feat(blog): create blog page and publish first 2 posts

[Aloui-Ikram]

Description

This PR adds a complete blog system to the Hugo website and publishes the first two posts.

What Was Done

• Created blog section entry point: website/content/blog/_index.md
• Added blog page templates:
  • website/layouts/blog/list.html
  • website/layouts/blog/single.html
• Added author data file: website/data/authors.yml
• Added blog images folder and assets: website/static/images/blog/
• Added blog workflow guide: website/README.md
• Updated blog rendering:
  • author name links to author GitHub/repository
  • tags are shown as plain text (not links)
• Disabled taxonomy pages generation (tags/categories) in website/hugo.toml

Published Posts

• website/content/blog/2026-03-23-k3s-reference-architecture.md
• website/content/blog/2026-03-26-deploying-harbor-satellite-spiffe-spire.md

Validation

• hugo --gc --minify passes
• hugo server -D runs successfully
• both posts are visible on /blog/

Summary by CodeRabbit

• New Features
  • Launched a new blog section with navigation links in the header and footer
  • Added comprehensive guides covering K3s reference architecture and Harbor Satellite deployment with SPIFFE/SPIRE authentication
  • Implemented responsive blog layout with post listings organized by publication year and author profile information

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces a complete blog feature to the Hugo website, including templates for rendering blog post listings and individual articles, CSS styling for a K3s-style layout, author metadata management, navigation integration, and two initial blog posts documenting K3s reference architecture and Harbor Satellite deployment with SPIFFE/SPIRE.

Changes

Cohort / File(s)	Summary
Blog Configuration & Data website/hugo.toml, website/data/authors.yml, website/content/blog/_index.md	Hugo config to disable taxonomy rendering; added two author entries (harbor-team, aloui-ikram) with metadata; created blog landing page with title and description front matter.
Blog Templates website/layouts/blog/list.html, website/layouts/blog/single.html	Added Hugo templates for blog listing page (paginated posts grouped by year in sidebar) and individual post rendering (with author details, avatar/initials fallback, tags, and publication date).
Blog Content website/content/blog/2026-03-23-k3s-reference-architecture.md, website/content/blog/2026-03-26-deploying-harbor-satellite-spiffe-spire.md	Added two comprehensive blog posts: K3s reference architecture with Harbor Satellite and edge deployment workflow; Harbor Satellite + SPIFFE/SPIRE deployment tutorial with air-gap validation.
Styling & Navigation website/assets/css/main.css, website/layouts/partials/navbar.html, website/layouts/partials/footer.html	Added full set of K3s-style blog CSS classes (layout, sidebar, typography, pagination, responsive breakpoints); integrated blog links into navbar and footer navigation.
Blog Documentation website/README.md	Added end-to-end guide for creating and publishing blog posts, covering author metadata, image placement, front matter requirements, templates, local/production builds, and validation checklist.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• docs: K3s + Harbor Satellite end-to-end reference guide and architecture #345: The two new blog posts directly implement the requested K3s + Harbor Satellite reference architecture and SPIFFE/SPIRE end-to-end deployment guide.

Suggested labels

documentation

Suggested reviewers

• amands98
• bupd

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: creating a blog page system and publishing the first 2 blog posts, which aligns with all the file additions and changes in the changeset.
Description check	✅ Passed	The description provides comprehensive detail about what was done, published posts, and validation performed, exceeding the basic template requirements despite missing the 'Fixes:' section.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/add-blog-section

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (6)

website/content/blog/2026-03-26-deploying-harbor-satellite-spiffe-spire.md (1)

73-80: Consider using Harbor's default password for tutorial clarity.

Based on existing documentation patterns, Harbor tutorials typically use the default admin password Harbor12345 for simplicity. This makes examples copy-pasteable for users following along with a fresh Harbor install.

📝 Suggested update

 # 1) Login and get auth token
 TOKEN=$(curl -sk -X POST "https://localhost:9080/login" \
-  -d '{"username":"admin","password":"<HARBOR_PASSWORD>"}' | \
+  -d '{"username":"admin","password":"Harbor12345"}' | \
   grep -o '"token":"[^"]*"' | cut -d'"' -f4)

 # 2) Get nginx:alpine digest from Harbor
-DIGEST=$(curl -sk -u "admin:<HARBOR_PASSWORD>" \
+DIGEST=$(curl -sk -u "admin:Harbor12345" \
   "http://<YOUR_HARBOR_IP>/api/v2.0/projects/library/repositories/nginx/artifacts?q=tags%3Dalpine&page_size=1" | \
   grep -m1 '"digest":' | cut -d'"' -f4)

Based on learnings: "In Harbor Satellite quickstart documentation, prefer hardcoded default values (like 'Harbor12345' for passwords) over environment variable substitution for simplicity and clarity in tutorial examples."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@website/content/blog/2026-03-26-deploying-harbor-satellite-spiffe-spire.md`
around lines 73 - 80, Replace the placeholder <HARBOR_PASSWORD> in the TOKEN and
DIGEST curl examples with the default Harbor admin password "Harbor12345" so the
tutorial is copy-pasteable for fresh installs; update the two occurrences
referenced by the TOKEN assignment (POST to /login) and the DIGEST assignment
(basic auth -u "admin:<HARBOR_PASSWORD>") to use "Harbor12345" exactly as the
example password string.

website/layouts/partials/footer.html (1)

8-8: Consider moving Blog link to a more appropriate section.

