years ago, we knew they would simplify the application deployment process. After a developer runs git push heroku master, a buildpack ensures the application's dependencies and compilation steps are taken care of as part of the deploy.

As previously announced, we've taken the same philosophies that made buildpacks so successful and applied them towards creating Cloud Native Buildpacks (CNB), a standard for turning source code into Docker images without the need for Dockerfiles. In this post, we'll take a look at how CNBs work, how they aim to solve many of the problems that exist with Dockerfile, and how you can use them with the...

Ten Ways to Secure your Applications

engineering, Software Architect

This blog post is adapted from a talk given by Joe Kutner at Devoxx 2018 titled "10 Mistakes Hackers Want You to Make."

Building self-defending applications and services is no longer aspirational--it’s required. Applying security patches, handling passwords correctly, sanitizing inputs, and properly encoding output are now table stakes. Our attackers keep getting better, and so must we.

In this blog post, we'll take a look at several commonly overlooked ways to secure your web apps. Many of the examples provided will be specific to Java, but any modern programming language will have equivalent tactics.

1. Ensure dependencies are up-to-date

Every year, OWASP, a group of...

Pushing an app to the cloud can feel like launching a probe into space. Once your project is thousands of miles away you can't bang on it with a hammer or replace broken parts when there's a problem. Your debugging efforts must rely on the instrumentation, telemetry, and remote controls included with the app when it was deployed. On Heroku, we've gladly done some of that prep work for you.

Two new Heroku features, Heroku Exec and Language Runtime Metrics, improve your production monitoring, inspecting, and debugging experience on the platform. With Heroku Exec, you can create secure TCP and SSH tunnels into a dyno, which facilitate SSH sessions, port forwarding, remote...

On the Rise of Kotlin

news, Software Architect

It’s rare when a highly structured language with fairly strict syntax sparks emotions of joy and delight. But Kotlin, which is statically typed and compiled like other less friendly languages, delivers a developer experience that thousands of mobile and web programmers are falling in love with.

The designers of Kotlin, who have years of experience with developer tooling (IntelliJ and other IDEs), created a language with very specific developer-oriented requirements. They wanted a modern syntax, fast compile times, and advanced concurrency constructs while taking advantage of the robust performance and reliability of the JVM. The result, Kotlin 1.0, was released in February 2016 and its...

Nothing beats Ruby when it comes to rapid development, quick feedback, and delightful coding. The Ruby runtime and traditional Ruby frameworks favor synchronous programming, which makes them easy to use and understand. But microservices and real-time apps require asynchronous programming and non-blocking IO to enable maximum throughput. That's where JRuby comes in.

You can build reactive microservices in Ruby using JRuby and frameworks like Ratpack. JRuby interprets Ruby code into Java Virtual Machine (JVM) bytecode to gain the performance and concurrency benefits of Java without writing any Java code or XML. But the performance benefits of the JVM are just the beginning. You can also...

A common challenge when building microservices is providing a unified interface to the consumers of your system. The fact that your services are split into small composable apps shouldn’t be visible to users or result in substantial development effort.

To solve this problem, Netflix (a major adopter of microservices) created and open-sourced its Zuul proxy server. Zuul is an edge service that proxies requests to multiple backing services. It provides a unified “front door” to your system, which allows a browser, mobile app, or other user interface to consume services from multiple hosts without managing cross-origin resource sharing (CORS) and authentication for each one. You can...

1995 was the year AOL floppy disks arrived in the mail, Netscape Navigator was born and the first public version of Java was released. Over the next two decades, Java witnessed the multi-core revolution, the birth of the cloud, and the rise of polyglot programming. It survived these upheavals by evolving with them, and it continues to evolve even as we celebrate Java's twentieth birthday this year.

But the JVM turning twenty doesn’t make it out-of-date. On the contrary, Java's evolution has led to a kind of renaissance. That's why we sat down with RedMonk earlier this month to discuss Java's past, present, and future on the Opinionated Infrastructure Podcast. Our...

Over the past few years, Netflix has open sourced many of the components that make up its production platform. These include Eureka for service discovery, Hystrix for handling service failure, Ribbon for client side load balancing, and many others.

These projects are powerful, mature, and benefit from Netflix’s many years of experience deploying service-oriented applications in the cloud. Adding credence to this, IBM, Yelp, Hotels.com and many others have adopted these technologies for their own systems. And there’s nothing stopping you from building them into your applications, too.

Well, nothing except that many of the Netflix projects have a high barrier to entry because they're...
