Custom CA Certificates
Kong Gateway Operator uses a CA certificate to sign the certificates used by the ControlPlane and DataPlane components (for example, for securing Kong’s Admin API). This CA certificate is retrieved from a Kubernetes Secret configured via the --cluster-ca-secret and --cluster-ca-secret-namespace flags.
By default, the operator uses a self-signed CA certificate generated during the startup process. However, you can provide your own CA certificate to the operator by creating a Kubernetes Secret with the CA certificate.
Create a Kubernetes Secret
To provide your own CA certificate to the operator, you need to create a Kubernetes Secret containing the CA certificate and key. This Secret has to contain the following fields:
- tls.crt: The CA certificate
- tls.key: The private key of the CA certificate
Configure the private key algorithm
You can specify the private key algorithm used to sign the certificates with the --cluster-ca-key-type flag. It currently supports the following values:
- ecdsa
- rsa
When this flag is set to rsa, you can also set the --cluster-ca-key-size flag to specify the size of the RSA key.
Supported private key algorithms
Operator supports the following private key algorithms, which can be used to sign the certificates:
- ECDSA: When this algorithm is used, Operator will use the ECDSAWithSHA256 signature algorithm to sign the certificates.
- RSA: When this algorithm is used, Operator will use the SHA256WithRSA signature algorithm to sign the certificates.
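As an added example (not the operator's own code), the following Go program builds the two Secret fields described above for either key type the operator accepts; the key-type strings, flag names and field names come from this page, while the CommonName and the ten-year validity are constructed values. Go picks ECDSAWithSHA256 for a P-256 key and SHA256WithRSA for an RSA key, so the resulting CA uses the same signature algorithms listed for the operator.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NewClusterCASecret self-signs a CA for the --cluster-ca-key-type value ("ecdsa" or "rsa";
// rsaBits mirrors --cluster-ca-key-size) and returns the tls.crt/tls.key Secret data.
func NewClusterCASecret(keyType string, rsaBits int) (map[string][]byte, error) {
	var key crypto.Signer
	var err error
	switch keyType {
	case "ecdsa":
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // Go signs P-256 with ECDSAWithSHA256
	case "rsa":
		key, err = rsa.GenerateKey(rand.Reader, rsaBits) // Go signs RSA with SHA256WithRSA
	default:
		err = fmt.Errorf("unsupported --cluster-ca-key-type %q", keyType)
	}
	if err != nil {
		return nil, err
	}
	// Constructed CA identity and validity: CA bit set, key usable only for signing certificates.
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kong-operator-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	// PEM is what goes into the Secret fields; Kubernetes stores it base64-encoded under .data.
	return map[string][]byte{
		"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
		"tls.key": pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}),
	}, nil
}
```

The returned map has the shape of a corev1.Secret Data field; written to two files, the same material can be loaded with kubectl create secret generic <name> --from-file=tls.crt=ca.crt --from-file=tls.key=ca.key in the namespace passed to --cluster-ca-secret-namespace.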