-
How To Renew Certificates in Kubernetes Clusters, Revisited
There is a lot of TLS certificates used by the core of a Kubernetes cluster and a popular one is the client-server pair used by kubectl to authenticate to the cluster control plane. In my previous notes on how to renew certificates in a Kubernetes cluster with kubeadm, I found that the steps are quite…
-
Blog Deployed With Jsonnet, Grafana Tanka and ArgoCD
It’s been a year since I did the ‘Hello World’ with Jsonnet and Tanka, then I made a simple side-loader container to install Tanka as a plugin to ArgoCD and finally deployed an httpbin container with ArgoCD + Tanka + Jsonnet. However since Jsonnet wasn’t used in my work, those things were shelved afterwards. Recently…
-
Easy Kubernetes Secret Integration with ExternalSecrets
In a Kubernetes cluster, A Kubernetes Secret is a resource type to hold sensitive data for the apps to use, such as an API key or database password. Secrets are namespaced so if I have RBAC access to a namespace, I can pretty much see all the secrets there, as the secrets are only base64…
-
Installation of Fedora 36 on Dell XPS 13 9380
I happened to have acquired a used Dell XPS 13 9380, which is a nice little ultrabook with Intel 8th gen i7 CPU, 16GB memory(not upgrade-able), 512GB nvme SSD and a beautiful 13″ 4k screen. It has Windows 10 installed. Of course I have no intention to continue to use the stock Windows 10. At…
-
Better Resilience for Kubernetes Pods
I happened to notice that all 3 pods serving this blog in my Kubernetes cluster were allocated to a same node. I thought Kubernetes will try its best to shuffle pods of a deployment into different nodes by default but guess I expected too much. Note the knode3 below Have you spotted the problem? In…
-
How to Regulate Egress Access in Kubernetes with Istio
Usually I don’t mind to give pods unlimited egress access, ie. the pods I deployed can access the whole internet if it needs to. However when the pods take input from users it’s a whole different story. For example, running some sandbox applications such as an online Python learning environment, the workload can be abused…
-
Flyway Container, MySQL and SSL/mTLS
Flyway is a handy utility to manage database schema migrations. Very similar to the schema migration mechanism in Ruby on Rails or Django, but Flyway is a standalone tool. So it’s best suited for some project which doesn’t have database schema management yet. I needed to use Flyway for a project I worked with, the…
-
Passing Environment Variables to Terraform with RegExp
In a Terraform template, an input variable can be used to set some configuration point for a resource, such as In some scenario the input variable can get its value from an environment variable in the shell where terraform runs. It looks like This is handy where there is just a few variables. If there…