►
Description
Last week: https://everyonecancontribute.com/post/2021-02-10-cafe-16-kubernetes-deployments-to-hetzner-cloud-part-3/
- Demo repository: https://gitlab.com/ekeih/k3s-demo
- Twitter thread: https://twitter.com/dnsmichi/status/1362101461337985028
A
B
B
Last
week
we
deployed
the
cloud
controller
manager.
We
if
you
remember
this
one,
the
cloud
controller
manager
which
is
responsible
to
organize
all
the
ip
assigning
stuff
that
is
related
to
our
cloud
provider,
like
the
external
ips
and
the
external
ips
for
our
nodes
and
the
ip
addresses
for
load
balancer
services.
B
We
one
thing
I
showed
you
last
time
was
that
in
the
end
we
had
a
load
balancer
in
this
list,
and
I
explained
if
we
would
expose
every
website
the
way
we
did
last
week.
Then
we
would
need
an
additional
load
balancer
for
every
website
we
expose
and
with
each
load
balancer
costing
around
six
euros
per
month.
This
adds
up
really
fast
like
for
10
websites.
You
suddenly
pay
60
euros
and
that's
not
really
nice
and
it's
possible
to
do
this
all
with
one
load
balancer.
B
So
kubernetes
has
a
concept.
It's
called
ingress
and
I'm
going
to
open
the
documentation
for
this.
So
in
the
upstream
kubernetes
documentation,
there's
a
yeah
there's.
This
is
the
overview
page
for
ingresses,
but
there
are
a
lot
of
more
stuff
documented
about
it,
and
the
whole
idea
of
the
ingress
resource
in
kubernetes
is
that
if
you
want
to
expose
a
website
on
a
specific
host
to
a
specific
path
with
some
configuration,
you
can
create
an
ingress
resource.
B
Just
like
you
create
a
pod
or
a
deployment
or
a
service
which
we
did
last
week.
You
can
create
an
ingress,
and
this
ingress
includes
configuration
for
yeah
for
the
endpoint
you
want
to
expose
and
then,
in
addition
to
this,
you
run
an
ingress
controller
in
your
cluster,
which
will
which
will
monitor
the
changes
in
those
ingress
objects
and,
according
to
those
configuration
in
those
ingress
objects,
it
will
configure
itself
to
serve
those
websites
to
the
public
and
you
are
free
to
choose
the
english
controller
you
want
to
so.
B
B
It's
yeah
it's
using
the
nginx
web
server
as
a
reverse
proxy
and
yeah
nginx
as
a
reverse
proxy
is
better
tested
for,
I
think
decades
now,
and
so
it's
one
option
to
use
which
we
will
do
today,
but
there
are
other
options
as
well.
For
example,
there's
traffic
there
is
an
engine,
an
ingress
controller
for
h,
a
proxy.
B
So
there
is
a
yeah
wide
variety
variety
of
inverse
controllers
and
yeah.
You
have
to
choose
what
suits
you
best
for
today
we
will
use
the
ingress
nginx
controller
and
it's
a
little
bit
tricky,
because
there
are
two
ingress
nginx
controllers.
One
is
developed
upstream
from
engine
x
itself
and
one
is
developed
by
the
kubernetes
project
and
I
think
the
more
common
one
is
the
one
from
kubernetes.
B
I
think,
especially
it's
the
older
one.
So
more
people
are
using
it
already
and
yeah
the
same
for
us.
We
will
use
the
ingress
nginx
controller,
there's
some
documentation.
How
to
deploy
it,
how
to
configure
it
and
yeah?
That's
what
we
will
do.
We
will
click
here
deployment
and
we
are
going
to
use
helm
to
install
it.
B
B
We
will
call
this
namespace
ingress.
So
now,
if
we
look
at
our
namespaces,
we
have
those
default
namespaces
which
exist
from
the
beginning,
and
then
we
have
the
new
one
ingress,
I'm
switching
to
it.
So
all
my
commands
now
default
to
this
namespace
and
then
yeah.
Let's
talk
a
little
bit
about
him.
Helm
is
a
package
manager
for
kubernetes.
B
So
this
is
okay
in
the
beginning,
but
the
more
you
work
with
kubernetes
the
more
yummy
code.
