Is it possible to use a wildcard certificate generated via cert-manager (Lets Encrypt) in multiple K8S clusters

I would be using different subdomains for different services, but those services would reside in different K8S clusters. I would like to know if I can just copy the wildcard certificate across the clusters. Also, if there is a similar example somewhere please link me to it. Any help would be appreciated.

So there is no native handling of multiple clusters in cert-manager.

That said, there is nothing to stop you copying across the resulting 'Secret' resource between clusters, either manually or automatically.

The 'kubed' project (by appscode) has support for syncing Secrets between clusters: https://github.com/appscode/kubed . Full information can be found on their website: https://appscode.com/products/kubed/0.8.0/guides/config-syncer/inter-cluster/

I hope this helps!

I know I am a bit late to the party, but writing an answer might be helpful to someone.

For a wildcard cert the DNS-01 method is required, and auth is required for it. You can use any DNS provider as per your use case, or whichever one you are already using.

Note: You might need to first add a CAA record to your DNS.

The CAA record can be added to the DNS zone.

example:

Name        Type   Value
devops.in   CAA    0 issuewild "letsencrypt.org"

Get your record details from: https://sslmate.com/caa/

First we have to create the secret for storing the access key, using the command:

kubectl create secret generic route53-secret --from-literal=secret-access-key="skjdflk4598sf/dkfj490jdfg/dlfjk59lkj"

Here is the example issuer.yaml:

# Issuer: Let's Encrypt production ACME endpoint with a DNS-01 solver via Route53.
# The Issuer is namespaced, so route53-secret must live in the same namespace.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: test123@gmail.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod       # ACME account key, created by cert-manager
    solvers:
    - selector:
        dnsZones:
          - "devops.in"            # use this solver only for names in this zone
      dns01:
        route53:
          region: us-east-1
          hostedZoneID: Z2152140EXAMPLE
          accessKeyID: AKIA5A5D7EXAMPLE
          secretAccessKeySecretRef:
            name: route53-secret   # the Secret created with kubectl above
            key: secret-access-key
---
# Certificate: same API version as the Issuer. The v1alpha2 version was
# deprecated and later removed from cert-manager, so mixing it with v1
# makes the apply fail on current releases.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: le-crt
spec:
  secretName: tls-secret           # resulting kubernetes.io/tls Secret
  issuerRef:
    kind: Issuer
    name: letsencrypt-prod
  commonName: "*.devops.in"
  dnsNames:
    - "*.devops.in"

Also make sure your user has the necessary permissions to manage Route53:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}
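Putting the two answers together: the Certificate above writes a kubernetes.io/tls Secret (tls-secret, assumed here as the name), and the first answer's approach is to copy that Secret to the other clusters. The following is an added example, not code from either answer or from cert-manager: it takes the JSON that `kubectl get secret tls-secret -o json` prints, rebuilds the object without the source cluster's bookkeeping metadata, and refuses to emit a half-populated secret. The sample input at the bottom is constructed with placeholder PEM bodies.

```python
import base64
import json
from typing import Optional


def portable_tls_secret(secret_json: str, namespace: Optional[str] = None) -> dict:
    """Rebuild a kubernetes.io/tls Secret so it can be applied to another cluster.

    secret_json is `kubectl get secret <name> -o json` output. The object is rebuilt
    from scratch, so uid, resourceVersion, managedFields etc. are never carried over.
    """
    obj = json.loads(secret_json)
    if obj.get("kind") != "Secret" or obj.get("type") != "kubernetes.io/tls":
        raise ValueError("not a kubernetes.io/tls Secret")
    data = obj.get("data") or {}
    # Refuse to ship a half-populated secret (e.g. issuance still pending).
    for key, marker in (("tls.crt", b"CERTIFICATE"), ("tls.key", b"PRIVATE KEY")):
        pem = base64.b64decode(data.get(key, "")).lstrip()
        if not (pem.startswith(b"-----BEGIN ") and marker in pem[:40]):
            raise ValueError(f"{key} is missing or not PEM")
    meta = obj["metadata"]
    new_meta = {"name": meta["name"],
                "namespace": namespace or meta.get("namespace", "default")}
    if meta.get("labels"):
        new_meta["labels"] = dict(meta["labels"])
    # cert-manager.io/* annotations refer to the source cluster's Certificate
    # object, which does not exist in the target cluster; keep only user ones.
    ann = {k: v for k, v in (meta.get("annotations") or {}).items()
           if not k.startswith("cert-manager.io/")}
    if ann:
        new_meta["annotations"] = ann
    new_data = {k: data[k] for k in ("tls.crt", "tls.key", "ca.crt") if k in data}
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": new_meta, "data": new_data}


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

# Constructed stand-in for `kubectl get secret tls-secret -o json`; the PEM
# bodies are placeholders, not real key material.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "tls-secret", "namespace": "default", "uid": "00000000-0000-4000-8000-000000000000",
                 "resourceVersion": "4711", "labels": {"app": "edge"},
                 "annotations": {"cert-manager.io/certificate-name": "le-crt", "team": "platform"}},
    "data": {"tls.crt": _b64("-----BEGIN CERTIFICATE-----\nMIIB...PLACEHOLDER...\n-----END CERTIFICATE-----\n"),
             "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nMIIE...PLACEHOLDER...\n-----END PRIVATE KEY-----\n")}})

if __name__ == "__main__":  # pipe the output to `kubectl --context <target> apply -f -`
    print(json.dumps(portable_tls_secret(SAMPLE_SECRET_JSON, namespace="ingress"), indent=2))
```

Remember that the private key then lives in every cluster you copy it to, and that the copy has to be repeated after each renewal (the kubed syncer from the first answer automates exactly that step).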
