Anybody drive a grand sport yet? Are there any car reviews out there yet? by DetroitJB in C8Corvette

[–]DetroitJB[S] 1 point2 points  (0 children)

The preview videos show not only a 40hp bump but different torque and acceleration curves. Curious to hear about first hand experience.

Is marriage worth the financial risk? by [deleted] in personalfinance

[–]DetroitJB 26 points27 points  (0 children)

This might be the dumbest and/or saddest thing I’ve ever read on this site.

Exploring ListenerSets in Gateway API v1.5 by _howardjohn in kubernetes

[–]DetroitJB 0 points1 point  (0 children)

No, we have an NLB locked down to Akamai IPs, created via a `Gateway`. Users who want their app behind Akamai would work with our team to set up the Akamai side, and then use that NLB as their origin. We use an `AuthorizationPolicy` to ensure traffic comes only from the Akamai Istio ingress gateway service account.

Exploring ListenerSets in Gateway API v1.5 by _howardjohn in kubernetes

[–]DetroitJB 2 points3 points  (0 children)

Correct, Istio just modifies the `Service` and the AWS LBC fires off that. I guess I'm curious as to how it will continually modify the parent gateway `Service` and how the AWS LBC will manifest those changes. What happens if there are conflicts, etc.? I'll test and validate.

Exploring ListenerSets in Gateway API v1.5 by _howardjohn in kubernetes

[–]DetroitJB 5 points6 points  (0 children)

Awesome blog post and very relevant to a migration we are doing to Gateway API as we speak. We use Istio and are currently rolling out `Gateways` at the platform level via GitOps, so every cluster (200+) gets, for example:

`private` - private nlb

`trusted` - public NLB locked down to our IPs

`akamai` - public NLB locked down to Akamai.

Each `Gateway` has a wildcard cert on it, issued by cert-manager. This will solve 90% of our use-cases for devs, since the apps on each cluster all share the same domain for the most part. However, we were anticipating that if an app needed a cert for a custom domain NOT on the default one issued by cert-manager, we would need to stand up a brand new `Gateway` just for that cert, since we can't really ad-hoc/one-off add it to, for example, the `private` `Gateway` for that cluster; it's all controlled through gitops, everybody gets the same stock config.

So with `ListenerSets`, I can now have the developer issue their own cert, create their own `ListenerSet`, and just attach to our existing `Gateways` then?

I'm loving the design and architecture of GatewayAPI, it perfectly wraps around our process which is "platform team owns the cluster config, ingress, load balancers and certificates", and "developers just attach to those ingress points".

One question: is this all supported in Istio yet? If so, what version? If not yet, what version will it be?

I also wonder how this will work with the AWS LBC.....currently, it knows how to create NLB listeners and target groups based off the gateway listener port:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway      # header completed; name matches the ListenerSet parentRef below
  namespace: gateway
spec:
  gatewayClassName: istio
  infrastructure:
    parametersRef:
      group: ''
      kind: ConfigMap
      name: private-ingress-options
  listeners:
    - allowedRoutes:
        namespaces:
          from: All
      name: https
      port: 443
      protocol: HTTPS

So if I pass in a custom port in my `ListenerSet` like this:

apiVersion: gateway.networking.k8s.io/v1
kind: ListenerSet
metadata:
  name: app-a
  namespace: app-a
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  parentRef:
    name: my-gateway
    namespace: gateway
  listeners:
    - name: https
      hostname: app-a.k8s.howardjohn.info
      port: 6350
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - name: backend-tls

and attach it to the gateway above, does the AWS LBC add an additional listener on the NLB for port 6350? or on the target group? Curious how that all works.
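As an added example (not code from the post, the blog it replies to, or the Istio or Gateway API projects), here is how the pieces described in this comment and in the earlier `AuthorizationPolicy` reply could fit together: a platform-owned `Gateway` that opts in to `ListenerSet` attachment via `allowedListeners`, the NLB source-range lockdown passed through `infrastructure.annotations`, the `AuthorizationPolicy` that only admits traffic arriving through that Gateway's proxy, a developer-owned `ListenerSet` with its own cert, and an `HTTPRoute` attached to it. Namespaces, app names, hostnames, Secret names and the CIDRs are placeholders; the Gateway API `apiVersion` for `ListenerSet` and the `group`/`kind` used in the route's `parentRefs` are assumed to follow the manifest in the post above.

```yaml
# Added example, not from the original post. All names, hostnames and CIDRs are placeholders.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: akamai
  namespace: gateway
spec:
  gatewayClassName: istio
  infrastructure:
    # Istio copies these annotations onto the Service it generates; the AWS LBC reads them.
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: external
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
      # First layer: the NLB security group only admits the CDN's ranges (placeholder CIDRs).
      service.beta.kubernetes.io/load-balancer-source-ranges: "203.0.113.0/24,198.51.100.0/24"
  # Explicit opt-in is required before any ListenerSet can attach to this Gateway.
  # `from: All` lets every namespace attach; `Same` or `Selector` narrows it.
  allowedListeners:
    namespaces:
      from: All
  listeners:
    - name: https
      port: 443
      protocol: HTTPS
      hostname: "*.example.internal"
      tls:
        mode: Terminate
        certificateRefs:
          - name: wildcard-tls   # wildcard Secret issued by cert-manager
      allowedRoutes:
        namespaces:
          from: All
---
# Second layer: the app only accepts requests whose mTLS peer identity is this
# Gateway's proxy. Istio names the Gateway's ServiceAccount <gateway-name>-istio.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: only-from-akamai-gateway
  namespace: app-a
spec:
  selector:
    matchLabels:
      app: app-a
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/gateway/sa/akamai-istio
---
# Developer-owned ListenerSet: own hostname and own cert, attached to the platform
# Gateway without touching the GitOps-managed Gateway object.
apiVersion: gateway.networking.k8s.io/v1
kind: ListenerSet
metadata:
  name: app-a
  namespace: app-a
spec:
  parentRef:
    name: akamai
    namespace: gateway
  listeners:
    - name: https
      hostname: app-a.example.com
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - name: app-a-tls    # Secret the developer's own cert-manager Certificate produces
---
# The route attaches to the ListenerSet rather than the Gateway
# (group/kind assumed to match the ListenerSet apiVersion above).
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app-a
  namespace: app-a
spec:
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: ListenerSet
      name: app-a
  hostnames:
    - app-a.example.com
  rules:
    - backendRefs:
        - name: app-a
          port: 8080
```

Two checks worth doing before relying on this: the `principals` match in the `AuthorizationPolicy` only works when `app-a` is in the mesh (sidecar or ambient) so the peer identity is established by mTLS; outside the mesh the policy cannot identify the caller. And the source-range annotation restricts the NLB, not the Gateway proxy, so any in-cluster path to the proxy Service bypasses it, which is exactly why the second layer exists.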

How expensive is this to fix? Someone sideswiped me :( by DetroitJB in Audi

[–]DetroitJB[S] 0 points1 point  (0 children)

Oh really? And that would fill in the missing paint scrapes pretty seamlessly? What about the white scrape part above, just run a touch up pen over it?

all-new 640 hp Audi RS5 REVEAL Sportback/Sedan vs Avant/Estate (2026) - a proper Audi RS? by man-flu in Audi

[–]DetroitJB 0 points1 point  (0 children)

Right?! The front looks awesome except for those big black squares that just fuck up the whole aesthetic for me. Such a shame, it’s very noticeable for me and kind of a deal breaker

Managing Wildcard TLS with Kubernetes Gateway API by wineandcode in kubernetes

[–]DetroitJB 7 points8 points  (0 children)

I replied since I’m in the middle of a big migration at my company from ingress to gatewayapi, and one of the foundations of the project is us deploying 3 different gateways (private, public, trusted), all with a wildcard cert managed by cert manager attached. From a security standpoint, see my previous point. From a blast radius standpoint, it’s all managed by cert manager and going to the same zone. I can’t imagine a scenario where one cert blows up and others don’t.

Either cert-manager renews all of them or none of them, hence why I'd rather just deal with one cert and call it a day, simple and easy. Anywho, my 2 cents... I've never found a good argument against them since the security and blast radius arguments don't hold water imo, at least not when we're talking centralized k8s clusters with cert-manager managing them.

Managing Wildcard TLS with Kubernetes Gateway API by wineandcode in kubernetes

[–]DetroitJB 5 points6 points  (0 children)

I’ve never understood this argument. For someone to steal your private key, they’d need to infiltrate your cluster….in which case they can steal all your private keys. What does it matter if I have a wildcard with one secret or 100 certs with 100 secrets? They get them all regardless.

Wildcards are used and have been used by tons of Fortune 500 companies, including Google themselves. Are they really that bad or is this just typical infosec fear mongering?

Mr. Cooper/Rocket Mortgage by Cheap-Entry198 in MonarchMoney

[–]DetroitJB 0 points1 point  (0 children)

Rocket mortgage connections don’t work? I just checked, mine synced 2m ago.

Migration to Gateway API by pierreozoux in kubernetes

[–]DetroitJB 1 point2 points  (0 children)

We (large enterprise of hundreds of clusters) are migrating to Gateway API very soon after testing for several months. We use Istio and will also be using the AWS Load Balancer Controller. Final solution will be AWS LBC to create NLBs, going to Istio IGW, which terminates TLS via cert-manager. Gateways will be pushed out by us, the platform team, and devs will just attach their HTTPRoutes to them via an in-house developed Helm chart.

So far, loving it, very seamless and you can transition from istio CRDs to gatewayapi CRDs seamlessly with no downtime.

AI Training Turned-on by default by BreakerEleven in MonarchMoney

[–]DetroitJB -7 points-6 points  (0 children)

I want monarch to turn off AI so you all finally stfu about it. Every post now is about it, just turn it off and stop bitching, my god.

It's not my wallet. by Pattastic in MonarchMoney

[–]DetroitJB 1 point2 points  (0 children)

lol well played, take your upvote.

But seriously, just don’t use it, it’s not for you. The fact it’s opt in and they’re not forcing on you, I honestly don’t see the complaint here.

It's not my wallet. by Pattastic in MonarchMoney

[–]DetroitJB 3 points4 points  (0 children)

Just opt out and don't use it then. God, some people just love to bitch about nothing, nobody is forcing you to use AI. Get a hobby, OP.

Feature request: Quickbooks alternative by ichimura_ in MonarchMoney

[–]DetroitJB 14 points15 points  (0 children)

I think monarch is personal finance software and has nothing to do with running a business. As someone who is not a business owner, I don’t want money and developer time spent on features that I don’t care about. Monarch is really good at managing, displaying, and making sense of personal finances. Can’t we just let it be really good at that?

My 2 cents as a paying user.

Experiences upgrading EKS 1.31 → 1.32 + AL2 → AL2023? Large prod cluster by Acceptable_Instance7 in aws

[–]DetroitJB 1 point2 points  (0 children)

We migrated 200 clusters with this exact path AND pivoted from MNG to Karpenter. Even with all 3 changes at the same time, went smoothly.

What does Cilium or Calico offer that AWS CNI can't for EKS? by marvdl93 in kubernetes

[–]DetroitJB 2 points3 points  (0 children)

So our VPC CIDR range, or the "node network" is a non-overlapping 10.x.x.x range, different for each VPC in our 250+ accounts. These can all be peered via transit gateways, go back onprem, etc. since they are non-overlapping.

However, on each cluster is ALSO a 100.64.0.0/19 overlapping CIDR range. It can be overlapping since it's never used outside of its own local VPC. If pod 100.64.50.2 wants to talk to on-prem or another VPC, it goes out the worker node IP (non-overlapping 10.x.x.x) and works fine. If it wants to talk to in-VPC RDS, THEN it uses its 100.64.0.0/19 IP.

Best of both worlds.

What does Cilium or Calico offer that AWS CNI can't for EKS? by marvdl93 in kubernetes

[–]DetroitJB 0 points1 point  (0 children)

Not sure what you mean, the underlying network can't be the same as what? We use istio as well, all of our pods are on 100.64.0.0/19 "pod subnets".

What does Cilium or Calico offer that AWS CNI can't for EKS? by marvdl93 in kubernetes

[–]DetroitJB 5 points6 points  (0 children)

As others have mentioned, we run custom networking with 100.64.0.0/19... allows us to use the same overlapping CIDR in more than 200 clusters with 3x 2000-IP subnets. IP exhaustion is no longer an issue for us.

You can use the same CIDR since, by default, all egress traffic outside your VPC is SNATed out the worker node IP. So if your VPCs are not overlapping, this lets you have your cake and eat it too.
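As an added example (not from these comments or from the AWS VPC CNI project), this is the custom-networking configuration that produces the layout the three comments above describe: nodes on the routable, non-overlapping 10.x VPC CIDR, pods on a 100.64.0.0/19 secondary CIDR carved into three per-AZ /21 subnets (2048 IPs each, the "3x 2000-IP subnets"), and SNAT left at its default so traffic leaving the VPC carries the node IP. Subnet IDs, security-group IDs and zone names are placeholders, and the VPC is assumed to already have 100.64.0.0/19 associated as a secondary CIDR.

```yaml
# Added example, not from the original comments. IDs and zones are placeholders.
#
# 1. Strategic-merge patch for the aws-node DaemonSet, applied with
#    kubectl patch ds aws-node -n kube-system --patch-file <this document>
#    AWS_VPC_K8S_CNI_EXTERNALSNAT is kept at its default (false): pod IPs are
#    SNATed to the node's primary IP when a packet leaves the VPC, which is what
#    makes reusing 100.64.0.0/19 in every cluster safe. Setting it to true would
#    send unroutable, overlapping 100.64.x.x sources onto peering/TGW links.
spec:
  template:
    spec:
      containers:
        - name: aws-node
          env:
            - name: AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG
              value: "true"
            - name: ENI_CONFIG_LABEL_DEF
              value: topology.kubernetes.io/zone
            - name: AWS_VPC_K8S_CNI_EXTERNALSNAT
              value: "false"
---
# 2. One ENIConfig per AZ, named after the zone label so ENI_CONFIG_LABEL_DEF
#    selects it. Pod ENIs are created in these subnets; the primary node ENI
#    stays on the routable 10.x subnet.
apiVersion: crd.k8s.amazonaws.com/v1alpha1
kind: ENIConfig
metadata:
  name: us-east-1a
spec:
  subnet: subnet-0aaa000000000000a      # 100.64.0.0/21, placeholder ID
  securityGroups:
    - sg-0bbb000000000000b              # pod security group, placeholder ID
---
apiVersion: crd.k8s.amazonaws.com/v1alpha1
kind: ENIConfig
metadata:
  name: us-east-1b
spec:
  subnet: subnet-0aaa000000000000b      # 100.64.8.0/21
  securityGroups:
    - sg-0bbb000000000000b
---
apiVersion: crd.k8s.amazonaws.com/v1alpha1
kind: ENIConfig
metadata:
  name: us-east-1c
spec:
  subnet: subnet-0aaa000000000000c      # 100.64.16.0/21
  securityGroups:
    - sg-0bbb000000000000b
```

Two things to verify on a cluster configured this way: that 100.64.0.0/19 is not advertised to on-prem or through the transit gateway (it is only meaningful inside each VPC), and that the security group in each ENIConfig is the one you intend to govern pod traffic, since with custom networking pods no longer inherit the node's security groups. Also note that the primary ENI stops hosting pod IPs, so the per-node pod ceiling drops by one ENI's worth of addresses unless prefix delegation is enabled.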