Cloudflare’s Origin CA Issuer on k8s

If you are using Cloudflare in front of a web service, you still need to secure the traffic between Cloudflare and your origin. The typical options for this have been issuing a certificate from Let’s Encrypt or using a Cloudflare Origin CA certificate. Note that Origin CA certificates chain to a root that only Cloudflare’s edge trusts, not browsers, so they only make sense when the origin is reachable exclusively through Cloudflare.

A great option for k8s-specific use cases is the recently added Origin CA Issuer controller. Used together with cert-manager’s CertificateRequest resource, it enables a fully automatic workflow for both issuing and renewing Origin CA certificates.
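As an added example (not taken from the post or from the origin-ca-issuer project), here is what that workflow looks like as manifests: an OriginIssuer that references a Kubernetes Secret holding the Cloudflare Origin CA service key, and a cert-manager Certificate whose issuerRef points at it. The API group and field names are those of the origin-ca-issuer CRD as documented by the project; check them against the version you deploy. The names (prod-issuer, service-key, example.com, example-com-tls) and the 7-day validity are assumptions for illustration.

```yaml
# Secret holding the Origin CA service key (assumed name "service-key").
# Created out-of-band, e.g.:
#   kubectl create secret generic service-key -n default \
#     --from-literal key=<Origin CA Key from the Cloudflare dashboard>
---
apiVersion: cert-manager.k8s.cloudflare.com/v1
kind: OriginIssuer
metadata:
  name: prod-issuer          # assumed issuer name
  namespace: default
spec:
  # OriginECC requests an ECDSA certificate; OriginRSA is the alternative.
  requestType: OriginECC
  auth:
    serviceKeyRef:
      name: service-key      # Secret created above
      key: key               # key within the Secret holding the service key
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com          # assumed name
  namespace: default
spec:
  # cert-manager stores the issued certificate and private key here;
  # mount or reference this Secret from the Ingress / origin web server.
  secretName: example-com-tls
  dnsNames:
    - example.com            # assumed hostname, must be a zone on the Cloudflare account
  # Origin CA only issues a fixed set of validity periods
  # (7, 30, 90 days, or 1, 2, 3, 15 years); 168h = 7 days.
  duration: 168h
  # cert-manager re-issues through the OriginIssuer one day before expiry,
  # which is what makes renewal hands-off.
  renewBefore: 24h
  issuerRef:
    group: cert-manager.k8s.cloudflare.com
    kind: OriginIssuer
    name: prod-issuer        # must live in the same namespace as the Certificate
```

The renewBefore value has to be shorter than the chosen duration, otherwise cert-manager renews on every reconcile. Since the resulting certificate is only trusted by Cloudflare, pair it with Authenticated Origin Pulls or an IP allowlist on the origin so clients cannot bypass the edge and talk to the origin directly.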

Read more →

Private CA with CFSSL

When hosting internal domains, one mildly irritating thing is the browser warnings of “Not secure” and “Your connection is not private”. A quick remedy for this might be to issue a certificate from Let’s Encrypt with auto-renewal and call it a day.

In my opinion this is not the right solution for domains targeting an internal audience.

Read more →

Talkyard on k8s

Talkyard is open source software that provides discussion and commenting capabilities to sites. For example, the comments on this very site are powered by Talkyard.

As the official Talkyard releases already come containerized and work well as a Docker Compose deployment, I figured it would be a fun project to make Talkyard run on k8s. This post will be a step-by-step guide on how to deploy Talkyard to a Kubernetes cluster.

Read more →

Troubleshooting Longhorn and DNS Networking

Lately I’ve been trying out Longhorn as the persistent storage engine for stateful k8s workloads. Overall I am really impressed by Longhorn. Installing it on a cluster is a breeze and creating replicated volumes works great.

After a routine reboot of one worker node (which had been properly cordoned and drained beforehand), any pod with an attached Longhorn volume would refuse to start.

Read more →

Deploying GitLab with Podman

For my private projects I run a self-hosted GitLab instance deployed with the official Community Edition Docker image. In addition to Git repository management, GitLab comes packed with a lot of features such as Continuous Integration/Deployment, wikis, Kubernetes cluster integration and much more. Those looking for a minimal Git solution should probably look elsewhere.

Read more →

Securing Ansible Vault With Google Cloud

When working with Ansible you will at some point have to deal with data of a more sensitive nature, such as passwords, API keys, certificate private keys, etc. Storing secrets in plain text is bad practice, but still quite common.

If possible, the best option is to not store any secrets in the repository at all and instead fetch or inject them during deployment or at runtime with tools such as HashiCorp’s Vault. But for smaller projects this can be too expensive, complex and time-consuming to configure. Thankfully Red Hat ships a tool called Ansible Vault with the default Ansible installation. Ansible Vault can encrypt secrets either inline as individual variables or as whole files, and decrypts them automatically during playbook execution; the security of the setup then hinges on how the vault password itself is stored and distributed.

Read more →

hello world

During the winter holiday I managed to find time to start working on this blog. The plan was to launch before New Year’s Eve and get a head start on 2021. But as always when it comes to technology projects delays get introduced one way or another. Now in this particular case these delays were very much self-inflicted by my ability to scope-creep.

What started out as a simple blog to be hosted directly on GitHub Pages or from object storage such as AWS S3 quickly evolved into something else.

Read more →