
Use cert-manager with Let's Encrypt® Certificates Tutorial: Automatic Browser-Trusted HTTPS

Views: 29,944

kubucation

A day ago

Comments: 51
@kubucation 6 years ago
It seems the microphone gain was a little high this time, sorry for the slightly worse audio quality today.
@dipeti 2 years ago
I cannot express how grateful I am for you having shared this for free on YT. Would love to buy you a coffee or a bratwurst for your efforts.
@takkerutube 5 years ago
Excellent video on automating certificates in K8's. Probably the best out there. Thank you very much for taking time to do this video. Keep up your amazing work!
@TheEbbemonster 2 years ago
Great work! Even in 2022 it is a great video. Sure I had to update some versions, and some of the ACME stuff has changes, but I got it all up and running :)
@rishabhsingh6049 3 years ago
Not only the topic was covered well, and gave a clarity on how different resources interact when working with cert-manager, but, there was so much learning in the way you went about the demo. Use of aliases, shell configuration, working with the vim, using various commands more efficiently, etc was the highlight for me. Really shows you have given some good amount of time and thought in developing these skills. Do you have any such video where you explained about the configurations you have done with your shell?
@newshatavakoli5960 4 years ago
This video was right to the point, just right amount of explanation, not too much, not too little. Thank you so much.
@prashantantil6692 a year ago
I have also done the similar setup but I cannot find the 'RenewalScheduled' when described the certificate resource.
@paweoczady8353 6 years ago
Great tutorial! Many thanks for that stuff :)
@sureshkachwa716 2 years ago
In my case, I have cert-manager, ingress controller, ing svc, and a cluster issuer for the k8s cluster deployed and no certificate.yaml, yet a certificate is still being created for all the NS's and I'm not sure for which domain. Does a certificate get created for the domain you map an A record to with your LB public IP?
@duclee9x 2 years ago
Great tutorial, but could you please explain me how to point domain to the cluster?
@the_superb_owl 4 years ago
This is the most complete tutorial I've found so far, but I'm still unable to follow. I'm not sure how to get the setup you have at the beginning and things like the ingress yaml are never fully displayed. I checked earlier videos and couldn't get the same setup you have here. Is there a text version of this tutorial anywhere?
@the_superb_owl 4 years ago
I eventually (very eventually) figured things out. I vote for a bit more explaining on initial setup for people that are a bit newer to k8s, and a github repo with working yamls linked in the description would be ideal.
@iliyastrakovich 6 years ago
Thank you very much! Excellent explanation.
@BernardoGarcia19 5 years ago
Great video @kubucation. I have a doubt. Finally, are you using the youtube-lets-encrypt-tls or the secrets tls.key and tls.crt created before in the previous videos? Or do I need to perform both steps? This means, create my own tls.key and tls.crt and store them in a secret, and after, when you are creating the certificate resource, in the "issuerRef" parameter, that secret is another secret which will be created and inside it will be the key.tls and the certificate that letsencrypt provides? Do you only get the https functionality when you remove staging and enter production?
@amitkadosh8444 4 years ago
@kubucation, very good explanation!! Do you have the console output or the "history" of the commands you typed? Thank you!
@VIPULKAM1 a month ago
Are the steps same for AWS eks as well?
@pulco50 4 years ago
Thanks, it helps me. Even tho it's a little bit out of date.
@abhijitdasgupta2599 4 years ago
Hi, are you having any video of configuration between Cert-Manager and Vault?
@VijayKumarP-wv8vw a year ago
Do we need to create secrets or will it create them automatically?
@petersonfs 4 years ago
Is it possible to create a certificate with a dynamic host? My service exposes an IP address for the customers configuring their domains to point to our services. In the meantime I want to provide a certificate for each domain using our service, to increase security. At the moment we have 5k domains pointing to our services. Could you help me? Thanks!
@devopswithprasanna 5 years ago
Very helpful one ... Thanks
@puneetsaini9613 4 years ago
Hi kubucation, is it possible to use a third party service as an issuer? For example, there is a service called abc; making a REST API call to it gives you the certificate. Is it possible to set up the same using this service? If yes, can you please share example yaml files for it?
@yomaru_1999 4 years ago
good video, very useful
@sayevil9330 4 years ago
Great tutorial, but could you please provide the yaml files in the video?
