Exclusiva de Laboro. En el año 2025, el “sindicato” CC.OO. se ha levantado exactamente 358 subvenciones de dinero público que suman 52.675.568,13€. Para disimular, las han separado en nada menos que 43 chiringuitos diferentes, entre confederación, federaciones, uniones regionales, fundaciones, etc. Tenemos los datos desglosados de todos estos chiringuitos y ahora vosotros también los tenéis. Para eso los publicamos, porque todo esto se ha pagado con vuestro dinero, tanto si sois afiliados como si no. Próximamente también publicaremos las subvenciones que ha cobrado UGT. Puedes suscribirte gratis.
Leer más.
The closure of the Strait of Hormuz is not just another geopolitical shock. It is the beginning of a physical supply crisis that could transform the British economy and everyday life.
Oil, gas, fertiliser and food supplies are all under threat. This is not a banking crisis like 2008, and it is not a pandemic like 2020. This time, the problem is scarcity itself.
In this video, I explain why inflation caused by shortages cannot be solved with interest rate rises, why the Bank of England is going to use the wrong tools in this crisis unless it's told not to, and why rationing, price controls, and direct government intervention in the economy may become unavoidable.
I look at what this could mean for fuel prices, food supplies, mortgages, unemployment, social care, housing and the wider economy.
I also explain why banks could once again require public rescue, why governments may need to support strategic industries directly, and why conventional neoliberal assumptions may no longer work in conditions like these.
This is not an argument for panic. It is an argument for preparedness. Markets alone cannot manage a crisis created by shortages of essential goods. If governments fail to plan now, the social and economic consequences could be severe.
That's why wartime lessons from the past matter again. Rationing and price controls worked in WWII, and they might be needed now, when fairness will be essential to maintaining public trust during a period of major disruption.
The question is no longer whether the UK can afford to respond as I suggest is necessary. The question is whether it has the political courage to do so, because the real risk in this crisis is not that the government runs out of money. It is that it fails to use the powers it already has before events begin to spiral out of control.
ABOUT RICHARD MURPHY Richard Murphy is Emeritus Professor of Accounting Practice at Sheffield University Management School. He is director of Tax Research LLP and the author of the Funding the Future blog. His best-known book is ‘The Joy of Tax’.
Now that we've drained the aquifers of a stable society, the replacement form of "wealth" is a delusional credit-asset bubble that generates the illusion of "wealth."
Let's weave together two threads that look different: systemic unfairness and civilizational psychosis. As I often note, social species that organize themselves into hierarchies (i.e. primates, including humans) have an innate sensitivity to fairness, as this trait is essential to maintaining social stability, and therefore it has been selected as advantageous.
This sensitivity applies both to individual instances of unfairness / injustice and to systemic unfairness / injustice. If there is no redress when an individual is treated unfairly or abused, the social order is weakened. This is why early civilizations instituted legal codes and systems of redress as they expanded into nations / empires that needed bureaucracies to organize, manage and enforce the rules and responsibilities of every class.
If the mechanisms of redress have become empty shams, then the unfairness is systemic: it isn't just some individuals who have been treated unfairly--everyone is being exploited and treated differently from what the system claims is the operative set of values and rules.
When there's an external source of wealth to be exploited, the leadership has the luxury of becoming extractive and oppressive, because they have a source of wealth that's external to their own populace. Consider the progression from a society of systemic fairness to a society of systemic unfairness.
Consider a fledgling nation that was a society with high levels of social trust and cohesion generated by a dutiful leadership, social mobility and a system in which social pressures meant members of each social class had to respect the same set of social rules.
This structure is the essential foundation of a functional society and economy, for if the resident populace is immiserated by an unfair system, they respond by either fleeing the system (i.e. opting out or leaving), resisting the unfairness / exploitation or revolting against the status quo.
If the nation transitions into an expansionist empire, the leadership can jettison fairness / redress because it can extract wealth via conquest or exploiting new resources. The bureaucracy is co-opted / bought off via the spoils of conquest and corruption, and as the imperium expands, it has sufficient wealth to buy off the citizenry class with bread and circuses or equivalent largesse.
In other words, systemic unfairness--what we now call a rigged casino--is accepted as long as the key social classes feel they're getting ahead. The Roman state / empire is an example of these dynamics, but there are many others.
As long as there's enough external wealth flowing in to enable people to feel they're still getting ahead, social decay is tolerated as "the cost of progress." In other words, who needs fairness if I have a seat in the rigged casino?
But this structure is inherently unstable, both economically and socially. External sources of wealth / resources are eventually depleted, and the largesse diminishes asymmetrically: the wealthiest few at the top continue amassing fortunes, the bureaucrats are squeezed, and the lower classes are now being taxed to cover the decline of external wealth extraction.
The systemic unfairness that was tolerated is no longer tolerable once the majority are no longer getting ahead. This presents the leadership class reaping the lion's share of the wealth extraction with a problem: how to persuade the masses that 1) they're still getting ahead, even as they visibly lose ground, and 2) how to mask the
systemic unfairness, i.e. the rigged casino that stripmines the many to benefit the few.
The leadership's "solution" is civilizational psychosis: the founding mythology of the state--so inspirational and lofty--is heavily promoted, even as this mythology (super-abundance, democracy, etc.) no longer maps the real world.
This widening divide generates civilizational psychosis as the masses are corralled into a state of denial that temporarily eases their anxiety at the recognition they're no longer getting ahead and the ladders of upward mobility have all crumbled.
This state of inspirational delusion enables denial to take a superficially plausible inspirational form: Rome is eternal, so we don't have to do anything but await an automatic return to greatness, AI will make us all rich, technological Progress is inevitable and automatically solves all our problems, and so on.
We fervently believe these delusions because the alternative is too painful to bear. The system is rotten to the core, it's all artifice masquerading as authenticity, and not only are we no longer getting ahead, there are no pathways left to get ahead other than gambling, selling our blood or delusional aspirations to become one of the tiny handful of newly minted Tech Bro millionaires.
There is an emotional progression that parallels the progression from a stable society of dynamic equilibrium to
civilizational psychosis: denial breaks down into anger, a volatile state with uncertain outcomes, which eventually transitions to bargaining (please let the stock market go back up so I can exit without losses) which leads to depression (it's all lost) which once processed can move to acceptance (oh well, time to start over).
Both denial and civilizational psychosis are inherently unstable as they're self-liquidating.
So denial will blossom into anger whether we "like" it or not.
Now that we've drained the aquifers of a stable society, the replacement form of "wealth" is a catastrophically delusional credit-asset bubble that generates the illusion of "wealth." Since the top 10% managerial / entrepreneurial / professional class the leadership needs to run the empire own 90% of the bubbling assets, inflating a credit-asset bubble is a painless way of generating the illusion in this class that they're still getting ahead.
Until the bubble pops, of course, and all bubbles pop, even when we insist they're not bubbles.
Bubbles masquerading as "wealth" is a manifestation of civilizational psychosis, and so these asset bubbles are equally unstable and self-liquidating: they implode not as a result of some external influence but as an inevitable consequence of their internal structure / nature.
Once the system's transition to a rigged casino becomes undeniable, denial cracks wide open and is replaced by anger. The responses to systemic unfairness are flight, resistance and revolt: dropping out, laying flat, let it rot, opting out, booing toadies worshiping the new gods of AI and eventually, manifestations of revolt as political, economic and social redress are suppressed as needless by a delusional leadership class that has embraced civilizational psychosis.
The price of believing their own PR will be higher than anyone thought possible.
