Just a math guy lost in the IT world

Mirecloud — Production Engineering How I Replaced Kubernetes Static Credentials with Zero Trust OIDC — A Real Production Story From admin.conf sprawl to Keycloak SSO , group-based RBAC , and centralized audit logging on bare metal. Every step, every trap, every fix. Emmanuel Catin • March 2026 • 15 min read Kubernetes Keycloak OIDC Zero Trust RBAC Security DevOps Bare Metal Table of Contents 1. The Problem with Static Credentials 2. Architecture Overview 3. Authentication Flow 4. JWT Token Anatomy 5. Phase 1 — Keycloak Configuration 6. Phase 2 — Kubernetes API Server 7. Phase 3 — RBAC Authorization 8. Phase 4 — Developer Workstation Setup 9. Phase 5 — Headless Server (SSH Tunnel) 10. Phase 6 — Audit Logging & Grafana 11. Troubleshooting Reference 12. End-to-End Checklist 13. Key T...

MireCloud Home Lab · DevOps ExternalDNS on Kubernetes Automatic Sync with BIND via RFC2136 How to fully automate DNS management in a bare-metal Kubernetes homelab using Cilium, BIND, and HashiCorp Vault. 📅 February 22, 2026 ⏱ ~10 min read 🔧 ExternalDNS v0.20.0 ☸ Kubernetes v1.34 Kubernetes v1.34 ExternalDNS v0.20.0 Cilium Gateway API BIND (RFC2136) TSIG / HMAC-SHA256 HashiCorp Vault External Secrets Operator ArgoCD (GitOps) cert-manager When you run a Kubernetes homelab with multiple exposed services — Grafana, Keycloak, ArgoCD, PgAdmin — you quickly find yourself maintaining DNS entries in BIND manually . It's repetitive, prone to errors, and breaks the GitOps flow. The solution is ExternalDNS . This controller monitors your Services, Ingresses, and HTTPRoutes in real-time, automatically pushing DNS updates to BIND as soon as a route is created. No mo...

MireCloud Series · Homelab OIDC the Hard Way: Integrating Grafana with Keycloak (Part 3) Eliminating password databases: OpenID Connect, front-channel vs. back-channel, role mapping, and the end of local authentication. 📅 Homelab Series ⏱ ~10 min read 🔧 Grafana & Keycloak OIDC ☸ Kubernetes Kubernetes Grafana Keycloak OpenID Connect (OIDC) HashiCorp Vault Cilium Gateway API Overview Parts 1 and 2 built the foundation: Vault manages all credentials, External Secrets Operator bridges them into Kubernetes, cert-manager automates TLS, and Keycloak runs as a production-grade identity provider. Part 3 is where that infrastructure proves its value: integrating Grafana with Keycloak via OpenID Connect to eliminate Grafana's native login form entirely. By the end, there is no Grafana password database. No local admin account. Every login redirects t...

MireCloud Series · Homelab SSO the Hard Way: Deploying Keycloak on Bare-Metal Kubernetes (Part 2) Production-grade identity infrastructure: Vault secrets, clustered Keycloak, Gateway API, and zero credentials in Git. 📅 Homelab Series ⏱ ~10 min read 🔧 Keycloak OIDC ☸ Kubernetes Kubernetes Keycloak PostgreSQL HashiCorp Vault External Secrets Operator Cilium Gateway API cert-manager ArgoCD Overview Part 1 established the foundation: HashiCorp Vault as the single source of truth for credentials, External Secrets Operator bridging Vault into Kubernetes-native Secrets, cert-manager automating TLS certificate lifecycle, and ArgoCD deploying everything declaratively from Git. Part 2 builds the identity layer on top of that foundation: Keycloak — an open-source identity and access management solution deployed as a production-grade, 2-replica cluster ...