Implementing TLS certificates Innovation Release
- Hybrid Manager dual release strategy
- Documentation for the current Long-term support release
Set up a custom x.509 certificate for the Hybrid Manager Portal
You can change the self-signed x.509 certificate used by the Hybrid Manager (HM) Portal with your own.
To import your own certificate you need to create a Kubernetes secret containing the server certificate and the private key.
Generate the certificate
Generate the base64 encoded string of your certificate (example: my-certificate.crt) and private key (example: my-certificate.key).
cat my-certificate.crt | base64 cat my-certificate.key | base64
Create the yaml file
Create a file (example: my-secret.yaml) with the following content and replace <base64 encoded string> with the values generated in the previous step.
apiVersion: v1 data: tls.crt: <base64 encoded string> tls.key: <base64 encoded string> kind: Secret metadata: name: my-portal-certificate namespace: default annotations: replicator.v1.mittwald.de/replicate-to: 'istio-system' type: kubernetes.io/tls
Apply the secret in your Kubernetes cluster
kubectl apply -n default -f ./my-secret.yaml
Configure HM to use the new certificate
Set the portal_certificate_secret parameter to the name of the secret you created, then apply the change using the method that matches your installation.
Edit your HybridControlPlane CR to add the portal_certificate_secret parameter under spec.globalParameters:
apiVersion: edbpgai.edb.com/v1alpha1 kind: HybridControlPlane metadata: name: edbpgai spec: globalParameters: portal_certificate_secret: "my-portal-certificate" # ... your other globalParameters
Apply the updated CR:
kubectl apply -f hybridmanager.yamlThe operator reconciles the change and updates the portal certificate configuration.
Edit your Helm values.yaml file by adding the input variable portal_certificate_secret under parameters.global:
parameters: global: portal_certificate_secret: "my-portal-certificate"
Run the Helm upgrade command to apply the changes on HM:
helm upgrade \ -n edbpgai-bootstrap \ --install \ -f my-values.yaml
Warning
Make sure you always provide the set of input variables you have used to install the Helm Chart. If in a subsequent execution of the Helm upgrade command you don't specify one of the custom inputs, its value is going to be set to its default.
For more information on how the secret can be formatted, consult Istio documentation.
Set up a custom cert-manager issuer for the HM Portal
The HM Portal's certificate can also be generated and managed using one of the x.509 issuers supported by HM's internal cert-manager, e.g. The ACME Issuer for Let's Encrypt certificates.
You can follow the documentation of the issuer of your choice directly from the cert-manager website to set it up.
Note
We suggest to set up a ClusterIssuer rather than an Issuer. If you prefer to set up an Issuer, you need to create it in the istio-system namespace.
Once the ClusterIssuer is configured, pass its name to HM using the method that matches your installation.
Note
Using a cert-manager issuer and providing your own certificate secret are mutually exclusive. If you configure an issuer, don't also set spec.globalParameters.portal_certificate_secret in your CR.
Edit your HybridControlPlane CR to add the issuer parameters under spec.globalParameters:
apiVersion: edbpgai.edb.com/v1alpha1 kind: HybridControlPlane metadata: name: edbpgai spec: globalParameters: portal_certificate_issuer_kind: "ClusterIssuer" # Valid values are Issuer and ClusterIssuer portal_certificate_issuer_name: "my-issuer" # Your Issuer name # ... your other globalParameters
Apply the updated CR:
kubectl apply -f hybridmanager.yamlThe operator reconciles the change and configures the portal to use the specified issuer.
Note
Using a cert-manager issuer and providing your own certificate secret are mutually exclusive. If you configure an issuer, don't also set parameters.global.portal_certificate_secret in your values.yaml.
Edit your Helm values.yaml to add the issuer parameters under parameters.global:
parameters: global: portal_certificate_issuer_kind: "ClusterIssuer" # Valid values are Issuer and ClusterIssuer portal_certificate_issuer_name: "my-issuer" # Your Issuer name
Run the Helm upgrade command to apply the changes on HM:
helm upgrade \ -n edbpgai-bootstrap \ --install \ -f my-values.yaml
Warning
Make sure you always provide the set of input variables you have used to install the Helm Chart. If in a subsequent execution of the Helm upgrade command you don't specify one of the custom inputs, its value is going to be set to its default.
Bring your own private certificate authority
By default, all the certificates used by HM are signed by an internal certificate authority (CA) powered by cert-manager. The CA is created at install time.
If you prefer to use your own Private CA, follow the steps in this section. Otherwise, you can skip this section.
Note
To successfully use this method you must have access to the CA private key.
Create one CA secret if it doesn't exist.
apiVersion: v1 data: ca.crt: <base64 encoded string> # real ca crt provided by customers tls.crt: <base64 encoded string> # real tls crt provided by customers tls.key: <base64 encoded string> # real tls key provided by customers kind: Secret metadata: name: my-custom-ca namespace: default annotations: replicator.v1.mittwald.de/replicate-to: 'cert-manager' type: kubernetes.io/tls
Warning
You can change my-custom-ca to a name of your choosing, except global-ca-secret.
Remember to be consistent with the name you have chosen when running the following commands.
Configure HM to use the new CA using the method that matches your installation.
Edit your HybridControlPlane CR to add the ca_secret_name parameter under spec.globalParameters:
apiVersion: edbpgai.edb.com/v1alpha1 kind: HybridControlPlane metadata: name: edbpgai spec: globalParameters: ca_secret_name: "my-custom-ca" # ... your other globalParameters
Apply the updated CR:
kubectl apply -f hybridmanager.yamlThe operator reconciles the change and configures HM to use your private CA.
Set the new CA by passing it via your values.yaml:
parameters: global: ca_secret_name: my-custom-ca
Or using the --set CLI argument:
helm upgrade \ -n edbpgai-bootstrap \ --install \ -f my-values.yaml \ --set parameters.global.ca_secret_name="my-custom-ca"
Warning
Make sure you always provide the set of input variables you have used to install the Helm Chart. If in a subsequent execution of the Helm upgrade command you don't specify one of the custom inputs, its value is going to be set to its default.