NOTE: Contributions/subscriptions are acknowledged in the order received. Your name and email
remain confidential and will not be given to any other individual, company or agency.
Thank you, JD ($70), for your marvelously generous subscription
to this site -- I am greatly honored by your support and readership.
Thank you, Todd D. ($70), for your wondrously generous subscription
to this site -- I am greatly honored by your support and readership.
Thank you, Steven K. ($7/month) for your splendidly generous subscription
to this site -- I am greatly honored by your support and readership.
Thank you, Christopher P. ($70) for your enormously generous subscription
to this site -- I am greatly honored by your support and readership.
Go to my main site at www.oftwominds.com/blog.html
for the full posts and archives.
by Bárbara Castillo Abdul, Docente e Investigadora Senior, UDIT - Universidad de Diseño, Innovación y Tecnología
Durante años, la alfabetización mediática ha sido considerada una competencia esencial para desenvolverse en entornos digitales. Consiste en aprender a identificar fuentes fiables, a contrastar información o detectar contenidos engañosos.
Sin embargo, en un contexto marcado por la expansión de la inteligencia artificial en los procesos de acceso, producción y circulación del conocimiento, el ecosistema informativo se ha transformado y las competencias citadas no son suficientes.
Tradicionalmente, los usuarios interactuaban con contenidos relativamente identificables, producidos por emisores reconocibles y bajo lógicas editoriales más o menos transparentes. Hoy, esa relación ha cambiado de forma sustancial. Cada vez con mayor frecuencia, los usuarios no acceden a información que deben interpretar, sino que interactúan con sistemas que la sintetizan, reorganizan y generan en tiempo real.
¿Por qué responde ChatGPT lo que responde?
Por ejemplo, hace algunos años una persona que quería informarse sobre vacunas, salud mental o alimentación saludable podía leer noticias en distintos medios digitales, consultar artículos científicos o comparar la opinión de expertos. El pensamiento crítico consistía en evaluar quién producía la información, desde qué medio se difundía y con qué intención.
Hoy, ese mismo usuario puede preguntarle directamente a ChatGPT o a otro sistema de inteligencia artificial: “¿Las vacunas son seguras?”, “¿Cómo sé si tengo ansiedad?” o “¿Qué dieta es mejor para mí?”. En pocos segundos recibe una respuesta clara, estructurada y aparentemente fiable. Sin embargo, muchas veces desconoce qué fuentes utilizó el sistema, qué información priorizó, qué datos omitió o qué sesgos pueden influir en la respuesta generada.
La diferencia es profunda: antes, el pensamiento crítico se dirigía principalmente al contenido; ahora también debe dirigirse al sistema que produce y organiza el conocimiento. De hecho, investigaciones recientes advierten que la creciente dependencia de sistemas de inteligencia artificial puede modificar la forma en que las personas evalúan información y toman decisiones, especialmente en ámbitos sensibles como la salud y el bienestar.
Un uso acrítico de la IA
Sabemos que el uso de la IA mejora la eficiencia en la producción de contenidos, pero también tiende a desplazar el juicio crítico hacia la confianza en el sistema, especialmente cuando los resultados se presentan de forma coherente y verosímil.
La inteligencia artificial no solo facilita el acceso a la información, sino que interviene activamente en su construcción. Este cambio no es menor. Supone el paso de un modelo basado en la interpretación de contenidos a otro en el que la mediación algorítmica ocupa un lugar central. En este contexto, la fuente puede volverse más difusa, la autoría menos visible y la lógica de producción del conocimiento más opaca para los usuarios.
Por eso, la comprensión de los sistemas algorítmicos resulta tan relevante como la evaluación de los contenidos, y la alfabetización digital y mediática debe incluir la alfabetización en inteligencia artificial, un campo emergente que integra dimensiones técnicas, críticas y éticas.
¿Qué es la alfabetización en inteligencia artificial?
Dicha alfabetización va más allá de saber utilizar herramientas como ChatGPT, Gemini o Copilot. No se trata únicamente de aprender a escribir mejores instrucciones o de obtener respuestas más rápidas, sino de comprender cómo estos sistemas producen información, qué límites tienen y qué implicaciones sociales, éticas y cognitivas pueden generar.
En términos prácticos, una persona alfabetizada en IA debería ser capaz de comprender, al menos de forma básica, cómo funcionan los sistemas algorítmicos, qué papel desempeñan los datos en la generación de respuestas, por qué pueden aparecer sesgos o errores y cómo la automatización influye en la manera en que interpretamos la realidad y tomamos decisiones.
Esto implica desarrollar nuevas competencias críticas: cuestionar la aparente neutralidad de las respuestas generadas por IA, identificar cuándo una respuesta requiere verificación adicional, reconocer los riesgos de delegar excesivamente el pensamiento en sistemas automatizados y comprender que estas tecnologías no “piensan”, sino que producen resultados a partir de patrones y probabilidades.
Ahora mismo existe una brecha entre estas transformaciones y las prácticas educativas. Mientras se persigue que los estudiantes sean capaces de analizar contenidos y desarrollar competencias de alfabetización mediática e informacional, tal y como promueven organismos como la UNESCO y marcos educativos vinculados a la competencia digital, no siempre se les está proporcionando herramientas para comprender los procesos mediante los cuales esos contenidos son generados.
Lo que está en juego ya no es únicamente una competencia digital, sino la capacidad de las sociedades para comprender quién organiza, prioriza y legitima el conocimiento en entornos cada vez más automatizados.
Los individuos pueden creer que toman decisiones plenamente informadas cuando, en realidad, dependen de sistemas cuya lógica interna no conocen. Esto no solo afecta la forma en que consumimos información, sino también la capacidad de las sociedades para participar críticamente en ámbitos como la salud, la política o la comunicación pública.
Para que los ciudadanos alcancen esta alfabetización en IA, el aprendizaje debería comenzar progresivamente desde la escuela e integrarse de manera transversal en distintas etapas educativas y programas de formación ciudadana, no solo desde áreas tecnológicas, sino también desde materias vinculadas a la comunicación, la ética, las ciencias sociales y la ciudadanía digital.
La población adulta también necesita espacios de formación y divulgación que permitan comprender críticamente el funcionamiento de estas tecnologías, especialmente en ámbitos sensibles como la salud, la información política o la educación.
La responsabilidad no recae únicamente en los sistemas educativos. Gobiernos, universidades, medios de comunicación, plataformas tecnológicas y organismos internacionales también tienen un papel clave en el desarrollo de una ciudadanía capaz de interactuar críticamente con la inteligencia artificial. En un contexto donde los algoritmos participan cada vez más en la organización de aquello que vemos, pensamos y creemos saber, entender cómo funcionan deja de ser una competencia especializada para convertirse en una necesidad democrática.
Bárbara Castillo Abdul no recibe salario, ni ejerce labores de consultoría, ni posee acciones, ni recibe financiación de ninguna compañía u organización que pueda obtener beneficio de este artículo, y ha declarado carecer de vínculos relevantes más allá del cargo académico citado.
Como ocurre con otros alimentos rodeados de un aura casi milagrosa, la fiebre por el aguacate parece imparable. Son innegables sus propiedades nutritivas y su asociación con la categoría de los llamados “superalimentos”, definidos por la RAE como aquellos “a los que se les suponen propiedades beneficiosas para la salud añadidas a su valor nutritivo”.
Los denominados “superalimentos” –un término más publicitario que científico–, caracterizados por su elevado contenido en antioxidantes, fibra, vitaminas y minerales, no solo se consumen por sus supuestos beneficios para la salud. Además, suelen percibirse como productos “naturales”, asociados a prácticas de manejo tradicionales desarrolladas y perfeccionadas por comunidades indígenas a lo largo de siglos o, al menos, sostenibles. Pero esto no siempre es así.
