Wildcard TLS Certs

Setup

I use cert-manager in my K3s cluster to handle TLS certificates. For the issuer, I chose Let's Encrypt since it's free. I use Cloudflare as my DNS01 challenge provider as I already host my domain's DNS there. DNS01 is not just a convenience here: Let's Encrypt only issues wildcard certificates through the DNS-01 challenge, so an HTTP01 solver would not work for the names below.

A ClusterIssuer is cluster-scoped, so Certificate resources in any namespace can reference it. Because it has no namespace of its own, cert-manager looks for the Secrets it references (the ACME account key and the Cloudflare token) in cert-manager's own namespace. The cf-api-token Secret holds a Cloudflare API token scoped to DNS edits on this one zone, which is what the apiTokenSecretRef field expects; the email plus apiKeySecretRef form is for the account-wide Global API Key and should be avoided, since whoever holds that token can issue certificates for every name in the zone:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # ACME account key; cert-manager generates and stores it in its own namespace
      name: letsencrypt-prod-key
    solvers:
      - dns01:
          cloudflare:
            # Cloudflare API token (not the Global API Key), scoped to Zone:DNS:Edit
            # for this zone only. The Secret must live in the cert-manager namespace
            # because a ClusterIssuer reads referenced Secrets from there.
            apiTokenSecretRef:
              name: cf-api-token
              key: token

Certificates

For wildcard certificates (like *.test.lttviet.com), I create a Certificate resource. The Secret that cert-manager writes the certificate and private key into is namespace-scoped, so I use kubernetes-reflector to automatically mirror it to the other namespaces that need it. Two caveats: a wildcard name covers exactly one label, so *.test.lttviet.com does not cover test.lttviet.com itself, which needs its own dnsNames entry; and reflecting the Secret copies the wildcard private key into every listed namespace, where anyone with read access to Secrets can take it, so the allowed-namespaces list should name only the namespaces that actually terminate TLS for those hosts:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: lttviet.com
  namespace: cert-manager
spec:
  # Secret (tls.crt / tls.key) written in the cert-manager namespace
  secretName: lttviet.com
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
    group: cert-manager.io
  dnsNames:
    # wildcard cert for test.test.lttviet.com subdomains; '*.test.lttviet.com'
    # does not cover test.lttviet.com itself, that would need a separate entry
    - '*.test.lttviet.com'
  secretTemplate:
    annotations:
      # mirror the issued Secret (certificate and private key) to the 'homepage'
      # namespace only; widen these lists deliberately, never to a catch-all
      reflector.v1.k8s.emberstack.com/reflection-allowed: 'true'
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: 'homepage'
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: 'true'
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: 'homepage'
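The checks I want after applying the two manifests above, as an added shell example that is not part of the original post or of cert-manager or reflector: creating the Cloudflare token Secret in the namespace a ClusterIssuer reads from, waiting for the Certificate to become Ready, comparing the certificate fingerprint in the source and mirrored Secrets, and a pure-shell matcher that shows which hosts a wildcard dnsNames entry actually covers. The cluster-side functions assume kubectl access and openssl on the workstation and are only run when called; the CF_DNS_TOKEN variable and the hostnames fed to the matcher are constructed for the example.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumes the ClusterIssuer and
# Certificate above, kubectl pointed at the cluster, and openssl on the
# workstation for the cluster-side checks. The wildcard matcher at the bottom
# needs nothing but a POSIX shell and runs offline.

# The token Secret referenced by apiTokenSecretRef must be created in
# cert-manager's own namespace: a ClusterIssuer has no namespace of its own and
# reads referenced Secrets from the cluster resource namespace (default
# cert-manager). The token value is assumed to be scoped to Zone:DNS:Edit for
# the single zone, not the account-wide Global API Key.
create_cf_token_secret() {   # usage: create_cf_token_secret "$CF_DNS_TOKEN"
  kubectl -n cert-manager create secret generic cf-api-token \
    --from-literal=token="$1" --dry-run=client -o yaml | kubectl apply -f -
}

# Block until cert-manager has completed the DNS01 challenge.
wait_for_certificate() {     # usage: wait_for_certificate cert-manager lttviet.com
  kubectl -n "$1" wait certificate "$2" --for=condition=Ready --timeout=300s
}

# Show the SANs and expiry of the certificate stored in a TLS Secret.
show_secret_cert() {         # usage: show_secret_cert homepage lttviet.com
  kubectl -n "$1" get secret "$2" -o jsonpath='{.data.tls\.crt}' | base64 -d |
    openssl x509 -noout -ext subjectAltName -enddate
}

# SHA-256 fingerprint of the leaf certificate in a TLS Secret.
secret_fingerprint() {       # usage: secret_fingerprint <namespace> <secret>
  kubectl -n "$1" get secret "$2" -o jsonpath='{.data.tls\.crt}' | base64 -d |
    openssl x509 -noout -fingerprint -sha256
}

# Succeeds only when the reflector copy carries the same certificate as the
# source; a mismatch after a renewal means the destination namespace is not
# in reflection-allowed-namespaces / reflection-auto-namespaces.
check_mirror() {             # usage: check_mirror cert-manager homepage lttviet.com
  [ "$(secret_fingerprint "$1" "$3")" = "$(secret_fingerprint "$2" "$3")" ]
}

# Decide whether a dnsNames entry covers a host the way TLS clients do
# (RFC 6125 section 6.4.3): '*' is only honoured as the whole left-most label
# and stands in for exactly one label, so '*.test.lttviet.com' covers
# app.test.lttviet.com but neither test.lttviet.com nor a.b.test.lttviet.com.
# Exit status 0 = covered, 1 = not covered. Names are compared case-insensitively.
wildcard_covers() {          # usage: wildcard_covers <pattern> <host>
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $pattern in
    '*.'*) base=${pattern#\*.} ;;
    *) if [ "$pattern" = "$host" ]; then return 0; else return 1; fi ;;
  esac
  label=${host%".$base"}            # strip the ".base" suffix, if present
  if [ "$label" = "$host" ] || [ -z "$label" ]; then
    return 1                        # different suffix, or the base name itself
  fi
  case $label in
    *.*) return 1 ;;                # the wildcard may stand in for one label only
  esac
  return 0
}

# Offline demonstration on constructed hostnames.
for h in app.test.lttviet.com test.lttviet.com a.b.test.lttviet.com; do
  if wildcard_covers '*.test.lttviet.com' "$h"; then
    echo "covered:     $h"
  else
    echo "not covered: $h"
  fi
done
```

After a renewal, check_mirror is the quick way to confirm reflector actually pushed the new Secret into homepage; if the fingerprints differ, the pods there are still serving the old certificate even though cert-manager reports Ready.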