When you enable ACME, by default DKP generates an ACME-supported certificate with an HTTP01 solver that is provided by Let’s Encrypt.

You can also set up an advanced configuration for a Custom Domain or Custom Certificate in the installer config file for your cluster. However, in some cases, the custom configuration cannot be done completely via the installer config file, but must be specified further in a ClusterIssuer.

Whether the installer config file alone is sufficient for your custom certificate, or whether you also need a ClusterIssuer to define further configuration options, depends on the degree of customization.

If you require a ClusterIssuer, you MUST create it before you run the Kommander installation.

When Do You Need a ClusterIssuer?

The configuration of the ClusterIssuer resource depends on your DKP landscape:

How Do You Configure a ClusterIssuer?

The following image describes the configurable fields of a ClusterIssuer:

For more information on the available options, refer to the ACME section in the cert-manager documentation.

Example:

The following ClusterIssuer uses a DNS01 challenge for communication, because this example environment is not connected to the Internet. For this, specify the DNS01 challenge in the spec.acme.solvers field.

To validate the request, the ACME issuer requires an External Account Binding (EAB) that is stored in a secret. This secret is referenced in the spec.privateKeySecretRef.name field.

cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: kommander-acme-issuer
spec:
  acme:
    email: <your_email>
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: kommander-acme-issuer-account
    solvers:
      - dns01:
          route53:
            region: us-east-1
            role: arn:aws:iam::YYYYYYYYYYYY:role/dns-manager
EOF
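
A pre-install check for the requirement above that the ClusterIssuer exist before the Kommander installation runs. This is an added example, not part of the DKP documentation; the script name check_issuer.py, the need_dns01 switch and the embedded sample object are assumptions constructed for illustration.

```python
import json
import sys

# Constructed sample: the shape of `kubectl get clusterissuer kommander-acme-issuer -o json`
# for the manifest above, once cert-manager reports the issuer as Ready.
SAMPLE = {
    "kind": "ClusterIssuer",
    "metadata": {"name": "kommander-acme-issuer"},
    "spec": {"acme": {
        "email": "ops@example.com",
        "server": "https://acme-v02.api.letsencrypt.org/directory",
        "privateKeySecretRef": {"name": "kommander-acme-issuer-account"},
        "solvers": [{"dns01": {"route53": {"region": "us-east-1"}}}],
    }},
    "status": {"conditions": [{"type": "Ready", "status": "True"}]},
}


def check_issuer(obj, expected_name="kommander-acme-issuer", need_dns01=True):
    """Return a list of problems; an empty list means the issuer looks usable."""
    problems = []
    if obj.get("kind") != "ClusterIssuer":
        problems.append(f"kind is {obj.get('kind')!r}, expected ClusterIssuer")
    name = (obj.get("metadata") or {}).get("name")
    if name != expected_name:  # expected_name is an assumption taken from the example
        problems.append(f"name is {name!r}, expected {expected_name!r}")
    acme = (obj.get("spec") or {}).get("acme") or {}
    if not str(acme.get("server") or "").startswith("https://"):
        problems.append("spec.acme.server must be an https:// ACME directory URL")
    if not (acme.get("privateKeySecretRef") or {}).get("name"):
        problems.append("spec.acme.privateKeySecretRef.name is not set")
    solvers = acme.get("solvers") or []
    kinds = {k for s in solvers for k in ("dns01", "http01") if k in s}
    if not kinds:
        problems.append("spec.acme.solvers has no dns01 or http01 solver")
    elif need_dns01 and "dns01" not in kinds:
        # HTTP01 needs the ACME server to reach the cluster over HTTP.
        problems.append("only http01 solvers: not usable without inbound Internet access")
    conds = (obj.get("status") or {}).get("conditions") or []
    if not any(c.get("type") == "Ready" and c.get("status") == "True" for c in conds):
        problems.append("status has no Ready=True condition")
    return problems


if __name__ == "__main__":
    # Usage: kubectl get clusterissuer kommander-acme-issuer -o json | python3 check_issuer.py
    issues = check_issuer(json.load(sys.stdin))
    print("\n".join(issues) or "ClusterIssuer OK")
    sys.exit(1 if issues else 0)
```

A non-zero exit status lets an install pipeline stop before the Kommander installation starts.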

If you need to make changes in the configuration of your custom domain or certificate after you have installed DKP, modify the ingress in the KommanderCluster object as shown in the Custom domains and certificates configuration section.

Next Step:

DKP Kommander Configuration Reference