Cert Manager Kubernetes Tutorial (Let's Encrypt & Nginx Ingress & ACME | 5 Examples | YAML & HELM)

  • Published 25 Aug 2024

Comments • 81

  • @AntonPutra
    @AntonPutra  11 months ago

    🔴 - To support my channel, I’d like to offer Mentorship/On-the-Job Support/Consulting - me@antonputra.com

  • @roberto_camp
    @roberto_camp 2 years ago +6

    Outstanding content, great pace and just the right level of detail. You always do a killer job.

    • @AntonPutra
      @AntonPutra  2 years ago +1

      Thanks Robert!

    • @dntwantgglplus
      @dntwantgglplus 1 year ago

      @@AntonPutra Excellent video. Thank you Anton!

  • @janiel471
    @janiel471 4 months ago +1

    Valuable for every minute with the right pace. Thank you so much❤❤❤

    • @AntonPutra
      @AntonPutra  4 months ago

      thanks!

  • @PanchananaPanigrahi-tq9hv
    @PanchananaPanigrahi-tq9hv 2 months ago +2

    This video really demonstrates how intelligent you are.

    • @AntonPutra
      @AntonPutra  2 months ago +1

      thanks ❤️

  • @AntonPutra
    @AntonPutra  1 year ago +1

    👉 How to Manage Secrets in Terraform - th-cam.com/video/3N0tGKwvBdA/w-d-xo.html
    👉 Terraform Tips & Tricks - th-cam.com/video/7S94oUTy2z4/w-d-xo.html
    👉 ArgoCD Tutorial - th-cam.com/video/zGndgdGa1Tc/w-d-xo.html

  • @nikhilpatel4278
    @nikhilpatel4278 1 year ago +1

    This content is Brilliant Sir, thank you very much!

  • @techmiker
    @techmiker 1 year ago +2

    Brilliant video as ever! I'm coming to this late, so I had to upgrade the version of Kubernetes, and for some reason there was no "-o" flag on my base64 command, so I used redirection (">") instead.

    • @AntonPutra
      @AntonPutra  1 year ago +1

      Thanks! Will update soon

  • @mikaelg8286
    @mikaelg8286 2 years ago +2

    You saved me! Been crying to solve the Pending Challenge issue

    • @AntonPutra
      @AntonPutra  2 years ago

      you're welcome🙂

    • @wotizit
      @wotizit 2 years ago +1

      Omg, I have that same issue; gonna watch and try to figure it out.

    • @patricklukeastrero4015
      @patricklukeastrero4015 2 years ago

      same same. been crying as well

  • @sumanta8504
    @sumanta8504 2 years ago +9

    Great content. One suggestion: please remove the background music or make it low; it is actually annoying me. Thanks

    • @AntonPutra
      @AntonPutra  2 years ago +4

      Thanks, I already removed it from all new videos.

  • @El18Cucuy
    @El18Cucuy 3 years ago +3

    Thank you

    • @AntonPutra
      @AntonPutra  3 years ago

      You're welcome :)

  • @LalitYadav-eo4hv
    @LalitYadav-eo4hv 3 years ago +2

    Thanks

    • @AntonPutra
      @AntonPutra  3 years ago

      Thank you Lalit!

  • @sangeetagujrani8810
    @sangeetagujrani8810 2 years ago +1

    Super

  • @user-iz7lf9wm3i
    @user-iz7lf9wm3i 3 years ago +1

    good job

    • @AntonPutra
      @AntonPutra  3 years ago

      Thanks Кирилл :)

  • @Alpha-kt6hc
    @Alpha-kt6hc 2 years ago +1

    The voice is so sharp for my ears.
    Make it a bit dull.
    Remove the music you don't need it.

    • @AntonPutra
      @AntonPutra  2 years ago +1

      Thanks for feedback, no more music lol

    • @nellyhernandez7087
      @nellyhernandez7087 2 years ago

      @@AntonPutra :( I don't know why, they are being assholes!

  • @LalitYadav-eo4hv
    @LalitYadav-eo4hv 3 years ago +1

    Awesome video, very informative; going to try it today. Is there any way we can automate the IAM part? I will try that, but the video is worth watching. Thank you Anton

    • @AntonPutra
      @AntonPutra  3 years ago

      Usually, IAM is part of the Terraform code; what do you mean by automate?

    • @LalitYadav-eo4hv
      @LalitYadav-eo4hv 3 years ago

      @@AntonPutra Yeah, thanks for the suggestion. I have a Jenkins job set up to launch EKS using Terraform as per your video; later I set up a monitoring job for Prometheus and Grafana. Now, in the last 2 videos, I am a bit stuck on the manual part where we create the policy and the OpenID configuration; that is the part I am trying to automate, let's see if I can make it. Also one more question: do I need to edit the namespace manually while setting up ingress, like you did in the previous video? Anyway, I really liked your videos; informative, and they clear up all the concepts.

    • @LalitYadav-eo4hv
      @LalitYadav-eo4hv 3 years ago

      I was wondering if you are going to do another video where we store the Prometheus metrics data in some DB like Dynamo to capture historical metrics.

    • @AntonPutra
      @AntonPutra  3 years ago +1

      @@LalitYadav-eo4hv Thanks, I have a plan for a video that combines creating EKS from scratch, including the OpenID Connect provider, in Terraform to automate/simplify. By default Prometheus only selects ServiceMonitor objects in its own namespace. You don't need to add a label to the namespace manually; you can simply specify in the Helm or YAML to deploy the "ServiceMonitor" object that monitors Nginx ingress in the "monitoring" ns where you have Prometheus.

    • @AntonPutra
      @AntonPutra  3 years ago +1

      @@LalitYadav-eo4hv The best and cheapest way to store metrics for the long term is S3-compatible storage. I have a plan to create a video on using Thanos, since we've been using it in prod for over a year now. The other option is Cortex. It's gonna be way cheaper than any database.

  • @dangaiden
    @dangaiden 2 years ago

    Great tutorial. The only problem I have (my cluster is on GCP, so GKE, and the domain is in Route53) is that when I create the ingress for my app in its namespace (for example go-app in the app namespace) the ingress doesn't have an ADDRESS; it appears empty, so I don't know if this is expected or not, but it's bugging me ^^'
    EDIT: I found the problem. At least in GKE, you should comment out:
    spec:
      # ingressClassName: external-nginx
    and use the annotation kubernetes.io/ingress.class: "external-nginx" in the metadata.
    This way, my ingress got the external IP from the ingress controller :)

    • @AntonPutra
      @AntonPutra  2 years ago +1

      I had a similar issue with GCP as well; I had to add an additional argument in the controller deployment:
      --publish-service=$(POD_NAMESPACE)/external-ingress-nginx-controller
      external-ingress-nginx-controller -> name of the container and deployment
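
An added example (not from the video or either commenter) of the three ingress-nginx pieces that have to agree before an Ingress gets an ADDRESS: the IngressClass, the controller's flags, and the Ingress itself. The class name external-nginx follows the thread; the namespace "ingress", the Service name external-ingress-nginx-controller, the app namespace "app" and the host app.example.com are assumptions.

```yaml
# Added example: objects that must line up for ingress-nginx to populate ADDRESS.
# Assumed names: namespace "ingress", Service "external-ingress-nginx-controller".
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: external-nginx
spec:
  # Must equal the controller's --controller-class; otherwise the controller
  # ignores every Ingress that names this class and never writes its status.
  controller: k8s.io/ingress-nginx
---
# Fragment: the relevant container args of the controller Deployment, not a
# complete Deployment. --publish-service names the LoadBalancer Service whose
# external IP/hostname is copied into each managed Ingress's status (the
# ADDRESS column); without it the column stays empty.
args:
  - /nginx-ingress-controller
  - --controller-class=k8s.io/ingress-nginx
  - --ingress-class=external-nginx
  - --publish-service=$(POD_NAMESPACE)/external-ingress-nginx-controller
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: go-app
  namespace: app
spec:
  # Preferred over the deprecated kubernetes.io/ingress.class annotation;
  # the value must match metadata.name of the IngressClass above.
  ingressClassName: external-nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: go-app
                port:
                  number: 8080
```

If ADDRESS is empty, compare `kubectl get ingressclass -o yaml` against the controller pod's args: a mismatch in either the class name or the controller string means the Ingress is simply not being reconciled, which is a different failure from a missing --publish-service.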

  • @s_dee_13
    @s_dee_13 2 years ago

    How would you go about doing full end-to-end encryption instead of terminating at the ingress?

    • @AntonPutra
      @AntonPutra  2 years ago

      Just create a Service of type LoadBalancer, then implement the logic to terminate TLS in your application (use an NLB, network load balancer).
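
An added example (not Anton's or the video's manifests) of the pattern in the reply above: cert-manager issues the certificate into a Secret, the pod mounts it and terminates TLS itself, and the Service is a plain L4 load balancer. Assumptions: namespace "app", a ClusterIssuer named letsencrypt-production, the host api.example.com, an image that serves HTTPS on 8443 and takes cert/key paths as flags, and the AWS Load Balancer Controller for the NLB annotations.

```yaml
# Added example: end-to-end TLS with the application terminating TLS.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-tls
  namespace: app
spec:
  secretName: api-tls            # cert-manager writes tls.crt, tls.key (and ca.crt) here
  dnsNames:
    - api.example.com
  issuerRef:
    name: letsencrypt-production  # assumed ClusterIssuer; see the caveat below on solvers
    kind: ClusterIssuer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: app
spec:
  replicas: 2
  selector:
    matchLabels: { app: api }
  template:
    metadata:
      labels: { app: api }
    spec:
      containers:
        - name: api
          image: registry.example.com/api:1.0.0              # assumed image
          args: ["--tls-cert=/tls/tls.crt", "--tls-key=/tls/tls.key"]  # assumed flags
          ports:
            - containerPort: 8443
          volumeMounts:
            - name: tls
              mountPath: /tls     # mount the whole Secret, not a subPath, so renewals propagate
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: api-tls
---
apiVersion: v1
kind: Service
metadata:
  name: api
  namespace: app
  annotations:
    # AWS Load Balancer Controller: provision an internet-facing NLB with pod IP targets.
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
spec:
  type: LoadBalancer
  selector:
    app: api
  ports:
    - name: https
      port: 443
      targetPort: 8443
      protocol: TCP   # no TLS listener on the NLB; bytes pass through to the pod
```

Two caveats. The HTTP-01 solver needs api.example.com to be reachable on port 80 through an ingress controller that cert-manager can create a solver Ingress on; if the name points straight at the NLB, the ClusterIssuer used here must have a DNS-01 solver instead. And kubelet refreshes the files in a mounted Secret volume after renewal, but a process that loaded the key at startup keeps serving the old certificate until it re-reads the files or restarts.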

  • @arunreddy3844
    @arunreddy3844 3 months ago

    Hi Anton, thank you! I had a quick question which is out of context. I have been trying to set up an on-prem k8s cluster using kubeadm on Ubuntu servers (through Oracle VirtualBox). I'm getting an issue while deploying the network plugin (Calico in my case): the pod is not spinning up; below are the events I found. Same issue across another OS flavor (CentOS) too. Could you please help me with the resolution? FYI, I chose the MAC address policy "Generate new MAC addresses for all network adapters" while creating the VM through Oracle VirtualBox. Am I missing something here?
    Type     Reason       Age               From               Message
    ----     ------       ----              ----               -------
    Normal   Scheduled    36s               default-scheduler  Successfully assigned kube-system/calico-node-b8r5j to osboxes
    Warning  FailedMount  4s (x7 over 35s)  kubelet            MountVolume.SetUp failed for volume "bpffs" : hostPath type check failed: /sys/fs/bpf is not a directory

    • @AntonPutra
      @AntonPutra  3 months ago +1

      I have a script; take a look at how to provision an on-prem cluster:

      ## Control Plane
      ### Preparing the hosts
      # Run one block per machine to give it its hostname, then reboot.
      sudo apt update && sudo apt -y upgrade
      sudo sed -i 's/ubuntu/control-plane-00/' /etc/hostname
      sudo sed -i 's/ubuntu/control-plane-00/' /etc/hosts
      sudo reboot

      sudo apt update && sudo apt -y upgrade
      sudo sed -i 's/ubuntu/node-00/' /etc/hostname
      sudo sed -i 's/ubuntu/node-00/' /etc/hosts
      sudo reboot

      sudo apt update && sudo apt -y upgrade
      sudo sed -i 's/ubuntu/node-01/' /etc/hostname
      sudo sed -i 's/ubuntu/node-01/' /etc/hosts
      sudo reboot

      sudo apt update && sudo apt -y upgrade
      sudo sed -i 's/ubuntu/node-02/' /etc/hostname
      sudo sed -i 's/ubuntu/node-02/' /etc/hosts
      sudo reboot

      sudo apt update && sudo apt -y upgrade
      sudo sed -i 's/ubuntu/node-03/' /etc/hostname
      sudo sed -i 's/ubuntu/node-03/' /etc/hosts
      sudo reboot

      sudo apt update && sudo apt -y upgrade
      sudo sed -i 's/ubuntu/node-04/' /etc/hostname
      sudo sed -i 's/ubuntu/node-04/' /etc/hosts
      sudo reboot

      sudo apt update && sudo apt -y upgrade
      sudo sed -i 's/ubuntu/node-05/' /etc/hostname
      sudo sed -i 's/ubuntu/node-05/' /etc/hosts
      sudo reboot

      ### Disable swap (kubelet refuses to start with swap enabled)
      sudo swapoff -a
      sudo sed -i 's/\/swap.img/#\/swap.img/' /etc/fstab
      free -h

      ### Installing a container runtime (containerd)
      curl -L github.com/containerd/containerd/releases/download/v1.7.3/containerd-1.7.3-linux-amd64.tar.gz -o containerd-1.7.3-linux-amd64.tar.gz
      sudo tar Cxzvf /usr/local containerd-1.7.3-linux-amd64.tar.gz
      sudo curl -L raw.githubusercontent.com/containerd/containerd/main/containerd.service -o /lib/systemd/system/containerd.service
      sudo systemctl daemon-reload
      sudo systemctl enable --now containerd

      #### Installing runc
      curl -L github.com/opencontainers/runc/releases/download/v1.1.8/runc.amd64 -o runc.amd64
      sudo install -m 755 runc.amd64 /usr/local/sbin/runc

      #### Installing CNI plugins
      curl -L github.com/containernetworking/plugins/releases/download/v1.3.0/cni-plugins-linux-amd64-v1.3.0.tgz -o cni-plugins-linux-amd64-v1.3.0.tgz
      sudo mkdir -p /opt/cni/bin
      sudo tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.3.0.tgz

      # Generate the default containerd config and switch it to the systemd cgroup driver,
      # which must match the kubelet's cgroup driver.
      sudo mkdir -p /etc/containerd/
      sudo sh -c 'containerd config default > /etc/containerd/config.toml'
      sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
      sudo systemctl restart containerd
      stat -fc %T /sys/fs/cgroup/   # prints cgroup2fs on a cgroup v2 host

      ### Install and configure prerequisites
      cat

    • @arunreddy3844
      @arunreddy3844 3 months ago

      @@AntonPutra Thank you Sir, will try and let you know.

  • @sharhanalhassan499
    @sharhanalhassan499 2 years ago

    Awesome!!
    A quick one.
    I created a certificate for my sub-domain, which works well. Now I want to create another certificate for another deployment in another sub-domain. Do I still use the same ClusterIssuer and modify the initial certificate to have a different metadata/name, secretName, and dnsNames and deploy it? (That's what I tried and it didn't work.) Or do I need to create a whole new ClusterIssuer and a different Certificate yml file for the new deployment?
    Thanks for your quick replies to messages.

    • @AntonPutra
      @AntonPutra  2 years ago

      You keep the ClusterIssuer and create additional YAML files for certificates if you use your own CA. If you use Let's Encrypt, you don't need to create certificate YAML files; it's handled on the ingress itself.
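
An added example (not from the video or the commenters) of both routes in the reply above, each reusing one ClusterIssuer: an Ingress that lets cert-manager's ingress-shim create the Certificate from an annotation, and an explicit Certificate for a second sub-domain. Assumptions: a ClusterIssuer named letsencrypt-production already exists, the ingress class is external-nginx, and the namespaces, hosts and backend Service are placeholders.

```yaml
# Added example: one ClusterIssuer, two sub-domains.
# Route 1: ingress-shim. The annotation makes cert-manager create a Certificate
# whose secretName is taken from spec.tls[].secretName below.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: go-app
  namespace: app
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production   # assumed ClusterIssuer name
spec:
  ingressClassName: external-nginx
  tls:
    - hosts: [app.example.com]
      secretName: app-example-com-tls    # cert-manager fills this Secret in namespace "app"
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: go-app
                port:
                  number: 8080
---
# Route 2: explicit Certificate for a second sub-domain, same ClusterIssuer.
# Every Certificate needs its own metadata.name and secretName, and its Secret
# is created in the Certificate's namespace, so it must live where the workload
# (or Ingress) that consumes it lives.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-example-com
  namespace: api
spec:
  secretName: api-example-com-tls
  dnsNames:
    - api.example.com
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
    group: cert-manager.io
```

A ClusterIssuer is cluster-scoped, so the same one serves any namespace; what fails is two Certificates sharing a secretName in one namespace, or a Certificate created in a namespace other than the one the Ingress references. `kubectl get certificate -A` shows READY per certificate, and `kubectl describe certificaterequest -n api` explains a stuck one.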

  • @sureshkachwa5345
    @sureshkachwa5345 2 years ago

    How about a wildcard certificate for k8s ingress with the domain being in GoDaddy? Is it possible to get a wildcard cert? As far as I know GoDaddy doesn't support the DNS01 challenge, and this is a must for a wildcard cert; any suggestions?

    • @AntonPutra
      @AntonPutra  2 years ago +1

      You can set up your own DNS server to resolve challenges from Let's Encrypt; take a look at this video - th-cam.com/video/VJPfdXN-dSc/w-d-xo.html

    • @sureshkachwa5345
      @sureshkachwa5345 2 years ago

      @@AntonPutra Thanks for the info, but how do we accomplish the wildcard SSL thing for a Kubernetes cluster? Moreover, the domain DNS is managed in GoDaddy.

  • @isandozi
    @isandozi 2 years ago

    Thank you for sharing this. Do you have any guidance on how to renew an expired certificate?

    • @AntonPutra
      @AntonPutra  2 years ago

      If you use cert-manager to obtain the certificate, it will automatically renew it. What's your use case?

    • @isandozi
      @isandozi 2 years ago

      @@AntonPutra I have created a new certificate and secret; the certificate is in "Ready" state. However, when I navigate to the site, I am getting a "Fake Certificate" message. Any advice would be appreciated. I have looked at the Ingress controllers, and all of that is accurate.

    • @AntonPutra
      @AntonPutra  2 years ago

      @@isandozi It's because you used the staging environment of Let's Encrypt. You just need to update the URL to use the "production" env.

    • @isandozi
      @isandozi 2 years ago

      @@AntonPutra Is this in the ClusterIssuer?

    • @isandozi
      @isandozi 2 years ago

      I'm unable to see the production URL environment on Let's Encrypt. Do you still have it?
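
An added example (not from the video or the thread) of the staging/production split discussed above: the ACME server URL lives in the ClusterIssuer's spec.acme.server, and the two Let's Encrypt endpoints are the public ones. The issuer names, contact e-mail and the external-nginx solver class are assumptions.

```yaml
# Added example: staging and production ClusterIssuers side by side.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging: high rate limits for testing, but the chain is not publicly
    # trusted, which is what browsers report as a fake/untrusted certificate.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com                       # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-staging-account-key      # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            ingressClassName: external-nginx     # cert-manager >= 1.12; older releases use "class:"
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    # Production: publicly trusted, but rate-limited (among others, 5 duplicate
    # certificates per week for the same set of names), so debug against staging first.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-production-account-key   # separate account key per ACME server
    solvers:
      - http01:
          ingress:
            ingressClassName: external-nginx
```

To move a site from staging to production, point the Certificate's issuerRef (or the Ingress's cert-manager.io/cluster-issuer annotation) at letsencrypt-production; cert-manager re-issues on that spec change. If the Secret still holds the staging certificate afterwards, deleting the TLS Secret forces a fresh issuance, and `kubectl describe certificate` shows which issuer signed the current one.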

  • @timeforchangethings
    @timeforchangethings 2 years ago

    Which terminal are you using?

    • @AntonPutra
      @AntonPutra  2 years ago

      iTerm2 + zsh

    • @timeforchangethings
      @timeforchangethings 2 years ago +1

      @@AntonPutra I just installed & played with them now 😂, anyway thanks 👍

    • @AntonPutra
      @AntonPutra  2 years ago

      @@timeforchangethings you're welcome :)

  • @mariomp4973
    @mariomp4973 2 years ago

    For Terraform? :(

    • @AntonPutra
      @AntonPutra  2 years ago +1

      We usually use Terraform only to provision K8s, not to manage services within the cluster.

    • @mariomp4973
      @mariomp4973 2 years ago

      @@AntonPutra
      Thanks for answering. It would be great if you could spend some time combining Terraform with Ansible :) ... greetings from Peru, thank you!!

  • @ayex86
    @ayex86 6 days ago

    The background music is really annoying

    • @AntonPutra
      @AntonPutra  6 days ago

      Noted! I no longer use it.

  • @ambig1
    @ambig1 1 year ago +1

    Please remove the annoying music; the rate of speech is too fast for non-native English speakers.

    • @AntonPutra
      @AntonPutra  1 year ago +2

      Sure, I don't use music anymore in my latest videos, and the speed is slower.

  • @MadlipzMarathi
    @MadlipzMarathi 2 years ago

    Man, I hate DevOps.

    • @AntonPutra
      @AntonPutra  2 years ago

      Pick dev or ops then :)

    • @MadlipzMarathi
      @MadlipzMarathi 2 years ago

      @@AntonPutra Man, I need to get a wildcard cert with cert-manager, hosting on an AWS cluster; any resources you can point to?
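
An added example (not from the video or any commenter) that covers both wildcard questions in this thread: Let's Encrypt only issues wildcards through the DNS-01 challenge, so the ClusterIssuer needs a DNS-01 solver. The Route53 solver serves the AWS case directly; for a zone hosted at a registrar without a usable API, such as GoDaddy, the cnameStrategy: Follow setting lets a CNAME on the _acme-challenge label delegate just the challenge record into a Route53 zone the cluster can write to. The hosted zone ID, e-mail, role ARN and domain names are placeholders, and cert-manager is assumed to reach AWS via IRSA.

```yaml
# Added example: DNS-01 wildcard issuance via Route53, with CNAME delegation
# for domains whose DNS lives elsewhere.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                        # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key
    solvers:
      - dns01:
          # Follow: when _acme-challenge.example.com is a CNAME, cert-manager
          # writes the TXT record at the CNAME target instead of at the source.
          # So in GoDaddy you only create:
          #   _acme-challenge.example.com  CNAME  _acme-challenge.acme.example.net
          # and Route53 hosts acme.example.net, which is the zone written below.
          cnameStrategy: Follow
          route53:
            region: us-east-1
            hostedZoneID: Z0123456789ABCDEFGHIJ  # placeholder: Route53 zone that receives the TXT record
            # Optional cross-account role; omit when the cert-manager service
            # account's own IRSA role already has the Route53 permissions.
            # role: arn:aws:iam::111122223333:role/cert-manager-dns01
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: app
spec:
  secretName: wildcard-example-com-tls
  dnsNames:
    - "*.example.com"
    - example.com        # a wildcard does not cover the apex; list it explicitly
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
```

Scope the IAM policy to what the solver needs: route53:GetChange on change/*, route53:ChangeResourceRecordSets and route53:ListResourceRecordSets on the one hosted zone, and route53:ListHostedZonesByName. cert-manager confirms the TXT record against the zone's authoritative nameservers before telling the ACME server to validate, so the cluster needs outbound DNS (UDP and TCP 53) to those nameservers; a blocked egress path shows up as a propagation check that never passes, not as an AWS permission error.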

  • @SanjayKumar-di5db
    @SanjayKumar-di5db 1 year ago

    I'm getting "propagation check failed" "error"="dial tcp 205.251.194.16:53: i/o timeout"; how do I fix this?