Setting up MijnBureau on Kubernetes

See also: Setting up a Harbor proxy to help with docker rate limits

helmfile/environments/demo/mijnbureau.yaml.gotmpl

global:
  domain: "mijnbureau.rabevcqhguoovcu.xyz"
  resourcePreset: "small"
  hostname:
    keycloak: "id"

application:
  grist:
    enabled: true
  ollama:
    enabled: true
  keycloak:
    enabled: true
  chat:
    enabled: true

secret: # Demo values only; keep real credentials in an encrypted values file, never in git
  keycloak:
    adminUser: admin
    adminPassword: mypassword

authentication:
  oidc:
    issuer: "https://id.mijnbureau.rabevcqhguoovcu.xyz/realms/mijnbureau"
    authorization_endpoint: "https://id.mijnbureau.rabevcqhguoovcu.xyz/realms/mijnbureau/protocol/openid-connect/auth"
    token_endpoint: "https://id.mijnbureau.rabevcqhguoovcu.xyz/realms/mijnbureau/protocol/openid-connect/token"
    introspection_endpoint: "https://id.mijnbureau.rabevcqhguoovcu.xyz/realms/mijnbureau/protocol/openid-connect/token/introspect"
    userinfo_endpoint: "https://id.mijnbureau.rabevcqhguoovcu.xyz/realms/mijnbureau/protocol/openid-connect/userinfo"
    end_session_endpoint: "https://id.mijnbureau.rabevcqhguoovcu.xyz/realms/mijnbureau/protocol/openid-connect/logout"
    jwks_uri: "https://id.mijnbureau.rabevcqhguoovcu.xyz/realms/mijnbureau/protocol/openid-connect/certs"


user:
  - email: [email protected]
    username: johndoe
    firstname: John
    lastname: Doe
    password: myStrongPassword123
  - email: [email protected]
    username: janedoe
    firstname: Jane
    lastname: Doe
    password: myStrongPassword123


cluster:
  ingress:
    type: nginx
    className: ~
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod


tls:
  keycloak:
    - hosts:
        # Must be the host Keycloak is actually served on: global.hostname.keycloak + global.domain,
        # the same host as the OIDC issuer above. A different name here gets a certificate
        # for a hostname nothing listens on.
        - id.mijnbureau.rabevcqhguoovcu.xyz
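All of the authentication.oidc.* URLs above are derived from the issuer, and Keycloak publishes the authoritative list at <issuer>/.well-known/openid-configuration. The shell script below, added here as an example and not part of MijnBureau or Keycloak, compares the values written in mijnbureau.yaml.gotmpl with a discovery document so a typo or a hostname change ("id" vs "keycloak") shows up before clients start failing token exchange. The two discovery documents embedded in it are constructed samples; check_live fetches the real one with curl and needs network access plus a working ingress.

```shell
#!/bin/sh
# Cross-check the hard-coded authentication.oidc.* URLs against what Keycloak publishes
# at <issuer>/.well-known/openid-configuration.
# Added example for this page, not part of MijnBureau or Keycloak. Assumes Keycloak's
# standard discovery document: flat JSON with one string value per key checked here.

ISSUER="https://id.mijnbureau.rabevcqhguoovcu.xyz/realms/mijnbureau"
OIDC_KEYS="issuer authorization_endpoint token_endpoint introspection_endpoint userinfo_endpoint end_session_endpoint jwks_uri"

# configured_value KEY: the value currently written in mijnbureau.yaml.gotmpl.
configured_value() {
  case "$1" in
    issuer)                 printf '%s\n' "$ISSUER" ;;
    authorization_endpoint) printf '%s/protocol/openid-connect/auth\n' "$ISSUER" ;;
    token_endpoint)         printf '%s/protocol/openid-connect/token\n' "$ISSUER" ;;
    introspection_endpoint) printf '%s/protocol/openid-connect/token/introspect\n' "$ISSUER" ;;
    userinfo_endpoint)      printf '%s/protocol/openid-connect/userinfo\n' "$ISSUER" ;;
    end_session_endpoint)   printf '%s/protocol/openid-connect/logout\n' "$ISSUER" ;;
    jwks_uri)               printf '%s/protocol/openid-connect/certs\n' "$ISSUER" ;;
    *) return 1 ;;
  esac
}

# discovery_value JSON KEY: pull one top-level string value out of the discovery document.
# The key must be followed directly by its closing quote, so "token_endpoint" does not
# match "token_endpoint_auth_methods_supported".
discovery_value() {
  printf '%s\n' "$1" | tr -d '\n' | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"
}

# check_endpoints JSON: print one line per key ("ok KEY" or "MISMATCH KEY ...");
# return 1 if any configured URL differs from what Keycloak advertises.
check_endpoints() {
  rc=0
  for key in $OIDC_KEYS; do
    want="$(configured_value "$key")"
    got="$(discovery_value "$1" "$key")"
    if [ "$want" = "$got" ]; then
      printf 'ok       %s\n' "$key"
    else
      printf 'MISMATCH %s configured=%s discovered=%s\n' "$key" "$want" "${got:-<missing>}"
      rc=1
    fi
  done
  return $rc
}

# check_live: fetch the real discovery document (needs network, ingress and TLS working).
check_live() {
  check_endpoints "$(curl -fsS "$ISSUER/.well-known/openid-configuration")"
}

# Constructed sample discovery documents (not captured from a real server): one that matches
# the configuration, and one where jwks_uri points at a different realm on the Keycloak side.
SAMPLE_OK='{"issuer":"https://id.mijnbureau.rabevcqhguoovcu.xyz/realms/mijnbureau",
"authorization_endpoint":"https://id.mijnbureau.rabevcqhguoovcu.xyz/realms/mijnbureau/protocol/openid-connect/auth",
"token_endpoint":"https://id.mijnbureau.rabevcqhguoovcu.xyz/realms/mijnbureau/protocol/openid-connect/token",
"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post"],
"introspection_endpoint":"https://id.mijnbureau.rabevcqhguoovcu.xyz/realms/mijnbureau/protocol/openid-connect/token/introspect",
"userinfo_endpoint":"https://id.mijnbureau.rabevcqhguoovcu.xyz/realms/mijnbureau/protocol/openid-connect/userinfo",
"end_session_endpoint":"https://id.mijnbureau.rabevcqhguoovcu.xyz/realms/mijnbureau/protocol/openid-connect/logout",
"jwks_uri":"https://id.mijnbureau.rabevcqhguoovcu.xyz/realms/mijnbureau/protocol/openid-connect/certs"}'
SAMPLE_DRIFT="$(printf '%s' "$SAMPLE_OK" | sed 's#/realms/mijnbureau/protocol/openid-connect/certs#/realms/bureau/protocol/openid-connect/certs#')"

check_endpoints "$SAMPLE_DRIFT" || echo "configuration drift detected"
```

Run check_live after the Keycloak ingress is up; a MISMATCH on issuer usually means global.hostname.keycloak or global.domain changed without the authentication block following.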

Setting up a Harbor proxy to help with docker rate limits

A lot of Kubernetes workloads ship with imagePullPolicy: Always, so every restart or reschedule pulls the image again; if anything goes wrong (a crash loop, a node being replaced) you hit Docker Hub's pull rate limit quickly. Harbor has a proxy cache feature for exactly this: the cluster pulls from Harbor, which fetches from Docker Hub and serves the cached image afterwards.

https://goharbor.io/docs/2.14.0/administration/configure-proxy-cache

The Harbor chart does not pick up cert-manager by itself, so pass the cluster-issuer annotation to its ingress explicitly and point the chart at the secret cert-manager will populate.

This assumes you already have an nginx ingress controller and a ClusterIssuer named letsencrypt-prod (the same one the MijnBureau config above uses):

kubectl create ns harbor
helm repo add harbor https://helm.goharbor.io
helm repo update
# externalURL defaults to https://core.harbor.domain in the chart; it must match the ingress host
# or the UI and docker login redirect to a name that does not exist.
helm -n harbor install harby harbor/harbor \
  --set expose.type=ingress \
  --set expose.ingress.className=nginx \
  --set expose.ingress.hosts.core=harbor.mijnbureau.rabevcqhguoovcu.xyz \
  --set externalURL=https://harbor.mijnbureau.rabevcqhguoovcu.xyz \
  --set expose.tls.enabled=true \
  --set expose.tls.certSource=secret \
  --set expose.ingress.annotations."cert-manager\.io/cluster-issuer"=letsencrypt-prod \
  --set expose.tls.secret.secretName=harby-harbor-ingress

Log in to the web UI as admin with the chart's default password Harbor12345 and change it straight away (or set a strong one at install time through the chart's harborAdminPassword value, so the default never goes live). Under Administration > Registries create a new endpoint with provider Docker Hub, then create a project (dockerproxy in the example below), enable Proxy Cache on it and select that endpoint.

Now, you can use the proxy!

docker pull harbor.mijnbureau.rabevcqhguoovcu.xyz/dockerproxy/node:24
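Pulling by hand is the easy part; the point is to make workloads pull through the cache. The shell snippet below, an added example that is not part of Harbor or MijnBureau, rewrites image references to the proxy project used on this page (harbor.mijnbureau.rabevcqhguoovcu.xyz/dockerproxy), leaves images on other registries alone, preserves tags and digests, and expands official images to their canonical library/<name> path on Docker Hub (the shorter dockerproxy/node:24 used above resolves to the same image). The manifest it processes is constructed for the example.

```shell
#!/bin/sh
# Rewrite Docker Hub image references so they are pulled through the Harbor proxy-cache
# project instead of straight from docker.io. Added example for this page, not part of
# Harbor or MijnBureau; the host and project name are the ones used on this page.
# Images already on another registry (ghcr.io, quay.io, Harbor itself) are left untouched.

HARBOR_HOST="harbor.mijnbureau.rabevcqhguoovcu.xyz"
PROXY_PROJECT="dockerproxy"

# is_registry_host SEGMENT: the first path component names a registry rather than a
# Docker Hub namespace when it contains a dot or a port, or is "localhost"
# (the rule the docker reference parser applies).
is_registry_host() {
  case "$1" in
    localhost|*.*|*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# proxy_image REF: print REF rewritten to go via the proxy project, or unchanged if it
# does not refer to Docker Hub. Tags and @sha256 digests are kept as they are.
proxy_image() {
  ref="$1"
  # Strip an explicit Docker Hub host so all Hub references look alike.
  case "$ref" in
    docker.io/*)            ref="${ref#docker.io/}" ;;
    index.docker.io/*)      ref="${ref#index.docker.io/}" ;;
    registry-1.docker.io/*) ref="${ref#registry-1.docker.io/}" ;;
  esac
  case "$ref" in
    */*)
      if is_registry_host "${ref%%/*}"; then
        printf '%s\n' "$1"      # some other registry: leave it alone
        return 0
      fi
      ;;
    *)
      ref="library/$ref"        # official image: Docker Hub's canonical library/<name> path
      ;;
  esac
  printf '%s/%s/%s\n' "$HARBOR_HOST" "$PROXY_PROJECT" "$ref"
}

# proxy_manifest: read a Kubernetes manifest on stdin and rewrite every "image:" value.
proxy_manifest() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *"image: "*)
        prefix="${line%%image: *}image: "
        img="${line#*image: }"
        img="${img%\"}"; img="${img#\"}"   # tolerate a quoted value
        printf '%s%s\n' "$prefix" "$(proxy_image "$img")"
        ;;
      *) printf '%s\n' "$line" ;;
    esac
  done
}

# Constructed sample manifest (not from the project) covering the cases handled above.
sample_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
    - name: app
      image: node:24
      imagePullPolicy: Always
    - name: db
      image: docker.io/bitnami/postgresql:16
    - name: tooling
      image: "ghcr.io/example/tool:1.0"
    - name: pinned
      image: nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF
}

sample_manifest | proxy_manifest
```

Pipe rendered manifests (helm template, kustomize build) through proxy_manifest before applying them, or use the same logic in an admission webhook if you want it enforced cluster-wide; either way the cluster only ever pulls Docker Hub images through Harbor.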