Additional instructions explaining how to install cert-manager and certificates in a two data center disaster recovery deployment on Kubernetes.
Before you begin
Before you install cert-manager, you should know your strategy for using certificates with API Connect. Review the certificate requirements in Deployment requirements.
You should also have already completed Obtaining product files.
About this task
You must create certificates and keys for API Manager and the Developer Portal on both data centers, dc1 and dc2, and ensure that they match on both.
Use these instructions to install the supplied cert-manager and ingress-issuer-v1.yaml. Note that ingress-issuer-v1.yaml is supplied by cert-manager.
Procedure
- Install cert-manager.
- Use the following steps to make the ingress-ca secret the same on both data centers.
  - On DC1, apply the file ingress-issuer-v1-dc1.yaml:
    kubectl -n <namespace> apply -f ingress-issuer-v1-dc1.yaml
  - Validate that the command succeeded:
    kubectl get certificates -n <namespace>
  - Export the ingress-ca secret as YAML from DC1:
    kubectl -n <namespace> get secret ingress-ca -o yaml > ingress-ca.yaml
  - Edit the ingress-ca.yaml file to remove all annotations, labels, creationTimestamp, managedFields (with its manager, operation, and time entries), resourceVersion, selfLink, and uid. Also, if you are using a different namespace in DC2, update the namespace field.
  - Copy ingress-ca.yaml from DC1 to DC2 and apply it on DC2:
    kubectl -n <namespace> apply -f ingress-ca.yaml
  - On DC2, apply the file ingress-issuer-v1-dc2.yaml:
    kubectl -n <namespace> apply -f ingress-issuer-v1-dc2.yaml
  - Use the following commands to test that the secrets are the same. On DC1, run:
    kubectl -n <namespace> get secrets ingress-ca -o yaml | grep tls.crt | grep -v 'f:tls' | awk '{print $2}' | base64 -d > /tmp/ingress.pem.dc1
  - On DC2, run:
    kubectl -n <namespace> get secrets ingress-ca -o yaml | grep tls.crt | grep -v 'f:tls' | awk '{print $2}' | base64 -d > /tmp/ingress.pem.dc2
  - To see the differences, run:
    diff /tmp/ingress.pem.dc1 /tmp/ingress.pem.dc2
    The files should be the same.
- On DC2, to confirm that the certificates are working correctly and are using the ingress-ca secret, first get the portal-admin-client crt file:
  kubectl -n <namespace> get secrets portal-admin-client -o yaml | grep tls.crt | awk '{print $2}' | base64 -d > /tmp/admin-client.crt
- Test that it is working by using OpenSSL (the two ingress PEM files were shown to be identical, so either can serve as the CA file):
  openssl verify -verbose -CAfile /tmp/ingress.pem.dc1 /tmp/admin-client.crt
  If it is working, you should see:
  /tmp/admin-client.crt: OK
- Continue with Deploying operators and cert-manager.