Add new blog posts: Go profiling guide, Kubernetes ingress for external apps, and Qwen 2.5 Coder models guide.

Author: mattmattox

blog/content/post/golang-pprof-profiling-guide.md

@@ -0,0 +1,166 @@
+---
+title: "A Practical Guide to Profiling Go Applications with pprof"
+date: 2025-04-18T00:00:00-05:00
+draft: false
+tags: ["Golang", "Performance", "pprof", "Profiling", "Optimization"]
+categories:
+- Go Development
+- Performance Optimization
+author: "Matthew Mattox - mmattox@support.tools"
+description: "Learn how to effectively profile and optimize Go applications using pprof with practical examples and visualization techniques."
+more_link: "yes"
+url: "/golang-pprof-profiling-guide/"
+---
+
+Golang's built-in tooling is one of its greatest strengths for developers. While many appreciate `go fmt` for consistent code formatting and `go test` for testing, fewer developers leverage Go's powerful profiling capabilities. This guide demonstrates how to use pprof to identify performance bottlenecks in your Go applications.
+
+<!--more-->
+
+# Go Performance Profiling with pprof: A Practical Guide
+
+## What Makes pprof Valuable
+
+Go's official profiling tool, pprof, provides exceptional insights into your application's performance characteristics with minimal configuration. It offers:
+
+- CPU usage analysis
+- Memory allocation profiling
+- Blocking operation identification
+- Visual representation of performance data
+- Minimal runtime overhead
+
+Let's walk through profiling a real application: [dockertags](https://github.com/goodwithtech/dockertags), a tool for listing available Docker image tags.
+
+## Setting Up CPU Profiling in Your Application
+
+Adding profiling to your Go application requires only a few lines of code. Insert the following at the beginning of your `main()` function:
+
+```go
+func main() {
+    // Create CPU profile file
+    f, err := os.Create("cpu.pprof")
+    if err != nil {
+        log.Fatal(err)
+    }
+    
+    // Start CPU profiling
+    pprof.StartCPUProfile(f)
+    
+    // Ensure profiling stops when the function exits
+    defer pprof.StopCPUProfile()
+    
+    // Your existing application code continues here...
+}
+```
+
+This snippet creates a file named `cpu.pprof` that will store the CPU profiling data while your application runs.
+
+## Building and Running Your Profiled Application
+
+Once you've added the profiling code, build and run your application as usual:
+
+```bash
+# Build the application
+$ go build -o profiled-app ./cmd/myapp
+
+# Run the application with normal workload
+$ ./profiled-app [normal arguments]
+```
+
+After your application completes its work, you'll find a `cpu.pprof` file in your current directory. This file contains all the profiling data collected during execution.
+
+## Analyzing Profile Data
+
+There are two main approaches to analyzing the collected profile data: web-based visualization and command-line inspection.
+
+### Web-Based Visualization (Recommended)
+
+The web interface provides interactive flame graphs and visualization options that make performance bottlenecks immediately obvious:
+
+```bash
+$ go tool pprof -http=":8000" profiled-app ./cpu.pprof
+Serving web UI on http://localhost:8000
+```
+
+This command starts a local web server on port 8000. Open your browser and navigate to `http://localhost:8000` to explore the profile data.
+
+The web interface offers several visualization options:
+
+1. **Flame Graph**: The most intuitive view for understanding call hierarchies and CPU consumption
+2. **Graph**: Shows function relationships with proportional box sizes
+3. **Top**: Lists functions by resource consumption
+4. **Source**: Links profiling data to source code when available
+
