Bring your own Wildcard Certificate
For this, you'll need the private and public keys of your certificate. The certificate must be a PEM-encoded X.509 certificate in PKCS1 format, with *.SUBDOMAIN
as its Subject Alternative Name
.
Import the secret into your kubernetes cluster by running the command below:
kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE} --namespace okteto
Where CERT_NAME
is your-ssl-certificate-secret
.
After you create the secret, add the following to your Helm configuration file to tell Okteto and NGINX to use your certificate.
wildcardCertificate:
create: false
name: your-ssl-certificate-secret
ingress-nginx:
controller:
extraArgs:
default-ssl-certificate: $(POD_NAMESPACE)/your-ssl-certificate-secret
You can use any certificate provider you are familiar with if it's compatible with the x.509 and PKCS1 standards. For example, we have a guide maintained by the community to configure your certificate with GoDaddy.
Finally, upgrade your Okteto installation for the new configuration to be applied.
If publicOverride
is set, its value must also be included in the certificate's Subject Alternative Name
list. For example, if you use dev.example.com
as the publicOverride
, and okteto.net
as the subdomain
, you need to generate a certificate that includes *.okteto.net
and dev.example.com
in the Subject Alternative Name
list.
Bring your own Certificate Authority
By default, Okteto will trust a certificate issued by any well-know certificate authority. If your certificate is self-signed, issued by a new certificate authority, or issued by a private certificate authority, you'll need to import your certificate authority's public key.
First import your certificate authority by running the command below:
kubectl create secret generic ${CA_NAME} --from-file=ca.crt=${CA_FILE} --namespace okteto
Where CA_NAME
is your your-ca-secret
.
After you create the secret, add the following to your Helm configuration file to tell Okteto to use your certificate authority:
wildcardCertificate:
create: false
name: your-ssl-certificate-secret
privateCA:
enabled: true
secret:
name: your-ca-secret
key: ca.crt
ingress-nginx:
controller:
extraArgs:
default-ssl-certificate: $(POD_NAMESPACE)/your-ssl-certificate-secret
Finally, upgrade your Okteto instance for the new configuration to be applied. We recommend that you upgrade to the same version that you already have to minimize the changes and help you troubleshoot any issues.