Just to clarify, every EVERY videos from Mr.Dempers are clear and intuitive even for both newbie and intermediate k8s users. I like the way you edit the video, your speech are continuous and delay exactly on time. Your voice are clear, the illustration from images are straightforward. Step by step guiding are totally insane for such low-level users. It worth every second watching your channel even on holiday. Thanks to your project. I jumped to K8s Intermediate level really fast.
Well thank you ALOT for this! you dont even know how many hours i was on this subject, now i can have this configuration and make it work in my cluster, many guides just forgets to mention the nginx ingress, thanks for the clear instructions!
And all of a sudden the mist of magic around kubernetes/ingress/docker begins to disappear. Thank you Marcel, please keep going! It's absolutely helpful watching your videos.
Thanks! The only issue I ran into is the permission for binding port 80 & 443 on ec2 instance where kind cluster running. I had to assign setcap for kubectl. It works!
Hey Marcel, the best video explaining this subject. I've done everything working perfectly then stopped work because got expired. Now I'm trying to find out how to renew.
Thank you so much for this tutorial. You have explained all the concepts so well. I already had everything setup and just required the tls to be setup. It is done now.
MetalLB works well for LoadBalacner services on on-site clusters (not sure about in KinD though...) The other method if ingresses are involved is to use the "cert-manager.io/cluster-issuer" or "cert-manager.io/issuer" annotations. With that, cert-manager will create the Certificate object as well.
This is what I was looking for complete SSL in k8s and there are dozens of places which give some information but not complete and very well explained. You did a great job. This is awesome. It really helped me. As always Thanks and wish you a very happy new year 🥳
Marcel you are the top one! Your content is always really clear, enjoyable and to the point. At time I get lost with som cli command you use but hey, that makes me a better dev. So once again thank you very much for the effort you put in it. I'm now finally getting into cert management for my cluster on Azure and this was a great deep intro to it.Now I just need to translate it to Terraform lol 😅 A big hug from Italy
Thank you for your great tutorial. It was very educational and helped me to learn a lot of topics. However I do have a problem with installing and using cert-manager with the GKE autopilot cluster. The cert manager installs but the webhook doesn't work. Tried with Helm too. Not avail. Is there anything to recommend, please?
Very nice tutorial thank you. I am wondering if I can use it... How to use the cert-manager when you have an external load balancer? I have a three node rancher cluster with an external nginx load balancer? It's not possible since cert-manager does not expose the secrets right?
Is it important to have domain name? Or we can also do it by editing /etc/hosts file and set up temp domain? Why because I am doing it on minikube and I have done issuer.yml and it's just showing "Issuing certificate as Secret does not exist" and not creating extra ingresses which will be created after updating ingress.yml with tls: and annotations: Please let me know... Thanks
I love all the videos I watched from you. Basically, you make sooo valueable guides! I wish your channel had 1M subs and more views because damn, your content is awesome!
Hi, I tried this in a kubeadm cluster in cloud vms, when i deploy nginx controller, i can access it. but after that when i try to expose a service using a nginx object it returns 302 in a loop
i have multiple applications running in multiple namespaces. Currently i am coping the secret yaml file to all the namespaces. I also have ingress rules in namespace. How to manage the secret file accross the namespace?
what kind of challenge will be raised by cert-manager and if the challenge fails, then secret wont get created. isnt it.? what are those cases where the challenge will not complete. please explain. Thanks in advance!
Video Request (If possible): Comparision between K8s, MicroK8s, K3s etc ? What is the difference between docker and containerd, services wise (under the hood)?
Is this also going to work in a situation where port 80 and 443 is forwarded to my Synology NAS? my Kubernetes cluster is running on a server. In the past, I spun up an Nginx container to secure my environment with a certificate from let's encrypt, but it never worked because the port was forwarded to my NAS.
when I check describe my certificate it seems like>>>>> Issuing certificate as Secret does not exist Do you have any idea showing this? Could you pleae help me on this?
Maan if all those kubernetes commands you ran worked for me as well as they do for you, I would be 5 years younger :D... thanks for the content, great explanation!