Incentivos que se traducen en la intensificación del cultivo
Las modas alimentarias generan nuevas demandas de consumo que, en un mundo tan conectado y tecnificado, se traducen rápidamente en la expansión de los cultivos más demandados. En España, la superficie dedicada al aguacate ha aumentado un 62 % en la última década, superando ya las 24 000 hectáreas. Además, este cultivo ha desbordado su ámbito tradicional –la Costa Tropical granadina y la Costa del Sol malagueña, donde aún se concentra el núcleo principal con unas 16 500 hectáreas– para extenderse hacia nuevos territorios.
Las Islas Canarias, pioneras y especialmente aptas para este cultivo, albergan alrededor de 1 400 hectáreas. A ellas se suman otras provincias andaluzas, como Cádiz (1 800 hectáreas), y la Comunidad Valenciana (4 200 hectáreas), donde el aguacate está sustituyendo progresivamente a los cítricos, hoy menos rentables pese a sus conocidas propiedades. Allí encuentra condiciones favorables, como la proximidad al mar –que reduce el riesgo de heladas– y determinadas áreas montañosas.
El crecimiento del consumo en España es igualmente notable: según el Panel de Consumo Alimentario en los hogares, pasó de 0,66 en 2010 a 2 kg en 2024 por habitante y año. Para satisfacer esta demanda, el mercado español depende en gran medida de las importaciones, que alcanzaron las 262 000 toneladas en 2024, de acuerdo con DATACOMEX.
Ello no impide que una parte importante de la producción nacional se destine a la exportación. Como ocurre con frecuencia en el mercado agroalimentario global, resulta perfectamente compatible –según la lógica de los mercados– exportar cerca de 140 000 toneladas de aguacate y, al mismo tiempo, importar producto procedente de lugares tan lejanos como Perú, origen del 66 % de los aguacates importados por España.
Otros alimentos nutritivos, incluidos los de origen animal
Más allá de estos alimentos de corte exótico, lo cierto es que en el ámbito mediterráneo tenemos la suerte de contar con diversos alimentos con destacadas propiedades nutricionales, como el innegociable aceite de oliva o las humildes almendras. Como vemos, parece que este tipo de alimentos han de ser necesariamente vegetales, dado que muchas corrientes nutricionales y ambientales han proscrito la proteína animal.
En este sentido es necesario reivindicar uno de los alimentos más completos: el huevo. Su perfecto equilibrio proteico es utilizado como el estándar de referencia para evaluar la calidad de las proteínas de otros alimentos debido a su alto valor biológico y perfil completo de aminoácidos. Además, es una fuente de colina, crucial para el desarrollo cognitivo y la salud cerebral y tiene un alto poder saciante, con solo 70-80 kcal por unidad. Hay otros “superalimentos” de origen animal. El yogur, por ejemplo, es un aliado para mantener en forma nuestra microbiota, pieza fundamental de nuestra salud.
Aunque el consumo de carne en exceso está desaconsejado, lo cierto es que la proteína animal fue clave en nuestra evolución como especie. La inteligencia se sustenta en un cerebro que demanda mucha energía y requiere alimentos con alta densidad de nutrientes, como la carne. Esta fue la que permitió a nuestra especie acortar la longitud del intestino, reducir el tamaño de las mandíbulas y dedicar tiempo y energía a algo más que masticar y digerir fibras vegetales. Aún hoy sigue siendo un componente esencial de la alimentación humana. Un estudio reciente señala que la mayoría de los alimentos más ricos en micronutrientes esenciales –como hierro, zinc, ácido fólico, vitamina A, calcio y vitamina B12, cuyas deficiencias siguen siendo muy frecuentes a escala global– son de origen animal.
La cara B de productos que no son tan naturales
La realidad de los alimentos de moda –una lista cada vez más extensa y cambiante que que se actualiza constantemente– dista mucho de ser tan atractiva como sugiere la publicidad. Muchos de los beneficios para la salud que se les atribuyen carecen de un respaldo científico sólido, especialmente cuando se analizan a partir de ensayos controlados de intervención en humanos.
Desde el punto de vista ambiental, su expansión fuera de sus dominios naturales está generando impactos considerables. Cuando un cultivo como el aguacate abandona los ambientes tropicales, caracterizados por lluvias abundantes y relativamente regulares, para implantarse en regiones áridas, surgen elevadas necesidades de riego que ponen en riesgo el equilibrio hídrico de esos territorios.
El deterioro y descenso de las masas de agua subterránea en muchas de estas zonas productoras constituye una clara evidencia de ello. A este agotamiento del recurso hídrico se suman otros procesos de degradación, como la salinización de los suelos y la erosión derivada de la transformación de laderas abruptas, desprovistas de su cubierta vegetal para albergar nuevas plantaciones.
Incluso en sus regiones de origen, donde estos cultivos están mejor adaptados a las condiciones ambientales, los impactos ecológicos son muy significativos al sobrepasar la disponibilidad de espacio y recursos.
Así, cuando la rentabilidad a corto plazo se convierte en el principal criterio de producción, tienden a imponerse el monocultivo –con la consiguiente pérdida de diversidad genética–, el uso intensivo de agroquímicos, la degradación progresiva del suelo y la tala indiscriminada de bosques para ampliar la superficie cultivada.
Una dieta variada y no basada en los alimentos de moda
Cada cierto tiempo surgen alimentos presentados casi como soluciones milagrosas capaces de resolver todos nuestros problemas de salud. Incorporarlos a la dieta puede ser positivo y enriquecedor, pero convertirlos en el eje exclusivo de la alimentación resulta contraproducente. Un enfoque nutricional más equilibrado pasa por mantener una dieta variada –tanto en el día a día como a lo largo de las estaciones–, basada en productos frescos y de temporada, evitando los ultraprocesados.
Desde el punto de vista ambiental, más importante que el producto en sí es comprender –aunque a menudo no resulte sencillo– cómo se produce ese alimento. No es comparable la carne procedente de macrogranjas con la obtenida de rebaños móviles que aprovechan distintos recursos pastables. Del mismo modo, no es equivalente consumir un aguacate cultivado en una pequeña explotación familiar con riego de apoyo que otro procedente de grandes monocultivos implantados sobre áreas previamente deforestadas.
Jaime Martínez Valderrama no recibe salario, ni ejerce labores de consultoría, ni posee acciones, ni recibe financiación de ninguna compañía u organización que pueda obtener beneficio de este artículo, y ha declarado carecer de vínculos relevantes más allá del cargo académico citado.
🎙️ Ep. 63 — Laura de la Fuente **Antifrágiles en la era de la incertidumbre**
Laura de la Fuente es CMO en Xcalibur Smart Mapping, directora del MIB en ISDI y madre de Daniela. Ha vivido todas las disrupciones tecnológicas de los últimos 20 años desde primera línea — de las webs en Flash al móvil, del COVID al boom actual de la IA.
En esta conversación abrimos el melón de cómo se gestiona emocionalmente un cambio profesional cuando el suelo no para de moverse. Por qué el conocimiento ya no es escudo. Qué significa ser antifrágil. Y por qué el verdadero diferencial profesional ya no es lo técnico — es lo humano. --- 🎓 **Episodio posible gracias a ISDI** Los días 19 y 20 de mayo, Laura presenta el nuevo MIB en sesiones inspiracionales en Barcelona y Madrid. Si estás dudando qué siguiente salto dar en esta época tan fascinante, este evento es para ti.