The Blog link is placed under "Documentation," but blog content is typically distinct from docs. Consider either moving it to the "Community" or "Project" section, or renaming the section to something broader like "Resources." This is a minor organizational nitpick.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@website/layouts/partials/footer.html` at line 8, The Blog link list item
(<li><a href="{{ "blog/" | relURL }}">Blog</a></li>) is currently inside the
"Documentation" section in the footer partial; either relocate that <li> into
the "Community" or "Project" section UL, or change the "Documentation" section
header to a broader label like "Resources" and keep the Blog link there—update
the corresponding section title or move the Blog <li> element within the same
footer partial to the desired section so the link sits under the appropriate
grouping.

website/layouts/blog/list.html (1)

2-2: Remove unused variable $root.

The variable $root is declared but never referenced in the template.

 {{ define "main" }}
-{{ $root := . }}
 {{ $allPosts := .RegularPages.ByDate.Reverse }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@website/layouts/blog/list.html` at line 2, Remove the unused template
variable declaration by deleting the line that defines $root (the "{{ $root := .
}}" assignment) from the template; ensure no other code references $root first,
and if you intended a root alias use it where needed (e.g., replace direct uses
of "." with "$root") or simply remove the declaration to eliminate the dead
variable.

website/README.md (2)

137-141: Caution: The cleanup command could delete unintended content.

rm -rf ../public is relative to the current directory and could be dangerous if a contributor runs it from an unexpected location. Consider providing a safer, more explicit path or adding a warning.

💡 Suggested improvement

 If needed, remove accidental root-level build artifacts:

 ```bash
+# Run this ONLY from the website/ directory
+cd website
 rm -rf ../public

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @website/README.md around lines 137 - 141, Replace the dangerous relative
cleanup command rm -rf ../public in README.md with a safer, explicit sequence:
require switching to the website directory first (e.g., instruct to run cd website), or use an explicit absolute path, and add a clear warning/prompt line
telling contributors to verify their current working directory before running
the removal; update the README section around the rm -rf ../public snippet to
include this safety note and the explicit directory change so accidental
deletions are avoided.

</details>

---

`104-104`: **Minor: Capitalize "GitHub" as a proper noun.**

The official name uses a capital "H".

```diff
- Author name can link to `repository` or `github`.
+ Author name can link to `repository` or `GitHub`.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@website/README.md` at line 104, The README contains the lowercase token
"github" in the author/link text; update that token to the proper-cased "GitHub"
wherever it appears (e.g., the author link suggestion line referencing `github`)
so the platform name is capitalized correctly.

website/content/blog/2026-03-23-k3s-reference-architecture.md (1)

136-138: Avoid passing passwords as command-line arguments.

Credentials passed via -p <PASSWORD> are visible in shell history and process listings. Consider using --password-stdin or prompting interactively.

🛡️ Suggested improvement

 # Login and push the image to Central Harbor
-docker login -u admin -p <HARBOR_PASSWORD> <CENTRAL_HARBOR_IP>:80
+echo "<HARBOR_PASSWORD>" | docker login -u admin --password-stdin <CENTRAL_HARBOR_IP>:80
 docker push <CENTRAL_HARBOR_IP>:80/library/nginx:alpine

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@website/content/blog/2026-03-23-k3s-reference-architecture.md` around lines
136 - 138, The docker login command is insecure because it passes the password
via -p which exposes credentials; change the login flow to use docker login
--username admin --password-stdin (or prompt interactively) and pipe the
password into it (e.g., echo "<HARBOR_PASSWORD>" | docker login --username admin
--password-stdin <CENTRAL_HARBOR_IP>:80), leaving the docker push
<CENTRAL_HARBOR_IP>:80/library/nginx:alpine unchanged; ensure documentation
explains how to supply the password securely (environment variable or
interactive prompt) rather than embedding it on the command line.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@website/content/blog/2026-03-23-k3s-reference-architecture.md`:
- Around line 147-155: The heredoc currently uses "sudo cat <<EOF_K3S > ..."
which fails because the shell performs the redirection before sudo; replace that
heredoc redirection with "sudo tee ... <<EOF_K3S" so the write is performed with
elevated privileges (you can optionally silence tee's stdout by redirecting its
output). Update the block using the EOF_K3S heredoc identifier accordingly.

