Envoy-Gateway on Fuchsbau

https://blogs.law.harvard.edu/tech/rss Envoy-Gateway on Fuchsbau https://this-is-fine.io/tags/envoy-gateway/ Recent content in Envoy-Gateway on Fuchsbau Envoy-Gateway on Fuchsbau https://this-is-fine.io/tags/envoy-gateway/ https://source.unsplash.com/2000x1322/?fox 1440 Hugo 0.125.4 de-DE Wed, 20 May 2026 22:26:11 UT Pocket ID as the Lab OIDC Provider (Zot Example) https://this-is-fine.io/posts/20251122-pocket-id-oidc-zot/ Sat, 22 Nov 2025 11:00:00 UT ff0x https://this-is-fine.io/posts/20251122-pocket-id-oidc-zot/ Pocket ID is a small OpenID Connect provider — enough for a homelab without Keycloak. The lab runs it at https://auth.this-is-fine.io with Flux and an HTTPRoute on Envoy Gateway. Below is how Zot uses native OpenID against that issuer. If you already run a homelab IdP, the interesting part is how little application code must change when the app speaks OIDC natively. Zot is a clear example: configure issuer URL, client ID, and redirect URIs, mount a secret, and the registry UI handles login without an OAuth sidecar in front of it. Infrastructure Envoy Gateway and the Move from Traefik to Gateway API https://this-is-fine.io/posts/20251122-envoy-gateway-headscale-routes/ Sat, 22 Nov 2025 08:00:00 UT ff0x https://this-is-fine.io/posts/20251122-envoy-gateway-headscale-routes/ The lab used to run Traefik with its own CRDs (IngressRoute, Middleware, and friends). Gateway API standardises routes; Envoy Gateway is the controller here — one Helm install, three shared Gateways, and per-app HTTPRoute resources instead of Traefik-only objects. Traefik is excellent at the edge, but its CRDs are controller-specific. Moving to Gateway API was less about feature envy and more about portability: the same HTTPRoute can be read by another implementation if you ever switch controllers. Envoy Gateway is the implementation here; the routes stay standard Kubernetes objects. Infrastructure Cluster-Wide Tailscale: Headscale, Tailnet DNS, and Cross-Cluster Routes https://this-is-fine.io/posts/20251121-tailscale-headscale-mesh/ Fri, 21 Nov 2025 09:00:00 UT ff0x https://this-is-fine.io/posts/20251121-tailscale-headscale-mesh/ Tailscale builds a WireGuard mesh with little configuration. Headscale is an open control server for the same clients — you run policy and issue keys yourself. The lab does not use the Tailscale Kubernetes operator; a handful of Deployments and DaemonSets do the job instead. The goal is one tailnet for laptops and nodes, with Kubernetes APIs and internal HTTP on *.tif.internal without putting those names on the public internet. Self-hosting the control plane means you own ACL files, preauth keys, and MagicDNS base domains. The trade-off is operational work: upgrades, backups, and policy edits are yours. For a multi-cluster lab that already runs GitOps everywhere else, that trade-off is acceptable. Infrastructure