Description
Last week: https://everyonecancontribute.com/post/2021-02-10-cafe-16-kubernetes-deployments-to-hetzner-cloud-part-3/
- Demo repository: https://gitlab.com/ekeih/k3s-demo
- Twitter thread: https://twitter.com/dnsmichi/status/1362101461337985028
A
Okay, we are live now. Back to English, back to Kubernetes, back to Hetzner Cloud deployments, back to the magic stuff Max will tell us about today in step four, or part 4, of the workshop. We are so looking forward to learning something new today. And, Max.
B
Last week we deployed the cloud controller manager. If you remember this one, the cloud controller manager is responsible for organizing all the IP-assigning stuff that is related to our cloud provider, like the external IPs for our nodes and the IP addresses for LoadBalancer Services.
B
Yeah, that would also be an option, yeah. So we are not going to use those variables now; we are going to start looking in a bit of a different direction.
B
One thing I showed you last time was that in the end we had a load balancer in this list, and I explained that if we exposed every website the way we did last week, then we would need an additional load balancer for every website we expose, and with each load balancer costing around six euros per month this adds up really fast. For 10 websites you suddenly pay 60 euros, and that's not really nice. It's possible to do this all with one load balancer.
B
So Kubernetes has a concept called Ingress, and I'm going to open the documentation for this. In the upstream Kubernetes documentation there's... this is the overview page for Ingresses, but there is a lot more documented about it. The whole idea of the Ingress resource in Kubernetes is that if you want to expose a website on a specific host, on a specific path, with some configuration, you can create an Ingress resource.
B
Just like you create a Pod or a Deployment or a Service, which we did last week, you can create an Ingress, and this Ingress includes the configuration for the endpoint you want to expose. Then, in addition to this, you run an ingress controller in your cluster, which will monitor the changes in those Ingress objects and, according to the configuration in those Ingress objects, it will configure itself to serve those websites to the public. You are free to choose the ingress controller you want.
B
Yeah, it's using the nginx web server as a reverse proxy, and nginx as a reverse proxy is well tested for, I think, decades now. So it's one option to use, which we will do today, but there are other options as well. For example, there's Traefik, and there is an ingress controller for HAProxy.
B
So there is a wide variety of ingress controllers, and you have to choose what suits you best. For today we will use the ingress-nginx controller, and it's a little bit tricky because there are two nginx ingress controllers. One is developed upstream by NGINX itself and one is developed by the Kubernetes project, and I think the more common one is the one from Kubernetes.
B
I think especially because it's the older one, so more people are using it already, and the same goes for us. We will use the ingress-nginx controller. There's some documentation on how to deploy it and how to configure it, and that's what we will do. We will click here on Deployment, and we are going to use Helm to install it.
B
We will call this namespace ingress. So now, if we look at our namespaces, we have those default namespaces which exist from the beginning, and then we have the new one, ingress. I'm switching to it, so all my commands now default to this namespace. Then let's talk a little bit about Helm. Helm is a package manager for Kubernetes.
B
So there's also a website for it... to do the full life cycle of your containers and everything. The last few times we used just YAML files; for example, here for the cloud controller manager we just did something like kubectl apply and then provided a file, and in this file there is plain YAML.
B
So this is okay in the beginning, but the more you work with Kubernetes the more YAML code you write, and it's hard to reuse this code, because every deployment is a bit different. You can see there's quite a bit of boilerplate. Helm uses the GitHub repository... check out the Helm chart, "charts" or "helm" or something like that, and here we have a Helm chart for ingress-nginx. A minute ago I said we are going to template YAML files, so maybe let's look in the templates directory.
B
Now, it looks similar to the YAML file we had last week. There's a kind, there's metadata, labels, and down here we also have the containers in our Pod. But in addition to this plain code you have all those curly brackets, and each time you see a double curly bracket, that's part of the Go templating language, which tells Helm, or the templating engine...
B
Yeah, then for the labels there's one variable including the labels, and this variable is reused across the chart. This makes it quite easy to only provide templated... based on this. So let's quickly look at the values; those are the settings you can apply to a Helm chart. What's available depends on the Helm chart; some are more common, for example, and often we don't need to... so we only have to change one or two variables.
B
And then it does not directly install it in our cluster; instead it will print the rendered template to us, and that's quite a lot, so maybe let's pipe this into less. Then we see that instead of this variable there's a bunch of labels, and they are the same across the whole output. Here we have a bunch of rules, what our controller is allowed to do, and then here we have a Service. That's something we already know, right?