📩 Tengo descuentos para los oyentes del podcast. Escríbeme a **mafortperera@gmail.com** o por LinkedIn y te los hago llegar.
--- ⏱️ **Capítulos** - 00:00 — Bienvenida y presentación - 01:09 — Compatibilizar tres roles: CMO, MIB y maternidad - 03:40 — El tiempo deja de ser abstracto cuando eres madre - 05:40 — Empresas alineadas con tus valores - 12:10 — Gestión emocional del cambio profesional - 16:50 — Cisnes negros consecutivos y la era de la incertidumbre - 18:50 — Soft skills, pensamiento crítico y el nuevo CV - 26:00 — Resiliencia vs. antifragilidad - 31:00 — El conocimiento no elimina la vulnerabilidad - 31:15 — La persona más inteligente: ver por las esquinas - 42:00 — Por qué algunos se quedan fuera de la transformación - 51:00 — El garrote y la escopeta: la IA actual es la peor que vamos a usar - 1:01:30 — Cómo saber si es tu momento para dar el salto - 1:03:00 — El nuevo MIB: agentes, soft skills y antifragilidad - 1:07:00 — Recomendaciones y nominado
--- 🛠️ Recomendaciones de Laura: - Herramienta → Claude - Sistema → "Daniela Centric" - Nominado → Aquilino Peña
Diez advertencias para jóvenes que pueden cambiarte la forma de ver la vida: el tiempo, el cuerpo, la soledad, el ego, la admiración, el oficio, las conversaciones difíciles, el error, la responsabilidad y el miedo al rechazo. Un vídeo directo, brutalmente honesto y lleno de ideas que te ayudan a no perder años en tonterías, a construir criterio y a entender que la vida pasa rápido. Porque al final, lo que importa es esto: esto también pasará.
El calvario de una niña que no podía separarse de su madre
Hoy la vemos brillar en los Óscar, pero la infancia de Emma Stone en Arizona fue una lucha diaria por la supervivencia emocional.
Desde los 7 años, su ansiedad no era solo "miedo", era una barrera física. Era la niña que pasaba horas en la oficina de la enfermera del colegio, inventando dolores de estómago solo para que llamaran a su madre y poder volver a la seguridad de su casa.
La idea de estar lejos de su familia le provocaba ataques de pánico tan reales que sentía que el mundo se acababa en ese mismo instante.
👉 Biografía: https://es.wikipedia.org/wiki/Emma_Stone
“Mi ansiedad era constante. Recuerdo pedirle a mi madre que me explicara exactamente cómo iba a ser el día: '¿A qué hora me recoges?', '¿Dónde estarás tú mientras yo estoy en clase?'. Si algo se salía del plan, mi mente entraba en espiral. Escribir mi libro sobre el monstruo verde fue lo único que me permitió ponerle nombre a ese terror y entender que el monstruo y yo no éramos la misma persona”.
Emma llegó a pensar que nunca podría salir de su ciudad ni vivir sola. Sin embargo, descubrió que cuando interpretaba a otra persona en el teatro local, su propia mente se silenciaba. Al actuar, Emma "sale" de su propia cabeza para entrar en la de otro, lo que le da un respiro de sus propias preocupaciones. Esa hipersensibilidad que de pequeña la hacía llorar por las esquinas es la que hoy le permite entender y encarnar personajes tan complejos y humanos.
👉 Testimonio detallado : ataques de pánico y como los supera -
Incluso ahora, en la cima de su carrera, Emma no oculta que sigue teniendo "días malos". Su mensaje para los jóvenes es directo: no se trata de que la ansiedad desaparezca para siempre, sino de aprender a vivir con ella sin que tome el control. Su historia demuestra que tener un "monstruo en el hombro" no te impide alcanzar tus sueños más grandes.
Vídeo de Emma Stone sobre la ansiedad
Un testimonio visual donde Emma Stone comparte su experiencia con la ansiedad y cómo ha aprendido a vivir con ell
The difference between success and failure often hangs on a concept that our standard education system never touches: confidence.
On Confidence walks us around the key issues that stop us form making more of our potential.
We hear about the impostor syndrome, the wisdom of imagining the great in the bathrooms, and what Nietzsche and Montaigne (among others) have to tell us about resilience and courage.
We often stay stuck with the level of confidence we have because we regard being confident as a matter of good luck.
In fact, the opposite is true: confidence is a skill based on ideas about our place in the world, and its secrets can be learnt.
The School of Life publishes a range of books on essential topics in psychological and emotional life, including relationships, parenting, friendship, careers and fulfilment. The aim is always to help us understand ourselves better and thereby to grow calmer, less confused and more purposeful.
Estimated reading time: 11 minutes.
Main ideas:
Confidence is a skill, not a gift from the gods.
There is a type of underconfidence that arises specifically when we grow too attached to our own dignity and become anxious around any situation that might seem to threaten it.
Everyone, however important and learned they might seem, is a fool.
The way to greater confidence is to come to peace with our inevitable ridiculousness.
We would grow free to try things by accepting that failure was the norm.
The solution to the impostor syndrome lies in making a crucial leap of faith: that others’ minds work in much the same way as ours do.
Nothing fundamentally stands between us and the possibility of responsibility, success and fulfillment.
The majority of what exists is arbitrary, neither inevitable nor right, simply the result of muddle and happenstance.
One of the greatest sources of despair is the belief that things should have been easier than they have turned out to be.
The capacity to remain confident is to a significant extent a matter of having internalised a correct narrative about what difficulties we are likely to encounter.
We see our early failures as proof of conclusive ineptness rather than as the inevitable stages on every path to mastery.
Confidence isn’t the belief that we won’t meet obstacles.
We can all cope far better than we think.
We should take not to dress up our base deficiencies as godly virtues.
Confidence is what translates theory in practice.
Comments extracted from the book, they could be right or wrong, you decide for yourself:
We so often lack confidence because we implicitly regard its possession as a matter of slightly freakish and irreplicable good luck. We tell ourselves, there isn’t much we can do about our particular situation. We are stuck with the confidence we were born with.
Confidence is a skill, not a gift from the gods. And it is a skill founded on a set of ideas about the world and our natural place within it. These ideas can be systematically studied and gradually learnt, so that the roots of excessive hesitancy and compliance can be overcome. We can school ourselves in the art of confidence.
There is a type of underconfidence that arises specifically when we grow too attached to our own dignity and become anxious around any situation that might seem to threaten it. We hold back from challenges in which there is any risk of ending up looking ridiculous, which comprises, of course, almost all the most interesting situations.
Ar the heart of our underconfidence is a skewed picture of how dignified a normal person can be. We imagine that it might be possible, after a certain age, to place ourselves beyond mockery. We trust that it is an option to lead a good life without regularly making a complete idiot of ourselves.
Erasmus advances a hugely liberating argument. In a warm tone, he reminds us that everyone, however important and learned they might seem, is a fool. No one is spared, not even the author.
Bruegel and Erasmus’s work proposes that the way to greater confidence is not to reassure ourselves of our own dignity; it’s to come to peace with our inevitable ridiculousness. We are idiots now, we have been idiots in the past, and we will be idiots again in the future, and that’s OK. There aren’t any other available options for human beings.
Once we learn to see ourselves as already, and by nature, foolish, it won’t matter so much if we do one more thing that might look stupid.
The fear of humiliation would no longer stalk us in the shadows of our minds. We would grow free to try things by accepting that failure was the norm.
