Scott's Weblog The weblog of an IT pro focusing on cloud computing, Kubernetes, Linux, containers, and networking

Jumping Off Cliffs

For quite a few years, I’ve had this desktop wallpaper that I really love. I don’t even remember where I got it or where it came from, so I can’t properly attribute it to anyone. I use this wallpaper from time to time when I want to be reminded to challenge myself, to learn new things, and to step outside of what is comfortable in order to explore the as-yet-unknown. Looking at this wallpaper on my desktop a little while ago, I realized that I may have started taking the inspirational phrase on this wallpaper for granted, instead of truly applying it to my life.

Here’s the wallpaper I’m talking about:

A person jumping off a cliff, with the text “We have to continually be jumping off cliffs and developing our wings on the way down”

To me, this phrase—illustrated so well by the wallpaper—means taking a leap into the unknown. It means putting yourself into a position where you are forced to grow and adapt in order to survive. It’s going to be scary, and possibly even a bit painful at times. In the end, though, you will emerge different than when you started.

It’s been a while since I did that, at least from a career perspective. Yes, I did change jobs a little over a year ago when I left VMware to go to Kong. If I’m honest with myself, though, Kong was the comfortable choice. (There’s nothing necessarily wrong with that, by the way.) I knew several of the people I’d be working with, the technology shift was incremental, and the job responsibilities were very familiar. In my opinion, the last “big shift” I made was joining Heptio in 2018.

It’s time for that to change. It’s time that I put myself in a position where I must change and grow in order to survive and flourish. It’s time to jump off a cliff and develop my wings on the way down. Starting next week, I am joining Pulumi on the Developer Relations team, working to help users be successful in putting Pulumi’s products and services to work solving their problems.

Why Pulumi? That’s a fair question!

  1. I believe there is real value in using a general-purpose programming language (as opposed to a domain-specific language, or DSL) for infrastructure-as-code use cases. Otherwise, we wouldn’t be seeing other projects like AWS CDK or CDK for Terraform.
  2. I belive that multi-cloud is real. Note that when I say “multi-cloud” I’m talking about using multiple cloud providers and services at an organizational level, not about spanning individual applications across multiple clouds. Organizations are going to naturally choose “best of breed” offerings, and that’s going to naturally lead them down the path of using multiple cloud providers and services.
  3. Put #1 and #2 together and you get Pulumi.

It doesn’t hurt that I’m a fan of Pulumi. I’ve been using it for several years; in fact, I even gave a presentation in 2020 at what I believe was Pulumi’s first-ever Cloud Engineering Summit. (See this GitHub repository for the presentation materials.) Over the last three years I’ve written about Pulumi several times here on the site (see here for a list of all the Pulumi-related articles I’ve published). I like using Pulumi, and I think that’s important.

Equally important—and pertinent to the title and introduction to this post—is that this is going to force me to grow and change. I’m looking forward to building out a new set of skills as I work with and among some amazing folks in the developer advocacy/developer relations space, and I anticipate that being immersed in general purpose programming languages like Golang all day long will force me to become more fluent and conversant in these languages. That, in turn, will draw me closer to a career goal I’ve had for a while of bolstering my programming/software development skills and experience. Finally, Pulumi has a broad number of providers for various services and platform; working with them will bring the opportunity to learn more about all these platforms and services. That’s three key areas of growth that I foresee, but I’m confident there will likely be more.

It is said that companies come and go, but people remain. Or, said another way, it’s the relationships you create over the years that really matter. I’ve been on some pretty amazing teams over the years, and my (former) team at Kong is one of them. I am excited about my new adventure at Pulumi—and looking forward to meeting the team I’ll be working with—but I will miss my team at Kong. I wish you all nothing but success!

As always, I remain available via Twitter (my DMs are open) and I am active in a number of different Slack communities (like the Pulumi Slack community, for example!). Please know that you are welcome to reach out to me anytime, and I look forward to continuing to serve the community.

Technology Short Take 158

Welcome to Technology Short Take #158! What do I have in store for you this time around? Well, you’ll have to read the whole article to find out for sure, but I have links to articles on…well, lots of different topics! DNS, BGP, hardware-based security, Kubernetes, Linux—they’re all in here. Hopefully I’ve managed to find something useful for someone.