You
write
and
it's
hard
to
reuse
this
code,
because
every
deploy,
5
difference,
you
can
see.
There's
quite
a
bit
of
boiler,
helm
uses
the
github
repository
check
out
the
hem
chart,
parts
or
helm,
or
something
like
that,
and
here
we
have
a
hem
chart
for
ingress
engine
x
and
a
minute
ago
I
said
we
are
going
to
template
jana
files.
So
maybe
let's
look
in
the
templates
directory.
B
Now
it
looks
similar
to
the
yaml
file
we
had
last
week.
There's
also
there's
a
kind
there's
metadata
labels
and
down
here
search.
We
also
have
the
containers
in
our
pot,
and
but
in
addition
to
this
planar
code,
you
have
all
those
curly
brackets
and
each
time
you
see
a
double
curly
bracket.
That's
a
part
of
the
go
templating
language
which
tells
help
of
the
templating
engine.
B
B
Yeah
then,
for
the
labels
there's
one
variable,
including
the
labels,
and
then
then
this
variable
is
reused
across
the
chart
and
yeah.
This
makes
it
quite
easy
to
only
provide
templated
based
on
this
so
times
values
we
can
see,
though
quickly
those
are
the
settings
you
can
apply
to
a
hem
chart
available
depends
on
the
hand
chart
some
are
more
common,
for
example,
and
it's
because
often
we
don't
need
to
so
we
only
have
to
change
one
or
two
variables.
B
B
B
And
then
it
does
not
directly
install
it
in
our
cluster;
instead,
it
will
print
the
rendered
template
to
us
and
that's
quite
a
lot.
So
maybe,
let's
pipe
this
into
less,
and
then
we
see
now
that
there
are
instead
of
this
variable,
there's
a
bunch
of
labels
and
they
are
the
same
across
the
whole
yeah
output,
and
here
we
have
a
bunch
of
rules.
What
our
controller
is
allowed
to
do
then
here
we
have
a
service,
that's
something
we
already
know
right.
B
B
All
right,
so
that's
what
ham
does
it
renders
all
this
yummy
code
and
then
it
applies
this
to
the
cluster
and
our
install
command
is
done
by
now,
which
is
nice.
It
gives
us
some
help,
output
which
we
can
ignore
for
now,
then
we
can
see
that
now
we
have
pots
in
our
cluster
right.
Actually,
we
have
one
in
this
namespace
and
we
can
also
check
for
services.
B
Then
we
can
see
we
have
two
new
services.
One
is
the
controller
itself
and
one
is
controller
admission
which
we
will
completely
ignore.
Maybe
I
don't
know
in
a
few
months
when
we
are
very
comfortable
with
kubernetes,
then
we
can
talk
about
admission
controllers,
but
for
now
it's
only
for
us.
It's
interesting
this
controller
and
yeah.
That's
the
same
kind
of
service
which
we
created
last
week
by
running
something
like
cube:
ctl,
xposed,
simple
engine
x,
type,
load,
balancer,
something
like
this.
B
So
let's
do
a
describe
on
the
service
and
just
like
last
week
it
tells
us
that
there
is
some
annotation
missing
so
now.
Last
week
we
did
cubectl
edit
service
and
then
modified
it
on
the
fly.
But
now
we
are
using
the
same
chart
and
we
don't
want
to
change
it
after
the
installation.
We
want
to
configure
it
from
the
beginning,
so
what
we
can
do
is
to
override
those
values.
B
B
C
B
Is
I
don't
have
to
open
this
in
vi?
We
have
visual
code
here
right.
So
let's
open
this
here.
This
makes
copy
and
pasting
a
little
bit
easier.
So
we
define
the
controller
key
in
there
we
have
service
and
then
we
have
annotations
and
the
annotation
we
did
last
week
was
this
one.
Lo
balancer
had
snack
cloud
location
feinstein
one
because
our
kubernetes
cluster
is
also
running
in
feinstein.
B
B
B
B
C
B
B
B
B
B
C
C
B
B
B
B
B
B
I
I
kind
of
I'm
kind
of
waiting
until
it
is
an
official
feature,
because
I
think
everyone
who
uses
helm
is
using
hamdiff,
but
I'm
not
sure
if
they
plan
to
include
it
or
not
and
yeah.
