Skip to main content

Configure Astra Control Center after installation

Contributors netapp-dbagwell

Depending on your environment, there might be additional configuration needed after you install Astra Control Center.

Remove resource limitations

Some environments use the ResourceQuotas and LimitRanges objects to prevent the resources in a namespace from consuming all available CPU and memory on the cluster. Astra Control Center does not set maximum limits, so it will not be in compliance with those resources. If your environment is configured this way, you need to remove those resources from the namespaces where you plan to install Astra Control Center.

You can use the following steps to retrieve and remove these quotas and limits. In these examples, the command output is shown immediately after the command.

Steps
  1. Get the resource quotas in the netapp-acc (or custom-named) namespace:

    kubectl get quota -n [netapp-acc or custom namespace]

    Response:

    NAME          AGE   REQUEST                                        LIMIT
    pods-high     16s   requests.cpu: 0/20, requests.memory: 0/100Gi   limits.cpu: 0/200, limits.memory: 0/1000Gi
    pods-low      15s   requests.cpu: 0/1, requests.memory: 0/1Gi      limits.cpu: 0/2, limits.memory: 0/2Gi
    pods-medium   16s   requests.cpu: 0/10, requests.memory: 0/20Gi    limits.cpu: 0/20, limits.memory: 0/200Gi
  2. Delete all of the resource quotas by name:

    kubectl delete resourcequota pods-high -n [netapp-acc or custom namespace]
    kubectl delete resourcequota pods-low -n [netapp-acc or custom namespace]
    kubectl delete resourcequota pods-medium -n [netapp-acc or custom namespace]
  3. Get the limit ranges in the netapp-acc (or custom-named) namespace:

    kubectl get limits -n [netapp-acc or custom namespace]

    Response:

    NAME              CREATED AT
    cpu-limit-range   2022-06-27T19:01:23Z
  4. Delete the limit ranges by name:

    kubectl delete limitrange cpu-limit-range -n [netapp-acc or custom namespace]

Add a custom TLS certificate

Astra Control Center uses a self-signed TLS certificate by default for ingress controller traffic (only in certain configurations) and web UI authentication with web browsers. You can remove the existing self-signed TLS certificate and replace it with a TLS certificate signed by a Certificate Authority (CA).

Note

The default, self-signed certificate is used for two types of connections:

  • HTTPS connections to the Astra Control Center web UI

  • Ingress controller traffic (only if the ingressType: "AccTraefik" property was set in the astra_control_center.yaml file during Astra Control Center installation)

Replacing the default TLS certificate replaces the certificate used for authentication for these connections.

Before you begin
  • Kubernetes cluster with Astra Control Center installed

  • Administrative access to a command shell on the cluster to run kubectl commands

  • Private key and certificate files from the CA

Remove the self-signed certificate

Remove the existing self-signed TLS certificate.

  1. Using SSH, log in to the Kubernetes cluster that hosts Astra Control Center as an administrative user.

  2. Find the TLS secret associated with the current certificate using the following command, replacing <ACC-deployment-namespace> with the Astra Control Center deployment namespace:

    kubectl get certificate -n <ACC-deployment-namespace>
  3. Delete the currently installed secret and certificate using the following commands:

    kubectl delete cert cert-manager-certificates -n <ACC-deployment-namespace>
    kubectl delete secret secure-testing-cert -n <ACC-deployment-namespace>

Add a new certificate using the command line

Add a new TLS certificate that is signed by a CA.

  1. Use the following command to create the new TLS secret with the private key and certificate files from the CA, replacing the arguments in brackets <> with the appropriate information:

    kubectl create secret tls <secret-name> --key <private-key-filename> --cert <certificate-filename> -n <ACC-deployment-namespace>
  2. Use the following command and example to edit the cluster Custom Resource Definition (CRD) file and change the spec.selfSigned value to spec.ca.secretName to refer to the TLS secret you created earlier:

    kubectl edit clusterissuers.cert-manager.io/cert-manager-certificates -n <ACC-deployment-namespace>

    CRD:

    #spec:
    #  selfSigned: {}
    
    spec:
      ca:
        secretName: <secret-name>
  3. Use the following command and example output to validate that the changes are correct and the cluster is ready to validate certificates, replacing <ACC-deployment-namespace> with the Astra Control Center deployment namespace:

    kubectl describe clusterissuers.cert-manager.io/cert-manager-certificates -n <ACC-deployment-namespace>

    Response:

    Status:
      Conditions:
        Last Transition Time:  2021-07-01T23:50:27Z
        Message:               Signing CA verified
        Reason:                KeyPairVerified
        Status:                True
        Type:                  Ready
    Events:                    <none>
  4. Create the certificate.yaml file using the following example, replacing the placeholder values in brackets <> with appropriate information:

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: <certificate-name>
      namespace: <ACC-deployment-namespace>
    spec:
      secretName: <certificate-secret-name>
      duration: 2160h # 90d
      renewBefore: 360h # 15d
      dnsNames:
      - <astra.dnsname.example.com> #Replace with the correct Astra Control Center DNS address
      issuerRef:
        kind: ClusterIssuer
        name: cert-manager-certificates
  5. Create the certificate using the following command:

    kubectl apply -f certificate.yaml
  6. Using the following command and example output, validate that the certificate has been created correctly and with the arguments you specified during creation (such as name, duration, renewal deadline, and DNS names).

    kubectl describe certificate -n <ACC-deployment-namespace>

    Response:

    Spec:
      Dns Names:
        astra.example.com
      Duration:  125h0m0s
      Issuer Ref:
        Kind:        ClusterIssuer
        Name:        cert-manager-certificates
      Renew Before:  61h0m0s
      Secret Name:   <certificate-secret-name>
    Status:
      Conditions:
        Last Transition Time:  2021-07-02T00:45:41Z
        Message:               Certificate is up to date and has not expired
        Reason:                Ready
        Status:                True
        Type:                  Ready
      Not After:               2021-07-07T05:45:41Z
      Not Before:              2021-07-02T00:45:41Z
      Renewal Time:            2021-07-04T16:45:41Z
      Revision:                1
    Events:                    <none>
  7. Edit the TLS stores CRD to point to your new certificate secret name using the following command and example, replacing the placeholder values in brackets <> with appropriate information

    kubectl edit tlsstores.traefik.io -n <ACC-deployment-namespace>

    CRD:

    ...
    spec:
      defaultCertificate:
        secretName: <certificate-secret-name>
  8. Edit the ingress CRD TLS option to point to your new certificate secret using the following command and example, replacing the placeholder values in brackets <> with appropriate information:

    kubectl edit ingressroutes.traefik.io -n <ACC-deployment-namespace>

    CRD:

    ...
     tls:
        secretName: <certificate-secret-name>
  9. Using a web browser, browse to the deployment IP address of Astra Control Center.

  10. Verify that the certificate details match the details of the certificate you installed.

  11. Export the certificate and import the result into the certificate manager in your web browser.