#cert-manager — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #cert-manager, aggregated by home.social.
-
cert-manager is able to follow CNAMES, essentially making the handling of the acme challenges via DNS more flexible.
https://cert-manager.io/docs/configuration/acme/dns01/#delegated-domains-for-dns01
-
Numerous technical and security improvements on the infrastructure that supports https://mstdn.dk
- DNS simplified extensively by migrating public facing secondary nameservers to #NSD using #CatalogZones from PowerDNS + DNSDist.
- #DNSSEC reenabled
- #ExternalDNS and #CertManager configuration vastly simplified.
- #Ingress controller migrated from #Nginx to #Traefik
Bottom line: https://sikkerpånettet.dk/ now gives the site a 100% #security score. There are still improvements to be made (weirdly enough) - specifically I'm looking into supporting DANE for #TLS certificate signatures in #DNS.
Now that's off the TODO-list :-)
-
need to change my dns nameservers from porkbun's to a provider that's supported by cert-manager...
any recommendations?
(or i guess i could use this, but since porkbun's ui for managing dns records isn't very comfortable, it would probably be nice to switch)
-
As Hetzner is deprecating dns configuration via the dns-console, I migrated my domains to the new Cloud API. Last piece of the puzzle was to create new tokens and move from the old cert-manager-webhook-hetzner (by vadimkim) to the official chart maintained by Hetzner.
Migrated my 7 kubernetes clusters (k3s, rke2, OpenShift) without major hiccups, only had to do some cleanup due to old acme challenge entries being leftover after the migration (as cert-manager could not remove them without the new webhook and API token).
Only things left are the machines without k3s using lego.
#homelab #hetzner #certmanager #dns #hellyeah #kubernetes #k3s #rke2
-
Как сделать релизы скучными: production baseline на Kubernetes и GitLab CI/CD
Монолит без тестов. Деплой только ночью. Пять минут гарантированного простоя на каждом релизе. Логи — в файле. О проблемах узнаём от клиента. Малый/средний бизнес МФО, без отдельного DevOps-инженера. “Специально обученный тимлид”, который знает, какие костыли подпирают систему. Рассказываю, как из этого получился production baseline: Kubernetes, GitLab CI/CD и наблюдаемость, после которых релизы стали скучными.
https://habr.com/ru/articles/1004956/
#cicd #yandexcloud #kubernetes #gitlab #prometheus #devops #certmanager #helm #logging #deployment
-
Effortlessly manage SSL certs with Let's Encrypt & Cert Manager in Kubernetes! 🌐🔒 https://www.funkysi1701.com/posts/2025/kubernetes-and-letsencrypt/ #Kubernetes #LetsEncrypt #SSL #CertManager #Helm #Cloudflare #DevOps #Security #Automation
-
@Larvitz How is Step CA? Are you coming from another CA solution?
Been thinking about running #stepca in my #kubernetes cluster, but have been apprehensive because of how many features seem to be gated behind smallstep's proprietary version. Would love to have this integrated with #certmanager and using the #tpm on my nodes. Was going to do a rearchitecting of my entire #auth and #cryptography stack when I switch from the deprecated #Ingress API to the #GatewayAPI
-
Updated #Orked, my collection of scripts to help set up a production-ready #RKE2 #Kubernetes cluster in your #homelab. This update brings general improvements to the scripts, improved documentation, #HAProxy load balancer support for load balancing multiple Master nodes, and upgraded all components including RKE2, #Longhorn, #Nginx Ingress, #Cert-manager, #MetalLB, #Rancher, etc. to their latest versions.
I still hope someday to support more Kubernetes distributions like #k3s, but haven't gotten around to it. I've also been planning to support more #Linux distros as the base too, instead of only #RockyLinux/#RHEL, but that'll have to wait as well for now. Regardless, I am quite happy with how mature and stable these scripts have turned out to be. If you'd like to set up a cluster of your own, maybe check it out!