It
shows
that
what
it
would
change
so,
for
example,
in
the
controller
deployment
it
will
increase
the
replica
count
to
two
and
down
here.
It
will
add
those
annotations
to
the
service
and
down
here.
It
will
also
create
something
called
a
pot
disruption
budget.
B
So
that's
interesting
because
we
didn't
tell
it
to
do
anything
with
a
pot
disruption
budget
right.
We
only
did
those
changes
so
in
the
chart
somewhere,
there
is
some
template
which
checks
the
amount
of
replicas
and,
if
it's
more
than
one,
then
it
creates
a
pot
disruption
budget.
That's
what
I
guess.
So,
let's
look
into
the
chart
again.
B
B
C
C
Okay,
so
we're
starting
first
within
with
an
if
and
for
first
braces.
I
currently
condition
the
first
true
value
of
an
or
and
the
second
condition
of
the
braces.
Currently
the
second
value
and
these
boost
values
will
be
compared
and
afterwards,
after
that,
a
final
boolean
result
will
come
out
so
and
in
the
first
one
it's
an
end,
so
it
will
be
conducted
if,
when
auto
station
enabled
is,
has
a
value
to
a
and
end
greater
than
also.
C
C
C
A
C
Probably
some
background
about
for
templating
is
that
currently
the
whole
template
language
uses
go
template
because
also
help
is
written
in
dolan
and
they're
using
this
split
function.
Library,
as
extension
to
do
some
more
advanced
features
because
door
template
doesn't
have
an
or
something
like
that.
You
can
use
a
range
you
can
use
an
if,
but
nothing
like
like
comparison
operators
or
something
like
that.
So
this
is
the
reason
why
it's
working
currently
yeah.
But
let's
come
to
a
topic.
What
the
pot
description
budget
does
probably.
B
If
we
look
at
our
div
here,
there's
a
bunch
of
labels
which
we
can
ignore
and
then
it
says
min
available
min
available
one,
and
this
tells
kubernetes
every
pot
which
matches
those
rules
from
those
pots.
There
always
has
to
be
one
available,
always
that's
a
strict
condition.
We
tell
kubernetes
to
take
care
of.
So
if
kubernetes,
for
some
reason,
decides
to
reschedule
some
of
those
ports
to
different
nodes
when
it
wants
to
change
stuff
and
then
it
will
always
make
sure
not
to
kill
too
many
of
those
at
once.
B
B
This,
of
course,
only
works
for
cases
where
kubernetes
does
this
as
an
active
choice
like
we
are
draining
a
node,
which
means
we
remove
all
running
pots
from
a
node,
then
kubernetes
can
do
this
as
an
active
decision
to
terminate
all
pots
on
this
node.
If,
instead
this
node
just
crashes,
then
those
parts
are
gone.
So
kubernetes
can't
guarantee
the
availability
of
at
least
one
pot
in
this
case,
but
for
all
automatic
scheduling
for
everything,
qrinatus
will
yeah.
B
B
C
And
most
of
the
other
case
that
can
happen
is
like
when
you
have
a
lot
of
parts
running
on
one
node
in
juveniles,
and
currently
the
node
runs
out
of
memory
or
out
of
dist.
So
typically,
then,
an
event
in
juventus
will
happen
that
chords
that
the
pot
that's
evicted
automatically
to
a
new
node,
because
that
comes
from
the
quality
of
servers
and
with
setting
a
port
disruption
budget.
B
And
those
kinds
of
things
about
kubernetes
are
those
topics
you
need
to
learn.
As
for
the
day
two
operation
like
it's
easy
to
get
started
to
deploy
a
few
things,
but
then
you
need
stuff,
like
pot
disruption
budgets,
to
really
tell
kubernetes
what
to
do
to
be
sure
that
it
does
what
you
want
all
right.
So
we
should.
We
displayed
our
diff
now,
let's
really
upgrade.
C
B
Okay,
for
me,
it
always
reads
like
humanities.
As
I
mean,
the
domain
is
probably
something
different,
but
in
this
case
I
read
it
like
this
all
right.
