TLS Certificate

Octelium Clusters need TLS certificate management for two main purposes:

  • Setting the TLS certificate for the Cluster domain during Cluster installation, so that the Cluster, namely its API Server and Portal, can receive requests from Users publicly over the internet over HTTPS. That means you must set the Cluster domain TLS certificate by the end of the Cluster installation in order to actually start using the Cluster.
  • Setting the TLS certificate for BeyondCorp mode (read more here) or TLS-enabled Services. Currently, all BeyondCorp Services use the Cluster domain certificate.

Cluster Domain Certificate

The Cluster domain TLS certificate is required to be ready by the end of the Cluster installation so that the Cluster, namely its API Server and Portal, can communicate over HTTPS. The Cluster certificate needs to include the following domains in its SAN list:

  1. The Cluster domain <DOMAIN> (required to access the API Server and Portal).
  2. The wildcard domain *.<DOMAIN> (required). This is used for BeyondCorp and TLS Services in the default Namespace, including the Auth Server portal, which authenticates Users via OIDC and SAML 2.0 IdentityProviders.
  3. The wildcard domains *.local.<DOMAIN> and *.default.local.<DOMAIN>. These are used for Services in the default Namespace that need to be accessed over TLS (read more about enabling TLS for Services here). A wildcard entry matches a single DNS label only, so *.<DOMAIN> does not cover these names and they must be listed separately.

There is no single canonical way to have your Cluster certificate issued by a certificate authority. You can, for example, use Let's Encrypt via Certbot to issue a certificate for your Cluster domain for free.

Here is an example of issuing the certificate using the certbot CLI tool via a DNS challenge (Let's Encrypt validates wildcard names only through the DNS-01 challenge, which is why the manual DNS challenge is used here):

sudo certbot certonly --email <YOUR_EMAIL> --agree-tos --cert-name <DOMAIN> -d "<DOMAIN>,*.<DOMAIN>,*.local.<DOMAIN>" --manual --preferred-challenges dns
# Your certificate is stored by default in /etc/letsencrypt/live/<DOMAIN>/ (fullchain.pem and privkey.pem)

You can also use a Kubernetes-native open source solution such as cert-manager.

Once you have issued the certificate, you can feed it to the Cluster by creating a Kubernetes TLS secret named cert-cluster in the octelium namespace as follows:

kubectl create secret tls cert-cluster -n octelium --key </PATH/TO/PRIVATE_KEY.PEM> --cert </PATH/TO/CERT_CHAIN.PEM>
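Before creating the secret, it is worth checking that the private key actually belongs to the certificate, that the certificate will stay valid for a reasonable time, and that the SAN list contains every name from the list above; a secret with a mismatched key or a missing wildcard is otherwise only noticed when the Portal or a TLS Service fails its handshake. The following Go program is an added example written for this page, not Octelium's own code: it runs those three checks against PEM files, with the required SAN names taken from the list above. The domain example.com, the self-signed test certificate it builds when run without arguments, and the file paths are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

// RequiredSANs returns the four DNS names the SAN list above calls for, in that order.
func RequiredSANs(domain string) []string {
	return []string{domain, "*." + domain, "*.local." + domain, "*.default.local." + domain}
}

// CheckClusterCert runs the checks an operator would want before `kubectl create secret tls`: the key
// must belong to the leaf certificate (tls.X509KeyPair enforces that), the leaf must stay valid for at
// least minValidity, and each required SAN must be present as a literal entry, since a wildcard covers
// one label only ("*.<DOMAIN>" does not match "*.local.<DOMAIN>"). It returns the absent required names.
func CheckClusterCert(chainPEM, keyPEM []byte, domain string, minValidity time.Duration) ([]string, error) {
	pair, err := tls.X509KeyPair(chainPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("key does not match certificate: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0]) // the leaf comes first in a chain file
	if err != nil {
		return nil, fmt.Errorf("parsing leaf certificate: %w", err)
	}
	now := time.Now()
	if now.Before(leaf.NotBefore) || leaf.NotAfter.Sub(now) < minValidity {
		return nil, fmt.Errorf("certificate is not valid for the next %s (NotBefore %s, NotAfter %s)", minValidity, leaf.NotBefore.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339))
	}
	have := make(map[string]bool, len(leaf.DNSNames))
	for _, name := range leaf.DNSNames {
		have[strings.ToLower(name)] = true // DNS names are case-insensitive
	}
	var missing []string
	for _, want := range RequiredSANs(domain) {
		if !have[strings.ToLower(want)] {
			missing = append(missing, want)
		}
	}
	return missing, nil
}

// SelfSignedForTest builds a constructed self-signed ECDSA certificate so the example runs offline;
// a real Cluster certificate comes from a CA. It panics on failure: it only handles throwaway material.
func SelfSignedForTest(sans []string, notBefore, notAfter time.Time) (chainPEM, keyPEM []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// main checks the files given as `go run check.go <cert_chain.pem> <private_key.pem> <DOMAIN>`, or with no
// arguments a constructed certificate issued for "<DOMAIN>,*.<DOMAIN>,*.local.<DOMAIN>" only (*.default.local absent).
func main() {
	domain, now := "example.com", time.Now() // constructed placeholder domain
	chain, key := SelfSignedForTest(RequiredSANs(domain)[:3], now.Add(-time.Hour), now.Add(90*24*time.Hour))
	var err error
	if len(os.Args) == 4 {
		domain = os.Args[3]
		if chain, err = os.ReadFile(os.Args[1]); err == nil {
			key, err = os.ReadFile(os.Args[2])
		}
	}
	var missing []string
	if err == nil {
		missing, err = CheckClusterCert(chain, key, domain, 7*24*time.Hour)
	}
	if err != nil || len(missing) > 0 {
		fmt.Fprintf(os.Stderr, "rejected: error=%v missing_sans=%v\n", err, missing)
		os.Exit(1)
	}
	fmt.Println("certificate, key and SAN list look good for", domain)
}
```

Run it against the certbot output as `go run check.go /etc/letsencrypt/live/<DOMAIN>/fullchain.pem /etc/letsencrypt/live/<DOMAIN>/privkey.pem <DOMAIN>` (paths from the certbot comment above) and only create the secret once it exits 0. The SAN comparison is deliberately literal rather than hostname matching, because the point is that each wildcard entry must itself be in the certificate.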

The Cluster automatically watches that Kubernetes secret, and once it is created or updated, it is synchronized into an Octelium Secret resource.

© 2025 Octelium Labs, LLC. All rights reserved.
Octelium and Octelium logo are trademarks of Octelium Labs, LLC.
WireGuard is a registered trademark of Jason A. Donenfeld