The road to greater confidence beings with a ritual of telling oneself solemnly every morning, before heading out for the day, that one is a muttonhead, a cretin, a dumbbell and an imbecile. A few more acts of folly should, thereafter, not matter very much.
The root cause of impostor syndrome is a hugely unhelpful picture of what people at the top of the society are really like. We feel like impostors not because we are uniquely flawed, but because we can’t imagine how deeply flawed the elite must also be beneath a more or less polished surface.
We’re just failing to imagine that others are every bit as fragile as we are. We might not know exactly what they regret, but there will be agonising feelings of some kind. We won’t be able to say exactly what kind of sexual kink obsesses them, but there will be one. They are universal features of the human mental equipment.
The solution to the impostor syndrome lies in making a crucial leap of faith: that others’ minds work in much the same way as ours do. Other people must be as anxious, uncertain and wayward as we are.
The other traditional release from underconfidence of this type came from the opposite end of the social spectrum: being a servant.
Nothing fundamentally stands between us and the possibility of responsibility, success and fulfilment.
The root of our underconfidence is a touching, but ultimately hugely dangerous, degree of trust, a legacy of times in our lives when those in charge had our best interests in mind and took the time to assess every one of our needs.
RBT457534Z5467
Maturity means going from the myth of a person, however high their status in a system, to a full recognition of their humanity.
We finally pay other a strange but valid compliment when we accept them as versions of the same complex and imperfect creatures we know ourselves to be.
Broadly speaking, the unconfident believe that history is over; conversely, the confident trust that history is still in the process of being made, and possibly by themselves one day.
The world is being made an remade in every instant. Therefore, any one of us has a theoretical chance of being an agent in history, on a big or small scale.
The majority of what exists is arbitrary, neither inevitable nor right, simply the result of muddle and happenstance. We should be confident, even at sunset on winter afternoons, of our power to join the stream of history and, however modestly, change its course.
One of the greatest sources of despair is the belief that things should have been easier than they have turned out to be. We give up not simply because events are difficult, but because we hadn’t expected them to be so. We grow subdued and timid and eventually surrender, because a struggle this great seems impossibly rare. The capacity to remain confident is, therefore, to a significant extent a matter of having internalised a correct narrative about what dificulties we are likely to encounter.
The great stand-up comic does not reveal the time spent agonising over every detail of their performance. They will not tell us of the anxieties around whether it was best to deliver the last line sitting, to convey an impression of stunned passivity, or standing, to imply a stifled energy about to be released. Appearing to say the first thing that comes into one’s head is the result of decades of rehearsal. As customers, we pay to have news of struggle kept from us. We want to admire the polished surface of the gadget without reminder of the cramped circuits beneath.
We see our early failures as proof of conclusive ineptness rather than as the inevitable stages on every path to mastery. We have not seen enough of the rough drafts of those we admire, and therefore cannot forgive ourselves the horror of our own early attempts.
Despite their limited resources, ancient Greek communities went to astonishing lengths to remind themselves of what the most prestigious job available actually involved: namely, a lost of hardship.
To shore up our confidence, we would need regularly to encounter the modern equivalents of the works of the classical sculptors: films, poems, songs and novels that would represent for us the agonies that unfold in the unglamorous but hugely representative hubs of modern capitalism.
Confidence isn’t the belief that we won’t meet obstacles: it is the recognition that difficulties are an inescapable part of all worthwhile contributions. We need to ensure we have plenty of narratives to hand that normalise the role of pain, anxiety and disappointment in even the best and most successful lives.
A mid-life crisis is not a legitimate awakening; it’s a sign of being shamefully ill prepared. In an ideal culture, our mortality would be systematically impressed upon us from the earliest age.
In our psychological make-up, the approval of the world effectively supports our approval of ourselves. Consequently, when enemies agitate against us, we lose faith not in them, but, more alarmingly, in ourselves.
Success isn’t simply a pleasant prize to stumble upon when we enjoy a subject or a task interests us; it a psychological necessity, something we must secure in order to feel we have the right to be alive.
Underconfident types work with the assumption that almost everyone they encounter will be sane, measured, intelligent, judicious, and in command of themselves. The more psychlogically robust assume form the start that most people, even grand and supposedly intelligent ones, are riddled with prejudice, beset by low motives, and capable of deliberate cattiness and meanness better suited to a playground of the under-fives. The benefit of thinking a lot less of everyone can be a calmer attitude towards the specific meanness of a few.
We can all cope far better than we think; what appears inmensely threatening may be highly survivable. The storms will die down, we will be battered, a few things will be ripped, but eventually we will return to safer shores.
What we fear will happen has, in truth, already happened; we are projecting into the future a catastrophe that belongs to a past we have not had the chance to fathom and mourn adequately.
What fundamentally distinguishes adulthood from childhood is that the adult has access to a great many more sources of hope than the child. We can survive a letdown here or there, because we no longer inhabit a closed province, bounded by the family, the neighbourhood and the school.
We should get suspicious when we catch ourselves pulling off erratic performances around people we deep down really like or need to impress.
Confidence is in its essence entirely compatible with remaining sensitive, kind, witty and softly-spoken. It might be brutishness, not confidence, that we hate.
We should take not to dress up our base deficiencies as godly virtues.
We need to develop the skill that allows us to make our talents active in the world at large.
Confidence is what translates theory in practice.
We should allow ourselves to develop confidence in confidence.
Have you read this book? Any other similar book? Do you have anything to say about what this book is saying? Do you recommend any book related to this matter? Anything at all? I’ll be glad to know what you think about it in the comments.
Queridos amigos,
Continuando con la reflexión de la semana pasada sobre cómo prepararse para las crisis, hoy abordo otra idea importante: las empresas demasiado tensionadas funcionan peor.
Cuando personas y recursos trabajan permanentemente al límite, cualquier imprevisto genera estrés, desgaste y pérdida de compromiso. La obsesión por la máxima eficiencia puede acabar reduciendo la verdadera eficacia.
Reflexiono sobre ello en el nuevo post de *Toma de Decisiones*.
Un cordial saludo,
Miguel Ángel
Most engineers assume their Kubernetes cluster encrypts all of its traffic. It doesn't. The commands you run with kubectl are encrypted — your client and the API server speak TLS. The API server talking to etcd is usually encrypted too, depending on how the cluster was provisioned.
But traffic between your pods? Plaintext by default. Ingress traffic from the internet to your services? Only encrypted if you explicitly configure TLS. And certificates for internal services? You have to provision those yourself.
This is not a Kubernetes oversight. It's a deliberate design choice — Kubernetes provides the primitives and leaves the implementation to you. The problem is that certificate management is notoriously painful. Certificates expire. Provisioning them manually doesn't scale. Forgetting to rotate them causes outages.
cert-manager solves this. It runs as a controller inside your cluster, watches for Certificate resources, requests certificates from configured issuers, stores them in Kubernetes Secrets, and rotates them automatically before they expire. You declare what you want, cert-manager makes it happen and keeps it that way.
In this article you'll work through how cert-manager's core model works, automate public Ingress TLS using Let's Encrypt, set up an internal Certificate Authority for service-to-service encryption, and understand how certificate rotation works so outages caused by expired certificates become a thing of the past.
Prerequisites
A kind cluster with the nginx Ingress controller installed
Helm 3 installed
A domain name with DNS you control — needed for the Let's Encrypt demo
Basic understanding of TLS: you know what a certificate, a private key, and a CA are
Before installing anything, it's worth being precise about what the cluster already protects and what it leaves open.
Traffic path
Encrypted by default?
