
Configure an external cert manager

Contributors netapp-dbagwell

If a cert manager already exists in your Kubernetes cluster, you need to perform some prerequisite steps so that Astra Control Center does not install its own cert manager.

Steps
  1. Confirm that you have a cert manager installed:

    kubectl get pods -A | grep 'cert-manager'

    Sample response:

    cert-manager   essential-cert-manager-84446f49d5-sf2zd              1/1     Running    0     6d5h
    cert-manager   essential-cert-manager-cainjector-66dc99cc56-9ldmt   1/1     Running    0     6d5h
    cert-manager   essential-cert-manager-webhook-56b76db9cc-fjqrq      1/1     Running    0     6d5h
  2. Create a certificate/key pair for the astraAddress FQDN:

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt

    Sample response:

    Generating a 2048 bit RSA private key
    ..................+++
    ........................................+++
    writing new private key to 'tls.key'
  3. Create a secret with the previously generated files:

    kubectl create secret tls selfsigned-tls --key tls.key --cert tls.crt -n <cert-manager-namespace>

    Sample response:

    secret/selfsigned-tls created
  4. Create a ClusterIssuer file with exactly the following content, replacing `<cert-manager-namespace>` with the namespace where your cert-manager pods are installed:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: astra-ca-clusterissuer
      namespace: <cert-manager-namespace>
    spec:
      ca:
        secretName: selfsigned-tls

    Apply the file:

    kubectl apply -f ClusterIssuer.yaml

    Sample response:

    clusterissuer.cert-manager.io/astra-ca-clusterissuer created
  5. Verify that the ClusterIssuer has come up correctly. Ready must be True before you can proceed:

    kubectl get ClusterIssuer

    Sample response:

    NAME                     READY   AGE
    astra-ca-clusterissuer   True    9s
  6. Complete the Astra Control Center installation process. There is a required configuration step for the Astra Control Center cluster YAML in which you change the CRD value to indicate that the cert manager is externally installed. You must complete this step during installation so that Astra Control Center recognizes the external cert manager.
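
A pre-flight check for the `tls.crt`/`tls.key` pair from step 2, to run before creating the secret in step 3 (an added example, not part of the original procedure). cert-manager's CA issuer only reports Ready in step 5 when the certificate is a CA and the key matches it, so the script checks both plus remaining validity. It assumes the `openssl` CLI is on the PATH; the function names and the 30-day threshold are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight checks for the CA pair used by the ClusterIssuer.
# Function names and thresholds are illustrative, not from the Astra docs.

# True when the private key in $2 belongs to the certificate in $1.
pair_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate carries basicConstraints CA:TRUE, which the
# cert-manager CA issuer needs in order to sign with it.
is_ca() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  case "$text" in
    *CA:TRUE*) return 0 ;;
    *)         return 1 ;;
  esac
}

# True when the certificate in $1 is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run all checks: preflight <cert> <key> <min-days>
preflight() {
  pair_matches "$1" "$2" || { echo "FAIL: $2 does not match $1" >&2; return 1; }
  is_ca "$1" || { echo "FAIL: $1 is not a CA certificate" >&2; return 1; }
  valid_for_days "$1" "$3" || { echo "FAIL: $1 expires within $3 days" >&2; return 1; }
  echo "OK: $1 and $2 are usable as a CA issuer key pair"
}

# Usage (after step 2, before step 3):
#   preflight tls.crt tls.key 30
```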