We need to have a chat about interfaces in Go

I saw an article on HN today called Back to basics: Writing an application using Go and PostgreSQL. It is generally great, but makes a common mistake – creating an unnecessary mega-interface that serves no purpose but to make the code harder to read and maintain. I see people doing this all the time, and it’s wrong, so I wrote a very long rant on HN about it. HN said “that comment is too long”, so here’s the comment!
Read more →

Trying out HSTS; what broke?

After many years of jrock.us being served over HTTPS, I finally remembered to enable HTTP Strict Transport Security. There was never any reason not to – all traffic to any website or app at jrock.us goes through my reverse proxy, and it’s served with a wildcard *.jrock.us certificate. If it doesn’t go through my reverse proxy, that’s a bug, and should be fixed. Several days after making this change, I closed my GMail tab, and typed mail.
Read more →

Getting Envoy to pick up rotated certificates

Like many people, I use cert-manager to automatically renew my website’s TLS certificates with Let’s Encrypt. Unlike many people, I don’t use an Ingress controller to get traffic into my cluster, I just have a few instances of Envoy that terminate TLS and route traffic to the appropriate backend. Cert-manager handles the mechanics of certificate renewal very efficiently; it runs a controller loop that checks all my Certificate objects for expiration, and when a certificate is close to expiring, it goes out and renews it.
Read more →