How do I configure the Okteto wildcard certificate with cert-manager and Google Cloud DNS?
The recommended solution is to use Workload Identity.
You need to create a Service Account
in the same Google Cloud project as your GKE cluster. Give it the DNS Administrator
roles.
Bind the GCP Service Account you just created with the K8S Service Account of cert-manager. Replace the variables below with your own information.
gcloud iam service-accounts add-iam-policy-binding \
${GSA_NAME}@${GSA_PROJECT}.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:${PROJECT_ID}.svc.id.goog[${RELEASE_NAMESPACE}/certmanager]"
and add these options to your cert-manager Helm configuration file:
extraArgs: [--issuer-ambient-credentials=true]
serviceAccount:
annotations:
iam.gke.io/gcp-service-account: GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com
Once your cert-manager is configured this way, create the following Issuer
in the okteto
namespace:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: okteto-letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: "<<your-email>>"
privateKeySecretRef:
name: okteto-letsencrypt-acme
solvers:
- http01:
ingress:
serviceType: ClusterIP
class: nginx
- dns01:
cloudDNS:
project: "<<your-google-project-id>>"
and the following Certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: okteto-letsencrypt
spec:
secretName: okteto-letsencrypt
duration: 8760h0m0s
renewBefore: 600h0m0s # 25d
issuerRef:
name: okteto-letsencrypt-acme
kind: Issuer
dnsNames:
- "*.<<your-okteto-subdomain>>"
Now, add the following to your Okteto Helm configuration file to tell Okteto and NGINX to use your certificate:
wildcardCertificate:
create: false
name: okteto-letsencrypt
ingress-nginx:
controller:
extraArgs:
default-ssl-certificate: $(POD_NAMESPACE)/okteto-letsencrypt
Finally, upgrade your Okteto installation for the new configuration to be applied.
For troubleshooting, you can check the cert manager logs, and the events associated to the resources Challenge
, Order
and CertificateRequest
.