Authenticating OAuth2 Proxy to Entra ID Using Kubernetes Workload Identity

January 7, 2026 - Patrick Kerwood

In this post, I’ll demonstrate how to configure an Azure App Registration with federated credentials and configure OAuth2 Proxy to use Kubernetes-issued workload identity tokens to authenticate itself during an OpenID Connect login flow.

Read More

Installing the Crossplane AzureAD Provider with Federated Credentials

January 4, 2026 - Patrick Kerwood

Workload Identity Federation is rapidly becoming the modern standard for authenticating workloads. In this post, I will configure the Crossplane AzureAD provider to use a Kubernetes-issued service account token to authenticate to Azure, eliminating the need for long-lived secrets.

Read More

Simplifying Azure Authentication from Kubernetes with Workload Identity Federation

December 30, 2025 - Patrick Kerwood

In this blog post, I’ll walk you through an example of creating an Azure App Registration with a Federated Credential that trusts tokens issued by my Kubernetes cluster. I’ll then exchange that token for an Azure token and use it to make an API call to retrieve information about my own user.

Read More

Secure Your Caddy File Server with Keycloak

December 29, 2025 - Patrick Kerwood

In a previous post, I showed how to set up a simple HTTP file server using Caddy with Basic Authentication. In this post, I replace Basic Auth with GoGatekeeper as an authentication proxy and demonstrate how to implement path-based authorization using Keycloak roles assigned via group membership.

Read More

Setting up Workload Identity Federation between Kubernetes and Google Cloud.

November 11, 2025 - Patrick Kerwood

In this blog post, I’ll show how to set up Workload Identity Federation between a non-GKE Kubernetes cluster and Google Cloud Platform. This setup allows an application running in Kubernetes to use its Kubernetes service account to impersonate a Google service account and access cloud resources.

Read More

Setting up Workload Identity Federation between Keycloak and Google Cloud.

November 4, 2025 - Patrick Kerwood

In this blog post, I’ll demonstrate how to set up a Workload Identity Federation between Keycloak and Google Cloud Platform, allowing a Keycloak client to impersonate a Google service account to create a Cloud Storage bucket.

Read More

Setting Up Keycloak SAML Federation with Azure Entra ID

October 10, 2025 - Patrick Kerwood

In this guide, we’ll walk through setting up federated authentication between Azure Entra ID and Keycloak using SAML 2.0. By the end, you’ll have Entra ID as an identity provider and Keycloak properly configured to consume claims and group memberships.

Read More

Setting Up Keycloak with Docker Compose

September 24, 2025 - Patrick Kerwood

In this post, I’ll guide you through installing Keycloak with Docker Compose, with or without an SQL backend, and configuring it using my default Traefik setup. We’ll set up a dedicated URL for a realm and add a redirect from the realm’s root URL to its admin console.

Read More

Setting Up an HA VPN Between Google Cloud and CentOS 9 with strongSwan and BIRD

September 14, 2025 - Patrick Kerwood

In this guide, I’ll walk through setting up a site-to-site VPN between Google Cloud and a CentOS 9 VM hosted on DigitalOcean. We’ll use strongSwan to establish the IPsec tunnel, and the BIRD Internet Routing Daemon to peer with a Google Cloud Router and exchange routes dynamically using BGP.

Read More

Using Caddy as a Simple HTTP File Server

August 18, 2025 - Patrick Kerwood

Looking for a simple way to serve files over HTTP? In this guide, I'll walk through setting up a file server using Caddy, a modern web server written in Go. With minimal configuration, built-in directory browsing, and optional basic authentication, Caddy makes it easy to share files.

Read More

Single Sign-On with OAuth2 Proxy and Traefik Using Azure Entra ID

May 19, 2025 - Patrick Kerwood

Secure your application with OAuth2 Proxy and Microsoft Entra ID. In this post, I’ll walk you through configuring OAuth2 Proxy to authenticate users via Entra ID, both as a reverse proxy in front of your application and as a forward authentication provider using Traefik.

Read More

Running a Terraform Workflow in GitHub with Slack Notifications

March 11, 2025 - Patrick Kerwood

Automating infrastructure deployments using Terraform and GitHub Actions is a common practice. In this post, we’ll walk through setting up a Terraform workflow in GitHub that runs a Terraform Plan and sends a Slack notification with the diff whenever there are changes detected.

Read More

Traefik v3 Configuration with Let's Encrypt

March 5, 2025 - Patrick Kerwood

In this post, we’ll walk through setting up Traefik as an application proxy with Docker Compose, including automatic provisioning of Let's Encrypt TLS certificates via HTTP and DNS validation.