Cloud Computing/Cloud Management

Operating Systems/Applications




Career/Soft Skills

  • I don’t remember how this article got in front of me, but I wanted to share it here because I know that job burnout is real. If this article helps even one person, then it will be worth including it here.
  • I appreciated this post on learning a technical subject. A lot of this resonated with me; I’d be curious to know if readers feel the same way.

And that’s a wrap! Thanks for reading, and feel free to reach out to me if you have any feedback, corrections (mistakes do creep in from time to time!), suggestions for improvement, or links you think I should include in the next Technology Short Take. You can reach me on Twitter, or find me in any number of Slack communities (the Kubernetes Slack community is one I frequently visit, among others).

Revisiting X.509 Certificates in Kubeconfig Files

In 2018, I wrote an article on examining X.509 certificates embedded in Kubeconfig files. In that article, I showed one way of extracting client certificate data from a Kubeconfig file and looking at the properties of the client certificate data. While there’s nothing technically wrong with that article, since then I’ve found another tool that makes the process a tad easier. In this post, I’ll revisit the topic of examining embedded X.509v3 certificates in Kubeconfig files.

The tool that I’ve found is yq, which is an incredibly useful tool when it comes to parsing YAML (much in the same way that jq is an incredibly useful tool when it comes to parsing JSON). I should probably write some sort of introductory post on yq.

In any case, you can use yq to replace the grep plus awk combo outlined in my earlier article on examining certificate data in Kubeconfig files. Instead, to pull out only the client certificate data, just use this yq command (you did know that Kubeconfig files are YAML, right?):

yq '.users[0].user.client-certificate-data' < ~./kube/config

(Of course, this command assumes your Kubeconfig file is named config in the ~/.kube directory; adjust the command as necessary based on your specific environment.)

The .users[0] portion of the yq command refers to the first user in the list of users in the referenced Kubeconfig file. If there’s more than one and you’re interested in seeing client certificate data for a different user, you’ll need to adjust that index.

From there, you can decode the Base64-encoded content and then pipe it to OpenSSL, just as described in the other post, to get a look at the actual certificate encoded within the Kubeconfig file. Here’s the full command:

yq '.users[0].user.client-certificate-data' < ~/.kube/config | base64 -D | openssl x509 -text

(Note that this command is for macOS; I believe you’ll need to use a base64 -d on GNU/Linux systems.)

I hope this is helpful to someone. Feel free to reach out to me on Twitter if you have any questions or any feedback. You can also find me in a number of different Slack communities, and you’re welcome to contact me there as well.

Posts from the Past, August 2022

I thought I might start highlighting some older posts here on the site through a semi-regular “Posts from the Past” series. I’ll start with posts published in the month of August through the years. Here’s hoping you find something that is useful (or perhaps entertaining, at least)!

August 2021

Last year, I had a couple of posts that I think are still relevant today. First, I talked about using Pulumi with Go to create a VPC Peering relationship on AWS. Second, I showed readers how to have Wireguard interfaces start automatically (using launchd) on macOS.

August 2020

I didn’t write too much in August 2020; my wife and I took a big road trip around the US to visit family and such. However, I did publish a post on some behavior changes in version 0.5.5 of the Cluster API tool clusterawsadm.

August 2019

This was a busy month for the blog! In addition to two Technology Short Takes, I also published posts on converting Kubernetes to an HA control plane, reconstructing the kubeadm join command (in the event you didn’t write down the output of kubeadm init), and one introducing Cluster API.

August 2018

In August 2018 I showed how to use (abuse?) Heptio Ark (now called Velero) to quickly populate new namespaces.

August 2017

How about a quick reference to some common AWS CLI commands?

August 2015

August 2016 was a slow month (or I was busy with VMworld, probably the latter), so looking back at 2015 I find a post on using Docker Machine with Vagrant. I still insist that Docker Machine was a hugely overlooked utility, but that’s water under the bridge now.

August 2014

This month I was exploring this new thing called CoreOS, and had three posts published on the topic (one on CoreOS itself, one on etcd, and one on Fleet and Docker).

August 2013

In August 2013 I mused, “Would it be possible to build your own network virtualization solution?”