Notes
kubectl → API server
Yes
TLS with the cluster CA
API server → etcd
Usually
Depends on cluster provisioner — verify with your setup
API server → kubelet
Yes
TLS, but kubelet cert verification depends on configuration
Pod → Pod (same cluster)
No
Plaintext unless you add a service mesh or mTLS
Internet → Ingress
No
Opt-in — requires TLS configuration on the Ingress resource
Pod → Kubernetes API
Yes
Via the service account token and cluster CA
The two gaps that matter most in practice are pod-to-pod traffic and Ingress TLS. This article covers both Ingress TLS with Let's Encrypt and internal service-to-service encryption using a private CA.
How cert-manager Works
cert-manager is a Kubernetes operator. It extends the Kubernetes API with custom resources that represent certificate requests and their configuration. When you create a Certificate resource, cert-manager's controller picks it up, requests a certificate from the configured issuer, and stores the resulting certificate and private key in a Kubernetes Secret. When the certificate approaches its expiry, cert-manager renews it automatically.
This model means your application doesn't know or care about certificate management. It reads a Secret. cert-manager keeps that Secret fresh.
The Four Core Resources
cert-manager introduces four custom resources that you'll use regularly:
Resource
What it represents
Issuer
A certificate authority or ACME account — namespace-scoped
ClusterIssuer
Same as Issuer, but available cluster-wide
Certificate
A request for a certificate — describes what you want
CertificateRequest
An individual signing request — created automatically by cert-manager, rarely touched directly
In practice you'll mostly deal with ClusterIssuer and Certificate. The ClusterIssuer defines where certificates come from. The Certificate defines what certificate you want and where to store it.
Issuers and ClusterIssuers
An Issuer can only issue certificates within its own namespace. A ClusterIssuer can issue certificates in any namespace. For shared infrastructure like Let's Encrypt, you almost always want a ClusterIssuer. For application-specific internal CAs, an Issuer scoped to that application's namespace is the safer choice.
cert-manager supports several issuer types. The three you'll encounter most often are:
ACME — for public certificates from Let's Encrypt or any ACME-compatible CA. Ownership of the domain is proven via an HTTP-01 or DNS-01 challenge.
CA — for internal certificates signed by a CA whose private key is stored in a Kubernetes Secret. Used for service-to-service TLS within the cluster.
Self-signed — generates self-signed certificates. Rarely useful on its own, but essential as the bootstrap step when creating an internal CA.
The Certificate Lifecycle
When you create a Certificate resource, cert-manager follows this sequence:
Creates a CertificateRequest with a CSR (Certificate Signing Request)
Passes the CSR to the configured issuer
For ACME issuers: creates a Challenge resource and fulfils it (more on this below)
Receives the signed certificate from the issuer
Stores the certificate and private key in the Kubernetes Secret named in spec.secretName
Monitors the certificate's expiry — by default, renews when 2/3 of the validity period has elapsed
Your application mounts the Secret. cert-manager updates it silently. Most applications that watch for file changes will pick up the new certificate without a restart.
ACME Challenges: HTTP-01 vs DNS-01
Let's Encrypt needs proof that you control the domain before it issues a certificate. ACME defines two challenge types for this.
HTTP-01 works by having cert-manager create a temporary HTTP endpoint at http://<your-domain>/.well-known/acme-challenge/<token>. Let's Encrypt sends a request to that URL. If the response matches the expected token, the challenge passes. This requires your cluster to be reachable from the internet on port 80.
DNS-01 works by having cert-manager create a temporary DNS TXT record at _acme-challenge.<your-domain>. Let's Encrypt checks for that record. This doesn't require inbound HTTP access, which makes it the right choice for private clusters, and it's the only way to get wildcard certificates (*.example.com).
The trade-off: HTTP-01 is simpler to set up but only works for single domains and requires internet-accessible infrastructure. DNS-01 requires API access to your DNS provider but works for internal clusters and wildcards.
Demo 1 — Install cert-manager and Issue a Certificate Using Pebble and Let's Encrypt
Pebble is Let's Encrypt's local ACME test server. It runs inside your cluster, issues certificates using the same ACME protocol as Let's Encrypt, and requires no public domain or internet access. Using Pebble lets you test the full cert-manager flow — challenge, issuance, renewal — on a plain kind cluster.
Once you understand the flow locally, switching to real Let's Encrypt is a one-line change: replace the ClusterIssuer server URL and point a DNS record at a publicly reachable cluster. The rest of the configuration is identical.
You'll install cert-manager, create a ClusterIssuer for Let's Encrypt, deploy a sample application with an Ingress, and watch a real certificate be issued and stored automatically.
Step 1: Install cert-manager
cert-manager is now distributed via OCI Helm charts from quay.io/jetstack. The --set crds.enabled=true flag installs the Custom Resource Definitions as part of the chart:
You also need the nginx Ingress controller — cert-manager routes HTTP-01 challenges through it. The controller.service.type=ClusterIP override is for kind specifically: the default LoadBalancer Service never gets an EXTERNAL-IP on kind (there's no cloud LB), which makes --wait hang forever. On a real cluster, drop the override and keep LoadBalancer.
kubectl get pods -n cert-manager
kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
cert-manager-76f84784c8-r4fx4 1/1 Running 0 6m45s
cert-manager-cainjector-66fbf49587-gv25n 1/1 Running 0 6m45s
cert-manager-webhook-577fddf86-l5wj4 1/1 Running 0 6m45s
NAME READY STATUS RESTARTS AGE
ingress-nginx-controller-6c7cd85885-h7zgx 1/1 Running 0 3m34s
kind-specific gotcha — remove the nginx admission webhook now.** On kind, the nginx admission webhook serves with a self-signed certificate that the Kubernetes API server cannot verify. The first time you try to create any Ingress resource you'll see failed calling webhook "validate.nginx.ingress.kubernetes.io": ... x509: certificate signed by unknown authority. Delete the webhook up front so the rest of the demo doesn't trip over it:
Pebble is the local ACME test server, distributed by the JupyterHub project. It ships with a companion CoreDNS deployment (pebble-coredns) that Pebble uses to resolve names during ACME validation.
NAME READY STATUS RESTARTS AGE
pebble-8d8d49d64-lz8ck 1/1 Running 0 36s
pebble-coredns-7fb5c7cbf4-4jw9h 1/1 Running 0 36s
Step 3: Wire up DNS for the fake hostname
We're going to issue a cert for echo.pebble.local. That hostname is fake — it doesn't exist in any real DNS — so we have to teach two independent resolvers about it before issuance will work:
Resolver
Used by
What we need it to do
pebble-coredns (in the pebble namespace)
Pebble itself, when it makes the HTTP-01 validation request
Patchpebble-coredns to answer for *.pebble.local with the ingress controller's IP. The CoreDNS template plugin parses unreliably when the whole block is collapsed onto one line, so apply a real multi-line ConfigMap:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
name: pebble-coredns
namespace: pebble
data:
Corefile: |
.:8053 {
errors
health
ready
template ANY ANY pebble.local {
answer "{{ .Name }} 60 IN A ${NGINX_IP}"
}
forward . /etc/resolv.conf
cache 2
reload
}
EOF
kubectl rollout restart deploy/pebble-coredns -n pebble
kubectl rollout status deploy/pebble-coredns -n pebble
You should see Address: <NGINX_IP> in the response. If you get SERVFAIL, check kubectl logs -n pebble deploy/pebble-coredns — a parser error like not a TTL: "}" means the template block collapsed onto one line again.