Read More

Confluence Updater

February 2, 2025 - Patrick Kerwood

If you prefer keeping your documentation in Git, love writing in Markdown, but need to publish it in Confluence, Confluence Updater is the perfect solution. This tool allows you to set up a CI/CD pipeline that automatically converts Markdown to HTML and uploads it to Confluence Cloud whenever changes are made.

Read More

Using multiple SSH keys for Github

December 26, 2024 - Patrick Kerwood

If you use GitHub, you likely rely on an SSH key to clone repositories and sign commits. However, when working with a GitHub Enterprise-managed account, you must set up a separate SSH key because the same key cannot be shared across different accounts. This guide will show you how to create and configure a new SSH key for a second account. Additionally, you'll learn how to configure Git to automatically apply specific settings for repositories that match certain URL patterns.

Read More

Setting up Workload Identity Federation in Google Cloud for Github pipelines

June 6, 2024 - Patrick Kerwood

Setting up authentication for pushing images to Google Artifact Registry from a Github pipeline is usually done by creating a static, forever valid, credential file for at service account, which will probably never be rotated. An alternative to that is to use Workload Identity Federation to exchange a Github issued JWT token with a Google token and use that for authentication.

Read More

Creating a bash script with commandline arguments

May 5, 2024 - Patrick Kerwood

When creating a good bash script for others to use, it's important to create a good user experience. Creating good usage arguments makes all the differnce and really makes your script look proffesional instead of just a list of commands bunced together in a file.

Read More

Local Development With Mirrord

November 30, 2023 - Patrick Kerwood

With Mirrord you can intercept traffic for your pods in your Kubernetes cluster, which allows you to develop your application locally as if it was deployed in your cluster. Utilizing the pods network, environment or even the filesystem. In this post I will be writing some examples that I personally use.

Read More

Creating Kubernetes CRDs with Rust

June 19, 2023 - Patrick Kerwood

You can extend Kubernetes with your own custom objects, but before you can do that you will need create a Custom Resource Definition so that Kubernetes knows what the object is allowed to look like. In this post I will create a very simple Kubernetes CRD for a Book kind using Rust and kube-rs.

Read More

Setup Google Cloud Workload Identity in GKE

June 6, 2023 - Patrick Kerwood

Using a Google service account in your GKE cluster is easy, just create the credential file, apply it as a secret and it's ready for use. But now you have a long lived credential that, if compromised, can be used from anywhere any time. Instead you can use a Kubernetes service account and Google Workload Identity to authenticate to Google Cloud. No need for credential files anymore.

Read More

Signing a Certificate with a CA

April 14, 2023 - Patrick Kerwood

In this post I will use OpenSSL to create a Certificate Authority key pair, a certificate private key with a Certificate Signing Request with Subject Alternate Names and lastly I will sign the CSR with the CA.

Read More

Creating Azure App Registrations with Terraform

July 26, 2022 - Patrick Kerwood

In this blog post I will introduce a Terraform script I have created for managing Azure App Registrations. The code supports two different kinds of App Registrations, one for user logins with groups assignments and one for services which includes adding App Roles and API Permissions.

Read More

Setting up i3 on Fedora

February 12, 2022 - Patrick Kerwood

I finally decided to give the i3wm a go after postponing it for years. This post is my i3 setup with Polybar and other supporting applications.

Read More

Setting up Netbox with Pomerium

October 29, 2021 - Patrick Kerwood

This post is a how-to on setting up Netbox with Docker Compose. In this example I will put Pomerium in front of the WebUI to be able to use Azure an Identity Provider and utilize Netbox's remote auth feature to auto create users that Pomerium grants access to.

Read More

Setting up a UniFi Controller

October 21, 2021 - Patrick Kerwood

This is a Docker Compose configuration example on deploying a UniFi Controller.

Read More

Power cycling a HP server from Discord

August 28, 2021 - Patrick Kerwood

My son has a HP Proliant G8 at a remote location that he uses for his Minecraft servers, it's a bit of a beast and consumes quite some power. I wanted to turn it off each night but needed to figure out an easy way for him to turn it on again. For that I used Discord and HP's Integrated Lights Out.

Read More

Setting up Minio

August 28, 2021 - Patrick Kerwood

This is a Docker Compose configuration example on deploying MinIO object storage.

Read More

Install global NPM packages locally

July 3, 2021 - Patrick Kerwood

Here's a quick how-to on installing NPM global packages locally without sudo.