@ychetankumarsarma 6 years ago
@kubucation thanks for the awesome video. Can we use a wildcard in a certificate? I have two hosts say xyz.something.com and abc.something.com. Can I use *.something.com in acme config domains?
@kubucation 6 years ago
It wasn’t possible when I recorded the video, but I believe it is now because cert-manager is now compatible with the ACME API v2. However, I believe this requires a DNS-based challenge rather than the HTTP01 challenge.
@ychetankumarsarma 6 years ago
kubucation thanks for your reply. Yes, that's what I figured out. But again, thanks for this awesome video.
@cynikalX 5 years ago
do you have a blog post or anything in github perhaps about your vim environment and the yaml linter? my vim is set up to put 6 spaces for indentation on yaml files for some reason and rather than try to debug/customize it, would love to see a nice vim set up such as yours..
@cynikalX 5 years ago
Nevermind, see someone else asked the same thing and the answer is github.com/etiennedi/dotfiles yay :-)
@SyntoxicTechTipps 6 years ago
Great video, but I have one small question: does the pod (nginx, which is started for the certificates) keep running the whole time, or is it only started when it is needed?
@kubucation 6 years ago
Thanks! I'll allow myself to translate/rephrase your question so that all the international viewers can benefit from it: "Does the nginx pod started for the HTTP01 challenge stay or is it only started when needed?" - It looks like both the additional pod and the additional ingress rule are only there while the challenge is ongoing. As soon as the challenge was completed successfully, both of them are removed automatically. I'm not entirely sure how the renewing works, whether the keypair we received is enough for the second go or whether we need to complete the challenge again. If it's the latter, I assume they'd just get spun up again.
@SyntoxicTechTipps 6 years ago
kubucation thanks, I wasn't sure whether the pods remain active or not. It would need some compute power to keep it running.
@kubucation 6 years ago
Yeah, now that I think more about it, it would be quite bad if they stuck around on a bigger cluster. That would basically mean you'd have at least one extra pod per application. As in actual resources, it would probably consume quite little. CPU should be close to nothing if no traffic is incoming, a certain amount of Memory will definitely stay, though. (This is similar to how serverless solutions such as kubeless work, by the way) Even worse would be if the pod also has resourceRequests specified - I don't know if they do. Because then the pod would reserve resource - whether they're used or not - taking those allocatable resources away from other pods. In addition to that the number of pods per node is also limited. In older versions this limit was relatively low, I think. So yeah, this kind of cleanup really is quite beneficial.
@sharatbhaskar8001 3 years ago
can we use letsencrypt certificate for production app?
@kubucation 3 years ago
Sure. Probably more of a business/compliance decision. From a tech perspective there’s nothing in the way. I’ve definitely used let’s encrypt certs in prod - but not every company might be happy with that.
@ovidiuviper 4 years ago
Hi, how would you fix the following issue in the http-01 challenge? Waiting for http-01 challenge propagation: presented key () did not match expected
@kubucation 4 years ago
This github issue might be helpful for you: github.com/jetstack/cert-manager/issues/681, also note the last post about the slack channel - or maybe try StackOverflow. My guess would be something is set up differently from the expected config, possibly around the ingress config.
@xetra1155 4 years ago
what terminal are you using :)
@kubucation 4 years ago
Iterm2 with zsh and tmux.
@Hujino26 4 years ago
what is ur plugin for suggestion ? (kzfaq.info/get/bejne/m9pzaMdh29awink.html)
@MarvinBlum 5 years ago
Can I tip you?
@kubucation 5 years ago
Haha. Thanks a lot! No need, though, subscribe if you like (and haven't yet) and possibly spread the word. That's all the tipping I need :)
@MarvinBlum 5 years ago
@kubucation Thank you very much! Your video was really helpful and saved me a lot of time :) I subscribed.
@kubucation 5 years ago
@MarvinBlum Happy to hear that, if you have ideas/requests for new videos, just let me know and I'll see what I can do.
@MarvinBlum 5 years ago
@kubucation Do you have any resources on how to set up ACME DNS using the cert manager?
@kubucation 5 years ago
@MarvinBlum Hey, sorry for the late reply. Unfortunately I don't. DNS challenges are required for wildcard certs, aren't they? But it should be pretty straightforward, my initial research before I recorded that video was based on the official docs, so there should be plenty in there on how to use the DNS challenges.