Use cert-manager with Let's Encrypt® Certificates Tutorial: Automatic Browser-Trusted HTTPS

  • added 20 May 2024
  • Let's Encrypt® provides free browser-accepted TLS Certificates and an API to automate against. Luckily there's the amazing cert-manager tool, which we can use to do all the communication with Let's Encrypt's ACME API based on Kubernetes Resources. Learn how to fully automatically obtain and renew TLS certificates that will be shown as "Secure" in your favorite browser.
    Let's Encrypt® is a trademark of the Internet Security Research Group. All rights reserved.
  • Science & Technology
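Added example, not from the video or the cert-manager project: a ClusterIssuer for Let's Encrypt's staging ACME endpoint with an HTTP01 solver, and a Certificate that references it. The contact email, domain, secret names and the nginx ingress class are assumptions; switching the server URL to the production directory is what makes the resulting certificate browser-trusted.

```yaml
# ClusterIssuer: holds the ACME account (email + account key) and the
# solver cert-manager uses to prove control of the domain.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging endpoint: generous rate limits, but certificates are NOT
    # browser-trusted. Use https://acme-v02.api.letsencrypt.org/directory
    # for production once the staging flow works end to end.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com                    # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key, created by cert-manager
    solvers:
    - http01:
        ingress:
          class: nginx                        # assumed ingress controller class
---
# Certificate: cert-manager spins up the temporary challenge pod and ingress
# rule, completes the HTTP01 challenge, removes them again, and writes
# tls.key/tls.crt into spec.secretName; the Secret need not exist beforehand.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www-example-com
  namespace: default
spec:
  secretName: www-example-com-tls   # referenced from the Ingress "tls" section
  dnsNames:
  - www.example.com                 # assumed domain; must resolve to the ingress load balancer
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
```

`kubectl describe certificate www-example-com` shows the Ready condition and the scheduled renewal time; cert-manager renews the certificate automatically before it expires.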

Comments • 50

  • @kubucation, 6 years ago, +11

    It seems the microphone gain was a little high this time, sorry for the slightly worse audio quality today.

  • @takkerutube, 4 years ago, +2

    Excellent video on automating certificates in K8's. Probably the best out there. Thank you very much for taking time to do this video. Keep up your amazing work!

  • @TheEbbemonster, 2 years ago, +2

    Great work! Even in 2022 it is a great video. Sure, I had to update some versions, and some of the ACME stuff has changed, but I got it all up and running :)

  • @newshatavakoli5960, 3 years ago

    This video was right to the point, just right amount of explanation, not too much, not too little. Thank you so much.

  • @rishabhsingh6049, 2 years ago, +1

    Not only was the topic covered well and gave clarity on how different resources interact when working with cert-manager,
    but there was so much learning in the way you went about the demo.
    Use of aliases, shell configuration, working with vim, using various commands more efficiently, etc. was the highlight for me. It really shows you have put a good amount of time and thought into developing these skills.
    Do you have any video where you explain the configuration you have done with your shell?

  • @paweoczady8353, 6 years ago, +3

    Great tutorial! Many thanks for that stuff :)

  • @dipeti, 2 years ago

    I cannot express how grateful I am for you having shared this for free on YT. Would love to buy you a coffee or a bratwurst for your efforts.

  • @iliyastrakovich, 5 years ago

    Thank you very much!
    Excellent explanation.

  • @BernardoGarcia19, 5 years ago

    Great video @kubucation. I have a doubt. In the end, are you using the youtube-lets-encrypt-tls or the secrets tls.key and tls.crt created in the previous videos? Or do I need to perform both steps?
    That is, create my own tls.key and tls.crt and store them in a secret, and afterwards, when creating the certificate resource, the secret in the "issuerRef" parameter is another secret which will be created and inside it will be the tls.key and the certificate that Let's Encrypt provides?
    Do you only get the HTTPS functionality when you remove staging and switch to production?

  • @amitkadosh8444, 3 years ago

    @kubucation, very good explanation!!
    Do you have the console output or the "history" of the commands you typed?
    Thank you!

  • @devopswithprasanna, 5 years ago

    Very helpful one ... Thanks

  • @pulco50, 3 years ago

    Thanks, it helped me. Even though it's a little bit out of date.

  • @yomaru_1999, 3 years ago

    Good video, very useful.

  • @abhijitdasgupta2599, 4 years ago

    Hi, do you have any video on the configuration between cert-manager and Vault?

  • @sureshkachwa716, 2 years ago

    In my case, I have cert-manager, an ingress controller, the ingress service and a cluster issuer deployed for the k8s cluster, and no certificate.yaml, yet a certificate is still being created for all the namespaces and I'm not sure for which domain. Does the certificate get created for the domain you map an A record to with your LB public IP?

  • @puneetsaini9613, 3 years ago

    Hi kubucation,
    Is it possible to use a third-party service as an issuer?
    For example, there is a service called abc; making a REST API call to it gives you the certificate. Is it possible to set up the same using this service? If yes, can you please share example YAML files for it?

  • @prashantantil6692, 1 year ago

    I have also done a similar setup, but I cannot find 'RenewalScheduled' when describing the certificate resource.

  • @petersonfs, 3 years ago

    Is it possible to create a certificate with a dynamic host? My service exposes an IP address for the customers, who configure their domains to point to our services. At the same time I want to provide a certificate for each domain using our service, to increase security. At the moment we have 5k domains pointing to our services. Could you help me? Thanks!

  • @cynikalX, 5 years ago

    Do you have a blog post or anything on GitHub perhaps about your vim environment and the YAML linter? My vim is set up to put 6 spaces for indentation on YAML files for some reason, and rather than try to debug/customize it, I would love to see a nice vim setup such as yours.

    • @cynikalX, 5 years ago

      Nevermind, see someone else asked the same thing and the answer is github.com/etiennedi/dotfiles yay :-)

  • @duclee9x, 2 years ago

    Great tutorial, but could you please explain to me how to point a domain to the cluster?

  • @VijayKumarP-wv8vw, 1 year ago

    Do we need to create the secrets, or will they be created automatically?

  • @sayevil9330, 4 years ago

    Great tutorial, but could you please provide the yaml files in the video?

  • @SyntoxicTechTipps, 6 years ago

    Great video, but I still have a small question:
    Does the pod (the nginx one that gets started for the certificates) keep running the whole time, or is it only started when it is needed?

    • @kubucation, 6 years ago, +2

      Thanks! I'll allow myself to translate/rephrase your question so that all the international viewers can benefit from it: "Does the nginx pod started for the HTTP01 challenge stay or is it only started when needed?" - It looks like both the additional pod and the additional ingress rule are only there while the challenge is ongoing. As soon as the challenge was completed successfully, both of them are removed automatically. I'm not entirely sure how the renewing works, whether the keypair we received is enough for the second go or whether we need to complete the challenge again. If it's the latter, I assume they'd just get spun up again.

    • @SyntoxicTechTipps, 6 years ago

      kubucation thanks, I wasn't sure whether the pods remain active or not. It would need some compute power to keep them running.

    • @kubucation, 6 years ago, +1

      Yeah, now that I think more about it, it would be quite bad if they stuck around on a bigger cluster. That would basically mean you'd have at least one extra pod per application. In terms of actual resources, it would probably consume quite little. CPU should be close to nothing if no traffic is incoming; a certain amount of memory will definitely stay, though. (This is similar to how serverless solutions such as kubeless work, by the way.) Even worse would be if the pod also has resourceRequests specified - I don't know if they do. Because then the pod would reserve resources - whether they're used or not - taking those allocatable resources away from other pods. In addition to that, the number of pods per node is also limited. In older versions this limit was relatively low, I think. So yeah, this kind of cleanup really is quite beneficial.

  • @the_superb_owl, 4 years ago, +1

    This is the most complete tutorial I've found so far, but I'm still unable to follow. I'm not sure how to get the setup you have at the beginning and things like the ingress yaml are never fully displayed. I checked earlier videos and couldn't get the same setup you have here. Is there a text version of this tutorial anywhere?

    • @the_superb_owl, 4 years ago, +1

      I eventually (very eventually) figured things out. I vote for a bit more explaining on initial setup for people that are a bit newer to k8s, and a github repo with working yamls linked in the description would be ideal.

  • @ychetankumarsarma, 6 years ago, +1

    @kubucation thanks for the awesome video. Can we use a wildcard in a certificate? I have two hosts say xyz.something.com and abc.something.com. Can I use *.something.com in acme config domains?

    • @kubucation, 6 years ago

      It wasn’t possible when I recorded the video, but I believe it is now because cert-manager is now compatible with the ACME API v2. However, I believe this requires a DNS-based challenge rather than the HTTP01 challenge.

    • @ychetankumarsarma, 6 years ago

      kubucation thanks for your reply. Yes, that's what I figured out. But again, thanks for this awesome video.

  • @ovidiuviper, 4 years ago

    Hi, how would you fix the following issue in the http-01 challenge? Waiting for http-01 challenge propagation: presented key () did not match expected

    • @kubucation, 4 years ago

      This GitHub issue might be helpful for you: github.com/jetstack/cert-manager/issues/681; also note the last post about the Slack channel - or maybe try StackOverflow. My guess would be that something is set up differently from the expected config, possibly around the ingress config.

  • @xetra1155, 4 years ago, +1

    What terminal are you using? :)

  • @sharatbhaskar8001, 3 years ago, +1

    Can we use a Let's Encrypt certificate for a production app?

    • @kubucation, 3 years ago

      Sure. Probably more of a business/compliance decision. From a tech perspective there’s nothing in the way. I’ve definitely used let’s encrypt certs in prod - but not every company might be happy with that.

  • @Hujino26, 4 years ago

    What is your plugin for suggestions? (czcams.com/video/etC5d0vpLZE/video.html)

  • @MarvinBlum, 5 years ago

    Can I tip you?

    • @kubucation, 5 years ago, +2

      Haha. Thanks a lot! No need, though, subscribe if you like (and haven't yet) and possibly spread the word. That's all the tipping I need :)

    • @MarvinBlum, 5 years ago

      @@kubucation Thank you very much! Your video was really helpful and saved me a lot of time :) I subscribed.

    • @kubucation, 5 years ago, +1

      @@MarvinBlum Happy to hear that, if you have ideas/requests for new videos, just let me know and I'll see what I can do.

    • @MarvinBlum, 5 years ago

      @@kubucation Do you have any resources on how to setup ACME DNS using the cert manager?

    • @kubucation, 5 years ago

      @@MarvinBlum Hey, sorry for the late reply. Unfortunately I don't. DNS challenges are required for wildcard certs, aren't they? But it should be pretty straightforward; my initial research before I recorded that video was based on the official docs, so there should be plenty in there on how to use the DNS challenges.