B
All right, so that's what Helm does: it renders all this YAML code and then applies it to the cluster. Our install command is done by now, which is nice. It gives us some help output which we can ignore for now. Then we can see that now we have Pods in our cluster. Actually, we have one in this namespace, and we can also check for Services.
B
Then we can see we have two new Services. One is the controller itself and one is controller-admission, which we will completely ignore. Maybe, I don't know, in a few months, when we are very comfortable with Kubernetes, then we can talk about admission controllers, but for now only the controller is interesting for us. That's the same kind of Service which we created last week by running something like kubectl expose simple-nginx --type LoadBalancer, something like this.
B
So let's do a describe on the Service, and just like last week it tells us that there is some annotation missing. Last week we did kubectl edit service and then modified it on the fly. But now we are using the same chart and we don't want to change it after the installation; we want to configure it from the beginning. So what we can do is override those values.
B
Do I have to open this in vi? We have Visual Studio Code here, right? So let's open this here; this makes copy and pasting a little bit easier. So we define the controller key, in there we have service, and then we have annotations, and the annotation we did last week was this one: load-balancer.hetzner.cloud/location: fsn1, because our Kubernetes cluster is also running in Falkenstein.
B
All right, yeah, and for Hetzner we now have to look a bit into the source code, or not directly into the source code; it's the documentation of the source code. That's right.
B
And here we have an explanation of what annotations exist. One of those, for example, is the name, and what we will also set is, I think, disable-private-ingress and use-private-ip. So this one we will disable and this one we will enable.
C
No, sometimes... oh no, you're right, it's respectively; you would set it respectively.
B
Cool, so if we create a new one, we can select the protocol. We can even terminate SSL directly at the load balancer.
B
You have to install it first as a plugin, yeah.
B
I'm kind of waiting until it is an official feature, because I think everyone who uses Helm is using helm-diff, but I'm not sure if they plan to include it or not. It shows what it would change. So, for example, in the controller Deployment it will increase the replica count to two, and down here it will add those annotations to the Service, and down here it will also create something called a PodDisruptionBudget.
B
So that's interesting, because we didn't tell it to do anything with a PodDisruptionBudget, right? We only did those changes. So somewhere in the chart there is some template which checks the amount of replicas and, if it's more than one, then it creates a PodDisruptionBudget. That's what I guess. So let's look into the chart again.
C
Okay, so we're starting first with an if, and in the first braces the condition is currently the first value of an or, and the second condition in the braces is currently the second value. These boolean values will be compared, and after that a final boolean result will come out. And in the first one it's an and, so it will be evaluated when autoscaling enabled has a value, and... and greater than also.
C
It's also first the and, and then it's greater than. So it first would check for minimal replicas that are greater than one, so that you have at least defined, for autoscaling, a minimal valuable set of replicas, and then it will also check if autoscaling is enabled.
C
Yeah, if you google... most probably... I use... look for Sprig functions.
C
Runway... Sprig, yeah, yeah, that's true. This is currently the template language that Helm uses, and these are built-in functions of the Sprig template language, and there's an or for that reason.
A
Because, from a user perspective, this is like... I break my fingers when typing that.
A
Yeah, from a computer's perspective, or like the small pocket edition of your calculator back in school, it makes sense; it's easier to integrate. Yeah, mostly.
C
Probably some background about the templating is that currently the whole template language uses Go templates, because Helm is also written in Golang, and they're using this Sprig function library as an extension to do some more advanced features, because Go templates don't have an or or something like that. You can use a range, you can use an if, but nothing like comparison operators or something like that. So this is the reason why it's working currently, yeah. But let's come to the topic of what the PodDisruptionBudget does, probably.
B
If we look at our diff here, there's a bunch of labels which we can ignore, and then it says minAvailable: 1, and this tells Kubernetes: of every Pod which matches those rules, there always has to be one available. That's a strict condition we tell Kubernetes to take care of. So if Kubernetes, for some reason, decides to reschedule some of those Pods to different nodes, when it wants to change stuff, then it will always make sure not to kill too many of those at once.
