Creating the object-store CA secret
Configure your analytics subsystem to trust your object-store.
If your object-store presents a self-signed public server certificate, create a Kubernetes secret that contains the certificate, and specify the secret in your analytics CR.
- Use an SSH client to log in to your analytics VM as the apicadm user:
ssh apicadm@<analytics VM FQDN>
If you have a three replica deployment, you can log in to any one of the VMs. You do not need to repeat these steps on all VMs.
- Switch to the root user:
sudo -i
- Create a file called ca.crt that contains your object-store public server certificate:
echo "<certificate>" > ca.crt
where <certificate> contains the full chain of your object-store CA certificate, for example:
intermediate-certificate-1
intermediate-certificate-2
...
intermediate-certificate-n
root-certificate
- Run the following command to create a Kubernetes secret from the certificate file:
kubectl create secret generic analytics-custom-objstore-server-ca --from-file=ca.crt=/path/to/cert.crt
- Verify that the secret is created:
kubectl get secrets
Expected output is:
NAME                                  TYPE      DATA   AGE
...
analytics-custom-objstore-server-ca   generic   1      7s
...
- Take a backup of the new secret.
Run:
kubectl get secret analytics-custom-objstore-server-ca -o yaml
Copy the output to a new file in your project directory called analytics-custom-objstore-server-ca.yaml.
- Exit from your VM SSH session.
- Set your analytics-backup-certs property to the Kubernetes secret that you created:
apicup subsys set <analytics subsystem> analytics-backup-certs analytics-custom-objstore-server-ca
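A malformed ca.crt (a single-line paste, a missing END line, an expired certificate) is accepted by kubectl create secret without complaint and only shows up later as a TLS trust failure against the object-store. The following check is an added example, not part of the product documentation; the function name check_ca_bundle is an assumption, and it requires the openssl command on the VM. Run it on ca.crt before creating the secret.

```bash
#!/usr/bin/env bash
# Added example, not product code: validate a PEM CA bundle before it is
# loaded into the secret. Prints the certificate count; non-zero on defects.
check_ca_bundle() {
    local file=$1 tmp begins ends part n=0 cr
    cr=$(printf '\r')
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    # Literal "\n" text or CR characters usually mean a mangled paste.
    if grep -q -e '\\n' -e "$cr" "$file"; then
        echo "escaped newlines or CRLF line endings in $file" >&2; return 1
    fi
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    ends=$(grep -c -- '^-----END CERTIFICATE-----$' "$file" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "unbalanced PEM markers: $begins BEGIN, $ends END" >&2; return 1
    fi
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate block.
    awk -v d="$tmp" '/^-----BEGIN CERTIFICATE-----$/ {n++}
                     n {print > (d "/cert" n ".pem")}' "$file"
    for part in "$tmp"/cert*.pem; do
        # -checkend 0 fails if the certificate has already expired;
        # a block that does not parse as X.509 fails as well.
        if ! openssl x509 -in "$part" -noout -checkend 0 >/dev/null 2>&1; then
            echo "unparsable or expired certificate: ${part##*/}" >&2
            rm -rf "$tmp"; return 1
        fi
        n=$((n + 1))
    done
    rm -rf "$tmp"
    echo "$n"
}

# Usage: ./check_ca_bundle.sh ca.crt
[ "$#" -eq 0 ] || check_ca_bundle "$1"
```

The printed count should equal the number of intermediate certificates plus the root certificate that you placed in the file.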