Kong gateway with a wildcard cert secret

Hi, we have some k8s clusters with Kong Gateways and are looking at doing TLS termination on the k8s cluster end.

All of our apps have the URL something.domain.com.
We have a wildcard cert for *.domain.com.

I want to terminate on the k8s instead of the F5 load balancer we are using.

We have a gateway per namespace (dev, qa, stage).

How would we set this gateway up to handle SSL termination on the k8s?

Is this how I would do this? Would I still need to do this per gateway / namespace?

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
spec:
  gatewayClassName: kong
  listeners:
  - name: https
    port: 443
    protocol: HTTPS
    hostname: "*.domain.com"
    tls:
      mode: Terminate
      certificateRefs:
        - kind: Secret
          name: mywildcardcert

Thanks in advance.

@Lance_Lyons This link indicates that wildcards are supported in the listener hostname: API specification - Kubernetes Gateway API.

As for the rest of your question, I’m going to paste a response from a colleague that I hope gives you some additional information.

As far as the [namespace] split, namespaces generally don’t work well as a prod/test separation mechanism, they’re more for RBAC. There are a bunch of things in Kubernetes that aren’t namespaced and you’ll have a hard time trying to disentangle those. Separate clusters is my standard recommended approach for managing that.

[The] rest is kinda open-ended depending on how they handle DNS. You can’t readily have separate instances each handling *.example.com simultaneously.
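To make the wildcard-listener point concrete, here is a fuller set of manifests around the Gateway from the question. This is an added example written for this thread, not Kong's documentation or anything the original posters provided. Assumed names: namespaces "dev" and "qa", a TLS Secret called "mywildcardcert" living in "dev", an app hostname "app1.domain.com" backed by a Service "app1" on port 8080; the certificate and key values are placeholders. The "qa" Gateway shows how a second namespace can reuse the same Secret through a ReferenceGrant instead of copying the key material into every namespace.

```yaml
# Added example, not from the thread. Namespace, secret, hostname and
# service names are assumptions; certificate and key values are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: mywildcardcert
  namespace: dev
type: kubernetes.io/tls
stringData:
  # PEM certificate chain for *.domain.com and its private key (placeholders)
  tls.crt: "<PEM certificate chain for *.domain.com, placeholder>"
  tls.key: "<PEM private key, placeholder>"
---
# Gateway in the same namespace as the Secret: a plain certificateRef is enough.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
  namespace: dev
spec:
  gatewayClassName: kong
  listeners:
  - name: https
    port: 443
    protocol: HTTPS
    hostname: "*.domain.com"       # wildcard listener hostname
    tls:
      mode: Terminate              # TLS ends at Kong, backends see plain HTTP
      certificateRefs:
      - kind: Secret
        name: mywildcardcert       # same namespace, no ReferenceGrant needed
    allowedRoutes:
      namespaces:
        from: Same                 # only routes from "dev" may attach
---
# Route for one app; its hostname must match the listener's *.domain.com.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app1
  namespace: dev
spec:
  parentRefs:
  - name: example-gateway
  hostnames:
  - "app1.domain.com"
  rules:
  - backendRefs:
    - name: app1
      port: 8080
---
# A Gateway in another namespace can reference the "dev" Secret ...
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
  namespace: qa
spec:
  gatewayClassName: kong
  listeners:
  - name: https
    port: 443
    protocol: HTTPS
    hostname: "*.domain.com"
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: mywildcardcert
        namespace: dev             # cross-namespace reference
    allowedRoutes:
      namespaces:
        from: Same
---
# ... but only if the Secret's namespace explicitly grants it.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-qa-gateway-to-wildcard-cert
  namespace: dev                   # lives where the Secret lives
spec:
  from:
  - group: gateway.networking.k8s.io
    kind: Gateway
    namespace: qa
  to:
  - group: ""
    kind: Secret
    name: mywildcardcert           # grant is scoped to this one Secret
```

The ReferenceGrant is what keeps a single copy of the private key under one namespace's RBAC while still letting each per-namespace Gateway terminate *.domain.com; without it the "qa" listener's certificateRef is rejected and the listener stays unprogrammed, which you can confirm in the Gateway's status conditions with `kubectl get gateway -n qa example-gateway -o yaml`. Whether several Gateways should all answer for the same wildcard at once is a separate DNS and routing question, as the reply above notes.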

Thanks Rick, I appreciate the feedback. Do you know of any examples of the wildcard cert configuration on the Kong Gateway? I have reviewed the document link you provided and was hoping there were some examples.