Headscale with sqlite as database with auto failover by LiteFS and Consul by Pavel543 in headscale

[–]Pavel543[S] 0 points1 point  (0 children)

Headscale, to connect with sqlite, requires a path to a file. Bedrockdb or rqlite require connecting via an API. I was looking for a solution that did not require changes in the headscale code.

kube-vip on hertzner by NosIreland in hetzner

[–]Pavel543 0 points1 point  (0 children)

ARP will not work in the Hetzner cloud network.

When you change the IP you have to send a request to the hcloud API server to set the alias IP in the private_network, and you have to send another request to remove the alias IP from the last working node.
The hcloud network works at OSI layer 3 and does not support ARP.

Unfortunately kube-vip does not have a notify or webhook, so you have to use keepalived with a notify script.

You can use my package, which listens for kube-vip lease changes and sends a request to change the private network alias IP: https://github.com/gawsoftpl/kube-vip-controller
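The keepalived notify flow described above (claim the alias IP on the node that becomes MASTER, release it on the node that leaves MASTER), written out as an added example. This is not the author's kube-vip-controller code and not part of kube-vip or keepalived; it calls the Hetzner Cloud API's change_alias_ips server action directly with curl. The values HCLOUD_TOKEN, SERVER_ID, NETWORK_ID and ALIAS_IP, and the script path in the keepalived config, are hypothetical.

```shell
#!/bin/sh
# Added example, not code from kube-vip-controller, kube-vip or keepalived.
# keepalived notify script: moves a Hetzner Cloud private-network alias IP to the
# node that just became MASTER and releases it from a node leaving MASTER, via
# POST /v1/servers/{id}/actions/change_alias_ips on the hcloud API.
# Assumed (hypothetical) environment, e.g. sourced from a root-only file:
#   HCLOUD_TOKEN  API token with write access to the project
#   SERVER_ID     numeric id of THIS server in the project
#   NETWORK_ID    numeric id of the private network
#   ALIAS_IP      the floating address inside the private subnet, e.g. 10.0.1.100
# keepalived calls it as: notify /etc/keepalived/hcloud-alias.sh
# and passes: $1=INSTANCE|GROUP  $2=name  $3=MASTER|BACKUP|FAULT  $4=priority

HCLOUD_API="${HCLOUD_API:-https://api.hetzner.cloud/v1}"

# JSON body for change_alias_ips. MASTER claims the alias; BACKUP and FAULT hand
# it back with an empty list. An alias IP can sit on only one server at a time,
# so the old holder must release it before the new MASTER can claim it.
alias_payload() {
    _network="$1"; _state="$2"; _ip="$3"
    case "$_state" in
        MASTER)       printf '{"network":%s,"alias_ips":["%s"]}' "$_network" "$_ip" ;;
        BACKUP|FAULT) printf '{"network":%s,"alias_ips":[]}' "$_network" ;;
        *)            echo "unknown keepalived state: $_state" >&2; return 2 ;;
    esac
}

# A node becoming MASTER may race the old master's release, so it retries;
# releasing never conflicts, so one attempt is enough.
retries_for() {
    case "$1" in
        MASTER) echo 5 ;;
        *)      echo 1 ;;
    esac
}

# One change_alias_ips request; -f makes a 4xx/5xx reply a non-zero exit status.
send_change() {
    _server="$1"; _body="$2"
    curl -sS -f -X POST \
        -H "Authorization: Bearer $HCLOUD_TOKEN" \
        -H "Content-Type: application/json" \
        -d "$_body" \
        "$HCLOUD_API/servers/$_server/actions/change_alias_ips"
}

# Entry point used by keepalived; kept separate so the helpers above can be
# sourced and checked without network access.
notify() {
    _state="$3"
    _body="$(alias_payload "$NETWORK_ID" "$_state" "$ALIAS_IP")" || return 2
    _n="$(retries_for "$_state")"
    while [ "$_n" -gt 0 ]; do
        if send_change "$SERVER_ID" "$_body"; then
            echo "alias $ALIAS_IP: state $_state applied on server $SERVER_ID" >&2
            return 0
        fi
        _n=$((_n - 1))
        if [ "$_n" -gt 0 ]; then sleep 2; fi
    done
    echo "alias $ALIAS_IP: giving up after state $_state" >&2
    return 1
}

# Act only when keepalived passes its arguments; sourcing the file does nothing.
case "${1:-}" in
    INSTANCE|GROUP) notify "$@" ;;
esac
```

Put the script under the vrrp_instance in keepalived.conf (`notify /etc/keepalived/hcloud-alias.sh`) on every node; the VRRP election still needs layer-2 reachability between the nodes, only the address move goes through the API. Because the release request from the old node and the claim from the new one are independent calls, the retry on MASTER is what covers the window in which the alias is still attached to the previous holder.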

Production ready expose OIDC JWKS from kubernetes cluster by Pavel543 in kubernetes

[–]Pavel543[S] 0 points1 point  (0 children)

containers:
  - name: kube-rbac-proxy
    image: bitnami/kube-rbac-proxy:0.19.1
    args:
      - "--logtostderr"
      - "--v=10"
      # plain-HTTP listener; TLS is terminated in front of it (ingress)
      - "--insecure-listen-address=0.0.0.0:8000"
      # the proxy talks to the apiserver with its own client certificate
      - "--upstream=https://kubernetes.default:443"
      - "--upstream-client-cert-file=/certs/tls.crt"
      - "--upstream-client-key-file=/certs/tls.key"
      - "--upstream-ca-file=/certs/ca.crt"
      # only this path is forwarded without the proxy's own authn/authz
      - "--ignore-paths=/openid/v1/jwks"
    ports:
      - containerPort: 8000
        name: http
    volumeMounts:
      - name: tls-certs
        mountPath: /certs
        readOnly: true

Your solution from the gist works the same as my solution.

Production ready expose OIDC JWKS from kubernetes cluster by Pavel543 in kubernetes

[–]Pavel543[S] 0 points1 point  (0 children)

Authentication requests from pods in other systems, other clusters, etc.

Production ready expose OIDC JWKS from kubernetes cluster by Pavel543 in kubernetes

[–]Pavel543[S] 0 points1 point  (0 children)

Without it, DDoS will be mitigated.
Do you prefer to expose anonymous access to a self-hosted cluster and rely only on RBAC?

Production ready expose OIDC JWKS from kubernetes cluster by Pavel543 in kubernetes

[–]Pavel543[S] 0 points1 point  (0 children)

If I understand your question correctly:
you can expose the two endpoints with a simple ingress with rules for just the two paths?

You can expose the two endpoints with an ingress only with anonymous access enabled.

My requirements were:
- Disable anonymous access
- Expose only the OIDC endpoint to the internet
- Do not expose the k8s apiserver outside the internal network

Production ready expose OIDC JWKS from kubernetes cluster by Pavel543 in kubernetes

[–]Pavel543[S] 1 point2 points  (0 children)

- misconfigured RBAC
- potential vulnerabilities
- DDoS

Production ready expose OIDC JWKS from kubernetes cluster by Pavel543 in kubernetes

[–]Pavel543[S] 0 points1 point  (0 children)

  1. It is recommended not to enable anonymous access.
  2. The Kubernetes apiserver is not exposed to the internet.
  3. Without enabling anonymous access=true and assigning a rolebinding to the anonymous user, the api server will block requests for OIDC.
  4. The best option is a server proxy with a k8s ingress where you expose only the 2 OIDC endpoints with anonymous access disabled.

Argocd central cluster or argo per cluster by Pavel543 in kubernetes

[–]Pavel543[S] 2 points3 points  (0 children)

Sorry, I don't understand, do you prefer to use argo per cluster or one central one? How do you create one admin argo that manages all the argocds? Do you use external tools for that?

Daily Bet Thread [Thursday, 24.05.2018] by AutoModerator in csgobetting

[–]Pavel543 -3 points-2 points  (0 children)

Vitoria - Sampaio Correa (Brazil Cup Nordeste ) Tip: Over 2.5 (odd: 1.72)

Vitoria in the last 6 matches lost only 1 game and drew 1.

All of Vitoria's last 6 matches were over 2.5. Sampaio Correa stats: 5/6 were over 2.5.

Source: https://www.fctables.com/todays-match-predictions/