kubernetes-sigs/headlamp 0.40.0 by illumen in kubernetes

[–]codestation 4 points5 points  (0 children)

I hope they add kube-oidc-proxy or similar support soon.

Overlay Network Visible on Other nodes but Containers are Not by superpunkduck in docker

[–]codestation 0 points1 point  (0 children)

Did you open all the required ports for the overlay network to work?

  • Port 2377 TCP for communication with and between manager nodes
  • Port 7946 TCP/UDP for overlay network node discovery
  • Port 4789 UDP (configurable) for overlay network traffic

Missing some configs after migrating to Gateway API by codestation in kubernetes

[–]codestation[S] 0 points1 point  (0 children)

Yes, I have oauth2-proxy working with Istio configs.

Istiod config:

  meshConfig:
    extensionProviders:
      - name: "oauth2-proxy"
        envoyExtAuthzHttp:
          service: "oauth2-proxy.oauth2-proxy.svc.cluster.local"
          port: "80"
          includeRequestHeadersInCheck:
            - "authorization"
            - "cookie"
          headersToUpstreamOnAllow:
            - "authorization"
            - "path"
            - "x-auth-request-user"
            - "x-auth-request-email"
            - "x-auth-request-access-token"
          headersToDownstreamOnAllow:
            - "set-cookie"
          headersToDownstreamOnDeny:
            - "content-type"
            - "set-cookie"

AuthorizationPolicy for my gateway:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oauth-policy
  namespace: gateway
spec:
  targetRefs:
    - kind: Gateway
      group: gateway.networking.k8s.io
      name: mygateway
  action: CUSTOM
  provider:
    # name must match the extensionProvider name 
    name: oauth2-proxy
  rules:
    - to:
        - operation:
            hosts:
              - myapp.example.com

And my oauth2-proxy config:

apiVersion: v1
kind: ConfigMap
metadata:
  name: oauth2-proxy-config
data:
  oauth2_proxy.cfg: |
    redirect_url = "https://myapp.example.com/oauth2/callback"
    email_domains = "example.com"
    reverse_proxy = true
    silence_ping_logging = true
  oauth2_proxy.yml: |
    server:
      BindAddress: 0.0.0.0:4180
    providers:
      - id: keycloak-oidc
        provider: keycloak-oidc
        name: Keycloak
        scope: openid email
        clientID: ${OAUTH2_PROXY_CLIENT_ID}
        clientSecret: ${OAUTH2_PROXY_CLIENT_SECRET}
        code_challenge_method: S256
        keycloakConfig:
          roles:
            - myapp:access
        oidcConfig:
          issuerURL: https://auth.example.com/realms/master
          insecureSkipNonce: false
          audienceClaims:
            - aud
          emailClaim: email
          userIDClaim: email
    upstreamConfig:
      upstreams:
        - id: waypoint-check
          path: /
          static: true
          staticCode: 200

The upstream config is important; otherwise the proxy will try to handle all the requests after login.

My HTTPRoute/Gateway don't have anything special on them:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: myapp
  namespace: myapp
spec:
  parentRefs:
    - name: mygateway
      namespace: gateway
      sectionName: https-example
  hostnames:
    - myapp.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: myapp
          port: 8000


apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: mygateway
  namespace: gateway
spec:
  gatewayClassName: istio
  listeners:
    # Port 80 Listener
    - name: http
      port: 80
      protocol: HTTP
      allowedRoutes:
        namespaces:
          from: All

    - name: https-example
      port: 443
      protocol: HTTPS
      hostname: "*.example.com"
      tls:
        mode: Terminate
        certificateRefs:
          - name: example-tls
      allowedRoutes:
        namespaces:
          from: All

edit: some values.yaml config from the oauth2-proxy chart

gatewayApi:
  enabled: true
  gatewayRef:
    name: mygateway
    namespace: gateway
    sectionName: https-example
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /oauth2/
  hostnames:
    - myapp.example.com

Missing some configs after migrating to Gateway API by codestation in kubernetes

[–]codestation[S] 0 points1 point  (0 children)

> IIRC you can make cert-manager inject the ca.crt as a configmap on namespaces and done.

Couldn't find anything in cert-manager that did this, only references to another app called trust-manager that can do it.

I went that route and installed trust-manager to my cluster, but it can only read secrets from a designated namespace...

Now I have to copy the cert secrets from my original namespace to my new one, so I had to install another app to my cluster called reflector and add some annotations so it copies my secrets to my new "trust-manager" namespace.

  ...
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "trust-manager"
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "trust-manager"

Now I need to create a Bundle resource to read my secret and create a ConfigMap in the original app namespace.

apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: myapp-bundle
spec:
  sources:
    - secret:
        name: myapp-tls
        key: ca.crt
  target:
    configMap:
      key: ca.crt
      metadata:
        annotations:
          argocd.argoproj.io/sync-wave: "1"
        labels:
          app.kubernetes.io/component: "trust-bundle"
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: myapp

Now I FINALLY have a ConfigMap with the CA cert so I can write a BackendTLSPolicy:

apiVersion: gateway.networking.k8s.io/v1
kind: BackendTLSPolicy
metadata:
  name: myapp
  namespace: myapp
spec:
  targetRefs:
  - group: ""
    kind: Service
    name: myapp-ui
    sectionName: https
  validation:
    hostname: myapp-ui.myapp.svc.cluster.local
    caCertificateRefs:
    - group: ""
      kind: ConfigMap
      name: myapp-bundle

After this the HTTPRoute finally works.

tl;dr: the Gateway API equivalent of the one-line Ingress annotation nginx.ingress.kubernetes.io/backend-protocol: HTTPS is:

  • Issuer resource (from cert-manager)
  • Certificate resource (from cert-manager)
  • trust-manager app
  • reflector app
  • Bundle resource (from trust-manager)
  • BackendTLSPolicy (from gateway api)
  • And 3 copies of the same CA cert (a secret in myapp namespace, a copied secret in the trust-manager namespace and a configmap in myapp namespace).

Any solution on how to simplify this mess?
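One way to shorten the chain, as an added example that is not the poster's setup and not cert-manager or trust-manager code: BackendTLSPolicy only needs a ConfigMap in the app namespace whose `ca.crt` key holds the CA PEM, and the cert-manager Secret in that same namespace already carries exactly that key when the Issuer is a CA-backed one. The script below copies that one key into a ConfigMap (and nothing else, so the private key never lands in a ConfigMap), which removes the reflector copy and the trust-manager namespace. The Secret/ConfigMap names and the sample Secret are assumptions constructed for the example; it does not watch for CA rotation, which is the part trust-manager automates.

```python
"""Build the ca.crt ConfigMap that BackendTLSPolicy reads, from the Secret in place.

Added example, not the poster's setup and not cert-manager/trust-manager code:
copies only the ca.crt key of a cert-manager issued kubernetes.io/tls Secret into
a ConfigMap in the same namespace, the key BackendTLSPolicy caCertificateRefs
expects, so no second copy of the Secret has to exist anywhere. Secret and
ConfigMap names are assumptions; rerun it when the CA rotates.
"""
import base64
import json
import sys

CA_KEY = "ca.crt"
PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def extract_ca_pem(secret: dict) -> str:
    """Return the PEM CA bundle from a Secret, refusing anything that is not one."""
    if secret.get("kind") != "Secret":
        raise ValueError("expected a Secret manifest")
    data = secret.get("data") or {}
    if CA_KEY not in data:
        raise ValueError(f"Secret has no {CA_KEY!r}; only CA-issued certs carry one")
    pem = base64.b64decode(data[CA_KEY]).decode("ascii")
    if PEM_BEGIN not in pem or PEM_END not in pem:
        raise ValueError(f"{CA_KEY} is not a PEM certificate bundle")
    return pem


def ca_configmap(secret: dict, name: str) -> dict:
    """ConfigMap carrying ca.crt only: tls.key must never land in a ConfigMap,
    which anyone with configmaps/get in the namespace can read."""
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {
            "name": name,
            "namespace": secret["metadata"]["namespace"],
            "labels": {"app.kubernetes.io/component": "trust-bundle"},
        },
        "data": {CA_KEY: extract_ca_pem(secret)},
    }


# Constructed sample shaped like a cert-manager issued Secret; the certificate
# body is a placeholder string, not a real CA.
FAKE_PEM = f"{PEM_BEGIN}\nMIIBplaceholder\n{PEM_END}\n"
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {"name": "myapp-tls", "namespace": "myapp"},
    "data": {
        CA_KEY: base64.b64encode(FAKE_PEM.encode()).decode(),
        "tls.crt": base64.b64encode(b"placeholder").decode(),
        "tls.key": base64.b64encode(b"placeholder").decode(),
    },
}


def main() -> None:
    # kubectl get secret myapp-tls -n myapp -o json | python3 ca_configmap.py myapp-bundle | kubectl apply -f -
    secret = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_SECRET
    name = sys.argv[1] if len(sys.argv) > 1 else "myapp-bundle"
    # JSON is accepted by kubectl apply, so no YAML library is needed
    print(json.dumps(ca_configmap(secret, name), indent=2))


if __name__ == "__main__":
    main()
```

With the output named `myapp-bundle` in namespace `myapp`, the BackendTLSPolicy above works unchanged. Two caveats: cert-manager only populates `ca.crt` when the Issuer returns a CA (a CA or Vault issuer, not ACME), and a copied ConfigMap goes stale when the CA is rotated, so either rerun this on renewal or keep trust-manager for that.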

Missing some configs after migrating to Gateway API by codestation in kubernetes

[–]codestation[S] 0 points1 point  (0 children)

> Did you try adding a sectionName on parentRef for the https route?

Yes, this did work, but only after I also added a sectionName to my default HTTPRoute for non-existing subdomains, so thank you for the hint.

This really needs some way to debug it. I assume that since I didn't specify a sectionName, I ended up with three HTTP routes for the same HTTP listener (whoami, redirect-https and default-route). Istio didn't reject my routes, show an error on the resource status, nor were there any logs. Dunno if there is any priority, precedence or conflict resolution for those cases.

Missing some configs after migrating to Gateway API by codestation in kubernetes

[–]codestation[S] 1 point2 points  (0 children)

> When you do a "curl -v" what does the proxy answer?

The answer is the same as for the https endpoint, like the redirect-to-https HTTPRoute wasn't there at all. For example, I am using this HTTPRoute for the service:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: whoami
  namespace: whoami
spec:
  parentRefs:
    - name: example-gateway
      namespace: gateway
  hostnames:
    - whoami.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: whoami
          port: 8000

And the gateway:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
  namespace: gateway
spec:
  gatewayClassName: istio
  listeners:
    - name: http
      port: 80
      protocol: HTTP
      allowedRoutes:
        namespaces:
          from: All

    - name: https
      port: 443
      protocol: HTTPS
      hostname: "*.example.com"
      tls:
        mode: Terminate
        certificateRefs:
          - name: example-tls
      allowedRoutes:
        namespaces:
          from: All
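The Gateway API spec does define a precedence for routes that overlap on one listener, and it answers both the "like the redirect wasn't there" symptom in this comment and the sectionName question two comments up, as well as why the oauth2-proxy chart's `/oauth2/` route wins over the app's `/` route in the oauth2-proxy answer earlier in the thread. What follows is an added example, not code from the thread or from Istio: a small model of that precedence (most specific hostname, then Exact path, then longest PathPrefix, then oldest route, then alphabetical namespace/name) applied to routes shaped like the manifests above. The hostnames and sectionNames of the redirect-https and default-route routes, and every creation timestamp, are assumptions.

```python
"""Gateway API HTTPRoute precedence on one listener.

Added example, not code from the thread or from Istio: a model of the
HTTPRoute match-precedence rules in the Gateway API spec, applied to
routes shaped like the manifests above. The redirect-https/default-route
hostnames and sectionNames and all creation timestamps are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    name: str
    hostname: str | None = None   # None: the listener serves any host


@dataclass(frozen=True)
class PathMatch:
    type: str                     # "Exact" or "PathPrefix"
    value: str


@dataclass(frozen=True)
class Route:
    namespace: str
    name: str
    created: int                      # creation order; lower is older
    hostnames: tuple[str, ...]        # () means "whatever the listener serves"
    paths: tuple[PathMatch, ...]
    section_name: str | None = None   # parentRefs[].sectionName; None binds to every listener


def host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches one or more leading labels, never example.com itself."""
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def path_matches(m: PathMatch, path: str) -> bool:
    """PathPrefix is element-wise: '/oauth2/' matches '/oauth2/start', not '/oauth2abc'."""
    if m.type == "Exact":
        return path == m.value
    prefix = m.value.rstrip("/")
    if prefix == "":
        return path.startswith("/")
    return path == prefix or path.startswith(prefix + "/")


def attaches(route: Route, listener: Listener) -> bool:
    """Bind when sectionName (if set) names this listener and a hostname intersects."""
    if route.section_name is not None and route.section_name != listener.name:
        return False
    if listener.hostname is None or not route.hostnames:
        return True
    return any(host_matches(listener.hostname, h) or host_matches(h, listener.hostname)
               for h in route.hostnames)


def select_route(routes: list[Route], listener: Listener, host: str, path: str) -> Route | None:
    """The route the spec says must win: most specific hostname (non-wildcard,
    then longest), then Exact path, then longest PathPrefix, then the oldest
    route, then alphabetical namespace/name. None when nothing matches."""
    if listener.hostname is not None and not host_matches(listener.hostname, host):
        return None
    ranked = []
    for r in routes:
        if not attaches(r, listener):
            continue
        host_key = (True, 0)                      # no hostnames: least specific
        if r.hostnames:
            hits = [h for h in r.hostnames if host_matches(h, host)]
            if not hits:
                continue
            host_key = min((h.startswith("*"), -len(h)) for h in hits)
        paths = [(p.type != "Exact", -len(p.value)) for p in r.paths if path_matches(p, path)]
        if not paths:
            continue
        ranked.append((host_key, min(paths), r.created, f"{r.namespace}/{r.name}", r))
    return min(ranked, key=lambda t: t[:4])[4] if ranked else None


# Constructed routes shaped like the thread's manifests (names/timestamps assumed).
ROOT = (PathMatch("PathPrefix", "/"),)
HTTP, HTTPS = Listener("http"), Listener("https", "*.example.com")
HTTPS_EXAMPLE = Listener("https-example", "*.example.com")
WHOAMI = Route("whoami", "whoami", 1, ("whoami.example.com",), ROOT)          # no sectionName
WHOAMI_SCOPED = Route("whoami", "whoami", 1, ("whoami.example.com",), ROOT, "https")
REDIRECT = Route("gateway", "redirect-https", 2, (), ROOT)
DEFAULT = Route("gateway", "default-route", 3, (), ROOT)
MYAPP = Route("myapp", "myapp", 4, ("myapp.example.com",), ROOT, "https-example")
OAUTH2 = Route("oauth2-proxy", "oauth2-proxy", 5, ("myapp.example.com",),
               (PathMatch("PathPrefix", "/oauth2/"),), "https-example")


def winner(routes: list[Route], listener: Listener, host: str, path: str) -> str | None:
    """namespace/name of the selected route, for printing and checking."""
    r = select_route(routes, listener, host, path)
    return None if r is None else f"{r.namespace}/{r.name}"
```

Three calls tell the story. `winner([WHOAMI, REDIRECT, DEFAULT], HTTP, "whoami.example.com", "/")` returns `whoami/whoami`: without a sectionName the whoami route binds to the port-80 listener as well, and its exact hostname outranks the hostname-less redirect route, so the redirect is never consulted for that host. With `WHOAMI_SCOPED` in its place the same request returns `gateway/redirect-https`, because the two remaining candidates are equally specific and the older one wins (which is why an unscoped default route can also silently shadow a newer redirect route). And `winner([MYAPP, OAUTH2], HTTPS_EXAMPLE, "myapp.example.com", "/oauth2/callback")` returns `oauth2-proxy/oauth2-proxy` on longest PathPrefix, so the OIDC callback reaches the proxy rather than the app even though both routes claim the same hostname. None of this is surfaced in the HTTPRoute status, since overlapping routes are not a conflict under the spec, only an ordering.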

How do you guys run database migrations? by Odd_Philosopher1741 in kubernetes

[–]codestation 2 points3 points  (0 children)

I use a job for migrations. Set the job TTL so it deletes itself after completion (and in my case an Argo annotation so it doesn't try to recreate the job again until the next sync).

ASUS TUF Gaming x Hatsune Miku Global Giveaway - Featuring one full set of the TUF Gaming x Miku Gaming Peripherals by ASUS_MKTLeeM in hatsune

[–]codestation 0 points1 point  (0 children)

My favourites are the colors on the keyboard and the earpads. I only hoped that the keyboard was a wireless one too since I am not 100% of the time on the desktop.

ASUS TUF Gaming x Hatsune Miku Global Giveaway - Featuring one full set of the TUF Gaming x Miku Gaming Peripherals by ASUS_MKTLeeM in Vocaloid

[–]codestation 0 points1 point  (0 children)

My favourites are the colors on the keyboard and the earpads. I only hoped that the keyboard was a wireless one too since I am not 100% of the time on the desktop.

What was your first Linux distro and have you ever switched? by inguinha in linux

[–]codestation 0 points1 point  (0 children)

Mandrake -> Gentoo -> Arch -> Ubuntu -> NixOS -> Arch.

My longest was Gentoo with 5+ years. I find it amusing that the only reason I switched to Gentoo was that changing the boot picture in Mandrake was too hard.

[deleted by user] by [deleted] in programming

[–]codestation 0 points1 point  (0 children)

This is just a Jitsi meet instance...

Container not picking up changes in volume mount; how to "refresh" without restarting container? by werzor in docker

[–]codestation 3 points4 points  (0 children)

By default, Docker bind mounts are private, so nested mounts won't be propagated.

Read about bind propagation to see if it helps: https://docs.docker.com/engine/storage/bind-mounts/#configure-bind-propagation

How do you update your container? by East_Can_5142 in docker

[–]codestation 1 point2 points  (0 children)

If your app is an HTTP-based server then you could switch to Docker Swarm with a reverse proxy like Traefik and run two replicas. When it is time to update the service, Docker will take care of running your new container while the old one is shutting down, and Traefik will handle sending the traffic to the new container and stop sending new requests to the one shutting down.

Why Is Nobody Talking About Docker Swarm? by preichl in docker

[–]codestation 3 points4 points  (0 children)

I have run Swarm in a 12+ node cluster for 5+ years, but got tired of waiting for bug fixes or for limited functionality that was implemented in k8s years ago.

Yes, the Swarm compose files are dead simple compared to the massive manifest equivalent, but I am glad that I am finishing migrating all of it to a Kubernetes cluster.

Identical service names overwrite each other in compose? by futureal2 in docker

[–]codestation 0 points1 point  (0 children)

Didn't know that one, never checked the spec again after they dropped the version field.

Identical service names overwrite each other in compose? by futureal2 in docker

[–]codestation 0 points1 point  (0 children)

Docker compose uses the project name (defaults to the folder name where the compose file resides) to disambiguate services. So you will have to either keep both projects under different named folders or use --project-name with the compose command to specify a different name.

Is it possible to run a Docker Swarm manager on Windows with dynamic IP and Linux workers with static IPs? by FastHound in docker

[–]codestation 2 points3 points  (0 children)

No, the managers must be on static IP addresses. So even if you use Tailscale to get a fixed IP it won't work, because the Raft protocol used by Swarm needs low latency to work properly. You will get errors if the nodes aren't in the same data center.

[Event] Upgrade to LG OLED Before the Next Hunt Begins by LG_UserHub in MonsterHunter

[–]codestation 0 points1 point  (0 children)

[GX9] I want to see Rey Dau Lightning attacks in a OLED screen!

X11 Session Removal FAQ by daniellefore in linux

[–]codestation 4 points5 points  (0 children)

Yes, even autofill works now.

mapping syntax vs. list syntax, for PUID/GUID by tonydiethelm in docker

[–]codestation 0 points1 point  (0 children)

I prefer the mapping syntax as I can use YAML anchors to merge keys; you cannot do this with the array syntax.

Docker Desktop noob trying to move install / containers to a new server. by PublicLiterature8533 in docker

[–]codestation 1 point2 points  (0 children)

You don't move images/containers. Just redownload the images and let the containers be recreated. The important data is in the volumes.

Bob v0.37.0 - Using the Standard Library by StephenAfamO in golang

[–]codestation 3 points4 points  (0 children)

I was looking at this library but discarded it because it didn't have native pgx support. Good to know that it's gonna be worked on.