If you have not installed DKP yet, you can also configure a custom domain during the installation of DKP.
Once you have installed the Kommander component of DKP, you can configure a custom domain and certificate by modifying the KommanderCluster object of your cluster.
Important Concepts
IssuerRef, ClusterIssuerRef or certificateSecretRef?
If you use a certificate issued and managed automatically by cert-manager, you need an Issuer or ClusterIssuer that you reference in your KommanderCluster resource. The referenced object must contain the information of your certificate provider.
If you want to use a manually-created certificate, you need a secret that you reference in your KommanderCluster resource.
Management, Managed or Attached cluster? Location of the KommanderCluster and Issuer objects
In the Management or Essential cluster, both the KommanderCluster and issuer objects are stored on the same cluster. The issuer can be referenced as an Issuer, ClusterIssuer or certificateSecretRef.
In Managed and Attached clusters, the KommanderCluster object is stored on the Management cluster. The Issuer, ClusterIssuer or certificateSecretRef is stored on the Managed or Attached cluster.
Configuration
You have two options to update the KommanderCluster resource and establish a custom domain and certificate.
Follow the instructions that match whether you need to reference an automatically-generated certificate or a manually-generated certificate:
Use an automatically-generated certificate
Use a certificate that is managed automatically and supported by cert-manager:
Create an Issuer or ClusterIssuer with your certificate provider information. Store this object in the cluster where you want to customize the certificate and domain.
For an example of how to do this, refer to Configure your Custom Domain and Certificate.
Update the KommanderCluster by referencing the name of the created Issuer or ClusterIssuer in the spec.ingress.issuerRef field.
Enter the custom domain name in the spec.ingress.hostname field:
CODE
cat <<EOF | kubectl -n <workspace_namespace> --kubeconfig <management_cluster_kubeconfig> patch \
  kommandercluster <cluster_name> --type='merge' --patch-file=/dev/stdin
spec:
  ingress:
    hostname: <cluster_hostname>
    issuerRef:
      name: <issuer_name>
      kind: Issuer # or ClusterIssuer depending on the issuer config
EOF
Use a manually-generated certificate
Use a manually-created certificate that is customized for your hostname.
Obtain or create a certificate that is customized for your hostname. Store this object in the workspace namespace of the target cluster.
Create a secret with the certificate in the cluster’s namespace. Give it a name by replacing <certificate_secret_name>:
CODE
kubectl create secret generic -n "${WORKSPACE_NAMESPACE}" <certificate_secret_name> \
  --from-file=ca.crt="$CERT_CA_PATH" \
  --from-file=tls.crt="$CERT_PATH" \
  --from-file=tls.key="$CERT_KEY_PATH" \
  --type=kubernetes.io/tls
Update the KommanderCluster by referencing this secret in the spec.ingress.certificateSecretRef field and provide the custom domain name in the spec.ingress.hostname field:
CODE
cat <<EOF | kubectl -n <workspace_namespace> --kubeconfig <management_cluster_kubeconfig> patch \
  kommandercluster <cluster_name> --type='merge' --patch-file=/dev/stdin
spec:
  ingress:
    hostname: <cluster_hostname>
    certificateSecretRef:
      name: <certificate_secret_name>
EOF
In order for Kommander to access the secret containing the certificate, it must be located in the workspace namespace of the target cluster.
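A manually-created certificate is not checked by cert-manager, so it is worth validating the three files before they go into the secret. The following is an added example, not part of the DKP documentation: check_tls_material is a hypothetical helper that uses the openssl CLI, and the 7-day expiry margin is an assumption you can change.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks on the files that feed the TLS secret.
# check_tls_material is a hypothetical helper, not a DKP or kubectl command.
# Arguments: <tls.crt> <tls.key> <ca.crt> <hostname for spec.ingress.hostname>
check_tls_material() {
  local cert="$1" key="$2" ca="$3" host="$4" f cert_pub key_pub

  for f in "$cert" "$key" "$ca"; do
    [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
  done

  # 1. tls.crt and tls.key must be a pair: compare their public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: private key does not match certificate" >&2; return 1; }

  # 2. The certificate must cover the custom domain. -checkhost reports the
  #    result as text, so match on the success message.
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' \
    || { echo "FAIL: certificate is not valid for $host" >&2; return 1; }

  # 3. The certificate must not expire within 7 days (assumed margin).
  openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null \
    || { echo "FAIL: certificate expires within 7 days" >&2; return 1; }

  # 4. The certificate must chain to the CA stored as ca.crt.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: certificate does not verify against $ca" >&2; return 1; }

  echo "OK: certificate, key and CA are consistent for $host"
}

# Run the checks when the script is called with the four arguments.
if [ "$#" -eq 4 ]; then
  check_tls_material "$@"
fi
```

Run it with the same paths you pass as $CERT_PATH, $CERT_KEY_PATH and $CERT_CA_PATH, plus the value you intend to set as <cluster_hostname>, and create the secret only when it prints OK.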
Next Step:
Verify and Troubleshoot Configuration Status
Related topics
Why Should you set up a Custom Domain or Certificate?
Configuration Example with Let's Encrypt
Advanced Configuration: ClusterIssuer