Configure Istio Gateway as HAProxy backend

I have been working with and using Istio for the past year. Istio provides tons of features, and I rely heavily on the Istio Ingress gateway to expose my services to the public. There is a use case where another proxy, such as HAProxy, points to the Istio gateway. The configuration on HAProxy might change because the Istio Gateway implements Server Name Indication (SNI). SNI allows a single proxy to serve multiple domains.

Leverage Single Sign-On with oauth2-proxy and Istio

Not every application we find has a built-in single sign-on feature. This is a little tricky if you want to make it public but only want to provide access to authenticated users. Luckily, there is an open-source project called oauth2-proxy that acts as authentication middleware.

Istio Access/connection logging

There are times when we really struggle to troubleshoot the networking behaviour of our applications. The reason is that the application does not emit networking logs, for example which protocol it used, what the source and destination IPs are, which domain it called, etc.

Integrate mouse and keyboard to PS4 with GIMX

GIMX is an open source gaming adapter that makes your computer act as an adapter/hub for your gaming devices. In this blog, I will try to integrate a mouse and keyboard with a PS4, using Battlefield 5 as the example. Besides a computer, you also need a component to connect your computer to the PS4 (a GIMX adapter).

Leverage Envoy as a reverse proxy

For the last six months, I have mainly been working on Istio, which leverages Envoy as the sidecar proxy and requires an understanding of Envoy. I decided to leverage Envoy as a reverse proxy in my lab environment. Why not? Envoy is a mature proxy, has already graduated from the CNCF, and is easy to configure.

Replacing Istio CA Certificate

The Istio CA certificate is the most sensitive object in Istio. When a multicluster shared control plane is enabled, the CA certificate is shared across multiple clusters. Once this certificate leaks to the public, there is no option but to replace the old CA certificate with a new one.

Mutual TLS communication between Istio mesh

Mutual TLS communication is about the client and server trusting each other. It differs from standard TLS, where only the client needs to trust the server. In mutual TLS, the server also needs to trust the client.

Capture pod packet with sniff

I had a hard time figuring out how to easily capture packets in a Kubernetes pod when trying to debug mutual TLS communication between pods. I can run tcpdump inside the pod, but sometimes the pod only has read-only access and it's hard to see the tcpdump output. With tcpdump, I can also generate Wireshark format for better analysis, but it's no fun to copy the tcpdump result from the pod to our desktop every time I want to capture.

Backup Kubernetes Cluster using Velero

Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. Velero has the ability to back up a cluster, migrate cluster resources to another cluster, and replicate a cluster to another cluster.

Managing tool versions using asdf

Since my job is mainly related to cloud stuff, I need to change tool versions multiple times. Some tools like kubectl, istioctl, and helm have multiple versions and behave differently between versions. Changing the version of these tools is not easy and is a repetitive task.

Install Istio Multicluster Replicated Control Plane

Istio is a service mesh platform that can control and modify traffic policy behaviour in Kubernetes by injecting a sidecar into a container. Multicluster Replicated Control Plane is a use case that enables communication between two services in two different service meshes without using Ingress, and can enable mutual TLS between the services.
