It seems the microphone gain was a little high this time, sorry for the slightly worse audio quality today.
@dipeti 2 years ago
I cannot express how grateful I am for you having shared this for free on YT. Would love to buy you a coffee or a bratwurst for your efforts.
@takkerutube 5 years ago
Excellent video on automating certificates in K8s. Probably the best out there. Thank you very much for taking time to do this video. Keep up your amazing work!
@TheEbbemonster 2 years ago
Great work! Even in 2022 it is a great video. Sure I had to update some versions, and some of the ACME stuff has changed, but I got it all up and running :)
@rishabhsingh6049 3 years ago
Not only was the topic covered well, giving clarity on how different resources interact when working with cert-manager, but there was also so much learning in the way you went about the demo. The use of aliases, shell configuration, working with vim, using various commands more efficiently, etc. was the highlight for me. It really shows you have given a good amount of time and thought to developing these skills. Do you have any video where you explain the configuration you have done with your shell?
@newshatavakoli5960 4 years ago
This video was right to the point, just right amount of explanation, not too much, not too little. Thank you so much.
@prashantantil6692 1 year ago
I have also done a similar setup, but I cannot find 'RenewalScheduled' when I describe the certificate resource.
@paweoczady8353 6 years ago
Great tutorial! Many thanks for that stuff :)
@sureshkachwa716 2 years ago
In my case, I have cert-manager, an ingress controller, an ing svc and a cluster issuer deployed for the k8s cluster, and no certificate.yaml. Still, a certificate is being created for all the NS's, and I'm not sure for which domain. Does a certificate get created for the domain you map an A record with your LB public IP?
@duclee9x 2 years ago
Great tutorial, but could you please explain to me how to point a domain to the cluster?
@the_superb_owl 4 years ago
This is the most complete tutorial I've found so far, but I'm still unable to follow. I'm not sure how to get the setup you have at the beginning and things like the ingress yaml are never fully displayed. I checked earlier videos and couldn't get the same setup you have here. Is there a text version of this tutorial anywhere?
@the_superb_owl 4 years ago
I eventually (very eventually) figured things out. I vote for a bit more explaining on initial setup for people that are a bit newer to k8s, and a github repo with working yamls linked in the description would be ideal.
@iliyastrakovich 6 years ago
Thank you very much! Excellent explanation.
@BernardoGarcia19 5 years ago
Great video @kubucation. I have a doubt. In the end, are you using youtube-lets-encrypt-tls or the secrets tls.key and tls.crt created in the previous videos? Or do I need to perform both steps? That is, create my own tls.key and tls.crt and store them in a secret, and afterwards, when you are creating the certificate resource, in the "issuerRef" parameter, that secret is another secret which will be created, and inside it will be the key.tls and the certificate that letsencrypt provides? Do you only get the https functionality when you remove staging and enter production?
@amitkadosh8444 4 years ago
@kubucation, very good explanation!! Do you have the console output or the "history" of the commands you typed? Thank you!
@VIPULKAM1 1 month ago
Are the steps the same for AWS EKS as well?
@pulco50 4 years ago
Thanks, it helps me. Even tho it's a little bit out of date.
@abhijitdasgupta2599 4 years ago
Hi, do you have any video on configuration between Cert-Manager and Vault?
@VijayKumarP-wv8vw 1 year ago
Do we need to create secrets, or will it create them automatically?
@petersonfs 4 years ago
Is it possible to create a certificate with a dynamic host? My service exposes an IP address for customers to configure their domains to point to our services. In the meantime I want to provide a certificate for each domain using our service, to increase security. At the moment we have 5k domains pointing to our services. Could you help me? Thanks!
@devopswithprasanna 5 years ago
Very helpful one ... Thanks
@puneetsaini9613 4 years ago
Hi kubucation, is it possible to use a third-party service as an issuer? For example, there is a service called abc; making a REST API call to it gives you the certificate. Is it possible to set up the same using this service? If yes, can you please share example yaml files for it?
@yomaru_1999 4 years ago
good video, very useful
@sayevil9330 4 years ago
Great tutorial, but could you please provide the yaml files in the video?
@ychetankumarsarma 6 years ago
@kubucation thanks for the awesome video. Can we use a wildcard in a certificate? I have two hosts say xyz.something.com and abc.something.com. Can I use *.something.com in acme config domains?
@kubucation 6 years ago
It wasn’t possible when I recorded the video, but I believe it is now because cert-manager is now compatible with the ACME API v2. However, I believe this requires a DNS-based challenge rather than the HTTP01 challenge.
@ychetankumarsarma 6 years ago
kubucation thanks for your reply. Yes, that's what I figured out. But again, thanks for this awesome video.
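The wildcard setup discussed in the exchange above, as an added example that is not part of the original comments or the video: a staging ClusterIssuer with a DNS01 solver and a Certificate for `*.something.com`, written against the current `cert-manager.io/v1` API. The Cloudflare solver, the resource and secret names, and the e-mail address are assumptions chosen for illustration.

```yaml
# Added example (not from the video). Assumes the DNS zone is hosted at
# Cloudflare and that a Secret "cloudflare-api-token" (hypothetical name)
# exists in the cert-manager namespace. Scope that API token to DNS edits
# on this one zone only, since it can alter records for the whole domain.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-dns          # hypothetical name
spec:
  acme:
    # ACME v2 staging endpoint; switch to the production endpoint
    # only after issuance works against staging.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com             # placeholder address
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      # Wildcard names can only be validated with DNS01, not HTTP01.
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
        selector:
          dnsZones:
            - something.com
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-something-com           # hypothetical name
  namespace: default
spec:
  # Secret that cert-manager creates and fills with tls.crt / tls.key.
  secretName: wildcard-something-com-tls
  issuerRef:
    name: letsencrypt-staging-dns
    kind: ClusterIssuer
  dnsNames:
    - "*.something.com"                  # covers xyz. and abc.something.com
    - something.com                      # apex is not covered by the wildcard
```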
@cynikalX 5 years ago
do you have a blog post or anything in github perhaps about your vim environment and the yaml linter? my vim is set up to put 6 spaces for indentation on yaml files for some reason and rather than try to debug/customize it, would love to see a nice vim set up such as yours..
@cynikalX 5 years ago
Nevermind, see someone else asked the same thing and the answer is github.com/etiennedi/dotfiles yay :-)
@SyntoxicTechTipps 6 years ago
Great video, but I have one small question: does the pod (nginx, which is started for the certificates) keep running the whole time, or is it only started when it is needed?
@kubucation 6 years ago
Thanks! I'll allow myself to translate/rephrase your question so that all the international viewers can benefit from it: "Does the nginx pod started for the HTTP01 challenge stay or is it only started when needed?" - It looks like both the additional pod and the additional ingress rule are only there while the challenge is ongoing. As soon as the challenge was completed successfully, both of them are removed automatically. I'm not entirely sure how the renewing works, whether the keypair we received is enough for the second go or whether we need to complete the challenge again. If it's the latter, I assume they'd just get spun up again.
@SyntoxicTechTipps 6 years ago
kubucation thanks, I wasn't sure whether the pods remain active or not. It would need some compute power to keep it running
@kubucation 6 years ago
Yeah, now that I think more about it, it would be quite bad if they stuck around on a bigger cluster. That would basically mean you'd have at least one extra pod per application. As in actual resources, it would probably consume quite little. CPU should be close to nothing if no traffic is incoming, a certain amount of Memory will definitely stay, though. (This is similar to how serverless solutions such as kubeless work, by the way) Even worse would be if the pod also has resourceRequests specified - I don't know if they do. Because then the pod would reserve resources - whether they're used or not - taking those allocatable resources away from other pods. In addition to that the number of pods per node is also limited. In older versions this limit was relatively low, I think. So yeah, this kind of cleanup really is quite beneficial.
@sharatbhaskar8001 3 years ago
Can we use a letsencrypt certificate for a production app?
@kubucation 3 years ago
Sure. Probably more of a business/compliance decision. From a tech perspective there’s nothing in the way. I’ve definitely used let’s encrypt certs in prod - but not every company might be happy with that.
@ovidiuviper 4 years ago
Hi, how would you fix the following issue in the http-01 challenge? Waiting for http-01 challenge propagation: presented key () did not match expected
@kubucation 4 years ago
This github issue might be helpful for you: github.com/jetstack/cert-manager/issues/681, also note the last post about the slack channel - or maybe try StackOverflow. My guess would be something is set up differently from the expected config, possibly around the ingress config.
@xetra1155 4 years ago
what terminal are you using :)
@kubucation 4 years ago
iTerm2 with zsh and tmux.
@Hujino26 4 years ago
What is your plugin for suggestions? (kzfaq.info/get/bejne/m9pzaMdh29awink.html)
@MarvinBlum 5 years ago
Can I tip you?
@kubucation 5 years ago
Haha. Thanks a lot! No need, though, subscribe if you like (and haven't yet) and possibly spread the word. That's all the tipping I need :)
@MarvinBlum 5 years ago
@@kubucation Thank you very much! Your video was really helpful and saved me a lot of time :) I subscribed.
@kubucation 5 years ago
@@MarvinBlum Happy to hear that, if you have ideas/requests for new videos, just let me know and I'll see what I can do.
@MarvinBlum 5 years ago
@@kubucation Do you have any resources on how to set up ACME DNS using the cert manager?
@kubucation 5 years ago
@@MarvinBlum Hey, sorry for the late reply. Unfortunately I don't. DNS challenges are required for wildcard certs, aren't they? But it should be pretty straightforward, my initial research before I recorded that video was based on the official docs, so there should be plenty in there on how to use the DNS challenges.