Cert Manager Kubernetes Tutorial (Let's Encrypt & Nginx Ingress & ACME | 5 Examples | YAML & HELM)

25,427 views

Anton Putra

1 day ago

Comments: 84
@AntonPutra 1 year ago
🔴 - To support my channel, I’d like to offer Mentorship/On-the-Job Support/Consulting - me@antonputra.com
@roberto_camp 2 years ago
Outstanding content, great pace and just the right level of detail. You always do a killer job.
@AntonPutra 2 years ago
Thanks Robert!
@dntwantgglplus 1 year ago
@@AntonPutra excellent video. thank you anton!
@PanchananaPanigrahi-tq9hv 6 months ago
This video really demonstrates how intelligent you are.
@AntonPutra 6 months ago
thanks ❤️
@janiel471 8 months ago
Valuable for every minute with the right pace. Thank you so much❤❤❤
@AntonPutra 8 months ago
thanks!
@LalitYadav-eo4hv 3 years ago
Thanks
@AntonPutra 3 years ago
Thank you Lalit!
@mikg898 3 years ago
You saved me! Been crying to solve the Pending Challenge issue
@AntonPutra 3 years ago
you're welcome🙂
@wotizit 2 years ago
Omg I have that same issue, gonna watch and try figuring it out
@patricklukeastrero4015 2 years ago
same same. been crying as well
@sumanta8504 3 years ago
Great content, one suggestion is please remove the background volume or make it low, it is actually annoying me. Thanks
@AntonPutra 3 years ago
Thanks, I already removed it from all new videos.
@techmiker 1 year ago
Brilliant video as ever! I'm coming to this late so I had to upgrade the version of Kubernetes and for some reason there was no "-o" flag on my base64 command so I used redirection (">" ) instead.
@AntonPutra 1 year ago
Thanks! Will update soon
@nikhilpatel4278 1 year ago
This content is Brilliant Sir, thank you very much!
@AntonPutra 1 year ago
Thank you!
@AntonPutra 1 year ago
👉 How to Manage Secrets in Terraform - kzbin.info/www/bejne/aX-TpXqBrNt1mqM 👉 Terraform Tips & Tricks - kzbin.info/www/bejne/bYScZaKLid5lsJY 👉 ArgoCD Tutorial - kzbin.info/www/bejne/sHjRlZqafMZkisU
@sharhanalhassan499 2 years ago
Awesome!! A quick one. I created a certificate for my sub-domain which works well. Now I want to create another certificate for another deployment in another sub-domain. Do I still use the same ClusterIssuer, modify the initial certificate to have a different metadata/name, secretName, and dnsNames and deploy it? (That's what I tried and it didn't work). Or I need to create a whole new ClusterIssuer and different Certificate yml file for the new deployment Thanks for your quick reply to messages
@AntonPutra 2 years ago
You keep the ClusterIssuer and create additional yaml files for certificates if you use your own CA. If you use letsencrypt, you don't need to create certificate yaml files it's handled on ingress itself.
@DoinitaBordeianu 2 months ago
Thanks a lot Anton for your great training. We do have OCP clusters on private IP address and use the private CA from Red Hat IdM FreeIPA. We are not sure which one of these examples is the most suitable for us. Would appreciate your suggestions. :)
@AntonPutra 2 months ago
Well, if you already have a certificate, you can create Kubernetes secrets with that cert and use it for https
@DoinitaBordeianu 2 months ago
@@AntonPutra Thank you for your response Anton. I will be creating a clusterissuer and a certificate as part of the cert-manager operator process.
@isandozi 2 years ago
Thank you for sharing this. Do you have any guidance on how to renew an expired certificate?
@AntonPutra 2 years ago
If you use cert-manager to obtain certificate it will automatically renew it. What's your use case?
@isandozi 2 years ago
@@AntonPutra I have created a new certificate and secret, the certificate is in "Ready" state. However, when navigate to the site, I am getting a "Fake Certificate message". Any advice would be appreciated. I have looked at Ingress controllers, and all of that is accurate.
@AntonPutra 2 years ago
@@isandozi it's because you used staging environment of letsencrypt. You just need to update url to use the "production" env.
@isandozi 2 years ago
@@AntonPutra is this in the clusterIssuer?
@isandozi 2 years ago
I'm unable to see the production url environment on Let's Encrypt. Do you still have it?
@LalitYadav-eo4hv 3 years ago
Awesome video very informative, going to try today. Is there any way we can automate IAM part? I will try that but worth watching video. Thank u Anton
@AntonPutra 3 years ago
Usually, IAM is part of the terraform code, what do you mean by automate?
