Kubernetes on houdeshell.devhttps://houdeshell.dev/tags/kubernetes/Recent content in Kubernetes on houdeshell.devHugo -- gohugo.ioen-us© CRHSat, 04 Apr 2026 00:00:00 +0000Software that I <span style='color:var(--accent-bright);font-size:1.3em'>❤</span>https://houdeshell.dev/software/Mon, 01 Jun 2020 00:00:00 +0000https://houdeshell.dev/software/<p>I bounce between Mac, Windows, and Linux daily — and honestly, the tools matter more than the OS at this point. Great software is great software, and I&rsquo;ve been lucky enough to build a career on top of things that other people built well.</p> <p>This is the stuff I actually reach for. Not a &ldquo;best of&rdquo; list, not sponsored, not comprehensive. Just software that makes me better at what I do — or at least makes the work more fun.</p> <style> .sw-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(280px, 1fr)); gap: 16px; margin: 1.5em 0; } .sw-card { background: var(--bg-card); border: 1px solid var(--border); border-radius: 8px; padding: 1.2em; transition: border-color 0.2s ease, box-shadow 0.2s ease; } .sw-card:hover { border-color: var(--accent); box-shadow: 0 0 16px rgba(57, 255, 110, 0.08); } .sw-card h3 { margin: 0 0 0.3em !important; font-size: 1em !important; border: none !important; padding: 0 !important; } .sw-card h3 a { text-decoration: none; } .sw-card p { margin: 0; font-size: 0.85em; color: var(--text-secondary); line-height: 1.5; } .sw-card .sw-tag { display: inline-block; font-size: 0.7em; color: var(--accent); border: 1px solid var(--accent); border-radius: 3px; padding: 1px 6px; margin-bottom: 0.5em; opacity: 0.7; } </style> <h1 id="software-development">Software Development</h1> <div class="sw-grid"> <div class="sw-card"> <span class="sw-tag">IDE</span> <h3 id="jetbrains-rider"><a href="https://www.jetbrains.com/rider/"target="_blank" rel="noopener noreferrer">JetBrains Rider</a></h3> <p>Cross-platform .NET IDE. Fast, smart, and doesn&rsquo;t need Visual Studio&rsquo;s weight to get the job done.</p> </div> <div class="sw-card"> <span class="sw-tag">IDE</span> <h3 id="visual-studio"><a href="https://visualstudio.microsoft.com/"target="_blank" rel="noopener noreferrer">Visual Studio</a></h3> <p>The OG. Heavy, but when you need the full .NET debugging experience, nothing else comes close.</p> </div> <div class="sw-card"> <span class="sw-tag">editor</span> <h3 id="vs-code"><a href="https://code.visualstudio.com/"target="_blank" rel="noopener noreferrer">VS Code</a></h3> <p>Extension ecosystem is unmatched. Somehow Electron done right.</p> </div> <div class="sw-card"> <span class="sw-tag">editor</span> <h3 id="neovim"><a href="https://neovim.io/"target="_blank" rel="noopener noreferrer">Neovim</a></h3> <p>Vim reborn. Lua config, LSP native, and a plugin ecosystem that won&rsquo;t quit. <code>:wq</code> is a lifestyle.</p> </div> <div class="sw-card"> <span class="sw-tag">AI</span> <h3 id="claude-code"><a href="https://docs.anthropic.com/en/docs/claude-code"target="_blank" rel="noopener noreferrer">Claude Code</a></h3> <p>AI pair programmer in your terminal. It&rsquo;s writing this page right now.</p> </div> <div class="sw-card"> <span class="sw-tag">version control</span> <h3 id="git"><a href="https://git-scm.com/"target="_blank" rel="noopener noreferrer">Git</a></h3> <p>The version control system that won. Love it or hate it, you can&rsquo;t ship without it.</p> </div> <div class="sw-card"> <span class="sw-tag">version control</span> <h3 id="lazygit"><a href="https://github.com/jesseduffield/lazygit"target="_blank" rel="noopener noreferrer">lazygit</a></h3> <p>Terminal UI for git that makes interactive rebases feel like cheating.</p> </div> <div class="sw-card"> <span class="sw-tag">JSON</span> <h3 id="jq"><a href="https://jqlang.github.io/jq/"target="_blank" rel="noopener noreferrer">jq</a></h3> <p><code>sed</code> for JSON. Once you learn the syntax, you&rsquo;ll pipe everything through it.</p> </div> <div class="sw-card"> <span class="sw-tag">database</span> <h3 id="jetbrains-datagrip"><a href="https://www.jetbrains.com/datagrip/"target="_blank" rel="noopener noreferrer">JetBrains DataGrip</a></h3> <p>SQL IDE that actually understands your schema. Autocomplete that works across joins.</p> </div> <div class="sw-card"> <span class="sw-tag">database</span> <h3 id="dbeaver"><a href="https://dbeaver.io/"target="_blank" rel="noopener noreferrer">DBeaver</a></h3> <p>Universal database tool that actually works. Connect to anything, query everything.</p> </div> <div class="sw-card"> <span class="sw-tag">database</span> <h3 id="ssms"><a href="https://learn.microsoft.com/en-us/sql/ssms/"target="_blank" rel="noopener noreferrer">SSMS</a></h3> <p>Microsoft SQL Management Studio. If you&rsquo;re in SQL Server land, you already know.</p> </div> <div class="sw-card"> <span class="sw-tag">database</span> <h3 id="postgresql"><a href="https://www.postgresql.org/"target="_blank" rel="noopener noreferrer">PostgreSQL</a></h3> <p>The database that keeps getting better. Extensions, JSON support, and rock-solid reliability.</p> </div> <div class="sw-card"> <span class="sw-tag">containers</span> <h3 id="docker"><a href="https://www.docker.com/"target="_blank" rel="noopener noreferrer">Docker</a></h3> <p>&ldquo;Works on my machine&rdquo; became &ldquo;works on every machine.&rdquo; Changed how we ship software.</p> </div> </div> <h1 id="infrastructure">Infrastructure</h1> <div class="sw-grid"> <div class="sw-card"> <span class="sw-tag">orchestration</span> <h3 id="kubernetes"><a href="https://kubernetes.io/"target="_blank" rel="noopener noreferrer">Kubernetes</a></h3> <p>Container orchestration that makes you mass produce YAML for a living.</p> </div> <div class="sw-card"> <span class="sw-tag">orchestration</span> <h3 id="k3s"><a href="https://k3s.io/"target="_blank" rel="noopener noreferrer">K3s</a></h3> <p>All of Kubernetes in a single binary. Perfect for homelab, edge, and production deployments.</p> </div> <div class="sw-card"> <span class="sw-tag">IaC</span> <h3 id="terraform--opentofu"><a href="https://www.terraform.io/"target="_blank" rel="noopener noreferrer">Terraform</a> / <a href="https://opentofu.org/"target="_blank" rel="noopener noreferrer">OpenTofu</a></h3> <p>Infrastructure as code. OpenTofu if you prefer the open-source fork without the license drama.</p> </div> <div class="sw-card"> <span class="sw-tag">networking</span> <h3 id="tailscale"><a href="https://tailscale.com/"target="_blank" rel="noopener noreferrer">Tailscale</a></h3> <p>WireGuard-based mesh VPN that just works. Connect everything without opening a single port.</p> </div> <div class="sw-card"> <span class="sw-tag">observability</span> <h3 id="grafana"><a href="https://grafana.com/"target="_blank" rel="noopener noreferrer">Grafana</a></h3> <p>Dashboards for everything. Pairs with Prometheus, Loki, Tempo — the whole observability stack.</p> </div> <div class="sw-card"> <span class="sw-tag">Kubernetes</span> <h3 id="k9s"><a href="https://k9scli.io/"target="_blank" rel="noopener noreferrer">k9s</a></h3> <p>Terminal UI for Kubernetes. Makes cluster management feel like a video game. Way faster than raw <code>kubectl</code>.</p> </div> <div class="sw-card"> <span class="sw-tag">Kubernetes</span> <h3 id="lens"><a href="https://k8slens.dev/"target="_blank" rel="noopener noreferrer">Lens</a></h3> <p>The Kubernetes IDE. When you want to point and click your way through a cluster without shame.</p> </div> <div class="sw-card"> <span class="sw-tag">it's complicated</span> <h3 id="cloudflare"><a href="https://www.cloudflare.com/"target="_blank" rel="noopener noreferrer">Cloudflare</a></h3> <p>You love them. You hate them. Your DNS is already there. Their edge network is everywhere, their pricing is unbeatable, and their product sprawl is terrifying. Stockholm syndrome as a service.</p> </div> </div> <h1 id="shell--terminal">Shell &amp; Terminal</h1> <div class="sw-grid"> <div class="sw-card"> <span class="sw-tag">shell</span> <h3 id="bash"><a href="https://www.gnu.org/software/bash/"target="_blank" rel="noopener noreferrer">Bash</a></h3> <p>The shell that&rsquo;s been there since before you were born. Simple, portable, everywhere.</p> </div> <div class="sw-card"> <span class="sw-tag">shell</span> <h3 id="zsh"><a href="https://www.zsh.org/"target="_blank" rel="noopener noreferrer">Zsh</a></h3> <p>Bash&rsquo;s cooler sibling. Tab completion, globbing, and plugin support that actually makes the terminal enjoyable.