Manually create TLS certificates

The Obcerv Operator installs an admission webhook that requires a TLS certificate. You can use cert-manager to automate the process of creating TLS certificates.

To manually create and configure a certificate:

  1. Determine the following before generating your keys, certificates and Kubernetes Secrets:

    • Namespace where you will be installing the Obcerv Operator, referred to as <%namespace%> in the following instructions.
    • Name of the Obcerv Operator instance, referred to as <%instance-name%> in the following instructions.
    • Password you will use to protect the pkcs12 file, referred to as <%password%> in the following instructions.
    • Name of the pkcs12 keystore file, referred to as <%keystore-name%> in the following instructions.
  2. Use your Certificate Authority (CA) to generate an RSA private key for your webhook server.

  3. Generate a Certificate Signing Request (CSR), incorporating the fully qualified webhook service name "/CN=<%instance-name%>-webhook.<%namespace%>.svc", for the webhook private key, and sign it with the private key of the CA.

  4. Generate a pkcs12 bundle containing the webhook server key and certificate, protected with a password.

  5. Create a Kubernetes Secret containing the pkcs12 file. This secret should be prefixed with the name of the Obcerv Operator instance:

    kubectl create secret generic <%instance-name%>-webhook-tls --from-file=<%keystore-name%>=keystore.p12
    
  6. Create a Kubernetes Secret containing the password for the pkcs12 file. This secret should be prefixed with the name of the Obcerv Operator instance:

    kubectl create secret generic <%instance-name%>-webhook-tls-password --from-literal=password='<%password%>'
    
  7. Obtain the base64 encoded value of the CA certificate that signed the webhook server certificate held in the pkcs12 file, and use the output as the caCertificate in your Helm values file.

    cat ca.crt | base64
    ...
    webhook.tls.caCertificate: <%...output from previous command...%>
    
Note: The value for the caCertificate must be on a single line with no carriage returns.
  8. Set the following Helm values:
    webhook:
      tls:
        selfSigned: false
    
        # Default secret name containing customer provided pkcs12 file loaded in a secret.
        keystoreSecret: "<%instance-name%>-webhook-tls"
    
        # Default name of the pkcs12 file inside the above secret
        keystoreSecretKey: "<%keystore-name%>" #defaults to "keystore.p12"
    
        # Password used when generating the pkcs12 file.
        keystorePasswordSecret: "<%instance-name%>-webhook-tls-password"
    
        # Base64 encoded value of the CA certificate that signed the certificate for the webhook server.
        caCertificate: ""
    
Note: If you encounter errors installing the operator after manually configuring TLS certificates, consult the Troubleshooting steps.
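The key, certificate and keystore generation of steps 2 through 7, as an added shell example that is not Obcerv's own tooling. It assumes the placeholder values obcerv for <%namespace%> and <%instance-name%>, keystore.p12 for <%keystore-name%> and an obviously weak placeholder password (override all of them through the environment); it creates a throwaway self-signed CA so that it runs offline, whereas you would sign the CSR with your real CA; and it prints the kubectl commands of steps 5 and 6 rather than running them, because they need a cluster. It also adds a subjectAltName for the service name, which the Kubernetes API server requires in addition to the CN, and a check that the chain and the keystore password are consistent before anything is loaded into a Secret.

```shell
#!/usr/bin/env bash
# Added example: manual TLS material for the Obcerv Operator admission webhook.
# All placeholder values below are assumptions; override them via the environment.
set -eu

NAMESPACE="${NAMESPACE:-obcerv}"                 # <%namespace%> (assumed)
INSTANCE_NAME="${INSTANCE_NAME:-obcerv}"         # <%instance-name%> (assumed)
KEYSTORE_NAME="${KEYSTORE_NAME:-keystore.p12}"   # <%keystore-name%>
P12_PASSWORD="${P12_PASSWORD:-change-me}"        # <%password%> (placeholder, not a real secret)

# Steps 2-4: create the webhook key, CSR, CA-signed certificate and pkcs12 bundle
# in directory $1. Prints the webhook CN so callers can check it.
make_webhook_tls() {
  dir="$1"
  cn="${INSTANCE_NAME}-webhook.${NAMESPACE}.svc"
  mkdir -p "$dir"

  # Throwaway CA so the example runs offline. With a real CA, skip these two
  # commands and submit webhook.csr to that CA instead.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 365 \
    -subj "/CN=example-webhook-ca" -out "$dir/ca.crt"

  # Step 2: RSA private key for the webhook server.
  openssl genrsa -out "$dir/webhook.key" 2048 2>/dev/null

  # Step 3: CSR carrying the in-cluster service name as CN, then sign it with
  # the CA key. The SAN extension repeats the name because TLS clients
  # (the API server included) match the SAN, not the CN.
  openssl req -new -key "$dir/webhook.key" -subj "/CN=${cn}" -out "$dir/webhook.csr"
  printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.ext"
  openssl x509 -req -in "$dir/webhook.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/san.ext" \
    -out "$dir/webhook.crt" 2>/dev/null

  # Step 4: pkcs12 bundle with the server key and certificate, password protected.
  openssl pkcs12 -export -inkey "$dir/webhook.key" -in "$dir/webhook.crt" \
    -passout "pass:${P12_PASSWORD}" -out "$dir/$KEYSTORE_NAME"

  echo "$cn"
}

# Sanity check before creating any Secret: the webhook certificate must chain
# to ca.crt, the keystore must open with the password that will go into the
# password Secret, and the subject must carry the expected service name.
check_webhook_tls() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.crt" "$dir/webhook.crt" >/dev/null 2>&1 || return 1
  openssl pkcs12 -in "$dir/$KEYSTORE_NAME" -passin "pass:${P12_PASSWORD}" \
    -nokeys -clcerts >/dev/null 2>&1 || return 1
  subject="$(openssl x509 -in "$dir/webhook.crt" -noout -subject)"
  case "$subject" in
    *"${INSTANCE_NAME}-webhook.${NAMESPACE}.svc"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 7: the CA certificate as one base64 line (no wrapping) for
# webhook.tls.caCertificate. tr strips the line breaks that base64 inserts.
ca_certificate_value() {
  base64 < "$1/ca.crt" | tr -d '\n'
}

# Steps 5 and 6: the Secrets, printed rather than executed (needs a cluster).
print_kubectl_steps() {
  dir="$1"
  cat <<EOF
kubectl -n ${NAMESPACE} create secret generic ${INSTANCE_NAME}-webhook-tls \\
  --from-file=${KEYSTORE_NAME}=${dir}/${KEYSTORE_NAME}
kubectl -n ${NAMESPACE} create secret generic ${INSTANCE_NAME}-webhook-tls-password \\
  --from-literal=password='${P12_PASSWORD}'
EOF
}

# Usage: generate into a temporary directory, verify, then show what to apply.
OUT="$(mktemp -d)"
make_webhook_tls "$OUT" >/dev/null
check_webhook_tls "$OUT" || { echo "generated material is inconsistent" >&2; exit 1; }
print_kubectl_steps "$OUT"
echo "webhook.tls.caCertificate: $(ca_certificate_value "$OUT")"
```

The check function is the part worth keeping around: a keystore that does not open with the password stored in the second Secret, or a certificate whose subject does not match <%instance-name%>-webhook.<%namespace%>.svc, fails only once the API server calls the webhook, and the error surfaces as a failed operator install rather than at the point where the mistake was made.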