In `@website/content/blog/2026-03-26-deploying-harbor-satellite-spiffe-spire.md`:
- Around line 119-122: Update the container stop command to use the actual
container names from the compose: replace the incorrect `harbor` reference with
`satellite` so the command becomes `docker stop satellite ground-control`,
ensuring it targets the satellite and ground-control containers as defined in
the docker-compose; look for the snippet containing the `docker stop harbor
ground-control` line in the blog content and update it to use `satellite` and
`ground-control`.

In `@website/data/authors.yml`:
- Line 13: The LinkedIn avatar URL in authors.yml (avatar key for the author)
uses an expiring CDN link; download and commit the avatar image into the repo's
static images for blog authors (use a stable filename like aloui-ikram.jpg) and
update the avatar value in authors.yml to point to that committed local image
path so the site serves a permanent copy.

---

Nitpick comments:
In `@website/content/blog/2026-03-23-k3s-reference-architecture.md`:
- Around line 136-138: The docker login command is insecure because it passes
the password via -p which exposes credentials; change the login flow to use
docker login --username admin --password-stdin (or prompt interactively) and
pipe the password into it (e.g., echo "<HARBOR_PASSWORD>" | docker login
--username admin --password-stdin <CENTRAL_HARBOR_IP>:80), leaving the docker
push <CENTRAL_HARBOR_IP>:80/library/nginx:alpine unchanged; ensure documentation
explains how to supply the password securely (environment variable or
interactive prompt) rather than embedding it on the command line.

In `@website/content/blog/2026-03-26-deploying-harbor-satellite-spiffe-spire.md`:
- Around line 73-80: Replace the placeholder <HARBOR_PASSWORD> in the TOKEN and
DIGEST curl examples with the default Harbor admin password "Harbor12345" so the
tutorial is copy-pasteable for fresh installs; update the two occurrences
referenced by the TOKEN assignment (POST to /login) and the DIGEST assignment
(basic auth -u "admin:<HARBOR_PASSWORD>") to use "Harbor12345" exactly as the
example password string.

In `@website/layouts/blog/list.html`:
- Line 2: Remove the unused template variable declaration by deleting the line
that defines $root (the "{{ $root := . }}" assignment) from the template; ensure
no other code references $root first, and if you intended a root alias use it
where needed (e.g., replace direct uses of "." with "$root") or simply remove
the declaration to eliminate the dead variable.

In `@website/layouts/partials/footer.html`:
- Line 8: The Blog link list item (<li><a href="{{ "blog/" | relURL
}}">Blog</a></li>) is currently inside the "Documentation" section in the footer
partial; either relocate that <li> into the "Community" or "Project" section UL,
or change the "Documentation" section header to a broader label like "Resources"
and keep the Blog link there—update the corresponding section title or move the
Blog <li> element within the same footer partial to the desired section so the
link sits under the appropriate grouping.

In `@website/README.md`:
- Around line 137-141: Replace the dangerous relative cleanup command `rm -rf
../public` in README.md with a safer, explicit sequence: require switching to
the website directory first (e.g., instruct to run `cd website`), or use an
explicit absolute path, and add a clear warning/prompt line telling contributors
to verify their current working directory before running the removal; update the
README section around the `rm -rf ../public` snippet to include this safety note
and the explicit directory change so accidental deletions are avoided.
- Line 104: The README contains the lowercase token "github" in the author/link
text; update that token to the proper-cased "GitHub" wherever it appears (e.g.,
the author link suggestion line referencing `github`) so the platform name is
capitalized correctly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 413e0774-ac6f-4c04-83aa-0fe4b4fb1ff3

📥 Commits

Reviewing files that changed from the base of the PR and between 66a312f and 681c2c9.

⛔ Files ignored due to path filters (2)

• website/static/images/blog/architecture-overview.png is excluded by !**/*.png
• website/static/images/blog/spiffe-security-model.png is excluded by !**/*.png

📒 Files selected for processing (11)

• website/README.md
• website/assets/css/main.css
• website/content/blog/2026-03-23-k3s-reference-architecture.md
• website/content/blog/2026-03-26-deploying-harbor-satellite-spiffe-spire.md
• website/content/blog/_index.md
• website/data/authors.yml
• website/hugo.toml
• website/layouts/blog/list.html
• website/layouts/blog/single.html
• website/layouts/partials/footer.html
• website/layouts/partials/navbar.html

[coderabbitai]

⚠️ Potential issue | 🟠 Major

The sudo cat <<EOF pattern won't work as expected.

Shell redirection (>) is evaluated before sudo runs, so writing to /etc/rancher/k3s/registries.yaml will fail with permission denied. Use sudo tee instead.

