<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
    <channel>
      <title>Alek&#x27;s Blog - envoy</title>
      <link>https://blog.none.at</link>
      <description>Production notes on Kubernetes, OpenShift, and OVHcloud: observability, log archiving, service mesh, LLM inference, and digital sovereignty.</description>
      <generator>Zola</generator>
      <language>en</language>
      <atom:link href="https://blog.none.at/tags/envoy/rss.xml" rel="self" type="application/rss+xml"/>
      <lastBuildDate>Mon, 13 Jul 2026 00:00:00 +0000</lastBuildDate>
      <item>
          <title>Istio AuthorizationPolicy &amp; HTTP&#x2F;2 Coalescing</title>
          <pubDate>Mon, 13 Jul 2026 00:00:00 +0000</pubDate>
          <author>aleks</author>
          <link>https://blog.none.at/blog/2026/2026-07-13-istio-authorizationpolicy-http2-coalescing/</link>
          <guid>https://blog.none.at/blog/2026/2026-07-13-istio-authorizationpolicy-http2-coalescing/</guid>
          <description xml:base="https://blog.none.at/blog/2026/2026-07-13-istio-authorizationpolicy-http2-coalescing/">&lt;p&gt;Isolating an admin surface behind its own hostname and an IP-restricted
&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;istio.io&quot;&gt;Istio&lt;&#x2F;a&gt; &lt;code&gt;AuthorizationPolicy&lt;&#x2F;code&gt; sounds like a Tuesday-afternoon change: add a
second &lt;code&gt;HTTPRoute&lt;&#x2F;code&gt;, add a &lt;code&gt;DENY&lt;&#x2F;code&gt; policy with an allowlist, done. Two non-obvious Envoy behaviors
turned it into a two-day debugging exercise instead — one in how &lt;code&gt;AuthorizationPolicy&lt;&#x2F;code&gt; resolves
“the client’s IP,” and one in how browsers reuse HTTP&#x2F;2 connections across hostnames that share a
certificate. Neither is specific to Keycloak or to this particular setup; both apply to any Istio
or Envoy Gateway API ingress sitting behind a cloud load balancer with a shared wildcard
certificate.&lt;&#x2F;p&gt;
&lt;p&gt;This post walks through both bugs, how they were root-caused, and the fix for each — so the next
person hitting either symptom can skip straight to the cause.&lt;&#x2F;p&gt;</description>
      </item>
      <item>
          <title>SigNoz on OVH MKS: Access Log Reports with Vector and ClickHouse</title>
          <pubDate>Mon, 18 May 2026 00:00:00 +0000</pubDate>
          <author>aleks</author>
          <link>https://blog.none.at/blog/2026/2026-05-18-signoz-on-ovh-usecase-access-logs/</link>
          <guid>https://blog.none.at/blog/2026/2026-05-18-signoz-on-ovh-usecase-access-logs/</guid>
          <description xml:base="https://blog.none.at/blog/2026/2026-05-18-signoz-on-ovh-usecase-access-logs/">&lt;p&gt;Posts &lt;a href=&quot;https:&#x2F;&#x2F;blog.none.at&#x2F;blog&#x2F;2026&#x2F;2026-05-16-signoz-on-ovh-infrastructure&#x2F;&quot;&gt;1&lt;&#x2F;a&gt; and &lt;a href=&quot;https:&#x2F;&#x2F;blog.none.at&#x2F;blog&#x2F;2026&#x2F;2026-05-16-signoz-on-ovh-metrics-traces-logs&#x2F;&quot;&gt;2&lt;&#x2F;a&gt; of this series set up the SigNoz observability stack on OVH MKS and demonstrated metrics, traces, and Kubernetes pod log collection. This post adds a practical use case: structured Envoy access log collection via Vector, archiving to OVH Object Storage in Combined Log Format, and monthly HTML reports via awffull — accessible at &lt;code&gt;https:&#x2F;&#x2F;reports.&amp;lt;your-domain&amp;gt;&lt;&#x2F;code&gt; through the existing Istio gateway.&lt;&#x2F;p&gt;</description>
      </item>
      <item>
          <title>ClickHouse Use Case: Vector, Istio, nginx, Java on OVH MKS</title>
          <pubDate>Thu, 14 May 2026 00:00:00 +0000</pubDate>
          <author>aleks</author>
          <link>https://blog.none.at/blog/2026/2026-05-14-es-os-loki-quickwit-clickhouse-usecases/</link>
          <guid>https://blog.none.at/blog/2026/2026-05-14-es-os-loki-quickwit-clickhouse-usecases/</guid>
          <description xml:base="https://blog.none.at/blog/2026/2026-05-14-es-os-loki-quickwit-clickhouse-usecases/">&lt;p&gt;The first four parts of this series compared Elasticsearch, OpenSearch, Loki, Quickwit, and
ClickHouse across storage models, operations, security, and UX. This part shows what a
concrete production setup looks like when the decision has been made: &lt;strong&gt;ClickHouse&lt;&#x2F;strong&gt; as the
log store, &lt;strong&gt;Vector&lt;&#x2F;strong&gt; as the ingestion agent, running on &lt;strong&gt;OVH Managed Kubernetes Service
