How do I configure the Okteto wildcard certificate with cert-manager and Civo DNS?
Our team created an open source external issuer that is compatible with Civo DNS.
In order to use it, first you need to install cert-manager in your cluster. You can use the marketplace versions, or follow their official instructions.
Once cert-manager is up and running, the next step is to install the certificate-manager-civo-webhook in your cluster:
helm repo add okteto https://charts.okteto.com
helm repo update
helm install --namespace cert-manager cert-manager-webhook-civo okteto/cert-manager-webhook-civo
Once the cert-manager and certmanager-civo-webhook are configured, create the following Issuer in the okteto namespace:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: okteto-letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: "<<your-email>>"
    privateKeySecretRef:
      name: okteto-letsencrypt
    solvers:
    - dns01:
        webhook:
          solverName: "civo"
          groupName: civo.webhook.okteto.com
          config:
            secretName: civo-secret
The Civo issuer needs an API token in order to create the required entries in your DNS to validate the wildcard certificate. Get it from the dashboard, and create a secret for it:
kubectl create secret generic civo-secret --from-literal=api-key=<YOUR_CIVO_TOKEN> --namespace okteto
And finally, create the Certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: okteto-letsencrypt
spec:
  secretName: okteto-letsencrypt
  duration: 8760h0m0s
  renewBefore: 600h0m0s # 25d
  issuerRef:
    name: okteto-letsencrypt
    kind: Issuer
  dnsNames:
  - "*.<<your-okteto-subdomain>>"
Now, add the following to your Okteto Helm configuration file to tell Okteto and NGINX to use your certificate:
wildcardCertificate:
  create: false
  name: okteto-letsencrypt
ingress-nginx:
  controller:
    extraArgs:
      default-ssl-certificate: $(POD_NAMESPACE)/okteto-letsencrypt
Finally, upgrade your Okteto installation for the new configuration to be applied.
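A post-install check for the steps above, as an added example that is not part of the original post or the Okteto project: it confirms that the issued secret really carries the wildcard name and that the certificate is not sitting unrenewed inside the `renewBefore` window. It assumes `kubectl` and `openssl` are on the PATH; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes kubectl and openssl on PATH
# and the names used in the steps above.
NS=okteto
NAME=okteto-letsencrypt
RENEW_BEFORE_SECONDS=$((600 * 3600))  # renewBefore: 600h0m0s in the Certificate

# cert_has_san PEM_FILE DNS_NAME: succeeds only if DNS_NAME is listed as a SAN.
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$2"
}

# renewal_overdue PEM_FILE: succeeds if the certificate expires within the
# renewBefore window, meaning cert-manager should already have replaced it.
# An unreadable file also counts as overdue (fail closed).
renewal_overdue() {
  ! openssl x509 -in "$1" -noout -checkend "$RENEW_BEFORE_SECONDS" >/dev/null 2>&1
}

# check_issued WILDCARD_NAME: pulls tls.crt from the secret and runs both checks.
check_issued() {
  pem=$(mktemp) || return 2
  kubectl -n "$NS" get secret "$NAME" -o 'jsonpath={.data.tls\.crt}' |
    base64 -d > "$pem"
  rc=0
  if ! cert_has_san "$pem" "$1"; then
    echo "FAIL: $1 is not a SAN of $NS/$NAME" >&2
    rc=1
  fi
  if renewal_overdue "$pem"; then
    echo "FAIL: $NS/$NAME is inside renewBefore; inspect the Order and Challenge resources and civo-secret" >&2
    rc=1
  fi
  rm -f "$pem"
  return "$rc"
}

# Usage: sh check-cert.sh '*.dev.example.com'   (constructed example name)
if [ "$#" -gt 0 ]; then
  check_issued "$1"
fi
```

A renewal that stays overdue usually points at the DNS-01 step, so the Civo API token in `civo-secret` is the first thing to check.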
Hi @ramiro, is there a similar example but for Azure AKS?
@scheung38 we don’t have one yet, but GitHub - okteto/cert-manager-webhook-civo: A webhook to use CIVO DNS as a DNS issuer for cert-manager. has information that can help you get started.