So
let's
check
our
service
again,
and
it
now
has
a
public
ip
address
available,
which
is
nice,
because
now
we
set
this
location
and
now
our
cloud
controller
manager
was
able
to
create
it,
and
if
we
do
keep
ctl
describe.
B
B
One
of
them
was
that
we
wanted
to
set
a
name,
let's
go
to
the
dashboard
and
display
all
balances,
and
now
we
see
this
name
is
used
here.
It's
now
called
ingress,
which
is
more
readable
than
just
a
bunch
of
numbers
and
yeah.
It's
still
those
his
checks.
The
heads
now
now
send
some
tcp
connections
to
our
ingress
controller
and
if
those
are
successful,
then
it
changes
to
green
here
which
just
happened
now,
so
we
set
two
more
annotations.
B
If
we
don't
use
it,
then
the
load
balancer
will
send
the
traffic
to
the
public
ip
addresses
of
our
nodes,
which
is
okay.
It's
not
it's
not
bad,
it's
okay,
but
what
we
can
do
is
to
use
the
internal
ip
addresses,
because
our
load
balancer
also
has
a
private
ip
address
here,
and
we
all
have
this
in
our
private
network,
which
we
created
with
terraform
in
the
beginning.
B
And
if
you
do
it
like
this,
then
you
are
able
to
apply
a
little
bit
more
strict
firewalling
on
your
public
ip
addresses,
for
example,
because
the
those
nodes
don't
need
to
be
accessible
from
the
public
ip
address
anymore.
Now,
because
the
traffic
goes
through
the
internal
network,
all
right
yeah.
So,
oh
here
we
can
see
as
well.
B
B
C
B
B
There's
one
additional
option
passed
to
our
actual
english
controller,
which
basically
configures
the
default
backend
for
our
reverse
proxy
and
then
further
down.
We
create
a
service
account
again,
which
we
will
ignore.
Niklas
today
asked
me
via
chat
if
we
can
do
a
little
bit
of
a
session
about
service
accounts
and
permissions
in
the
cluster,
and
I
think
we
should
definitely
do
this
at
some
point,
maybe
next
week
or
another
one.
B
I
guess
we
will
talk
about
this
after
the
stream
a
bit
and
then
we
see
this
new
deployment.
It's
ingress
in
the
next
default
backend,
it's
a
deployment
again
all
our
labels,
but
it's
sorry
here
our
container
and
it
now
uses
a
different
image
than
the
controller
it
uses.
This
default
backend
image,
so
yeah.
B
B
B
This
one,
for
example,
is
one
of
the
new
ones
and
when
this
one
is
ready,
it
starts
terminating
the
old
ones
and,
for
example,
in
this
situation
right
now,
our
pot
disruption
budget
is
also
there
to
ensure
that
always
one
of
them
is
available,
but
I
think
kubernetes
in
this
case
kubernetes
would
also
do
this
without
support
disruption
budget.
I
think,
but
it
definitely
doesn't
hurt.
A
B
A
B
Those
are
the
two
controllers:
that's
a
nginx
reverse
proxy
and
it's
quite
the
standard
configuration
to
just
take
traffic
and
forward
it
to
some
backend,
and
in
addition
to
that,
we
want
to
forward
all
traffic
that
is,
does
not
match
a
better
backend
to
be
forwarded
to
this
default.
Backend
and
the
home
chart
allows
us
to
achieve
this
by
just
setting
default
backend
to
true,
then
the
chart
will
take
care
of
sorry
of
creating
this
additional
pot
and
to
configure
those
reverse
proxies
to
forward
the
traffic
there
by
default.
C
So
it's
54
page,
it
could
be
also
the
maintenance
page
or
something
like
that.
So
if
the
url
is
not
matched
it's
like,
probably
it
makes
more
sense.
If
you
go
to
the
browser
and
currently
now
refresh
the
site-
and
you
can
see
the
difference
right
now
and
we
got
not
in
form
four,
we
get
another
result
of
a
default
backend.
A
Yeah,
I
think
I
misunderstood
reverse
proxy.
It
totally
makes
sense
if,
if
we
describe
it
more
like
pulling
up
a
running
404
error
message
or
like
a
maintenance
mode
website,
then
you
have
something
upfront
and
in
the
back
end
it
doesn't
matter
which
type
of
of
port
is
running.