</p> </div> <div class="sw-card"> <span class="sw-tag">prompt</span> <h3 id="starship"><a href="https://github.com/starship/starship"target="_blank" rel="noopener noreferrer">Starship</a></h3> <p>Cross-shell prompt written in Rust. Fast, pretty, and infinitely configurable.</p> </div> <div class="sw-card"> <span class="sw-tag">multiplexer</span> <h3 id="tmux"><a href="https://github.com/tmux/tmux"target="_blank" rel="noopener noreferrer">tmux</a></h3> <p>Terminal multiplexer. SSH into a box, detach, come back tomorrow. Your session is still there.</p> </div> <div class="sw-card"> <span class="sw-tag">coreutils</span> <h3 id="eza"><a href="https://github.com/eza-community/eza"target="_blank" rel="noopener noreferrer">eza</a></h3> <p>Modern replacement for <code>ls</code>. Colors, git status, and tree view out of the box. Written in Rust, obviously.</p> </div> </div> <h1 id="utilities--apps">Utilities / Apps</h1> <div class="sw-grid"> <div class="sw-card"> <span class="sw-tag">macOS</span> <h3 id="alttab"><a href="https://alt-tab-macos.netlify.app/"target="_blank" rel="noopener noreferrer">AltTab</a></h3> <p>Why does macOS think a minimized window is an inactive window and not let you switch to it? This fixes that.</p> </div> </div>Abouthttps://houdeshell.dev/about/Sat, 11 Apr 2020 00:00:00 +0000https://houdeshell.dev/about/<div class="hero-card" style="margin-bottom:2em"> <div class="hero-accent"></div> <div class="hero-content"> <p class="hero-greeting">whoami</p> <p class="hero-name">Chris <span class="hero-hl">Houdeshell</span></p> <p class="hero-tagline">bit herder. pointer wrecker. yaml apologist.</p> <div class="hero-divider"></div> <p class="hero-currently"><span class="hero-label">stack:</span> dotnet, postgres, k8s, azure, too-much-sql</p> <p class="hero-currently"><span class="hero-label">location:</span> State College, PA</p> <p class="hero-currently"><span class="hero-label">coffee intake:</span> dangerously high</p> <div class="hero-links"> <a href="https://github.com/choudeshell">github</a> <span class="hero-sep">/</span> <a href="https://www.linkedin.com/in/choudeshell/">linkedin</a> <span class="hero-sep">/</span> <a href="https://sessionize.com/choudeshell/">talks</a> <span class="hero-sep">/</span> <a href="mailto:chris@houdeshell.dev">email</a> </div> </div> </div> <p>I&rsquo;m a bit herder, a pointer wrecker, and HTTP is my best friend. <code>0xA3</code> &amp; <code>0x7C</code> are also my friends, but not <code>0x08</code>.</p> <p>I spend my days somewhere between writing code and making sure other people can write better code. I love distributed systems, low-level embedded devices, and anything that has a <code>content-type</code>. I also have an unhealthy relationship with YAML, but that&rsquo;s a Kubernetes problem.</p> <h2 id="the-day-job">The day job</h2> <p>During the day, I lead engineering and operations at <a href="https://www.energycap.com"target="_blank" rel="noopener noreferrer">EnergyCAP</a> — a SaaS platform that helps organizations track utility spend, energy consumption, and sustainability goals across massive building portfolios. We&rsquo;re talking <strong>$100B+ in utility bill spend</strong> tracked across <strong>350,000+ sites</strong>. Government, education, healthcare, commercial real estate — if it has a meter, we probably manage it.</p> <p>I started here as a developer in 2009 and have been building ever since — through senior roles, into leadership, and eventually into the VP seat where I get to shape both the tech and the teams behind it. Some days that means architecture decisions. Most days it means removing blockers so smart people can do their best work. And yes, sometimes it&rsquo;s just meetings about meetings.</p> <p>My philosophy is simple: <strong>technology should serve people</strong>. Build teams where people feel safe to be wrong, give them the tools to be great, and get out of the way.</p> <div class="about-section"> <h3 id="things-i-geek-out-about">Things I geek out about</h3> <p>Distributed systems, container orchestration, database performance tuning, developer tooling, process dumps, leadership that doesn&rsquo;t suck, making engineers&rsquo; lives better, and the eternal quest for a perfect terminal setup.</p> </div> <h2 id="i-also-talk-at-things">I also talk at things</h2> <p>I like getting on stage and nerding out about the things I&rsquo;ve learned the hard way. My talks tend to fall into a few buckets — and yes, I have strong opinions about all of them.</p> <h3 id="ai--the-developer-experience">AI &amp; the developer experience</h3> <p>The AI wave hit and I leaned in. I&rsquo;ve talked about using LLMs as debugging partners, building RAG pipelines that actually know your business context, and the ethical lines we should be drawing as we hand more work to machines.</p> <ul class="talk-list"> <li>My Rubber Duck is a Large Language Model</li> <li>Unleashing the Power of the AI Wizards: Retrieval-Augmented Generation Spells</li> </ul> <h3 id="kubernetes--cloud-native">Kubernetes &amp; cloud native</h3> <p>I was late to the Kubernetes party — and I&rsquo;ll tell you all about it. From lightweight K3s workshops to navigating the 900+ services in the CNCF landscape, to making the case that cloud-native principles work even when you&rsquo;re not in the cloud.</p> <ul class="talk-list"> <li>Kubernetes Chronicles: Late to the Party, Big on Adventure!</li> <li>K3s — Half the Size, Twice as Awesome (workshop)</li> <li>Orchestrating Machine Learning Workloads with Kubernetes</li> <li>Exploring the Cloud Native Landscape</li> <li>Cloud Native is Only for the Cloud, Right?</li> <li>Nomad — Orchestration Doesn't Start with a K</li> </ul> <h3 id="performance--databases">Performance &amp; databases</h3> <p>I&rsquo;ve spent an unreasonable amount of time staring at query plans. These talks cover squeezing performance out of SQL Server, using DMVs like cheat codes, and that one time we took a 10-hour process down to 10 minutes.</p> <ul class="talk-list"> <li>ReArchitecting Data: 10 Hours to 10 Minutes</li> <li>Mastering SQL Server Performance Optimization (workshop)</li> <li>SQL Server DMVs That Give Me Superpowers</li> <li>Achieving Continuous High Performance with Query Store</li> <li>Practical High Performance: C# Edition</li> <li>Intrinsics in .NET: Start Somewhere</li> </ul> <h3 id="production-war-stories--leadership">Production war stories &amp; leadership</h3> <p>Production breaks. Systems fail. The interesting part is what you do next. I also talk about the human side — what I&rsquo;ve learned (and gotten wrong) leading engineering teams.</p> <ul class="talk-list"> <li>Bug Squashing with Process Dumps</li> <li>Recovery by Design: A Postmortem Adventure</li> <li>Joining the Cloud: Our Journey</li> <li>TIL as a CTO</li> </ul> <h3 id="the-wildcard">The wildcard</h3> <p>Sometimes you just want to build something fun with your hands.</p> <ul class="talk-list"> <li>Paper Circuits: Origami for a New Generation</li> </ul> <h2 id="lets-talk">Let&rsquo;s talk</h2> <p>I drink a bit too much coffee while rambling on about technology. If you&rsquo;re willing to have a conversation — I&rsquo;m ready to buy you a cup.</p> <div class="about-terminal"> <span class="prompt">~</span> <span class="cmd">echo $CONTACT</span><br> <span class="output"> email: <a href="mailto:chris@houdeshell.dev">chris@houdeshell.dev</a><br> github: <a href="https://github.com/choudeshell">choudeshell</a><br> linkedin: <a href="https://www.linkedin.com/in/choudeshell/">choudeshell</a><br> twitter: <a href="https://twitter.com/choudeshell">@choudeshell</a><br> </span> </div>Kubernetes for Cloud Engineers: Automating TLS with cert-managerhttps://houdeshell.dev/post/2026-04-04_k8s-cert-manager/k8s-cert-manager/Sat, 04 Apr 2026 00:00:00 +0000https://houdeshell.dev/post/2026-04-04_k8s-cert-manager/k8s-cert-manager/<p><em>This is part two of a series for new operations and cloud engineers getting into Kubernetes. In <a href="https://houdeshell.dev/post/2026-04-04_k8s-tls-default-cert/k8s-tls-default-cert/">part one</a> we covered how to set default TLS certificates on your ingress controllers. That works, but it means you&rsquo;re managing certs by hand. Let&rsquo;s fix that.</em></p> <hr> <h2 id="why-cert-manager">Why cert-manager?