
Cluster-Wide TLS Certificate Replication

This guide explains how we use cert-manager and Kubernetes Reflector to automatically distribute a single wildcard TLS certificate to every namespace in the cluster.

Overview

Instead of requesting a new certificate for every application, we maintain one "Source of Truth" certificate. Reflector watches this certificate and mirrors it automatically.

  • Source Namespace: cert-manager
  • Secret Name: wildcard-igresc-com-tls
  • Update Frequency: Automatic (synced on cert-manager renewal)

Administrator Configuration

The following configuration is applied to the central Certificate object. The secretTemplate block ensures that the Secret cert-manager writes carries the annotations Reflector looks for. Note that this mirrors the wildcard private key into every namespace, so anyone who can read Secrets in any namespace can read it; if that is too broad, Reflector's reflection-allowed-namespaces annotation restricts mirroring to a listed set of namespaces instead.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-igresc-com
  namespace: cert-manager
spec:
  secretName: wildcard-igresc-com-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - "igresc.com"
    - "*.igresc.com"
  secretTemplate:
    annotations:
      # Permit Reflector to mirror this secret
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      # Enable automatic distribution to all current and future namespaces
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"

For Application Developers

If you are deploying a new service, you do not need to create a Certificate resource. The TLS secret is already present in your namespace.

How to use the shared certificate

Simply reference the wildcard-igresc-com-tls secret in your Ingress manifest. Reflector ensures this secret exists in your namespace with the valid, up-to-date certificate data.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: homepage-ingress
  namespace: dashboard
spec:
  rules:
  - host: dashboard.igresc.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: homepage
            port:
              number: 80
  tls:
  - hosts:
    - "dashboard.igresc.com"
    # This secret is automatically managed by the platform team
    secretName: wildcard-igresc-com-tls

Automatic Updates

When the platform team renews the wildcard certificate, your application receives the new certificate automatically. You do not need to restart your pods: most Ingress Controllers (such as NGINX or Traefik) detect the Secret update and reload the certificate without downtime.


Troubleshooting

Verify the Secret exists

To check if the secret has been successfully replicated to your namespace, run:

kubectl get secret wildcard-igresc-com-tls -n <your-namespace>

Check Replication Status

If the secret is missing, first ensure the Reflector pod is running in the cluster, then confirm the source Secret in the cert-manager namespace still carries both reflection annotations:

kubectl get pods -A -l app.kubernetes.io/name=reflector
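The two checks above only tell you that Reflector is running and that a Secret with the right name exists. As an added example (not part of the original guide or of the Reflector project), the script below goes one step further for both the administrator section and the troubleshooting section: it verifies that the source Secret actually carries the two annotations the secretTemplate is supposed to produce, and it compares the mirrored tls.crt in a target namespace byte-for-byte against the source copy, so a stale mirror is caught rather than just a missing one. It assumes the names used in this guide (cert-manager, wildcard-igresc-com-tls) and that kubectl is on PATH for the live check; the sample JSON is constructed to mimic the relevant part of kubectl get secret -o json.

```shell
#!/bin/sh
# Added example, not the guide's or Reflector's own tooling.
# Assumed names from the guide:
SRC_NS="cert-manager"
SECRET="wildcard-igresc-com-tls"

# reflection_annotations_ok JSON
# Returns 0 when the Secret JSON carries both Reflector annotations set to
# the string "true" (what the Certificate's secretTemplate should produce).
reflection_annotations_ok() {
  json="$1"
  printf '%s' "$json" | grep -q \
    '"reflector.v1.k8s.emberstack.com/reflection-allowed": *"true"' || return 1
  printf '%s' "$json" | grep -q \
    '"reflector.v1.k8s.emberstack.com/reflection-auto-enabled": *"true"' || return 1
  return 0
}

# cert_matches SOURCE_B64 MIRROR_B64
# Returns 0 when the base64 tls.crt of the mirror equals the source copy.
# An empty source is treated as a failure: there is nothing to mirror from.
cert_matches() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Constructed sample (not real cluster output) of the annotation section of
# `kubectl get secret -o json`, used for offline checks.
SAMPLE_JSON='{"metadata":{"annotations":{"reflector.v1.k8s.emberstack.com/reflection-allowed":"true","reflector.v1.k8s.emberstack.com/reflection-auto-enabled":"true"}}}'

# check_source: live check that the source Secret still has both annotations.
check_source() {
  src_json=$(kubectl get secret "$SECRET" -n "$SRC_NS" -o json 2>/dev/null) || {
    echo "$SRC_NS: source secret $SECRET not found"; return 1; }
  if reflection_annotations_ok "$src_json"; then
    echo "$SRC_NS: source secret has both reflection annotations"
  else
    echo "$SRC_NS: source secret is MISSING a reflection annotation"; return 1
  fi
}

# check_namespace NS: live check that the mirror in NS matches the source.
check_namespace() {
  ns="$1"
  src=$(kubectl get secret "$SECRET" -n "$SRC_NS" -o jsonpath='{.data.tls\.crt}' 2>/dev/null)
  mirror=$(kubectl get secret "$SECRET" -n "$ns" -o jsonpath='{.data.tls\.crt}' 2>/dev/null)
  if [ -z "$mirror" ]; then
    echo "$ns: secret $SECRET missing"; return 1
  fi
  if cert_matches "$src" "$mirror"; then
    echo "$ns: mirror matches source"
  else
    echo "$ns: mirror is STALE or source is empty"; return 1
  fi
}

# Usage (needs a cluster): ./check-mirror.sh dashboard
if [ -n "$1" ]; then
  check_source && check_namespace "$1"
fi
```

Run it with the namespace you are troubleshooting as the only argument. A "STALE" result after a renewal usually means Reflector has not yet reconciled the namespace (or was down during the renewal), which the page's pod check will confirm; a missing annotation on the source means the secretTemplate change has not been applied to the Certificate yet.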