
flat-ice-58483

07/10/2022, 8:58 AM
Hi. Are there any good guides on setting up Let's Encrypt with k3s (running on k3os)?

worried-businessperson-13284

07/10/2022, 9:48 PM

flat-ice-58483

07/11/2022, 7:35 AM
Thanks. Looks quite advanced. Was thinking more about something like https://k3s.rocks/https-cert-manager-letsencrypt/

worried-businessperson-13284

07/11/2022, 7:50 AM
yeah, I'm using DNS01 challenges so I can get a wildcard cert

flat-ice-58483

07/12/2022, 4:59 PM
I'm thinking about doing the same. So I need something like you have at the end. Didn't even know about encryptedData, that looks handy. I guess. Wouldn't it be the same to manually store env vars in k3s? It's not like they would be used locally anyway

worried-businessperson-13284

07/12/2022, 6:29 PM
the encryptedData is from Sealed Secrets
I commit the encrypted "sealed secret" to git, apply it and the Sealed Secrets operator creates a decrypted k8s secret
I'm using a gitops approach, everything gets committed to git then applied (I'm using ArgoCD)

flat-ice-58483

07/12/2022, 6:36 PM
Yes I understand the basics of them, and say for development it sounds very nice, but it's not like I would test the cert stuff locally, or?

worried-businessperson-13284

07/12/2022, 6:36 PM
not sure what you mean

flat-ice-58483

07/12/2022, 6:37 PM
The keys, could they not be environment variables in the cluster? I'm new to this

worried-businessperson-13284

07/12/2022, 6:38 PM
so env vars can be stored in a configmap or a secret. either way, if I commit them in clear text in git then everyone on the internet can see them

flat-ice-58483

07/12/2022, 6:39 PM
Why commit them, can't secrets be set on the cluster?
You have to set a key to decrypt them on the cluster anyway, or do you not?

worried-businessperson-13284

07/12/2022, 6:39 PM
core principle of gitops is everything gets committed before being applied
yes, I have the Sealed Secrets master key stored in a password mgr
when I rebuild the cluster I create that manually

flat-ice-58483

07/12/2022, 6:40 PM
Hmm. So instead of committing an environment key, which would require the value to be stored on the cluster, you commit an encoded value, which requires a decode key on the cluster?

worried-businessperson-13284

07/12/2022, 6:41 PM
yup, the Sealed Secrets operator handles it automatically

flat-ice-58483

07/12/2022, 6:42 PM
So from the git point of view, it's not that much different, right? It's a kind of placeholder, which won't work without some manual value on the cluster

worried-businessperson-13284

07/12/2022, 6:42 PM
yup
there's other approaches, like Hashicorp Vault
or SOPS

flat-ice-58483

07/12/2022, 6:43 PM
The big benefit though, is for development. Where you could have the same value on dev as in prod, and you prevent developers from throwing secrets around in variables. Similar to Azure KeyVault, or AWS Key Management Service. Which is really great. But I'm not going to use my DNS keys for dev, that was what I meant

worried-businessperson-13284

07/12/2022, 6:44 PM
fairy nuff

flat-ice-58483

07/12/2022, 6:47 PM
A benefit of having environment variables as placeholders is that sharing the whole setup with others might be smoother, or sharing to other deploys. I'm not sure how that would work. Again, new to this. Argo CD looks nice. I've been pondering how to deploy my own stuff. Since I use GitHub I've been considering GitHub Actions + ghcr, but without making my images public I would need to auth ghcr, and it becomes silly complicated
Public images aren't a big deal though, as they won't have anything secret in them, besides already public code. Perhaps it's just fine

worried-businessperson-13284

07/12/2022, 6:50 PM
yup, depends on what your objectives are. I'm building a homelab to self host a bunch of stuff

flat-ice-58483

07/12/2022, 6:52 PM
Same-ish here. Not much "lab" though. But I don't mind having GitHub build things for me. Wonder how that is for private repos, where everything is private, and suddenly the image is public. Can it be easily found by some search? Private doesn't mean secret though, just don't want others to see my most horrendous stuff

worried-businessperson-13284

07/12/2022, 6:52 PM
I think you can have a private image too
just need to provide the container runtime with creds or put them in a registry proxy
or only publish to your local registry

flat-ice-58483

07/12/2022, 6:53 PM
Yeah, need creds
I've done this before. Just not in k3s

worried-businessperson-13284

07/12/2022, 6:54 PM
👍

flat-ice-58483

07/12/2022, 6:54 PM
Thanks a bunch for the info. Time to see if I can deploy some stuff 🙂

worried-businessperson-13284

07/12/2022, 6:55 PM
np. best of luck!
the k8s-at-home project has lots of great repos to crib off