</h2> <p>In the last post, we created TLS secrets manually. That&rsquo;s fine for getting started. It&rsquo;s not fine for production. Certificates expire. People forget to renew them. And then you&rsquo;re getting paged at 3am because your site is serving a browser warning.</p> <p><a href="https://cert-manager.io/"target="_blank" rel="noopener noreferrer">cert-manager</a> is a Kubernetes-native certificate management controller. It watches your cluster for resources that need certificates, talks to a Certificate Authority (usually Let&rsquo;s Encrypt), handles the challenge/response dance, stores the resulting cert as a Kubernetes secret, and renews it before it expires. All automatically. You configure it once and move on with your life.</p> <p>It&rsquo;s one of those tools that, once installed, you forget it&rsquo;s there. That&rsquo;s the highest compliment I can give infrastructure software.</p> <h2 id="installing-cert-manager">Installing cert-manager</h2> <p>Two options. Pick whichever matches your deployment style.</p> <h3 id="option-1-helm-recommended">Option 1: Helm (recommended)</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm install cert-manager oci://quay.io/jetstack/charts/cert-manager <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --version v1.20.0 <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --namespace cert-manager <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --create-namespace <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --set crds.enabled<span class="o">=</span><span class="nb">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># NAME: cert-manager</span> </span></span><span class="line"><span class="cl"><span class="c1"># NAMESPACE: cert-manager</span> </span></span><span class="line"><span class="cl"><span class="c1"># STATUS: deployed</span> </span></span></code></pre></div><h3 id="option-2-static-manifests">Option 2: Static manifests</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.20.0/cert-manager.yaml </span></span></code></pre></div><p>Both methods install the same thing: the cert-manager controller, webhook, cainjector, and six CRDs. Those CRDs are the building blocks you&rsquo;ll use for everything else.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Verify everything is running</span> </span></span><span class="line"><span class="cl">kubectl get pods -n cert-manager </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># NAME READY STATUS</span> </span></span><span class="line"><span class="cl"><span class="c1"># cert-manager-5c4b5f7b9-xk2lq 1/1 Running</span> </span></span><span class="line"><span class="cl"><span class="c1"># cert-manager-cainjector-7f694c-m8p 1/1 Running</span> </span></span><span class="line"><span class="cl"><span class="c1"># cert-manager-webhook-7cd8c8-9tn2f 1/1 Running</span> </span></span></code></pre></div><p>Three pods running. That&rsquo;s what you want to see.</p> <h2 id="issuers-telling-cert-manager-where-to-get-certificates">Issuers: telling cert-manager where to get certificates</h2> <p>cert-manager doesn&rsquo;t know anything about Let&rsquo;s Encrypt out of the box. You need to tell it where to go and how to prove you own your domains. That&rsquo;s what Issuers do.</p> <p>There are two flavors:</p> <ul> <li><strong>Issuer</strong> is namespace-scoped. It can only issue certs for resources in the same namespace.</li> <li><strong>ClusterIssuer</strong> is cluster-scoped. It works across all namespaces.</li> </ul> <p>For most setups, you want a ClusterIssuer. One config, whole cluster. If you have teams that need isolated certificate management per namespace, use an Issuer. But start simple.</p> <h2 id="staging-first-always">Staging first. Always.</h2> <p>Let&rsquo;s Encrypt has two environments: staging and production. They work identically, but staging issues certificates signed by a fake CA that browsers don&rsquo;t trust. The certificates themselves are structurally real. They just won&rsquo;t show a green lock.</p> <p>Why does this matter? Because Let&rsquo;s Encrypt production has <a href="https://letsencrypt.org/docs/rate-limits/"target="_blank" rel="noopener noreferrer">rate limits</a>. Tight ones. 50 certificates per registered domain per week. 5 duplicate certificates per week. If you mess up your config and keep retrying, you can lock yourself out for days.</p> <p>Staging has much more generous limits. So you should always get your pipeline working against staging first, then switch to production once you know everything is wired up correctly.</p> <h3 id="create-a-staging-clusterissuer">Create a staging ClusterIssuer</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># staging-issuer.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">cert-manager.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterIssuer</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">letsencrypt-staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">acme</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="l">https://acme-staging-v02.api.letsencrypt.org/directory</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">email</span><span class="p">:</span><span class="w"> </span><span class="l">you@example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">privateKeySecretRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">letsencrypt-staging-account-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">solvers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">http01</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ingress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ingressClassName</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl apply -f staging-issuer.yaml </span></span><span class="line"><span class="cl"><span class="c1"># clusterissuer.cert-manager.io/letsencrypt-staging created</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Check that it registered successfully</span> </span></span><span class="line"><span class="cl">kubectl get clusterissuer letsencrypt-staging </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># NAME READY AGE</span> </span></span><span class="line"><span class="cl"><span class="c1"># letsencrypt-staging True 30s</span> </span></span></code></pre></div><p><code>READY: True</code> means cert-manager registered an account with Let&rsquo;s Encrypt staging. If you see <code>False</code>, run <code>kubectl describe clusterissuer letsencrypt-staging</code> and read the events.</p> <h3 id="create-the-production-clusterissuer">Create the production ClusterIssuer</h3> <p>Same thing, different ACME server URL:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># production-issuer.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">cert-manager.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterIssuer</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">letsencrypt-prod</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">acme</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="l">https://acme-v02.api.letsencrypt.org/directory</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">email</span><span class="p">:</span><span class="w"> </span><span class="l">you@example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">privateKeySecretRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">letsencrypt-prod-account-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">solvers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">http01</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ingress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ingressClassName</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span></code></pre></div><p>Use separate <code>privateKeySecretRef</code> names for staging and production. The ACME accounts are completely independent. You can&rsquo;t reuse keys between environments.</p> <h2 id="http-01-vs-dns-01-how-you-prove-domain-ownership">HTTP-01 vs DNS-01: how you prove domain ownership</h2> <p>When you request a certificate, Let&rsquo;s Encrypt needs proof that you actually own the domain. There are two ways to do this, and which one you pick depends on your setup.</p> <h3 id="http-01">HTTP-01</h3> <p>Let&rsquo;s Encrypt sends an HTTP request to <code>http://yourdomain.com/.well-known/acme-challenge/&lt;token&gt;</code>. cert-manager spins up a temporary pod and Ingress (or HTTPRoute) to serve the response. Once validated, the temp resources get cleaned up.