Thanks so much for this. If I am using EKS cluster and route 53 manages my DNS, there is no IP address issued when I set the kubernetes service type as load balancer, instead a NLB is created on AWS, and the NLB endpoint shows under the external IP colunm. Can I use this NLB endpoint in place of the IP address and map it to my custom domain name and still have the certificate issued to my domain and have it working properly?
What if we need a wild card certificate, for different Namespaces different certificate will be created based on the host name and that too with HTTP01 challenge
Never mind, I was able to find my error and wiith the content of this amazing video I'm created a successful SSL using let's encrpyt. Looking forward to more vidoes DevOps Guy
Have not explored this yet, but I think what you are after is mTLD (mutual TLS) between internal APIs. Might need to explore mTL with cert manager (if possible) or other tools
Great Content, thats exactly im a looking for. But its normal the Acme responde slow down about 30 minutes? -> Waiting on certificate issuance from order..
It sounds a bit fishy to me that it takes so long. I know there might be rate limiting on the production endpoint. There is good troubleshooting docs here to debug orders\challenges. cert-manager.io/docs/faq/acme/ If you're still stuck, I'd report an issue on the cert-manager GitHub repo, or chat to the folks in the kubernetes slack channel, they're very friendly and helpful
@@MarcelDempers everything its fine, when im troubleshooting kubectl get challenges im receive a response that my other ingress causing a conflict,(im using a baremetal) an metalLb, when i remove that ingress, works like a charm! thanks man!
Just to clarify, every EVERY videos from Mr.Dempers are clear and intuitive even for both newbie and intermediate k8s users.
I like the way you edit the video, your speech are continuous and delay exactly on time. Your voice are clear, the illustration from images are straightforward.
Step by step guiding are totally insane for such low-level users. It worth every second watching your channel even on holiday.
Thanks to your project. I jumped to K8s Intermediate level really fast.
Thank you for the kind words 🙏🏼
You are sir, the reason why I am watching work related videos at holidays. Really interesting, informational and cool edited content. Keep it up!
Struggled with this when i was starting out with k8s. This would be very helpful for beginners.
I know it's big words, but IMO you are creating the best DevOps channel on YT. Thanks for your hard work!
Thank you for the kind words 🙏🏽
I now have my first app properly deployed with k8s, using cert-manager to rotate certificates, in great part thanks to this video!
Well thank you ALOT for this! you dont even know how many hours i was on this subject, now i can have this configuration and make it work in my cluster, many guides just forgets to mention the nginx ingress, thanks for the clear instructions!
Thanks to you, I finnaly combined the results of 10+h of googling and resolve the certificates issuing
And all of a sudden the mist of magic around kubernetes/ingress/docker begins to disappear. Thank you Marcel, please keep going! It's absolutely helpful watching your videos.
These videos really are fantastic. They bring so much clarity to an otherwise mystical system...
GM sir, through your guided video I am able to learn kubernetes and how secret it is. Thank you 🙏 for the teachings sir you are DHA 🌳 groot.
the only place I could find my answer! Thanks a lot! Subscribing now
I think this is EXACTLY what I needed to see to learn how to cert my cluster.
Thank you!
Thank you so much dude. Had to complete a Test assignment for an interview and it helped. :)
Thank you for the step by step how-to Marcel. I was able to install a multi-domain certificate into my kubernete cluster. You are my hero sir.
Thank you for taking the time to create such thoroughly informative videos. It is appreciated more than you know!
Thanks! The only issue I ran into is the permission for binding port 80 & 443 on ec2 instance where kind cluster running. I had to assign setcap for kubectl. It works!
way too underrated channel, while all the channels should be like this
One of the best tutorial videos I've ever seen. Def subbed. Def going back through your catalog. Might even push a tweet out about it!
Thanks, Marcel.
Thank you so much for all your tutorials, they're incredibly useful, well made and clear
Hey Marcel, the best video explaining this subject. I've done everything working perfectly then stopped work because got expired. Now I'm trying to find out how to renew.
Thank you so much for this tutorial. You have explained all the concepts so well. I already had everything setup and just required the tls to be setup. It is done now.
You read my mind :). Exactly what I was looking for... Great content and wonderful presentation. Keep it up!
Wow! 😊 Thanks Marcel! Thats the best tutorial out there.
every video of yours I have watched has been so incredibly helpful. thank you.
MetalLB works well for LoadBalacner services on on-site clusters (not sure about in KinD though...)