B
This, of course, only works for cases where Kubernetes does this as an active choice, like when we are draining a node, which means we remove all running Pods from a node. Then Kubernetes can do this as an active decision to terminate all Pods on this node. If, instead, this node just crashes, then those Pods are gone, so Kubernetes can't guarantee the availability of at least one Pod in this case. But for all automatic scheduling, for everything, Kubernetes will, yeah...
C
And most of the other cases that can happen are, like, when you have a lot of Pods running on one node in Kubernetes and the node runs out of memory or out of disk. So typically then an event in Kubernetes will happen that causes the Pod to be evicted automatically to a new node, because that comes from the quality of service and with setting a PodDisruptionBudget.
B
And those kinds of things about Kubernetes are the topics you need to learn for day-two operations. It's easy to get started and deploy a few things, but then you need stuff like PodDisruptionBudgets to really tell Kubernetes what to do, to be sure that it does what you want. All right, so we displayed our diff; now let's really upgrade.
C
There's also a cool site that was founded by Henning Jacobs where Kubernetes failure stories are listed, when people get outages. This is k8s.
C
Dot af, or something different from the symbol, okay.
B
Okay, for me it always reads like "humanities". I mean, the domain is probably something different, but in this case I read it like this. All right, so let's check our Service again, and it now has a public IP address available, which is nice, because now we set this location and our cloud controller manager was able to create it. And if we do kubectl describe...
B
One of them was that we wanted to set a name. Let's go to the dashboard and display all load balancers, and now we see this name is used here. It's now called ingress, which is more readable than just a bunch of numbers. It's still those health checks: Hetzner now sends some TCP connections to our ingress controller, and if those are successful then it changes to green here, which just happened now. So we set two more annotations.
B
If we don't use it, then the load balancer will send the traffic to the public IP addresses of our nodes, which is okay. It's not bad, it's okay, but what we can do is use the internal IP addresses, because our load balancer also has a private IP address here, and we all have this in our private network, which we created with Terraform in the beginning.
B
And if you do it like this, then you are able to apply a little bit stricter firewalling on your public IP addresses, for example, because those nodes don't need to be accessible on the public IP address anymore, because the traffic goes through the internal network. All right, yeah. So, oh, here we can see it as well.
B
There's one additional option passed to our actual ingress controller, which basically configures the default backend for our reverse proxy, and then further down we create a ServiceAccount again, which we will ignore. Niklas asked me today via chat if we can do a little bit of a session about service accounts and permissions in the cluster, and I think we should definitely do this at some point, maybe next week or another one.
B
I guess we will talk about this a bit after the stream. Then we see this new Deployment; it's ingress-nginx-default-backend. It's a Deployment again, with all our labels, but here is our container, and it now uses a different image than the controller: it uses this default backend image. So yeah.
B
Which, to my surprise, is... no, it's all right. We are now seeing kind of the rollover of our Deployment, because we changed the configuration of our ingress controller and it can't change this in place, so it's creating new Pods with this new configuration.
B
This one, for example, is one of the new ones, and when this one is ready it starts terminating the old ones. For example, in this situation right now our PodDisruptionBudget is also there to ensure that always one of them is available, but I think in this case Kubernetes would also do this without a PodDisruptionBudget, I think, but it definitely doesn't hurt.
B
The goal is to have two ingress-nginx ingress controllers now. Therefore we set the replica count to two.
B
Those are the two controllers. That's an nginx reverse proxy, and it's quite the standard configuration to just take traffic and forward it to some backend. In addition to that, we want all traffic that does not match a better backend to be forwarded to this default backend, and the Helm chart allows us to achieve this by just setting defaultBackend to true; then the chart will take care of creating this additional Pod and of configuring those reverse proxies to forward the traffic there by default.
C
So it's a 404 page; it could also be the maintenance page or something like that. So if the URL is not matched... probably it makes more sense if you go to the browser and refresh the site now, and you can see the difference right now: we don't get a 404, we get another result from the default backend.
A
Yeah, I think I misunderstood reverse proxy. It totally makes sense if we describe it more like pulling up a 404 error message or a maintenance mode website; then you have something up front, and in the backend it doesn't matter which type of Pod is running. You always have something visible and your users will see: oh, they have a maintenance window planned, or something else. Yeah.
A
I did that for this course as well, like putting an nginx proxy up front, because when you're building the Docker image users would say, hey, the website is down. No, the website is not down.
B
And last time the next step was that it went to our servers, but this time instead, I think, it kind of goes to our first Service, the LoadBalancer Service, and the Service is implemented in iptables again. So that's why I put it in brackets, because it's not something that really exists. From there...
