SSL + Let's Encrypt in Kubernetes with Cert-manager

Captions
Cool, awesome. Okay, yeah, let's just wait like five minutes so everyone can join. Okay, can you see my screen? I can see your screen. Okay, cool. All right, there you go. All right, everyone, so I'm just going to wait a couple of minutes. We're still like five minutes away, so let's just give it five minutes so everyone can join the live stream or hear the channel of the call, and we can get started. Okay. Hey Bob, hello, how are you? We're almost ready. We're live already, we'll just wait for people to join. This is the time that, if we were in a live event, we'd start networking. Oh, I know, that's one of the biggest challenges right now. Yeah, the SaaS starter and another program I went through was good because it had breakout rooms where you can meet people, and it was targeted for that, but you don't get the, you know, "hey, how are you" conversation. Yeah, that's sad. You might need to look into the breakout room thing in the future. Yeah, those platforms cost money though. Yeah, and I don't know, there might be minimums on there that make it less affordable when you have a smaller group. Yeah, I need to see that. I mean, I think Zoom has the breakout rooms, but I need to see. I do have one I can share with you later. Okay, sounds good.

All right, so I think we can just get started; I mean, we're at one minute, so yeah, it's not going to hurt. All right, everyone in the call and people joining on the YouTube video: before we get started, this is a community-based event and we love to share knowledge and love, so I want to give a quick shout out to the Florida meetup. Please go and subscribe also to his channel. The leader there is Tamiya Montero; we actually ended up in the same leadership community here in Palm Beach. So show some love, go join the meetup and subscribe to the YouTube channel as well. Okay, so this is the community, so let's help each other. And with that
being said, we're going to start with the topic that we have on hand, which is: we're going to be talking about SSL, Let's Encrypt, Kubernetes and cert-manager. There's a lot to cover, so I'm going to get started right away because we've got a lot of concepts to cover. So let's get started.

The first thing on hand: who am I? I'm Angel Ramirez, CEO of Kwembi. I'm basically passionate about everything related to cloud native and Kubernetes. I'm a Certified Kubernetes Administrator, I'm part of the team that curates the exam, and of course I'm a speaker at the CNCF. Three things that you can know about me: I love to share knowledge, something that I'm doing right now; I also like to play soccer with my friends; and I travel the world with my favorite person, which is my wife. So those are the three things that you need to know about me.

And today we've got the agenda, which is going to be four topics that we're going to cover, including the demo. First we're going to talk about SSL/TLS: what is it, why do we need it. Then ACME, what that is, and Let's Encrypt, of course, which is part of the title, and then cert-manager. So those are the three main topics that we're going to cover as concepts, and then we're going to do a demo so you can tie the whole thing together in your hands. Okay.

The first thing is: what is SSL? SSL, pretty easy. I'm not going to read all that paragraph, you can go and look it up for yourself, but in a nutshell SSL is the standard Secure Sockets Layer; it is how we encrypt and establish a secure connection between two points. In this case it will be your browser and the server, that's how we communicate. It also could be between services. So that's it in a nutshell; you can go and explore a little more behind it on your own. The talk today is not specifically about SSL, but I want you to just get an idea of what that means: it's just a secure layer that we establish between two points. All
right, so with that said, now what is TLS? Well, you just told me that SSL is for establishing secure connections, and then you tell me now about TLS. Well, TLS, in a few words, is just an upgrade that was done to SSL. Now it's a little more secure; it includes all the types of options for encryption, which includes ECC, RSA and DSA encryption. So just to summarize it: don't get too bothered about what it really is and the nitty-gritty stuff about TLS, but just keep in mind that TLS is just an upgrade that was done to SSL. So you can always say SSL/TLS, it's not going to hurt anyone, but that way you can understand that they all kind of work in the same bucket; it's just securing a connection between two points.

But of course we need to make it more confusing, so what the heck is HTTPS? So HTTPS, the acronym is Hypertext Transfer Protocol Secure. So basically every website is HTTP; if you look at your browser, this one has just another S, which all it means is secure, right? And that's how your browser identifies: oh, this is a secure connection. That's at the browser level, right? So that's kind of what it is, so don't get too hung up on that one. However, you need to understand that you should always be browsing HTTPS websites.

Was I muted? Sorry, I had some background noise, I had to mute everyone and I needed you to... sorry about that. No, it's okay, my bad. What part was I muted? Here in the HTTPS, or before that? No, this really happened like five seconds ago. Oh, okay, I just wanted to make sure that I didn't have to go back over the whole thing. But anyways, good.

So that's what HTTPS is for. Now, how does SSL/TLS work? And I know some of you out there will say, hey, you know, SSL and TLS do not perform the same way. I know, I know, but like I said before, I'm going to keep it simple. I'm always going to say SSL/TLS so people that at least know SSL understand the
relationship between the two: they're just an upgrade. But here is how TLS itself works. So just a quick recap of the graphics here: it starts with a synchronization first at the TCP level, which is the base connection, the Transfer Control Protocol that gets established between them, and then it starts the TLS. It starts with the first request, it does the acknowledgement, all that.

So I just want to clear something up here that usually can be misunderstood or misused: well, when you're using secure connections it makes the websites slower and connections slower. Well, as you can see here, 110 milliseconds, right? So it's not really that slow for the internet that we have nowadays. There are a lot of ways that you can make it faster, but no one's going to notice, believe me. There might be some specific system that might need to have a really, really low latency; those could be some cases where you might want to do some specific work on the TLS side, and I don't want to get too deep on that, but just keep in mind that it's not that bad. I mean, we won't notice it, right? The computer might, but not us. But it's not slow, right? And this is kind of the process that the system does when it's doing a TLS connection: it's always a TCP handshake first, and then the TLS happens on top of this TCP, right? So that's kind of how it works.

So the kids' version of TLS, SSL, all that, is this simple: just always teach your kids or anyone in your family to make sure that your browser always has the green lock, and that's about it. So that's the kids' version of secure connections, TLS, SSL; just keep that in mind, that's the kids' version, right? But of course I had to give you the whole explanation and tell you all this technology before getting here, so you can see the reason why the kids' version is the best one. So now let's get more
into what is Let's Encrypt. So Let's Encrypt is a free, automated and open source certificate authority, right? So what they do is they automatically provision certificates that you can use to then create your own secure certificates. This is actually based on multiple protocols; one of them is called ACME, which is the one that you can see on your right. And ACME, you can see the link there, and once I share this presentation you can go ahead and look more into that. It's a standard proposal for how encryption happens, and this is where Let's Encrypt is basically basing its own system.

This is kind of how it works: it's a multi-stage challenge, per se. So just to give you a summarized version, what it does is: first, when you have your IP server, you just make a request; this is not about the website, you just make a request. It just verifies that the IP belongs to that domain in an automatic, efficient way, and then creates a certificate authority, and that's what it gives you to provision your SSL, so that you will see your green check mark. And I will show you that in the demo, it's going to be easier to understand, so just bear with me that that's how it works. So it does every verification first with your server, your IP, and makes sure that you really own that. It does it with multiple types of challenges: one of them could be HTTP-01, which is just making sure that that specific URL, you own it and it's pointing to the right IP; or it can be done at the DNS level, in which case you can plug it in with GoDaddy, with Google DNS, with AWS Route 53, whatever you have that they support. You can just plug that in and it will know that that domain belongs to you, hence it can just provision as many certificates as you want, and you can do wildcards and all that stuff.

There are a lot of ways that this happens; the most common one is using a tool called Certbot, which is
a tool that you can just use right now; you can download it and provision your own certificates. There are other tools that can be used: there are Go libraries, there are Rust implementations, PHP implementations, you name it. So there are a lot of clients that you can use for that. So it's not only that one, but that's the one most widely used, the one that everyone basically knows and is the most supported. But just keep in mind that you can use more tools to use Let's Encrypt other than Certbot.

All right, so now what is cert-manager? So cert-manager is a project in the CNCF; right now they are in the sandbox state, which basically means that they are in the process of becoming an official project of the Cloud Native Computing Foundation. However, in the beginning it was created by Jetstack in order to create this way of using these certs, but: how can I implement this in Kubernetes? How can I make secure connections using Kubernetes? Because one of the things that happened with Let's Encrypt that I didn't mention is that Let's Encrypt has a downside, which is that the certificates are only valid for 90 days, meaning that every 90 days you need to go and renew your certificate. So this can be done, all right? You can make a reminder on your calendar and say every 85, 89 days I will just go and renew my certificate. However, that's not at all, you know, efficient, because imagine that you now have to provision not one server, two servers, but it could be a hundred, a thousand servers. So that's not efficient, so that's why they came up with this tool where it can basically be done automatically. So cert-manager is just going to grab your information, it's going to do all the challenges, and every 90 days, or before the 90 days of expiration, it just goes and grabs the new certificate, renews it and gets it back into the system, and you don't have to do a thing for that. So that's really nice that they came up with this tool. It started as kube-lego, that was the first name, and
then it became cert-manager, which is a little more complete tool.

Of course cert-manager does not only work with Let's Encrypt; just to mention that, it also works with HashiCorp Vault, Venafi and others. So you don't have to only use Let's Encrypt. We're going to use Let's Encrypt in this demo today because it's the easiest and of course it's open source; we are going to be doing a lot of open source stuff here. But if you have your own certificate and you have it stored in HashiCorp Vault, for example, that's fine, you can just use it. You can download your cert from Comodo or whatever you're using right now and put it in your HashiCorp Vault, and that's fine, it works as well. And then you only have one source of truth that you can just keep renewing, instead of having to worry about Let's Encrypt. So that's kind of what cert-manager is for, and how it works.

It works like this: as you can see, cert-manager is in the center, and then we have the different types of, let's call them, provisioners. So the provisioners are Let's Encrypt, which actually does have two APIs: it has the production API, which has some limits, you can only make some requests every now and then; and then you have the staging API, which is not going to give you a super secure certificate, meaning you won't see the green lock, but it's going to give you something that works so you can test all your system before you go to production, which is nice. And then once you move to production, they will provision the real certificate with everything that you need. But also, as you can see here, you can have Vault and Venafi, and then cert-manager is the one that actually talks to your internal Kubernetes using CRDs, and these CRDs are Certificates and Issuers. I'm going to show you a couple of examples of those in the demo, but just to talk about it a little bit: Issuers are the ones that connect cert-manager with the actual provisioner of the certificate; they just manage that connection,
and then the Certificate is the one that talks to the Issuer and says: okay, I need now a certificate for this specific domain, or I need a certificate for this wildcard domain. So regardless of what you need, the Certificate is the one handling that. And at the end, what the Certificate does is just keep the secrets in sync. I don't know if you know how it works inside Kubernetes: when you want to create certificates, there is a specific secret type in Kubernetes, which I'm going to show you how it looks like, that is specific for certificates. So in this case what cert-manager does is just keep them in sync: when a new certificate comes in, it's just going to replace the old certificate in the secret, remove that and put the new one, and you won't have to do it. So that's kind of how cert-manager works, in a kind of summarized way. Of course it's a little more complex system, but this is the summarized version of how it works.

So, you guys can stop me at any time if there's a question, either in the YouTube channel or here in the chat, so feel free to stop me if I'm going too fast. I want to make sure that you all have all the information and questions answered during this time. Okay, so I think we got to the demo time; the presentation was quite fast. So let's describe what we're going to be doing in this demo and then we're just going to jump into the demo right away. So the first thing that we're going to do is install cert-manager, then we're going to deploy an application without SSL so you can see how it looks like. Right after, we're going to create an Issuer, and there are two types of Issuers: the namespace-level Issuer and the cluster-level Issuer. I'm going to explain what those two are for and when you can use them and in what scenarios. And of course they're both going to
be ACME-type Issuers. And of course at the end we need to enable SSL so we can deploy an application and actually see the green lock. All right, so any questions before we go? All right. So let me then change my sharing screen. There are no questions on YouTube either, so go ahead, Angel. All right, thank you. So let me know if you can see my screen, and please let me know if this is a good size; I sometimes just don't know if it's good. Is it good? Let me see, YouTube hasn't caught up on this one. Yeah, I just want to make sure that the size is good because sometimes it's just hard to read, so if I have to make it bigger, it's fine.

All right, so this is just a repo which I'm going to upload later to the meetup repository, and I'll share it later. Yes, I see Sat here is asking if this is a giveaway: yes, I will update the meetup later with a link to this repo, for sure, I'm going to share it. So here we've got some of the requirements that I want to share with you guys before we get started. Of course there's some stuff that I did already, just to make sure that we don't waste too much time on things that are not related to the specific topic. So first, I'm using DigitalOcean, and full disclaimer, they're not a sponsor of this channel or anything like that; it's just for simplicity, so keep that in mind. I don't want people to think that I am promoting DigitalOcean or anything like that. So what I did is: I logged into DigitalOcean using doctl, and I'm sharing all the commands that I'm using so you can follow along if you have an account there. I created a cluster, and I didn't specify any type of properties; it's just the simplest plain cluster you can find there. So that's why you can see here
the code that I ran. And just to verify that, let's just run a quick check: kubectl config current-context. And right now we've got, yep, the DO nyc1, South Florida, so we're good. That means that we are in the right cluster and we are in the right context, so we are in a good place.

Another prerequisite that I did prior to the meetup is I installed the NGINX ingress controller. Same thing, it doesn't have to be NGINX; it could be any other ingress controller that you want. It's not really the point of the talk, but I just installed this one for simplicity. Just one thing to keep in mind with any ingress controller that you install: it was something that actually took me some time to find out, because they don't quite put that in the documentation, that you need to have some specific annotations on the service in order for it to work. I think NGINX does have that in the kubectl apply file when you do that one; however, if you use Helm there is some annotation that you need to set, so you might need to do something like controller, and then service, and then annotations, if I'm not mistaken, and then you need to add... I have it somewhere here, so I'll find it, but it's kind of a weird annotation. I think I can find it over here; I'm going to show you real quick because this is interesting and important, otherwise you won't be able to follow along. kubectl, and then in the ingress controller namespace, get svc. All right, there you go. So if I describe the svc that we have, you will notice that there is a specific annotation here. There you go, this one: service.beta.kubernetes.io ... protocol: true. So this annotation, you need to add it here, otherwise it won't work, so just keep that in mind. I think this is the way that you can do it on Helm, but I can confirm that for you guys
later and upload it, but definitely you need this, and I think you also need the hostname. We'll find out if it doesn't work, because I do have an example where they needed the hostname, so we'll find out. But this is definitely something that you need. All right, so that's about it on this side; those are the prerequisites that I ran prior to this.

So let's go ahead and start literally with cert-manager. So the first thing that we need with cert-manager is just to create the namespace, add the repo and then we're going to install it with Helm. So let's do that real quick. Let's just create this real quick. This part I'm going to do a little quick because I want to make sure that we spend more time on the actual files. So let me just do this: I'm just adding the repo, I'm just updating the repo so I get the latest information, and here is the actual installer. So just to talk about this line for a second: all I'm doing here is I'm saying helm install cert-manager, I'm going to call it this way, this is the repo, I want this specific namespace and I want this version. Make sure with cert-manager that you specify a version, always. Something that I had in the past is that I didn't specify the version of cert-manager and I just installed x version, and they do make some heavy changes sometimes, so just keep that in mind, that you do that. Sorry, I have my throat... So just keep that in mind, that you always specify the version; that's a good practice anyways, but especially with them. And now we're just going to set a flag called installCRDs true. There are multiple ways that you can install cert-manager; you will see on the website this is the one that I found the easiest, and this one includes also the CRDs, so all these Certificate CRDs, all these Issuers just get installed right away alongside the core. So let's install that, and while that is installing let me just take a look at what is
next, and here is how we're going to verify that the installation is good. All right, so let's just give it a second, and this is actually a good time to ask questions if you have one. I think I need to move my face because it's kind of... there you go, let me just move it over here because it's kind of getting in the middle.

All right, so Helm said that everything is good, and we're going to check that. Okay, sorry. So we've got here all the pods that are running in the cert-manager namespace. Just a quick thing: this is just the cert-manager actual system, the one that does all the work; there are a couple more, let's just not worry about those right now. There's a little more; I'd say we will need more time to actually dig into every single one of those. Just keep in mind that these are the three main pods that are running inside cert-manager; we're mostly going to be working on this one today, the other ones we can just have another talk about, what they do and how we can work with them. So it says that everything is running, so that means that we're good to go.

Now, the first thing that we're going to be doing is, well, let's check it out: the first step, we said we're going to deploy an application. So we're going to upload an application, I have one called echo, and I'm going to show real quick what it does. So it's a deployment; let me just hide this so we don't have a big... all right. So it's a deployment, pretty simple, it doesn't do much. All it does is just show on the website "hello world", that's all it does. And we're going to just deploy and see what we can get. Of course we cannot deploy this without having a service, which is simple as well; it's just, you know, using 8080 and 80. And we're going to deploy an ingress, but if you notice I have an ingress that won't have SSL set up, and then we're going to set up another one which does have SSL. Okay, for now let's just keep it simple. All right, so what I'm going to do is first kubectl
apply, and I'm going to drop it right on the default namespace, so there's not much here to do. The file is going to be... am I... where? Oh, I need to get into the folder, Angel. So let's get inside the folder, inside chapter six, and there you go. Okay, so let's do kubectl apply, and now let's apply the echo. We're going to do the deployment first, let's do it. We've got a deployment, and now let's do the service. We've got the service, and it just confirmed that we've got both, so we are good to go. So we've got the pod running, we've got the service, it's there; it doesn't have an external IP because we're going to be using ingress controllers. Now let's do kubectl apply and then echo, let's do the ingress, but the one without the SSL. Let's do that. So we've got the ingress; it might take a couple of minutes to actually deploy, but let's just give it a second. So first let's do this, all right, and let me just double check what's the... okay, so it's supposed to reply to echo, so let's try that out. So first let's do a curl and see. We got it, "hello world", there you go. So that means that we actually have a hello world scenario. So, so you guys don't feel that I'm lying to you, let's do it in the browser. So we've got in the browser "hello", there you go. Now just pay attention to this: it's not secure. Of course, we haven't done any HTTPS, no TLS, no SSL, nothing here, so just a plain website.

I want to show you real quick what I did on DigitalOcean: all I did is just put this DNS here, and all I did is just copy the IP from the ingress controller, and I'm basically pointing everything that is dev here to that, I mean wildcard dev, all the way here. So please try not to do a DDoS or that type of thing right now, so we can actually finish this talk. I know some of you might have some ideas, but don't do it. So that's pretty much it. And if you want to know how I got the IP for the ingress controller, all you have to do is just get
the ingress controller namespace and then do get, and then the service, and that should give you the load balancer IP right here. That's it. Okay, good to go. So we've got step one done, which is deploying an application with no SSL.

Step two is going to be a little more like reading, less actually practicing, because I don't want to spend too much time on this one; it's more to show you multiple ways that you can actually deploy a certificate. So here this is an example of how we're going to create a self-signed certificate. So what is a self-signed certificate? A self-signed certificate is like you create your own certificate authority, just like whatever you want to call it, I don't know, "Angel Certificate Company", and it's self-signed. Of course it's not going to be secure, no one will care about that certificate, because you're not an entity that is approved or recognized by the browsers. However, you can use a self-signed certificate internally, like if you are heading into your PC and that kind of communications; those are the ones that you basically could create, because you don't care about having an official certificate from a specific company. You can use just a self-signed certificate; just keep it secure so no one knows it, and that's how you communicate securely between two layers. So just because it's self-signed doesn't mean that it's not secure; it just means that the browser wouldn't know who they are. But internally, TCP connections, they're just fine, they don't care. All they care about is like: do I know you? Yes. Can we just acknowledge and start the connection? Yes. You're good to go. That's kind of the self-signed certificate talk, because sometimes people think like, oh, it's not secure. It is secure, it's just not specifically the way the browser will understand it.

So it's pretty simple: I'm just creating a namespace, I'm creating an Issuer, and this is a way to introduce an Issuer. An Issuer is just an object that is
going to hold the information of what am I going to issue, what is the type of certificate that I'm going to give you; in this case it's self-signed. There's not much else to do here. Of course, in this object, if you go to the website, you can specify things like the company name or something like that, I believe, but we're not going to do that right here because we don't care too much about this one, it's just an example. So if you do an empty object, what it's going to do is just create it with whatever random information. Then we're going to create the Certificate. So the Certificate is going to use the Issuer to then create, and keep in sync, the secrets.

Before I run this I want to show you something so you can see what it looks like. I'm going to show you all the namespaces that I have, so I have no namespace called cert-manager-test, so there's nothing here. The first thing that we're going to be doing then is execute that file, so apply -f as a file, and we're going to create a self-signed certificate. So it's going to give me a namespace, it's going to give me an Issuer and a Certificate. Now what that means is that now I have a way for me to say: so I want to see all the Issuers in the namespace cert-manager-test, and you will see that this one, called self-signed, has the status Ready as True. And let's see what that means: so instead of doing the get, let's do now a describe. With the describe we can see more information about the certificate; in this case, while it's giving us the entire object, it's also going to give us more stuff, like: okay, it is Ready, it is True, the type, all this stuff, all the events that are happening. In this case it basically did nothing because it's self-signed, so everything happens inside the cluster, so there's not much to do here. But you will compare when we show the other one, that is going to have more events. So that's the
Certificate. If we want to see now, all right, so I want to see in the same namespace, because we are in the cert-manager namespace, if we want to see now all the certificates, let's just say describe certificates. And now let's see: we've got one called self-signed certificate, and here you will see more information. So in the Issuer there was not much to see because it's basically self-signed, so there's not much to do. However, here is a Certificate; you will see that there is more information. It's saying, okay, cool, for this self-signed ... domain we're going to have some of these conditions: so the certificate is Ready and has no expiration at all. But if you see in the events, it started with first the certificate-specific issue, then it created a new request, it stored the private key, which I'm going to show you what that means, and then it's issuing the certificate as a secret, and it's telling you "does not exist". This is actually very cool, because this is first checking: do I have already a secret assigned to this certificate? If I don't, I'm going to create it, but if I do, I'm going to just renew it. So this is actually very important, because this is how it keeps track of what do I have and what do I have to renew. So this is pretty cool.

And last but not least, I'm going to show you in the same namespace: now what is a secret? Let's see, get secrets, and now you see that we have two secrets, and this one was created two minutes ago, literally. And in this secret we're going to see, let's do secrets, and let's describe this one. Now we're going to see that we have a ca, right, which is the certificate authority, and this is the difference between self-signed and all the certificates: we have the CA right there, we've got the tls and we've got the key. So for self-signed usually you have the CA literally right there, because you need to have the whole bundle, and this is how it gets created. Now pay attention to the type. When I was saying about the secrets in Kubernetes, when you
have multiple types of secrets: you have the type generic secret, which is just whatever information you want to store securely, and that's another topic that I want to talk about, that it's not really secure, but we'll talk about that later. Then you have the tls and you have the docker-registry. So the docker-registry is the one that you use for storing information about how to talk to multiple... it could be Docker, it could be GCR, it could be AWS ECR, whatever you have. And then you have tls, which is to store this type of information, the ones that we're showing here. So just keep that in mind. All right, so that's it with the self-signed one; not much here, like I said, it's just reading and showing you how it works.

Now let's get a little more into the one that we really want to talk about today, which is the ones that we can use in the browser. Now for that we have the ACME ClusterIssuer. So I'm going to show you this real quick and then we will explore the other ones. So the ClusterIssuer: if you notice, in the self-signed one that we have here, I created an Issuer and then I specified a namespace. In this one I'm just saying ClusterIssuer and I'm not specifying a namespace. What's the difference? None. The only difference really between them is not about how they work, it's their scope. So with the Issuer you can only issue certificates inside that namespace, and it only works in that namespace. This one just doesn't care about namespacing; it just works with any type of issuer, any type of certificate, any namespace. When is this helpful? Well, in multiple ways: if you have multi-tenants and every tenant, for example, has their own namespace, you don't want them to be able to see someone else's certificate, for sure. So that's why maybe having an Issuer makes sense in those scenarios. When does the ClusterIssuer make sense? Well, when you're the only tenant and all your services are inside the cluster, so you might not need to make it a specific namespace. However, I will argue, my personal opinion, that you should
always try to use issuer and not cluster issuers because issuers first it's already contained in one place and only one uh name space so by default it's a little more secure so there won't be a case where one information will go across the spaces and the other side of the coin because when you have anything that is close to wide permissions in kuwait netize you should be careful because having those type of permissions basically telling the coin is hey this service plus in this case certain manager when i create a cluster issuer have access wide access to my cluster even if even if it's just to watch naming spaces or secrets so unless you can verify and make sure that they don't have all the access that they don't really need i will avoid at all costs using cluster or anything that is close or white however we're gonna use it here right now it's just a an example but just keep that in mind uh that's a security tip uh so well we're just naming it doesn't really matter what the name is uh here i'm giving you this example of how we use acne uh so we're saying we're gonna use the protocol acme and the server is less encrypt this is how we tie things together so we're using protocol on acme less encrypt is the one that is gonna provide that service to me i'm gonna use the pro version api because i want to see the green lock here in this case um i'm specifying the preferred chain so this one they changed it recently you don't have to specify you can just leave it alone and it will give you the latest and greatest the one they have i like to be more specific and especially when i'm writing my my my channels on the kubernetes i want to make sure that i did there's no surprises um so here i'm just specifying i want to use this specific preferred chain you need you need to give it an email that email is the one that you will use to type to your account so you will create an account if that email is not there it will create an account titles certificates to this account and 
then once that's done for example you i delete the cluster and i create another one later even if i use the same email he will understand oh i i know this email i can just give you the certificate so that's kind of something that uh to give you my keep that in mind uh then we have the private uh key uh where i want to store this information so it's not about the certificate information it's about the information that list encrypt is going to give me to come to give us a configuration so um i there is going to be all the information related like renewals expiration time all the stuff can be stored there in my account so that's the private uh secret that you can see here now the resolvers is when we're actually going to be working um with the certificates so in this case we're going to be using http 01 and we're going to be using ingress and in this case like i said i i like to specify i want to use the nginx one why because you could have multiple http one resolvers you can have as many as you want and let's say that you have another one that is solving and using uh asian proxy and then you because you're running asian products and nginx both in the same cluster that's completely possible so there's nothing stopping you to doing that um i don't see a real benefit yet but you can do it so you can have multiple english control running but this is how you specify how it's going to resolve those challenges and how you're going to say okay now this is good a couple of things here um um i'm using a selector and say hey look for anything that is using this select this label so any ingress uh in my system in this case is a cluster issuer if it's an issue where i would look into everything inside the name space just keep that in mind but in this case i'm saying if you find in the whole cluster an ingress that has this label equals true then you basically use that as a link now you're gonna watch for that english so it's establishing a link via labels this is pretty nice uh 
actually prior versions there was a different way to do this you have to do like some crazy stuff in order to make it work this is actually one of the best features that i think they come out related uh lately just tighten those though via labels because now all you need to make sure that you label things in the way that you want it and that's it you don't have to worry about how many do i have or if i had to do anything manually so this is pretty cool and this is it this is just the issuer okay so without further ado i'm just gonna deploy the issuer and see how it looks like and then i'm going to show you how the process works so let's do a cube ctl mine no minus and i'm just going to apply and it's f and then let's do the uh anime clause issuer all right crossing fingers cool so now i'm gonna show you something really nice i'm gonna go to a certain monitor and i'm gonna say show me the logs of your pod and let's just watch the logs for a second um i know it might sound like oh this is a lot but actually you see here it say it found a cluster issuer so it's you already say oh there is a cluster issue it just got created right so now it's going to say well once it goes to a process let's just watch here for a second now it's going to start doing this a challenge actually i think it already did it kind of said here is this is the name of the issuer is ray of verifying because what it's going to be doing now it's going to say all right going to talk to less encrypt in the server and say i do have this domain whatever whatever whatever that i need to verify i need to know if this guy really owns it so this encrypt is gonna send an acme challenge to that uh domain is that domain is backup for an ip which is my digital ocean and then based on that this guy is going to receive that information and say well let me just see if this tied up together and then it's gonna do the whole cycle so one he verifies that this channel that started here from this point did the the 
round to less encrypt doesn't creep back to the to the server in the other way he can tie these two together and say yes this actually belongs to this ip right so this is a very very very uh you know uh summarized version of how it works but just to give an idea just doing a quick big round and making sure that this ip and these domains are together and belong together that i'm not trying to prove anything here um so we just need to give it a second and see um if it's done or not or if we have an error so uh what i'm gonna do now i'm just gonna leave this here and i'm gonna open another tab there you go let me load me again and now let's take a look at the close issues so i'm gonna describe cluster issuers and see if we got something different all right okay okay so as you can see here you just say the same information that we got prior to that but look at this the the the conditions right now it says the acme account was registered right so this we're good um oh actually that's why it was that fast because this was already erased so it didn't do it didn't have to do the whole saving information for my account because it already recognized my email so that was that's why it was very that easy right so first step that was good which is why that now explains why i didn't do a lot it just made a couple of requests on the same now when do we when are we going to see a lot is when we create a certificate so let's do that now uh i think it's this one there you go so now we're going to go and install the ingress sls and now let me explain this real quick before i get into this so i'm going to put this on the side because i don't want to lose sight of this real quick so if you look at here now i'm going to deploy the the version of the app that is ssl so and for that let's do something better so instead of having the exact same domain let me just uh one second um okay this is equal here blah blah blah and then let's do let's do eco ssl and then let's do eco ssl so why am i 
doing this because i want to keep both i want to keep the known ssl version and i want to keep this as a version so i can i can i can show you and compare so in this case i'm going to create another ingress right so pretty simple straightforward nothing fancy and same thing is the class engine x this is just the uh the uh the uh english controller i'm telling them hey by the way when you find this this this annotation is pretty cool i like it so when you make this a challenge and you actually find a link it did this ingress controller in place so just edit it right so it doesn't create more stuff more um uh headaches and i'm just adding a lot of annotation for the consent manager issuer that i'm specifying what issue do i want to use i don't have to do this because i already using labels here i think as you can see but i i mean this is kind of maybe a lcd for me but i do like to be specific so i'm specifying what cluster i want to use and specifying uh the way that they can connect i could do either or just keep that in mind because i mean maybe you want to just get rid of this and that's fine so or you can get rid of the labels if you don't like delay so either or i just use both um doesn't really matter for me and then here's the magic so i'm saying this english is going to be the type tls this is the host that i want to have for the tls version and this is a secret so this is important because this secret right here is the one that the certificate that is going to be created on the fly is going to basically use that secret name to create the secret that we're going to use to store the information and to prove that to you i'm going to go back here and once again if i do qctl and i think this is in default again in the following space i get secrets right so there's not secret called eco def whatever this none right so we'll create it on the fly so let's do that let's apply minus f and then let's do the uh eco and then let's do the uh ssl all right so it got 
created it got configured um did i say this yeah i did i did save it yeah oh i see what i see what happened all right so i messed up i messed up uh i changed everything but the name uh yeah so i'm gonna do this well let's let's leave it like that it doesn't matter right now uh we can we can always look into that later so here's what i want to show you um okay so if i can do this i can do it okay what's going on why is not okay that was interesting all right so now let me show you that now you got you see more information scenes are blank um um lines so all this doing here and i know that it's hard to read so don't worry but if you can spot here doing a self check making sure that it's doing the the challenge um all that is just being done right now so it's just making sure that i do really own that ip and that ip can talk to that ingress and all that so there's so much check uh fail it looks like i'm gonna check it out why is failing and i believe if it doesn't work it's because then an annotation that i was missing about the host name so i'm pretty sure about it so uh we'll get that result no worries so but before that i'm gonna show you how it looks like on the actual certificate side so now we can see that we have in this name space a new certificate that we didn't have before and it's called eco and if we describe it um it's saying it's created a temporary certificate you create a new certificate request i store the new key and the temporary secret and the resource so what this is saying is that uh okay so i found a new certificate that i need to provision okay but while i'm doing that i'm to create a request and create like a fake one something like a temporary secret so i can keep using it i can right now go to my browser and and try to to get with the uh my estimate not found because i changed the uh the url so let's do ssl so you see it's actually saying now something different it's not telling me hey this i don't know who they are just telling you okay are 
you using a temporary certificate something that i don't trust as a browser so this is good it's basically doing what it's supposed to be doing is provisioning something you say random number uh while it's trying to do the uh the actual um you know validation which i'm we're gonna fix right now no worries um so that everybody's doing now the reason why i think it's failing and i think is because i can just go back in time let me go back sorry one second because i don't remember exactly uh i think it's this one no it's this one and no no no not that one is oh i know i just put it here um here no it's not happening give me one second guys sorry about that uh and now i can do it where is it i had it over here okay it is easier if we just lead the lotion question uh host name annotation and i believe this is the issue because of the issue with the load balancers that they have and is the host name the one that we need let me just search for it so we can close name annotation come on there you go found it all right so this is the annotation that i was missing which i believe is the issue why it's not working all right so and then we're gonna open this we're gonna we're gonna do some live editing don't do this at home um okay and then let's do qctl minus and english control engine x let's do it there you go and now let's go edit and we're gonna oh no no that was too much you're gonna edit service in this controller that's the one that we need to edit and then here we're going to go to annotations right here and then we're going to paste that in there and then we're going to put the actual hostname we should step that up [Music] we're going to save that it's gonna edit it and hopefully that will solve the issue so let's just look at the logs again if not what we need to do is just um just need to kind of like uh delete the certificate and create it again so let's check out the logs and see if that helps all right so deleting the pod doing that blah blah blah request echo 
found status last transaction cueing the item okay i think i think it did and i just try boom there you go that was the issue so now this is the the uh the uh success now we got of course i'm using brave so bass does not put this on green itself but this is kind of like the same approach now we have a green check mark here it says that it's uh is rg rook x1 is is given to this uh url it is trustable you see a certificate is valid uh the details everything that we have here is uh let's encrypt all the stuff that information that no one reads but believe me it's important and that's it so we really got a secure ssl uh website using let's encrypt with the protocol admin and serve monitor now the good thing about this is that i don't have to worry about renewals because certain money would do that for me and uh i think that's it i mean all questions comments you guys decide i think we're on time right yeah we actually right on time yes there's no questions on youtube okay shut it what's up oh i said no questions oh i i thought you said there was two questions um okay um any any question here in the chat anything in the comments or shall we just wrap up [Music] i think that's spicy so all right so yeah that was it um i appreciate one more time you guys uh the time uh hopefully i i provide you with value and uh i'll i'll keep doing this like i said uh we took like a two couple months uh out um because of the holidays and that kind of stuff and i was traveling so i couldn't really uh do this but we're gonna get back on track the plan for this year is to do it a couple of times a month instead of once a month so just stay alert that uh we want to do a couple of times a month uh like always we're looking for speakers if you have anything that you want to share about kubernetes and cloud native feel free you don't have to be an expert anything that you learn uh it will help someone that might not know so remember this is a community and we want to help everyone that we can 
so let me know uh if you you're interested in presenting anything that you can you know um i definitely i i would love to schedule uh for you to talk oh thank you paul um thank you for for joining so all right all right everyone thank you so much looking forward to the next stock then and uh we'll have some surprises here because we want to do our cool stuff so all right so happy tuesday and uh enjoy the rest of your night bye bye
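The objects the talk applies on screen (the self-signed Issuer and Certificate in cert-manager-test, the ACME ClusterIssuer with an HTTP-01 solver tied to ingresses by label, and the Ingress whose tls.secretName cert-manager fills on the fly), written out as one added example. These are not the speaker's files, which are not shown on the page; the resource names, the domain echo-ssl.example.com, the contact email, the label use-letsencrypt and the backend Service echo are assumptions.

```yaml
# Added example, not the talk's own manifests. Names, domain, email and
# the backend Service "echo" are assumptions; apply top to bottom.
---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
# Namespace-scoped Issuer: only Certificates inside cert-manager-test can
# reference it, which is the scoping the talk recommends by default.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned
  namespace: cert-manager-test
spec:
  selfSigned: {}          # empty object: cert-manager fills in random subject data
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-certificate
  namespace: cert-manager-test
spec:
  secretName: selfsigned-certificate-tls   # type kubernetes.io/tls: ca.crt, tls.crt, tls.key
  dnsNames:
    - echo.internal.example                # assumed internal name
  issuerRef:
    name: selfsigned
    kind: Issuer
---
# Cluster-scoped ACME issuer. As the talk warns, this works across every
# namespace; prefer a namespaced Issuer unless you really need that reach.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory   # production API
    email: ops@example.com          # assumed; account is re-used if the email is already registered
    preferredChain: "ISRG Root X1"  # pin the chain instead of taking the default
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, not the site key
    solvers:
      - selector:
          matchLabels:
            use-letsencrypt: "true"  # only resources carrying this label use this solver
        http01:
          ingress:
            class: nginx             # which ingress controller answers the challenge
---
# The TLS version of the app. cert-manager creates the Secret named in
# spec.tls.secretName, serves a temporary self-signed cert while the HTTP-01
# challenge runs, then swaps in the Let's Encrypt cert and renews it.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echo-ssl
  namespace: default
  labels:
    use-letsencrypt: "true"          # the label link to the solver above
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod          # explicit issuer (redundant with the label, as in the talk)
    acme.cert-manager.io/http01-edit-in-place: "true"         # solve the challenge on this Ingress, not a new one
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - echo-ssl.example.com
      secretName: echo-ssl-tls       # created on the fly; does not exist before apply
  rules:
    - host: echo-ssl.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: echo           # assumed backend Service
                port:
                  number: 80
```

The checks from the talk map onto these objects directly: kubectl -n cert-manager-test describe issuers and describe certificates should show Ready: True, kubectl -n cert-manager-test get secrets should list selfsigned-certificate-tls with type kubernetes.io/tls, and kubectl -n default get secrets should gain echo-ssl-tls only after the challenge succeeds. The hostname annotation the talk adds to the ingress-nginx controller Service to get the self-check past a DigitalOcean load balancer is not named on the page; the DigitalOcean cloud controller's annotation for that purpose is service.beta.kubernetes.io/do-loadbalancer-hostname, set to the public hostname the ingress resolves to.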
Info
Channel: Cuemby
Views: 3,978
Keywords: SSL, Let's Encrypt, Cert Manager, Kubernetes, Cuemby, Angel Ramirez, South Florida
Id: HzxjsMrtIwc
Length: 65min 55sec (3955 seconds)
Published: Wed Feb 24 2021