Configuring TLS certificates for your Event Gateway

Use cert-manager to create and manage your Event Gateway endpoint certificate, or supply your own TLS certificate.

Three options are available for configuring TLS on the client-facing endpoints of your operator-managed gateway:
  • The Event Endpoint Management operator and cert-manager create self-signed TLS certificates and secrets that secure your endpoints.
  • Specify the CA certificate and key for your gateway. When you specify the CA certificate, the Event Endpoint Management operator automatically generates and maintains the server certificate that secures your gateway endpoints.
  • Specify the server certificate, the server certificate key, and the CA certificate for your gateway.

The best way to create and manage TLS certificates is to use cert-manager. Cert-manager creates TLS certificates, stores them in Kubernetes secrets, and automatically renews them before they expire. Cert-manager supports integration with external public signers, and can also create self-signed certificates.

The Event Gateway YAML files that the Event Endpoint Management UI creates include the definitions of a self-signed certificate and its issuer.
Note: If you want to create externally-signed certificates with cert-manager, see the cert-manager documentation.

Generating a CA certificate with OpenSSL

For test and demonstration purposes, you can create a CA certificate and key with the following OpenSSL commands:
openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -days 730 -out tls.crt
Important: It is recommended to use cert-manager to create and manage your certificates. Do not use this example certificate in production environments.

Supplying your own server certificate and key

If you already have a server certificate that you want to use, then create a Kubernetes secret that contains this certificate, along with its key and CA certificate.

The Subject Alternative Names (SANs) in your certificate must cover all the hostnames that are used for your Event Gateway; clients match the hostname they connect to against the SAN entries, not against the certificate path or subject. You can use a wildcard SAN entry, for example: *.<CLUSTER_API> - where <CLUSTER_API> is derived from the URL of your OpenShift Container Platform cluster. If the console URL is https://console-openshift-console.apps.clusterapi.com/ then <CLUSTER_API> is apps.clusterapi.com. A wildcard matches exactly one DNS label, so a gateway hostname with additional subdomain levels below <CLUSTER_API> needs its own SAN entry.

If your certificate is not signed by a well-known public CA, then you must provide the full signing chain (the intermediate certificates as well as the root, not only the leaf certificate) so that clients can build a trust path to a root they already trust.

  1. Create a file called custom-gateway-cert.yaml and paste in the following contents:
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/tls
    metadata:
      name: custom-gateway-cert
    data:
      ca.crt: <base64 encoded CA certificate>
      tls.crt: <base64 encoded server certificate>
      tls.key: <base64 encoded key>
  2. Apply the file to create the Kubernetes secret in the same namespace where your Event Gateway is to be deployed:
    kubectl -n <namespace> apply -f custom-gateway-cert.yaml