B
It goes to our ingress controller, so one of those two Pods, and then the ingress controller forwards this again to our default backend Pod. There's a little bit more in between; like, this Service ensures that at first it has to go to the correct node where actually an ingress controller is running, and the same kind of happens over here, because there's also the Service for the default backend. Then it could be that it goes to the node that runs the default backend Pod.
B
And maybe, let's... not sure, let's look for default backend. Maybe it's... no, it's not. Yes, we can probably search for this IP address we had over...
C
Yeah, yeah, probably it depends on what you want to see. Probably so. Do you know of kubetail?
B
So let's look into those logs, and now we get the logs of both controller Pods at the same time. Interesting, I think the logging for the default backend is disabled by default, I think.
B
Yeah, okay, but you can check those.
B
And I think the default backend itself is also logging nothing. All right, in a few minutes we will deploy an additional backend, and then I think we will see some log entries, and then we can come back to this. So as a first thing now, I will create a DNS entry for this IP address. Give me a second.
A
Any news? News time: next week we have GitLab 13.9 on Monday.
A
Yeah, we could do that. I only used the one-click installer, but it would be interesting to combine the knowledge of what we've learned thus far, and maybe, yeah. But I think now we need to learn about users in our pack.
B
I think very long, that's not the problem. Yeah, yeah, if we should wrap it up sooner, then just let me know.
A
No, I just want to, like, get things done. What else is missing for understanding the ingress controller? I think I get it now; I just need to redo it on my own.
B
Yeah, so the next step, now that we have a DNS entry for it: I now have a DNS record for wildcard everyonecancontribute dot forlli.com to forward to this IP address. Right now it tells us it's insecure, because we don't have a certificate yet, so the next step would be to set up cert-manager to get an automated SSL certificate from Let's Encrypt.
A
It sounds like two minutes, that.
B
I will just go ahead, right. All right, so cert-manager: there's also a nice documentation page for cert-manager, which I will skip a little bit now. But if you want to check it out, just look up cert-manager.io; it's the standard software to manage SSL certificates in Kubernetes.
B
Okay, all right, thanks. And the server doesn't have a resource type Certificate. So what we are going to do is extend the API of Kubernetes, and let's just accept this for now. We just applied some magic YAML files, and now we can query certificates.
C
Also, there's currently a second new free SSL ACME provider that you can get, so there's also ZeroSSL.
B
Oh nice, I didn't know this. All right, so for Let's Encrypt we need something called an Issuer, which is kind of the account; we will create kind of a Let's Encrypt account to ask for a certificate. Now this is one of the new CRDs we just applied: it's apiVersion cert-manager.io/v1 now, and kind ClusterIssuer.
B
We will give it a name, letsencrypt. We will have to provide an email address; 30 days before the certificate expires Let's Encrypt will write me an email about it. We will have to define which server we want to talk to; in this case it's the production signing server of Let's Encrypt. And we have to tell it how our challenges are solved.
B
Basically, Let's Encrypt will give us a random string, and we will serve this string from our domain, and then Let's Encrypt will believe that we control this domain and give us our certificate, and all those things are done by cert-manager. All right, so we have this Issuer.
C
I don't know, I also posted the link to the... I've seen, literally, where everything is explained, how the whole stuff works.
C
Let's Encrypt, how it's working: so it's a protocol, it's called ACME, and when you go, for example, to the HTTP challenge, going down a little bit, so this is what Max referred to in between... yeah, and currently, what you see here is before it works. So literally, like you said, a token will be generated by the ACME server, and the ACME server afterwards tries to do an HTTP request to the requesting server. So when you go down a little bit, it will use a specific path.
C
This is how it works on a detailed level, mostly, yeah, and it's a really, really interesting paper. So probably it's not the paper, it's like... there are a lot of other tools, also for on-premise environments; you can also use this ACME protocol to automate your whole SSL issuance if you go a self-signed way, mostly.
B
Yeah, nice things, yeah. So I think about an hour ago, in the beginning, I mentioned the concept of an ingress controller and of Ingress objects in our cluster. So now we have a running ingress controller, we have a running cert-manager, and now it's finally time to create an Ingress to expose something from our cluster, and for this I want to deploy a bit of a hello world application.