Read More

Creating a Flexget container

June 24, 2021 - Patrick Kerwood

Since there isn't an official container image for Flexget, here's a quick how-to on building one your self.

Read More

Setting up AdGuard Home

April 15, 2021 - Patrick Kerwood

Like Pi-hole, AdGuard Home is a network-level software for blocking ads and tracking. It operates as a DNS server that re-routes tracking domains to a "black hole", preventing your devices from connecting to those servers.

Read More

Automate public DNS entries with External DNS for Kubernetes

April 13, 2021 - Patrick Kerwood

With External DNS for Kubernetes you can automate the creation of DNS records based on an ingress resource. This is a great feature to have, especially in a dynamic development environment. You could have pipelines deploy feature branches which create ingress hostnames based on the branch name and let External DNS create DNS entries for them.

Read More

Pinniped, Kubernetes Single Sign-on with OpenID Connect

April 10, 2021 - Patrick Kerwood

In this tutorial I will setup Pinniped, a Single Sign-on solution from the VMware Tanzu project. Pinniped gives you a unified login experience across all your clusters, including on-premises and managed cloud environments.

Read More

Pomerium, Kubernetes Single Sign-on with OpenID Connect

April 4, 2021 - Patrick Kerwood

In this tutorial I will setup Pomerium as an authentication proxy, with OpenID Connect, for the Kubernetes API. Since Pomerium will be functioning as a proxy for the KubeAPI, you can do this on a managed as well as an unmanaged cluster.

Read More

Bare Metal Kubernetes install with Kubespray and Cilium

March 20, 2021 - Patrick Kerwood

In this post I will setup a bare metal Kubernetes cluster using Kubespray. At the same time I'll get rid of that pesky Kube Proxy and replace it with the eBPF based Cilium CNI. Since Docker is deprecated in Kubernetes v1.20 we will be installling Containerd or CRI-O instead. This setup is tested on CentOS 8 Stream and Redhat Enterprise Linux 8.4.

Read More

TMUX Configuration

March 3, 2021 - Patrick Kerwood

This post is just a quick tutorial on setting up TMUX with my default configration.

Read More

Configuring subinterfaces on CentOS

February 27, 2021 - Patrick Kerwood

In this post I will show you how to create subinterfaces on your CentOS server. It's easy and only takes a couple of minutes to setup, after that just trunk your VLAN's with 802.1q to the server.

Read More

Ansible Container

February 21, 2021 - Patrick Kerwood

When working with Ansible I really don't want to soil my laptop with Python. And why would I when running tasks inside a container is such as breeze. Combining that with aliases, you can run ansible commands as if it was installed locally.

Read More

Managing Snapshots with PowerCLI

February 20, 2021 - Patrick Kerwood

PowerCLI is a great tool to manage resources in VMware vCenter. It would be even better if it was a "real" CLI tool, instead of a Powershell module. I often use it for creating, restoring or deleting snapshots on multiple machines, usually when dealing with a cluster of some sort.

Read More

Installing NGINX Ingress with Helm on Digital Ocean

February 6, 2021 - Patrick Kerwood

This is a guide on installing a NGINX Ingress controller on a managed Digital Ocean Kubernetes cluster.

Read More

Installing NGINX Ingress with Helm on AKS

February 6, 2021 - Patrick Kerwood

This is a guide on installing a NGINX Ingress controller on Azure Kubernetes Service.

Read More

Creating a WireGuard VPN exit node

January 24, 2021 - Patrick Kerwood

In this how-to I'll create a WireGuard VPN exit node, which is NAT'ing connections for clients. I will give an example on using both iptables and firewalld and how to forward ports to a WireGuard client.

Read More

Creating a Kubernetes service account

January 8, 2021 - Patrick Kerwood

This is an example on how to create a service account in Kubernetes, with a couple of role bindings. I'll also show how to create a kubeconfig file to use the service account with kubectl.

Read More

Installing Cert Manager with Helm 3

January 6, 2021 - Patrick Kerwood

Here's a quick how-to on installing Cert Manager in your Kubernetes cluster and setting up Issuers with Let's Encrypt HTTP and DNS validation. With Helm 3 the installation process is a breeze.

Read More

OS Query Launcher

December 8, 2020 - Patrick Kerwood

This is a follow up on the "Kolide Fleet + OS Query" post. In the previous post we installed Fleet and enrolled a server manually, by installing OS Query and setting it up. In this post, we are going to create a package that includes everything. The package will be using gRPC instead of the REST.

