Kubernetes

Proxy Dockerhub access with K3S

The Problem

When you are running a Kubernetes cluster, you will often deploy images from Dockerhub.

This can be slow, as the images have to be downloaded from the internet.

This can be a problem if you have a slow internet connection, or if you have to deploy many images at once.

You also waste bandwidth, as the images are downloaded multiple times.

In addition, you might want to be able to scan the images for security vulnerabilities before deploying them. Or you need to authenticate to download the images, as many images run into rate limiting issues otherwise.

The Solution

One way to solve this problem is to use a proxy.

This proxy can be used to cache images, so that they do not have to be downloaded from Dockerhub every time.

This is also known as a Pull Through Cache1 2, which is a common solution to this problem.

This can speed up the deployment process, as the images are already available on the local network. It also prevents being rate limited, as the images are only downloaded from Dockerhub once. An additional benefit is that the hosts do not need direct access to Dockerhub and do not need the credentials, which limits the exposure of the credentials.

Azure Entra SSO for TAP GUI via Keycloak

In recent years, I've worked with many customers who want to add SSO to a developer tool but run into blocking issues.

These are the two most common issues:

  1. There is no update-compatible way to configure a proxy
  2. They want to use Technical Accounts, but these are not supported or allowed by their corporate SSO solution

Working with customers on Tanzu Application Platform (TAP)1, I often run into the first.

Tanzu Developer Portal2, the main GUI of TAP, is based on Backstage3, and authentication in Backstage is provided by adding plugins.

Many of these authentication plugins do not support configuring an outgoing proxy other than by changing the plugin's code.

This is not an acceptable solution for our customers.

This guide explores how we can leverage Keycloak4 to function as an authentication proxy.

Automate Image signing with Tekton Chains to Private Registry

As we hear about more and more (software) Supply Chain attacks, securing our software supply chain becomes increasingly important. One of the ways to do this is to sign our container images.

In this post, we will look at how to automate the signing of container images using Tekton Chains6.

We use the Tekton Operator, Kyverno, SecretGen Controller, and Kaniko to automate the signing of the images. Then, we verify the image's signature using the cosign tool.

Homelab Introduction

In this blog I'll explain how I've set up my homelab, what I use it for and how I manage it.

The homelab is a collection of Raspberry Pis, a Western Digital NAS, some network switches, a Fritz Box, and two Asus Mini PCs.

The homelab is primarily used for exploring and learning new technologies, such as Kubernetes, GitOps, DevSecOps, and self-hosting my own applications.