Using wildcard certificates with cert-manager in Kubernetes and replicating across all namespaces

Pablo Loschi, published in ITNEXT, Aug 24, 2018

Based on this previous story, we started managing several certificates for different applications, and it was becoming hard to maintain (we were also hitting the Let's Encrypt rate limits), so together with Lucas Collino we found a way to use wildcard certificates (as recommended).

This lets us create a single *.mycompany.com certificate that covers all the applications we support.

The certificate is stored in a secret in the kube-system namespace; we replicate that secret across all namespaces so developers can use it from their own namespaces.

This guide assumes that you have followed the previous one and have Helm and cert-manager working.

Create the wildcard certificate

$ cat management-mycompany-com.yaml
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: management-mycompany-com
  namespace: kube-system
spec:
  secretName: management-mycompany-com-tls
  issuerRef:
    name: letsencryptdns
    kind: ClusterIssuer
  dnsNames:
  - '*.management.mycompany.com'
  acme:
    config:
    - dns01:
        provider: dns
      domains:
      - '*.management.mycompany.com'

After a few minutes the certificate should be issued and the secret created.

$ kubectl get certificates -n kube-system
NAME                    AGE
sandbox-mycompany-com   5m
$ kubectl describe certificate sandbox-mycompany-com -n kube-system
...  Message:  Certificate issued successfully  ...
$ kubectl get secret sandbox-mycompany-com-tls -n kube-system
NAME                        TYPE                DATA   AGE
sandbox-mycompany-com-tls   kubernetes.io/tls   2      5m

Replicate the secret across all namespaces

We use this tool (mittwald's kubernetes-replicator, whose replicator.v1.mittwald.de annotation is shown below) to replicate the secret containing the certificate across all namespaces.

First, create a file named replicatedsecret.yaml containing:

apiVersion: v1
kind: Secret
metadata:
  name: auxsecret
  annotations:
    replicator.v1.mittwald.de/replicate-from: kube-system/auxsecret
data: {}
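Once the replicator has done its work, every namespace holding a copy of that secret also holds the private key for the whole wildcard, so it is worth knowing exactly where the copies are and whether they are current. The script below is an added example, not code from this article or from the kubernetes-replicator project: it reads the JSON that `kubectl get secrets -A -o json` prints, finds every secret whose replicate-from annotation (the one used above) points at the origin, and reports copies in namespaces outside an allow list as well as copies whose data no longer matches the origin (for example after a renewal). The embedded secret list, the namespace names and the allow list are constructed sample data; the base64 values are placeholders, not real certificates or keys.

```python
"""Audit where a replicated TLS secret has landed and whether the copies are current.

Added example: runs offline against a constructed secret list shaped like the output of
`kubectl get secrets -A -o json`; pipe real output on stdin to audit a cluster.
"""
import json
import sys

# Pull-style annotation of mittwald's kubernetes-replicator, as used in the article.
REPLICATE_FROM = "replicator.v1.mittwald.de/replicate-from"

# Constructed sample (not a real cluster). Namespaces and data values are placeholders.
SAMPLE_SECRET_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {  # origin secret, as written by cert-manager
            "metadata": {"name": "auxsecret", "namespace": "kube-system", "annotations": {}},
            "type": "kubernetes.io/tls",
            "data": {"tls.crt": "Q0VSVC12Mg==", "tls.key": "S0VZLXYy"},
        },
        {  # an up-to-date replica in an allowed namespace
            "metadata": {"name": "auxsecret", "namespace": "team-a",
                         "annotations": {REPLICATE_FROM: "kube-system/auxsecret"}},
            "type": "kubernetes.io/tls",
            "data": {"tls.crt": "Q0VSVC12Mg==", "tls.key": "S0VZLXYy"},
        },
        {  # a replica still carrying the previous certificate and key
            "metadata": {"name": "auxsecret", "namespace": "team-b",
                         "annotations": {REPLICATE_FROM: "kube-system/auxsecret"}},
            "type": "kubernetes.io/tls",
            "data": {"tls.crt": "Q0VSVC12MQ==", "tls.key": "S0VZLXYx"},
        },
        {  # a replica in a namespace that was never meant to hold the wildcard key
            "metadata": {"name": "auxsecret", "namespace": "sandbox-untrusted",
                         "annotations": {REPLICATE_FROM: "kube-system/auxsecret"}},
            "type": "kubernetes.io/tls",
            "data": {"tls.crt": "Q0VSVC12Mg==", "tls.key": "S0VZLXYy"},
        },
        {  # unrelated secret; must be ignored by the audit
            "metadata": {"name": "db-creds", "namespace": "team-a", "annotations": {}},
            "type": "Opaque",
            "data": {"password": "cGFzcw=="},
        },
    ],
}


def split_ref(ref):
    """Split a 'namespace/name' reference into its two parts."""
    namespace, _, name = ref.partition("/")
    return namespace, name


def get_secret(secret_list, namespace, name):
    """Return the secret object with this namespace/name, or None."""
    for item in secret_list["items"]:
        md = item["metadata"]
        if md.get("namespace") == namespace and md.get("name") == name:
            return item
    return None


def find_replicas(secret_list, source_ref):
    """Map namespace -> secret name for every secret that pulls from source_ref."""
    replicas = {}
    for item in secret_list["items"]:
        md = item["metadata"]
        if (md.get("annotations") or {}).get(REPLICATE_FROM) == source_ref:
            replicas[md["namespace"]] = md["name"]
    return replicas


def audit(secret_list, source_ref, allowed_namespaces):
    """Report where the origin has been copied, which copies are stale, and which namespaces
    hold a copy without being on the allow list. Lists are sorted by namespace."""
    source_ns, source_name = split_ref(source_ref)
    source = get_secret(secret_list, source_ns, source_name)
    findings = {"missing_source": source is None, "wrong_type": False,
                "unexpected": [], "stale": [], "in_sync": []}
    if source is None:
        return findings
    # The origin must be a TLS secret with both halves present, or the replicas are useless.
    findings["wrong_type"] = (source.get("type") != "kubernetes.io/tls"
                              or not {"tls.crt", "tls.key"} <= set(source.get("data") or {}))
    for ns, name in sorted(find_replicas(secret_list, source_ref).items()):
        if ns not in allowed_namespaces:
            findings["unexpected"].append(ns)
        replica = get_secret(secret_list, ns, name)
        # A copy whose data differs from the origin has not picked up the latest renewal.
        if replica.get("data") == source.get("data"):
            findings["in_sync"].append(ns)
        else:
            findings["stale"].append(ns)
    return findings


if __name__ == "__main__":
    # With no piped input, audit the constructed sample; otherwise read kubectl's JSON.
    secrets = SAMPLE_SECRET_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(audit(secrets, "kube-system/auxsecret", {"team-a", "team-b"}), indent=2))
```

Run as `kubectl get secrets -A -o json | python audit_replicas.py` (file name assumed) with the origin reference and allow list adjusted to your cluster; the comparison is on the encoded data, so a stale replica shows up immediately after cert-manager renews the origin, before any TLS error does.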