</p> <p>This is the simpler option. It works if:</p> <ul> <li>Port 80 is publicly reachable on your cluster</li> <li>You don&rsquo;t need wildcard certificates</li> </ul> <p>It does not work if:</p> <ul> <li>You&rsquo;re behind a firewall with no public HTTP access</li> <li>You need <code>*.example.com</code> certs</li> </ul> <h3 id="dns-01">DNS-01</h3> <p>Instead of an HTTP request, Let&rsquo;s Encrypt checks for a specific TXT record at <code>_acme-challenge.yourdomain.com</code>. cert-manager talks to your DNS provider&rsquo;s API to create and clean up the record.</p> <p>This is the only way to get wildcard certificates. It&rsquo;s also the right choice for internal domains that aren&rsquo;t publicly accessible. The tradeoff is more setup. You need to give cert-manager API credentials for your DNS provider, and DNS propagation delays can slow things down.</p> <p><strong>Built-in DNS providers:</strong> Cloudflare, Route53, Google Cloud DNS, Azure DNS, DigitalOcean, Akamai, ACMEDNS, and RFC-2136. There are webhook extensions for 30+ more.</p> <h2 id="wiring-it-up-with-ingress">Wiring it up with Ingress</h2> <p>If you&rsquo;re using the traditional Ingress API, cert-manager makes this really clean. Add an annotation to your Ingress resource, include a <code>tls</code> block, and cert-manager handles the rest.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># my-app-ingress.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-app</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cert-manager.io/cluster-issuer</span><span class="p">:</span><span class="w"> </span><span class="l">letsencrypt-staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ingressClassName</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="l">app.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">http</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">pathType</span><span class="p">:</span><span class="w"> </span><span class="l">Prefix</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">backend</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-app</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">number</span><span class="p">:</span><span class="w"> </span><span class="m">80</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tls</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">hosts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">app.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretName</span><span class="p">:</span><span class="w"> </span><span class="l">app-example-com-tls</span><span class="w"> </span></span></span></code></pre></div><p>That&rsquo;s it. cert-manager sees the annotation, reads the <code>tls</code> block, creates a Certificate resource, kicks off the ACME challenge, and stores the signed certificate in the <code>app-example-com-tls</code> secret. Your ingress controller picks up the secret and starts serving HTTPS.</p> <p>When the cert is 30 days from expiration, cert-manager renews it automatically.</p> <div class="k8s-callout"> <p><strong>Staging first, remember.</strong> Point the annotation at <code>letsencrypt-staging</code> until you see a valid (but untrusted) cert in your browser. Then swap it to <code>letsencrypt-prod</code>. You&rsquo;ll need to delete the old secret so cert-manager issues a fresh one from production.</p> </div> <p>Use <code>cert-manager.io/cluster-issuer</code> for ClusterIssuers and <code>cert-manager.io/issuer</code> for namespace-scoped Issuers. Mix them up and nothing will happen. No error, no cert. Just silence. Ask me how I know.</p> <h2 id="wiring-it-up-with-gateway-api">Wiring it up with Gateway API</h2> <p>If you followed the first post in this series, you know Gateway API is where things are heading. cert-manager supports it, but it needs a little extra configuration.</p> <h3 id="enable-gateway-api-support">Enable Gateway API support</h3> <p>Gateway API support is not on by default. You need to opt in.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm upgrade --install cert-manager oci://quay.io/jetstack/charts/cert-manager <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --namespace cert-manager <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --set crds.enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --set config.enableGatewayAPI<span class="o">=</span><span class="nb">true</span> </span></span></code></pre></div><p>Make sure the Gateway API CRDs are installed in your cluster too:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl apply --server-side <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.1/standard-install.yaml </span></span></code></pre></div><p>If you installed the CRDs after cert-manager was already running, restart it so it picks them up:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl rollout restart deployment cert-manager -n cert-manager </span></span></code></pre></div><h3 id="annotate-your-gateway">Annotate your Gateway</h3> <p>The pattern is similar to Ingress. Add the annotation, reference a secret in the listener&rsquo;s <code>certificateRefs</code>, and cert-manager fills in the rest.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># gateway.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">gateway.networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cert-manager.io/cluster-issuer</span><span class="p">:</span><span class="w"> </span><span class="l">letsencrypt-prod</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">gatewayClassName</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">listeners</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">https</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l">app.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">443</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">HTTPS</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tls</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">mode</span><span class="p">:</span><span class="w"> </span><span class="l">Terminate</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">certificateRefs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">app-example-com-tls</span><span class="w"> </span></span></span></code></pre></div><p>cert-manager sees the annotation and the listener config, creates a Certificate for <code>app.example.com</code>, and stores the result in the <code>app-example-com-tls</code> secret. The Gateway picks it up and starts terminating TLS.</p> <p>Three things must be true for cert-manager to act on a Gateway listener:</p> <ol> <li>The <code>hostname</code> is not empty</li> <li>The TLS <code>mode</code> is <code>Terminate</code> (not <code>Passthrough</code>)</li> <li>There&rsquo;s at least one entry in <code>certificateRefs</code></li> </ol> <p>Miss any of those and cert-manager quietly ignores the listener.</p> <h2 id="wildcard-certificates-with-dns-01">Wildcard certificates with DNS-01</h2> <p>This is where DNS-01 earns its keep. Let&rsquo;s say you want a single cert that covers <code>*.example.com</code> so every subdomain is automatically secured. HTTP-01 can&rsquo;t do this. Only DNS-01 can.</p> <p>I&rsquo;ll use Cloudflare as the DNS provider since it&rsquo;s common (and because I have a love/hate relationship with them that we&rsquo;ve already discussed on the <a href="https://houdeshell.dev/software/">software page</a>).</p> <h3 id="step-1-create-a-cloudflare-api-token">Step 1: Create a Cloudflare API token</h3> <p>In the Cloudflare dashboard, create an API token with these permissions:</p> <ul> <li><strong>Zone / DNS / Edit</strong></li> <li><strong>Zone / Zone / Read</strong></li> </ul> <p>Scope it to the zone you need. Don&rsquo;t use a global API key if you can avoid it.</p> <h3 id="step-2-store-the-token-in-your-cluster">Step 2: Store the token in your cluster</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># The secret MUST be in the cert-manager namespace for ClusterIssuers</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cloudflare-api-token</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">cert-manager</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">Opaque</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">stringData</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">api-token</span><span class="p">:</span><span class="w"> </span><span class="l">your-cloudflare-api-token-here</span><span class="w"> </span></span></span></code></pre></div><p>That namespace bit is important. When you use a ClusterIssuer, cert-manager looks for referenced secrets in the namespace where cert-manager itself is installed. Not the namespace of your Certificate. Not the namespace of your app. The cert-manager namespace. This trips up everyone at least once.