Patch the cluster CoreDNS so cert-manager's self-check can resolve the same name. Add a stub zone that forwards pebble.local to pebble-coredns:
Both Server: 10.96.0.10 and Address: <NGINX_IP> should appear.
Step 4: Fetch the Pebble CA and create the ClusterIssuer
Pebble signs its certificates with a self-signed root that lives in the pebble ConfigMap under root-cert.pem. cert-manager needs to trust this CA to talk to Pebble's ACME directory, so we pass it as a base64-encoded caBundle in the ClusterIssuer:
kubectl get configmap pebble -n pebble \
-o jsonpath='{.data.root-cert\.pem}' > pebble-ca.crt
head -1 pebble-ca.crt # should print -----BEGIN CERTIFICATE-----
CA_BUNDLE=$(base64 -i pebble-ca.crt | tr -d '\n')
echo "CA_BUNDLE length: ${#CA_BUNDLE}" # ~1600 chars, one continuous line
Create the ClusterIssuer using the heredoc — the ${CA_BUNDLE} shell variable gets substituted into the YAML before kubectl reads it:
If READY stays False, the two most common causes are a malformed caBundle (verify it's a single unbroken base64 line with no newlines) or Pebble being unreachable from the cert-manager namespace. To check reachability:
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/echo 1/1 1 1 32s
NAME READY STATUS RESTARTS AGE
pod/echo-5665fbcfdd-mbgxj 1/1 Running 0 36s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/echo ClusterIP 10.96.103.114 <none> 80/TCP 40s
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 32m
Step 6: Create an Ingress with TLS
The cert-manager.io/cluster-issuer: pebble annotation tells cert-manager to automatically create a Certificate resource for this Ingress, using the issuer we just created. The hostname echo.pebble.local doesn't need to resolve externally — we taught both DNS resolvers about it in Step 3.
# Watch the Certificate resource (Ctrl-C once Ready=True)
kubectl get certificate echo-tls -n default -w
NAME READY SECRET AGE
echo-tls False echo-tls 5s
echo-tls True echo-tls 28s
When READY becomes True, the certificate has been issued and stored in the echo-tls Secret. The full chain — CertificateRequest → Order → Challenge → solver pod → Secret — happens in well under a minute on a healthy cluster:
kubectl get certificate,certificaterequest,order,challenge -n default
NAME READY SECRET AGE
certificate.cert-manager.io/echo-tls True echo-tls 81s
NAME APPROVED DENIED READY ISSUER AGE
certificaterequest.cert-manager.io/echo-tls-1 True True pebble 81s
NAME STATE AGE
order.acme.cert-manager.io/echo-tls-1-1824732543 valid 81s
(Challenges are deleted automatically once an Order completes, so kubectl get challenge -n default typically shows nothing at this point — that's success, not failure.)
If READY stays False for more than a minute, see the troubleshooting tips at the end of this section.
Inspect the issued certificate to confirm Pebble signed it:
Issuer is Pebble's intermediate CA — proof the full ACME flow worked end-to-end. The cert is valid for 90 days, and cert-manager will renew it automatically at day 60.
Hit the ingress over HTTPS from inside the cluster to confirm everything is wired together:
The echo server should return a JSON blob — note the "x-forwarded-proto":"https" field, which proves the request came through nginx over TLS.
Troubleshooting if the cert never goes Ready:
kubectl describe order -n default — look for "DNS problem" or "Connection refused" in the events.
kubectl logs -n pebble deploy/pebble --tail=50 — Pebble logs the exact URL it tried to fetch during validation and any errors.
If the Order is stuck pending with no events: cert-manager hasn't reconciled yet. Wait 30s.
If the Order is invalid: one of the two DNS layers (Step 3) is misconfigured. Re-run both nslookup checks.
If the Ingress apply itself failed with an x509 webhook error: you skipped the kubectl delete validatingwebhookconfiguration ingress-nginx-admission step in Step 1.
Step 8: Switch to Let's Encrypt staging (real public domain)
Pebble proved the flow works locally. Now move to a publicly-reachable domain pointed at a publicly-reachable cluster. The DNS gymnastics from Step 3 go away — the domain is real, so both resolvers find it without intervention.
Use Let's Encrypt staging first. It speaks the same ACME protocol as production but with generous rate limits, so failed attempts during testing won't lock you out:
kubectl apply -f clusterissuer-staging.yaml
# Point the Ingress at staging and the real hostname, then force re-issuance
kubectl annotate ingress echo \
cert-manager.io/cluster-issuer=letsencrypt-staging --overwrite -n default
kubectl delete secret echo-tls -n default
The new cert's issuer will look something like (STAGING) Let's Encrypt.
Step 9: Switch to Let's Encrypt production
Once staging works, repeat with the production ClusterIssuer. The only difference is the server URL:
cert-manager detects the missing Secret and immediately requests a browser-trusted certificate from production Let's Encrypt.
cert-manager detects the missing Secret and immediately triggers a new certificate request using the production issuer.
How to Get a Wildcard Certificate with DNS-01
HTTP-01 challenges work well for single domains with public ingress. But there are two situations where you need DNS-01 instead: when your cluster is not publicly accessible (internal clusters, air-gapped environments, staging namespaces behind a VPN), and when you want a wildcard certificate that covers all subdomains of your domain.
DNS-01 requires cert-manager to be able to create and delete TXT records in your DNS provider. cert-manager has built-in support for Route53, Cloud DNS, Cloudflare, Azure DNS, and many others.
Here is a ClusterIssuer for DNS-01 using AWS Route53:
# clusterissuer-dns01.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-dns01
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: your-email@example.com
privateKeySecretRef:
name: letsencrypt-dns01-account-key
solvers:
- dns01:
route53:
region: us-east-1
# Use IRSA (IAM Roles for Service Accounts) in production
# rather than static credentials
hostedZoneID: YOUR_HOSTED_ZONE_ID
A wildcard Certificate using that issuer:
# wildcard-cert.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wildcard-example-com
namespace: default
spec:
secretName: wildcard-example-com-tls
issuerRef:
name: letsencrypt-dns01
kind: ClusterIssuer
commonName: "*.example.com"
dnsNames:
- "*.example.com"
- "example.com" # Also cover the apex domain
duration: 2160h # 90 days
renewBefore: 720h # Renew 30 days before expiry
The resulting Secret wildcard-example-com-tls can be referenced by any Ingress in the default namespace. All subdomains — api.example.com, dashboard.example.com, staging.example.com — are covered by a single certificate that rotates automatically.
For Cloudflare instead of Route53, the solver section looks like this:
Demo 2 — Set Up an Internal CA for Service-to-Service TLS
Let's Encrypt certificates are great for public-facing services. But for internal services — a gRPC microservice calling another, a web application talking to its database — you don't need public trust. You need a CA that the cluster trusts, and you need it to issue certificates for service names that don't exist as public DNS records.
cert-manager's CA issuer handles this. You create a root CA, tell cert-manager about it, and then issue certificates for internal services using that CA. Every service that trusts the root CA trusts every certificate it issues.
Step 1: Create a self-signed ClusterIssuer
A self-signed issuer generates certificates that are signed by the certificate itself — it is its own CA. You use this as a bootstrap step to create the root CA certificate:
Your application reads /etc/tls/tls.crt and /etc/tls/tls.key to configure TLS. Other services that need to trust it read /etc/tls/ca.crt.