🔗 https://github.com/irfanhakim-as/orked
🔗 https://github.com/irfanhakim-as/orked/pull/41 -
Инструкция по настройке Удостоверяющего Центра (CA) на базе HashiCorp Vault и OpenSSL в Kubernetes
Эта инструкция представляет собой полное руководство по развертыванию отказоустойчивого кластера HashiCorp Vault в Kubernetes и настройке двухуровневой Public Key Infrastructure (PKI). Корневой сертификат и промежуточный CA создаются через OpenSSL, но промежуточный импортируется и настраивается в Vault для повседневного выпуска сертификатов. Инфраструктура интегрируется с cert-manager для автоматического управления жизненным циклом TLS-сертификатов.
-
Hmm my services are running fine as far as I can tell, but my #Rancher/#RKE2 #Kubernetes cluster is acting up - possibly #etcd related?
Biggest tell being how the control plane/API server not being the most responsive, and some essential pods failing/restarting including #cert-manager,cloud-controller-manager,csi-smb-controller,kube-apiserver,kube-scheduler,rke2-snapshot-controller,csi-provisioner+-resizer,-snapshotter, yadda yadda.
Not sure what could be causing it just yet. -
Oh wow! I had some weird stuff in the GatewayAPI config for HTTP to HTTPS redirect which was blocking ACME.
Now I have CertManager correctly issuing certificates from my private StepCA, using the http01 solver behind GatewayAPI! Blog coming (eventually). 🎉
#HomeLab #GatewayAPI #Kubernetes #CertManager #StepCA #TalosLinux
-
A lesson learned for #cilium and #certmanager on #kubernetes
One shall never forget all necessary http routes and most importantly the enableGatewayAPI flag.
This one also helped: https://kubito.dev/posts/gateway-api-cert-manager/
-
I spent probably a weeks worth of hours learning more #kubernetes so I could save $60 a month.
I have a nice 3 node kube cluster with a 2 node #keepalived #haproxy TCP load balancer. All on #ARM VPS.
Haproxy ingress
#ExternalDNS operator
#CertManager
#RookCeph
#ArgoCD
#KeyCloak
#ValKey
#Mastodon
#CloudNativePG #Postgresql -
openDesk läuft ausschließlich auf Kubernetes und nutzt über 35 Helm-Charts für den produktiven Betrieb. Voraussetzungen: K8s >=1.24, Ingress-NGINX, cert-manager, Helm, Helmfile, RWO-Volumes & externe Dienste wie Redis, Postfix & Co.
Details: https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/develop/docs/requirements.md
#Kubernetes #Helm #DevOps #OpenSource #openDesk #GovTech #CloudNative #Ingress #certManager #DigitalSovereignty -
I'm going to be at #kubecon. At the maintainers summit beforehand, at the contribfest, and at the #headlamp project pavilion.
Contribfest session: https://kccnceu2025.sched.com/event/1td0n
I'm looking forward to connecting with folks working on different projects. People have been quite busy building out Headlamp Kubernetes UIs for ecosystem tooling and standards like #gatewayapi #prometheus #keda #flux #minikube #backstage #inspektorgadget #flagger and #certmanager
-
Those who've been reading my toots, might have picked up on the fact that I'm building a #kubernetes cluster from scratch (yes, I like pain). After figuring out #cri_o #calico #certmanager #metallb #traefik and #cloudnativepg I finally deployed my first actual application: #nextcloud ! Wueeh! Extremely stocked! Now I need to figure out how I rope in my ZFS box for persistence, and then I'm ready for a deployment in testing! #k8s #selfhosting
-
Managed to migrate my first #Truecharts app from #TrueNAS to #Talos.
Do this only if you need another hobby. It is definitely nothing like the comfort the TrueNAS App Catalogue and UI provided.
