Hi there 馃憢

This blog is a sort “knowledge stash”. A log of my journey in the industry. You will find posts about Kubernetes, Docker, Spring Boot, Kafka, CI/CD Pipelines and other stuff. Writing things down helps memorizing, offloads brain capacity and can help others.

Achieving multi-tenant metrics with Prometheus Agent: a first building block

This is the first post of a series of articles about multi-tenant metrics with Prometheus Agent; here you will read how to enable Prometheus Agent mode and how to ingest metrics to a central Prometheus instance but also the limitations of this setup. Let鈥檚 say you鈥檙e managing 5 - 10 to n Kubernetes clusters (or hopefully Vclusters) for your tenants and you want to provide metrics to the developers: cpu usage, memory usage, custom metrics etc....

July 25, 2022 路 7 min 路 Justin

LDAP authentication with Dex on Kubernetes with Vcluster (K3S)

We set up our Vcluster but now we want to give proper access to the developers by leveraging their existing ldap credentials. The idea is to use DEX as a federated openid provider and kubelogin as a plugin for oidc integration. Scenario We鈥檙e going to achieve something like this: the user issues a command targeting our vcluster鈥檚 api server (kubectl get pods, for example), kubelogin will open the default browser on the user鈥檚 machine and display a login page....

June 11, 2022 路 8 min 路 Justin

How we reduced Kubernetes Clusters Sprawl by adopting Vclusters: An Introduction

With the consistent increasing of projects we were experiencing a huge growth of Kubernetes clusters for dev and test environments; each project had its own cluster with its stack: Nginx, Prometheus, Opa Gatekeeper etc. Moreover, each cluster had a different Kubernetes version with legacy clusters still pinned to the 1.15.x version. This meant we had to manage a different set of stacks (Prometheus, Nginx etc) since the skew between versions were too big....

April 24, 2022 路 9 min 路 Justin

Secure Your Docker Images With Cosign (and OPA Gatekeeper)

We built CI/CD pipelines so far which have Docker images as output but how we make sure about the provenance of the workload we run on Kubernetes? How can be sure that the containers we are running are run from images built from our pipelines? One way to ensure trust with Docker images is to sign these images. We can sign them during our CI pipeline and then verify the signature at runtime when deploying....

January 19, 2022 路 9 min 路 Justin

Centralized (multi tenant) Logging with Kubernetes: Part 3

This is a series. You can find part 1 here and part 2 here. On this last post I am going to cover the monitoring (with Prometheus and Grafana) for OpenSearch and Fluentd. FluentD If you recall from part-1, we set up a specific configuration for Prometheus in Fluentd main-fluentd-conf.yaml kind: ConfigMap apiVersion: v1 metadata: name: fluentd-es-config namespace: logging labels: addonmanager.kubernetes.io/mode: Reconcile data: fluent.conf: |-<source> type forward bind port 32000 </source> [....

December 12, 2021 路 3 min 路 Justin