This guide will show you how to use self-signed certificates with your Okteto Enterprise instance. This assumes that you are already familiar with Okteto's deployment guide.
```bash
brew install cfssl
```

You can also get the binaries directly from their GitHub repo.
The certificate authority is created using the information in `ca.json`. Modify as needed, and then run the following command to create the CA's private and public keys:

```bash
cfssl gencert -initca ca.json | cfssljson -bare ca
```
The intermediate certificate authority is created using the information in `intermediate-ca.json`. Modify as needed, and then run the following commands to create the intermediate CA's private and public keys:

```bash
cfssl gencert -initca intermediate-ca.json | cfssljson -bare intermediate_ca
cfssl sign -ca ca.pem -ca-key ca-key.pem -config profile.json -profile intermediate_ca intermediate_ca.csr | cfssljson -bare intermediate_ca
```
The certificate is created using the information in `certificate.json`. Modify as needed, and then run the following command to create the private and public keys:

```bash
cfssl gencert -ca intermediate_ca.pem -ca-key intermediate_ca-key.pem -config profile.json -profile=server certificate.json | cfssljson -bare self-signed-certificate
```
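Before the files go into the cluster, it is worth confirming that the leaf certificate chains to the root through the intermediate, that the private key belongs to it, and that it covers the host names you will serve. The script below is an added example, not part of Okteto's documentation; it assumes `openssl` is installed, and the `dev.example.test` domain and the throwaway chain built by `make_demo_chain` are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: sanity-check the cfssl output before creating the secrets.
# Leaf must chain to the root through the intermediate.
chain_ok() {  # chain_ok ROOT INTERMEDIATE LEAF
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}
# Private key must belong to the certificate (compare public keys).
key_matches_cert() {  # key_matches_cert KEY CERT
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}
# Certificate must cover the host name (wildcard SANs are honoured).
host_covered() {  # host_covered CERT HOSTNAME
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}
# Run all three checks on a directory holding the guide's output files.
check_bundle() {  # check_bundle DIR HOSTNAME
  chain_ok "$1/ca.pem" "$1/intermediate_ca.pem" "$1/self-signed-certificate.pem" ||
    { echo "FAIL: chain does not verify"; return 1; }
  key_matches_cert "$1/self-signed-certificate-key.pem" "$1/self-signed-certificate.pem" ||
    { echo "FAIL: key does not match certificate"; return 1; }
  host_covered "$1/self-signed-certificate.pem" "$2" ||
    { echo "FAIL: certificate does not cover $2"; return 1; }
  echo "OK: chain, key and host name check out"
}
# Constructed throwaway PKI (openssl, not cfssl) so the example runs offline.
make_demo_chain() {  # make_demo_chain DIR
  ( cd "$1" || exit 1
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    echo 'subjectAltName=DNS:*.dev.example.test' > leaf.ext
    mk() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$2-key.pem" -out "$2.csr"; }
    sign() { n=$1; e=$2; shift 2; openssl x509 -req -in "$n.csr" -days 2 -extfile "$e" -out "$n.pem" "$@"; }
    mk 'demo root' ca && sign ca ca.ext -signkey ca-key.pem &&
    mk 'demo intermediate' intermediate_ca &&
    sign intermediate_ca ca.ext -CA ca.pem -CAkey ca-key.pem -CAcreateserial &&
    mk 'demo leaf' self-signed-certificate &&
    sign self-signed-certificate leaf.ext -CA intermediate_ca.pem \
      -CAkey intermediate_ca-key.pem -CAcreateserial
  ) >/dev/null 2>&1
}
# Given DIR and HOSTNAME, check real files; with no arguments, run the demo chain.
if [ $# -ge 2 ]; then
  check_bundle "$1" "$2"
else
  d=$(mktemp -d) && make_demo_chain "$d" && check_bundle "$d" app.dev.example.test
  rm -rf "$d"
fi
```

Saved under a name of your choice, the script takes the directory holding the cfssl output and a host name under your Okteto domain as its two arguments.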
Once the certificates are created, you'll need to upload them to your Kubernetes cluster for Okteto to be able to use them.
```bash
kubectl create secret tls self-signed-certificate --key self-signed-certificate-key.pem --cert self-signed-certificate.pem --namespace okteto
```

You also need to upload the CA we just created:

```bash
kubectl create secret generic self-signed-ca --from-file=ca.crt=intermediate_ca.pem --namespace okteto
```
Update your Helm configuration file to use the certificates we created by adding the values below. You can see the extended version of these instructions here.

```yaml
wildcardCertificate:
  create: false
  name: self-signed-certificate
  privateCA:
    enabled: true
    secret:
      name: self-signed-ca
      key: ca.crt

ingress-nginx:
  controller:
    extraArgs:
      default-ssl-certificate: $(POD_NAMESPACE)/self-signed-certificate
```
Install (or upgrade) your instance by following these instructions.
Once the install/upgrade command finishes, your Okteto Enterprise instance will be configured to use the self-signed certificates you provided.
We recommend that you install the self-signed intermediate CA we created on all the devices that you'll be using to access your Okteto Enterprise instance, to avoid having any SSL trust issues.
For macOS:
- Open Keychain Access
- Import `ca-intermediate.pem` and `ca.pem` to the `Login` keychain.
- Double click on the newly added certificate in your Keychain, and set the trust policy to 'Always'