Step 5: Distribute the CA bundle with trust-manager
The problem with a custom CA is that every service needs to know about it. cert-manager's companion tool, trust-manager, handles this by distributing the CA bundle as a ConfigMap to every namespace:
Create a Bundle resource that takes the CA certificate from the internal-ca-secret and distributes it cluster-wide:
# ca-bundle.yaml
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
name: internal-ca-bundle
spec:
sources:
- secret:
name: internal-ca-secret
key: ca.crt
target:
configMap:
key: ca-bundle.crt
namespaceSelector:
matchLabels:
# Distribute to all namespaces with this label
kubernetes.io/metadata.name: production
kubectl apply -f ca-bundle.yaml
After a few seconds, every matching namespace has a ConfigMap named internal-ca-bundle containing the CA certificate. Applications mount this ConfigMap to trust internally-issued certificates without any per-service configuration.
Step 6: Verify the certificate chain
# Extract the CA cert and service cert
kubectl get secret payments-tls-secret -n production \
-o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
kubectl get secret payments-tls-secret -n production \
-o jsonpath='{.data.tls\.crt}' | base64 -d > payments.crt
# Verify the cert was signed by the CA
openssl verify -CAfile ca.crt payments.crt
payments.crt: OK
How Certificate Rotation Works
Certificate rotation is the part of certificate management that breaks production clusters most often. cert-manager handles it automatically, but understanding the mechanism helps you tune it and debug it when things go wrong.
cert-manager watches every Certificate resource it manages and checks the expiry of the underlying certificate in the Secret. When the remaining validity drops below the renewBefore threshold, cert-manager triggers a renewal. The default renewBefore is 1/3 of the certificate's total validity period — so a 90-day certificate starts renewing at day 60.
The renewal creates a new CertificateRequest, goes through the full issuance flow, and updates the Secret in place. The new certificate replaces the old one atomically. Applications that use file mounts and watch for changes (most modern web servers and gRPC frameworks do) will pick up the new certificate without restarting.
# See the current rotation status
kubectl describe certificate echo-tls -n default
Look for these fields in the output:
Status:
Not After: 2024-06-18T10:00:00Z
Not Before: 2024-03-20T10:00:00Z
Renewal Time: 2024-05-18T10:00:00Z # When cert-manager will start renewing
Conditions:
Type: Ready
Status: True
Message: Certificate is up to date and has not expired
If a renewal fails — for example, because the HTTP-01 challenge can't be completed — cert-manager retries with exponential backoff. The existing certificate continues to serve until it actually expires, giving you a window to debug the issue.
To see renewal events in real time:
kubectl get events -n default --field-selector reason=Issued
kubectl get events -n default --field-selector reason=Failed
SettingrenewBeforecorrectly: For public-facing services, 30 days before a 90-day certificate is a sensible buffer. For internal short-lived certificates (24-hour validity), set renewBefore to 8 hours so rotation happens well before expiry even if the first attempt fails. Never set renewBefore to more than half the certificate's validity — cert-manager will immediately try to renew a certificate it just issued.
Kubernetes leaves TLS configuration entirely to you. In this article you worked through both the public and internal sides of that responsibility.
On the public side, you installed cert-manager using the current OCI Helm chart, created a ClusterIssuer backed by Let's Encrypt, and watched cert-manager go through the full ACME HTTP-01 challenge flow — from creating a temporary solver pod to storing a valid certificate in a Kubernetes Secret. You saw how switching from staging to production is a one-line annotation change, and how cert-manager renews certificates automatically before they expire.
On the internal side, you bootstrapped a private CA using cert-manager's self-signed issuer, created a ClusterIssuer backed by that CA, and issued certificates for internal service names that only exist inside the cluster. You used trust-manager to distribute the CA bundle cluster-wide so services can trust each other's certificates without per-service configuration. And you saw how to verify the certificate chain with openssl so you can confirm it's working before deploying to production.
Understanding certificate rotation is what separates teams that manage TLS confidently from teams that get woken up at 3am by an expired certificate. cert-manager automates the renewal, but the renewBefore field is your safety margin — set it correctly and know how to read the renewal status.
Recently I got an invitation from an organization I respect, to a gathering of senior people, unconference format. Yes, it’s
mostly about AI. No, it doesn’t reek of boosterism. My guess is that the discussions would be relatively intelligent and
unbeliever contributions would be welcome.
I declined, because it’s in the USA.
Here’s the text; maybe someone in a similar situation might find it useful.
Thanks to whoever thought of me for the kind invitation, which I must regretfully decline.
I’m Canadian and as a matter of principle feeling negative about visiting a neighboring country whose leader has repeatedly
threatened our sovereignty and shown massive disrespect for our nationhood. Particularly when that leader has followed up
similar statements about other nations with military action.
I could probably work around that. But there’s also the issue of entering the US; if I roll up at the border and am asked to
disclose my social media output, there’s a significant risk of an extremely negative outcome. I have a family to support and
really can’t afford that risk.
I still consider myself a friend of your organization, and one with strong opinions about the subjects scheduled for
discussion; my regrets about having to decline are entirely sincere.
El sindicato de vivienda AZET ha denunciado la imposición de multas de hasta 5.000 euros a varios de sus miembros por participar en la paralización de un desahucio en el barrio bilbaíno de Zurbaranbarri. Ha puesto en marcha una campaña para hacer frente a la «ofensiva represiva».
La próxima vez que compres sardinas enlatadas, fíjate en la etiqueta. Así evitarás consumir sardinas que hayan sido congeladas previamente, envasadas en aceite de mala calidad o capturadas mediante prácticas de pesca irresponsables.
Un artículo para descubrir la economía de las sardinas y cómo comprarlas de forma inteligente. Además, mi receta favorita de paté de sardinas.
La promesa de la UE de reducir a la mitad el uso de pesticidas pierde impulso tras abandonar objetivos vinculantes. Mientras, químicos polémicos como el glifosato siguen autorizados.
De hecho, la industria rusa ha llegado a desplegar modelos de hasta 3.000 kilogramos, capaces de devastar áreas inmensas, y continúa ampliando sus ritmos de producción. Difícil de...
Bienvenidos a un nuevo episodio de "Vaquero Podcast", esta vez con con el profesor Juan Antonio de Castro.Hablamos de George Soros, de su red de influencia y...
Gadis, Froiz y Cuevas acumulan beneficios millonarios mientras sus trabajadoras cobran el salario mínimo y la mesa de negociación lleva meses paralizada.
La Cámara Alta aprueba votar el proyecto de ley por primera vez y después de ocho intentos, después de que cuatro republicanos se hayan unido a los demócratas del Senado
Europa lanza por fin su respuesta tecnológica frente a la hegemonía estadounidense. Cinco gigantes del pago móvil continental acaban de sellar una alianza histórica para unificar sus redes. A partir del año que viene, las transacciones diarias de millones de usuarios se liberarán de los circuitos transatlánticos tradicionales para circular por una infraestructura estrictamente europea e independiente.
Tres canales de TikTok que acumulan en total más de 1,5 millones de seguidores están suplantando la imagen de profesionales médicos de Brasil, México y Francia para difundir como "consejos de salud" recomendaciones sin evidencia científica: desde de infusiones de hoja de níspero para prevenir un cáncer a colocar patatas debajo de la cama para quitar la fiebre. Una investigación de VerificaRTVE analiza cómo proliferan este tipo de cuentas y cómo podemos identificarlas.
La investigación sobre el fraude millonario a las arcas del Servicio Murciano de Salud (SMS) se salda ya con once personas detenidas y dos investigadas. Y no solo por presuntos delitos económicos, sino también contra la salud pública, debido al uso de productos sanitarios caducados en operaciones quirúrgicas, lo que puso en «riesgo» a los pacientes.
Copyright © The School of Life 2017
