Edit this page
Report an issueCustom CA Certificates
Kong Gateway Operator uses a CA certificate to sign the certificates used by the ControlPlane and DataPlane components (for example, for securing Kong’s Admin API).
This CA certificate is retrieved from a Kubernetes Secret as configured via --cluster-ca-secret and --cluster-ca-secret-namespace flags.
By default, the operator uses a self-signed CA certificate generated during the startup process.
However, you can provide your own CA certificate to the operator by creating a Kubernetes Secret with the CA certificate.
Create a Kubernetes Secret
To provide your own CA certificate to the operator, you need to create a Kubernetes Secret containing the CA certificate and key.
This Secret has to contain the following fields:
-
tls.crt: The CA certificate -
tls.key: The private key of the CA certificate
Supported private key algorithms
Operator supports the following private key algorithms, which can be used to sign the certificates:
- ECDSA: When this algorithm is used, Operator will use the
ECDSAWithSHA256signature algorithm to sign the certificates.