B
Right, so at first we have a Service. We are not using a LoadBalancer Service, because we don't want a load balancer; our load balancer is our nginx ingress controller. We just want an internal Service for this. Then we have this Deployment, which uses the hello-kubernetes image, and we can provide a custom message, for example.
C
Okay, yeah, really we don't use an open... That means when we would use type LoadBalancer, it would mean that, like we saw before already, a real load balancer on Hetzner will be created, but currently we want to route the load balancing only internally in this cluster.
C
So for that case we will use the Service that has a stable IP address. So when you check it, literally, you can see it will, every time... like Max already printed before, it will use 10.43.20.78 instead of going to all the Pod IP addresses. So we would also see the internal appearances... I think by kubectl get pods that should also be, yeah, you can see. So it doesn't use the 42 IP addresses; it will use directly...
C
The Ingress will use only the 43 IP address space, and it's also important that cluster IPs are in a separate space from the Pod IP address spaces.
B
Yeah, that's a crazy part. You can change almost all things, and yeah.
C
Yeah, like what we currently see is that Kubernetes is not a tool that you're using; it's more like a framework for building something. So we can build our own platform that we want to have and use it for our use case, instead of using some products, and you can extend it like you want. So, like writing your own custom CRDs and writing your own controllers for special workloads that you have; everything is in place for that out of the box, mostly, but you need to do it. So, for...
A
For me to learn: the customized message has a load balancer, we don't use that, and the cluster IP address from Hetzner is what we exposed earlier.
C
No, we exposed earlier the load balancer, so that's the real IP address. So when you check the Ingress again, yeah, it makes more sense. So you see, the type is different, and a ClusterIP doesn't have an external IP address.
A
But what about the LoadBalancer type?
C
Yeah, yeah, that's the reason. So because we are... you can see, the events are mostly important because when we're using a Kubernetes Service like LoadBalancer, the controller takes this Service and asks Hetzner to spin up a real load balancer via the API. A ClusterIP doesn't do this at all; it's only there. So there are no events when we would probably check the...
C
Yeah, but yeah, that's true. And now coming to a big important point: the difference between the Service LoadBalancer and our ingress controller is that a Service LoadBalancer only works on layer four, so it's only TCP/IP, nothing special. But if you want to do an HTTP request, we're going one OSI layer higher, so it would be layer 7.
C
It could also be some different protocols; it doesn't need to be HTTP, but on that we then want to serve only... for example, we want to enter a URL, so we don't need to enter an IP address and all the stuff, and that's the reason why we have a load balancer at layer four and after that the layer seven ingress controller, mostly, because we're going from layer four to layer seven in the OSI model.
B
So there is a one-to-one connection between the object here and the LoadBalancer Service in our cluster, and each other Service of type ClusterIP is also kind of a load balancer, but it's not a public load balancer; it's internal in the cluster, like behind the Service could be several Pods.
C
So really, what you can see here now: we can see the same Service currently has the IP address 43..., and currently the Service also has multiple endpoints, and these are the real IP addresses of the Pods.
A
This is basically a management thing, assigning it correctly or, like, routing the traffic correctly, actually, yeah.
B
All right, so the last part missing now is the connection between the ingress controller and our new Service, right? The ingress controller is not aware of it yet, so we go back to our demo here and now we create this magical Ingress object I told you about earlier, and for a second I will also show the documentation about it again.
B
If you ever configured a web server, then you will find the same patterns in here. Like in Apache you have virtual hosts, and in our Ingress resource we have a host, which is very, very similar, and then we have different... for example, in nginx I think it's then called a location.
C
So that means that we need to write it down. Yeah, probably we can deploy it now.
B
And so now you have... a few seconds ago there was no address; now there is an IP address, and if we look in our ingress namespace at the Services again, you can see that it's exactly the same IP address as our LoadBalancer Service: it's the public IP address of our Hetzner Cloud load balancer.

B
So this is here now because our ingress controller picked up this Ingress resource and used it to configure itself, and also wrote back to it that it's exposed with this IP address. So earlier I already configured a DNS entry to this, so let's look in the browser, I think over here. It's still no SSL yet, so there's a little interesting hack in Chrome: you can now type "thisisunsafe" and then it reloads and completely ignores, you know... let me try again, and yeah.
