Skip to main content
Version: 1.19

Bring your own Wildcard Certificate

For this, you'll need the private and public keys of your certificate. The certificate must be a PEM-encoded X.509 certificate in PKCS1 format, with *.SUBDOMAIN as its Subject Alternative Name.

Import the secret into your kubernetes cluster by running the command below:

kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE} --namespace okteto

After you create the secret, add the following to your Helm configuration file to tell Okteto and NGINX to use your certificate.

config.yaml
wildcardCertificate:
  create: false
  name: your-ssl-certificate-secret

ingress-nginx:
  controller:
    extraArgs:
      default-ssl-certificate: $(POD_NAMESPACE)/your-ssl-certificate-secret

You can use any certificate provider you are familiar with if it's compatible with the x.509 and PKCS1 standards. For example, we have a guide maintained by the community to configure your certificate with GoDaddy.

Finally, upgrade your Okteto installation for the new configuration to be applied.

info

If publicOverride is set, its value must also be included in the certificate's Subject Alternative Name list. For example, if you use dev.example.com as the publicOverride, and okteto.net as the subdomain, you need to generate a certificate that includes *.okteto.net and dev.example.com in the Subject Alternative Name list.

Bring your own Certificate Authority

By default, Okteto will trust a certificate issued by any well-know certificate authority. If your certificate is self-signed, issued by a new certificate authority, or issued by a private certificate authority, you'll need to import your certificate authority's public key.

First import your certificate authority by running the command below:

kubectl create secret generic ${CA_NAME} --from-file=ca.crt=${CA_FILE} --namespace okteto

After you create the secret, add the following to your Helm configuration file to tell Okteto to use your certificate authority:

config.yaml
wildcardCertificate:
  create: false
  name: your-ssl-certificate-secret
  privateCA:
    enabled: true
    secret:
      name: your-ca-secret
      key: ca.crt

ingress-nginx:
  controller:
    extraArgs:
      default-ssl-certificate: $(POD_NAMESPACE)/your-ssl-certificate-secret

Finally, upgrade your Okteto instance for the new configuration to be applied. We recommend that you upgrade to the same version that you already have to minimize the changes and help you troubleshoot any issues.