Configuring TLS certificates for your Event Gateway
Use cert-manager to create and manage your Event Gateway endpoint certificate, or supply your own TLS certificate.
- The Event Endpoint Management operator and cert-manager create self-signed TLS certificates and secrets that secure your endpoints.
- Specify the CA certificate and key for your gateway. When you specify the CA certificate, the Event Endpoint Management operator automatically generates and maintains the server certificate that secures your gateway endpoints.
- Specify the server certificate, the server certificate key, and the CA certificate for your gateway.
The best way to create and manage TLS certificates is to use cert-manager. Cert-manager creates TLS certificates, stores them in Kubernetes secrets, and automatically renews them before they expire. Cert-manager supports integration with external public signers, and can also create self-signed certificates.
Generating a CA certificate with OpenSSL

openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -days 730 -out tls.crt

Supplying your own server certificate and key
If you already have a server certificate that you want to use, then create a Kubernetes secret that contains this certificate, along with its key and CA certificate.
The Subject Alternative Names (SANs) in your certificate must include all of the hostnames that are used for your Event Gateway. You can use a wildcard SAN entry, for example *.<CLUSTER_API>, where <CLUSTER_API> is derived from the URL of your OpenShift Container Platform cluster. If the URL is https://console-openshift-console.apps.clusterapi.com/ then <CLUSTER_API> is apps.clusterapi.com.
If your certificate is not signed by a well-known public CA chain, then you must provide the full signing chain.
- Create a file called custom-gateway-cert.yaml and paste in the following contents:

  apiVersion: v1
  kind: Secret
  metadata:
    name: custom-gateway-cert
  type: kubernetes.io/tls
  data:
    ca.crt: <base64 encoded CA certificate>
    tls.crt: <base64 encoded server certificate>
    tls.key: <base64 encoded key>

- Apply the file to create the Kubernetes secret in the same namespace where your Event Gateway is to be deployed:

  kubectl -n <namespace> apply -f custom-gateway-cert.yaml
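The following script is an added example, not part of the Event Endpoint Management documentation or product. It ties the two procedures above together: it creates a private CA in the same way as the OpenSSL commands shown earlier, issues a server certificate with the wildcard SAN *.<CLUSTER_API> (the example domain apps.clusterapi.com from the text is used as a constructed value), and then performs the checks a practitioner should run before pasting values into the Secret: that tls.crt chains to the ca.crt being published, that the SAN covers the gateway hostnames, and that tls.key belongs to tls.crt. Finally it prints the three base64 fields in the form the kubernetes.io/tls Secret expects. The subject names, file names and the WORKDIR variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Event Endpoint Management documentation).
# Builds a CA plus a wildcard server certificate and validates the three
# values that go into a kubernetes.io/tls Secret for the Event Gateway.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Constructed value: the <CLUSTER_API> of the documentation's example URL.
GATEWAY_DOMAIN="apps.clusterapi.com"

# Step 1: private CA, mirroring the "openssl genrsa" / "openssl req -x509" commands.
make_ca() {
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORKDIR/ca.key" -days 730 \
    -subj "/CN=Event Gateway example CA" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Step 2: server key, CSR, and a certificate signed by the CA with a wildcard SAN.
# Clients match the SAN, not the CN, so the SAN must list every gateway hostname.
make_server_cert() {
  openssl genrsa -out "$WORKDIR/tls.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/tls.key" -subj "/CN=event-gateway" \
    -out "$WORKDIR/tls.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$GATEWAY_DOMAIN" > "$WORKDIR/san.ext"
  openssl x509 -req -in "$WORKDIR/tls.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORKDIR/san.ext" -out "$WORKDIR/tls.crt" 2>/dev/null
}

# Check A: tls.crt must verify against the exact ca.crt that goes into the Secret
# (if the signer is not a public CA, this is the "full signing chain" the text requires).
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/tls.crt" >/dev/null 2>&1
}

# Check B: the SAN list must contain the given DNS entry (fixed-string match).
san_contains() {
  openssl x509 -in "$WORKDIR/tls.crt" -noout -text 2>/dev/null | grep -qF -- "DNS:$1"
}

# Check C: the public key inside tls.crt must equal the one derived from tls.key;
# a mismatched pair is a common reason a gateway fails to start TLS.
key_matches_cert() {
  [ "$(openssl x509 -in "$WORKDIR/tls.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORKDIR/tls.key" -pubout)" ]
}

# Single-line base64, which is what the Secret's data fields expect.
b64_field() {
  base64 < "$WORKDIR/$1" | tr -d '\n'
}

main() {
  make_ca
  make_server_cert
  verify_chain      || { echo "tls.crt does not chain to ca.crt" >&2; return 1; }
  san_contains "*.$GATEWAY_DOMAIN" || { echo "SAN lacks *.$GATEWAY_DOMAIN" >&2; return 1; }
  key_matches_cert  || { echo "tls.key does not match tls.crt" >&2; return 1; }
  printf 'ca.crt: %s\ntls.crt: %s\ntls.key: %s\n' \
    "$(b64_field ca.crt)" "$(b64_field tls.crt)" "$(b64_field tls.key)"
}

main "$@"
```

The printed fields can be pasted into the data section of custom-gateway-cert.yaml. If your gateway hostnames live under more than one domain, add further DNS: entries to the subjectAltName line rather than relying on a single wildcard.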