#certmanager

Sam Lehman (Lehmanator@fosstodon.org)
2026-01-17

@Larvitz How is Step CA? Are you coming from another CA solution?

Been thinking about running #stepca in my #kubernetes cluster, but have been apprehensive because of how many features seem to be gated behind smallstep's proprietary version. Would love to have this integrated with #certmanager and use the #tpm on my nodes. Was going to do a rearchitecting of my entire #auth and #cryptography stack when I switch from the deprecated #Ingress API to the #GatewayAPI.

Updated #Orked, my collection of scripts to help set up a production-ready #RKE2 #Kubernetes cluster in your #homelab. This update brings general improvements to the scripts, improved documentation, #HAProxy load balancer support for load balancing multiple Master nodes, and upgraded all components including RKE2, #Longhorn, #Nginx Ingress, #Cert-manager, #MetalLB, #Rancher, etc. to their latest versions.

I still hope someday to support more Kubernetes distributions like #k3s, but haven't gotten around to it. I've also been planning to support more #Linux distros as the base too, instead of only #RockyLinux/#RHEL, but that'll have to wait as well for now. Regardless, I am quite happy with how mature and stable these scripts have turned out to be. If you'd like to set up a cluster of your own, maybe check it out!

🔗 https://github.com/irfanhakim-as/orked

🔗 https://github.com/irfanhakim-as/orked/pull/41

2025-11-29

Guide to setting up a Certificate Authority (CA) based on HashiCorp Vault and OpenSSL in Kubernetes

This guide is a complete walkthrough of deploying a fault-tolerant HashiCorp Vault cluster in Kubernetes and setting up a two-tier Public Key Infrastructure (PKI). The root certificate and the intermediate CA are created with OpenSSL, but the intermediate is imported into and configured in Vault for day-to-day certificate issuance. The infrastructure is integrated with cert-manager for automatic management of the TLS certificate lifecycle.

habr.com/ru/articles/971494/

#сертификат #vault #kubernetes #certmanager

Hmm my services are running fine as far as I can tell, but my #Rancher/#RKE2 #Kubernetes cluster is acting up - possibly #etcd related?

Biggest tell is that the control plane/API server is not the most responsive, and some essential pods are failing/restarting, including #cert-manager, cloud-controller-manager, csi-smb-controller, kube-apiserver, kube-scheduler, rke2-snapshot-controller, csi-provisioner + -resizer, -snapshotter, yadda yadda.

Not sure what could be causing it just yet.

Mauricio Teixeira 🐧 (badnetmask@hachyderm.io)
2025-08-27

Okay, this is weird. The ACME HTTP01 validation with Cilium Gateway API, when 301 redirect from 80 to 443 is enabled, sometimes works, sometimes doesn't. Apparently it's a coin toss of whoever comes first: the application httproute or the acme solver httproute.

Does anyone have a *working* solution for that scenario?

What the scenario is: Cilium 1.18.1, Gateway API enabled, cert-manager 1.18.2 (numbers coincidence) with HTTP01 ACME solver. The certificate order is issued, the acme solver pod is created, but the ACME challenge gets redirected to HTTPS, so it never completes.

PS: No, I can't use DNS01 due to limitations on my DNS server.

EDIT: according to what I found in GitHub, the PR merged in Cilium *yesterday* might fix the problem. So I either need to wait, or be brave enough to try unreleased code.

#HomeLab #GatewayAPI #Cilium #Kubernetes #CertManager

github.com/cilium/cilium/pull/

Mauricio Teixeira 🐧 (badnetmask@hachyderm.io)
2025-08-07

Oh wow! I had some weird stuff in the GatewayAPI config for HTTP to HTTPS redirect which was blocking ACME.

Now I have CertManager correctly issuing certificates from my private StepCA, using the http01 solver behind GatewayAPI! Blog coming (eventually). 🎉

#HomeLab #GatewayAPI #Kubernetes #CertManager #StepCA #TalosLinux

2025-07-28

Solved: HTTP 525/526 CloudFlare Errors

https://raynix.info/archives/4926

2025-07-17

A lesson learned for #cilium and #certmanager on #kubernetes

One shall never forget all necessary http routes and most importantly the enableGatewayAPI flag.