🐛 Proposed fix

 ```bash
 sudo mkdir -p /etc/rancher/k3s
-sudo cat <<EOF_K3S > /etc/rancher/k3s/registries.yaml
+sudo tee /etc/rancher/k3s/registries.yaml > /dev/null <<EOF_K3S
 mirrors:
   "docker.io":
     endpoint:
       - "http://127.0.0.1:5050"
 EOF_K3S

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @website/content/blog/2026-03-23-k3s-reference-architecture.md around lines
147 - 155, The heredoc currently uses "sudo cat <<EOF_K3S > ..." which fails
because the shell performs the redirection before sudo; replace that heredoc
redirection with "sudo tee ... <<EOF_K3S" so the write is performed with
elevated privileges (you can optionally silence tee's stdout by redirecting its
output). Update the block using the EOF_K3S heredoc identifier accordingly.

</details>

<!-- fingerprinting:phantom:poseidon:ocelot -->

<!-- This is an auto-generated comment by CodeRabbit -->

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check what container naming conventions are used in the setup scripts
echo "=== Checking Ground Control setup script ==="
fd -t f 'setup.sh' deploy/quickstart --exec grep -l 'docker\|container' {} \; 2>/dev/null | head -5 | xargs -I{} sh -c 'echo "--- {} ---" && grep -E "(docker|container_name)" {} | head -10'

echo ""
echo "=== Checking for docker-compose files ==="
fd -e yml -e yaml . deploy/quickstart --exec grep -l 'container_name' {} \; 2>/dev/null | head -5 | xargs -I{} sh -c 'echo "--- {} ---" && grep "container_name" {}'

Repository: container-registry/harbor-satellite

Length of output: 4447

---

Update container names to match deployment.

The command docker stop harbor ground-control uses incorrect container names. Based on the docker-compose configurations, the satellite container is named satellite (not harbor), while ground-control is correct. Update to docker stop satellite ground-control.

Current snippet

docker stop harbor ground-control
# Expected: central side is unavailable

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@website/content/blog/2026-03-26-deploying-harbor-satellite-spiffe-spire.md`
around lines 119 - 122, Update the container stop command to use the actual
container names from the compose: replace the incorrect `harbor` reference with
`satellite` so the command becomes `docker stop satellite ground-control`,
ensuring it targets the satellite and ground-control containers as defined in
the docker-compose; look for the snippet containing the `docker stop harbor
ground-control` line in the blog content and update it to use `satellite` and
`ground-control`.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Avatar URL may expire or become unavailable.

The LinkedIn CDN URL contains an expiry parameter (e=1775692800) and beta versioning that may cause the image to break in the future. Consider hosting the avatar locally in website/static/images/blog/ for long-term reliability.

📷 Suggested fix

1. Save the avatar image to website/static/images/blog/authors/aloui-ikram.jpg
2. Update the avatar URL:

-  avatar: https://media.licdn.com/dms/image/v2/D4D03AQH8ytxhT5OyHw/profile-displayphoto-scale_400_400/B4DZx0_I.SKYAo-/0/1771489235692?e=1775692800&v=beta&t=0Uy1yy1cbltfaWYGIkuhmxUSdVd7GJx6UQ2BZIYUkrI
+  avatar: /images/blog/authors/aloui-ikram.jpg

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@website/data/authors.yml` at line 13, The LinkedIn avatar URL in authors.yml
(avatar key for the author) uses an expiring CDN link; download and commit the
avatar image into the repo's static images for blog authors (use a stable
filename like aloui-ikram.jpg) and update the avatar value in authors.yml to
point to that committed local image path so the site serves a permanent copy.

[cubic-dev-ai]

1 issue found across 13 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="website/data/authors.yml">

<violation number="1" location="website/data/authors.yml:13">
P2: Use a stable avatar URL (or a local static image path) instead of a tokenized LinkedIn CDN link, which is likely to expire and break the author image.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: Use a stable avatar URL (or a local static image path) instead of a tokenized LinkedIn CDN link, which is likely to expire and break the author image.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At website/data/authors.yml, line 13:

<comment>Use a stable avatar URL (or a local static image path) instead of a tokenized LinkedIn CDN link, which is likely to expire and break the author image.</comment>

<file context>
@@ -0,0 +1,13 @@
+  role: Contributor
+  repository: https://github.com/Aloui-Ikram
+  github: https://github.com/Aloui-Ikram
+  avatar: https://media.licdn.com/dms/image/v2/D4D03AQH8ytxhT5OyHw/profile-displayphoto-scale_400_400/B4DZx0_I.SKYAo-/0/1771489235692?e=1775692800&v=beta&t=0Uy1yy1cbltfaWYGIkuhmxUSdVd7GJx6UQ2BZIYUkrI
</file context>