Posts

Tutorial

Introducing my Homelab Part-4

MireCloud Home Lab · DevOps

ExternalDNS on Kubernetes: Automatic Sync with BIND via RFC2136

How to fully automate DNS management in a bare-metal Kubernetes homelab using Cilium, BIND, and HashiCorp Vault.

📅 February 22, 2026 · ⏱ ~10 min read · 🔧 ExternalDNS v0.20.0 · ☸ Kubernetes v1.34

Tags: Kubernetes v1.34, ExternalDNS v0.20.0, Cilium Gateway API, BIND (RFC2136), TSIG / HMAC-SHA256, HashiCorp Vault, External Secrets Operator, ArgoCD (GitOps), cert-manager

When you run a Kubernetes homelab with multiple exposed services — Grafana, Keycloak, ArgoCD, PgAdmin — you quickly find yourself maintaining DNS entries in BIND manually. It's repetitive, prone to errors, and breaks the GitOps flow. The solution is ExternalDNS. This controller monitors your Services, Ingresses, and HTTPRoutes in real-time, automatically pushing DNS updates to BIND as soon as a route is created. No mo...
Recent posts

Introducing my homelab part-2

MireCloud Series · Homelab

SSO the Hard Way: Deploying Keycloak on Bare-Metal Kubernetes (Part 2)

Production-grade identity infrastructure: Vault secrets, clustered Keycloak, Gateway API, and zero credentials in Git.

📅 Homelab Series · ⏱ ~10 min read · 🔧 Keycloak OIDC · ☸ Kubernetes

Tags: Kubernetes, Keycloak, PostgreSQL, HashiCorp Vault, External Secrets Operator, Cilium Gateway API, cert-manager, ArgoCD

Overview

Part 1 established the foundation: HashiCorp Vault as the single source of truth for credentials, External Secrets Operator bridging Vault into Kubernetes-native Secrets, cert-manager automating TLS certificate lifecycle, and ArgoCD deploying everything declaratively from Git. Part 2 builds the identity layer on top of that foundation: Keycloak — an open-source identity and access management solution deployed as a production-grade, 2-replica cluster ...

Introducing my HomeLab Part-3

OIDC the Hard Way: Integrating Grafana with Keycloak via OIDC (Part 3)

Eliminating password databases: OpenID Connect, front-channel vs. back-channel, role mapping, and the end of local authentication.

Overview

Parts 1 and 2 built the foundation: Vault manages all credentials, External Secrets Operator bridges them into Kubernetes, cert-manager automates TLS, and Keycloak runs as a production-grade identity provider with clustered session state. Part 3 is where that infrastructure proves its value: integrating Grafana with Keycloak via OpenID Connect to eliminate Grafana's native login form entirely. By the end, there is no Grafana password database. No local admin account. Every login redirects to Keycl...

Introducing my homeLab Part-1

MireCloud Series — Part 1

I Was kubectl apply-ing Everything. Here's How I Stopped.

Building MireCloud — the right way, from the ground up.

Emmanuel Catin, Senior Platform Engineer · CKA

Tags: Vault, ESO, cert-manager, ArgoCD, Cilium

I have a confession. For months, my homelab was held together with notes, memory, and hope. Keycloak was running. Grafana was up. GitLab was accessible. But if you asked me why something worked, half the time the honest answer was: "because I ran some commands six weeks ago and I haven't touched it since." Passwords lived in a notes file. Certificates were generated once with OpenSSL and forgotten until they expired. Secrets were committed to Git — sometimes as plaintext, sometimes base64-encoded, which is the same thing with extra steps. Every rebuild started ...