Posts on Gerard Samuel

Securing Cilium's Gateway Api with cert-manager

Thu, 06 Feb 2025 11:17:51 -0500

In my Hashicorp Nomad cluster, I am using Traefik to proxy external connections to the running containers, and Traefik also terminates TLS connections. While it is perfectly okay to duplicate this role in Kubernetes, I decided to go another route and leverage Gateway API as the reverse proxy. To build upon my existing work with Gateway API, let me set up an HTTP/HTTPS proxy with redirection using Gateway API and secure it with cert-manager and a few friends.

Kubernetes BGP Connectivity with a UniFi router

Tue, 21 Jan 2025 18:24:57 -0500

In my previous article on building a Kubernetes cluster with Talos Linux, I used a Kubernetes Service of type NodePort to expose a workload to my homelab network. However, exposing workloads using NodePorts is not efficient or standard practice. In this article, I will document how I configured Cilium’s Gateway API as a basic reverse proxy and BGP Control Plane to inject routing paths into the routing table of a UniFi router for the reverse proxy IP address.

Getting started with Talos Linux on Proxmox

Fri, 27 Dec 2024 12:35:34 -0500

So far in my container journey, I have used stand-alone hosts with Podman and Hashicorp Nomad (again backed by Podman) for container orchestration. While these endeavors worked, they were not the most popular option for managing a containerized workload cluster. Enter Kubernetes. Some months ago, I successfully deployed RKE2 with Rancher, but the solution was not stable. For example, during host reboots, Pods may not come back in a healthy state. Recently, I learned about Talos Linux and decided to try it. This article documents my effort to set up a Talos cluster in Proxmox virtual machines.

Google Cloud Workload Identities with GitLab

Mon, 25 Nov 2024 13:20:59 -0500

Using JSON keys to authenticate with Google Cloud is highly frowned upon. Unless you have no other option, Google Cloud provides a more secure means of authenticating externally executed code. My use case is for authentication in GitLab pipelines so that I can automate tasks. Think Terraform jobs or updating the files for a website stored in a Google Cloud storage bucket. I will use Google Cloud’s Workload Identity Federation solution and the OIDC (Open ID Connect) protocol in this solution.

How to setup a self-managed Podman Gitlab Runner

Mon, 18 Nov 2024 20:24:17 -0500

I want to get my hands dirty with CI/CD. After looking around at cloud-hosted options such as Google Cloud Build and Azure DevOps/Pipelines, I decided to keep this process local by leveraging self-managed GitLab CI/CD pipelines. To run a GitLab pipeline, you need only a special configuration file, .gitlab-ci.yml, at the root of your GitLab project/repository and at least one or more compute resources to execute jobs. In this article, I will discuss how I set up a GitLab runner using Podman.

Google Cloud federation with Microsoft Entra ID - Part 2

Sat, 14 Sep 2024 13:23:00 -0500

In my previous article on Google Cloud federation and account provisioning with Microsoft Entra ID, I showed how to get started to configure it. This article constitutes the second part, utilizing SAML authentication to complete the solution. Once you complete the steps here, you will have a secure means of logging into Google Cloud with your Entra ID account.

Google Cloud federation with Microsoft Entra ID - Part 1

Sat, 07 Sep 2024 10:52:59 -0500

I wanted to use a single account to log into my Azure and Google Cloud environments and automatically provision “source of truth” accounts from Entra ID to Google Cloud Identity. This article will explain how I configured account provisioning of the identity federation solution between Microsoft Entra ID and Google Cloud Identity.

How to Setup a Proxmox Cluster

Fri, 02 Aug 2024 17:31:04 -0400

I needed a means of spinning up virtual machines to try out solutions such as Kubernetes or GitLab runners, etc, on a long-term basis. I did not want to incur the cost of running operating systems on Cloud Infrastructure. ESXi was definitely not happening, as Broadcom had muddied the waters at the time. At first, I tried Proxmox, and then I tried Suse Harvester. I contemplated XCP-ng. After weighing what I needed, I settled back to Proxmox VE.

How to Setup Hashicorp Consul

Sun, 28 Jul 2024 11:22:54 -0500

So what exactly is Hashicorp Consul? Here is what the Hashicorp has to say:

HashiCorp Consul is a service networking solution that enables teams to manage secure network connectivity between services and across on-prem and multi-cloud environments and runtimes. Consul offers service discovery, service mesh, traffic management, and automated updates to network infrastructure devices.

For the time being, I am targeting Consul’s service discovery features. In this article, I will show you how I went about this.

Configuring Hashicorp Vault

Sun, 21 Jul 2024 21:32:35 -0400

We have all been there. That newly installed application required confidential material to function. Where should that material be securely stored? Or, you just took over ownership of a system where the database credentials are stored in plain text! We all know (or should know) that protecting secrets is important. Just about anyone, intentional or not, could be a threat actor. Our trust and integrity depend on securing our secrets.

Getting Started With Smallstep

Sun, 14 Jul 2024 14:20:35 -0400

I needed to host an internal PKI (Private Key Infrastructure) to test a secrets management solution. Microsoft Windows PKI requires a complete Active Directory setup, which is overkill for what I needed. Plus, I wanted something open-source. Smallstep’s step-ca is open source and is a well-featured private key solution. This post will explain how I set it up using a Nitrokey HSM on a Raspberry Pi 4.

Google Document AI: Bulk Import and Results

Mon, 20 Nov 2023 15:51:08 -0400

Continuing from my last post on Document AI, I am going to show what the bulk import experience is like and a peek at the extracted data.

Google Document AI: How to Get Started

Wed, 18 Oct 2023 15:16:01 -0400

Document AI is a Google Cloud solution that imports structured data from unstructured or semi structured documents. The output can then be treated as first class data citizens for analysis with your other data sources to gain deeper insight from your “dark” document data. In this first post on Document AI, I will go over the initial steps to get started.