@LalitYadav-eo4hv 3 years ago
@@AntonPutra yeah thanks for the suggestion, i having jenkins job setup to launch EKS using terraform as per ur video, later i setup monitoring job for prometheus and Grafana, now in last 2 videos i am bit stuck on the manually when we are creating policy and OpenID configuration that part i am trying to automate, let’s see if i can make it. Also 1 more question do i need to edit namespace manually while setting up ingress like u did it in previous video? Anyways I really liked ur videos informative and clears all the concepts.
@LalitYadav-eo4hv 3 years ago
I was wondering if u r going for another video where we can store the prometheus metrics data to some DB like dynamo to capture historical metrics
@AntonPutra 3 years ago
@@LalitYadav-eo4hv Thanks, I have a plan for a video that combine EKS creating from scratch including OpenID connect provider in terraform to automate/simplify. By default prometheus only select service monitors objects in its own namespace. You don't need to add label to namespace manually, you can simply specify in the helm or yaml to deploy "Service Monitor" object to monitor Nginx ingress in "monitoring" ns where you have Prometheus
@AntonPutra 3 years ago
@@LalitYadav-eo4hv Best and the cheapest way to store metrics for the long term is S3 compatible storage. I have plan to create video to use Thanos, since we've been using it in prod for over a year now. other option is cortex. It's gonna be way cheaper than any database.
@El18Cucuy 3 years ago
Thank you
@AntonPutra 3 years ago
You're welcome :)
@s_dee_13 2 years ago
How would you go about doing full end-to-end encryption instead of terminating at the ingress
@AntonPutra 2 years ago
just create a service of the type LoadBalancer, then implement logic to terminate tls in your application (use nlb - network load balancer)
@arunreddy3844 7 months ago
Hi Anton, thank you! I had a quick question which is out of context. I have been trying to set up an on-prem k8s cluster using kubeadm on ubuntu servers (through Oracle virtual box). Getting an issue while deploying the network plugin (Calico in my case): the pod is not spinning up, below are the events I found. Same issue across other OS flavor (centos) too. Could you pls help me with the resolution? fyi .. I have chosen MAC Address policy as Generate new MAC addresses for all network adapters while creating VM through Oracle virtual box. Am I missing something here?
Type     Reason       Age               From               Message
----     ------       ----              ----               -------
Normal   Scheduled    36s               default-scheduler  Successfully assigned kube-system/calico-node-b8r5j to osboxes
Warning  FailedMount  4s (x7 over 35s)  kubelet            MountVolume.SetUp failed for volume "bpffs" : hostPath type check failed: /sys/fs/bpf is not a directory
@AntonPutra 7 months ago
I have a script, take a look how to provision on prem cluster
## Control Plane
### Preparing the hosts
sudo apt update && sudo apt -y upgrade
sudo sed -i 's/ubuntu/control-plane-00/' /etc/hostname
sudo sed -i 's/ubuntu/control-plane-00/' /etc/hosts
sudo reboot
sudo apt update && sudo apt -y upgrade
sudo sed -i 's/ubuntu/node-00/' /etc/hostname
sudo sed -i 's/ubuntu/node-00/' /etc/hosts
sudo reboot
sudo apt update && sudo apt -y upgrade
sudo sed -i 's/ubuntu/node-01/' /etc/hostname
sudo sed -i 's/ubuntu/node-01/' /etc/hosts
sudo reboot
sudo apt update && sudo apt -y upgrade
sudo sed -i 's/ubuntu/node-02/' /etc/hostname
sudo sed -i 's/ubuntu/node-02/' /etc/hosts
sudo reboot
sudo apt update && sudo apt -y upgrade
sudo sed -i 's/ubuntu/node-03/' /etc/hostname
sudo sed -i 's/ubuntu/node-03/' /etc/hosts
sudo reboot
sudo apt update && sudo apt -y upgrade
sudo sed -i 's/ubuntu/node-04/' /etc/hostname
sudo sed -i 's/ubuntu/node-04/' /etc/hosts
sudo reboot
sudo apt update && sudo apt -y upgrade
sudo sed -i 's/ubuntu/node-05/' /etc/hostname
sudo sed -i 's/ubuntu/node-05/' /etc/hosts
sudo reboot
### Disable swap
sudo swapoff -a
sudo sed -i 's/\/swap.img/#\/swap.img/' /etc/fstab
free -h
### Installing a container runtime (containerd)
curl -L https://github.com/containerd/containerd/releases/download/v1.7.3/containerd-1.7.3-linux-amd64.tar.gz -o containerd-1.7.3-linux-amd64.tar.gz
sudo tar Cxzvf /usr/local containerd-1.7.3-linux-amd64.tar.gz
sudo curl -L https://raw.githubusercontent.com/containerd/containerd/main/containerd.service -o /lib/systemd/system/containerd.service
sudo systemctl daemon-reload
sudo systemctl enable --now containerd
#### Installing runc
curl -L https://github.com/opencontainers/runc/releases/download/v1.1.8/runc.amd64 -o runc.amd64
sudo install -m 755 runc.amd64 /usr/local/sbin/runc
#### Installing CNI plugins
curl -L https://github.com/containernetworking/plugins/releases/download/v1.3.0/cni-plugins-linux-amd64-v1.3.0.tgz -o cni-plugins-linux-amd64-v1.3.0.tgz
sudo mkdir -p /opt/cni/bin
sudo tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.3.0.tgz
sudo mkdir /etc/containerd/
sudo sh -c 'containerd config default > /etc/containerd/config.toml'
sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
sudo systemctl restart containerd
stat -fc %T /sys/fs/cgroup/
### Install and configure prerequisites
cat
@arunreddy3844 7 months ago
@@AntonPutra thank you Sir, will try and let you know .
