Customizing certificates during installation on Kubernetes
How to customizing your user-facing and internal API Connect certificates during installation.
To deploy API Connect with custom internal certificates, some additional preparation and steps are required before any API Connect subsystem CRs are created. Review the topics in this section before you start the installation process.
*.example.com
is
not valid for foo.bar.example.com
.Certificate name | Issuer | Description |
---|---|---|
analytics-ingestion-client or a7s-ing-client |
ingress-issuer |
Client certificate used for communication with the analytics subsystem on the ingestion
endpoint. This certificate must have:
For a two data center disaster recovery
deployment, both data centers must have an identical subject name. For example, both data centers
subject name could be To
update this certificate, use kubectl. Restart the This certificate is loaded by the management subsystem into the
|
portal-admin-client or ptl-adm-client |
ingress-issuer |
Client certificate used for communication with the portal subsystem on the
portalAdminEndpoint . This certificate must have:
For a two data center disaster recovery deployment,
both data centers must have an identical subject name. For example, both data centers subject name
could be This certificate is loaded by the management subsystem into the |
gateway-client-client or gw-dr-client |
ingress-issuer |
Client certificate for communications with the gateway service. Restart the This certificate is loaded by the management subsystem into the |
cm-endpoint or mgmt-admin |
ingress-issuer |
Cloud Manager UI server certificate. |
apim-endpoint or mgmt-api-manager |
ingress-issuer |
API Manager UI server certificate. |
api-endpoint or mgmt-platform-api |
ingress-issuer |
Platform API endpoint server certificate. The certificate that is presented to callers of the platform REST API, and to the toolkit CLI. |
consumer-endpoint or mgmt-consumer-api |
ingress-issuer |
Consumer API endpoint server certificate. The certificate presented that is presented to callers of the consumer REST API, and to the toolkit CLI. |
Certificate name | Issuer | Description |
---|---|---|
analytics-ai-endpoint or a7s-ai-endpoint |
ingress-issuer |
Server certificate used on the analytics ingestion endpoint, in the If this certificate is updated, restart the |
Certificate name | Issuer | Description |
---|---|---|
gwv6-manager-endpoint or gw-gateway-manager |
ingress-issuer |
The This certificate must be signed by the same CA as the If you update this certificate, then all gateway pods are restarted automatically. |
gwv5-manager-endpoint or gw-gateway-manager |
ingress-issuer |
The This certificate must be signed by the same CA as the If you update this certificate, then all gateway pods are restarted automatically. |
gwv6-endpoint or gw-gateway |
ingress-issuer |
Legacy certificate that is not used. |
gwv5-endpoint or gw-gateway |
ingress-issuer |
Legacy certificate that is not used. |
Certificate name | Issuer | Description |
---|---|---|
portal-admin or ptl-director or portal-director |
ingress-issuer |
Server certificate used on the This certificate must have the same CA as the This certificate is used by the |
portal-web |
ingress-issuer |
The server certificate used on the The default This certificate is used by the |
Certificate name | spec.customCertificates name |
Description |
---|---|---|
management-ca
|
caCertificate |
The issuer for the management subsystems intra-subsystem certificates:
management-client, management-server, postgres, and nats certificates. Communication between
management subsystem pods fails if there is a problem with this certificate. This certificate is
also used as the CA for REST API calls to the management subsystem from the other subsystems, when
using |
portal-ca |
caCertificate |
The issuer for the portal-client and portal-server certificates. Communication between portal subsystem pods fails if there is a problem with this certificate. This certificate is used by all portal pods. |
analytics-ca |
caCertificate |
The issuer for the analytics-client and
analytics-server certificates. Communication between analytics subsystem pods fails
if there is a problem with this certificate.If you update this certificate, you must then update
the
analytics-client and analytics-server server certificates, and
then ensure that the following pods are restarted:
|
management-client |
clientCertificate |
Client certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate. |
portal-client |
clientCertificate |
Client certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate. This certificate is used by all portal pods. |
analytics-client |
clientCertificate |
Client certificate used in communication between analytics subsystem
pods. Communication between analytics subsystem pods fails if there is a problem with this
certificate. If this certificate is updated, then the |
management-server |
serverCertificate |
Server certificate used in communication between management subsystem
pods. Communication between management subsystem pods fails if there is a problem with this
certificate. Required DNS names within the SAN section are:
|
portal-server |
serverCertificate |
Server certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate. Required DNS names within the SAN section are:
<instance name>
and <remote portal CR name> are truncated if more than 15 characters.This certificate is used by all portal pods. |
analytics-server |
serverCertificate |
Server certificate used in communication between analytics subsystem
pods. Communication between analytics subsystem pods fails if there is a problem with this
certificate. Required DNS names within the SAN section are:
If this certificate is updated, then the
|
db-server |
dbServerCertificate |
Intra-subsystem certificate for the management database. |
natscluster-mgmt |
NATSTLSCertificate |
Intra-subsystem certificate for the nats
pods. |
db-client-postgres |
dbClientPostgres |
Intra-subsystem certificate for the management database subsystem. |
db-client-apicuser |
dbClientApicuser |
Intra-subsystem certificate for the management database subsystem. |
To see the complete list of TLS certificates, see API Connect TLS certificates.
You can replace the default certificates with certificates that you already own, for example DigiCert certificates, or generate new custom certificates by using software such as cert-manager.
- If you have your own certificates, see Generating custom certificates manually.
- If you do not have your own custom certificates, and you want to use cert-manager to generate custom certificates, see Generating custom certificates using cert-manager.
If you want to customize API Connect internal certificates (the certificates for communication within API Connect components), then you must customize all of them, but you do not need to create all of them yourself. Any custom internal certificates that are not named in your subsystem CRs are generated automatically during installation. You cannot convert an existing API Connect installation to use custom internal certificates, these certificates must be configured at installation.
Setting an encryption-secret for the management database using OpenSSL
You can optionally create an encryption-secret for the management database. If you do not create an encryption-secret, then it is created automatically for you.
- The encryption-secret is a secure random bytes password that is used for field level encryption
in the management database. You can generate 128 random bytes using the following command in
OpenSSL:
openssl rand -out /path/to/secret/encryption-secret.bin 128
- Use kubectl to put the generated secret into
management-encryption-key
:kubectl create secret generic management-encryption-key -n <namespace> --from-file=/path/to/secret/encryption_secret.bin
where
<namespace>
is the namespace where the management CR is going to be created) - Make sure that in management_cr.yaml,
encryptionSecret.secretName
points to the name of the secret created in the previous step.