Building our own Zero Trust Network
In this post, I will describe our journey implementing a zero-trust network to secure service-to-service communication. Currently, all service communication in our company runs over a private network using plain HTTP and TCP for transport; with this approach we assume service communication is secure because the network is private and no one can sniff our traffic. In fact, this assumption can endanger our system, because we trust the private network and allow all traffic as long as it comes from the private network....
Continuous Integration Go Application with Gitlab CI
As an Operations Engineer, I usually build tools to make work easier or to improve the current infrastructure. A few months back, I focused on building a proxy to secure service-to-service communication with mTLS, and I built it in Go. Because this proxy will become a critical service in our system, and the code base will grow, I must make sure the proxy runs properly after every code change and does not break existing features....
Build Vault HA with Auto-unseal via AWS KMS
A few months ago, I wrote about service discovery in Prometheus using Consul, one of the tools built by HashiCorp, and now I will write again about another HashiCorp tool, this time for securing and storing sensitive data. The tool is named Vault. My company uses Vault for storing service credentials and for generating the certificates used for mTLS communication. Because Vault is a critical service for us, we must make Vault highly available: if Vault goes down, the services that depend on Vault will go down too....
Setup Nginx Ingress in Kubernetes Bare Metal/Raw VM
If you deploy HTTP- or HTTPS-based applications to a Kubernetes cluster and need to expose them to the internet, you need an Ingress. An Ingress is an API object that manages external access to services in your cluster; with it you can set up rules for routing traffic coming from the internet to your application, and those rules are called an Ingress resource. You can create an Ingress resource easily with kubectl create ingress, but just creating an Ingress resource is not enough: you also need an Ingress Controller....
TCP load balancing with Nginx
In the last post, I wrote about how to set up Redis active replication using Dynomite, and now that the replication works, I need a load balancer to point services at the Dynomite instances. The current architecture in my company is very dependent on HAProxy for TCP load balancing, but for now I need a simple solution that minimizes the software installed on the server. On the current server, Nginx is already used to serve our PHP application, and this PHP application will consume one of the Dynomite instances....