The other method if ingresses are involved is to use the "cert-manager.io/cluster-issuer" or "cert-manager.io/issuer" annotations. With that, cert-manager will create the Certificate object as well.
Do you think you could make a video on how you make your videos? Really love your stuff!
Dude!!! You are a freakin legend! Thank you so much for the great content and resources in GIT
This is what I was looking for complete SSL in k8s and there are dozens of places which give some information but not complete and very well explained. You did a great job. This is awesome. It really helped me. As always Thanks and wish you a very happy new year 🥳
Thanks for the kind words 💪🏽
Happy new year 🎉🍻
Marcel you are the top one! Your content is always really clear, enjoyable and to the point. At time I get lost with som cli command you use but hey, that makes me a better dev. So once again thank you very much for the effort you put in it. I'm now finally getting into cert management for my cluster on Azure and this was a great deep intro to it.Now I just need to translate it to Terraform lol 😅 A big hug from Italy
We followed this and it was a breeze thanks to this awesome tutorial! Thanks 🙏🏻
Amazing video, really clearing up my headache of setting up SSL.
Great Video and Great Explanation. How can we generate the wildcard certificate using cert-manager and aws route53
using dns challenge method.
Thank you! I was just playing around with this on a kind environment when you dropped your video!
Helped me a lot even in 2022! Thank you very much!
Thank you for your great tutorial. It was very educational and helped me to learn a lot of topics. However I do have a problem with installing and using cert-manager with the GKE autopilot cluster. The cert manager installs but the webhook doesn't work. Tried with Helm too. Not avail. Is there anything to recommend, please?
Very nice tutorial thank you. I am wondering if I can use it... How to use the cert-manager when you have an external load balancer? I have a three node rancher cluster with an external nginx load balancer? It's not possible since cert-manager does not expose the secrets right?
Is it important to have domain name?
Or we can also do it by editing /etc/hosts file and set up temp domain?
Why because I am doing it on minikube and I have done issuer.yml and it's just showing "Issuing certificate as Secret does not exist"
and not creating extra ingresses which will be created after updating ingress.yml with tls: and annotations:
Please let me know...
Thanks
Can you do a video on how to install wildcard ssl on ks8
I love all the videos I watched from you.
Basically, you make sooo valueable guides! I wish your channel had 1M subs and more views because damn, your content is awesome!
thanks, do you have a video with eks + aws load balancer as ingress controller as example?
It is kind of way too easy now to be a programer now. Thank you! :)
More than great, you deserve millions of subscribers
Best explanation. Can u also do a tutorial of all things combined? Nginx, load balancing and ssl
Best video I have ever seen related to that topic
thanks for this video, i have one question, will certmanager will work with NLB in EKS with nginx or kong ingress controller ?
Really cool instructional video. I'm going to check out your example code and give it a try.
Hi, I tried this in a kubeadm cluster in cloud vms, when i deploy nginx controller, i can access it. but after that when i try to expose a service using a nginx object it returns 302 in a loop
i have multiple applications running in multiple namespaces. Currently i am coping the secret yaml file to all the namespaces. I also have ingress rules in namespace. How to manage the secret file accross the namespace?
Thanks for revealing the secrets - the best video on youtube - bless you.
what kind of challenge will be raised by cert-manager and if the challenge fails, then secret wont get created. isnt it.? what are those cases where the challenge will not complete. please explain. Thanks in advance!
Video Request (If possible): Comparision between K8s, MicroK8s, K3s etc ? What is the difference between docker and containerd, services wise (under the hood)?
Awesome explanation🥰. Thank you
Is this also going to work in a situation where port 80 and 443 is forwarded to my Synology NAS? my Kubernetes cluster is running on a server. In the past, I spun up an Nginx container to secure my environment with a certificate from let's encrypt, but it never worked because the port was forwarded to my NAS.
Great! how are certs renewed afterwards?
As usual the best video for the issue on youtube/world/universe. :-) - Keep up with this magnificent videos.
AMAZING CONTENT!!! I will love to see this integrated with Istio
For inside cluster communication, can we use cert-manager? any docs available please?
I absolutely love your videos man!!! Thank you so much
when I check describe my certificate it seems like>>>>> Issuing certificate as Secret does not exist
Do you have any idea showing this?
