Configure an external cert-manager
If a cert-manager already exists in your Kubernetes cluster, you need to perform some prerequisite steps so that Astra Control Center does not install its own cert-manager.
- Confirm that you have a cert-manager installed:
kubectl get pods -A | grep 'cert-manager'
Sample response:
cert-manager   essential-cert-manager-84446f49d5-sf2zd               1/1   Running   0   6d5h
cert-manager   essential-cert-manager-cainjector-66dc99cc56-9ldmt   1/1   Running   0   6d5h
cert-manager   essential-cert-manager-webhook-56b76db9cc-fjqrq      1/1   Running   0   6d5h
- Create a certificate/key pair for the astraAddress FQDN:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt
Sample response:
Generating a 2048 bit RSA private key
..................+++
........................................+++
writing new private key to 'tls.key'
- Create a secret with the previously generated files:
kubectl create secret tls selfsigned-tls --key tls.key --cert tls.crt -n <cert-manager-namespace>
Sample response:
secret/selfsigned-tls created
- Create a ClusterIssuer file that is exactly the following but includes the namespace location where your cert-manager pods are installed:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: astra-ca-clusterissuer
  namespace: <cert-manager-namespace>
spec:
  ca:
    secretName: selfsigned-tls
kubectl apply -f ClusterIssuer.yaml
Sample response:
clusterissuer.cert-manager.io/astra-ca-clusterissuer created
- Verify that the ClusterIssuer has come up correctly. Ready must be True before you can proceed:
kubectl get ClusterIssuer
Sample response:
NAME                     READY   AGE
astra-ca-clusterissuer   True    9s
- Complete the Astra Control Center installation process. There is a required configuration step for the Astra Control Center cluster YAML in which you change the CRD value to indicate that the cert-manager is externally installed. You must complete this step during installation so that Astra Control Center recognizes the external cert-manager.
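The following pre-flight check for the certificate and secret steps above is an added example, not part of the original documentation. It confirms that tls.crt and tls.key belong together, that the certificate is marked as a CA, and that it is not about to expire, before the pair is loaded into the secret that the ClusterIssuer signs with. The function names and the 30-day default are assumptions.

```bash
# Added example: pre-flight checks for the pair produced by the openssl step,
# run before `kubectl create secret tls selfsigned-tls ...`.
# Function names and the 30-day default are assumptions, not from the page.

# Succeeds when the certificate and the private key hold the same public key.
# Unreadable or missing files fail instead of comparing two empty strings.
cert_matches_key() {
  local crt_pub key_pub
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Succeeds when basicConstraints marks the certificate as a CA. A signing
# certificate without CA:TRUE produces chains that TLS clients reject.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Succeeds when the certificate is still valid $2 seconds from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Runs all checks; prints the first failure to stderr and returns non-zero.
preflight_ca_pair() {
  local crt="$1" key="$2" min_days="${3:-30}"
  cert_matches_key "$crt" "$key" ||
    { echo "FAIL: $key does not match $crt" >&2; return 1; }
  cert_is_ca "$crt" ||
    { echo "FAIL: $crt is not a CA certificate" >&2; return 1; }
  cert_valid_for "$crt" $((min_days * 86400)) ||
    { echo "FAIL: $crt expires within $min_days days" >&2; return 1; }
  echo "OK: $crt and $key are usable as the issuer CA pair"
}

# Usage (file and secret names from the page):
#   preflight_ca_pair tls.crt tls.key && \
#     kubectl create secret tls selfsigned-tls --key tls.key --cert tls.crt \
#       -n <cert-manager-namespace>
```

Because the command on the page uses -days 365, the ClusterIssuer's signing certificate expires after one year; rerunning the check with a larger third argument shows how close that date is.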