Posts

Tutorial

Introducing My Homelab Part-5

Mirecloud — Production Engineering
How I Eradicated Static Kubernetes Credentials with Zero Trust OIDC
From the nightmare of admin.conf to Keycloak SSO with centralized RBAC. A complete production architecture explained from A to Z.
By Emmanuel Catin · Kubernetes v1.34 · Keycloak (Quarkus) · Zero Trust · kubelogin v1.35.2
Table of Contents
1. The Illusion of Security & The "Ghost" in the Machine
2. The Concept: Architecture & Authentication Flow
3. Phase 1 — Keycloak Configuration (The Easy Way)
4. Phase 2 — Mutating the Kubernetes API Server
5. Phase 3 — The RBAC Bridge (Authorization)
6. Phase 4 — The Developer Experience (Client Demo)
7. Knowledge Base: Troubleshooting
8. What's Next: Part 6 — Audit Logging & Observability
1. The Illusion of Security & The "Ghost" in the Machine ...
Recent posts

Introducing my Homelab Part-4

MireCloud Home Lab · DevOps ExternalDNS on Kubernetes Automatic Sync with BIND via RFC2136 How to fully automate DNS management in a bare-metal Kubernetes homelab using Cilium, BIND, and HashiCorp Vault. 📅 February 22, 2026 ⏱ ~10 min read 🔧 ExternalDNS v0.20.0 ☸ Kubernetes v1.34 Kubernetes v1.34 ExternalDNS v0.20.0 Cilium Gateway API BIND (RFC2136) TSIG / HMAC-SHA256 HashiCorp Vault External Secrets Operator ArgoCD (GitOps) cert-manager When you run a Kubernetes homelab with multiple exposed services — Grafana, Keycloak, ArgoCD, PgAdmin — you quickly find yourself maintaining DNS entries in BIND manually. It's repetitive, prone to errors, and breaks the GitOps flow. The solution is ExternalDNS. This controller monitors your Services, Ingresses, and HTTPRoutes in real-time, automatically pushing DNS updates to BIND as soon as a route is created. No mo...

Introducing my HomeLab Part-3

MireCloud Series · Homelab OIDC the Hard Way: Integrating Grafana with Keycloak (Part 3) Eliminating password databases: OpenID Connect, front-channel vs. back-channel, role mapping, and the end of local authentication. 📅 Homelab Series ⏱ ~10 min read 🔧 Grafana & Keycloak OIDC ☸ Kubernetes Kubernetes Grafana Keycloak OpenID Connect (OIDC) HashiCorp Vault Cilium Gateway API Overview Parts 1 and 2 built the foundation: Vault manages all credentials, External Secrets Operator bridges them into Kubernetes, cert-manager automates TLS, and Keycloak runs as a production-grade identity provider. Part 3 is where that infrastructure proves its value: integrating Grafana with Keycloak via OpenID Connect to eliminate Grafana's native login form entirely. By the end, there is no Grafana password database. No local admin account. Every login redirects t...

Introducing my homelab part-2

MireCloud Series · Homelab SSO the Hard Way: Deploying Keycloak on Bare-Metal Kubernetes (Part 2) Production-grade identity infrastructure: Vault secrets, clustered Keycloak, Gateway API, and zero credentials in Git. 📅 Homelab Series ⏱ ~10 min read 🔧 Keycloak OIDC ☸ Kubernetes Kubernetes Keycloak PostgreSQL HashiCorp Vault External Secrets Operator Cilium Gateway API cert-manager ArgoCD Overview Part 1 established the foundation: HashiCorp Vault as the single source of truth for credentials, External Secrets Operator bridging Vault into Kubernetes-native Secrets, cert-manager automating TLS certificate lifecycle, and ArgoCD deploying everything declaratively from Git. Part 2 builds the identity layer on top of that foundation: Keycloak — an open-source identity and access management solution deployed as a production-grade, 2-replica cluster ...