+To access the flame graph, select "Flame Graph" from the "VIEW" dropdown in the interface header. The wider the function's bar in the graph, the more CPU time it consumed.
+
+### Command-Line Analysis
+
+For quick analysis or when working remotely, the command-line interface provides powerful inspection tools:
+
+```bash
+$ go tool pprof profiled-app cpu.pprof
+File: profiled-app
+Type: cpu
+Time: Apr 17, 2025 at 9:39pm (EST)
+Duration: 3.12s, Total samples = 85ms (2.72%)
+Entering interactive mode (type "help" for commands, "o" for options)
+(pprof)
+```
+
+The most useful commands include:
+
+- `top`: Displays functions consuming the most resources
+- `tree`: Shows the call hierarchy with resource consumption
+- `list [function]`: Shows line-by-line profiling data for a specific function
+- `web`: Generates a visual graph and opens it in your browser
+- `svg`: Outputs a visualization in SVG format
+
+Example `top` command output:
+
+```
+(pprof) top
+Showing nodes accounting for 85ms, 100% of 85ms total
+Showing top 10 nodes out of 42
+      flat  flat%   sum%        cum   cum%
+      52ms 61.18% 61.18%       52ms 61.18%  runtime.cgocall
+      23ms 27.06% 88.24%       23ms 27.06%  runtime.madvise
+      10ms 11.76%   100%       10ms 11.76%  crypto/elliptic.p256Sqr
+         0     0%   100%       10ms 11.76%  crypto/elliptic.(*p256Point).p256BaseMult
+         0     0%   100%       10ms 11.76%  crypto/elliptic.GenerateKey
+         0     0%   100%       52ms 61.18%  crypto/tls.(*Conn).Handshake
+```
+
+## Interpreting Profile Results
+
+When analyzing your profile data, look for:
+
+1. **Functions with high cumulative time**: These are functions that, including their children, consume significant resources.
+2. **Functions with high flat time**: These functions directly consume significant resources without accounting for called functions.
+3. **Unexpected CPU hotspots**: Areas where CPU usage is disproportionate to the expected workload.
+
+In our example application, we can see significant time spent in TLS handshakes and cryptographic operations, suggesting network security operations may be a bottleneck.
+
+## Beyond CPU Profiling
+
+While this guide focused on CPU profiling, pprof supports multiple profiling types:
+
+- **Memory profiling**: Add `defer profile.WriteHeapProfile(f)` to capture memory allocation patterns
+- **Block profiling**: Use `runtime.SetBlockProfileRate()` to profile goroutine blocking
+- **Mutex profiling**: Enable with `runtime.SetMutexProfileFraction()` to find lock contention
+
+## Practical Optimization Tips
+
+After identifying bottlenecks with pprof, consider these optimization strategies:
+
+1. **Reduce allocations**: Minimize garbage collection pressure by reusing objects
+2. **Parallelize CPU-bound operations**: Use goroutines for compute-intensive tasks
+3. **Buffer I/O operations**: Batch network and disk operations to reduce syscall overhead
+4. **Cache expensive computations**: Store results of functions that are called repeatedly
+5. **Use sync.Pool**: For frequently allocated and reclaimed objects
+
+## Conclusion
+
+Profiling is an essential practice for developing high-performance Go applications. With pprof's minimal setup requirements and powerful visualization capabilities, there's no reason not to integrate profiling into your development workflow.
+
+By regularly profiling your Go code, you can make data-driven optimization decisions that target actual bottlenecks rather than perceived ones. This approach leads to more efficient applications and a better understanding of your code's runtime characteristics.
+
+For more Go performance techniques, explore our other guides on benchmarking, concurrency patterns, and efficient data structures.