</p> <h3 id="step-3-create-a-dns-01-clusterissuer">Step 3: Create a DNS-01 ClusterIssuer</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># dns-issuer.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">cert-manager.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterIssuer</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">letsencrypt-prod-dns</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">acme</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="l">https://acme-v02.api.letsencrypt.org/directory</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">email</span><span class="p">:</span><span class="w"> </span><span class="l">you@example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">privateKeySecretRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">letsencrypt-prod-dns-account-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">solvers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">dns01</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cloudflare</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">apiTokenSecretRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cloudflare-api-token</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">api-token</span><span class="w"> </span></span></span></code></pre></div><h3 id="step-4-request-the-wildcard-cert">Step 4: Request the wildcard cert</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># wildcard-cert.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">cert-manager.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Certificate</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">wildcard-example-com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretName</span><span class="p">:</span><span class="w"> </span><span class="l">wildcard-example-com-tls</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">issuerRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">letsencrypt-prod-dns</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterIssuer</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dnsNames</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*.example.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">example.com</span><span class="w"> </span></span></span></code></pre></div><p>Include both <code>*.example.com</code> and <code>example.com</code> in the <code>dnsNames</code>. The wildcard only covers subdomains, not the bare domain itself.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl apply -f wildcard-cert.yaml </span></span><span class="line"><span class="cl"><span class="c1"># certificate.cert-manager.io/wildcard-example-com created</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Watch it work</span> </span></span><span class="line"><span class="cl">kubectl get certificate wildcard-example-com -w </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># NAME READY SECRET AGE</span> </span></span><span class="line"><span class="cl"><span class="c1"># wildcard-example-com False wildcard-example-com-tls 5s</span> </span></span><span class="line"><span class="cl"><span class="c1"># wildcard-example-com True wildcard-example-com-tls 47s</span> </span></span></code></pre></div><p>DNS-01 is slower than HTTP-01 because of DNS propagation. Give it a minute or two. If it takes more than five minutes, start troubleshooting (see below).</p> <h2 id="when-things-go-wrong">When things go wrong</h2> <p>They will. Here&rsquo;s how to figure out what happened.</p> <p>cert-manager has a chain of resources that it creates when processing a certificate request. Follow the chain from top to bottom:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 1. Is the Certificate ready?</span> </span></span><span class="line"><span class="cl">kubectl get certificates -A </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2. What does the CertificateRequest say?</span> </span></span><span class="line"><span class="cl">kubectl get certificaterequest -A </span></span><span class="line"><span class="cl">kubectl describe certificaterequest &lt;name&gt; -n &lt;namespace&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 3. Is the Issuer healthy?</span> </span></span><span class="line"><span class="cl">kubectl get clusterissuer </span></span><span class="line"><span class="cl">kubectl describe clusterissuer &lt;name&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 4. For Let&#39;s Encrypt: check the ACME Order and Challenge</span> </span></span><span class="line"><span class="cl">kubectl get orders -A </span></span><span class="line"><span class="cl">kubectl get challenges -A </span></span><span class="line"><span class="cl">kubectl describe challenge &lt;name&gt; -n &lt;namespace&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 5. Check the cert-manager logs</span> </span></span><span class="line"><span class="cl">kubectl logs -n cert-manager deployment/cert-manager --tail<span class="o">=</span><span class="m">100</span> </span></span></code></pre></div><p>Most problems fall into a handful of categories:</p> <p><strong>Challenge not reachable (HTTP-01).</strong> Port 80 isn&rsquo;t open, or the temporary solver Ingress isn&rsquo;t being picked up by your controller. Check that <code>ingressClassName</code> in your solver config matches your actual ingress controller.</p> <p><strong>DNS propagation timeout (DNS-01).</strong> The TXT record was created but Let&rsquo;s Encrypt can&rsquo;t see it yet. If your cluster&rsquo;s DNS resolver is slow, you can point cert-manager at public resolvers:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm upgrade cert-manager oci://quay.io/jetstack/charts/cert-manager <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --namespace cert-manager <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --set <span class="s1">&#39;extraArgs={--dns01-recursive-nameservers-only,--dns01-recursive-nameservers=1.1.1.1:53\,9.9.9.9:53}&#39;</span> </span></span></code></pre></div><p><strong>Secret in the wrong namespace.</strong> The number one DNS-01 headache. ClusterIssuers look for API token secrets in the cert-manager namespace. Not your app namespace. Not default.</p> <p><strong>Rate limited.</strong> You hit Let&rsquo;s Encrypt production limits. Switch back to staging, wait for the rate limit window to pass (usually 7 days), fix whatever caused the excessive requests, and try again.</p> <p><strong>Issuer not ready.</strong> <code>kubectl describe clusterissuer</code> will tell you why. Usually it&rsquo;s a bad email address, an unreachable ACME server, or a malformed <code>privateKeySecretRef</code>.</p> <p><strong>Nothing happens at all.</strong> Check the annotation name. <code>cert-manager.io/cluster-issuer</code> is not the same as <code>cert-manager.io/issuer</code>. Using the wrong one for your Issuer type produces zero errors and zero certificates. It&rsquo;s the most frustrating failure mode because there&rsquo;s nothing in the logs.</p> <h2 id="a-note-on-certificate-lifetimes">A note on certificate lifetimes</h2> <p>Let&rsquo;s Encrypt has been shortening certificate lifetimes. They started at 90 days, moved to 64, and are now pushing toward 45-day certificates. This doesn&rsquo;t matter much if you&rsquo;re using cert-manager because it handles renewal automatically (default is 30 days before expiration). But it does mean that if cert-manager breaks and you don&rsquo;t notice, you have less runway before things go red.</p> <p>Monitor your certificates. At minimum, set up an alert on cert-manager pod health. Ideally, also alert on certificates that haven&rsquo;t renewed within their expected window.</p> <h2 id="wrapping-up">Wrapping up</h2> <p>Here&rsquo;s the workflow once everything is configured:</p> <ol> <li>Deploy an Ingress or Gateway with the cert-manager annotation</li> <li>cert-manager creates a Certificate resource</li> <li>cert-manager talks to Let&rsquo;s Encrypt, completes the challenge</li> <li>The signed certificate lands in a Kubernetes secret</li> <li>Your ingress controller or gateway picks it up</li> <li>cert-manager renews it before expiration</li> </ol> <p>No cron jobs. No manual <code>certbot renew</code>. No calendar reminders. Just certificates that work.