You
always
have
something
visible
and
your
users
will
see.
Oh,
they
have
a
maintenance
window
planned
or
something
else
yeah.
A
B
B
And
last
time,
the
next
step
was
this
that
it
went
to
our
servers,
but
this
time
instead,
I
know
it
kind
of
I
think
it
kind
of
goes
to
our
first
service,
the
contr,
the
load,
balancer
service
and
the
service
is
implemented
in
ip
tables.
Again.
So
that's
why
I
put
it
in
brackets,
because
it's
not
something
that
really
exists
from
there.
B
It
goes
to
our
ingress
controller,
so
one
of
those
two
parts
and
then
the
inverse
controller
forwards
this
again
to
our
default
backend,
port
and
there's
a
little
bit
more
in
between,
like
this
service,
ensures
that
at
first
it
has
to
go
to
the
correct,
correct
node,
where
actually
an
ingest
controller
is
running
and
the
same
happens
kind
of
happens
over
here,
because
there's
also
the
service
for
the
default
backend
and
yeah.
Then
it
could
be
that
it
goes
to
the
node
that
runs
the
default
backend
port.
B
B
B
B
B
B
C
B
B
B
And
I
think
the
default
backend
itself
is
also
logging,
nothing
all
right.
In
a
few
minutes
we
will
deploy
an
additional
backend
and
then
I
think
we
will
see
some
lock
queries
and
then
we
can
back
to
can
come
back
to
this.
So
as
a
first
thing
now,
I
will
create
a
dns
entry
for
this
ip
address.
Give
me
a
second.
D
A
A
C
D
C
B
A
B
Yeah,
so
the
next
step,
now
that
we
have
a
dns
entry
for
it,
I
now
have
a
dns
record
for
wildcard.
Everyone
can
contribute
dot
for
lli.com
to
forward
to
this
ip
address
right
now.
It
tells
us
it's
insecure
because
we
don't
have
a
certificate
yet,
so
the
next
step
would
be
to
set
up
cert
manager
to
yeah
get
an
automated
ssl
certificate
from
let's
encrypt.
B
B
B
B
B
B
B
B
C
B
Oh
nice,
I
didn't
know
this
all
right
so
for
let's
encrypt,
we
need
something
called
an
issuer
and
which
is
kind
of
the
account
or
let's
we
will
create
kind
of.
Let's
encrypt
account
to
to
ask
for
a
certificate,
and
now
this
is
new
one
of
the
crds
we
just
applied
it's
a
api
version,
cert
manager
version
one
now
and
kind
cluster
issuer.
B
We
will
give
it
a
name.
Let's
encrypt,
we
will
have
to
provide
an
email
address
30
days
before
the
certificate
expires.
Let's
encrypt
will
write
me
an
email
about
it.
We
will
have
to
define
to
what
server
we
want
to
talk
to.
In
this
case,
it's
the
production
signing
server
of
let's
encrypt,
and
we
have
to
tell
how
our
challenges
are
solved.
B
D
C
C
Let's
encrypt
it's
working,
so
it's
a
protocol,
it's
called
acme
and
when
you
go,
for
example,
to
the
http
challenge
going
down
a
little
bit,
so
this
for
my
referred
to
in
between
four
yeah
and
currently,
when
you
currently
see
years
before
it
works
so
literally,
like
you
said,
yeah
token
will
be
generated
by
the
acme
server
and
the
acme
server
afterwards
tries
to
do
an
http
request
to
the
requesting
server.
So
when
you
go
down
a
little
bit,
it
will
use
a
specific
path.
C
This
is
how
it
works
on
a
detailed
level,
mostly
yeah,
and
it's
a
really
really
interesting
paper.
So
probably
it's
not
the
paper.
It's
like.
There
are
a
lot
of
other
tools,
also
on
premise
environments.
You
can
also
use
these
acme
projector
to
automate
your
whole
ssl
insurance.
If
you
go
to
a
self-signed
way,
mostly.
B
Yeah,
nice
things
yeah,
so
I
think
about
an
hour
ago
in
the
beginning
I
mentioned
the
concept
of
an
ingress
controller
and
of
ingress
objects
in
our
cluster.
So
now
it's
now
we
have
a
running
inverse
controller.
