I have been working with and using Istio for the past year. Istio provides tons of features, and I heavily use the Istio Ingress Gateway to expose my services to the public. There is a use case where some other proxy, like HAProxy, is pointing at the Istio gateway. The configuration on HAProxy might change because the Istio Gateway implements Server Name Indication (SNI). Server Name Indication allows a single proxy to serve multiple domains.
Not every application we find has a built-in single sign-on feature, which is a little tricky if you want to make it public but only want to provide access to authenticated users. Luckily, there is an open-source project called oauth2-proxy that acts as an authenticating middleware.
There are times when we really struggle to troubleshoot the networking behaviour of our applications. The reason is that the application does not emit networking logs, for example what protocol it uses, what the source and destination IPs are, what domain it calls, etc.
Over the past week, I tried to spike and set up a private PKI in my lab environment, mostly for ingress and gateway testing. There is a reason why I don't go with a public one like Let's Encrypt: you need to buy a domain and host it in DNS that supports the ACME DNS01 challenge, like AWS Route 53, and the pricing is too high.
GIMX is an open source gaming adapter that makes your computer an adapter/hub for your gaming devices. In this blog, I will try to integrate a mouse and keyboard with the PS4, using Battlefield 5 as the example. Besides the computer, you also need a component to connect your computer to the PS4 (the GIMX adapter).
For the last six months, I have mainly been working on Istio, which leverages Envoy as the sidecar proxy and requires understanding Envoy. I decided to leverage Envoy as the reverse proxy in my lab environment. Why not? Envoy as a proxy is mature, has already graduated from the CNCF, and is easy to configure.
Let's Encrypt has supported generating wildcard certificates for your domain since 2018. This article will help you generate a wildcard certificate without setting up a web server, using the DNS challenge instead.
The Istio CA certificate is the most sensitive object in Istio. When enabling a multicluster shared control plane, the CA certificate is shared across multiple clusters. Once this certificate leaks to the public, there is no option but to replace the old CA certificate with a new one.
Mutual TLS communication is about the client and server trusting each other. It differs from standard TLS, where only the client needs to trust the server. In mutual TLS, the server also needs to trust the client.
I had a hard time thinking about how to easily capture packets in a Kubernetes pod when trying to debug mutual TLS communication between pods. I can run tcpdump inside the pod, but sometimes the pod only has read-only access and it's hard to see the tcpdump output. With tcpdump, I can also generate Wireshark format to analyze better, but it's no fun to copy the tcpdump result from the pod to my desktop every time I want to capture.
Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. Velero has the ability to back up a cluster, migrate cluster resources to another cluster, and also replicate a cluster to another cluster.
Since my job is mainly related to cloud stuff, I need to change tool versions multiple times. Some tools like kubectl, istioctl, and helm have multiple versions and behave differently between versions. Changing the version of these tools is not an easy task, and it is repetitive.
Kubernetes installed with kubeadm can be upgraded with simple command from kubeadm itself.
Istio is a service mesh platform that can control and modify traffic policy behaviour in Kubernetes by injecting a sidecar into a container. Multicluster Replicated Control Plane is a use case that enables communication between two services in two different service meshes without using an Ingress, and can enable mutual TLS between the services.