Following on from the previous story, we ended up managing several certificates for different applications and it was becoming hard to maintain (we were also hitting Let's Encrypt's rate limits), so together with Lucas Collino we found a way to use wildcard certificates (as recommended).

This lets us create a single wildcard certificate (*.sandbox.mycompany.com in the example below) that covers every application under that domain. Two things to keep in mind: Let's Encrypt only issues wildcards through the DNS-01 challenge, so the issuer must be a DNS-01 one, and a wildcard covers exactly one label, so *.sandbox.mycompany.com covers nginx.sandbox.mycompany.com but not sandbox.mycompany.com itself or a.b.sandbox.mycompany.com.

The certificate is stored in a secret in the kube-system namespace and replicated into every other namespace, so developers can reference it from their own namespaces. Keep in mind that replicating the secret also replicates the private key: anyone who can read secrets in any namespace can read the key for every host under the wildcard, so RBAC on secrets matters more than it did with per-application certificates.

This guide assumes that you have followed the previous one, and you have Helm and cert-manager working.

Create the wildcard certificate

$ cat sandbox-mycompany-com.yaml
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: sandbox-mycompany-com
  namespace: kube-system
spec:
  secretName: sandbox-mycompany-com-tls
  issuerRef:
    name: letsencryptdns
    kind: ClusterIssuer
  dnsNames:
  - '*.sandbox.mycompany.com'
  acme:
    config:
    - dns01:
        provider: dns
      domains:
      - '*.sandbox.mycompany.com'

(letsencryptdns is the DNS-01 ClusterIssuer from the previous guide; provider: dns refers to the DNS-01 provider name configured on that issuer.)

After a few minutes you should have the secret created.

$ kubectl get certificates -n kube-system
NAME                    AGE
sandbox-mycompany-com   5m

$ kubectl describe certificate sandbox-mycompany-com -n kube-system
...
Message: Certificate issued successfully
...

$ kubectl get secret sandbox-mycompany-com-tls -n kube-system
NAME                        TYPE                DATA   AGE
sandbox-mycompany-com-tls   kubernetes.io/tls   2      5m

Replicate the secret across all namespaces

We use kubernetes-replicator (the mittwald tool whose annotation appears below) to replicate the secret with the certificate across all namespaces. It watches for a secret carrying the replicate-from annotation and fills in its data from the source secret in kube-system.

First create a file named replicatedsecret.yaml containing

apiVersion: v1
kind: Secret
metadata:
  name: auxsecret
  annotations:
    replicator.v1.mittwald.de/replicate-from: kube-system/auxsecret
data: {}

And then a small script that goes through each namespace and applies it (auxsecret is replaced with the real secret name first):

echo "Enter secret to replicate (ex: sandbox-mycompany-com-tls)"
read secret
sed "s/auxsecret/$secret/g" replicatedsecret.yaml > "replicatedsecret-$secret.yaml"
# every namespace except kube-system (tail drops the NAME header line)
NS=$(kubectl get ns | grep -v kube-system | awk '{ print $1 }' | tail -n +2)
for i in $NS; do
  echo "$i"
  kubectl apply -f "replicatedsecret-$secret.yaml" -n "$i"
done

You can then verify in your own namespace that the secret sandbox-mycompany-com-tls has been replicated ;)

Another option is to follow this guide: https://www.revsys.com/tidbits/copying-kubernetes-secrets-between-namespaces

Create a test Ingress

Launch nginx in the default namespace and create a service for it.

Run kubectl run nginx --image nginx

and kubectl expose deploy nginx --port 80

You've just launched a pod with nginx in the default namespace with a service called nginx. (On kubectl 1.18 and later, kubectl run creates a bare Pod instead of a Deployment, so use kubectl create deployment nginx --image nginx there; otherwise the expose command above will not find a deployment.)

Create ingress.yaml. The tls section references the replicated wildcard secret (sandbox-mycompany-com-tls), not a per-application secret, so cert-manager is not involved and no new certificate is requested. The manifest uses the extensions/v1beta1 Ingress API of the time; on Kubernetes 1.22 and later use networking.k8s.io/v1, and on current ingress-nginx the redirect annotation is nginx.ingress.kubernetes.io/ssl-redirect.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/ssl-redirect: "false"
    kubernetes.io/ingress.class: nginx
  labels:
    app: nginx
  name: nginx-sandbox-mycompany-com
  namespace: default
spec:
  tls:
  - hosts:
    - nginx.sandbox.mycompany.com
    secretName: sandbox-mycompany-com-tls
  rules:
  - host: nginx.sandbox.mycompany.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
        path: /

(servicePort is 80 because kubectl expose --port 80 creates an unnamed port; a named port such as http would not resolve.)

Run kubectl create -f ingress.yaml - we've just created the Ingress.

Because the secret already exists in the namespace, the host is served over HTTPS with the valid Let's Encrypt wildcard certificate as soon as the ingress controller reloads its configuration, usually within seconds; there is no ACME order to wait for. Note that with ssl-redirect set to "false" plain HTTP is still accepted; set it to "true" to force all traffic through HTTPS.
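Before shipping an Ingress, it is worth checking that each host in its tls section is really covered by the wildcard, because a wildcard matches exactly one label and a mismatch only shows up as a browser warning later. The following POSIX shell check is an added example and is not code from this post or from cert-manager; the wildcard name and the host list are taken from this post's example and are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: checks that the hosts you put in an
# Ingress are covered by the wildcard secret before you apply the manifest.
# The wildcard (*.sandbox.mycompany.com) and the hosts below mirror the post's
# example and are constructed for this demo.

# wildcard_covers PATTERN HOST
# Returns 0 if HOST is matched by PATTERN using the rule TLS clients apply
# (RFC 6125): a leading "*" matches exactly one DNS label, so
# *.sandbox.mycompany.com covers nginx.sandbox.mycompany.com but neither
# sandbox.mycompany.com (the apex) nor a.b.sandbox.mycompany.com.
wildcard_covers() {
  pattern=$1
  host=$2
  case "$pattern" in
    \*.*)
      suffix=${pattern#\*.}
      case "$host" in
        *."$suffix")
          label=${host%."$suffix"}
          # the part replaced by "*" must be a single non-empty label
          case "$label" in
            ""|*.*) return 1 ;;
            *) return 0 ;;
          esac
          ;;
        *) return 1 ;;
      esac
      ;;
    *)
      # plain (non-wildcard) name: exact match only
      [ "$pattern" = "$host" ]
      ;;
  esac
}

# uncovered_hosts PATTERN HOST...
# Prints every host not covered by PATTERN, one per line; returns 1 if any.
uncovered_hosts() {
  pattern=$1
  shift
  rc=0
  for h in "$@"; do
    if ! wildcard_covers "$pattern" "$h"; then
      echo "$h"
      rc=1
    fi
  done
  return $rc
}

# dns_sans_from_pem FILE
# Prints the DNS SANs of a PEM certificate, one per line (needs openssl 1.1.1+
# for -ext). Use it on the replicated secret's tls.crt, e.g.
#   kubectl get secret sandbox-mycompany-com-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
# and feed the printed names to uncovered_hosts. Not exercised by the demo
# below, which has no certificate file to read.
dns_sans_from_pem() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Demo with constructed hosts: the first is fine, the other two are common
# mistakes (apex domain, and a second-level subdomain).
if uncovered_hosts '*.sandbox.mycompany.com' \
     nginx.sandbox.mycompany.com \
     sandbox.mycompany.com \
     api.v2.sandbox.mycompany.com; then
  echo "all hosts covered"
else
  echo "hosts above are NOT covered by the wildcard; add them to dnsNames or use a separate certificate"
fi
```

The matching is done with shell case patterns only, so the check runs anywhere kubectl does; run dns_sans_from_pem against the decoded tls.crt of the replicated secret and pass its output as the pattern to uncovered_hosts to check an Ingress against the certificate actually in the cluster rather than against what you think was issued.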

So, that’s it. I hope you find it useful and the steps are easy to follow. Please comment and/or ask questions if I missed something — I’d love to get your feedback.