@sangeetagujrani8810 2 years ago
Super
@AntonPutra 2 years ago
Thanks
@Яслежузатобой-щ7б 3 years ago
good job
@AntonPutra 3 years ago
Thanks Кирилл :)
@dangaiden 3 years ago
Great tutorial. The only problem I have (My cluster is GCP so GKE and domain in Route53) is that when I create the ingress for my app in its namespace (for example go-app in app namespace) the ingress doesn't have an ADDRESS, it appears empty so I don't know if this is something expected or not but it's bugging me ^^' EDIT: I found the problem, at least in GKE, you should comment: spec: ## ingressClassName: external-nginx and Use annotations in the metadata with ingress.class: "external-nginx" In this way, my ingress got the external IP from the ingress controller :)
@AntonPutra 3 years ago
I had a similar issue with GCP as well, I had to add additional argument in controller deployment --publish-service=$(POD_NAMESPACE)/external-ingress-nginx-controller external-ingress-nginx-controller -> name of the container and deployment
@Alpha-kt6hc 2 years ago
The voice is so sharp for my ears. Make it a bit dull. Remove the music you don't need it.
@AntonPutra 2 years ago
Thanks for feedback, no more music lol
@nellyhernandez7087 2 years ago
@@AntonPutra :( I don't know why, they are being assholes!
@timeforchangethings 2 years ago
Which terminal did you use?
@AntonPutra 2 years ago
iterm2 + zshell
@timeforchangethings 2 years ago
@@AntonPutra i just installed & played with them now😂, anyway thanks 👍
@AntonPutra 2 years ago
@@timeforchangethings you're welcome :)
@sureshkachwa5345 3 years ago
How about wild card certificate for k8s ingress and domain being in Godaddy, is it possible to get wildcard cert? As far as I know Godaddy doesn't support DNS01 challenge and this is must for wild card cert, any suggestions?
@AntonPutra 3 years ago
You can setup your own DNS server to resolve challenges from Letsencrypt, take a look on this video - kzbin.info/www/bejne/jHuzl5eOg5KXicU
@sureshkachwa5345 3 years ago
@@AntonPutra Thanks for the info but how do we accomplish wild card SSL thing for kubernetes cluster? Moreover domain DNS is managed in Godaddy
@rocketbox9 3 years ago
for Terraform? :(
@AntonPutra 3 years ago
We usually use terraform only to provision K8s not to manage services within the cluster.
@rocketbox9 3 years ago
@@AntonPutra thanks for answering ..It would be great if you can spend this combining terraform with ansible :) .... greetings from Peru .. thank you !!
@ayex86 4 months ago
The background music is really annoying
@AntonPutra 4 months ago
noted! i no longer use it
@ambig1 1 year ago
please remove the annoying music, rate of speech is too fast for non native english speakers.
@AntonPutra 1 year ago
Sure, I don’t use music anymore in my latest videos and speed is slower
@MadlipzMarathi 2 years ago
man I hate dev ops.
@AntonPutra 2 years ago
pick dev or ops then :)
@MadlipzMarathi 2 years ago
@@AntonPutra man I need to get wildcard cert with cert-manager hosting on aws cluster any resources you can point to?
@SanjayKumar-di5db 2 years ago
i m getting propagation check failed" "error"="dial tcp 205.251.194.16:53: i/o timeout how to fix this ?