Manually create TLS certificates
The Obcerv Operator installs an admission webhook that requires a TLS certificate. You can use cert-manager to automate the process of creating TLS certificates.
To manually create and configure a certificate:

- Determine the following before generating your keys, certificates and Kubernetes Secrets:
  - Namespace where you will be installing the Obcerv Operator, referred to as <%namespace%> in the following instructions.
  - Name of the Obcerv Operator instance, referred to as <%instance-name%> in the following instructions.
  - Password you will use to protect the pkcs12 file, referred to as <%password%> in the following instructions.
  - Name of the pkcs12 keystore file, referred to as <%keystore-name%> in the following instructions.
- Use your Certificate Authority (CA) to generate an RSA private key for your webhook server.
- Generate a Certificate Signing Request (CSR) for the webhook private key, incorporating the fully qualified webhook service name "/CN=<%instance-name%>-webhook.<%namespace%>.svc", and sign it with the private key of the CA.
- Generate a pkcs12 bundle containing the webhook server key and certificate, protected with a password.
- Create a Kubernetes Secret containing the pkcs12 file. This secret should be prefixed with the name of the Obcerv Operator instance:

      kubectl create secret generic <%instance-name%>-webhook-tls --from-file=<%keystore-name%>=keystore.p12

- Create a Kubernetes Secret containing the password for the pkcs12 file. This secret should be prefixed with the name of the Obcerv Operator instance:

      kubectl create secret generic <%instance-name%>-webhook-tls-password --from-literal=password='<%password%>'

- Obtain the base64 encoded value of the CA certificate that signed the webhook server certificate in the pkcs12 file and use the output as the caCertificate in your Helm values file:

      cat ca.crt | base64
      ...
      webhook.tls.caCertificate: <%...output from previous command...%>

  Note: The value for caCertificate must be on a single line with no carriage returns.
- Set the following Helm values:

      webhook:
        tls:
          selfSigned: false
          # Name of the secret containing the customer-provided pkcs12 file.
          keystoreSecret: "<%instance-name%>-webhook-tls"
          # Name of the pkcs12 file inside the above secret; defaults to "keystore.p12".
          keystoreSecretKey: "<%keystore-name%>"
          # Secret holding the password used when generating the pkcs12 file.
          keystorePasswordSecret: "<%instance-name%>-webhook-tls-password"
          # Base64 encoded value of the CA certificate that signed the certificate for the webhook server.
          caCertificate: ""
Note: If you encounter errors installing the operator after manually configuring TLS certificates, consult the Troubleshooting steps.