Read More

VPN mesh with Nebula

November 29, 2020 - Patrick Kerwood

Nebula is a VPN mesh technology that Slack has created and later open sourced. It is absolutly great for creating an overlay networks between nodes in different locations, whether it's Azure, Amazon, on-prem or in your garage. Even if your nodes are behind a NAT or firewall, Nebula will sprinkle som magic and punch a hole in that sucker.

Read More

Fedora Workstation Setup

November 15, 2020 - Patrick Kerwood

A couple of years ago I installed Fedora on my laptop. And honestly I haven't looked back since, I absolutely love my Fedora desktop. This post is just a list of commands I use to install my applications after a fresh Fedora install, for my own deteriorating memory.

Read More

Setting up the Kube Prometheus Stack

November 14, 2020 - Patrick Kerwood

In this post I will show you how to install the Kube Prometheus Stack in your Kubernetes cluster, which will give you 20+ Grafana dashboards to let you know everything about whats going on in your cluster. This installation process is extremely simple with Helm 3. I will also add some Grafana configuration to enable OAuth2 logins.

Read More

Grafana Auth Proxy Authentication

November 8, 2020 - Patrick Kerwood

Instead of managing a local user database in Grafana, you can let a reverse proxy handle the authentication and Grafana will create a user based on that login. In this example I use Pomerium as the authenticating proxy.

Read More

Pomerium, Single Sign-on with OpenID Connect

November 5, 2020 - Patrick Kerwood

This tutorial is a how-to on setting up a Single Sign-on/OpenID Connect proxy with Pomerium, in front of your application using Docker Compose and Traefik.

Read More

Collecting Docker logs with Grafana Loki

October 28, 2020 - Patrick Kerwood

This is a tutorial using Docker Compose to setup Grafana with Loki and forwarding your logs from your running containers to Loki.

Read More

Converting and adding certificates to Kubernetes

October 20, 2020 - Patrick Kerwood

This is a quick tutorial on converting a PFX or PEM certificate to a key/crt pair and deploy it in Kubernetes as a TLS secret.

Read More

Setup Azure Kubernetes Service with Terraform

October 7, 2020 - Patrick Kerwood

In this tutorial we will create an AKS cluster including an Azure Container Registry and a public IP resource for the Ingress Controller with Terraform. There will also be a quick how-to on installing the NGINX Ingress Controller using the Public IP created.

Read More

Dump SQL DB from a container

September 14, 2020 - Patrick Kerwood

This is just two simple commands to backup and restore an active MySQL/MariaDB database running in a container.

Read More

Kolide Fleet + OS Query

September 11, 2020 - Patrick Kerwood

A Docker Compose configuration example and a short how-to on getting Kolide Fleet and osquery up and running using the Fleet REST API.

Read More

Local Container Registry

September 8, 2020 - Patrick Kerwood

This is a Docker Compose configuration on setting up a local container registry. It uses the official docker registry image and puts a simple WebUI in front with basic authentication.

Read More

PXE booting with Netboot

August 25, 2020 - Patrick Kerwood

Netboot gives you the opportunity to boot various operating system installers or utilities using iPXE. It will load a list of all your favorite Linux distros and will pull a fresh image of your choosing, from the internet to boot.

Read More

Traefik v2 Configuration with Let's Encrypt

July 20, 2020 - Patrick Kerwood

This is a Docker Compose configuration example with Traefik v2 including Let's Encrypt TLS/DNS validation.

Read More

Ubiquiti UAP commands

May 17, 2020 - Patrick Kerwood

Every once in a while I need to troubleshoot Ubiquiti UAP's. And since I rarely do so, I forget howto. This post is just a couple of commands for my own deteriorating memory.

Read More

Deploying Seafile with Docker

May 15, 2020 - Patrick Kerwood

A Docker Compose configuration example on deploying Seafile. In this example I'll deploy it in a Traefik proxy network and with the appropriate Traefik labels.

Read More

Traefik v1.7 Configuration with Let's Encrypt

April 24, 2020 - Patrick Kerwood

A Docker Compose configuration example with Traefik v1.7 including Let's Encrypt HTTP/DNS validation.

Read More

Creating a Droplet with Terraform

April 22, 2020 - Patrick Kerwood

This is a quick how-to on creating a virtual machine in Digital Ocean also known as a Droplet, with Terraform

Read More

Keycloak Gatekeeper - OpenID Connect

April 3, 2020 - Patrick Kerwood

In this guide I will deploy a Hello World application and a Keycloak Gatekeeper instance to add user authentication using OpenID Connect.

Read More

Previous 1234567 Next