But i like #Kubernetes and so it is fine for me, to play around with #CertManager, #RenovateBot, #FluxCD and #VolSync. Just have to compare resource consumption now 😅
-
#CertManager can now be rolled out with GOP. We're planning to extend the support to automatically provision #TLS certs via #letsencrypt / #ACME for all tools with a single parameter 🚀
This release also contains contributions of our new maintainer Thomas Michael. Welcome to the team 🥳
-
Isn't there a decent alternative to #certmanager in #kubernetes ?
I need a tool that support #powerdns api.
kube-lego sadly is deprecated -
So I've managed to finally get #Traefik working with #CertManager.
It took lots of frustration, a sidequest around attempting replace Traefik with the #Cilium Gateway API implementation, to lots of annoyance and frustration, broken iptables, but we finally got back to pretty much where we started and things started to fall in place from here.
So the good news is by separating certificates from Traefik, we can now get Traefik doing HA. Why you ask? Just cause.
-
I had the rare opportunity to need to send a physical mail, a form. There used to be a SAM machine near my place where you can print out a stamp but they removed it recently.
I search for the nearest SAM machines near me, Google Maps showed the nearest one and along with the business info, included is the URL https://mysam.sg.
#singpost #mysam #tls #ssl #iis #letsencrypt #certmanager #eol
-
Ha, funktioniert: LoadBalancer für #dovecot wird automatisch erzeugt, automatisch in DNS eingetragen und automatisch ein TLS-Zertifikat erzeugt. Langsam nimmt mein Mail-auf-Kubernetes-Setup Form an.
-
I've just merged a huge PR to my #Orked (O-tomated RKE Distribution - GREAT NAME I KNOW) that makes it easier than ever for anyone to set up a production-ready #RKE2 #Kubernetes cluster in their #homelab.
With this collection of scripts, all you need to do is just provision the nodes required, including a login/management node, and run the scripts right from the login node to configure all of the other nodes to make up the cluster. This setup includes:
- Configuring the Login node with any required or essential dependencies (such as #Helm, #Docker, #k9s, #kubens, #kubectx, etc.)
- Setup passwordless #SSH access from the Login node to the rest of the Kubernetes nodes
- Update thehostsfile for strictly necessary name resolution on the Login node and between the Kubernetes nodes
- Necessary, best practice configurations for all of the Kubernetes nodes including networking configuration, disabling unnecessary services, disabling swap, loading required modules, etc.
- Installation and configuration of RKE2 on all the Kubernetes nodes and joining them together as a cluster
- Installation and configuration of #Longhorn storage, including formatting/configuring their virtual disks on the Worker nodes
- Deployment and configuration of #MetalLB as the cluster's load-balancer
- Deployment and configuration of #Ingress #NGINX as the ingress controller and reverse proxy for the cluster - this helps manage external access to the services in the cluster
- Setup and configuration of #cert-manager to obtain and renew #LetsEncrypt certs automatically - supports both #DNS and HTTP validation with #Cloudflare
- Installation and configuration of #csi-driver-smb which adds support for integrating your external SMB storage to the Kubernetes cluster
Besides these, there are also some other helper scripts to make certain related tasks easy such as a script to set a unique static IP address and hostname, and another to toggle #SELinux enforcement to on or off - should you need to turn it off (temporarily).
If you already have an existing RKE2 cluster, there's a step-by-step guide on how you could use it to easily configure and join additional nodes to your cluster if you're planning on expanding.
Orked currently expects and supports #RockyLinux 8+ (should also support any other #RHEL distros such as #AlmaLinux), but I am planning to improve the project over time by adding more #Linux distros, #IPv6 support, and possibly even #K3s for a more lightweight #RaspberryPi cluster for example.
I've used this exact setup to deploy and manage vital services to hundreds of unique clients/organisations that I've become obsessed with sharing it to everyone and making it easier to get started. If this is something that interests you, feel free to check it out!
If you're wondering what to deploy on a Kubernetes cluster - feel free to also check out my #mika helm chart repo 🥳
🔗 https://github.com/irfanhakim-as/orked
🔗 https://github.com/irfanhakim-as/charts
