Configure an external cert-manager

Contributors netapp-dbagwell

If a cert-manager already exists in your Kubernetes cluster, you need to perform some prerequisite steps so that Astra Control Center does not install its own cert-manager.

Steps
  1. Confirm that you have a cert-manager installed:

    kubectl get pods -A | grep 'cert-manager'

    Sample response:

    cert-manager   essential-cert-manager-84446f49d5-sf2zd              1/1     Running    0     6d5h
    cert-manager   essential-cert-manager-cainjector-66dc99cc56-9ldmt   1/1     Running    0     6d5h
    cert-manager   essential-cert-manager-webhook-56b76db9cc-fjqrq      1/1     Running    0     6d5h
  2. Create a certificate/key pair for the astraAddress FQDN:

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt

    Sample response:

    Generating a 2048 bit RSA private key
    ..................+++
    ........................................+++
    writing new private key to 'tls.key'
  3. Create a secret with previously generated files:

    kubectl create secret tls selfsigned-tls --key tls.key --cert tls.crt -n <cert-manager-namespace>

    Sample response:

    secret/selfsigned-tls created
  4. Create a ClusterIssuer file that is exactly the following but includes the namespace location where your cert-manager pods are installed:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: astra-ca-clusterissuer
      namespace: <cert-manager-namespace>
    spec:
      ca:
        secretName: selfsigned-tls
    kubectl apply -f ClusterIssuer.yaml

    Sample response:

    clusterissuer.cert-manager.io/astra-ca-clusterissuer created
  5. Verify that the ClusterIssuer has come up correctly. Ready must be True before you can proceed:

    kubectl get ClusterIssuer

    Sample response:

    NAME                     READY   AGE
    astra-ca-clusterissuer   True    9s
  6. Complete the Astra Control Center installation process. There is a required configuration step for the Astra Control Center cluster YAML in which you change the CRD value to indicate that the cert-manager is externally installed. You must complete this step during installation so that Astra Control Center recognizes the external cert-manager.