Configure an external cert manager
If a cert manager already exists in your Kubernetes cluster, you need to perform some prerequisite steps so that Astra Control Center does not install its own cert manager.
- Confirm that you have a cert manager installed:

      kubectl get pods -A | grep 'cert-manager'

  Sample response:

      cert-manager   essential-cert-manager-84446f49d5-sf2zd              1/1   Running   0   6d5h
      cert-manager   essential-cert-manager-cainjector-66dc99cc56-9ldmt   1/1   Running   0   6d5h
      cert-manager   essential-cert-manager-webhook-56b76db9cc-fjqrq      1/1   Running   0   6d5h
- Create a certificate/key pair for the astraAddressFQDN:

      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt

  Sample response:

      Generating a 2048 bit RSA private key
      ..................+++
      ........................................+++
      writing new private key to 'tls.key'
- Create a secret with previously generated files:

      kubectl create secret tls selfsigned-tls --key tls.key --cert tls.crt -n <cert-manager-namespace>

  Sample response:

      secret/selfsigned-tls created
- Create a ClusterIssuer file that is exactly the following but includes the namespace location where your cert-manager pods are installed:

      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: astra-ca-clusterissuer
        namespace: <cert-manager-namespace>
      spec:
        ca:
          secretName: selfsigned-tls

      kubectl apply -f ClusterIssuer.yaml

  Sample response:

      clusterissuer.cert-manager.io/astra-ca-clusterissuer created
- Verify that the ClusterIssuer has come up correctly. Ready must be True before you can proceed:

      kubectl get ClusterIssuer

  Sample response:

      NAME                     READY   AGE
      astra-ca-clusterissuer   True    9s
- Complete the Astra Control Center installation process. There is a required configuration step for the Astra Control Center cluster YAML in which you change the CRD value to indicate that the cert manager is externally installed. You must complete this step during installation so that Astra Control Center recognizes the external cert manager.
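A preflight check for the tls.crt and tls.key files from the certificate step, to run before they are loaded into the selfsigned-tls secret that backs the ClusterIssuer. This is an added example, not part of the original documentation; the function name check_ca_pair, its exit codes and the 30-day default are assumptions of the example.

```shell
#!/bin/sh
# Preflight for the CA pair that will back the ClusterIssuer (added example).
# Exit codes are this example's own convention:
#   0 ok, 2 unreadable file, 3 key/cert mismatch, 4 not a CA, 5 expires too soon
check_ca_pair() {
    cc_cert=$1; cc_key=$2; cc_min_days=${3:-30}

    # Extract the public key from each file separately, so that a parse failure
    # is reported instead of two empty strings comparing equal.
    cc_cert_pub=$(openssl x509 -in "$cc_cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $cc_cert" >&2; return 2; }
    cc_key_pub=$(openssl pkey -in "$cc_key" -pubout 2>/dev/null) || {
        echo "cannot parse private key: $cc_key" >&2; return 2; }

    # The secret is only usable if the key belongs to the certificate.
    [ "$cc_cert_pub" = "$cc_key_pub" ] || {
        echo "private key does not match certificate" >&2; return 3; }

    # A certificate that signs other certificates must carry CA:TRUE in
    # basicConstraints; chain validation rejects a leaf used as an issuer.
    openssl x509 -in "$cc_cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || {
        echo "certificate is not marked CA:TRUE" >&2; return 4; }

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cc_cert" -noout -checkend $((cc_min_days * 86400)) \
        >/dev/null 2>&1 || {
        echo "certificate expires within $cc_min_days days" >&2; return 5; }

    echo "ok: $cc_cert and $cc_key form a usable CA pair"
}

# Run against real files when called with arguments, e.g.:
#   sh check_ca_pair.sh tls.crt tls.key 30
if [ "$#" -ge 2 ]; then
    check_ca_pair "$@"
fi
```

Because the certificate is created with -days 365, every certificate issued through astra-ca-clusterissuer stops validating once it expires, so the same check is worth repeating on a schedule against the stored pair.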