Ensure your dkp configuration references the Management cluster of the environment where you want to customize the domain or certificate by setting the KUBECONFIG= environment variable, or using the --kubeconfig flag, in accordance with Kubernetes conventions.

Edit the KommanderCluster Resource

To customize the domain or certificate of a cluster, alter the spec values of the ingress object in the KommanderCluster resource. Note that you can reference an issuer as an issuerRef OR a secret as a certificateSecretRef, as long as the object is created in the cluster where you want to customize the configuration.

Management, Managed or Attached cluster?

In the Management cluster, both the KommanderCluster and issuerRef or certificateSecretRef objects are on the same cluster. In Managed and Attached clusters, the KommanderCluster object is stored on the Management cluster, and the issuerRef or certificateSecretRef object is on the Managed or Attached cluster.


Use the API YAML to customize the domain (via the hostname field), and the certificate (via the issuerRef or certificateSecretRef field).

You have two options to update and apply the KommanderCluster resource with the required ingress. Refer to the following examples:

  • One option is to use a certificate that is managed automatically and supported by cert-manager like ACME (if you use Let’s Encrypt, refer to the example. For this, reference the name of the Issuer or ClusterIssuer that contains your ACME provider information in the issuerRef field, and enter the custom domain name in the hostname field of the target cluster:

    cat <<EOF | kubectl -n <workspace_namespace> --kubeconfig <management_cluster_kubeconfig> patch \ 
    kommandercluster <cluster_name>  --type='merge' --patch-file=/dev/stdin
        hostname: <cluster_hostname>
          name: <issuer_name>
          kind: ClusterIssuer # or Issuer depending on the issuer config
  • Another option is to use a manually create a certificate that is customized for your hostname. Ensure the secret in the certificateSecretRef field and the custom domain name in the hostname field of the target cluster are provided:

    kubectl create secret generic -n "${WORKSPACE_NAMESPACE}" domain-tls-certs \
      --from-file=ca.crt=$CERT_CA_PATH \
      --from-file=tls.crt=$CERT_PATH \
      --from-file=tls.key=$CERT_KEY_PATH \

It is not possible to configure the namespace of the secret with a command. Ensure the secret is stored in the workspace namespace of the target cluster.

Related topics

Why Should you set up a Custom Domain or Certificate?

Configuration Example with Let's Encrypt

Verify and Troubleshoot Configuration Status