Istio vs. Envoy Gateway: Gateway API on Kubernetes

Comparing Istio and Envoy Gateway as Gateway API implementations: mTLS, egress, Cilium, managed cloud specifics (AKS, GKE, OVH MKS), and real client IP.

· 19 minutes reading time

Envoy Gateway v1.7: Global Rate Limiting with a Custom ratelimit Service

How to wire envoyproxy/ratelimit as a self-hosted service into Envoy Gateway v1.7 using EnvoyPatchPolicy — three xDS patches, namespace-admin self-service, and the pitfalls to avoid.

· 10 minutes reading time

haproxy-spoe-rs: Deployment

Deploying the haproxy-spoe-rs SPOA agent in production — container image, podman-compose, Kubernetes, HAProxy configuration, health checking, logging, and systemd.

· 8 minutes reading time

haproxy-spoe-rs: A Rust SPOA Agent Library for HAProxy

Building a HAProxy Stream Processing Offload Agent (SPOA) library in Rust — zero-dependency async design, mpsc write batching, 95.9% test coverage, and 2.8–4.9× higher throughput than the Go reference implementation.

· 14 minutes reading time

Running pdns_recursor as a root-independent validating resolver

How to configure PowerDNS Recursor 5.4 to resolve directly against TLD name servers without depending on the root name servers at runtime, using a local root.zone file loaded via zonetocaches — including DNSSEC validation, trust anchor setup, and the race condition that prevents it from working without a hint file.

· 7 minutes reading time

Running a validating DNS recursor from the root zone with Hickory DNS

How to run Hickory DNS as a full recursive resolver starting from the root zone, with DNSSEC validation, TLS-encrypted upstream connections, Happy Eyeballs, and Prometheus metrics — including all configuration options added in the recurser-from-root-zone branch.

· 12 minutes reading time

vigil-log-relay: Kubernetes Log Collection Without a DaemonSet

vigil-log-relay streams logs from Kubernetes pods, HTTP endpoints, or Unix sockets and forwards them as ndjson to any TCP-capable log collector. No DaemonSet, no node-level access, no filesystem mounts — just a single binary with a namespace-scoped ServiceAccount.

· 10 minutes reading time

vigil-rs: A Rust Service Supervisor for Containers

vigil-rs is a PID 1 / container init daemon written in Rust. It supervises multiple processes, runs health checks, fires HTTP(S) alerts on state transitions, and exposes a REST API over a Unix socket with native zombie-reaping and per-service stop signals.

· 18 minutes reading time

How does SNI Routing work in HAProxy

Learn how a HAProxy container uses TLS Server Name Indication (SNI) to route encrypted TCP connections without decrypting them — enabling multiple services like Nextcloud and XMPP to share port 443.

· 4 minutes reading time

mergelog-rs: Rewriting a Year-2000 C Tool in Rust — and Making It 2.26× Faster

A Rust rewrite of mergelog 4.5, a C tool from 2000 that merges Apache log files chronologically. Six optimizations — a k-way heap merge, a hand-rolled CLF parser, String buffer reuse, mimalloc, 4 MiB read buffers with SIMD newline search, and zstd support — took the Rust binary from slower than the original to 2.26× faster.

· 9 minutes reading time