How We Write GitHub Actions in Go

Since the release of GitHub Actions in 2019, GitHub has been heavily investing in improvements to the CI/CD experience. As part of this investment, repeatable tasks can be provided as custom actions and shared externally with the community or internally within a GitHub Enterprise instance. At Blend, we’ve benefited from adopting GitHub Actions. We have built tooling that enables writing an action in Go and automates the release process for actions within our GitHub Enterprise instance.

Scaling MongoDB for a Growing Customer Base

Here at Blend, one of the primary databases we use is MongoDB. MongoDB gives a number of important features, including flexible schemas, horizontal scalability, and solid operational tooling, which have let us grow quickly as a business. An important aspect of this success is how we organize data in our database; we want to ensure isolation between our customers’ data as much as possible in a single MongoDB cluster.

A Day in the Life of a (Secure) Request

In this post, we will walk through the infrastructure components we use at Blend to secure incoming requests—a day in the life of a request, if you will. There are a variety of commonly-used mechanisms to secure cloud computing environments, which often involve load balancers and special-purpose proxy servers. As a result, requests from a client to an application server typically make a number of intermediate network hops en route to their final destination.

Choosing a blockchain platform for Finprint

Note: Finprint isn’t under active development, but we think the lessons we learned are still valuable for other developers evaluating blockchain platforms. We recently open-sourced Finprint, a data sharing protocol that aims to empower consumers with the ability to own and securely share their financial data. Finprint’s goal of bringing control and transparency to consumers was a natural fit for the decentralized nature of blockchain platforms. We built our first implementation of the protocol on Ethereum in the Solidity smart contract language.

Making security audits more like the doctor’s office is a good thing

Security certifications are table stakes for Blend. Of course, this is also true for other organizations in critical infrastructure spaces like financial services, healthcare, and government contracting. Proof of a comprehensive security compliance program is often necessary to sell your product or services, and the audits that precede certification can be costly in terms of fees, time, and lost opportunities to improve other components of your security program.

Migrating the Kubernetes Network Overlay With Zero Downtime

At Blend, we make extensive use of Kubernetes on AWS to power our infrastructure. Kubernetes has many moving parts, and most of these components are swappable, allowing us to customize clusters to our needs. An important component of any cluster is the Container Network Interface (CNI), which handles the networking for all pods running on the cluster. Choosing the right CNI for each use case is critically important and making changes, once serving production traffic, can be painful.

Moving a Business-Critical Monolith to Kubernetes

At Blend we have been pushing for Kubernetes adoption across all services for the last two years. Migrating our monolith from AWS ECS to a self-hosted Kubernetes cluster marked a major milestone. Moving business-critical applications in general requires deliberate planning and in many cases major updates to deployment pipelines, system monitoring, testing, and infrastructure. This post will explore the migration strategies and lessons learned as we got the monolith up and running across deployments with zero downtime.

Encrypting Streams in Go

At Blend, we deal with highly sensitive consumer financial data. We use several data stores — Postgres, MongoDB, CockroachDB, and Etcd — all of which need to be backed up. While MongoDB and Postgres give us prebuilt tools for encrypting backups, Etcd and CockroachDB do not. Our standard practice is to encrypt these backups before storing them. This became more challenging as our backups grew. Encrypting backups in memory: at the beginning the backups were small, and we were able to use Vault’s transit features to encrypt them.

DCS: Giving the power of configuration to the user

If you’re not familiar with Blend, think of us as a modern experience for getting a loan. We offer a guided, personalized front end application that makes it easy for borrowers to connect their account data and more structured and secure for lenders to process it. We process loan applications for over 130 financial institutions including Wells Fargo and US Bank. To make the borrowing experience seamless, we integrate behind the scenes with our customers’ in-house tech stacks and dozens of third-party vendors.

Building a versioned UI deploy system for fast, stable deploys and rollbacks

Charlotte Willens on

At Blend, we’re working to bring simplicity and transparency to consumer lending. In the last two years, the Blend engineering team has doubled from 50 engineers to more than 100. Unsurprisingly, our codebase has grown in size and complexity as well. As the team has grown, we’ve embraced the principle of distributed ownership. On the UI team, this means owning our own technical health, and, as of a few months ago, our own release.