Setting up a certificate issuer

Create the cert-manager issuer for generating the certificates and secrets for use with API Connect.

Before you begin

To deploy API Connect, you must first create the cert-manager issuers and certificates that API Connect uses. On OpenShift, cert-manager is bundled as a foundational service, so you do not need to install cert-manager itself. The procedure below creates a self-signed CA certificate (ingress-ca) and an issuer (ingress-issuer) that signs every other certificate with that CA's key. The ingress-ca Secret therefore holds the private key of your trust root: restrict who can read it (RBAC), and treat any exposure of it as a compromise of every certificate it has signed. For more information about cert-manager, see Key Concepts: Cert-manager, Issuers, and Secrets.

Procedure

  1. Create a file named ingress-issuer-v1.yaml with the following contents:
    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    #
    #     http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.
    #
    
    ---
    
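    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      # Bootstrap issuer. In this file only the ingress-ca Certificate
      # references it; every other certificate is signed by ingress-issuer.
      name: selfsigning-issuer
      labels:
        app.kubernetes.io/instance: "management"
        app.kubernetes.io/managed-by: "ibm-apiconnect"
        app.kubernetes.io/name: "selfsigning-issuer"
    spec:
      # selfSigned: a Certificate referencing this Issuer is signed with its
      # own private key, so there is no shared trust anchor at this level.
      selfSigned: {}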
    ---
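    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      # Root of trust for every other certificate in this file:
      # ingress-issuer below signs with the key stored in the ingress-ca Secret.
      name: ingress-ca
      labels:
        app.kubernetes.io/instance: "management"
        app.kubernetes.io/managed-by: "ibm-apiconnect"
        app.kubernetes.io/name: "ingress-ca"
    spec:
      # Long-lived self-signed CA. There is no revocation path for a root like
      # this; if its key is exposed, the only remedy is to reissue the CA and
      # every certificate issued under it.
      duration: 87600h # 10 years
      renewBefore: 720h # 30 days
      privateKey:
        # Always: a new key pair is generated on renewal, so the CA certificate
        # itself changes every 10 years. Leaf certificates already issued stay
        # valid until their own renewal, but any client that trusts only the
        # old ca.crt will reject leaves issued by the new key.
        # NOTE(review): confirm the API Connect operator propagates the renewed
        # CA, or plan to re-issue the leaf certificates at the same time.
        rotationPolicy: Always
      secretName: ingress-ca
      commonName: "ingress-ca"
      usages:
      - digital signature
      - key encipherment
      - cert sign
      isCA: true
      issuerRef:
        name: selfsigning-issuer
        kind: Issuer
      secretTemplate:
        labels:
          app.kubernetes.io/instance: "management"
          app.kubernetes.io/managed-by: "ibm-apiconnect"
          app.kubernetes.io/name: "ingress-ca"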
    ---
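    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      # CA issuer used by every leaf certificate in this file.
      name: ingress-issuer
      labels:
        app.kubernetes.io/instance: "management"
        app.kubernetes.io/managed-by: "ibm-apiconnect"
        app.kubernetes.io/name: "ingress-issuer"
    spec:
      ca:
        # Signs with the private key in the ingress-ca Secret (written by the
        # ingress-ca Certificate). This Issuer is namespaced, so it can only
        # sign certificates in the namespace where this file is applied, and
        # anyone who can read that Secret effectively holds the CA key.
        secretName: ingress-ca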
    ---
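    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: portal-admin-client
      labels:
        app.kubernetes.io/instance: "management"
        app.kubernetes.io/managed-by: "ibm-apiconnect"
        app.kubernetes.io/name: "portal-admin-client"
    spec:
      subject:
        # Placeholder organization; the CN is the identity the peer sees.
        # NOTE(review): confirm API Connect does not match on O.
        organizations:
        - cert-manager
      # No dnsNames/SANs: this certificate carries only "client auth", so the
      # CN is its identity and it is not usable for server/hostname checks.
      commonName: portal-admin-client
      secretName: portal-admin-client
      issuerRef:
        name: ingress-issuer
        # Explicit: the namespaced Issuer above, not a ClusterIssuer.
        kind: Issuer
      usages:
      - client auth
      - signing
      - key encipherment
      duration: 17520h # 2 years
      renewBefore: 720h # 30 days
      privateKey:
        # New key pair on each renewal; consumers must reload the Secret.
        rotationPolicy: Always
      secretTemplate:
        labels:
          app.kubernetes.io/instance: "management"
          app.kubernetes.io/managed-by: "ibm-apiconnect"
          app.kubernetes.io/name: "portal-admin-client"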
    ---
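    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: gateway-client-client
      labels:
        app.kubernetes.io/instance: "management"
        app.kubernetes.io/managed-by: "ibm-apiconnect"
        app.kubernetes.io/name: "gateway-client-client"
    spec:
      subject:
        # Placeholder organization; the CN is the identity the peer sees.
        # NOTE(review): confirm API Connect does not match on O.
        organizations:
        - cert-manager
      # No dnsNames/SANs: this certificate carries only "client auth", so the
      # CN is its identity and it is not usable for server/hostname checks.
      commonName: gateway-client-client
      secretName: gateway-client-client
      issuerRef:
        name: ingress-issuer
        # Explicit: the namespaced Issuer above, not a ClusterIssuer.
        kind: Issuer
      usages:
      - client auth
      - signing
      - key encipherment
      duration: 17520h # 2 years
      renewBefore: 720h # 30 days
      privateKey:
        # New key pair on each renewal; consumers must reload the Secret.
        rotationPolicy: Always
      secretTemplate:
        labels:
          app.kubernetes.io/instance: "management"
          app.kubernetes.io/managed-by: "ibm-apiconnect"
          app.kubernetes.io/name: "gateway-client-client"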
    ---
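    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: analytics-ingestion-client
      labels:
        app.kubernetes.io/instance: "management"
        app.kubernetes.io/managed-by: "ibm-apiconnect"
        app.kubernetes.io/name: "analytics-ingestion-client"
    spec:
      subject:
        # Placeholder organization; the CN is the identity the peer sees.
        # NOTE(review): confirm API Connect does not match on O.
        organizations:
        - cert-manager
      # No dnsNames/SANs: this certificate carries only "client auth", so the
      # CN is its identity and it is not usable for server/hostname checks.
      commonName: analytics-ingestion-client
      secretName: analytics-ingestion-client
      issuerRef:
        name: ingress-issuer
        # Explicit: the namespaced Issuer above, not a ClusterIssuer.
        kind: Issuer
      usages:
      - client auth
      - signing
      - key encipherment
      duration: 17520h # 2 years
      renewBefore: 720h # 30 days
      privateKey:
        # New key pair on each renewal; consumers must reload the Secret.
        rotationPolicy: Always
      secretTemplate:
        labels:
          app.kubernetes.io/instance: "management"
          app.kubernetes.io/managed-by: "ibm-apiconnect"
          app.kubernetes.io/name: "analytics-ingestion-client"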
    ---
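    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: gateway-service
      labels:
        app.kubernetes.io/instance: "gatewaycluster"
        app.kubernetes.io/managed-by: "ibm-apiconnect"
        app.kubernetes.io/name: "gateway-service"
    spec:
      subject:
        # Placeholder organization; the CN is the identity the peer sees.
        # NOTE(review): confirm API Connect does not match on O.
        organizations:
        - cert-manager
      # Despite the name, this is a client certificate ("client auth" only,
      # no "server auth", no SANs); the CN is its identity.
      commonName: gateway-service
      secretName: gateway-service
      issuerRef:
        name: ingress-issuer
        # Explicit: the namespaced Issuer above, not a ClusterIssuer.
        kind: Issuer
      usages:
      - client auth
      - signing
      - key encipherment
      duration: 17520h # 2 years
      renewBefore: 720h # 30 days
      privateKey:
        # New key pair on each renewal; consumers must reload the Secret.
        rotationPolicy: Always
      secretTemplate:
        labels:
          app.kubernetes.io/instance: "gatewaycluster"
          app.kubernetes.io/managed-by: "ibm-apiconnect"
          app.kubernetes.io/name: "gateway-service"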
    ---
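    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: gateway-peering
      labels:
        app.kubernetes.io/instance: "gatewaycluster"
        app.kubernetes.io/managed-by: "ibm-apiconnect"
        app.kubernetes.io/name: "gateway-peering"
    spec:
      subject:
        # Placeholder organization; the CN is the identity the peer sees.
        # NOTE(review): confirm API Connect does not match on O.
        organizations:
        - cert-manager
      # The only certificate here with both "server auth" and "client auth":
      # one identity shared by both ends of the peering connection. There are
      # no dnsNames/SANs, so a peer that verifies the server hostname against
      # this certificate would fail; the verifier must match on CA (and CN).
      # NOTE(review): confirm how the gateway validates peering connections.
      commonName: gateway-peering
      secretName: gateway-peering
      issuerRef:
        name: ingress-issuer
        # Explicit: the namespaced Issuer above, not a ClusterIssuer.
        kind: Issuer
      usages:
      - server auth
      - client auth
      - signing
      - key encipherment
      duration: 17520h # 2 years
      renewBefore: 720h # 30 days
      privateKey:
        # New key pair on each renewal; consumers must reload the Secret.
        rotationPolicy: Always
      secretTemplate:
        labels:
          app.kubernetes.io/instance: "gatewaycluster"
          app.kubernetes.io/managed-by: "ibm-apiconnect"
          app.kubernetes.io/name: "gateway-peering"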
    
  2. Apply the file to the namespace in which you will install API Connect: oc apply -f ingress-issuer-v1.yaml -n <apic_namespace>. The issuers are namespaced (kind: Issuer, not ClusterIssuer), so the certificates can only be issued in the namespace where you apply the file.
  3. Verify that every certificate was issued by running the following command:
    oc get certificates -n <apic_namespace>

    When all certificates have been issued, every row shows READY as True. If a row shows False, inspect it with oc describe certificate <name> -n <apic_namespace>; note that ingress-ca must become Ready first, because ingress-issuer cannot sign anything until the ingress-ca Secret exists:

    NAME                         READY   SECRET                       AGE
    analytics-ingestion-client   True    analytics-ingestion-client   70s
    gateway-peering              True    gateway-peering              69s
    gateway-service              True    gateway-service              69s
    ingress-ca                   True    ingress-ca                   71s
    portal-admin-client          True    portal-admin-client          71s