Skip to main content

Bringing Your Own Certificates

Bring your own Wildcard Certificate#

By default, Okteto Enterprise will create a wildcard certificate for your cluster using cert-manager and Let's Encrypt. This certificate is used to secure communication to the Okteto dashboard, the build service, the registry service, and to all the applications that use [Automatic SSL Endpoints].

In certain scenarios you may want to bring your own certificates rather than let Okteto create a wildcard certificate for you. You can configure this via the wildcardCertificate configuration key in your Helm configuration file.

To start, you need the private and public keys of your certificate. The certificate must be a PEM-encoded X.509 certificate, with *.SUBDOMAIN as its Subject Alternative Name.

Import the secret into your kubernetes cluster by running the command below:

kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE} --namespace okteto

After you create the secret, add the following to your Helm configuration file to tell Okteto and NGINX to use your certificate.

wildcardCertificate:
create: false
name: your-ssl-certificate-secret
nginx-ingress:
controller:
extraArgs:
default-ssl-certificate: $(POD_NAMESPACE)/your-ssl-certificate-secret

Finally, install or upgrade your Okteto Enterprise installation for the new configuration to be applied.

Bring your own Certificate Authority#

By default, Okteto will trust a certificate issued by any well-know certificate authority. If your certificate is self-signed, issued by a new certificate authority, or issued by a private certificate authority, you'll need to import your certificate authority's public key.

First import your certificate authority by running the command below:

kubectl create secret generic ${CA_NAME} --from-literal-string=ca.crt=${CA_FILE} --namespace okteto

After you create the secret, add the following to your Helm configuration file to tell Okteto to use your certificate authority.

wildcardCertificate:
create: false
name: your-ssl-certificate-secret
privateCA:
enabled: true
secret:
name: your-ca-secret
key: ca.crt
nginx-ingress:
controller:
extraArgs:
default-ssl-certificate: $(POD_NAMESPACE)/your-ssl-certificate-secret

Finally, install or upgrade your Okteto Enterprise installation for the new configuration to be applied.