Creating the object-store CA secret

Configure your analytics subsystem to trust your object-store.

If your object-store presents a self-signed public server certificate, create a Kubernetes secret that contains the certificate, and specify the secret in your analytics CR.

  1. Use an SSH client to log in to your analytics VM as the apicadm user:
    ssh apicadm@<analytics VM FQDN>

    If you have a three replica deployment, you can log in to any one of the VMs. You do not need to repeat these steps on all VMs.

  2. Switch to the root user:
    sudo -i
  3. Create a file called ca.crt that contains your object-store public server certificate:
    echo "<certificate>" > ca.crt
    where <certificate> contains the full chain of your object-store CA certificate, for example:
    intermediate-certificate-1
    intermediate-certificate-2
    . . .
    intermediate-certificate-n
    root-certificate
  4. Run the following command to create a Kubernetes secret from the certificate file:
    kubectl create secret generic analytics-custom-objstore-server-ca --from-file=ca.crt=/path/to/cert.crt
    where /path/to/cert.crt is the path to the certificate file that you created in the previous step.
  5. Verify that the secret is created:
    kubectl get secrets
    Expected output:
    NAME                                                            TYPE                DATA   AGE
    ...
    analytics-custom-objstore-server-ca                             generic             1      7s
    ...
  6. Take a backup of the new secret. Run:
    kubectl get secret analytics-custom-objstore-server-ca -o yaml

    Copy the output to a new file in your project directory called analytics-custom-objstore-server-ca.yaml.

  7. Exit from your VM SSH session.
  8. Set your analytics-backup-certs property to the Kubernetes secret that you created:
    apicup subsys set <analytics subsystem> analytics-backup-certs analytics-custom-objstore-server-ca
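
The `echo "<certificate>" > ca.crt` step can leave a bundle that no TLS client can parse if the pasted PEM loses its line breaks, and the file must hold only certificates, never a private key. The shell function below is an added example, not part of the original procedure: it checks the structure of the bundle (not signatures or chain order) before the file is loaded into the secret. The name `check_pem_chain` and the sample file names are hypothetical, and the sample data is constructed.

```shell
# check_pem_chain FILE
# Prints the number of certificate blocks and returns 0 if FILE is well-formed
# PEM that contains only CERTIFICATE blocks; otherwise prints a reason on
# stderr and returns non-zero.
check_pem_chain() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inside) { err = "BEGIN inside an open block"; exit }
            inside = 1; body = 0; next
        }
        /^-----END CERTIFICATE-----$/ {
            if (!inside) { err = "END without BEGIN"; exit }
            if (!body)   { err = "empty certificate block"; exit }
            inside = 0; count++; next
        }
        # Any other marker: newlines were lost, or this is a key or other PEM type.
        /-----(BEGIN|END)/ { err = "marker not alone on its line, or not a CERTIFICATE block"; exit }
        inside {
            if ($0 !~ "^[A-Za-z0-9+/=]+$") { err = "non-base64 data inside block"; exit }
            body++; next
        }
        /[^ \t]/ { err = "text outside a certificate block"; exit }
        END {
            if (err == "" && inside)     err = "unterminated certificate block"
            if (err == "" && count == 0) err = "no certificates found"
            if (err != "") { print FILENAME ": line " NR ": " err | "cat 1>&2"; exit 1 }
            print count
        }
    ' "$1"
}

# Constructed sample data (placeholder base64, not real certificates).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJDREVGRw==' '-----END CERTIFICATE-----' \
              '-----BEGIN CERTIFICATE-----' 'SElKS0xNTg==' '-----END CERTIFICATE-----' \
    > "$demo_dir/good.crt"
# The same bundle with its line breaks collapsed into spaces.
tr '\n' ' ' < "$demo_dir/good.crt" > "$demo_dir/collapsed.crt"

echo "good.crt: $(check_pem_chain "$demo_dir/good.crt") certificate block(s)"
check_pem_chain "$demo_dir/collapsed.crt" || echo "collapsed.crt rejected"
```

On the analytics VM, run `check_pem_chain ca.crt` after step 3 and compare the printed count with the number of certificates you expect in the chain before you create the secret.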