</p> <p>If you&rsquo;re running through this series from the beginning, you now have default TLS certs on your ingress controllers and automated certificate management with Let&rsquo;s Encrypt. That&rsquo;s a solid foundation.</p> <p>Next up in this series: <strong>DNS automation with external-dns.</strong> Because if cert-manager removes the manual work from certificates, external-dns does the same thing for DNS records.</p>Kubernetes for Cloud Engineers: Default TLS Certificateshttps://houdeshell.dev/post/2026-04-04_k8s-tls-default-cert/k8s-tls-default-cert/Sat, 04 Apr 2026 00:00:00 +0000https://houdeshell.dev/post/2026-04-04_k8s-tls-default-cert/k8s-tls-default-cert/<p><em>This is the first post in a series for new operations and cloud engineers getting started with Kubernetes. Whether you&rsquo;re running K3s on a Raspberry Pi, EKS in AWS, AKS in Azure, or anything in between — the concepts are the same. Let&rsquo;s get into it.</em></p> <hr> <h2 id="the-problem">The problem</h2> <p>You&rsquo;ve got a Kubernetes cluster. You&rsquo;ve got an ingress controller routing traffic. You hit your app over HTTPS and&hellip; you get a browser warning about an untrusted self-signed certificate. Or worse, you&rsquo;ve got ten services and you&rsquo;re copy-pasting the same TLS secret into every single Ingress resource.</p> <p>The fix: <strong>set a default TLS certificate</strong> on your ingress controller. One cert to rule them all. Any request that doesn&rsquo;t match a more specific TLS config falls back to this default. Clean, simple, done.</p> <p>Every controller does this slightly differently. Let&rsquo;s walk through each one.</p> <hr> <h2 id="first--create-your-tls-secret">First — create your TLS secret</h2> <p>This part is the same regardless of which controller you&rsquo;re running. You need a Kubernetes TLS secret containing your certificate and private key.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Create the TLS secret from your cert and key files</span> </span></span><span class="line"><span class="cl">kubectl create secret tls default-tls <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --cert<span class="o">=</span>tls.crt <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --key<span class="o">=</span>tls.key <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -n default </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># secret/default-tls created</span> </span></span></code></pre></div><p>Your cert file should contain the full chain: leaf → intermediate → root. If you&rsquo;re using cert-manager or Let&rsquo;s Encrypt, this is handled for you. If you&rsquo;re doing it by hand — get the order right or you&rsquo;ll be debugging trust chain errors at 2am.</p> <hr> <h2 id="ingress-controllers-legacy-ingress-api">Ingress Controllers (Legacy Ingress API)</h2> <div class="k8s-callout warning"> <p><strong>Heads up: Ingress NGINX is retired.</strong> The <code>kubernetes/ingress-nginx</code> project — the one most of us grew up on — officially reached end-of-life on <strong>March 24, 2026</strong>. The repository is now read-only. No more releases, no bug fixes, <strong>no security patches</strong>. Your existing deployments won&rsquo;t break overnight, but you&rsquo;re flying without a safety net.</p> <p>The Kubernetes Steering Committee and Security Response Committee issued a <a href="https://kubernetes.io/blog/2026/01/29/ingress-nginx-statement/"target="_blank" rel="noopener noreferrer">joint statement</a> in January 2026 urging migration. The recommended path forward is <strong>Gateway API</strong>, which has been GA since October 2023 and now has 20+ conformant implementations.</p> <p>If you&rsquo;re starting fresh — skip to the <a href="#gateway-api">Gateway API section</a> below. If you&rsquo;re migrating, check out <code>ingress2gateway</code> — the official migration tool that now supports 30+ annotation conversions.</p> <p><strong>Note:</strong> NGINX Inc.&rsquo;s commercial ingress controller (F5/NGINX) is a completely separate codebase and remains actively maintained. Don&rsquo;t confuse the two.</p> </div> <h3 id="ingress-nginx-kubernetesingress-nginx">Ingress NGINX (kubernetes/ingress-nginx)</h3> <p>Even though it&rsquo;s retired, you&rsquo;ll encounter this in the wild for a while. The default cert is set via a controller argument.</p> <p><strong>With Helm:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># values.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">controller</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">extraArgs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default-ssl-certificate</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;default/default-tls&#34;</span><span class="w"> </span></span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm upgrade ingress-nginx ingress-nginx/ingress-nginx <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -f values.yaml <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -n ingress-nginx </span></span></code></pre></div><p><strong>Without Helm</strong> — patch the controller deployment directly:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Add to the container args in the ingress-nginx-controller Deployment</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">controller</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">args</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/nginx-ingress-controller</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- --<span class="l">default-ssl-certificate=default/default-tls</span><span class="w"> </span></span></span></code></pre></div><p>The format is <code>namespace/secret-name</code>. Without this flag, NGINX generates a self-signed certificate for the catch-all server — that&rsquo;s the browser warning you&rsquo;re seeing.</p> <p><strong>Gotcha:</strong> If your Ingress resource has a <code>tls:</code> section but no <code>secretName</code>, NGINX uses this default cert and forces an HTTPS redirect. If the <code>tls:</code> section is missing entirely, it still serves the default cert but does <em>not</em> redirect. Use <code>force-ssl-redirect: &quot;true&quot;</code> in the ConfigMap if you want to enforce HTTPS everywhere.</p> <hr> <h3 id="haproxy-ingress">HAProxy Ingress</h3> <p>There are two HAProxy ingress projects — the community <a href="https://haproxy-ingress.github.io/"target="_blank" rel="noopener noreferrer">haproxy-ingress</a> and the one from <a href="https://github.com/haproxytech/kubernetes-ingress"target="_blank" rel="noopener noreferrer">HAProxy Technologies</a>. Both support the same flag pattern.</p> <p><strong>With Helm (HAProxy Technologies):</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># values.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">controller</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">defaultTLSSecret</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretNamespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secret</span><span class="p">:</span><span class="w"> </span><span class="l">default-tls</span><span class="w"> </span></span></span></code></pre></div><p><strong>With controller args (both projects):</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">--default-ssl-certificate=default/default-tls </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm upgrade haproxy-ingress haproxytech/kubernetes-ingress <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --set controller.defaultTLSSecret.secretNamespace<span class="o">=</span>default <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --set controller.defaultTLSSecret.secret<span class="o">=</span>default-tls <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -n haproxy-ingress </span></span></code></pre></div><p>Without a default cert configured, both HAProxy implementations generate a self-signed fake certificate — same story as NGINX.</p> <p><strong>Note:</strong> HAProxy Technologies controller v1.11+ automatically enables QUIC (HTTP/3) when you set a default TLS cert. If you don&rsquo;t want that yet, add <code>--disable-quic</code>.</p> <hr> <h3 id="istio-ingress-gateway">Istio Ingress Gateway</h3> <p>Istio doesn&rsquo;t use the Kubernetes Ingress API at all. It has its own <code>Gateway</code> CRD (not the same as Gateway API — I know, the naming is painful).