Cert Manager & External DNS | How to automate your DNS and TLS Certificates in Kubernetes

Captions
Let's automate the securing of our external endpoints. [Music]

So in this video we're going to be sort of sidestepping the certification path we've been going down up to now. The reason for that is because we're going to be installing cert-manager and external-dns in this video, because we need them, basically. I don't want to have to set up certificates manually and I don't want to have to keep logging into Cloudflare like I did in the last video and setting up domains manually. So external-dns will do that for us. It supports a bunch of providers, Cloudflare being one of them, and that's the one I'm going to show you how to set up today. And yeah, I don't have to set those things up manually; that's going to manage that for us. In terms of cert-manager, what that does is set up TLS certificates for us, and that allows us to have HTTPS websites running. So that's really useful. It means we don't have to worry about setting that stuff up ourselves manually any more: we don't have to put certificates in secrets and supply that to the Ingress, it will just do it all for us. We can also use cert-manager for internal cluster communication over TLS as well, but we're not going to be doing that in this video and, to be honest, I'm not sure if I'm going to show that at all. I might do at some point, we'll see. But for this video we're just going to be setting them up so that we can use them going forward in future videos. Let's get into it.

We're going to start with external-dns because, well, that's the thing that I have up on the page now, which you can see. So with that in mind let's move forward with it: we're going to go through external-dns, then cert-manager. Now let's just read this bit. In a broader sense, external-dns allows you to control DNS records dynamically via Kubernetes resources in a DNS provider-agnostic way. What does that mean? It means that it can automatically create, update and delete records within Cloudflare, for example, in my case, because that's where my domain is hosted. That's basically it; there's not much more to it than that. So let's get that set up.

Again, I'm using Cloudflare, as you probably saw in the last video. These are all the ones it supports, all of these right here, so you've got a bunch of stuff available to you. Find the one that you use, if you do use one, and follow through setting it up. If you don't have a domain, well, you might be able to get away with using something like dynamic DNS. I mean, you've got Dyn here; is that dynamic DNS? I don't think it is... yeah, it is, there you go. So maybe you could use that. Have a little look around and see if there's one that supports the one you've got. If not, then you might just have to watch the video and not do anything, just kind of take it in, absorb it like a sponge. So yeah, that's that. Moving along.

OK, so we've got the instructions down here: we've got "deploy into a cluster" or "running locally". I will not run locally because we're on a Kubernetes cluster, so we are going to deploy to a cluster, and I'm going to be using Cloudflare. Pick the one that suits you. In theory you should be able to use the guide I'm doing here in the way that you need but using yours; there won't be much difference between them. So just have a little read through yours and try and follow through if you can.

In our case we need a Cloudflare DNS zone, which I already have, so that's fine, and we need some Cloudflare credentials. If you don't have a Cloudflare DNS zone, just sign up to Cloudflare, point your name servers over to the ones it provides and hey presto, you've got a Cloudflare DNS zone. You need to add your domain, obviously, but it's as simple as that. My registrar is Google, as you can see here, and I literally just logged into there, pointed them over to the DNS servers that Cloudflare gave me when I set the domain up, and that was it; it's managed via Cloudflare after that. It is that easy. DNS is surprisingly easy once you know how it works. Anyway, I digress.

We need a few bits from Cloudflare now to actually set things up. It says here that the API exposes the entire Cloudflare infrastructure, which is fine, but we don't want the entire infrastructure, we just want a little bit of it. Now, if you do want the entire one you can use the API key and email, which will give you full access to your account, basically. The API token approach, this one, gives you restricted access: you can restrict the access that it's got, you can restrict who has access to that token via IPs and things like that. So you could do it for all zones if you want. I won't be; I will be using a token that's scoped to a particular zone. But if you are doing it for all zones you can even filter external-dns down to a zone. So maybe you've got multiple domains that are being managed and you want one external-dns on each cluster that manages different domains in that one Cloudflare account; rather than setting up a bunch of tokens, one per external-dns, you just set up a zone-wide, all-zones one and then you filter it via the zone ID filter. That is totally legit, you can do that, but I won't be; I will be restricting it down, because I'm a firm believer in least privilege, because that's how you get the best security.

So let's jump over to Cloudflare and create these tokens. In here we'll see a Zone ID down here; I'm going to make a note of that. Then I'm going to scroll down a bit and we'll see this bit here, "Get your API token", and I'm going to go ahead and click on that too. In here all I need to do is create a token, so click Create Token. I want to edit the zone. If we look here it says that we need Zone read and DNS edit privileges; well, that's fine, we can do that, that's not a problem. We don't need the Zone read because it's kind of part and parcel of it, so we've got Zone, DNS, Edit, and read comes as part of edit, so that's fine; if you try and add it, it won't work. Then the next part is the zone, and obviously it mentions doing all zones, but I won't be; I will be doing just the one that I want. I only have one anyway, but to future-proof me moving forward, as I inevitably add more domains, I will restrict it to a zone. On top of that we can do client IP address filtering, so I could put the external IP address of my home network in here and it would only allow requests from that IP address to be authorized to use this token. I'm not going to do that because my ISP likes to change my external IP address from time to time. And finally you can set a start and end date if you want. Again, I'm not going to be doing that, but if you wanted to have even more confidence in your tokens, to make sure that you're recycling them or renewing them every now and again, you could set an end date. But you'd have to... off the top of my head, you could have a master token that renews those tokens for you, and you could just do it via an API if you wanted to, but then you've got the problem of the master token being compromised, etc. So again, whatever's best for you; I'm going to stick with what I've got here. Oh, one more thing: I'm just going to rename this to "external-dns", and we'll click Continue to Summary, and that is it. Now there's a token here, you can't see it but I promise you it's there, and there's a curl command here for you to test that token to make sure it works. So I'll take a copy of that, and then we'll go back to View API Tokens and I will create one more, because I'm going to need one for cert-manager too, so I might as well do it while I'm here. Same permissions. I could just use the same token if I wanted to, but as I've said before, it's all about security, so I'm not going to be doing that; I'm going to have one token each. I'm happy with that, and we'll continue to summary, create the token, and again you can't see the token but I can, so I will paste that there. OK, cool, so that's Cloudflare done; we're ready to go for external-dns and cert-manager.

OK, let's move along. We've got a couple of options here to deploy external-dns: we can do it without RBAC on the cluster, or with RBAC. Without RBAC... I don't know why you would be doing that now, so if you are, stop, and go and set up your cluster with RBAC, unless you've got a very, very good reason not to be doing it. Then we've got this other one, with RBAC enabled, which is the one we're going to use. So I'm going to copy that, we'll jump over to the IDE now and under here we'll create a new file called external-dns.yaml. In here I'm just going to pop all of that in, and then we're just going to quickly do a couple of things. I'm going to add a namespace first, because I want it to sit in its own namespace, and I'll also do that on the deployment, and then I'll change this one here as well to be the same namespace.

Now I will explain service accounts, cluster roles and cluster role bindings: what do they do, how do they work? A really quick whistle-stop tour here, because we're not going to be covering RBAC now, we're going to do it in another video, but let's just quickly tell you what's going on. This pod here needs to be able to read and list and look at services and also ingresses (so I'm going to add that). How do I allow this pod to be able to interact with my Kubernetes API server? Because we don't just want people to be able to deploy pods that can do stuff on the cluster, right? That would be silly. That means I could set up a pod on your cluster, if I got access to it, and just do "delete all pods", and then I'm breaking your cluster. So pods need to be restricted, and the way we do that is we apply a service account to it: we give it a service account name. It's in the pod spec, because it's part of the deployment, via serviceAccountName: external-dns. We then go ahead and create that service account. There's no data or anything like that; you can add imagePullSecrets and things like that to it, but again, not for right now. So we add that service account. We then go ahead and create a cluster role, or a role if you want it to be limited to a namespace. This needs to be cluster-wide because I want it to be able to manage the DNS records for all ingresses across the entire cluster. So we allow this cluster role to get, list and watch services, endpoints and pods; get, watch and list ingresses; and list and watch nodes. That's it, that's what's going on here. And then finally we need to bind this service account to this role so that this service account, or the pod, can do this stuff, and the way we do that is with a ClusterRoleBinding, or a RoleBinding, again, if you're doing it on a namespace level. We give it a name, we say a roleRef, and the roleRef is this one here, and the subject is the service account, and that's this one here. That's it. So this pod mounts this service account and this service account is bound to this role. That is RBAC in a nutshell. Obviously there's a lot more we can do here, but on the whole that is it. We can also do this with users and other things as well, but that's again for another video.

So back to external-dns. We have a domain filter; well, I'm going to set it to hudson-viles.uk. I don't know if I actually technically need to do this. If we have a look back at the instructions it did say something about... oh, it's a zone ID filter, OK. So there's a zone ID filter here; this is optional, because my token is mapped to a specific zone. I don't technically need this, but I like to be belt and braces in the way I do things, so I can make sure that it is going to work. Technically I don't need this, but if you're going for all zones then you definitely do need this to limit it to a zone. The provider is cloudflare, so that's fine. Then we've got cloudflare-proxied, and I'm trying to decide if I actually want this on. I mean, it gives you DDoS protection and a content delivery network, and yeah, I'm going to leave that on, because there is an annotation that allows you to enable it or disable it regardless of what the rule is here. So if I disable it here I can always add the annotation to enable it on a specific Ingress; alternatively, if I do have it on, I can turn it off on a specific Ingress. So we'll have a look at that; we might or might not need to do that, we'll see. Then we've got this cloudflare-dns-records-per-page, to configure how many DNS records to fetch per request. Well, I don't have that many, but if you really wanted to you could set that.

One thing I am going to add, though, is the --txt-prefix flag, and that I'm going to set equal to k8s-learning. Now what does this do? This prefixes the TXT record that gets created as part of external-dns creating records (I'll explain that in just a second), and what it does is prefix it so that it knows exactly which ones it's dealing with. So for example if I didn't set this up there wouldn't be any prefix. OK, let me just step back a little bit further. Imagine I've got two clusters, one called staging and one called production, and I use hudson-viles.uk for both of those clusters, but on the staging cluster it's something.staging.hudson-viles.uk and on the production cluster it's just something.hudson-viles.uk. I would want two external-dns instances, one on each cluster, but both managing the hudson-viles.uk domain, because all of them are under that root, that top-level domain. So how would I do that without having them fighting over who manages which records? Well, this is where the TXT prefix comes in. What I could do is have "staging" on this one and "production" on the production one, and then what happens is, for every record external-dns creates, on for example the prod one, there's a corresponding TXT record that gets created that says "this is a prod DNS record and I manage this particular record". So if I create learning.hudson-viles.uk in the production one, then there is a TXT record that says "I've just set up learning.hudson-viles.uk", and it prefixes that record with "prod". In staging it will do the same: it's learning.staging.hudson-viles.uk, it creates a TXT record which is "staging"-prefixed, and in there it would say "I manage learning.staging.hudson-viles.uk". If not, don't worry too much about it; if you're literally going to have one external-dns managing it, to be honest I don't actually need it. This is just a habit more than anything, so I'm just going to leave that as it is, because I might have another cluster at some point that manages part of hudson-viles.uk and it makes sense to not have a conflict. So again, just kind of thinking ahead.

Finally we need these Cloudflare API key and email, but we're not using them, we're using the token, so I'm going to delete this and put token, and I'll delete that and then I'll delete that. This is everything set up as I need it. All I need to do is add my zone ID and my token, which I will do now, and then close this tab, because obviously I don't want you seeing what's inside, it's all secret. So bear with me a second while I do that. OK, that's it. Now all we need to do is apply external-dns. Before I do that, though, I just want to make sure that I've deleted the Ingress record, because it will just try and create it. So kubectl get ing -n learning, and there's nothing in there, OK, so that's cool. We can go back and apply that now, and jump back over to the terminal: kubectl get po -n external-dns. Is that up and running? Yeah, it's up and running, so that's great. You can have a look at the logs in here; if that is failing for any reason it'll just tell you. It'll probably be a misconfiguration of the flags that are set, or if it's working it'll be off and running.

So the next thing we're going to do is actually jump back into the previous episode, because I've still got all that stuff running. I have everything in there still; the only thing I've done is deleted the Ingress resource. So if we have a look at svc and ing we can see all of that stuff is still running, so that's cool. Now let's take a look at this Ingress. This is the Ingress we left it with. We have nothing actually done on it at the moment, but we want to start adding things to it, so we're going to add the annotation for external-dns. We'll do annotations, and then what do we want for external-dns? Well, there's a bunch of options really. Let's take a look at external-dns here and go down to the example. We've got these here: we can set a TTL for our record, we can set the hostname if we're using it on a service, which I'm not, I'm using it on an Ingress. I'll quickly explain that, actually. If you're using it on a service you can't set a hostname anywhere, so you have to set it here; this will allow external-dns to go "right, this here maps to the IP that gets created as part of the load balancer". That's fine, but I don't need that; I need it for an Ingress, so actually I don't need anything here, technically, not in a production environment that sits in the cloud or something like that. But if you remember, we have this problem: I have an external IP, and that external IP hits my router and gets mapped through to my Intel NUC, which was originally running an nginx reverse proxy but has now been upgraded to use HAProxy instead. I won't be going through that now because it's not relevant, but all I've done is switch over to HAProxy so that I can do SSL passthrough on that, and it's just a nicer system to use on the whole. That's basically it. But the problem is, if I use my Ingress without an annotation, it's just going to set it up to the IP that is found in the Ingress's external IP section; if you remember, we had the address part and it had my node IP. I don't want that to be my IP, so what I need to do is say "yeah, but I need a CNAME record". So how do I do that? Well, thankfully there's a way of doing it. Let's just jump down here to the FAQ, do a search for CNAME, and it'll say here... this is kind of irrelevant, but it does work for us anyway: if we set the target to a hostname here, then a CNAME record will be created instead. The hostname specified in the Ingress object's annotation must already exist, which it does; we have that set up within Cloudflare and it points to an external IP. It's an A record, so it's just going to CNAME over to that. That's all I need. So I can just grab that target annotation, external-dns.alpha.kubernetes.io/target, jump over to the IDE and we can do this (which... it really needs to stop doing that), and then we can do hudson-viles.uk, and that's it. Now this will get created as a CNAME record over to this, and that is external-dns.

So let's just go ahead and apply that. I was going to do it after I've done cert-manager, but it makes no difference, we can do it now, and to be honest sometimes I hit an issue with cert-manager where there's a race condition: you create it and then cert-manager and external-dns try to create the same record at the same time and there's a bit of a fight. So just to avoid that, for the sake of ease of this video, we're just going to apply it now. So kubectl apply -f 21-ingress.yaml, there we go. We're going to just apply this as it is and the record should just get created in Cloudflare. So let's go and take a look; jump over to Cloudflare and have a look at what's going on over there. Let's just jump back over here... yeah, and there it is, learning, and it's proxied. Now it might not appear straight away; I think the loop on external-dns runs every minute, so it might just take a minute to come up, but yeah, there it is right there. If it has failed, have a look at the logs; it will tell you why it's failed. And there are those two TXT records. So for some reason it's got "learning" twice, and "learning", "cname", "learning"... oh, I know why: because k8s-learning is the prefix, learning is the record, and then here it's just saying it's a CNAME record that's learning. If we actually look at this you can see it says heritage=external-dns, the owner is equal to default, external-dns/resource=ingress/learning/web. So it's even got the path, if you like, to the actual resource, so it knows that it's responsible for it, and this is why external-dns won't just go deleting records. And that's it for the Cloudflare and external-dns side of things.

Let's jump over to cert-manager now and take a look at that. Cert-manager: what does cert-manager do? It generates certificates for resources, that's basically what it is. It can do self-signed, it can work with ACME, Vault, Venafi (never heard of that one), but yeah, that's basically what it does: it generates certificates, which saves us having to use openssl, or Cloudflare SSL or whatever it might be you would use to generate certificates, save it into a secret, tell the Ingress to use that secret, and then have to make sure we renew them. We don't have to do any of that, because cert-manager just manages it all for us. How does it do it? Well, let's install it and find out. We're using kubectl apply. There's a bunch of different methods that are supported; Helm is an interesting one that we're going to look at later, but it's not for today, so we'll take a look at kubectl apply. I'm not really going to teach you that much about Helm right now. OK, so Helm is a package manager, and it allows us to template things out: we can set up a template, we can then pass a load of variables into that template, and it means that we can generate different manifests based on what we want to actually deploy. So yeah, it's really powerful, it's really good, I highly rate using it moving forward, but for now we are not using it; it's not part of CKA or CKS, so we'll look at it later. This is one of the extra things. I mean, external-dns and cert-manager are extra things too, but I feel like we're going to need them moving forward, because I don't want to have to keep manually creating all this stuff.

So yes, let's take a look. To do it, all we need to do is apply this. We'll just paste that in and off we go; we'll get a load of stuff deployed, and that is it. So we've got a bunch of custom resource definitions, and if we just do kubectl get ns we'll see the cert-manager namespace, and if we just do get pods -n cert-manager we'll see all those things running. Actually, I had deployed this a while ago because I was just doing a bit of testing, so it's not my first deployment of it, but I promise that's all I've done; I've not done anything else, I was just checking a few things to make sure it worked before I did the video. It's about the first time I've done any prep work, so, you know, go me. OK, so cert-manager is up and running now.

If we go ahead and jump back over to the documentation we need to look at how to use it. We've got configuration here; we're going to be using ACME, and there's an option between HTTP and DNS. The first one, DNS, requires a CAA record to be added to your zone, so you might have noticed that I had that in previous shots of my records, and I'll put it at the bottom of the screen now for you anyway, but basically that just allows Let's Encrypt to validate that you own the domain. The other one, HTTP, will spin up a pod, create a service and an Ingress using the domain that you've supplied, and then put a file inside that pod; Let's Encrypt then validates that you own the domain by trying to access the token inside that file, and that's it. So if you want to have a look at this, have a look at this by all means. I set up the token earlier, so I don't need to do this bit; we've already got that bit set up. All I need to do is create a secret with it in. Now I could copy and paste that, basically base64-encode my token and put it in there, or I can just do it on the fly, so I'm going to go ahead and do that.

So let's have a look at what we type: we do kubectl -n cert-manager create secret generic, and that generic secret is going to be called cloudflare-api-token-secret. We'll grab that, jump back over to the IDE, paste that in, and then we just need to do --from-literal, and then I'm going to paste my token in. So the key is api-token and the token is equal to... I pasted it somewhere, and there it is right there. So I'm going to go ahead, paste this in, press enter, and then see you back on the other side. OK, so that secret exists now and we can carry on. I'm obviously not going to show you what I put in, because that's got my token in it; I don't want you to have that token. I could have shown you the tokens and deleted them after this video was done, but I want to use them in future and I can't be bothered to keep recreating stuff. So yeah, you just can't see the command; I've put it up on the screen so you can see it there.

How do we use this now? OK, so we have a certificate created... sorry, our secret created, and all we need now is an issuer. Now, if we do Issuers, this is namespaced; we probably want something that works cluster-wide like we did with external-dns, and as a result I'm going to use a ClusterIssuer instead. So if I go to Usage, and if I drop down Tutorials maybe, let's see if it gives us an option for ClusterIssuer. It doesn't look like it's going to; it doesn't look like it's telling us about it off the bat. So, OK, cool, never mind, let's just carry on with what I... I promise you there is a ClusterIssuer. So I'm going to go back and go on ACME, DNS01, and we will take a look at Cloudflare again, and I'm going to grab this issuer here and we'll modify it to work for us, basically. So we'll grab this and I will go and create a new file, and it will be called cluster-issuers.yaml, and I'm going to put both in here. When I say both, what I mean is, for ACME, if you've used Let's Encrypt before, there are staging and production endpoints to hit. Now, if you hit the staging endpoint you get a good amount of certificates generated for you; the only thing is they're not signed certificates, so it will still give you a warning in the browser, but it's a certificate that you can use for testing. If you hit the prod one too many times in a short amount of time (I can't remember the exact numbers, I think it's like five or six times within a week or something like that) then you'll get rate limited, and if you need another certificate you'll have to wait until, I think, either a week or until the next Friday or something weird like that. Have a look at the Let's Encrypt docs and it will tell you. But if you're doing some testing, use staging first, then when you're ready to actually roll it out switch to production. I'm not going to follow my own advice and I'm going to use my production one straight away, because I already know that this will work and I'm not going to be doing much more after this, but just note that for future reference.

So now I've cleared that up, we'll do letsencrypt-prod, and I'm going to change this to a ClusterIssuer, and I'll do the same down there and call this letsencrypt-staging. So that's that. We've already got this cloudflare-api-token-secret created, we've got this api-token key within it, so that's working great. What we need is this ACME bit; this is the little bit we need here, so I'm going to grab that. We've already got the solver, that's fine; we want this bit here, so we'll grab that and we will drop that in there, and then all we need to do is just change all this through. So that's hudson-viles.uk; this is the staging URL, so I'll grab that one and copy it down in a second, and then here I'm just going to name it the same as letsencrypt; it's just a secret that it creates that stores the details, basically. I'll grab that and we'll drop that in there. I'll leave staging in that and I'll remove staging from here: you just remove that staging bit from the URL and it hits the production endpoint. Looking at it, that's all fine, just need to change that to staging. So we've got a ClusterIssuer called letsencrypt-prod. It's not namespaced, so it doesn't need a namespace. I've got my email address that we need to pass to Let's Encrypt, I've got this server here, that's the Let's Encrypt endpoint we're going to hit, I've got a secret to store the information in, and I've then got the solver for Cloudflare with an API token secret reference. Same here, but everything's staging. Let's go ahead and apply that: kubectl apply -f 22-cluster-issuers.yaml. OK, so that's then created, and then we just need to make use of them. We just need to update our Ingress to make use of the ClusterIssuer, set up the TLS section, and that is it, we are good to go.

So let's jump back over to the docs and I'll show you how to do that. Let's have a look: we need to go to Usage; we could have a look at Introduction, we could have a look at Certificate Resources... you can create different... by itself, there you go: not Issuer, but ClusterIssuer, so I told you it existed, OK. So yeah, certificates: we can create these manually if we want to, but again, why bother, we've got it all being done for us. So let's have a look at Securing nginx-ingress. We'll scroll down, scroll down, scroll down and take a look at this bit here. We've got an annotation here; we've got a cluster issuer, basically, that we define. So we'll grab that and we will throw that into the Ingress. We'll uncomment that; we can leave it as letsencrypt-staging if we want, but I'm not going to, I'm going to use my prod one because, as I say, I already know it's going to work, I have full confidence. And then the other thing we need to do is set up the TLS section, which is this, so we'll grab that and put it in line with the rules section. So it's tls: you can define a bunch of hosts and it will create certificates for all of them, and yeah, that's basically it. So we'll just change this: I'm going to change this to learning-tls, and the Ingress host to learning as well. That's it. So basically what will happen is Let's Encrypt will pick up the domain, which I'm just going to update, and it will say "OK, I'm going to request a certificate for this domain and I'm going to put the results into a Certificate resource", and then off the back of that Certificate resource it will create a secret that the Ingress can consume. That's all there is to it.

So let's go and have a look at this, shall we? We'll do kubectl -n cert-manager logs -f deploy/cert-manager, because that will just give me the pod logs anyway. So I'm just going to drop down a few lines and we will go ahead and apply this: kubectl apply -f 22... I'll do 21, sorry, 21-ingress.yaml. I've just updated it, and let's watch. So "certificate must be reissued because it hasn't got one", and it's going to requeue the item, etc. That's cool, that's already working. So I'll do kubectl get cert, ing, orders and certificaterequests; by the time I've typed it out it'll probably have already done it... no, I know it's still doing it. So we've got this certificate request, that's been approved, the ready state is false, we've not got an order yet and the certificate is false. So if we just keep an eye on this, I'm going to go ahead and grab that command up here and I will watch this, and we'll run this command over here, just to see what's going on. Sometimes you'll see this error here: "operation cannot be fulfilled on certificate because the object has been modified; please apply your changes to the latest version and try again". Just ignore that; don't worry about that, it will automatically retry. Generally speaking you don't have to reapply anything; it's a bit of a misleading error, I would say. So we'll just give that a minute. OK, so it does look like something's not happening here, so I'm going to go ahead and grab that information; let's just describe it and see what's happening. I might have missed something, I don't think I have, but I never presume I'm right about everything, so let's take a look. "Referenced issuer not found". Did I specify an issuer? Did I set them... I thought I set them as ClusterIssuer. Oh, is it a cluster issuer? Is that what I've done wrong here? It's entirely possible that's what I've done wrong. Yeah, it's because it's a ClusterIssuer; see, I made the mistake myself. Anyway, I'll just quickly apply that, let's jump back over and see what's happening over here. We'll see this: OK, so "that doesn't match the requirement, going to retry". Re-watch this: that's true, that's true, the order is valid and the certificate is true already. See, that's how quick it went through. So yeah, that was my bad: I set that annotation there to cert-manager.io/issuer instead of cert-manager.io/cluster-issuer, after just telling you that Issuers are namespaced. The annotation matters: it's issuer or cluster-issuer. So it was my fault; don't copy and paste, because that's what happens.

So yeah, anyway, that's working now. We've got a certificate created. If I jump over to the browser real quick I can now go to those domains, so let's go and take a look. Over here, look, we can see I've just gone to the domain and this certificate is valid, it's secure, and you can see here it's for learning.hudson-viles.uk, generated by Let's Encrypt, approved by them and all that. This is now a valid certificate on a website and this is live on the internet (it won't be when you come to watch this video, because I've probably taken it down by then), but there it is, up and running. So yeah, that's that.

Let's take a look at one more thing before we call it a day, because that is it, that's everything I need to show you. What I'm going to do, though, is quickly show you the certificate itself. So we'll do kubectl describe certificate -n learning, and you can see in here there's nothing really fancy going on; it just specifies the DNS name, the issuerRef and all that, so that's fine. But then you've got this secret name here, so let's grab that: kubectl get secret -n learning, that certificate there, and we can see we've got that. We'll output that as JSON, with the JSONPath... sorry, this JSONPath will be equal to .data.tls.crt, I believe it is, if I remember rightly. Let's see if I'm right. I think I need to put quotes around that. Let's output it as YAML first to see what it is, because I don't have to copy and paste all of this. Yeah, it's tls.crt, so I don't know why that didn't work; maybe I'm just being a bit silly here. No, it's not having it. So what I'm actually going to do is output it as JSON (I'm probably doing something silly there; it's late, if I'm honest, it's very late) and pipe it to jq, and I'll just do the same thing, so .data."tls.crt". That should give us the base64. Yeah. Now we can do base64 --decode, we can then pipe that into openssl x509, and then we can do -noout -text. If we do that, this will tell us the details of the certificate: we can see the validity of it, the issuer, we can see the subject common name, which is the domain, a bunch of public key algorithms... you know what, let's just... yeah, here's all the certificate data right there. So we can actually see that certificate exists within a secret, and that's how we secure our endpoints and automate the creation of our endpoints. That's it, that's everything set up and ready to go.

As I showed in the Ingress example, there's a few annotations I've had to add that you probably won't if you're using the cloud, for example. As I said, it's one of those things where I'm running this on bare metal, so I need to add those extra annotations because I've got one external IP coming into my house, and as a result I need to create CNAME records. Now, if you need to do that then you can follow along and do it the same way. If
you're doing it in the cloud though and you just grabbing floating IPS like public IPS then you probably don't need to do that well you don't there's no probably about it you just don't need to do that there is a little bit of wiggle room in the way things work things you'll get a little bit loosey-goosey if you like in terms of the way you'll set it up in your side now it is worth mentioning though because we're doing this on VMS or bare metal as it were things work differently to the way they do in the cloud I think that's pretty obvious anyway and if you're actually doing this in the clouds you'll probably find some of this stuff easier to do or more straightforward to do or probably better documented because the idea is everything's Cloud native we're not doing Cloud native we're doing it bare metal biosoles or the equivalent of anyway so yeah you might find the translation to the cloud easier this is why I've not done it in the cloud as well because a cost me a lot of money to do a tutorial so it's like this in the cloud and B Because translating it from the cloud to bare metal is much harder than translating from bare metal to the cloud in my experience and in my opinion anyway that aside in the next video we will be looking at troubleshooting workloads so I'm going to deploy a couple of broken workloads and just show you some of the steps to go through troubleshoot in there and maybe finding out where an errors occurred dealing with you know incorrectly defined images and things like that so yeah we'll get into that one in the next one so I guess I'll see you over there [Music] foreign [Music]
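The two manifests the video walks through, as an added example (these are not the video's own files): a Let's Encrypt production ClusterIssuer with the Cloudflare DNS-01 solver, and an Ingress whose annotation points at it. Email, domain, namespace, secret names and the external-dns target hostname are placeholders; the `external-dns.alpha.kubernetes.io/target` annotation stands in for the CNAME annotation the video mentions and is assumed here.

```yaml
# Added example: ClusterIssuer (cluster-scoped, so no namespace) for the
# Let's Encrypt production ACME endpoint, solving DNS-01 via Cloudflare.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: you@example.com                 # placeholder; expiry notices go here
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod               # ACME account key, kept in cert-manager's namespace
    solvers:
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token     # placeholder Secret in the cert-manager namespace
            key: api-token
---
# Ingress that asks cert-manager for a certificate from the ClusterIssuer above.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: learning
  namespace: learning
  annotations:
    # Must be cluster-issuer, not issuer: an Issuer is namespaced, so with
    # "cert-manager.io/issuer" cert-manager looks for one in "learning" and
    # reports "referenced issuer not found", exactly the slip in the video.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Bare-metal case from the video: one public IP at home, so external-dns
    # publishes a CNAME to a fixed hostname instead of an A record (assumed).
    external-dns.alpha.kubernetes.io/target: home.example.com
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - learning.example.com                 # placeholder domain
    secretName: learning-tls               # cert-manager writes tls.crt / tls.key here
  rules:
  - host: learning.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: learning
            port:
              number: 80
```

After applying, `kubectl get certificate,order,certificaterequest -n learning` shows the same Certificate, Order and CertificateRequest chain the video watches, and the issued certificate lands in the `learning-tls` Secret.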
Info
Channel: Drewbernetes
Views: 601
Keywords: Linux, Kubernetes, CKA, CKAD, CKS, Ingress, Ingress Controller, External DNS, Cert-Manager
Id: wrVlOt7W-sA
Length: 31min 18sec (1878 seconds)
Published: Sat Jul 22 2023