Self signed Kubernetes SSL certificate // easy guide

  • added 16. 05. 2024
  • In this video I will explain how to use local self-signed certificates for your bare-metal Kubernetes Clusters in your Home Lab. We'll use Cert-Manager and OpenSSL to create a Certificate Authority that is trusted in your local network. And then create a valid certificate for a demo project. #Kubernetes #Certmanager #SSL
    Project Files: github.com/christianlempa/vid...
    Teleport-*: goteleport.com/thedigitallife
    Self-Signed Certificate Tutorial: • How to create a valid ...
    Cert-Manager Tutorial: • Free SSL Certs in Kube...
    Follow me:
    TWITTER: / christianlempa
    INSTAGRAM: / christianlempa
    DISCORD: / discord
    GITHUB: github.com/christianlempa
    PATREON: / christianlempa
    MY EQUIPMENT: kit.co/christianlempa
    Timestamps:
    00:00 - Introduction
    00:47 - Advertisement-*
    01:27 - How HTTPS works in local networks
    02:29 - What is Cert-Manager
    04:00 - Create a Certificate Authority
    05:34 - Create a ClusterIssuer
    09:30 - Create a valid Certificate
    11:41 - Recap and Outcome
    ________________
    All links with "*" are affiliate links.

Comments • 61

  • @jonzuka9746 9 months ago

    Thank you! Quick and precise.

  • @TheArtemus75 1 year ago +4

    Hey Christian, hopefully you have enjoyed your holidays!
    Thanks for this video and good explanation! In my opinion all of your tutorials are really valuable. Keep on going this good work and as we can see, your community is growing and growing... :-)

  • @vitusyu9583 1 year ago

    Sounds a bit complicated, but your delivery is quite clear, and I would give it a try on my home lab! Thanks!

  • @GihanS 1 year ago

    This is super awesome. Keep going !

  • @kevinyu9934 1 year ago +3

    Hi, thanks for the amazing contents! Could you also share the name of the tool that you use for drawing the diagram in markdown?

  • @DmitryTsarev 1 year ago +5

    To everyone who wondered which tool was used to draw the ascii diagram @11:47
    Not exactly sure which particular one did Christian use (would be nice to know), but such diagrams can be created with tools like ‘asciiflow’ and ‘asciio’

  • @lenoah8692 1 month ago

    Thank you ! Best teacher

  • @digitus888 1 year ago +2

    The only certificate, that is self signed, is the certificate of the CA (as with every Root CA). So the rest of the certificates like the one for your nginx is a signed certificate - it’s signed by a non public CA but it is not self signed.
    But despite this detail your explanation is very useful for getting better view on certificates in common and on Kubernetes in particular.

    • @christianlempa 1 year ago +3

      Thanks mate! You're absolutely right, I often say that to make it clear the cert is signed by self-signed ca. Might be a bit lazy that's true 🤣

  • @MatiasFranci 1 year ago +3

    This video is super clear. Could you please tell us which software do you use to show the Architecture Diagram (from Powershell)?

  • @sashapokatilov 1 year ago

    Thx, bro! U are my hero)

  • @guyfeldman4697 1 year ago +7

    You can use kubectl create secret with --from-file flags to upload the contents. I haven’t tried it from Windows though

  • @dr.wordpress 1 year ago

    Hi, your tutorials helped me a lot. can you do a tutorial about hosting gristlabs/grist with portainer. please?

  • @paparoup 1 year ago

    What an awesome guide and very clear on the steps, thanks for your time. I followed the steps but I end up with this error message "message: 'Error getting keypair for CA issuer: certificate is not a CA'" when creating the cluster issuer which isn't the case in your video. What am I missing? Thanks again for the time invested

  • @Lamnt213 5 months ago

    Followed and subscribed. Thanks for your guidance.

  • @alex.prodigy 1 year ago

    LabCA is also an interesting one, it's actually a community build of Boulder, the same ACME CA backend used by Let's Encrypt

  • @Resulok 1 year ago

    Hi Christian, I have a weird question) How did you make the scheme at 11:46 on the timeline?

  • @hemanthnlr 1 year ago

    Hi, this tutorial is good. Thanks a lot for sharing info. When I try to install cert-manager using helm ... cert-manager helm status shown as pending-install and my Kubernetes version v1.23.3... can you share your suggestion on this

  • @zakeeyullah 1 year ago

    Hi, can you make a tutorial how to redirect IP address automatically to domain when using nginx proxy manager to manage containers reverse proxy.

  • @dillanteagle3726 1 year ago

    This works but there is also the option of having certmanager automate creating the self signed certificate and secret.

  • @sachinmalhotra9235 1 year ago

    How to manage windows server data real time backup i can purchase to servers

  • @dmsi1980 1 year ago +2

    you can use stringData instead of data in your secret manifest and paste multiline pem certs instead of base64 string

  • @MrToup 1 year ago

    This video gives a super clear explanation about issuer and certificate.
    Is it right to say that the benefits over Let’s Encrypt certificate is to be more independent as we do not expose it to internet?

    • @christianlempa 1 year ago +1

      Thank you! And yeah absolutely, everything that you expose on the internet is a potential risk.

  • @hussamhyari 1 year ago

    Thank you for the video.
    I am trying to secure a mosquitto broker using k8s cluster and exposed with a loadbalancer, can this implementation be used to secure the mqtt connection?

    • @christianlempa 1 year ago

      You're welcome :) I'm not quite sure about mosquitto, haven't worked with it before

  • @andibiront2316 21 days ago

    Great guide. I've followed it but made some changes. I created an intermediate certificate signed by my Active Directory root CA and uploaded the chain to cert-manager. It's working great. I wanted to change the certificate of Rancher and Portainer, but Helm installation automatically creates an Issuer for the namespace, so I don't know exactly how should I change them.

  • @squalazzo 1 year ago

    diagram at 12:00, did you use some tool, or made it manually?
    about base64 and secrets, just use stringData instead of data and put them straight into the secret, no need to encode them

    • @christianlempa 1 year ago +1

      I used asciiflow but it’s a lot manual work as well :P

  • @Xiovox 1 year ago

    Which VSC theme & font are you using?

    • @christianlempa 1 year ago +1

      I created my own theme the digital life and use the Hack Nerd Font

  • @haddysrosserrier2061 1 year ago

    Tried this method, doesn't work. Had an issue with the RSA structure being too large after encoded. Just a heads up.

  • @BP-qy2pb 1 year ago

    Use git-bash or WSL2 instead.

  • @mohammedsadrulhudaquadri8731

    Shell theme is so cool.
    Could someone please help me with the name of the theme

    • @christianlempa 1 year ago

      Thanks, mate, You find the settings for the Windows terminal and other stuff on GitHub in my dot files repo!

    • @mohammedsadrulhudaquadri8731 1 year ago

      @christianlempa Thanks buddy !
      btw loved your content !!

  • @KairosVI 1 year ago

    how to base64 in powershell?
    docker run -it bash XD

  • @yiye2707 1 year ago

    SSL certificate problem: self signed certificate

  • @joshuabruno 1 year ago +1

    Bro all we care about is whether or not an American style Kölsch counts as a REAL Kölsch.

  • @darthweiter7074 1 year ago

    Doing it under windows -> install wsl2 and use linux there 😂

  • @russellrv 1 year ago

    SSL Certificate and Easy Guide should never be used in the same statement

  • @Reiner030 1 year ago

    Base64: from a Stack Overflow answer this should be the solution and I also had to use certutil for importing a certificate to ADS in Windows Server 2012:
    > Windows comes with certutil.exe (a tool to manipulate certificates) which can base64 encode and decode files.
    > certutil -encode test.exe test.txt
    > certutil -decode test.txt test.exe
    Additionally, M$ has a documentation "Convert file to Base64 string format" with this one-liner:
    > [convert]::ToBase64String((Get-Content -path "your_file_path" -Encoding byte))

  • @nireeshwaravaanam 1 year ago

    How can I contact you +

  • @leela5012 1 year ago

    I have tried using in Windows using physical location, it worked for me to convert self-signed certificate > cat C:\\Users\\username\\ca.crt | base64 -w 0

  • @aswinmaheshc 1 year ago +1

    Maybe you can try like this for encoding with Base64 with PowerShell
    Encoding:
    $Cert = 'This is a secret'
    $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Cert)
    $EncodedText = [Convert]::ToBase64String($Bytes)
    $EncodedText

    • @christianlempa 1 year ago +1

      Thx! Maybe I could put it in a script

    • @malthaeldai2083 1 year ago

      Hi, you could break this down to:
      [convert]::ToBase64String((Get-Content -path "ca.crt" -AsByteStream -Raw))
      At least while using PowerShell 7.2.
      For PowerShell 5.1 this won't work unfortunately.
      But in my opinion using either Linux directly or via WSL is by far shorter and faster to type.
      Best regards from Hamburg

    • @malthaeldai2083 1 year ago

      In addition:
      [convert]::ToBase64String((Get-Content -path "ca.crt" -Encoding byte))
      Would be for PowerShell 5.1

  • @alexrocha7010 10 months ago

    You can try this for PowerShell Core:
    [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(@(Get-Content ca.crt)))
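
The replies above trade several ways of base64-encoding ca.crt for a Secret's data field, with stringData as the alternative. As an added example (not from the video, its project files or any commenter), this Python check decodes such a value and reports whether it round-trips to PEM text before it is applied to the cluster; SAMPLE_PEM is constructed and is not a real certificate, and the function names and result labels are assumptions of this example.

```python
import base64
import re

# Constructed stand-in for ca.crt: PEM armor around a dummy body, not a real certificate.
_BODY = base64.b64encode(b"constructed sample, not a real certificate").decode("ascii")
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n"

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n([A-Za-z0-9+/=\r\n]+)-----END CERTIFICATE-----"
)


def encode_for_data(file_bytes: bytes) -> str:
    """Base64 of the file's bytes on one line, the same output as `base64 -w 0`."""
    return base64.b64encode(file_bytes).decode("ascii")


def check_secret_value(value: str) -> str:
    """Classify a string about to be pasted into a Secret's `data` field."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "not-base64"  # e.g. raw PEM pasted where base64 is expected
    if b"-----BEGIN CERTIFICATE-----" not in raw:
        # [System.Text.Encoding]::Unicode is UTF-16LE: every ASCII char gains a NUL byte.
        if "-----BEGIN CERTIFICATE-----" in raw.decode("utf-16-le", errors="ignore"):
            return "utf16-text"
        return "no-pem-header"
    match = PEM_RE.search(raw)
    if match is None:
        return "pem-line-breaks-lost"  # armor lines must sit on their own lines
    try:
        base64.b64decode(b"".join(match.group(1).split()), validate=True)
    except ValueError:
        return "pem-body-corrupt"
    return "ok"


if __name__ == "__main__":
    cases = {
        "file bytes": encode_for_data(SAMPLE_PEM.encode("ascii")),
        "UTF-16LE text": encode_for_data(SAMPLE_PEM.encode("utf-16-le")),
        "lines joined by spaces": encode_for_data(" ".join(SAMPLE_PEM.split()).encode("ascii")),
        "raw PEM, no base64": SAMPLE_PEM,
    }
    for label, value in cases.items():
        print(f"{label:24} -> {check_secret_value(value)}")
```

A value that returns ok has only passed the encoding check; the certificate inside still has to be a CA certificate for the issuer to accept it.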