We
have
a
running
cert
manager
now
it's
finally
time
to
create
an
ingress
to
expose
something
from
our
cluster,
and
for
this
I
want
to
deploy
a
bit
of
a
hello
world
application.
B
This
right
so
at
first
we
have
a
service.
We
are
not
using
a
load
balancer
service
because
we
don't
want
a
load
balancer
our
load
balancer
is
our
nginx.
Invest
controller.
Just
want
an
internal
service
for
this,
then
we
have
this
deployment
which
uses
the
hello
humanities
image,
and
we
can
provide
a
custom
message,
for
example,.
C
C
C
So
for
that
case
he
will
ask
the
service
that
has
a
stable
ip
address.
So
when
you
check
it
literally,
you
can
see
it
will
every
time
users
like
much
already
outsourced
print
before
it
will
use
for
10
43
20
78,
instead
of
going
to
all
the
pot
ip
address.
So
when
you
or
white
we
would
also
see
the
internal
appearances.
I
think
by
that
keeps
you
tall
reports
that
should
be
also
yeah.
You
can
see
so
it
doesn't
use
the
42
ip
addresses.
It
will
use
directly.
C
Yeah,
like
what
we
currently
see
is
that
journey.
This
is
not
a
tour
that
you're
using
it's
more
like
a
framework
for
building
something.
So
it's
like.
We
can
build
our
own
platform
that
we
want
to
have
and
use
it
for
our
use
case.
Instead
of
that,
we
used
to
sum
products,
and
you
can
extend
it
like
you
want.
So,
like
writing
your
own
custom,
cds
and
writing
your
own
controllers
for
special
workloads
that
you
have
everything
is
in
place
for
that
out
of
the
box
mostly,
but
you
need
to
do
it
so
for.
C
D
C
Yeah
yeah,
that's
the
reason
so
because
we
are
you
can
see.
The
events
is
mostly
important
because,
when
we're
using
a
juvenile
service
like
law,
balancer,
the
controller
takes
this
service
and
asked
hetzner
to
spin
up
us
a
real
low
against
the
api.
So
a
class
ip
doesn't
do
this
at
all
it
only
it's
only
there.
So
there
are
no
events
when
we
would
probably
check
the.
A
C
Yeah
but
yeah,
that's
true
and
now
coming
to
a
big
important
point.
So
the
difference
between
the
service
load,
balancer
and
our
ingress
controller
is
a
service
level
benches
only
on
layer
four.
So
it's
only
tcp
ip.
It's
nothing
special.
But
if
you
want
to
do
an
http
request,
we're
going
in
the
aussie
layer
higher,
so
it
would
be
layer
7.
C
It
could
be
also
some
different
protocols.
It
doesn't
need
to
be
http,
but
on
that
then
we
want
to
serve
only
about,
for
example,
want
to
enter
in
url.
So
we
don't
need
to
enter
an
ip
address
and
all
the
stuff
and
that's
the
reason
why
we
have
a
low
for
after
the
lower
and
seven
ingress
controller,
mostly
so
because
we're
going
from
layer
four
to
layer,
seven
in
the
oc
model.
B
So
there
is
it's
a
one-to-one
connection
between
the
object
here
and
the
load
balancer
service
in
our
cluster
and
each
other
service
of
type
cluster
ip.
It's
also
kind
of
a
load
balancer,
but
it's
not
a
public
load.
Balancer,
it's
internal
in
the
cluster
like
behind
the
service,
could
be
several
pots.
C
D
C
C
A
A
B
All
right,
so
the
last
part
missing
now
is
the
connection
between
the
ingress
controller
and
our
new
service
right.
The
inverse
controller
is
not
aware
of
it
yet
so
we
go
back
to
our
demo
here
and
now
we
create
this
magical
ingress
object.
I
told
you
earlier
about
and
for
a
second
I
will
also
the
documentation
about
it
again.
B
C
D
B
B
And
so
now
you
have
a
few
seconds
ago.
There
was
no
address
now
there
is
an
ip
address
and
if
we
look
in
our
ingress
namespace
at
the
services
again,
so
you
can
see
that
it's
exactly
the
same
ip
address
like
our
load
balancer
service,
it's
the
public
ip
address
of
our
headset
cloud
cloud
load
manager.