(MKS)&lt;&#x2F;strong&gt; with &lt;strong&gt;OVH Object Storage&lt;&#x2F;strong&gt; as the cold tier.&lt;&#x2F;p&gt;
&lt;p&gt;This is Part 5 of a five-part series:&lt;&#x2F;p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Full guide:&lt;&#x2F;strong&gt; &lt;a href=&quot;https:&#x2F;&#x2F;blog.none.at&#x2F;blog&#x2F;2026&#x2F;2026-05-14-es-os-loki-quickwit-clickhouse-guide&#x2F;&quot;&gt;Elasticsearch vs. OpenSearch vs. Loki vs. Quickwit vs. ClickHouse: The Complete Guide&lt;&#x2F;a&gt;&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;blog.none.at&#x2F;blog&#x2F;2026&#x2F;2026-05-14-es-os-loki-quickwit-clickhouse&#x2F;&quot;&gt;Part 1&lt;&#x2F;a&gt; — storage models, compression, resource consumption, and SaaS options&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;blog.none.at&#x2F;blog&#x2F;2026&#x2F;2026-05-14-es-os-loki-quickwit-clickhouse-operations&#x2F;&quot;&gt;Part 2&lt;&#x2F;a&gt; — cluster setup, Kubernetes operations, backup and disaster recovery&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;blog.none.at&#x2F;blog&#x2F;2026&#x2F;2026-05-14-es-os-loki-quickwit-clickhouse-security&#x2F;&quot;&gt;Part 3&lt;&#x2F;a&gt; — encryption, RBAC, and WORM compliance&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;blog.none.at&#x2F;blog&#x2F;2026&#x2F;2026-05-14-es-os-loki-quickwit-clickhouse-ux&#x2F;&quot;&gt;Part 4&lt;&#x2F;a&gt; — UI layers, dashboards, alerting, and cold-tier query behaviour&lt;&#x2F;li&gt;
&lt;li&gt;Part 5 — this post&lt;&#x2F;li&gt;
&lt;&#x2F;ul&gt;</description>
      </item>
      <item>
          <title>Istio vs. Envoy Gateway: Gateway API on Kubernetes</title>
          <pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate>
          <author>aleks</author>
          <link>https://blog.none.at/blog/2026/2026-04-30-istio-vs-envoy-gateway/</link>
          <guid>https://blog.none.at/blog/2026/2026-04-30-istio-vs-envoy-gateway/</guid>
          <description xml:base="https://blog.none.at/blog/2026/2026-04-30-istio-vs-envoy-gateway/">&lt;p&gt;Both &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;istio.io&quot;&gt;Istio&lt;&#x2F;a&gt; and &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;gateway.envoyproxy.io&quot;&gt;Envoy Gateway&lt;&#x2F;a&gt; implement the
&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;gateway-api.sigs.k8s.io&quot;&gt;Kubernetes Gateway API&lt;&#x2F;a&gt; and use Envoy as their data plane.
That is roughly where the similarity ends. Istio is a full service mesh that happens to
implement Gateway API; Envoy Gateway is a dedicated Gateway API controller with no mesh
ambitions. Choosing between them is mostly a question of scope.&lt;&#x2F;p&gt;
&lt;p&gt;This post starts with that comparison — architecture, mTLS, egress control, and resource
overhead — then broadens to cover &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;cilium.io&quot;&gt;Cilium&lt;&#x2F;a&gt; as a lighter alternative for
East-West security, how the choice plays out on managed Kubernetes offerings (AKS, GKE, and
OVH MKS including their cloud-native ingress and egress options), and finally how to get
the real client IP through a cloud load balancer to your application.&lt;&#x2F;p&gt;</description>
      </item>
      <item>
          <title>Envoy Gateway v1.7: Global Rate Limiting with a Custom ratelimit Service</title>
          <pubDate>Sun, 19 Apr 2026 00:00:00 +0000</pubDate>
          <author>aleks</author>
          <link>https://blog.none.at/blog/2026/2026-04-19-envoy-gateway-global-ratelimit/</link>
          <guid>https://blog.none.at/blog/2026/2026-04-19-envoy-gateway-global-ratelimit/</guid>
          <description xml:base="https://blog.none.at/blog/2026/2026-04-19-envoy-gateway-global-ratelimit/">&lt;p&gt;Global rate limiting in &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;gateway.envoyproxy.io&#x2F;&quot;&gt;Envoy Gateway (EG)&lt;&#x2F;a&gt; can be set up in two ways:
the easy path (EG manages its own &lt;code&gt;envoy-ratelimit&lt;&#x2F;code&gt; container) and the flexible path
(you bring your own &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;envoyproxy&#x2F;ratelimit&quot;&gt;envoyproxy&#x2F;ratelimit&lt;&#x2F;a&gt; service).
This post covers the flexible path — &lt;strong&gt;Option B&lt;&#x2F;strong&gt; — and documents the three xDS patches
required to wire it up, the EG v1.7 breaking changes that affect the approach,
and a namespace-admin self-service deployment model.&lt;&#x2F;p&gt;</description>
      </item>
    </channel>
</rss>