August 2011

Skipping back to August 2011, I contemplated (ranted about?) logical-link multiplexing. You know, I kind of enjoyed those “Thinking Out Loud” posts…maybe I should start doing those again.

August 2009

This was the month that my very first book, Mastering VMware vSphere 4, was finally released. Here’s my blog post on the release of the book.

I’m not sure that going back any farther makes much sense; before that it’s all technologies that have long since sailed into oblivion. There is one small post of note: it was in August 2005 that the very first public version of this site went live on Wordpress. Read about it here.

Here’s hoping you enjoyed this little trip back into the archives. Maybe you found something useful you can still put to use! (Probably not, but it’s possible!) In the event you’d like to browse older articles, you can find a complete list of every post ever published in the Site Archives.

Site Category Changes

This weekend I made a couple of small changes to the categories on the site, in an effort to make navigation a bit more intuitive. In the past, readers had expressed some confusion over the “Education” and “Explanation” categories, and—to be frank—their confusion was warranted. I also wasn’t clear on the distinction between those categories, so this post explains the changes I’ve made.

The following category changes are now in effect on the site:

  • First, the “Education” category has been completely removed. I try to make almost everything on this site educational in nature, so why have an “Education” category? This really only affects you if you’d subscribed to that category’s RSS feed. (Did you know that every category and every tag has its own RSS feed?)
  • A lot of the content from the “Education” category has been moved into the “Explanation” category. This is the category that will contain posts where I provide some level of explanation around a concept, technology, product, or project.
  • The “Tutorial” category also picked up some new articles from the now-eliminated “Education” category. The “Tutorial” category contains walkthroughs or step-by-step instructions for doing something. There’s most likely going to be explanation along the way, but the distinction between “Tutorial” and “Explanation” is that the latter won’t contain step-by-step instructions for anything.
  • I added a new “Introduction” category, where I’ll put introductory-type posts about some technology, product, or project. The amount of explanation provided will be less than a typical article in the “Explanation” category, where I’ll tend to go a bit deeper.

I hope that these organizational changes make sense to readers, and make it easier to find the content you’re seeking. If you have feedback—and all constructive feedback is more than welcome!—please feel free to contact me on Twitter or reach out to me on any one of a number of Slack communities. Thanks for reading!

Recent Posts

Using Default AWS Resources with Pulumi

Per the AWS documentation (although I’m sure there are exceptions), when you start using AWS you are given some automatically-created resources: a default VPC that contains public subnets in each availability zone in the region along with an Internet gateway and settings to enable DNS resolution. Most of the infrastructure-as-code tutorials that I’ve seen start with creating a VPC and subnets and gateway, but what if you wanted to use these default resources instead? I wasn’t really able to find a good walkthrough on how to do this, so this post provides some sample Go code you can use with Pulumi to identify these default AWS resources and use them.


Technology Short Take 157

Welcome to Technology Short Take 157! I hope that this collection of links I’ve gathered is useful to someone out there. In particular, the “Career/Soft Skills” section is a bit bigger than usual this time around, as is the “Security” section.


Network Programmability and Automation, Second Edition

In late 2015, I was lucky enough to be part of a small crew of authors who launched a new book project targeting “next-generation network engineering skills.” That book, Network Programmability and Automation, was published by O’Reilly and has garnered praise and accolades for tackling head-on the topics that network engineers should consider mastering as the field of network engineering continues to grow and evolve. I was excited about that announcement, and I’m even more excited to announce that the early release of the second edition of Network Programmability and Automation is now available!


Technology Short Take 156

Welcome to Technology Short Take #156! It’s been about a month since the last Technology Short Take, and in that time I’ve been gathering links that I wanted to share with my readers. (I still have quite the backlog of links to read!) Hopefully something I share here will prove useful to someone. Enjoy the links below, and enjoy your weekend!


Making Flatpak Firefox use Private Browsing by Default

In April 2021 I wrote a post on making Firefox use Private Browsing by default, in which I showed how to modify the GNOME desktop file so that Firefox would open private windows by default without restricting access to normal browsing windows and functionality. I’ve used that technique on all my Fedora-based systems since that time, until just recently. What happened recently, you ask? I switched to the Flatpak version of Firefox. Fortunately, with some minor tweaks, this technique works with the Flatpak version of Firefox as well. In this post, I’ll share with you the changes needed to make the Flatpak version of Firefox also use private browsing by default.


