Kubernetes on johanneskueber.com

Bare-Metal LoadBalancer Services on Talos with Cilium L2 Announcements

Mon, 01 Jun 2026 00:00:00 +0000

This article documents how to replace MetalLB with Cilium’s built-in L2 announcement feature, including the IPAM pool, the announcement policy, the supporting Cilium values, and what to verify on the wire.

1. MetalLB’s role

On a bare-metal cluster, a Service of type: LoadBalancer is meaningless until something assigns it an external IP and answers ARP for that IP on the local segment. The classic answer is MetalLB in L2 mode: a controller allocates an IP from a pool; a speaker DaemonSet replies to ARP requests, advertising via gratuitous ARP after leader election.

Per-PVC Encryption with Longhorn and CSI Secret Templates

Thu, 28 May 2026 00:00:00 +0000

This article documents how to configure a Longhorn StorageClass that encrypts every PVC with its own per-volume key, derived through CSI’s secret-template parameters, and how to provision the matching secrets so the keys are scoped to the application namespace.

1. What encryption Longhorn actually does

Longhorn 1.4+ supports LUKS encryption at the block device layer. When a PVC’s StorageClass declares encrypted: "true", Longhorn calls cryptsetup luksFormat on the underlying replica devices using a passphrase pulled from a Kubernetes Secret. The PVC is then exposed to the consuming Pod as an unencrypted filesystem — the kernel handles the encryption transparently through the device-mapper layer.

Signed Dependency Updates with Renovate and Gitea

Tue, 26 May 2026 00:00:00 +0000

Keeping dependencies up to date is one of those chores that is easy to neglect and expensive to ignore. Renovate solves it nicely: it scans my repositories, opens pull requests for outdated dependencies, and - if I let it - merges them on its own. On a self-hosted Gitea instance with branch protection, however, there is a catch. If I require signed commits on my protected branches, an unsigned bot commit is simply rejected. So before automating anything, Renovate needs an identity and a signing key, and its commits need to show up as Verified.

Running a rootless NetBird Routing Peer Inside Kubernetes

Mon, 25 May 2026 00:00:00 +0000

This article documents how to run a NetBird client inside a Kubernetes cluster as a routing peer — rootless, with an in-memory state volume, a shell-based readiness probe, and dropped capabilities — so that remote mesh members can reach cluster-internal services over the encrypted overlay, without exposing kernel WireGuard and without making the cluster a peer of every workload.

1. Why a NetBird peer in the cluster

NetBird is a WireGuard-based identity mesh. Each peer holds keys, exchanges them via the management plane, and routes encrypted traffic to other peers. The default deployment runs the client on a host (Linux VM, MacBook, etc.) and uses the host’s kernel WireGuard.

Envoy Gateway Configuration to Reach SSL Labs A+

Thu, 14 May 2026 00:00:00 +0000

This article documents the Envoy Gateway configuration required to achieve an A+ rating on Qualys SSL Labs, with the rationale for each setting.

1. TLS security background

Before any application data flows over https://, the TLS session completes two steps:

Authentication. The server presents an X.509 certificate signed by a trusted Certificate Authority.
Key agreement and encryption. Client and server negotiate a session key via a cipher suite (key exchange, signature, bulk cipher, MAC) and encrypt the channel.

Weaknesses in this chain enable specific attack classes:

Intel iGPU passthrough with Proxmox and Talos

Sat, 11 Oct 2025 21:06:26 +0000

iGPU Passthrough with Proxmox and Talos

To use the GPU of the host system in K8s, it needs to be made aware of its existence. As I use VMs in Proxmox to run my Talos Cluster, there is an additional step to consider: passthrough of the hardware into the VM. The idea is the following:

Disable usage of GPU on the Proxmox Host - done via IOMMU and VFIO
Passthrough of the GPU into a Talos Worker Node - done via hostpci
Activation of GPU drivers in Talos - done via talhelper
GPU management in the cluster - done via Intel GPU Plugin
Usage of GPU in a deployment - by requesting the resource

There are quite some steps and all of them are specific to your environment. Different host system? Different steps. Different Cluster Software? You need to adept. Different GPU? You need other drivers and management. So please look out for the pitfalls and only copy and paste if you run proxmox with talos and have an Intel iGPU.

Use Longhorn with Talos 1.10 and userVolumes

Tue, 17 Jun 2025 07:06:26 +0000

When building a cluster, especially in a homelab, local storage is needed for application data. Especially for databases fast read and write is required. Offloading the workload to a NAS most of the time is slower. The solution I use is to provision on-node storage with Longhorn. Longhorn acts as a CSI and offers on-node storage, replication, backups and more.

As I am currently building a Talos cluster I need to integrate the longhorn CSI into the setup. This is not as straigt forward as with K3s oder K8s, as Talos has tighter security constraints and also needs additional plugins to handle SCSI - the underlying file system protocol used by longhorn. On top I am using Talhelper to allow a GitOps style usage of talosctl. The main advantage is the encryption of secrets used by talos config files with SOPS - something that I already use for Tofu and fluxCD.

Enable hardware acceleration for Jellyfin in Kubernetes - AMD Edition

Mon, 24 Jun 2024 07:06:26 +0000

Jellyfin is an open-source media server software that allows users to manage and stream their personal collection of movies, TV shows, music, and other media files. It is designed as an alternative to proprietary media server solutions like Plex and Emby, offering similar functionality but without any licensing costs or restrictions.

Jellyfin is running in my bare-metal kubernetes cluster. However, running the container without additional configuraion only gives Jellyfin access to the CPU for decoding video streams. If a GPU is available it would be better to use the GPU as it - most of the time - also has hardware acceleration for well-known codecs and in addition it takes some work off the CPU. In my case, the Athlon 3000G has an on-board Vega 3 graphics chip. Now the only thing left to do is to give Jellyfin access to the GPU.

Migrating data between baserow instances

Wed, 19 Jun 2024 07:06:26 +0000

Baserow is an open-source alternative to tools like Airtable and Google Sheets. It allows users to create databases and manage data in a user-friendly, spreadsheet-like interface. With Baserow, you can store, share, and collaborate on data with your team, all while maintaining full control over your data as it’s self-hosted. It offers features like row-level permissions, different field types, views (like table, gallery, kanban), and more. It also provides APIs for developers to build custom apps or integrations.