Custom CA Certificates
Kong Gateway Operator uses a CA certificate to sign the certificates used by the ControlPlane and DataPlane components (for example, for securing Kong’s Admin API).
This CA certificate is retrieved from a Kubernetes Secret selected by the --cluster-ca-secret and --cluster-ca-secret-namespace flags.
By default, the operator uses a self-signed CA certificate generated during the startup process.
However, you can provide your own CA certificate to the operator by creating a Kubernetes Secret with the CA certificate.
Create a Kubernetes Secret
To provide your own CA certificate to the operator, you need to create a Kubernetes Secret containing the CA certificate and key.
This Secret has to contain the following fields:
- tls.crt: The CA certificate
- tls.key: The private key of the CA certificate
Configure the private key algorithm
You can specify the private key algorithm used to sign the certificates with the --cluster-ca-key-type flag.
It currently supports the following values:
- ecdsa
- rsa
When this flag is set to rsa, you can also set the --cluster-ca-key-size flag to specify the size of the RSA key.
Supported private key algorithms
Operator supports the following private key algorithms, which can be used to sign the certificates:
- ECDSA: When this algorithm is used, Operator will use the ECDSAWithSHA256 signature algorithm to sign the certificates.
- RSA: When this algorithm is used, Operator will use the SHA256WithRSA signature algorithm to sign the certificates.
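The steps above (create a CA keypair, wrap it in a Secret with tls.crt and tls.key, pick ECDSA or RSA) as one added example; this is illustrative shell written for this page, not tooling shipped by Kong Gateway Operator. It assumes an OpenSSL 1.1.1+ `openssl` binary, and the Secret name kong-operator-ca and namespace kong-system are placeholders that would have to match what you pass to --cluster-ca-secret and --cluster-ca-secret-namespace.

```shell
#!/bin/sh
# Generate a self-signed CA and emit a kubernetes.io/tls Secret manifest carrying
# tls.crt / tls.key, the two fields the operator reads from --cluster-ca-secret.
set -eu

# make_ca_secret <ecdsa|rsa> <secret-name> <namespace> <out-dir> [rsa-bits]
# Prints the path of the generated manifest.
make_ca_secret() {
  key_type="$1"; name="$2"; ns="$3"; out="$4"; bits="${5:-4096}"
  mkdir -p "$out"
  case "$key_type" in
    ecdsa) openssl ecparam -name prime256v1 -genkey -noout -out "$out/ca.key" ;;
    rsa)   openssl genrsa -out "$out/ca.key" "$bits" ;;
    *)     echo "unsupported key type: $key_type (use ecdsa or rsa)" >&2; return 1 ;;
  esac
  # Self-signed CA: CA:TRUE plus keyCertSign so it is actually allowed to sign
  # the ControlPlane/DataPlane certificates; 10 years validity is a placeholder.
  openssl req -x509 -new -key "$out/ca.key" -sha256 -days 3650 \
    -subj "/CN=kong-gateway-operator-ca" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -out "$out/ca.crt"
  crt_b64=$(base64 < "$out/ca.crt" | tr -d '\n')
  key_b64=$(base64 < "$out/ca.key" | tr -d '\n')
  cat > "$out/ca-secret.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/tls
data:
  tls.crt: $crt_b64
  tls.key: $key_b64
EOF
  echo "$out/ca-secret.yaml"
}

# verify_ca <cert-file>: succeed only if the certificate is marked as a CA.
# Run this before applying the manifest; a leaf certificate in tls.crt cannot
# sign anything and the operator's components would fail to get certificates.
verify_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Usage (ECDSA P-256 CA, matching --cluster-ca-key-type=ecdsa):
#   manifest=$(make_ca_secret ecdsa kong-operator-ca kong-system ./ca-out)
#   verify_ca ./ca-out/ca.crt && kubectl apply -f "$manifest"
```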