B
So
this
is
here
now
because
our
ingress
controller
now
picked
up
this
ingress
resource
and
used
it
to
configure
itself
and
also
wrote
back
to
it
that
it's
exposed
with
this
ip
address.
So
earlier
I
already
configured
a
dns
entry
to
this.
So
let's
look
in
the
browser
I
think
over
here.
It's
still
no
ssl.
Yet
so
there's
a
little
interesting
hack
in
chrome.
You
can
now
type
this
is
unsafe
and
then
it
reloads
and
completely
ignores
you
know.
Let
me
try
again
and
yeah.
B
It
completely
ignores
all
the
security
features
that
are
supposed
to
block
it
from
accessing
this
page.
So
now
we
can
see
this
demo
application
that
we
have
running
in
three
different
pots
still
without
https,
and
if
we
refresh
the
page
a
few
times,
we
can
see
that
the
pod
name
here
changes
so
each
time
our
traffic
hits
the
ingress
controller,
the
ingest
controller
decides
randomly,
which
back
end
is
used.
B
B
And
let's
apply
this
again
so
now
our
ingress
was
reconfigured
and
now
what
we
can
do
is
cube.
Cdl
get
pots,
and
now
we
see
there's
a
new
pot.
This
one
was
created
by
our
assert
manager
and
we
also
have
a
new
ingress
for
a
few
seconds.
No,
because
there's
this
ingress,
which
was
created
by
site
manager,
now
third
manager
created
this
ingress,
and
now
the
ingress
controller
again
will
pick
up
this
ingress
and
configure
itself
to
serve.
A
D
D
B
B
B
B
So
the
nice
thing
now
that
we
have
this
ingress
controller
is
that
we
can
use
it
to
expose
as
many
http
websites
as
we
want.
So
all
we
need
to
do
is
create
additional
ingress.
For
example,
it
uses
a
little
bit
of
a
different
domain,
not
hello
instead
of
the
world
and
down
here
we
use
the
same
configuration
for
the
back
end,
but
if
you
have
more
complex
application
and
we
could
define-
I
don't
know-
the
admin
backend,
for
example,
is
running.
D
B
We
can,
for
example,
also
see
that
there
is
a
pending
certificate
request.
I
think
now
it's
done
yeah
now,
both
already
so,
for
example,
if
the
certificate
never
switches
to
true,
then
it
is
a
good
idea
to
check
the
certificate
request,
which
is
a
little
bit
off
yeah
under
the
hood
magic
of
third
manager.
B
It
also
has
a
valid
certificate,
and
now
we
can
do
this
with
as
many
domains
as
we
want,
and
this
is
very
nice,
because
if
we
operate
a
kubernetes
cluster
and
our
co-worker,
our
friends
want
to
publish
some
websites
in
it.
We
can
provide
them
with
one
single
inverse
controller,
which
is
all
running
behind
the
same
ip
address,
one
looper
and
software
cloud
provider,
and
then
the
ingus
controller
takes
care
of
sending
the
traffic
to
the
right,
backend
and
taking
care
of
all
the
certificates
with
sub
manager
yeah.
A
A
A
No,
it's
not
your
fault,
it's
I
think
it's
a
learning
curve.
I
think
I
didn't
understand
everything,
but
I
asked
a
lot
and
my
problem
or
my
like
blocking
point
with
kubernetes
always
was
it
was
too
much
and
I
didn't
have
time
for
10
hour
courses
or
lectures
and
I'm
learning
by
example
and
you're,
giving
me
like
the
best
examples
I
have
so
I
can
ask
you,
as
my
trainer,
my
personal
trainer,
so
I'm
very
thankful
for
for
all.
B
C
A
A
If
you
provide
me
with
the
account
you
can
just
indent
us
to
a
group
yeah,
I
can
add
you
to
a
group
and
then
you
can
like
we
are
working
on
the
gitlab
repository
or
the
github
group
and
on
the
headset
cloud
group,
and
I
think
it
should
be
should
be
fine,
and
we
can't
like
recreate
what
what
max
created
before
in
the
demo
and
yeah.
This
should
should
be
working.
If
I
haven't
done
this
by
friday,
nicholas
please
ping
me.