DEV Community

Jello
Issuing wildcard certificates on Kubernetes Gateway API (Part 1/2)

What you will need to follow along:

  1. A domain name and a Cloudflare API token with the permissions shown in the screenshot: [image: required Cloudflare API token permissions]
  2. Helm

First, install cert-manager:

```shell
# Add the Helm repo
helm repo add jetstack https://charts.jetstack.io

# You can drop the last --set line if you don't need the experimental Gateway API support
helm install cert-manager jetstack/cert-manager --version v1.12.3 \
    --namespace cert-manager \
    --set installCRDs=true \
    --create-namespace \
    --set "extraArgs={--feature-gates=ExperimentalGatewayAPISupport=true}"
```

Validate the deployment by executing

```shell
kubectl get pods -n cert-manager
```

which should produce the following output (all pods Running):

[image: kubectl get pods output for the cert-manager namespace]

We need a ClusterIssuer to be able to create certificates in our cluster.

First we create a Secret holding the Cloudflare token in the cert-manager namespace:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  # Substitute the real token (e.g. with envsubst) before applying; applying this
  # file verbatim stores the literal string "${CLOUDFLARE_API_TOKEN}" in the Secret.
  api-token: ${CLOUDFLARE_API_TOKEN}
```
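The `${CLOUDFLARE_API_TOKEN}` placeholder above has to be substituted before the manifest is applied, and a common failure is applying it verbatim so the ClusterIssuer later fails with a Cloudflare authentication error. The following shell function is an added example (not part of the original post) that renders the Secret from the environment variable, refuses to produce a manifest when the token is empty, and is meant to be piped into `kubectl apply -f -` so the token never appears as a command-line argument (which would be visible in process listings and shell history). The `APPLY` switch is an assumption of this example.

```shell
#!/bin/sh
# Render the cloudflare-api-token-secret manifest from $CLOUDFLARE_API_TOKEN.
# Prints YAML on stdout; returns 1 and prints nothing if the token is missing.
render_cloudflare_secret() {
  token="${CLOUDFLARE_API_TOKEN:-}"
  if [ -z "$token" ]; then
    echo "CLOUDFLARE_API_TOKEN is not set; refusing to render a Secret with an empty token" >&2
    return 1
  fi
  # Quoting the value keeps YAML from reinterpreting characters in the token.
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-token: "$token"
EOF
}

# Returns 0 if a rendered manifest still contains the unexpanded placeholder,
# i.e. the file was about to be applied without substitution.
manifest_has_unexpanded_placeholder() {
  printf '%s\n' "$1" | grep -qF -- '${CLOUDFLARE_API_TOKEN}'
}

# Usage (hypothetical switch): APPLY=1 ./script.sh pipes the manifest straight
# into kubectl, so the token is passed on stdin rather than as an argument.
if [ "${APPLY:-0}" = 1 ]; then
  render_cloudflare_secret | kubectl apply -f -
fi
```

Because `render_cloudflare_secret` writes to stdout only, the same function works with `kubectl apply --dry-run=client -f -` to validate the manifest before anything is stored in the cluster.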

Then we can create the cluster issuer:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cloudflare-domain-issuer
spec:
  acme:
    # Contact address registered with Let's Encrypt for this ACME account
    email: email-to-register-domain
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - dns01:
        cloudflare:
          # Only needed with a legacy global API key; not used with an API token
          email: cloudflare-email
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token
```

```shell
kubectl get clusterissuer
```

[image: kubectl get clusterissuer output showing READY True]

If the ClusterIssuer is Ready, we can issue our wildcard certificate.

Note: `secretName` specifies the name of the Kubernetes Secret where the generated certificate and private key will be stored.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: certificate-fine-ops
  namespace: default
spec:
  dnsNames:
    - "*.fine-ops.com"
  secretName: fine-ops
  issuerRef:
    name: cloudflare-domain-issuer
    kind: ClusterIssuer
```

```shell
kubectl get certificate -n default   # READY becomes True once the certificate is issued
kubectl get cr -n default            # cr = certificaterequests, shows the ACME order progress
```

[image: kubectl output showing the issued certificate]
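`READY True` tells you cert-manager stored something in the `fine-ops` Secret, but not whether that certificate actually carries the wildcard name or how close it is to expiry. The script below is an added example (not from the original post) that pulls `tls.crt` out of the Secret and checks its Subject Alternative Names and remaining validity with `openssl`. To keep it runnable without a cluster, it also generates a constructed self-signed wildcard certificate for `fine-ops.com`; the `LIVE` switch, the `fetch_tls_crt` helper and the constructed certificate are assumptions of this example.

```shell
#!/bin/sh
# Read the PEM certificate out of a cert-manager managed TLS Secret.
# $1 = secret name, $2 = namespace
fetch_tls_crt() {
  kubectl get secret "$1" -n "$2" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# Return 0 if the certificate in PEM file $1 lists $2 as an exact DNS SAN entry.
# The SAN line is split on commas and compared whole, so '*.fine-ops.com' does
# not match a certificate that only carries 'fine-ops.com' (or vice versa).
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*DNS://; s/[[:space:]]*$//' \
    | grep -qxF -- "$2"
}

# Return 0 if the certificate in PEM file $1 is still valid $2 seconds from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Constructed test fixture: a one-day self-signed wildcard certificate for $3,
# standing in for what Let's Encrypt would issue. $1 = cert path, $2 = key path.
make_constructed_wildcard_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$2" -out "$1" -days 1 -subj "/CN=$3" \
    -addext "subjectAltName=DNS:*.$3,DNS:$3" >/dev/null 2>&1
}

# Live usage (hypothetical switch): LIVE=1 ./check.sh fine-ops default fine-ops.com
if [ "${LIVE:-0}" = 1 ]; then
  tmp=$(mktemp -d)
  fetch_tls_crt "$1" "$2" > "$tmp/tls.crt"
  cert_has_san "$tmp/tls.crt" "*.$3" && echo "wildcard SAN present" || echo "wildcard SAN missing"
  # Warn if less than 30 days remain; cert-manager should have renewed well before this.
  cert_valid_for "$tmp/tls.crt" $((30 * 24 * 3600)) && echo "valid for 30+ days" || echo "renewal overdue"
  rm -rf "$tmp"
fi
```

The 30-day threshold is a conservative alarm: cert-manager renews a Certificate once two thirds of its lifetime have elapsed by default (`renewBefore` defaults to one third of `duration`), so a Let's Encrypt certificate with fewer than 30 days left usually means renewal is failing and `kubectl describe certificate` is the next place to look.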

Here you have it :)

Next: Using the certificate in the Kubernetes Gateway API (Part 2/2)