Custom certificates reference for IKS

API Connect supports custom certificates for each subsystem, and for internal communications.

Table 1. Certificates for Management Subsystem:
Certificate	Type	Notes
`analytics-client-client`	Common Subsystem Communication	Must be signed by the same CA as `analytics-ac-endpoint` Certificate of Analytics Subsystem. For a two data center deployment, both data centers must have an identical subject name. For example, both data centers subject name could be `CN=a7s-client-client`, or they could both be `CN=a7s-client-client, O=cert-manager`, but they must be identical.
`analytics-ingestion-client`	Common Subsystem Communication	Must be signed by the same CA as `analytics-ai-endpoint` Certificate of Analytics Subsystem. For a two data center deployment, both data centers must have an identical subject name. For example, both data centers subject name could be `CN=a7s-ingestion-client`, or they could both be `CN=a7s-ingestion-client, O=cert-manager`, but they must be identical.
`portal-admin-client`	Common Subsystem Communication	Must be signed by the same CA as `portal-admin` Certificate of Portal Subsystem. For a two data center deployment, both data centers must have an identical subject name. For example, both data centers subject name could be `CN=portal-admin-client`, or they could both be `CN=ptl-adm-client, O=cert-manager`, but they must be identical.
`gateway-client-client`	Common Subsystem Communication	Must be signed by the same CA as `gwv5-management-endpoint` and/or `gwv6-management-endpoint` of Gateway Subsystem
`cm-endpoint`	External Frontend/Ingress
`apim-endpoint`	External Frontend/Ingress
`api-endpoint`	External Frontend/Ingress
`consumer-endpoint`	External Frontend/Ingress
`hub-endpoint`	External Frontend/Ingress
`turnstile-endpoint`	External Frontend/Ingress

Note:

To generate the certificates for the endpoints used by the Automated testing behavior endpoints (hub-endpoint and turnstile-endpoint), add the following statements to the custom-certs-external.yaml:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: hub-endpoint
  labels: {
    app.kubernetes.io/instance: "management",
    app.kubernetes.io/managed-by: "ibm-apiconnect",
    app.kubernetes.io/name: "hub-endpoint"
  }
spec:
  commonName: hub-endpoint 
  secretName: hub-endpoint 
  dnsNames:
  - hub.example.com
  issuerRef:
    name: ingress-issuer
  usages:
  - "server auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 48h
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: turnstile-endpoint
  labels: {
    app.kubernetes.io/instance: "management",
    app.kubernetes.io/managed-by: "ibm-apiconnect",
    app.kubernetes.io/name: "turnstile-endpoint"
  }
spec:
  commonName: turnstile-endpoint 
  secretName: turnstile-endpoint 
  dnsNames:
  - turnstile.example.com
  issuerRef:
    name: ingress-issuer
  usages:
  - "server auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 48h

Table 2. Certificates for Analytics Subsystem
Certificate	Type	Notes
`analytics-ac-endpoint`	External Frontend/Ingress	Must be signed by the same CA as `analytics-client-client` Certificate of Management Subsystem
`analytics-ai-endpoint`	External Frontend/Ingress	Must be signed by the same CA as `analytics-ingestion-client` Certificate of Management Subsystem

Table 3. Certificates for Gateway Subsystem
Certificate	Type	Notes
`gwv5-endpoint`	External Frontend/Ingress
`gwv5-management-endpoint`	External Frontend/Ingress	Must be signed by the same CA as `gateway-client-client` Certificate of Management Subsystem
`gwv6-endpoint`	External Frontend/Ingress
`gwv6-management-endpoint`	External Frontend/Ingress	Must be signed by the same CA as `gateway-client-client` Certificate of Management Subsystem

Table 4. Certificates for Portal Subsystem
Certificate	Type	Notes
`portal-admin`	External Frontend/Ingress	Must be signed by the same CA as `portal-admin-client` Certificate of Management Subsystem
`portal-web`	External Frontend/Ingress

Table 5. Internal Certificates
Certificate	Type (CA/Server/Client)	Subsystem
`caCertificate`	CA	Management, Analytics, Portal
`clientCertificate`	Client	Management, Analytics, Portal
`serverCertificate`	Server	Management, Analytics, Portal
`dbServerCertificate`	Server	Management
`pgBouncerServerCertificate`	Server	Management
`PGOTLSCertificate`	Server	Management
`NATSTLSCertificate`	Server	Management
`dbClientPostgres`	Client	Management
`dbClientReplicator`	Client	Management
`dbClientPgbouncer`	Client	Management
`dbClientApicuser`	Client	Management

Several certificates as noted above are required to be signed by the same CA as another certificate. For example, portal-admin-client, and portal-admin. This means that if the portal-admin-client certificate were to be customized, then the portal-admin certificate must also be customized, and signed by the same CA as portal-admin-client. To ensure that pairs of certificates like these are signed by the same CA, the Issuer for each certificate must be the same.