cert-manager is able to follow CNAMEs, essentially making the handling of the ACME challenges via DNS more flexible.
https://cert-manager.io/docs/configuration/acme/dns01/#delegated-domains-for-dns01
Numerous technical and security improvements on the infrastructure that supports https://mstdn.dk
Bottom line: https://sikkerpånettet.dk/ now gives the site a 100% #security score. There are still improvements to be made (weirdly enough) - specifically I'm looking into supporting DANE for #TLS certificate signatures in #DNS.
Now that's off the TODO-list :-)
need to change my dns nameservers from porkbun's to a provider that's supported by cert-manager...
any recommendations?
(or i guess i could use this, but since porkbun's ui for managing dns records isn't very comfortable, it would probably be nice to switch)
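The two posts above describe the same mechanism from both sides: cert-manager can follow a CNAME from `_acme-challenge.<domain>` into a zone it can drive, so the production zone can stay at a provider without a cert-manager integration. The manifest below is an added example, not taken from either post or from cert-manager's documentation; it assumes the production zone `example.com` stays at the registrar while a separate validation zone `acme-validation.example.net` is hosted at Cloudflare, and every name, Secret name and address in it is a placeholder.

```yaml
# Added example, not from the posts above. Assumptions: the production zone
# example.com stays at a provider cert-manager cannot drive (the registrar's
# default nameservers), while a second zone, acme-validation.example.net,
# lives at Cloudflare. Names, Secret names and the e-mail address are placeholders.
#
# One-time DNS record created by hand in the production zone (one CNAME per
# name that will appear in a certificate):
#   _acme-challenge.example.com.  CNAME  _acme-challenge.acme-validation.example.net.
# Every TXT record cert-manager writes then lands in the Cloudflare zone.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01-delegated
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key
    solvers:
      - dns01:
          # Follow the CNAME from _acme-challenge.example.com into the delegated
          # zone instead of writing into example.com directly (default: None).
          cnameStrategy: Follow
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token   # Secret in the cert-manager namespace
              key: api-token
        selector:
          dnsZones:
            - example.com
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    name: letsencrypt-dns01-delegated
    kind: ClusterIssuer
  dnsNames:
    - example.com   # needs the _acme-challenge.example.com CNAME shown above
```

Apply both manifests and watch `kubectl describe challenge -A`: the challenge should report the TXT record presented at the Cloudflare name, not at `example.com`. The delegation also limits blast radius: the Cloudflare token stored in the cluster only needs edit rights on the throwaway validation zone, so a token leaked from the cluster cannot change production records such as MX or the apex A record.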
As Hetzner is deprecating dns configuration via the dns-console, I migrated my domains to the new Cloud API. Last piece of the puzzle was to create new tokens and move from the old cert-manager-webhook-hetzner (by vadimkim) to the official chart maintained by Hetzner.
Migrated my 7 kubernetes clusters (k3s, rke2, OpenShift) without major hiccups, only had to do some cleanup due to old acme challenge entries being leftover after the migration (as cert-manager could not remove them without the new webhook and API token).
Only things left are the machines without k3s using lego.
#homelab #hetzner #certmanager #dns #hellyeah #kubernetes #k3s #rke2
How to make releases boring: a production baseline on Kubernetes and GitLab CI/CD
A monolith without tests. Deploys only at night. Five minutes of guaranteed downtime on every release. Logs in a file. We learn about problems from the customer. A small/medium microfinance business, without a dedicated DevOps engineer. A "specially trained team lead" who knows which crutches are propping up the system. I describe how this turned into a production baseline: Kubernetes, GitLab CI/CD and observability, after which releases became boring.
https://habr.com/ru/articles/1004956/
#cicd #yandexcloud #kubernetes #gitlab #prometheus #devops #certmanager #helm #logging #deployment
@Larvitz How is Step CA? Are you coming from another CA solution?
Been thinking about running #stepca in my #kubernetes cluster, but have been apprehensive because of how many features seem to be gated behind smallstep's proprietary version. Would love to have this integrated with #certmanager and using the #tpm on my nodes. Was going to do a rearchitecting of my entire #auth and #cryptography stack when I switch from the deprecated #Ingress API to the #GatewayAPI
Guide to setting up a Certificate Authority (CA) based on HashiCorp Vault and OpenSSL in Kubernetes
This guide is a complete walkthrough of deploying a fault-tolerant HashiCorp Vault cluster in Kubernetes and setting up a two-tier Public Key Infrastructure (PKI). The root certificate and the intermediate CA are created with OpenSSL, but the intermediate is imported into and configured in Vault for day-to-day certificate issuance. The infrastructure is integrated with cert-manager for automatic management of the TLS certificate lifecycle.
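The last step of the setup described above, wiring cert-manager to the intermediate living in Vault, looks roughly like the manifest below. It is an added example, not taken from the guide: it assumes Vault is reachable in-cluster at `https://vault.vault.svc:8200`, that the imported intermediate is mounted at `pki_int` with a Vault role `k8s-services` whose `allowed_domains` is restricted to `svc.cluster.local`, that Vault's Kubernetes auth method has a role `cert-manager` bound to the `cert-manager` ServiceAccount, and that a Secret `vault-ca-bundle` holds the internal CA chain. All of these names are placeholders.

```yaml
# Added example, not from the guide above. Assumes: Vault at
# https://vault.vault.svc:8200, the imported intermediate mounted at pki_int with
# a signing role "k8s-services" (allowed_domains limited to svc.cluster.local,
# max_ttl of at least 24h), a Vault Kubernetes-auth role "cert-manager" bound to
# the cert-manager ServiceAccount, and a Secret "vault-ca-bundle" with the chain.
# All names are placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-intermediate
spec:
  vault:
    server: https://vault.vault.svc:8200
    # Vault signs with the imported intermediate; the offline root key never
    # enters Vault, so a compromised Vault cannot mint a new intermediate.
    path: pki_int/sign/k8s-services
    # Chain used to verify Vault's own TLS endpoint, read from a Secret rather
    # than pasted inline as caBundle.
    caBundleSecretRef:
      name: vault-ca-bundle
      key: ca.crt
    auth:
      kubernetes:
        role: cert-manager
        mountPath: /v1/auth/kubernetes
        # Short-lived, projected ServiceAccount token instead of a long-lived
        # static Vault token stored in a Secret.
        serviceAccountRef:
          name: cert-manager
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-api-tls
  namespace: payments
spec:
  secretName: payments-api-tls
  # Short lifetime plus early renewal: a leaked key is only useful for a day.
  duration: 24h
  renewBefore: 8h
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always   # new key on every renewal
  usages:
    - server auth
  dnsNames:
    - payments-api.payments.svc.cluster.local
  issuerRef:
    name: vault-intermediate
    kind: ClusterIssuer
```

The `serviceAccountRef` form requires cert-manager's own RBAC to allow creating tokens for that ServiceAccount (`serviceaccounts/token`, verb `create`). The security boundary sits in the Vault role, not in cert-manager: whatever names the cluster asks for, Vault only signs what `allowed_domains`, `allow_subdomains` and `max_ttl` on `k8s-services` permit, so a compromised cert-manager cannot obtain certificates for external domains. Vault's audit log records every `pki_int/sign/...` call with the requesting entity, which is the place to alert on issuance outside expected namespaces or at unusual rates.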
cloud-controller-manager, csi-smb-controller, kube-apiserver, kube-scheduler, rke2-snapshot-controller, csi-provisioner + -resizer, -snapshotter, yadda yadda.