This one also helped: kubito.dev/posts/gateway-api-c

Yorgos Saslis (yorgos@chaos.social)
2025-05-13

It is now already Tuesday morning but everything is back online.

#Pihole is back up so #DNS resolution works again and the rest of the family can use the internet!
✅ NFS provisioners can provide persistent volumes,
#CertManager issues HTTPS certificates,
#Unifi controller is back up to allow me to actually make changes to my network config (such as, say, change DNS settings when pihole is down... )
#HomeAssistant automates away,
#Nextcloud is seeing sunnier days,
#Photoprism <3

Yorgos Saslis (yorgos@chaos.social)
2025-05-13

When #certManager works, it's beautiful. It'd been working smoothly for YEARS without me needing to touch it.

Getting it to work though... !?

Well, let's just say I'd forgotten how much "fun" that can be.

2025-04-24

I spent probably a week's worth of hours learning more #kubernetes so I could save $60 a month.

I have a nice 3 node kube cluster with a 2 node #keepalived #haproxy TCP load balancer. All on #ARM VPS.

Haproxy ingress
#ExternalDNS operator
#CertManager
#RookCeph
#ArgoCD
#KeyCloak
#ValKey
#Mastodon
#CloudNativePG #Postgresql

Harald Klinke (HxxxKxxx@det.social)
2025-04-13

openDesk runs exclusively on Kubernetes and uses over 35 Helm charts for production operation. Requirements: K8s >=1.24, Ingress-NGINX, cert-manager, Helm, Helmfile, RWO volumes and external services such as Redis, Postfix and co.
Details: gitlab.opencode.de/bmi/opendes
#Kubernetes #Helm #DevOps #OpenSource #openDesk #GovTech #CloudNative #Ingress #certManager #DigitalSovereignty

2025-03-26

I'm going to be at #kubecon. At the maintainers summit beforehand, at the contribfest, and at the #headlamp project pavilion.

Contribfest session: kccnceu2025.sched.com/event/1t

I'm looking forward to connecting with folks working on different projects. People have been quite busy building out Headlamp Kubernetes UIs for ecosystem tooling and standards like #gatewayapi #prometheus #keda #flux #minikube #backstage #inspektorgadget #flagger and #certmanager

#Kubernetes #cncf #cloudnativecon

2025-01-14

Those who've been reading my toots might have picked up on the fact that I'm building a #kubernetes cluster from scratch (yes, I like pain). After figuring out #cri_o #calico #certmanager #metallb #traefik and #cloudnativepg I finally deployed my first actual application: #nextcloud ! Wueeh! Extremely stoked! Now I need to figure out how I rope in my ZFS box for persistence, and then I'm ready for a deployment in testing! #k8s #selfhosting

2024-11-04

Managed to migrate my first #Truecharts app from #TrueNAS to #Talos.

Do this only if you need another hobby. It is definitely nothing like the comfort the TrueNAS App Catalogue and UI provided.

But I like #Kubernetes and so it is fine for me to play around with #CertManager, #RenovateBot, #FluxCD and #VolSync. Just have to compare resource consumption now 😅

Johannes Schnatterer (schnatterer@floss.social)
2024-10-30

#CertManager can now be rolled out with GOP. We're planning to extend the support to automatically provision #TLS certs via #letsencrypt / #ACME for all tools with a single parameter 🚀

This release also contains contributions of our new maintainer Thomas Michael. Welcome to the team 🥳

2024-10-16

Isn't there a decent alternative to #certmanager in #kubernetes?
I need a tool that supports the #powerdns API.
kube-lego sadly is deprecated.

几乇丨爪丨 🤓 (neimi@voi.social)
2024-09-27

💻🧾 To all #CertManager pros:

Can certificates (#Zertifikate) for the main domain, e.g. meinedomain.de, be issued using the DNS challenge and a #Webhook on a different server than the one the #Domain and website are hosted on?

Background: my #ejabberd runs at home on my main domain, but there is no webhook for my domain/web host... So I'm considering switching if that were possible...

Maybe @CertManager, @netcup or @team can say something about this 🤔

🔃🙏
