To integrate with an external service, you must first import its Transport Layer Security (TLS) certificate into the operator trust list.
Procedure
If the root certificate authority (CA) key of the external service is not signed by the operator root CA key, provide the TLS certificate of the external service to the component's truststore.

The certificate includes the root CA key and the key of each component. If the external service is not installed by the same custom resource, the root CA key of the service is not signed by the operator root CA key. If the service is installed by the same custom resource, check the documentation of the external service to see whether it uses the same root CA key.
- Get the root CA that is used to sign your external service and save it to a certificate file, for example external-service-cert.crt. See OpenSSL for instructions to export the root CA of your external service.
- To create the secret, run the following command in the OpenShift project:

  kubectl create secret generic secretName --from-file=tls.crt=your_cert_path/external-service-cert.crt

  Substitute your values for secretName and your_cert_path/external-service-cert.crt. The certificate and key files must be in Privacy Enhanced Mail (PEM) format.
- Add the secret to the component's truststore. Add the secret to the custom resource in the shared_configuration.trusted_certificate_list parameter if you want this service to be trusted by all components installed by the operator. For example:

  shared_configuration:
  …
  trusted_certificate_list: [adw-tls-secret, baw-tls-secret, aca-tls-secret]

  This parameter is an array; multiple values can be provided by separating them with a comma, as shown in the example.
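As an added example, not part of the original documentation, the following POSIX shell functions check the exported root CA file before it goes into the secret (PEM certificate blocks only, no private key, since a truststore secret carries only public certificates), validate the secret name as a Kubernetes object name, and print the kubectl command from the step above together with the trusted_certificate_list line. The function names and the DRY_RUN variable are assumptions.

```shell
# Added example: pre-flight checks for the truststore secret. Uses only
# POSIX sh, grep and printf. DRY_RUN=1 (the default) prints the kubectl
# command instead of running it.

# Return 0 when the file is a PEM certificate bundle suitable for a
# truststore: at least one CERTIFICATE block, all blocks paired, and no
# PRIVATE KEY block that would otherwise be published as tls.crt.
check_truststore_pem() {
    pem="$1"
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        echo "$pem contains a private key; export only the root CA certificate" >&2
        return 1
    fi
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$pem" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "$pem is not a PEM certificate bundle (BEGIN=$begins END=$ends)" >&2
        return 1
    fi
    return 0
}

# Validate the secret name (lowercase alphanumerics and '-', not starting or
# ending with '-') and print the kubectl command; run it unless DRY_RUN=1.
create_truststore_secret() {
    name="$1"; pem="$2"
    check_truststore_pem "$pem" || return 1
    case "$name" in
        ""|-*|*-|*[!a-z0-9-]*) echo "invalid secret name: $name" >&2; return 1 ;;
    esac
    echo "kubectl create secret generic $name --from-file=tls.crt=$pem"
    if [ "${DRY_RUN:-1}" != 1 ]; then
        kubectl create secret generic "$name" --from-file="tls.crt=$pem"
    fi
}

# Print the trusted_certificate_list line for the given secret names.
trusted_list_yaml() {
    list=""
    for s in "$@"; do
        list="${list:+$list, }$s"
    done
    echo "trusted_certificate_list: [$list]"
}
```

Run with DRY_RUN=0 to create the secret once the checks pass.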