Howdy 馃憢

I’m Simon; an SRE by day, and quite often by night too. I’m fascinated by technology, cars and photography (although not necessarily in that order).

Update: Using BGP to integrate Cilium with OPNsense

A little while back, I wrote a short piece on integrating Cilium with OPNsense using BGP. With more recent releases of Cilium, the team have introduced the Cilium BGP Control Plane (currently as a beta feature). This reworking of the BGP integration replaces the old MetalLB-based control plane and as such the older feature must first be disabled. To enable the new feature, you can either pass an argument to Cilium:...

January 14, 2024 路 3 min 路 Simon Weald

Troubleshooting Network Traffic with CRI-O and Kubernetes

Running immutable infra is the holy grail for many people, however there are times when you鈥檒l need to get down in the weeds in order to troubleshoot issues. Let鈥檚 imagine a scenario; you need to verify that a pod is receiving traffic, but the image is built FROM scratch. As scratch containers are as minimal as possible, there鈥檚 no shell in the image, so there鈥檚 no way you can exec into it and hope to do anything remotely useful....

December 18, 2021 路 3 min 路 Simon Weald

Allowing DNS lookups with Hashicorp Consul + ACLs enabled

I鈥檝e recently been experimenting with Hashicorp鈥檚 Consul in my home infrastructure because I want to use it to provide service discovery and automatic DNS provisioning when I create Proxmox instances with Terraform. Consul is a bit of a hefty beast to get to grips with and getting DNS lookups working when you have ACLs enabled can be a little tricky - it鈥檚 taken me a day or two of going round in circles to figure this one out....

September 9, 2021 路 2 min 路 Simon Weald

Using BGP to integrate Cilium with OPNsense

Update: Cilium now has a new BGP integration so things have changed a little; see this post for more details. If (like me) you happen to follow the development of the Cilium CNI plugin for Kubernetes then you鈥檒l have seen the recent 1.10 release which included many shiny features. One exciting addition is the ability to announce Service IPs via BGP. Running Kubernetes in a homelab environment quickly highlights that there are some aspects which are a little lacking when compared to the integration you get from the cloud provider offerings....

May 31, 2021 路 5 min 路 Simon Weald

Securing SSH with the Vault SSH backend and GitHub authentication

This blog is going to be about using Hashicorp鈥檚 Vault to issue short-lived certificates to use with SSH. Most guides have you using a username & password to authenticate with Vault, but I鈥檝e chosen to delegate that to GitHub instead. I鈥檓 assuming you already have a Vault server running - I won鈥檛 be covering that in the course of this blog. You鈥檒l also need a sufficiently-privileged Vault token, and jq installed on the machine you wish to SSH from....

May 30, 2020 路 7 min 路 Simon Weald

Thanos and Prometheus without Kubernetes

Running Thanos without Kubernetes If you鈥檝e been around the cloud-native world for a while, you鈥檒l no doubt be familiar with (and quite likely already be using) Prometheus. You may however not have heard of Thanos. Put simply, Thanos takes Prometheus and makes it even more awesome. In their own words, the high-level description of Thanos is the following: Thanos is a set of components that can be composed into a highly available metric system with unlimited storage capacity, which can be added seamlessly on top of existing Prometheus deployments....

March 11, 2019 路 6 min 路 Simon Weald

Terraform S3 remote state with Minio and Docker

Storing Terraform鈥檚 remote state in Minio Whilst AWS鈥檚 free S3 tier is almost certainly sufficient to store Terraform鈥檚 remote state, it may be the case that you have a requirement to keep the data on-site, or alternatively if you鈥檙e using Terraform in an air-gapped environment then you have no choice but to self-host. Enter Minio. If you鈥檝e not used it before, the TLDR is that Minio provides an S3-compatible API in a single binary....

February 27, 2019 路 3 min 路 Simon Weald

Wildcard LetsEncrypt renewal with Ansible and Memset

Obtaining a wildcard LetsEncrypt cert with Ansible Earlier this year, LetsEncrypt made their wildcard x509 certificates available to the general public. Whilst this is a massive step forward over individual certificates for each domain, it does come with the overhead of having to distribute the wildcard certificate to the (possibly many) places you would use it. Ignoring that issue for now, I wrote a quick Ansible playbook which uses the dns-01 challenge method and my Memset DNS management modules (available in Ansible 2....

August 7, 2018 路 3 min 路 Simon Weald

Ansible module development gotchas

Lessons I learnt whilst developing modules Having now spent quite some time working on my initial Ansible modules for Memset, I鈥檝e assembled some handy hints on areas which tripped me up at various times in my journey. It should be noted that this post is written from the point of view of someone who is not a developer and is therefore not as au fait with some of the processes mentioned as others may be....

June 27, 2018 路 5 min 路 Simon Weald

Over-engineering my website with Kubernetes

A solution in need of a problem Like all good sysadmins, my personal website has been a 鈥榗oming soon鈥 splash page for quite some time. According to the Wayback Machine, it鈥檚 been this way since some time in 2014. As I鈥檓 sure many can sympathise with, there are always far more interesting and shiny things to be experimenting with than building a website. One of the interesting things I like to experiment with is Kubernetes (as should be apparent from the tag cloud)....

March 18, 2018 路 2 min 路 Simon Weald