Configure Custom Domains or Custom Certificates post Kommander Installation

This page contains instructions on how to set up custom certificates for any cluster type after installing DKP.

There are two configuration methods:

| Configuration Method | WHILE installing the Kommander component | AFTER installing the Kommander component |
| --- | --- | --- |
| Supported cluster types | Only Essential or Management clusters | All cluster types |
| Documentation | Go to Configure the Kommander Installation with a Custom Domain and Certificate | Remain on this page |

Configuration Options

After you have installed the Kommander component of DKP, you can configure a custom domain and certificate by modifying the KommanderCluster object of your cluster. You have several options to establish a custom domain and certificate.

Choose an ACME-supported Certificate Authority if you want cert-manager to handle certificate renewal and rotation automatically.

I want to use an automatically-generated certificate with ACME

Automatically-generated Certificate

Use a certificate that is managed automatically and supported by cert-manager:

  1. Create an Issuer or ClusterIssuer with your certificate provider information. Store this object in the cluster where you want to customize the certificate and domain.

    1. See Configuration Example with Let's Encrypt if you want to use DKP’s default certificate authority.

    2. For an advanced configuration example, see Configure the Kommander Installation with a Custom Domain and Certificate | basic, and select I want to use an automatically-generated certificate with ACME and require advanced configuration.

  2. Update the KommanderCluster by referencing the name of the created Issuer or ClusterIssuer in the spec.ingress.issuerRef field.
    Enter the custom domain name in the spec.ingress.hostname field:

    CODE
    cat <<EOF | kubectl -n <workspace_namespace> --kubeconfig <management_cluster_kubeconfig> patch \
    kommandercluster <cluster_name>  --type='merge' --patch-file=/dev/stdin
    spec:
      ingress:
        hostname: <cluster_hostname>
        issuerRef:
          name: <issuer_name>
          kind: Issuer # or ClusterIssuer depending on the issuer config
    EOF

Certificates issued by another Issuer

You can also configure a certificate issued by another Certificate Authority. In this case, the CA will determine which information to include in the configuration.

I have a manually-generated certificate

Manually-generated Certificate

Use a manually-created certificate that is customized for your hostname.

  1. Obtain or create a certificate that is customized for your hostname. Store this object in the workspace namespace of the target cluster.

  2. Create a secret with the certificate in the cluster’s namespace. Give it a name by replacing <certificate_secret_name>:

    CODE
    kubectl create secret generic -n "${WORKSPACE_NAMESPACE}" <certificate_secret_name> \
      --from-file=ca.crt="$CERT_CA_PATH" \
      --from-file=tls.crt="$CERT_PATH" \
      --from-file=tls.key="$CERT_KEY_PATH" \
      --type=kubernetes.io/tls

  3. Update the KommanderCluster by referencing this secret in the spec.ingress.certificateSecretRef field and provide the custom domain name in the spec.ingress.hostname field:

    CODE
    cat <<EOF | kubectl -n <workspace_namespace> --kubeconfig <management_cluster_kubeconfig> patch \
    kommandercluster <cluster_name>  --type='merge' --patch-file=/dev/stdin
    spec:
      ingress:
        hostname: <cluster_hostname>
        certificateSecretRef:
          name: <certificate_secret_name>
    EOF

For Kommander to access the secret containing the certificate, it must be located in the workspace namespace of the target cluster.
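
Before creating the secret in step 2 of the manual procedure, you can confirm that the key belongs to the certificate, that the certificate covers the hostname, that it verifies with the CA file, and that it is not close to expiry. The following is an added example, not part of the DKP documentation or tooling; check_tls_material and make_constructed_pki are hypothetical helper names, and it assumes OpenSSL 1.1.1 or later is on the PATH.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for the three files that go into the secret.
# check_tls_material and make_constructed_pki are hypothetical helper names.

# check_tls_material <tls.crt> <tls.key> <ca.crt> <hostname> [min_days_left]
# Returns 0 only when every check passes; otherwise names the failed check.
check_tls_material() {
  local cert="$1" key="$2" ca="$3" host="$4" days="${5:-30}" cert_pub key_pub
  # 1. tls.key must be the private key for tls.crt (compare public keys).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match certificate" >&2; return 1
  fi
  # 2. The certificate must cover the value used for spec.ingress.hostname.
  if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match"; then
    echo "FAIL: certificate is not valid for $host" >&2; return 2
  fi
  # 3. tls.crt must verify with the CA bundle stored as ca.crt
  #    (openssl may also consult the system trust store).
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: certificate does not verify against the CA file" >&2; return 3
  fi
  # 4. Reject certificates that expire within the next $days days.
  if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
    echo "FAIL: certificate expires within $days days" >&2; return 4
  fi
  echo "OK: key, hostname, chain and expiry checks passed for $host"
}

# make_constructed_pki <dir> <hostname>: throwaway CA plus leaf valid for 90
# days, constructed sample input for trying the checks; never use it in a cluster.
make_constructed_pki() {
  local d="$1" host="$2"
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\nprompt=no\n[dn]\nCN=Constructed Test CA\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
  printf 'subjectAltName=DNS:%s\n' "$host" > "$d/san.ext"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 90 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -subj "/CN=$host" -newkey rsa:2048 -nodes \
    -keyout "$d/tls.key" -out "$d/tls.csr" 2>/dev/null
  openssl x509 -req -in "$d/tls.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 90 -extfile "$d/san.ext" -out "$d/tls.crt" 2>/dev/null
}

# With the variables from step 2:
# check_tls_material "$CERT_PATH" "$CERT_KEY_PATH" "$CERT_CA_PATH" <cluster_hostname>
```

A non-zero return code identifies the failed check: 1 key mismatch, 2 hostname, 3 chain, 4 expiry.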

Next Step:

Verify and Troubleshoot Domain and Certificate Customization

Related topics

Why Should You Set Up a Custom Domain or Certificate?

Configuration Example with Let's Encrypt

Advanced Configuration: ClusterIssuer
