#certmanager — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #certmanager, aggregated by home.social.
-
Sick leave gave me a lot of time to work on my homelab. Today I added the Terraform module and got the Ansible playbook running too: `tofu apply` on one side, then `ansible-playbook` for the configuration. I also consolidated the tasks into roles. And I read a bit of Production Kubernetes today and got a lot out of it, an excellent book!
In the second half of my sick leave I was feeling a bit better and no longer lying around weak all day, so I started thinking non-stop. I feel like I analysed and refactored my entire life, from financial planning to retirement plans, from career development to knowledge management…
Tomorrow I plan to combine these two steps: provision a VM, install k3s, install Rancher, then let Rancher create/register another downstream cluster, and while I'm at it sort out cert-manager DNS-01 to get certificates.
-
cert-manager is able to follow CNAMEs, essentially making the handling of the ACME challenges via DNS more flexible.
https://cert-manager.io/docs/configuration/acme/dns01/#delegated-domains-for-dns01
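The following Go program is an added example, not code from the post above or from the cert-manager project. It models what the `dns01.cnameStrategy: Follow` solver setting does: the `_acme-challenge.<domain>` owner name is chased through CNAMEs and the TXT record is placed at the end of the chain. The zone data, the delegated zone `acme.example.net` and the `writableZones` list are constructed assumptions. The security point it makes explicit is that with delegation the DNS API token held by the cluster only needs write access to the throwaway zone, never to the production zone, and that a CNAME loop or an over-long chain must be rejected rather than followed forever.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed CNAME data standing in for live DNS (assumption: names are illustrative).
// _acme-challenge.www.example.com is delegated to a throwaway zone, acme.example.net,
// which is the only zone the cluster's DNS API token may write to.
var cnames = map[string]string{
	"_acme-challenge.www.example.com.":   "_acme-challenge.www.example.com.acme.example.net.",
	"_acme-challenge.loop.example.com.":  "_acme-challenge.loop2.example.com.",
	"_acme-challenge.loop2.example.com.": "_acme-challenge.loop.example.com.",
}

// Zones the solver credential is allowed to modify (least privilege: not example.com itself).
var writableZones = []string{"acme.example.net."}

const maxHops = 8 // upper bound on CNAME chain length before giving up

// fqdn normalises a name to lower case with a trailing dot.
func fqdn(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, ".")) + "."
}

// challengeName returns the owner name at which the dns-01 TXT record must be
// created for domain. With follow=false it is _acme-challenge.<domain> (cnameStrategy: None);
// with follow=true CNAMEs are chased, as cnameStrategy: Follow does, with loop detection.
func challengeName(domain string, follow bool) (string, error) {
	name := fqdn("_acme-challenge." + domain)
	if !follow {
		return name, nil
	}
	seen := map[string]bool{name: true}
	for i := 0; i < maxHops; i++ {
		target, ok := cnames[name]
		if !ok {
			return name, nil // no further CNAME: this is where the TXT record goes
		}
		target = fqdn(target)
		if seen[target] {
			return "", fmt.Errorf("CNAME loop at %s", target)
		}
		seen[target] = true
		name = target
	}
	return "", errors.New("CNAME chain too long")
}

// inWritableZone reports whether name lies inside a zone the solver token may write.
func inWritableZone(name string) bool {
	name = fqdn(name)
	for _, z := range writableZones {
		if name == z || strings.HasSuffix(name, "."+z) {
			return true
		}
	}
	return false
}

func main() {
	for _, follow := range []bool{false, true} {
		n, err := challengeName("www.example.com", follow)
		fmt.Printf("follow=%v name=%s err=%v writable=%v\n", follow, n, err, err == nil && inWritableZone(n))
	}
	_, err := challengeName("loop.example.com", true)
	fmt.Println("loop case:", err)
}
```

Without following (the default), the TXT record would land in example.com, so the credential cert-manager holds would have to be able to write the production zone; with following, a token scoped to the delegated zone is enough, which is the reason to set it up this way.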
-
Numerous technical and security improvements on the infrastructure that supports https://mstdn.dk
- DNS simplified extensively by migrating public-facing secondary nameservers to #NSD using #CatalogZones from PowerDNS + DNSDist.
- #DNSSEC re-enabled
- #ExternalDNS and #CertManager configuration vastly simplified.
- #Ingress controller migrated from #Nginx to #Traefik
Bottom line: https://sikkerpånettet.dk/ now gives the site a 100% #security score. There are still improvements to be made (weirdly enough) - specifically I'm looking into supporting DANE for #TLS certificate signatures in #DNS.
Now that's off the TODO list :-)
-
Need to change my DNS nameservers from Porkbun's to a provider that's supported by cert-manager...
Any recommendations?
(Or I guess I could use this, but since Porkbun's UI for managing DNS records isn't very comfortable, it would probably be nice to switch.)
-
As Hetzner is deprecating DNS configuration via the DNS console, I migrated my domains to the new Cloud API. The last piece of the puzzle was to create new tokens and move from the old cert-manager-webhook-hetzner (by vadimkim) to the official chart maintained by Hetzner.
Migrated my 7 Kubernetes clusters (k3s, rke2, OpenShift) without major hiccups; I only had to do some cleanup because old ACME challenge entries were left over after the migration (as cert-manager could not remove them without the new webhook and API token).
The only things left are the machines without k3s that use lego.
#homelab #hetzner #certmanager #dns #hellyeah #kubernetes #k3s #rke2
-
How to make releases boring: a production baseline on Kubernetes and GitLab CI/CD
A monolith with no tests. Deploys only at night. Five minutes of guaranteed downtime on every release. Logs in a file. We learn about problems from the customer. A small/medium microfinance (MFO) business with no dedicated DevOps engineer. A "specially trained team lead" who knows which crutches are propping the system up. I describe how this turned into a production baseline: Kubernetes, GitLab CI/CD and observability, after which releases became boring.
https://habr.com/ru/articles/1004956/
#cicd #yandexcloud #kubernetes #gitlab #prometheus #devops #certmanager #helm #logging #deployment
-
Effortlessly manage SSL certs with Let's Encrypt & Cert Manager in Kubernetes! 🌐🔒 https://www.funkysi1701.com/posts/2025/kubernetes-and-letsencrypt/ #Kubernetes #LetsEncrypt #SSL #CertManager #Helm #Cloudflare #DevOps #Security #Automation
-
@Larvitz How is Step CA? Are you coming from another CA solution?
Been thinking about running #stepca in my #kubernetes cluster, but have been apprehensive because of how many features seem to be gated behind smallstep's proprietary version. Would love to have this integrated with #certmanager and using the #tpm on my nodes. Was going to do a rearchitecting of my entire #auth and #cryptography stack when I switch from the deprecated #Ingress API to the #GatewayAPI
-
Updated #Orked, my collection of scripts to help set up a production-ready #RKE2 #Kubernetes cluster in your #homelab. This update brings general improvements to the scripts, improved documentation, #HAProxy load balancer support for load balancing multiple Master nodes, and upgraded all components including RKE2, #Longhorn, #Nginx Ingress, #Cert-manager, #MetalLB, #Rancher, etc. to their latest versions.
I still hope someday to support more Kubernetes distributions like #k3s, but haven't gotten around to it. I've also been planning to support more #Linux distros as the base too, instead of only #RockyLinux/#RHEL, but that'll have to wait as well for now. Regardless, I am quite happy with how mature and stable these scripts have turned out to be. If you'd like to set up a cluster of your own, maybe check it out!
🔗 https://github.com/irfanhakim-as/orked
🔗 https://github.com/irfanhakim-as/orked/pull/41
-
Guide to setting up a Certificate Authority (CA) based on HashiCorp Vault and OpenSSL in Kubernetes
This guide is a complete walkthrough of deploying a fault-tolerant HashiCorp Vault cluster in Kubernetes and setting up a two-tier Public Key Infrastructure (PKI). The root certificate and the intermediate CA are created with OpenSSL, but the intermediate is imported into and configured in Vault for day-to-day certificate issuance. The infrastructure is integrated with cert-manager for automatic TLS certificate lifecycle management.
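The Go program below is an added example, not code from the guide above, from HashiCorp Vault or from cert-manager. It builds the same two-tier layout entirely in memory with the standard library: a long-lived root that in practice stays offline, and an issuing intermediate (the tier the guide hands to Vault) constrained with pathlen 0 so it can mint end-entity certificates but not further CAs. It then shows the check a practitioner wants before trusting such a hierarchy: a leaf issued by the intermediate verifies against the root for its SAN and for nothing else, and a leaf issued by a rogue sub-CA that the intermediate signed is rejected because of the path length constraint. All names (`Example Root CA`, `app.example.com`, and so on) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // monotonically increasing serial number for this constructed hierarchy

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate signed by parent/parentKey (self-signed when parent is nil).
// isCA=true yields a CA certificate; pathLenZero additionally caps it to issuing
// end-entity certificates only, which is how the issuing tier should be constrained.
func issue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn string, dns []string,
	isCA, pathLenZero bool, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	serial++
	key := newKey()
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(ttl),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		if pathLenZero {
			tmpl.MaxPathLen, tmpl.MaxPathLenZero = 0, true // encodes pathlen:0
		}
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed root
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// hierarchy is the two-tier PKI: offline root plus the issuing intermediate.
type hierarchy struct {
	root, inter       *x509.Certificate
	rootKey, interKey *ecdsa.PrivateKey
}

// build creates the root and the pathlen-0 issuing intermediate signed by it.
func build() hierarchy {
	root, rootKey := issue(nil, nil, "Example Root CA", nil, true, false, 10*365*24*time.Hour)
	inter, interKey := issue(root, rootKey, "Example Issuing CA", nil, true, true, 5*365*24*time.Hour)
	return hierarchy{root: root, inter: inter, rootKey: rootKey, interKey: interKey}
}

// verify validates leaf for dnsName against the root only, offering the intermediate
// plus any extra certificates as untrusted intermediates, as a TLS client would.
func (h hierarchy) verify(leaf *x509.Certificate, dnsName string, extra ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.root)
	inters.AddCert(h.inter)
	for _, c := range extra {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return err
}

func main() {
	h := build()
	leaf, _ := issue(h.inter, h.interKey, "app", []string{"app.example.com"}, false, false, 90*24*time.Hour)
	fmt.Println("leaf via intermediate:", h.verify(leaf, "app.example.com"))
	fmt.Println("wrong hostname:", h.verify(leaf, "other.example.com"))
	// A sub-CA minted from the issuing tier must not be able to extend the chain.
	rogue, rogueKey := issue(h.inter, h.interKey, "Rogue Sub CA", nil, true, false, 24*time.Hour)
	bad, _ := issue(rogue, rogueKey, "evil", []string{"app.example.com"}, false, false, 24*time.Hour)
	fmt.Println("leaf via rogue sub-CA:", h.verify(bad, "app.example.com", rogue))
}
```

The pathlen:0 constraint on the intermediate is the piece worth carrying over when the intermediate is generated with OpenSSL and imported into Vault: it bounds the damage if the online issuing key is ever misused, because nothing it signs can itself act as a CA.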
-
Hmm, my services are running fine as far as I can tell, but my #Rancher/#RKE2 #Kubernetes cluster is acting up - possibly #etcd related?
The biggest tell is that the control plane/API server isn't the most responsive, and some essential pods are failing/restarting, including #cert-manager, cloud-controller-manager, csi-smb-controller, kube-apiserver, kube-scheduler, rke2-snapshot-controller, csi-provisioner/-resizer/-snapshotter, yadda yadda.
Not sure what could be causing it just yet.
-
Oh wow! I had some weird stuff in the GatewayAPI config for HTTP to HTTPS redirect which was blocking ACME.
Now I have CertManager correctly issuing certificates from my private StepCA, using the http01 solver behind GatewayAPI! Blog coming (eventually). 🎉
#HomeLab #GatewayAPI #Kubernetes #CertManager #StepCA #TalosLinux