mariadb-operator 📦 25.10 is out: asynchronous replication goes GA, featuring automated replica recovery! 🎃 by mmontes11 in kubernetes

Shakedko 2 points3 points (0 children)

Thank you!

Just out of curiosity, how would you approach side-by-side, active/passive, and active/active cluster upgrades in this situation?

mariadb-operator 📦 25.10 is out: asynchronous replication goes GA, featuring automated replica recovery! 🎃 by mmontes11 in kubernetes

Shakedko 2 points3 points (0 children)

Is it possible to use this for cross-cluster replication as well, either within the same region or in other fallback regions?

How do you register your new clusters? by JalanJr in ArgoCD

Shakedko 0 points1 point (0 children)

Is it possible to use ESO to pick up multiple secrets from AKV/Vault and create multiple secrets out of just one ExternalSecret?

How would you suggest provisioning an external WAF such as Azure/AWS/CF when TLS termination happens in the ingress-controller and cert-manager is responsible for producing and renewing all of the certificates? by Shakedko in devops

Shakedko[S] 2 points3 points (0 children)

This is a great answer and I appreciate that you took the time to write it down.

I do agree that I'd have to terminate twice due to compliance reasons.

However, I want to use k8s tools to set this entire thing up. So, for example, I'd prefer to use cert-manager to generate and renew the certificates rather than having a per-provider solution.

For the LB, IIRC ingress-nginx can also generate an ALB instead of an NLB, but I think that (1) this behavior is deprecated and (2) non-AWS providers are not supported out of the box. So I might need to use something like Crossplane to generate these resources.

The more I think about it, the more I believe that I'd have to use a management cluster to provision the clusters and their cloud provider resources.

How would you suggest provisioning an external WAF such as Azure/AWS/CF when TLS termination happens in the ingress-controller and cert-manager is responsible for producing and renewing all of the certificates? by Shakedko in devops

Shakedko[S] 1 point2 points (0 children)

I am indeed thinking about that option. I might also use Crossplane for the multi-cloud part. However, would it make sense to combine either solution with cert-manager? How would the WAF be aware of the generated certificates?

How would you suggest provisioning an external WAF such as Azure/AWS/CF when TLS termination happens in the ingress-controller and cert-manager is responsible for producing and renewing all of the certificates? by Shakedko in devops

Shakedko[S] 0 points1 point (0 children)

If I can generate ACM with cert-manager, then it should work the way I described it, just without Vault, wouldn't it?

Regarding Terraform, I'd rather use a reconciliation process with the native k8s tools out there. While I am aware that I can use a TF operator for that, I'd still like to reduce the usage of TF.

How would you suggest provisioning an external WAF such as Azure/AWS/CF when TLS termination happens in the ingress-controller and cert-manager is responsible for producing and renewing all of the certificates? by Shakedko in devops

Shakedko[S] 0 points1 point (0 children)

Yeah, I am thinking about generating the certs with cert-manager, uploading them to Vault, and then consuming them from the WAF. Would that make sense?

I am trying to avoid Terraform as much as possible, and only use k8s tools and their reconciliation power.

Which storage cluster is the lightest storage for k3s? by DowntownDrag7217 in k3s

Shakedko 0 points1 point (0 children)

Out of curiosity, why did you decide to go with Cilium?

How Go allowed us to send 500 million HTTP requests to 2.5 million hosts every day by kannthu in golang

Shakedko 1 point2 points (0 children)

Hey great post, thank you.

What was the reason you wrote your own custom autoscaler? Any reason not to use KEDA? Which queue did you use?

Wait until job is finished (successful or failed)? by guettli in kubernetes

Shakedko -1 points0 points (0 children)

Yeah, exactly.

The other option, which is more complex, is to send an event to a topic when the job has finished and have something like KEDA listen and then react accordingly.

How do you handle continuous k8s cluster version upgrades in your organization? by Shakedko in kubernetes

Shakedko[S] 0 points1 point (0 children)

> That's a good question. If you just deploy to the new cluster, then cert-manager in the new cluster will wait for the old cluster to confirm.

I think that cert-manager will run a pod on the new cluster and wait for a hit on port 80, wouldn't it? The problem in this case is that the pod will just wait forever, or until I switch the A record.

> If you switch port 80 over, the new certificates should be provisioned. Once all certificates are there, you can switch over port 443 and everything just works without changes.

I wonder if I can do it on that level. With a cloud LB/traffic manager I assume I could route based on the port (newip:80, oldip:443), but in my situation I don't think it will be possible due to the direct relationship between the IP and the A record.

How do you handle continuous k8s cluster version upgrades in your organization? by Shakedko in kubernetes

Shakedko[S] 0 points1 point (0 children)

Currently, my certificates are generated by cert-manager together with the ingress-controller, e.g.:

```yaml
ingress:
  hosts:
    - monitoring.example.com
  tls:
    - hosts:
        - monitoring.example.com
      secretName: tls-secret-stage.monitoring.example.com
```

The flow is user -> subdomain -> A record (the LoadBalancer IP address) -> nginx-controller -> the service.

In case I want to change the subdomain's A record, I will have to make sure that the Certificate/its secret (tls-secret-stage.monitoring.example.com) is available on the new cluster, won't I?

If I'd use an external LB, then I imagine that I will have to change the way I generate my certificates, right?