Skip to content

kubernetes

Extending Our Tailscale Setup with a Terraform-Managed Bastion

originally posted at LinkedIn at Sept 06, 2025

In my previous post, I wrote about how we replaced a traditional VPN with Tailscale to connect engineers to Kubernetes services. That solved a big piece of the puzzle: cluster access was now simple, secure, and reliable.

But as always, not everything lives in Kubernetes. We still had private databases, legacy services, and tools running in our VPC that engineers needed to reach. That’s where a bastion came in.

Flying with Super Speed in the New Bastion Tunnel

The DevOps Odyssey, Part 4: Secrets, GitHub Auth, and Scaling Out

originally posted at LinkedIn at Aug 31, 2025

In Part 1, I bootstrapped a zero-click deployment pipeline on OCI with Terraform, Ansible, and Docker Compose — complete with HTTPS, DNS, and CI/CD.

Part 2 evolved that into a Kubernetes-native architecture, replacing Docker with K3s for a declarative control plane.

Part 3 brought in GitOps with Argo CD, letting the cluster manage itself from a single commit.

Now, in Part 4, I pushed the setup toward something that looks and feels much closer to production. Three key steps made that happen:

  1. Sealing secrets so I could finally commit them to Git safely.
  2. Adding GitHub authentication with Dex, making the Argo CD UI open (read-only) to anyone with a GitHub account.
  3. Expanding the cluster with a proper worker node — and replacing my ill-fated “master as NAT” shortcut with OCI’s managed NAT Gateway.

Autobot master cloned a worker self to prepare for the upcoming battle.

Reviving Doraemon: A Slack Bot’s Second Life in Kubernetes

originally posted at LinkedIn at Aug 16, 2025

Automation bots have evolved. What’s next?

Some projects stick with you. For me, it was a little Slack bot I hacked together at a previous job—something that could talk to our infrastructure and give quick answers without switching tools. I never learned what happened to it. Layoffs came. From what I later heard, it wasn’t adopted. It felt like watching a small idea I cared about slowly disappear.

Fast-forward to Flagler. I mentioned the bot almost off‑hand, unsure if anyone would care. My boss immediately supported the idea, and that gave me the energy to bring it back. This post is about reviving that project—this time with intent, care, and a proper home in Kubernetes.

Replatforming Airbyte: From Developer Laptop to EKS

originally posted at LinkedIn at July 25, 2025

In early-stage engineering teams, it's natural for tools to start out simple — often running on a single developer machine, just to get things moving. That’s how our Airbyte setup began: quick to spin up, good enough for testing connectors, and easy to iterate on.

But as our team grew and data pipelines became more embedded in how we operated, we knew it was time to treat Airbyte like real infrastructure. That meant moving beyond local environments and into a scalable, secure, and repeatable deployment.

We migrated Airbyte OSS to Amazon EKS, using Helm and AWS-native services like S3 and IAM Roles for Service Accounts (IRSA). Our goal wasn’t to fix something broken, but to build on what was working and make it production-ready—without sacrificing developer velocity.

This post shares how we did it, what we learned, and what you might want to consider if you’re operationalizing Airbyte (or any similar open-source tool) in a small but growing cloud-native team.

DevOps Clown sending laptop application to the Cloud

Swapping VPN for Tailscale: A Five-Day Internal Infra Upgrade

originally posted at LinkedIn at June 25, 2025

We recently started migrating away from our traditional VPN setup—and toward something simpler, faster, and cheaper: Tailscale.

This wasn’t a full rip-and-replace. In just five days, we moved a core set of internal Kubernetes services behind Tailscale, enough to start retiring our legacy VPN setup piece by piece.

The results?
✅ Smoother developer workflows
✅ Better access control
✅ Significant cost savings
✅ Self-serve onboarding
✅ Fewer support headaches

Enjoy Super Speeding in Private Network Tunnel

Automated TLS and DNS in Kubernetes with ExternalDNS, Ingress, and Let's Encrypt

Managing DNS and TLS certificates for Kubernetes applications can be tedious and error-prone. Thankfully, tools like ExternalDNS, Ingress, and Cert-Manager automate the entire process — from setting DNS records to provisioning Let's Encrypt certificates.

In this guide, we'll walk through how to:

  • Use ExternalDNS to automatically create DNS records.
  • Annotate Ingress resources to request a Let's Encrypt TLS cert.
  • Get HTTPS with minimal manual intervention.
  • Understand how these components interact.

Auto TLS and DNS with ExternalDNS, Ingress, and Let's Encrypt

Create erc public login

Amazon ECR Public allows users to store and access public container images. While ECR Public repositories are open to the public, access to pull or download images from these repositories may still require authentication.

While there are multiple reasons such as access control and security concern, the main benefit of getting an authentication token or login is to deal with rate limiting in my use case.

Helm Template Tips

Helm templates provide a powerful way to configure Kubernetes manifests dynamically. In this post, we’ll cover some useful tricks, including:

  • Handling optional maps

  • Setting default values

  • Using ternary expressions

  • Other useful Helm template functions

Helm Template Tips