Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
f
flat-ice-58483
07/10/2022, 8:58 AMHi. Are there any good guides on setting up Let's Encrypt with k3s (running on k3os)?
w
worried-businessperson-13284
07/10/2022, 9:48 PMI did this recently using cert-manager on k3os
https://github.com/deekue/homelab/tree/main/cluster-critical/cert-manager
f
flat-ice-58483
07/11/2022, 7:35 AMThanks. Looks quite advanced. Was thinking more about something like https://k3s.rocks/https-cert-manager-letsencrypt/
w
worried-businessperson-13284
07/11/2022, 7:50 AMyeah, I'm using DNS01 challenges so I can get a wildcard cert
f
flat-ice-58483
07/12/2022, 4:59 PMI'm thinking about doing the same. So I need something like you have at the end. Didn't even know about encryptedData, that looks handy. I guess. Wouldn't it be the same to manually store env vars in k3s? It's not like they would be used locally anyway
w
worried-businessperson-13284
07/12/2022, 6:29 PMthe encryptedData is from Sealed Secrets
I commit the encrypted "sealed secret" to git, apply it and the Sealed Secrets operator creates a decrypted k8s secret
I'm using a gitops approach, everything gets committed to git then applied (I'm using ArgoCD)
f
flat-ice-58483
07/12/2022, 6:36 PMYes I understand the basics of them, and say for development it sounds very nice, but it's not like I would test the cert stuff locally, or?
w
worried-businessperson-13284
07/12/2022, 6:36 PMnot sure what you mean
f
flat-ice-58483
07/12/2022, 6:37 PMThe keys, could they not be environment variables in the cluster? I'm new to this
w
worried-businessperson-13284
07/12/2022, 6:38 PMso env vars can be stored in a configmap or a secret.
either way, if I commit them in clear text in git then everyone on the internet can see them
f
flat-ice-58483
07/12/2022, 6:39 PMWhy commit them, can't secrets be set on the cluster?
You have to set a key to decrypt them on the cluster anyway, or do you not?
w
worried-businessperson-13284
07/12/2022, 6:39 PMcore principle of gitops is everything gets committed before being applied
yes, I have the Sealed Secrets master key stored in a password mgr
when I rebuild the cluster I create that manually
f
flat-ice-58483
07/12/2022, 6:40 PMHmm. So instead of commiting an environment key, which would require the value to be stored on the cluster, you commit a encoded value, which require a decode key on the cluster?
w
worried-businessperson-13284
07/12/2022, 6:41 PMyup, the Sealed Secrets operator handles it automatically
f
flat-ice-58483
07/12/2022, 6:42 PMSo from the git point of view, it's not that much different, right? It's a kind of placeholder, which won't work without some manual value on the cluster
w
worried-businessperson-13284
07/12/2022, 6:42 PMyup
there's other approaches, like Hashicorp Vault
or SOPS
f
flat-ice-58483
07/12/2022, 6:43 PMThe big benefit though, is for development. Where you could have same value on dev, as in prod, and you prevent developers from throwing secrets around in variables. Similar to Azure KeyVault, or AWS Key Management Service. Which is really great. But I'm not going to use my DNS keys for dev, that was what I meant
w
worried-businessperson-13284
07/12/2022, 6:44 PMfairy nuff
f
flat-ice-58483
07/12/2022, 6:47 PMA benefit of having environment variables as placeholders is that sharing the whole setup to others might be smoother, or sharing to other deploys. I'm not sure how that would work. Again, new to this.
Argo CD looks nice. I've been pondering about how to deploy my own stuff. Since I use GitHub I've been considering GitHub Actions + ghcr, but without making my images public I would need to auth ghcr, and it becomes silly complicated
Public images isn't a big deal though, as they won't have anything secret in them, beside already public code. Perhaps it's just fine
w
worried-businessperson-13284
07/12/2022, 6:50 PMyup, depends on what your objectives are.
I'm building a homelab to self host a bunch of stuff
f
flat-ice-58483
07/12/2022, 6:52 PMSame ish here. Not much "lab" though. But I don't mind having GitHub build things for me. Wonder how that is for private repos, where everything is private, and suddenly the image is public. Can it be easily found by some search. Private doesn't mean secret though, just don't want others to see my most horrendous stuff
w
worried-businessperson-13284
07/12/2022, 6:52 PMI think you can have a private image too
just need to provide the container runtime with creds or put them in a registry proxy
or only publish to your local registry
f
flat-ice-58483
07/12/2022, 6:53 PMYeah, need creds
I've done this before. Just not in k3s
w
worried-businessperson-13284
07/12/2022, 6:54 PM👍
f
flat-ice-58483
07/12/2022, 6:54 PMThanks a bunch for the info. Time to see if I can deploy some stuff 🙂
w
worried-businessperson-13284
07/12/2022, 6:55 PMnp. best of luck!
the k8s-at-home project has lots of great repos to crib off
👍 1