Is there a way to set up a wildcard certificate in Kong-Ingress-Controller to be used in each Ingress?
I have Kong installed from chart:
$ helm repo add kong https://charts.konghq.com
$ helm repo update
$ helm install kong/kong --generate-name --set ingressController.enabled=true --set admin.enabled=True --set admin.http.enabled=True --set ingress.enabled=True --set proxy.ingress.enabled=True --set admin.type=LoadBalancer --set proxy.type=LoadBalancer
And I would like to use HTTPS.
In the Kong ingress controller, there is a plugin to automatically manage HTTPS certificates and get them from Let's Encrypt.
You can use cert-manager with the Kong ingress, and it will do it for you.
Cert-manager will generate the wildcard certificate and store it inside a K8s secret, and you can attach the K8s secret (storing the wildcard cert) to the ingress.
Make sure you have the DNS auth method in the cert-manager for auth.
Steps to get a wildcard cert: https://medium.com/@harsh.manvar111/wild-card-certificate-using-cert-manager-in-kubernetes-3406b042d5a2
In your case, the ingress will look something like this:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: kong  # Ingress controller class name
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    certmanager.k8s.io/issuer: "letsencrypt-prod"
    certmanager.k8s.io/acme-challenge-type: dns01  # Use DNS-01 instead of HTTP, otherwise wildcard won't work
    certmanager.k8s.io/acme-dns01-provider: route53  # DNS provider
  name: ingress-resource-tls
  namespace: default
spec:
  rules:
  - host: "hello.devops.example.in"
    http:
      paths:
      - backend:
          serviceName: hello-app
          servicePort: 8080
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - "hello.devops.example.in"
    secretName: tls-secret
Had the same question for a long time.
Sol: Create a Kubernetes TLS secret with your wildcard certificates:
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: kong-proxy-tls
  namespace: kong  # or your kong installation namespace
data:
  tls.crt: "--YOUR wildcard certificate in Base64--"
  tls.key: "--YOUR wildcard certificate key in Base64--"
Now update the values.yaml file of kong helm chart (or use --set):
env:
  ssl_cert: /etc/secrets/kong-proxy-tls/tls.crt
  ssl_cert_key: /etc/secrets/kong-proxy-tls/tls.key
# ......
secretVolumes:
- kong-proxy-tls
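An added example, not part of either answer above: a Python sketch that builds the kong-proxy-tls Secret with correctly Base64-encoded PEM data and reports which Ingress hosts a wildcard name does not cover, since a wildcard stands for exactly one DNS label. The function names and the PEM bodies are constructed placeholders, and the certificate names are passed in by hand rather than parsed from the certificate.

```python
import base64
import json

# Constructed placeholder PEM blobs (not real key material).
SAMPLE_CRT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"

def wildcard_covers(pattern: str, host: str) -> bool:
    """True if a certificate name such as '*.devops.example.in' matches host.
    The '*' replaces exactly one left-most label: no apex, no nested subdomains."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h

def uncovered_hosts(cert_names, ingress_hosts):
    """Ingress hosts that none of the certificate names would match."""
    return [h for h in ingress_hosts
            if not any(wildcard_covers(n, h) for n in cert_names)]

def tls_secret(name: str, namespace: str, crt_pem: bytes, key_pem: bytes) -> dict:
    """Build a kubernetes.io/tls Secret; 'data' values must be Base64 of the PEM."""
    if b"-----BEGIN CERTIFICATE-----" not in crt_pem or b"PRIVATE KEY-----" in crt_pem:
        raise ValueError("tls.crt must hold only the PEM certificate (chain)")
    if b"PRIVATE KEY-----" not in key_pem:
        raise ValueError("tls.key must hold the PEM private key")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": name, "namespace": namespace},
        "data": {
            "tls.crt": base64.b64encode(crt_pem).decode("ascii"),
            "tls.key": base64.b64encode(key_pem).decode("ascii"),
        },
    }

if __name__ == "__main__":
    hosts = ["hello.devops.example.in", "a.b.devops.example.in", "devops.example.in"]
    print("not covered:", uncovered_hosts(["*.devops.example.in"], hosts))
    # JSON is accepted by kubectl apply -f just like YAML.
    print(json.dumps(tls_secret("kong-proxy-tls", "kong", SAMPLE_CRT, SAMPLE_KEY), indent=2))
```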