Ramblings about Java, Spring Boot, Kubernetes, Docker and other developer things

Keycloak “Invalid redirect_uri” behind Caddy, Traefik, and k3s – a Debugging Journey When all you get after a Keycloak login is “Invalid parameter: redirect_uri”, the problem rarely lies with Keycloak itself. In my case, the investigation led through three proxy layers down to a SNAT rule in the Kubernetes network. This post documents the debugging path from error message to solution. Starting Point The application is a Spring Boot 3 web project connected to a self-hosted Keycloak via OAuth2/OIDC. The infrastructure looks like this: ...

This post documents how to set up a proper PKI for a homelab environment by importing an existing Caddy CA into HashiCorp Vault, and wiring it up with cert-manager on Kubernetes so that services automatically get trusted TLS certificates. Overview The trust chain we’re building: Caddy Root CA → Vault PKI → cert-manager → Kubernetes Secret (tls.crt / tls.key) Assumptions: Caddy is running as a reverse proxy and already has an internal CA Caddy is running outside the Kubernetes cluster on a dedicated host Vault is running outside the Kubernetes cluster (e.g. in Docker) cert-manager is installed in the Kubernetes cluster Internal domain is fritz.box, my public domain is dannihome.de Step 1: Locate Caddy’s CA Certificate and Key Caddy stores its internal CA here by default: ...

If you’re running a k3s cluster in your home network like me, you might run into a common problem: your pods can’t resolve local hostnames like keycloak.fritz.box or nas.fritz.box. That’s because CoreDNS inside the cluster doesn’t know about your local DNS server. In my case, I run a PiHole instance on a Raspberry Pi that handles DNS for my home network, including custom hostnames under the .fritz.box domain. Here’s how I made those hostnames available to all pods in my k3s cluster. ...

The goal is to replicate values from a Vault secret to K8S. There is a K8S operator called external-secrets (ESO) for this purpose. It can be deployed quite conveniently with Helm: helm repo add external-secrets https://charts.external-secrets.io helm install external-secrets external-secrets/external-secrets -n external-secrets --create-namespace Next, we should first create a test secret in Vault. vault kv put secret/foo my-value=mytopsecretvalue On to the manifests! The SecretStore: Connecting Kubernetes to Vault apiVersion: external-secrets.io/v1 kind: SecretStore metadata: name: vault-backend spec: provider: vault: server: "https://vault.myhomenet.lan" path: "secret" version: "v2" caBundle: "..." # Base64-encoded CA certificate, see explanation below auth: tokenSecretRef: name: "vault-token" key: "token" What’s happening here? ...

How to create volumes and deploy Postgresql and pgAdmin mkdir -p /disk1/postgres_data mkdir -p /disk2/postgres_backup chmod -R 777 /disk1/postgres_data chmod -R 777 /disk2/postgres_backup Docker Swarm deployment manifest version: "3.8" services: postgres: image: postgres:15 deploy: placement: constraints: - "node.hostname == swarmnode1" volumes: - /disk1/postgres_data:/var/lib/postgresql/data - /disk2/postgres_backup:/backup environment: POSTGRES_USER: myuser POSTGRES_PASSWORD: mypassword POSTGRES_DB: mydatabase networks: - my_network ports: - "5432:5432" pgadmin: image: dpage/pgadmin4 deploy: placement: constraints: - "node.hostname == swarmnode1" volumes: - pgadmin_data:/var/lib/pgadmin environment: PGADMIN_DEFAULT_EMAIL: admin@example.com PGADMIN_DEFAULT_PASSWORD: adminpassword ports: - "7676:80" networks: - my_network networks: my_network: driver: overlay volumes: pgadmin_data:

How to display server side field validation errors with Bootstrap and Thymeleaf <form action="#" th:action="@{/}" th:object="${myForm}" method="post"> <!-- 'myform' is the form object --> <!-- start row 1 --> <div class="form row"> <!-- col 1 --> <div class="col-lg-6"> <div class="form-group"> <label th:for="*{firstname}">First name</label> <input th:field="*{firstname}" type="text" class="form-control" th:classappend="${#fields.hasErrors('firstname')}? is-invalid" <!-- adds this class in case there is a field error--> placeholder="first name" aria-describedby="firstnameFeedback"> <!-- see server-side validation from Bootstrap docs --> <div id="firstnameFeedback" th:if="${#fields.hasErrors('firstname')}" th:errors="*{firstname}" class="invalid-feedback"> <!-- is initially not displayed --> </div> </div> (...)

This task was astonishingly hard to configure. In my K3S cluster I have a Traefik reverse proxy deployed. What I wanted to achieve was: Make my apps accessible from the internet Automate TLS certificate provision Protect apps with basic auth Step 1 involved opening http and https ports to my clusters master node IP address. Traefik was quite easily deployed through its Helm-Chart. This is my values.yaml. As Ionos is my domain hoster, I’m using their DNS challenge provider to generate Let’s Encrypt-Certificates: ...

A little stupid mistake of mine that cost me some time. My application context would not start due to java.lang.IllegalArgumentException: Not an managed type: class java.lang.Object My interface looked like this: public interface MyUserRepository<MyUser, Long> extends JpaRepository<MyUser, Long> The correct definition, omitting the generic duplication which causes the error: public interface MyUserRepository extends JpaRepository<MyUser, Long>

Cheat-Sheet for restoring deleted files from Git repo #Get a list of deleted files git log --diff-filter=D --summary | grep delete #Show commits where the deleted file was involved, copy latest commit hash to clipboard git log --all -- <PATH_TO_DELETED_FILE> #Restore it into the working copy with: (^ means the commit BEFORE the commit where file was deleted) git checkout <COMMIT-HASH>^ -- <PATH_TO_DELETED_FILE>

Cheat-Sheet to enable and use Minikube internal Docker registry Enable access to insecure registry On Docker host machine, create or edit /etc/docker/daemon.json: { "insecure-registries" : ["192.168.49.2:5000"] } Save and restart Docker. Delete an existing Minikube cluster: minikube stop && minikube delete Start minikube with insecure registry access enabled: minikube start --insecure-registry "10.0.0.0/24" Enable the registry addon: minikube addons enable registry Tag an existing image and push it to minikube registry: ...