Cilium Overlay, Small Subnets, and Azure Capacity vs Quota (Part 3 of 3)

Part 3 of a series on sizing a private AKS cluster: Part 1 — node pools and VM SKUs · Part 2 — ephemeral OS and a sizing table

Parts 1 and 2 fixed three node pools, Ddsv5-class SKUs, and ephemeral OS sizes. I still had to answer: can a /26 subnet survive cluster autoscaler max on all pools, and what happens when Azure runs out of Intel VMs in a region?

Networking choice: Azure CNI + Cilium + overlay

I went with Azure CNI powered by Cilium in overlay mode: ...
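The "/26 at autoscaler max" question is an IP-budget check, and the answer depends on the CNI mode. The following is an added example, not code from the post: it computes the worst-case VNet IP demand for a set of node pools and compares it with what Azure will actually hand out. Two facts it relies on are Azure's, not assumptions: every VNet subnet loses five addresses to Azure (network, three reserved, broadcast), and in Azure CNI overlay mode pods draw from a separate overlay CIDR so only nodes consume subnet IPs, whereas node-subnet Azure CNI pre-allocates max-pods IPs per node from the subnet. The pool names, max counts, surge sizes and max-pods values are hypothetical and are not the post's sizing numbers.

```python
import ipaddress
from dataclasses import dataclass

# Azure reserves five addresses in every VNet subnet: the network address,
# the first three usable addresses, and the broadcast address. Nodes and
# pods never receive these.
AZURE_RESERVED_PER_SUBNET = 5


@dataclass(frozen=True)
class NodePool:
    name: str
    max_count: int       # cluster autoscaler upper bound for the pool
    max_surge: int = 1   # extra nodes AKS creates during an upgrade (assumed 1)
    max_pods: int = 30   # only matters for node-subnet Azure CNI (assumed 30)


def usable_node_ips(subnet_cidr: str) -> int:
    """Addresses in the subnet that Azure will actually allocate."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def peak_vnet_ip_demand(pools, overlay: bool, other_ips: int = 0) -> int:
    """Worst-case VNet IPs in use: every pool at max_count while an upgrade
    surge is running in each pool.

    overlay=True  -> one VNet IP per node (pods use the overlay pod CIDR)
    overlay=False -> one VNet IP per node plus max_pods pre-allocated pod IPs
    other_ips     -> anything else placed in the subnet, e.g. internal load
                     balancer frontends (hypothetical count supplied by caller)
    """
    total = other_ips
    for pool in pools:
        nodes_at_peak = pool.max_count + pool.max_surge
        ips_per_node = 1 if overlay else 1 + pool.max_pods
        total += nodes_at_peak * ips_per_node
    return total


def subnet_fits(subnet_cidr: str, pools, overlay: bool, other_ips: int = 0) -> bool:
    """True if the subnet can absorb autoscaler max on all pools plus surge."""
    return usable_node_ips(subnet_cidr) >= peak_vnet_ip_demand(pools, overlay, other_ips)


# Hypothetical three-pool layout; these are illustrative values only.
POOLS = [
    NodePool("system", max_count=3),
    NodePool("platform", max_count=6),
    NodePool("apps", max_count=20),
]

if __name__ == "__main__":
    for cidr in ("10.10.0.0/26", "10.10.0.0/22"):
        for overlay in (True, False):
            mode = "overlay" if overlay else "node-subnet"
            print(f"{cidr} {mode:11s} usable={usable_node_ips(cidr):4d} "
                  f"peak={peak_vnet_ip_demand(POOLS, overlay):4d} "
                  f"fits={subnet_fits(cidr, POOLS, overlay)}")
```

With these assumed pool sizes a /26 (59 usable addresses) comfortably holds 32 overlay nodes at peak, but the same pools in node-subnet mode would need nearly a thousand addresses, which is the practical reason overlay mode pairs with small subnets. Re-run the check whenever a pool's max count, surge setting or max-pods changes.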

June 5, 2026

Ephemeral OS and a Concrete AKS Sizing Table (Part 2 of 3)

Part 2 of a series on sizing a private AKS cluster: Part 1 — node pools and VM SKUs · Part 3 — Cilium overlay, IP math, and capacity In Part 1 I split the cluster into system, platform, and apps pools and picked D-family SKUs with a d for local temp disk. This post is the disk strategy, the full sizing table, and the Intel vs AMD vs v6 decisions that fed it. ...

June 5, 2026

How I Split AKS Node Pools and Picked VM SKUs (Part 1 of 3)

Part 1 of a series on sizing a private AKS cluster: Part 2 — ephemeral OS and a sizing table · Part 3 — Cilium overlay, IP math, and capacity I needed to size a private AKS cluster from scratch: not just “how many nodes,” but which node pools, which Azure VM family, and which exact SKU for system components, platform charts, and application workloads. This post is what I settled on for pool topology and VM family/SKU naming. Parts 2 and 3 cover ephemeral OS disks and networking/capacity. ...

June 5, 2026

When cert-manager Renews Your CA, Nothing Else Notices

cert-manager is excellent at keeping TLS certificates fresh—until you build a small internal PKI on top of it. Then a quiet renewal of your root CA can take down webhooks, operators, and anything that still trusts an old ca.crt bundled next to a perfectly valid leaf certificate. I ran into this class of failure around External Secrets Operator and its validating webhook. The symptom was familiar: CrashLoopBackOff, logs stuck on certificate validation, cluster-wide inability to create ExternalSecret resources. The root cause was stranger: the CA had been renewed, but downstream secrets had not. ...

May 30, 2026

Why You Can’t Terminate TLS at Traefik for PostgreSQL (and What to Do Instead)

Context

I needed to allow Power BI to connect to a PostgreSQL database running in Kubernetes, fronted by Traefik using a TCP entrypoint. At first, I hoped to terminate TLS at Traefik, the same way you’d do for HTTPS traffic. But this turned out not to be possible with standard PostgreSQL clients (psql, libpq, psycopg, etc.). Here’s why.

Why This Happens

Unlike HTTPS, PostgreSQL does not start a TLS handshake immediately. Instead, a libpq/psql client first sends a special SSLRequest packet: ...
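The concrete reason a generic TLS terminator cannot front PostgreSQL is visible in the first eight bytes on the wire. The block below is an added example and not the post's code: it builds the SSLRequest packet exactly as the PostgreSQL frontend/backend protocol defines it (Int32 length 8, Int32 code 80877103, i.e. 1234 in the high half and 5679 in the low half), shows the one-byte `S`/`N` answer the server gives before any TLS record is exchanged, and classifies what a proxy would see first from a libpq client versus a browser. The TLS ClientHello prefix is a constructed sample; the GSSENCRequest and StartupMessage codes are also from the protocol, added to show the general shape.

```python
import struct

# Constants from the PostgreSQL frontend/backend protocol.
SSL_REQUEST_CODE = 80877103      # 1234 << 16 | 5679
GSSENC_REQUEST_CODE = 80877104   # 1234 << 16 | 5680
PROTOCOL_3_0 = 196608            # 3 << 16 | 0, first field of a StartupMessage
TLS_HANDSHAKE_RECORD = 0x16      # content type of a TLS handshake record


def build_ssl_request() -> bytes:
    """The 8-byte packet libpq/psql sends before any TLS bytes."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def server_reply_to_ssl_request(tls_available: bool) -> bytes:
    """The backend answers with a single byte: S = proceed with TLS, N = no TLS."""
    return b"S" if tls_available else b"N"


def classify_first_bytes(data: bytes) -> str:
    """What a TCP-level proxy sees first on a new connection.

    A TLS terminator expects a TLS record (0x16 ...). A PostgreSQL client
    instead opens with a length-prefixed request, which is why terminating
    TLS in front of it fails: the proxy never receives a ClientHello.
    """
    if data and data[0] == TLS_HANDSHAKE_RECORD:
        return "tls-client-hello"
    if len(data) < 8:
        return "short"
    length, code = struct.unpack("!II", data[:8])
    if length == 8 and code == SSL_REQUEST_CODE:
        return "pg-sslrequest"
    if length == 8 and code == GSSENC_REQUEST_CODE:
        return "pg-gssencrequest"
    if code == PROTOCOL_3_0:
        return "pg-startup-plaintext"
    return "unknown"


# Constructed samples (not captures from the post).
PSQL_FIRST_BYTES = build_ssl_request()
TLS_FIRST_BYTES = bytes.fromhex("16030100c8010000c40303")   # TLS record + ClientHello header prefix
PLAINTEXT_STARTUP = struct.pack("!II", 12, PROTOCOL_3_0) + b"\x00\x00\x00\x00"

if __name__ == "__main__":
    for label, sample in (("psql", PSQL_FIRST_BYTES), ("browser", TLS_FIRST_BYTES),
                          ("psql sslmode=disable", PLAINTEXT_STARTUP)):
        print(f"{label:22s} {sample[:8].hex():16s} -> {classify_first_bytes(sample)}")
    print("server replies", server_reply_to_ssl_request(True), "then the TLS handshake starts")
```

Only after the `S` byte does the client send a real ClientHello, so the TLS session is inside the PostgreSQL framing rather than wrapping it; a proxy that understands this framing (or passes the TCP stream through untouched) is what the "what to do instead" part of the post is about.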

September 27, 2025

Fix Vim key repeat in Cursor, Zed, VS Code on macOS

Vim extension in Cursor, Zed, or VS Code on macOS — arrow keys and held hjkl don’t repeat. macOS’s press-and-hold accent picker takes precedence over key repeat by default, and these editors do not override it. Fix: disable ApplePressAndHoldEnabled for the app (keeps the accent popup off, enables key repeat).

Get the app’s bundle ID:

    osascript -e 'id of app "Cursor"'   # or "Zed" or "Visual Studio Code"

Enable key repeat for that app:

    defaults write <BUNDLE_ID> ApplePressAndHoldEnabled -bool false

Examples: ...

July 13, 2025

From Goals to Constraints to Costs: Designing a Lean AWS Kubernetes Homelab

🧭 Why Build a Homelab?

I recently completed the first phase of my cloud-native homelab — a Kubernetes cluster on AWS built from scratch with kubeadm, provisioned using Terraform, Packer, Ansible, and Cilium. This wasn’t just for fun (though it was). I designed this homelab as:

- A hands-on way to prepare for the CKA certification
- A platform to host real-world workloads later
- A personal sandbox to understand what’s happening under the hood, not just run kubectl apply ...

June 29, 2025

Automating Kubeadm Init and Join on AWS: My Cloud Homelab Approach

When you’re setting up a Kubernetes cluster using kubeadm, one of the first questions is: “How do I automate the init/join logic without hardcoding IPs or manually copying tokens?” In my AWS-based Kubernetes homelab, I wanted a fully automated, reproducible setup — including both control plane and worker nodes joining the cluster automatically as soon as they boot. This blog explains how I accomplished that using: EC2 instance tags and metadata ...

June 29, 2025

How Rosetta Broke My Terraform Setup (and How I Fixed It on Apple Silicon)

Everything was working fine — until it wasn’t. While setting up a Kubernetes homelab using Terraform inside a devbox environment on my M1 Mac (macOS 15.5, Apple Silicon), I started hitting this dreaded error:

    Error: Failed to load plugin schemas
    Error while loading schemas for plugin components: Failed to obtain provider schema: Could not load the schema for provider registry.terraform.io/hashicorp/aws: failed to instantiate provider "registry.terraform.io/hashicorp/aws" to obtain schema: timeout while waiting for plugin to start..

Re-running terraform validate or terraform plan produced the same issue, even though terraform init was succeeding. ...

June 28, 2025

How to Add git-crypt Contributors to Your Encrypted Git Repository

Managing sensitive information in a Git repository can be challenging, but tools like git-crypt make it easier by encrypting specific files. When adding a new contributor to such a repository, the admin needs to ensure they have the necessary access to decrypt and work with these sensitive values. This tutorial aims to provide a detailed, step-by-step guide to help admins manage contributors effectively, as the official git-crypt repository provides only basic setup instructions. ...

January 11, 2025