</p> <p><strong>Important:</strong> The TLS secret <strong>must live in the same namespace as the Istio ingress gateway pod</strong> — typically <code>istio-system</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl create secret tls default-tls <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --cert<span class="o">=</span>tls.crt <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --key<span class="o">=</span>tls.key <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -n istio-system </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># secret/default-tls created</span> </span></span></code></pre></div><p>Then create the Gateway resource:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># istio-gateway.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.istio.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">istio</span><span class="p">:</span><span class="w"> </span><span class="l">ingressgateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">servers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">port</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">number</span><span class="p">:</span><span class="w"> </span><span class="m">443</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">https</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">HTTPS</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tls</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">mode</span><span class="p">:</span><span class="w"> </span><span class="l">SIMPLE</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">credentialName</span><span class="p">:</span><span class="w"> </span><span class="l">default-tls</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hosts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*.example.com&#34;</span><span class="w"> </span></span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl apply -f istio-gateway.yaml </span></span><span class="line"><span class="cl"><span class="c1"># gateway.networking.istio.io/default-gateway created</span> </span></span></code></pre></div><p><strong>Gotchas:</strong></p> <ul> <li><code>credentialName</code> must exactly match the Kubernetes secret name. No <code>namespace/name</code> format here — it just looks in its own namespace.</li> <li>Istio doesn&rsquo;t have a single &ldquo;default certificate&rdquo; concept. You configure TLS per-server block on the Gateway. To make it act as a default, use a wildcard host like <code>*.example.com</code>.</li> <li>Wrong namespace is the #1 debugging headache. If TLS isn&rsquo;t working, check the secret namespace first.</li> </ul> <hr> <h2 id="gateway-api">Gateway API</h2> <p>Gateway API is the future. It&rsquo;s the Kubernetes-native standard from SIG-Network, GA since October 2023, and every major ingress controller is building an implementation. If you&rsquo;re starting fresh — start here.</p> <p>The big difference: there&rsquo;s no <code>--default-ssl-certificate</code> flag. TLS is configured <strong>declaratively</strong> on the Gateway resource itself, per-listener. Each HTTPS listener explicitly references a certificate via <code>certificateRefs</code>.</p> <h3 id="nginx-gateway-fabric">NGINX Gateway Fabric</h3> <p>NGINX Gateway Fabric is NGINX&rsquo;s Gateway API implementation — completely separate from the retired Ingress NGINX project.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># gateway.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">gateway.networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">gatewayClassName</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">listeners</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">http</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">80</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">HTTP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">https</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*.example.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">443</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">HTTPS</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tls</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">mode</span><span class="p">:</span><span class="w"> </span><span class="l">Terminate</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">certificateRefs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-tls</span><span class="w"> </span></span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl apply -f gateway.yaml </span></span><span class="line"><span class="cl"><span class="c1"># gateway.gateway.networking.k8s.io/default-gateway created</span> </span></span></code></pre></div><p>Then attach your HTTPRoutes to the HTTPS listener:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># route.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">gateway.networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">HTTPRoute</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-app</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parentRefs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sectionName</span><span class="p">:</span><span class="w"> </span><span class="l">https</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hostnames</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;app.example.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">backendRefs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-app</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">80</span><span class="w"> </span></span></span></code></pre></div><p><strong>With cert-manager</strong> — add an annotation and cert-manager handles the rest:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># gateway.yaml — cert-manager will create and manage the secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">gateway.networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cert-manager.io/cluster-issuer</span><span class="p">:</span><span class="w"> </span><span class="l">letsencrypt-prod</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">gatewayClassName</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">listeners</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">https</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;app.example.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">443</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">HTTPS</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tls</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">mode</span><span class="p">:</span><span class="w"> </span><span class="l">Terminate</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">certificateRefs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-tls</span><span class="w"> </span></span></span></code></pre></div><hr> <h3 id="haproxy-gateway-api">HAProxy (Gateway API)</h3> <p>The beauty of Gateway API is that it&rsquo;s a standard. The Gateway resource looks almost identical regardless of the underlying implementation — you just swap the <code>gatewayClassName</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># gateway.yaml — same pattern, different class</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">gateway.networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">gatewayClassName</span><span class="p">:</span><span class="w"> </span><span class="l">haproxy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">listeners</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">https</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*.example.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">443</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">HTTPS</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tls</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">mode</span><span class="p">:</span><span class="w"> </span><span class="l">Terminate</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">certificateRefs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-tls</span><span class="w"> </span></span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl apply -f gateway.yaml </span></span><span class="line"><span class="cl"><span class="c1"># gateway.gateway.networking.k8s.io/default-gateway created</span> </span></span></code></pre></div><p>That&rsquo;s it. Same spec. Same structure. The <code>gatewayClassName</code> tells Kubernetes which controller reconciles the resource. This is exactly why Gateway API is the future — you can swap implementations without rewriting your config.