blog/content/post/kubernetes-ingress-external-apps.md

@@ -0,0 +1,184 @@
+---
+title: "Kubernetes Ingress Hack: Managing Domain Names and TLS for External Applications"
+date: 2025-05-01T00:00:00-05:00
+draft: false
+tags: ["Kubernetes", "Ingress", "TLS", "External Services", "DevOps", "Cert-Manager"]
+categories:
+- Kubernetes
+- Security
+author: "Matthew Mattox - mmattox@support.tools"
+description: "Learn how to leverage Kubernetes Ingress controllers to provide domain names and automated TLS certificates for applications running outside your cluster."
+more_link: "yes"
+url: "/kubernetes-ingress-external-apps/"
+---
+
+Kubernetes excels at managing domains and TLS certificates for applications running inside the cluster, but what about your legacy applications, standalone Docker containers, or specialized hardware that lives outside Kubernetes? This practical guide demonstrates a clever technique to extend Kubernetes' powerful Ingress capabilities to any external application.
+
+<!--more-->
+
+# Extending Kubernetes Ingress to Non-Cluster Applications
+
+## The Challenge: Managing External Application Access
+
+While Kubernetes provides robust solutions for traffic routing, TLS certificate management, and domain configuration for workloads running inside the cluster, many organizations maintain a mix of infrastructure:
+
+- Legacy applications not suitable for containerization
+- Standalone services running on VMs or EC2 instances
+- Specialized hardware with custom requirements
+- Third-party services requiring secure access
+
+Without a centralized approach, teams face several challenges:
+
+1. Manual certificate management and renewal
+2. Inconsistent domain configuration across environments
+3. Complex DNS management
+4. Higher security risks from expired certificates or misconfigurations
+5. Operational overhead managing multiple ingress solutions
+
+## The Solution: Kubernetes as a Smart Proxy
+
+By leveraging Kubernetes' ability to define Services without selectors and manually specifying Endpoints, we can create a solution that:
+
+- Uses Kubernetes Ingress for routing to external applications
+- Leverages cert-manager for automatic TLS certificate provisioning
+- Centralizes domain management in your existing Kubernetes tooling
+- Requires zero modifications to the external applications
+
+## Implementation in Three Simple Steps
+
+### Step 1: Define a Service with Manual Endpoints
+
+Unlike typical Kubernetes Services that automatically discover pods via selectors, we'll create a Service without selectors and manually define the Endpoints:
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: external-app-service
+  namespace: default
+spec:
+  ports:
+    - port: 80
+      targetPort: 8080
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: external-app-service
+  namespace: default
+subsets:
+  - addresses:
+      - ip: 10.240.0.129  # Your external application's IP address
+    ports:
+      - port: 8080        # The port your application listens on
+```
+
+This configuration tells Kubernetes where to find your external application and how to route traffic to it.
+
+### Step 2: Set Up Automated TLS Certificate Management
+
+Leverage cert-manager to automatically obtain and renew certificates from Let's Encrypt:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: external-app-cert
+  namespace: default
+spec:
+  secretName: external-app-tls
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  dnsNames:
+    - external-app.yourdomain.com
+```
+
+This assumes you've already [installed cert-manager](https://cert-manager.io/docs/installation/) and configured a ClusterIssuer for Let's Encrypt.
+
+### Step 3: Configure the Ingress Resource
+
+Finally, create an Ingress resource to route traffic from your domain to the external service:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: external-app-ingress
+  namespace: default
+  annotations:
+    kubernetes.io/ingress.class: "nginx"  # Use your Ingress controller class
+spec:
+  tls:
+    - hosts:
+        - external-app.yourdomain.com
+      secretName: external-app-tls
+  rules:
+    - host: external-app.yourdomain.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: external-app-service
+                port:
+                  number: 80
+```
+
+## How It Works: The Technical Details
+
+This solution creates a seamless bridge between Kubernetes and your external applications:
+
+1. **Traffic Flow**: External requests hit your Kubernetes Ingress controller
+2. **TLS Termination**: The Ingress controller handles TLS termination using the certificate from cert-manager
+3. **Routing**: Traffic is forwarded to the Service, which has no pod selectors
+4. **Service to Endpoint**: Since there are no matching pods, Kubernetes uses the manually defined Endpoints
+5. **Final Delivery**: Traffic reaches your external application with the correct host headers and paths
+
+## Advantages of This Approach
+
+Centralizing your ingress through Kubernetes provides several key benefits:
+
+1. **Unified Certificate Management**: All TLS certificates managed in one place
+2. **Automatic Renewal**: No more expired certificate emergencies
+3. **Consistent Configuration**: Same Ingress patterns for all applications
+4. **Easy Migration Path**: Simplifies eventual migration to containerized workloads
+5. **Existing Tooling**: Leverage familiar Kubernetes tools and monitoring
+6. **Security Standardization**: Consistent TLS configurations across all services
+
+## Practical Use Cases
+
+This technique proves valuable in numerous real-world scenarios:
+
+### Legacy Application Integration
+Connect mission-critical legacy applications to your modern infrastructure without modification.
+
+### Hybrid Cloud Management
+Maintain consistent access patterns across on-premises and cloud resources.
+
+### Hardware Appliance Access
+Provide secure access to specialized hardware devices through your standard Kubernetes gateway.
+
+### Development Environments
+Create consistent access to development tools that may run outside the cluster.
+
+### Third-Party Service Integration
+Provide a unified interface for accessing both internal and external services.
+
+## Implementation Considerations
+
+While this approach is powerful, keep these factors in mind:
+
+- **Network Connectivity**: Ensure your Kubernetes nodes can reach the external application IP
+- **Health Checks**: Consider implementing custom health checks for the external service
+- **Security**: Remember the traffic between Kubernetes and the external application is unencrypted unless you configure additional TLS
+- **IP Changes**: If your external application's IP changes, you'll need to update the Endpoints resource
+
+## Conclusion
+
+This Kubernetes ingress hack for external applications demonstrates the flexibility of Kubernetes as a platform. By treating Kubernetes as a smart proxy with automated certificate management, you can significantly simplify your overall architecture while maintaining robust security practices.
+
+Whether you're managing a hybrid infrastructure, transitioning to containers, or simply need to maintain legacy systems alongside modern applications, this approach provides a practical solution that leverages your existing Kubernetes investment.
+
+For complex environments, consider implementing this pattern with Helm charts or GitOps workflows to ensure consistent configuration and easy management across multiple external applications and environments.