I want to set up a wildcard domain certificate on a Kubernetes cluster.
I got a crt/key pair, and an intermediate crt from my CA
I've created a Secret referencing the crt/key pair (I've tried with and without the intermediate crt)
```yaml
apiVersion: v1
data:
  tls.crt: LS0tLS1CRUd...
  tls.key: LS0tLS1CRUd...
kind: Secret
metadata:
  name: wildcard-key-pair
type: kubernetes.io/tls
```
Then I've created a Certificate and the related Issuer, using cert-manager and following their documentation from https://docs.cert-manager.io/en/latest/tasks/issuers/setup-ca.html
```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: wildcard-issuer
  namespace: default
spec:
  ca:
    secretName: wildcard-key-pair
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: wildcard
  namespace: default
spec:
  secretName: wildcard-tls-secret
  dnsNames:
  - '*.example.com'
  - example.com
  commonName: '*.example.com'
  organization:
  - example
  issuerRef:
    name: wildcard-issuer
    kind: Issuer
```
But when I describe my certificate, using kubectl, I get the following error:

```
Error getting keypair for CA issuer: certificate is not a CA
```
I'm kind of confused about the whole process of getting my wildcard DNS working on my Kubernetes cluster, so if you have any idea that could point me in the right direction, don't hesitate to share your thoughts.
This guide will explain how to generate a new signing key pair, however you can substitute it for your own *so long as it has the CA flag set.* - johnharris85