Enforce GCP Cert Consolidation with Terraform and ArgoCD
Consolidation patterns that depend on good intentions decay fast. One PR at 5pm on a Friday that adds…
SPKI pinning is one of the few certificate-layer controls where the public-CA wildcard pattern from the rest of…
The whole consolidation story so far collapses toward one wildcard cert on a shared LB. For most services…
The default advice for new HTTPS services on GCP is “use a Global External ALB.” It’s usually right.…
On GKE, per-service Ingress plus per-service ManagedCertificate is the path of least resistance. It also scales badly: every…
Per-service ManagedCertificate attached to a per-service target HTTPS proxy is why you have 120 forwarding rules across 4…
A single wildcard cert covering every service on a shared LB is what turns cert sprawl from a…
Cert sprawl starts with DNS. If the zone you issue certs against isn’t locked down first, every cert…
Reproduce the per-service ManagedCertificate sprawl pattern on GKE Autopilot with three live services, real cost math, and the…
Some monitoring stacks make you pick between feature-rich and heavy. Prometheus plus Alertmanager plus Grafana is amazing, but…
Setting up a Kubernetes cluster from scratch on Ubuntu 26.04 requires one non-obvious change: configuring containerd for cgroup…
Standard Ansible runs when you tell it to. Event-Driven Ansible (EDA) flips that model: it watches for events…