Creating a secret to store shared custom certificates

You can create a secret called cpd-custom-ca-certs that contains a set of custom certificates. After you create the secret, run the gen-platform-ca-certs command to update it and to inject the secret, the secret mount, and the associated environment variables into Cloud Pak for Data pods so that they have access to the custom certificates.

Who needs to complete this task?

To complete this task, you must have one of the following roles:

  • Cluster administrator
  • Instance administrator

When do you need to complete this task?

Complete this task if you want to use a set of shared custom certificates across multiple services.

The following services support shared custom certificates:

  • AI Factsheets
  • Cognos Analytics
  • Data Privacy
  • DataStage
  • Data Virtualization
  • Db2 Big SQL
  • IBM Match 360 (5.0.1 or later)
  • OpenPages
  • watsonx Assistant (5.0.1 or later)

If you have multiple instances of Cloud Pak for Data on the cluster, you must complete this task for each instance where you want to use shared custom certificates.

Before you begin

A cluster administrator must install and enable the IBM Cloud Pak for Data configuration admission controller webhook.

  1. Check whether the configuration admission controller webhook is installed:
    oc get mutatingwebhookconfiguration -n ${PROJECT_CPD_INST_OPERANDS} | grep cpd-config-ac-webhook-cfg
    Note: MutatingWebhookConfiguration objects are cluster-scoped, so the -n flag does not filter the output; the grep does. If the command returns nothing, the webhook is not installed.
  2. Check whether the configuration admission controller webhook is enabled for the instance project:
    oc get namespace ${PROJECT_CPD_INST_OPERANDS} --show-labels | grep cpd-config-ac-${PROJECT_CPD_INST_OPERANDS}=enabled --col
    The webhook is enabled only if the project carries the label cpd-config-ac-${PROJECT_CPD_INST_OPERANDS}=enabled. If either command returns nothing, the secret is not injected into the pods, even if you create it.

About this task

The Cloud Pak for Data configuration admission controller is a mutating webhook that injects the cpd-custom-ca-certs secret, the secret mount, and the associated environment variables into Cloud Pak for Data pods so that they have access to a shared set of custom certificates.

You must create a secret called cpd-custom-ca-certs that contains your custom certificates. After you create the cpd-custom-ca-certs secret, run the gen-platform-ca-certs command to:

  • Update the cpd-custom-ca-certs secret with the contents of the custom certificates.
  • Inject the contents of the cpd-custom-ca-certs secret into Cloud Pak for Data pods.

Procedure

  1. Identify the certificates that you want to include in the shared secret.
    Important: The certificate files must be on the client workstation where you run the oc and cpd-cli commands, because oc create secret reads them from the local file system.
  2. Log the cpd-cli in to the Red Hat® OpenShift® Container Platform cluster:
    ${CPDM_OC_LOGIN}
    Remember: CPDM_OC_LOGIN is an alias for the cpd-cli manage login-to-ocp command.
  3. Use the oc cli to create the cpd-custom-ca-certs secret.

    Include a --from-file entry for each certificate that you want to include in the secret. For example:

    oc create secret generic cpd-custom-ca-certs \
    --namespace=${PROJECT_CPD_INST_OPERANDS} \
    --from-file=<file-name-1>.crt=<fully-qualified-cert-file-name-1> \
    --from-file=<file-name-2>.crt=<fully-qualified-cert-file-name-2>
  4. Update the cpd-custom-ca-certs secret with the contents of the custom certificates.

    The command that you run depends on whether you want to inject the secret into Cloud Pak for Data pods now.

    Important: Injecting the secret into the pods restarts them and can take some time, so complete this action during a maintenance window or before you give users access to this instance of Cloud Pak for Data. Until you inject the secret into the pods, services cannot use the certificates in the secret.

    Inject the secret into Cloud Pak for Data pods
    cpd-cli manage gen-platform-ca-certs \
    --cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
    --apply=true

    Update the secret but don't inject the secret into Cloud Pak for Data pods
    cpd-cli manage gen-platform-ca-certs \
    --cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
    --apply=false

    When you are ready to inject the secret into pods, run:

    cpd-cli manage gen-platform-ca-certs \
    --cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
    --apply=true
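Because the secret is mounted into every Cloud Pak for Data pod in the instance project, a file that accidentally contains a private key, a leaf certificate instead of a CA certificate, or a malformed PEM block is shipped to all of them. The following pre-flight script is an added example for steps 1 through 3 of the procedure above; it is not part of the original page and not IBM's code. It checks each certificate file on the workstation, derives the secret data key (<file-name>.crt, as the page does) and validates it against the Kubernetes key syntax, and prints the oc create secret command for review instead of running it. Function names, the constructed namespace name in the usage comment, and the file names are assumptions; only oc, openssl, grep, and basename are real tools, invoked with documented options.

```shell
#!/bin/sh
# Added example (not IBM's code): pre-flight checks before creating the
# cpd-custom-ca-certs secret. Assumes POSIX sh, grep and basename; openssl is
# used only by the optional inspect_with_openssl step.
set -u

# Return 0 and print the number of certificates in FILE if it is a PEM
# certificate file that is safe to publish into a secret every pod mounts:
#   - the file is readable
#   - it contains NO private key block (a key in the shared CA secret would be
#     readable from every pod in the instance project)
#   - every BEGIN CERTIFICATE marker has a matching END marker, and there is at least one
check_pem_cert_file() {
  f=$1
  [ -r "$f" ] || { echo "ERROR: $f is not readable" >&2; return 1; }
  if grep -q 'PRIVATE KEY-----' "$f"; then
    echo "ERROR: $f contains a private key; only public CA certificates belong in cpd-custom-ca-certs" >&2
    return 1
  fi
  # grep -c exits 1 when the count is 0, so keep the count and ignore the status
  begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
  ends=$(grep -c -e '-----END CERTIFICATE-----' "$f" || true)
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    echo "ERROR: $f has $begins BEGIN and $ends END CERTIFICATE markers" >&2
    return 1
  fi
  echo "$begins"
}

# Derive the key under which FILE is stored in the secret (<basename>.crt) and
# make sure it is a legal Secret data key, which must match [-._a-zA-Z0-9]+.
secret_key_for() {
  base=$(basename "$1")
  key="${base%.*}.crt"
  case "$key" in
    *[!-._a-zA-Z0-9]*) echo "ERROR: '$key' is not a valid secret data key" >&2; return 1 ;;
  esac
  echo "$key"
}

# Print the oc command that creates the secret from FILES in project NS.
# Nothing is executed here: review the output, then run it (append
# --dry-run=client -o yaml to inspect the manifest first).
render_create_secret_cmd() {
  ns=$1; shift
  cmd="oc create secret generic cpd-custom-ca-certs --namespace=$ns"
  for f in "$@"; do
    key=$(secret_key_for "$f") || return 1
    cmd="$cmd --from-file=$key=$f"
  done
  echo "$cmd"
}

# Run every check over all files, then print the command. Fails closed: one
# bad file aborts the whole run so a partial secret is never suggested.
prepare_shared_ca_secret() {
  ns=$1; shift
  [ $# -gt 0 ] || { echo "usage: prepare_shared_ca_secret <project> <cert-file>..." >&2; return 1; }
  total=0
  for f in "$@"; do
    n=$(check_pem_cert_file "$f") || return 1
    total=$((total + n))
  done
  echo "# $total certificate(s) in $# file(s) passed pre-flight checks" >&2
  render_create_secret_cmd "$ns" "$@"
}

# Optional deeper inspection when openssl is on the workstation: print the
# subject and expiry of the first certificate in each file, and warn if it is
# expired or is not a CA certificate (basicConstraints CA:TRUE). openssl x509
# reads only the first PEM block, so run it per certificate for bundles.
inspect_with_openssl() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping inspection" >&2; return 0; }
  for f in "$@"; do
    openssl x509 -in "$f" -noout -subject -enddate
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null || echo "WARNING: $f has expired" >&2
    openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' || echo "WARNING: $f is not a CA certificate" >&2
  done
}

# Usage on the workstation, after ${CPDM_OC_LOGIN} (hypothetical file names):
#   inspect_with_openssl ./corp-root.pem ./corp-issuing.pem
#   prepare_shared_ca_secret "${PROJECT_CPD_INST_OPERANDS}" ./corp-root.pem ./corp-issuing.pem | sh
```

After the secret exists, step 4 (gen-platform-ca-certs) is unchanged; the checks here only guard what goes into the secret. If you need to add a certificate later, recreate the secret with the full set of files and run gen-platform-ca-certs with --apply=true again, because oc create secret does not merge into an existing secret.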