B
It completely ignores all the security features that are supposed to block it from accessing this page. So now we can see this demo application that we have running in three different Pods, still without HTTPS, and if we refresh the page a few times we can see that the Pod name here changes. So each time our traffic hits the ingress controller, the ingress controller decides randomly which backend is used.
B
It feels a little bit redundant, but this one is for the web server configuration and this is for the SSL configuration; we have to do it in both places. Then we also add an annotation; that annotation is necessary for cert-manager, because cert-manager will also monitor all the Ingress objects, and if it sees an Ingress with an annotation like this, then it will use the ClusterIssuer with this name to create an SSL certificate.
B
And let's apply this again. So now our Ingress was reconfigured, and now what we can do is kubectl get pods, and now we see there's a new Pod. This one was created by our cert-manager, and we also have a new Ingress for a few seconds. No... because there's this Ingress which was created by cert-manager. Now cert-manager created this Ingress, and now the ingress controller again will pick up this Ingress and configure itself to serve...
B
Okay, now it's already gone, but to serve this Pod, yeah, also under this host name, and then Let's Encrypt queries our domain and this Pod answers the challenge and therefore proves that we own this domain.
B
Yeah, I think this cert-manager alone justifies replacing a docker-compose setup with a single-node k3s setup, just because you get the Kubernetes API and all this stuff almost for free.
A
I'm running the everyonecancontribute.dev page, and this is a docker-compose whatever thing with Let's Encrypt, and it doesn't work, and you got me an idea, thanks, yeah.
B
So the nice thing now that we have this ingress controller is that we can use it to expose as many HTTP websites as we want. All we need to do is create an additional Ingress. For example, this one uses a little bit of a different domain, "hello" instead of "world", and down here we use the same configuration for the backend, but if you have a more complex application we could define, I don't know, that the admin backend, for example, is running...
B
We can, for example, also see that there is a pending CertificateRequest. I think now it's done, yeah, now both already. So, for example, if the Certificate never switches to true, then it is a good idea to check the CertificateRequest, which is a little bit of the under-the-hood magic of cert-manager.
B
It also has a valid certificate, and now we can do this with as many domains as we want. This is very nice, because if we operate a Kubernetes cluster and our co-workers or our friends want to publish some websites in it, we can provide them with one single ingress controller, which is all running behind the same IP address, one load balancer at the cloud provider, and then the ingress controller takes care of sending the traffic to the right backend and of taking care of all the certificates with cert-manager, yeah.
A
So me, or what I want to build now, or whatever, I don't... it probably doesn't matter where it runs, but a Kubernetes cluster in a cloud, and sponsor the everyonecancontribute.dev domain, and then everyone can, like, come and deploy something from GitLab to this thing. This would be interesting.
A
But we need to... so, I cannot speak English today. We need to sign off for today. I think we need to find the finish line for today.
A
No, it's not your fault. I think it's a learning curve. I think I didn't understand everything, but I asked a lot, and my problem, or my blocking point with Kubernetes, always was that it was too much and I didn't have time for 10-hour courses or lectures. I'm learning by example and you're giving me, like, the best examples I have, so I can ask you as my trainer, my personal trainer, so I'm very thankful for all of it.
B
Not an entire issue, I guess; we have to check with Nicholas. Maybe he just wants to prepare stuff for the user management and permissions for next week.
C
I can do so. Should we... we can use data for that, so we can use GitHub as the little piece with which I can log in to the cluster, so we can use OpenID. I can also explain a bit how OpenID works, and then we would use Dex, I think, for that, but I will figure out how we can do it.
A
I want to create a Hetzner group in my account, so we can play around, and I expand everything which we kind of do and find a way to... I think I can just add your account.
A
If you provide me with the account, I can just invite you to a group, yeah. I can add you to a group, and then you can... like, we are working on the GitLab repository, or the GitHub group, and on the Hetzner Cloud group, and I think it should be fine, and we can recreate what Max created before in the demo, and yeah, this should be working. If I haven't done this by Friday, Nicholas, please ping me.
B
Thing of time: if it didn't happen by Saturday, I will bring Nicholas to ping you.
A
Okay, and who else... Michael Eisner, who's not here today, will ping someone on Sunday. Okay, yeah, that's great. Anything else?
A
User management next week, and then afterwards we have many different ideas. We are looking forward to that next week. We can do 6 p.m. again, if it's possible for everyone.
A
Yeah, some people... and I know where I'm at, so I will, like, use my Google Maps zoom and... in stock. You.