Setting up a certificate issuer
Create the cert-manager issuer for generating the certificates and secrets for use with API Connect.
Before you begin
To deploy API Connect, you must first create the cert-manager issuers and certificates that API Connect uses. On OpenShift, cert-manager is bundled as a foundational service, so you do not need to install cert-manager itself. For more information on cert-manager, see Key Concepts: Cert-manager, Issuers, and Secrets.
Procedure
- Create a file that is called ingress-issuer-v1.yaml and paste in the following contents:

#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigning-issuer
  labels: { app.kubernetes.io/instance: "management", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "selfsigning-issuer" }
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ingress-ca
  labels: { app.kubernetes.io/instance: "management", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "ingress-ca" }
spec:
  duration: 87600h # 10 years
  renewBefore: 720h # 30 days
  privateKey:
    rotationPolicy: Always
  secretName: ingress-ca
  commonName: "ingress-ca"
  usages:
  - digital signature
  - key encipherment
  - cert sign
  isCA: true
  issuerRef:
    name: selfsigning-issuer
    kind: Issuer
  secretTemplate:
    labels:
      app.kubernetes.io/instance: "management"
      app.kubernetes.io/managed-by: "ibm-apiconnect"
      app.kubernetes.io/name: "ingress-ca"
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ingress-issuer
  labels: { app.kubernetes.io/instance: "management", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "ingress-issuer" }
spec:
  ca:
    secretName: ingress-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: portal-admin-client
  labels: { app.kubernetes.io/instance: "management", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "portal-admin-client" }
spec:
  subject:
    organizations:
    - cert-manager
  commonName: portal-admin-client
  secretName: portal-admin-client
  issuerRef:
    name: ingress-issuer
  usages:
  - "client auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 720h # 30 days
  privateKey:
    rotationPolicy: Always
  secretTemplate:
    labels:
      app.kubernetes.io/instance: "management"
      app.kubernetes.io/managed-by: "ibm-apiconnect"
      app.kubernetes.io/name: "portal-admin-client"
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gateway-client-client
  labels: { app.kubernetes.io/instance: "management", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "gateway-client-client" }
spec:
  subject:
    organizations:
    - cert-manager
  commonName: gateway-client-client
  secretName: gateway-client-client
  issuerRef:
    name: ingress-issuer
  usages:
  - "client auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 720h # 30 days
  privateKey:
    rotationPolicy: Always
  secretTemplate:
    labels:
      app.kubernetes.io/instance: "management"
      app.kubernetes.io/managed-by: "ibm-apiconnect"
      app.kubernetes.io/name: "gateway-client-client"
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: analytics-ingestion-client
  labels: { app.kubernetes.io/instance: "management", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "analytics-ingestion-client" }
spec:
  subject:
    organizations:
    - cert-manager
  commonName: analytics-ingestion-client
  secretName: analytics-ingestion-client
  issuerRef:
    name: ingress-issuer
  usages:
  - "client auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 720h # 30 days
  privateKey:
    rotationPolicy: Always
  secretTemplate:
    labels:
      app.kubernetes.io/instance: "management"
      app.kubernetes.io/managed-by: "ibm-apiconnect"
      app.kubernetes.io/name: "analytics-ingestion-client"
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gateway-service
  labels: { app.kubernetes.io/instance: "gatewaycluster", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "gateway-service" }
spec:
  subject:
    organizations:
    - cert-manager
  commonName: gateway-service
  secretName: gateway-service
  issuerRef:
    name: ingress-issuer
  usages:
  - "client auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 720h # 30 days
  privateKey:
    rotationPolicy: Always
  secretTemplate:
    labels:
      app.kubernetes.io/instance: "gatewaycluster"
      app.kubernetes.io/managed-by: "ibm-apiconnect"
      app.kubernetes.io/name: "gateway-service"
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gateway-peering
  labels: { app.kubernetes.io/instance: "gatewaycluster", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "gateway-peering" }
spec:
  subject:
    organizations:
    - cert-manager
  commonName: gateway-peering
  secretName: gateway-peering
  issuerRef:
    name: ingress-issuer
  usages:
  - "server auth"
  - "client auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 720h # 30 days
  privateKey:
    rotationPolicy: Always
  secretTemplate:
    labels:
      app.kubernetes.io/instance: "gatewaycluster"
      app.kubernetes.io/managed-by: "ibm-apiconnect"
      app.kubernetes.io/name: "gateway-peering"
- Apply the file to your namespace with
oc apply -f ingress-issuer-v1.yaml -n <apic_namespace>
- Verify that the certificates were created by running the following command:
oc get certificates -n <apic_namespace>
When all certificates have been created successfully, every row shows READY as True:

NAME                         READY   SECRET                       AGE
analytics-ingestion-client   True    analytics-ingestion-client   70s
gateway-peering              True    gateway-peering              69s
gateway-service              True    gateway-service              69s
ingress-ca                   True    ingress-ca                   71s
portal-admin-client          True    portal-admin-client          71s
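The manifest above builds a two-level chain: a self-signed Issuer signs the ingress-ca Certificate, whose secret backs the CA Issuer that signs every leaf. The following added example (not IBM's code) is a pre-apply lint that checks that chain for consistency: each issuerRef resolves, a CA issuer's secretName is produced by an isCA Certificate with the cert sign usage, renewBefore is shorter than duration, and rotationPolicy is Always so a renewed certificate never reuses its old private key. DOCS is a constructed subset of the documents in ingress-issuer-v1.yaml, with the values as given on this page; the hours() parser assumes the whole-hour durations the page uses.

```python
import re

DOCS = [  # constructed subset of ingress-issuer-v1.yaml (values as on the page)
    {"kind": "Issuer", "metadata": {"name": "selfsigning-issuer"},
     "spec": {"selfSigned": {}}},
    {"kind": "Certificate", "metadata": {"name": "ingress-ca"},
     "spec": {"isCA": True, "secretName": "ingress-ca", "duration": "87600h",
              "renewBefore": "720h", "privateKey": {"rotationPolicy": "Always"},
              "usages": ["digital signature", "key encipherment", "cert sign"],
              "issuerRef": {"name": "selfsigning-issuer", "kind": "Issuer"}}},
    {"kind": "Issuer", "metadata": {"name": "ingress-issuer"},
     "spec": {"ca": {"secretName": "ingress-ca"}}},
    {"kind": "Certificate", "metadata": {"name": "portal-admin-client"},
     "spec": {"secretName": "portal-admin-client", "duration": "17520h",
              "renewBefore": "720h", "privateKey": {"rotationPolicy": "Always"},
              "usages": ["client auth", "signing", "key encipherment"],
              "issuerRef": {"name": "ingress-issuer"}}},
    {"kind": "Certificate", "metadata": {"name": "gateway-peering"},
     "spec": {"secretName": "gateway-peering", "duration": "17520h",
              "renewBefore": "720h", "privateKey": {"rotationPolicy": "Always"},
              "usages": ["server auth", "client auth", "signing", "key encipherment"],
              "issuerRef": {"name": "ingress-issuer"}}},
]

def hours(value):
    # The page writes every duration in whole hours, e.g. "720h" -> 720.
    match = re.fullmatch(r"(\d+)h", value)
    if not match:
        raise ValueError(f"unsupported duration {value!r}")
    return int(match.group(1))

def lint(docs):
    # Returns a list of problems; an empty list means the issuer chain is consistent.
    issuers = {d["metadata"]["name"]: d["spec"] for d in docs if d["kind"] == "Issuer"}
    ca_secrets = {d["spec"]["secretName"] for d in docs
                  if d["kind"] == "Certificate" and d["spec"].get("isCA")}
    problems = []
    for d in (x for x in docs if x["kind"] == "Certificate"):
        name, spec = d["metadata"]["name"], d["spec"]
        ref = spec["issuerRef"]["name"]
        if ref not in issuers:
            problems.append(f"{name}: issuerRef {ref} is not defined in this file")
        elif "ca" in issuers[ref] and issuers[ref]["ca"]["secretName"] not in ca_secrets:
            problems.append(f"{name}: issuer {ref} signs with a secret no isCA Certificate produces")
        if hours(spec["renewBefore"]) >= hours(spec["duration"]):
            problems.append(f"{name}: renewBefore must be shorter than duration")
        if spec.get("isCA") and "cert sign" not in spec["usages"]:
            problems.append(f"{name}: CA certificate lacks the 'cert sign' usage")
        if spec.get("privateKey", {}).get("rotationPolicy") != "Always":
            problems.append(f"{name}: private key would be reused on renewal")
    return problems
```

To run it against the real file, load the documents with a YAML parser (for example yaml.safe_load_all) and pass the resulting list to lint() before oc apply.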