
melodic-hamburger-23329

09/02/2022, 12:35 AM
Is there some documentation/manual/etc. regarding certificate and key handling in k3s? There’s quite an overwhelming amount of various keys and certs, and I’m just trying to figure out how everything works (also, how cert-manager / vault would fit the picture). Also, I would like to know all possible configuration options regarding key and cert algorithms, cipher suites, etc. E.g., I noticed that service account tokens are signed with RS256, but I would like to use ES256 instead.

kind-nightfall-56861

09/02/2022, 7:27 AM
I'm busy creating a blog on my portfolio on how to set up a raspberry pi cluster using k3s, where everything is described from flashing your SD-card to deploying your first .NET 6 webapp with automated TLS-certificates using Cert-Manager and Let's Encrypt. Not sure if that would meet your requirements? A lot of topics you're describing aren't handled, since the format is more of a hands-on, that I created for my own backup, but people requested me to publish it.

melodic-hamburger-23329

09/09/2022, 2:48 AM
@kind-nightfall-56861 I’m not able to use Let’s Encrypt due to intranet policies. Is it possible to manage also k3s’s certificates using cert-manager? I would ideally want to centralize all certificate management.

kind-nightfall-56861

09/09/2022, 6:09 AM
From what I understood, cert-manager is a form of orchestrator to manage certs, not an authority. Meaning that CM is not able to give you certs on its own; it needs a certificate authority that hands out signed certificates, for example, Let's Encrypt.

melodic-hamburger-23329

09/09/2022, 6:28 AM
Basically I’m limited to self-signed certificates.

kind-nightfall-56861

09/09/2022, 6:54 AM

melodic-hamburger-23329

09/12/2022, 3:29 AM
@kind-nightfall-56861 Yes, I read that page. However, I’m trying to figure out how to use cert-manager for all certs - or if it’s even possible. Currently k3s issues its own certs, but I’m wondering if I can somehow configure cert-manager to issue the certs also for k3s (api server, kubelets, etc.). Should I just configure the same self-generated CA for cert-manager and k3s (ref: https://kubernetes.io/docs/setup/best-practices/certificates/#single-root-ca https://github.com/k3s-io/k3s/issues/1868)? Kind of at a loss as to how I could/should configure things so that a single CA is used for all issued certs in my k3s setup (including k3s components, Traefik, etc.).

kind-nightfall-56861

09/12/2022, 5:43 AM
Ooh, I haven't looked into that yet. I'm still using the 'insecure' certs from k3s, lmk when you find an answer.