
In this demo, we show how to migrate a sample MySQL database to PostgreSQL in k8s using a pgloader job. The overall process is:

  1. ‘helm install’ a MySQL db and a PostgreSQL db in a k8s cluster (GKE).
  2. Load a simple employee data set to MySQL db.
  3. Create a pgloader…



After the Harbor/Docker troubleshooting, I finally figured out how to make a Python web app push to my k8s ingress.

In the first part, I created a hello world Flask app, built a Docker image, tagged the image, then pushed the image to the Harbor registry.

Once the image is in…



Recently, I switched the container registry from Docker Hub to Harbor and encountered “x509: certificate signed by unknown issuer error” using Docker Desktop and a Harbor private registry. This article is about how I resolved this issue in my Docker Desktop on Mac and my home lab k8s containerd.

In my…



My Terraform/Ansible script doesn’t work anymore after I turned on GCP OS Login. I didn’t know what OS Login means and just turned it on. Then I spent a couple of hours figuring out if it is caused by my custom image (OEL7). It turns out it is not. OS…



In an “enterprise” context, it is common to block users from pulling images from public container registries. Harbor is a private registry for k8s providing many security features, such as content signing and vulnerability scanning. For more info on why to use Harbor in your k8s env, visit the Harbor website. …



Long story short, I left my 8-year job and moved to a startup company. As such, I lost my company-sponsored GCP account as my lab. So I picked up my home lab equipment and made my first baremetal K8S cluster at home. This is what I have learned so far.



This article is the last part of pg_hba.conf explained. Note that pg_hba.conf is only for authentication. Most auth methods make sure the data exchange between the client and the postmaster during this period is secured, for example, ldap with tls, krb, pam_sss, scram-sha-256. In other words, the password is secure in transit.
What about…



In this part, I explain the PAM authentication in pg_hba.conf. PAM stands for “pluggable authentication modules.” PAM supports four types of services (auth, account, password, and session), but PostgreSQL PAM only supports two services: auth and account. In the last part, we installed ipa-client on pg-master. ipa-client should set up sssd/krb/ldap/pki…



In part 1, we went over the basic rules of pg_hba.conf. Let’s review the entry I put in pg_hba.conf in part 1. It was:

host      all     all     192.168.20.0/24      scram-sha-256

Translation: all clients (users) connecting from the 192.168.20.0/24 subnet and trying to access ALL databases will use a scram-sha-256 password. From a dba perspective, this entry…



This article attempts to demystify how to configure pg_hba.conf and integrate “enterprise systems” for different use cases.

The GCE env I demo contains three VMs: ipa-server, pg-master, and pg-client (you can git clone and deploy the same environment from my GitHub repo https://github.com/vmware-ysung/pg_hba_explained). FreeIPA is like “MS Active Directory.” …

Yuwei Sung

A data nerd who went from data center field engineer to cloud database reliability engineer.