Could you pleae help me on this?
What the heck man? This video is amazing! I'm glad that I've found you 😊
Maan if all those kubernetes commands you ran worked for me as well as they do for you, I would be 5 years younger :D... thanks for the content, great explanation!
Works like a charm, thanks!
Amazing work, loved the way this was been explained, and thank you.
Amazing!!! It was great, I learned something! Thanks
You're the beast. Thank you for this.
This is too good kind sir 🤲🏾
Hello from Belarus, it was interesting to see wildcard certificates. Thanks =)
So clear explanation. appreciated.
Thank you. I like the style of explanation.
These tutorials are great. Thank you!
Thanks so much for this. If I am using EKS cluster and route 53 manages my DNS, there is no IP address issued when I set the kubernetes service type as load balancer, instead a NLB is created on AWS, and the NLB endpoint shows under the external IP colunm. Can I use this NLB endpoint in place of the IP address and map it to my custom domain name and still have the certificate issued to my domain and have it working properly?
Yes you could. You can map your domain to that as a CNAME record and should work
Oh great. Thanks so much @@MarcelDempers
you are really amazing, instructions are really clear!
You should create END-TO-END tutorial of setting up HA SSL VAULT with Consul :D
on k8s of course
What if we need a wild card certificate, for different Namespaces different certificate will be created based on the host name and that too with HTTP01 challenge
Very nice content, if you have to follow this with aws free tier account, what extra we need to do??
Great video Marcel !! Thanks for info
You saved my day. thank you so much 🎉❤
your videos are awesome. Thanks so much!
Thank you this helped me so much!
Thanks a lot, I got it set up! So this is called TLS termination in Nginx since behind Nginx only port 80 is used?
Yes you're right! TLS is offloaded by default unless passthrough is explicitly stated in the ingress annotation
if dns01 solver, what are the records needed to create on Cloudflare?
You have save my bacon once again sir. Thank you.
Do you have a video about MTLS ?
I'm trying to setup let's Encrypt for my linode Kubernetes cluster but I'm able to get the certificate to issue. Can you help?
Never mind, I was able to find my error and wiith the content of this amazing video I'm created a successful SSL using let's encrpyt. Looking forward to more vidoes DevOps Guy
another great video Marcel !! Thanks
I should have subscribed to this channel earlier. Awesome Content - Just Subscribed !!🔥
such an excellent video thanks Marcel :)
Great video. Very helpful. If I want my pods to communicate via REST API using https internally, will this be applicable?
Have not explored this yet, but I think what you are after is mTLD (mutual TLS) between internal APIs.
Might need to explore mTL with cert manager (if possible) or other tools
@@MarcelDempers I also watching your ISTIO video. Do you think it would be appropriate to use it?
Nobody talks about http2, seems like after ingress and ssl implementation there is no way to keep http2 connection.
a big red hart from Romania ❤
Simply brilliant.
Thanks a lot, that’s a really useful video.
Wish I had found this tutorial early.
Amazing work, thank you
Great explanation, however background music is bit annoying.
I'm going to try this!
MetalLB can give the LoadBalancer a external IP.
A.burton-Boston one the better videos , I like and subscribed ... excellent work.
Great Content, thats exactly im a looking for. But its normal the Acme responde slow down about 30 minutes? -> Waiting on certificate issuance from order..
It sounds a bit fishy to me that it takes so long. I know there might be rate limiting on the production endpoint.
There is good troubleshooting docs here to debug orders\challenges.
cert-manager.io/docs/faq/acme/
If you're still stuck, I'd report an issue on the cert-manager GitHub repo, or chat to the folks in the kubernetes slack channel, they're very friendly and helpful
@@MarcelDempers yeah, looks like a problem here. after waiting 8hours, nothing change. i trying do more stuffs and report to you thanks
@@MarcelDempers Strange that. when im apply the certificate.yml the K8s not create a secret, the secrete comes with 'opaque' -> thats normal?
@@MarcelDempers everything its fine, when im troubleshooting kubectl get challenges im receive a response that my other ingress causing a conflict,(im using a baremetal) an metalLb, when i remove that ingress, works like a charm! thanks man!
is this safe to implement both in prod and no prod?