Git Difftool and Meld as a Flatpak

I’ve recently started migrating many of the applications on my Fedora 36 laptop to their Flatpak versions. For the most part, this has been pretty straightforward, although there isn’t really any method for migrating configuration and data. Today I ran into a problem with Meld, a graphical diff utility, and using it with the git difftool command. Below I’ll share how I worked around this problem.


Technology Short Take 155

Welcome to Technology Short Take #155, just in time for the 2022 Memorial Day holiday weekend! (Here in the US, at least.) I mean, don’t you want to spend this weekend catching up on some technology-related articles instead of cooking on the grill and gathering with friends and family? I certainly hope not! Still, for those who need a little technology fix over the weekend, hopefully I’ve included something useful in the list of articles below. Enjoy!


Fine-Tuning Control Plane Access with Cluster API

When Cluster API creates a workload cluster, it also creates a load balancing solution to handle traffic to the workload cluster’s control plane. This is necessary so that the control plane endpoint is decoupled from the underlying control plane nodes (which facilitates scaling the control plane, among other things). On AWS, this mean creating an ELB and a set of security groups. For flexibility, Cluster API provides a limited ability to customize this control plane load balancer. In this post, I’ll show you how to use this functionality to fine-tune access to a workload cluster’s control plane when using Cluster API with AWS.


Technology Short Take 154

Welcome to Technology Short Take #154! My link of links and articles from around the Internet is a bit light on networking and virtualization this time around, but heftier in the security, cloud, and OS/application sections. I hope that I’ve managed to include something that you’ll find useful. Enjoy the content!


Technology Short Take 153

Welcome to Technology Short Take #153! My personal and professional life has kept me busy over the last couple of months, so things have been quiet here on the blog. I’ve still been collecting links to share with you, though, and here’s the latest collection. I hope you’re able to find something useful here!


Technology Short Take 152

Welcome to Technology Short Take #152! Normally I’d publish a Technology Short Take in the morning on a Friday, but I really wanted to get this one out so I’m making it live late in the day on a Monday. Here’s hoping I’ve included some content below that you find useful!


Using cert-manager with Kuma for mTLS

When configuring mutual TLS (mTLS) on the open source Kuma service mesh, users have a couple of different options. They can use a “builtin” certificate authority (CA), in which Kuma itself will generate a CA certificate and key for use in creating service-specific mTLS certificates. Users also have the option of using a “provided” CA, in which they must supply a CA certificate and key for Kuma to use when creating service-specific mTLS certificates. Both of these options are described on this page in the Kuma documentation. In this post, I’d like to explore the use of cert-manager as a “provided” CA for mTLS on Kuma.


Follow Up: Bootstrapping Servers into Ansible

Seven years ago, I wrote a quick post on bootstrapping servers into Ansible. The basic gist of the post was that you can use variables on the Ansible command-line to specify hosts that aren’t part of your inventory or log in via a different user (useful if the host doesn’t yet have a dedicated Ansible user account because you want to use Ansible to create that account). Recently, though, I encountered a situation where this approach doesn’t work, and in this post I’ll describe the workaround.


Technology Short Take 151

Welcome to Technology Short Take #151, the first Technology Short Take of 2022. I hope everyone had a great holiday season and that 2022 is off to a wonderful start! I have a few more links than normal this time around, although I didn’t find articles in a couple categories. Don’t worry—I’ll keep my eyes peeled and my RSS reader ready to pull in new articles in those categories for next time. And now for the content!


Getting Certificate Details from HashiCorp Vault

It seems there are lots of tutorials on setting up a PKI (public key infrastructure) using HashiCorp Vault. What I’ve found missing from most of these tutorials, however, is how to get details on certificates issued by a Vault-driven PKI after the initial creation. For example, someone other than you issued a certificate, but now you need to get the details for said certificate. How is that done? In this post, I’ll show you a couple ways to get details on certificates issued and stored in HashiCorp Vault.


Older Posts

Find more posts by browsing the post categories, content tags, or site archives pages. Thanks for visiting!