</p> <p><strong>Gotchas for both implementations:</strong></p> <ul> <li>Gateway API doesn&rsquo;t have a global &ldquo;default certificate&rdquo; flag. Each HTTPS listener must explicitly reference a cert via <code>certificateRefs</code>. To cover everything, use a wildcard hostname.</li> <li>The TLS secret must be in the <strong>same namespace</strong> as the Gateway by default. For cross-namespace references, create a <code>ReferenceGrant</code>.</li> <li>TLS modes: <code>Terminate</code> means the gateway decrypts traffic (most common). <code>Passthrough</code> forwards encrypted traffic as-is — use this with <code>TLSRoute</code>, not <code>HTTPRoute</code>.</li> <li>NGINX Gateway Fabric currently supports only a single <code>certificateRef</code> per listener. If you need multiple certs, create multiple listeners.</li> </ul> <hr> <h2 id="wrapping-up">Wrapping up</h2> <p>Here&rsquo;s the cheat sheet:</p> <table> <thead> <tr> <th>Controller</th> <th>Method</th> <th>Format</th> </tr> </thead> <tbody> <tr> <td>Ingress NGINX <em>(retired)</em></td> <td><code>--default-ssl-certificate</code></td> <td><code>namespace/secret</code></td> </tr> <tr> <td>HAProxy Ingress</td> <td><code>--default-ssl-certificate</code></td> <td><code>namespace/secret</code></td> </tr> <tr> <td>Istio</td> <td><code>credentialName</code> on Gateway server</td> <td>secret name (same namespace)</td> </tr> <tr> <td>Gateway API (any impl)</td> <td><code>certificateRefs</code> on listener</td> <td>secret reference</td> </tr> </tbody> </table> <p>If you&rsquo;re starting fresh — go straight to Gateway API. Pick an implementation (NGINX Gateway Fabric, HAProxy, Envoy Gateway, whatever fits your stack), define your Gateway with a TLS listener, and move on.</p> <p>If you&rsquo;re migrating from Ingress NGINX, take a breath. Your cluster won&rsquo;t explode tomorrow. But start planning the move. The <code>ingress2gateway</code> tool can automate most of the conversion, and the Gateway API spec is stable and well-documented.</p> <p>Next up in this series: <strong>cert-manager and automated TLS</strong> — because creating secrets by hand is so 2024.</p>Engineering Managers Should Make Engineers Betterhttps://houdeshell.dev/post/2026-03-07_em-help/em-help/Sat, 07 Mar 2026 00:00:00 +0000https://houdeshell.dev/post/2026-03-07_em-help/em-help/<p>During my regularly scheduled lurking on Hacker News, I came across <a href="https://newsletter.manager.dev/p/dont-become-an-engineering-manager"target="_blank" rel="noopener noreferrer">Don&rsquo;t Become an Engineering Manager</a>, making the case that senior engineers should stay IC. The ladder is flattening, Staff pays better, tech is moving too fast to step away. Probably right, but it bugs me.</p> <p>It treats the EM role like a career trade. A thing you optimize for or against. And when you look at it that way, sure, the math is shaky right now. But that skips the question I actually care about: what does a good engineering manager <em>do</em> for the engineers on their team?</p> <h3 id="the-actual-job">The actual job</h3> <p>The best EMs I&rsquo;ve worked with spend most of their time on the unglamorous stuff. Not &ldquo;shielding the team&rdquo; in the vague r/LinkedInLunatics way. The specific stuff. Why has the deploy pipeline been flaky for two weeks and nobody&rsquo;s fixed it? Two teams are about to build the same thing, so get them in a room. Product is asking for something unreasonable and the engineers are too polite to say so.</p> <p>None of that shows up on a career ladder. It barely shows up in performance reviews. But it&rsquo;s the difference between a team that ships and a team that fights its own org.</p> <h3 id="making-people-better">Making people better</h3> <p>The part of the job I care about most doesn&rsquo;t come up in any of these &ldquo;should you become an EM&rdquo; debates. Are the engineers on your team getting better? Not in the promotion-packet sense. Is the person who joined six months ago actually understanding the system now? Is the senior who&rsquo;s great at heads-down execution starting to think about what happens <em>after</em> they ship?</p> <p>That work is mostly invisible. It&rsquo;s a one-on-one that looks like a casual conversation. It&rsquo;s asking &ldquo;what would you do?&rdquo; instead of giving the answer. It&rsquo;s putting someone slightly past their comfort zone and making sure they don&rsquo;t eat it.</p> <h3 id="so-should-you-become-an-em">So should you become an EM?</h3> <p>If you care about people, and you want to make those people better engineers, then yes. Engineers need you.</p>On being 'wrong'...https://houdeshell.dev/post/2026-01-10_wrong/wrong/Sat, 10 Jan 2026 00:00:00 +0000https://houdeshell.dev/post/2026-01-10_wrong/wrong/<p>Every bug I’ve ever shipped happened because the system did exactly what I told it to, not what I meant. That gap — between what I intended and what I actually built — is where most of the interesting lessons live.</p> <p>Last week, on three separate occasions, sharp engineers held back their ideas in meetings because they were afraid of being wrong. I only heard those ideas afterward, in side conversations. Every single one of them would have moved the discussion forward, regardless of whether they turned out to be “right.”</p> <p>That stuck with me.</p> <p><del>Engineers</del> People who can say “I was wrong” out loud tend to work better together. They pull in feedback earlier, course-correct faster, and make fewer of the same mistakes twice. The teams I’ve seen do the best work aren’t the ones where everyone is right all the time — they’re the ones where nobody is penalized for being wrong.</p> <p>We don’t get to correctness by avoiding mistakes. We get there by making them, catching them, and iterating. Most of the progress I’ve seen in my career has really just been a series of well-aimed misses.</p> <p>So say the wrong thing. Propose the bad idea. You might be surprised how often “wrong” turns out to be the fastest way forward.</p>Let's Blog Againhttps://houdeshell.dev/post/houdeshell/Sat, 11 Apr 2020 00:00:00 +0000https://houdeshell.dev/post/houdeshell/<p><img loading="lazy" src="https://houdeshell.dev/static/images/eng_blogging.png" alt="Software Engineer Blogging"/></p> <p>Here’s the thing: most developers don’t blog. I haven&rsquo;t in a long time. And that’s a shame — because it’s one of the easiest ways to level up your skills, stand out, and open doors you didn’t even know were there.</p> <p>I’m not talking about some corporate PR thing or a perfectly polished tech journal. I mean your own little corner of the internet where you write about what you’ve learned, what’s broken, and how you fixed it.</p> <h3 id="you-learn-better-when-you-explain-things">You learn better when you explain things</h3> <p>The moment you try to write about a tricky bug or a new library, you realize all the gaps in your own understanding. Filling those gaps? That’s where the real learning happens.</p> <h3 id="its-proof-you-know-your-stuff">It’s proof you know your stuff</h3> <p>Anyone can say “I work with Docker.” But if you’ve got posts about container networking quirks or real-world deployment tips, people can <em>see</em> your expertise instead of just taking your word for it.</p> <h3 id="you-stand-out">You stand out</h3> <p>There are a lot of devs out there. Not many share their thinking publicly. Blogging makes you one of the people who contributes, not just consumes.</p> <h3 id="your-code-gets-a-backstory">Your code gets a backstory</h3> <p>GitHub shows <em>what</em> you built. Your blog can show <em>why</em> you built it that way — the trade-offs, the failed attempts, and the weird edge cases. That’s the stuff that’s interesting.</p> <h3 id="opportunities-find-you">Opportunities find you</h3> <p>A blog post you wrote in 2025 might get you a job lead in 2026. Seriously. The internet has a long memory.</p> <h3 id="you-get-better-at-communicating">You get better at communicating</h3> <p>Being able to explain complex ideas clearly is just as valuable as writing clean code. Blogging is practice you’ll feel in code reviews, design docs, and meetings.</p> <h3 id="you-see-your-own-growth">You see your own growth</h3> <p>Reading your old posts is like looking at old code — a little cringe, a lot of “wow, I’ve improved.” It’s motivating.</p> <h3 id="you-help-the-next-person">You help the next person</h3> <p>That dumb error message that cost you two hours? Write it up. Someone else will Google it tomorrow or use ChatGPT in 6 months.</p>