Steps to configure API Connect subsystem CR YAML files to deploy them with custom certificates
About this task
This task covers the steps to configure your API Connect CR YAML files to use the custom certificates that you created.
Procedure
- Edit the helper_files/ingress-issuer-v1.yaml file and delete the default definitions for the certificates that you are customizing.
The ingress-issuer-v1.yaml file is provided as part of the installation helper_files archive. See Obtaining product files.
This file is used to generate the default certificates. To use a custom certificate, you must delete its default definition so that API Connect uses your certificate instead of the default one. If you customize all of the default certificates and delete their definitions from the file, you do not need to use the file during installation.
- Update the user-facing endpoint definitions in the subsystem CRs for every endpoint where you created a custom certificate.
Note: If you want to customize only your user-facing endpoint certificates, you do not need to customize them at installation. You can install API Connect normally and then update the certificates by following the steps in Customizing user-facing certificates.
For each custom endpoint certificate, delete the annotation that specifies the default issuer, and replace the default secret name with the name of your custom secret.
- Open the subsystem CR for editing and locate the endpoint definition.
For example, the following snippet shows the definition for the cloudManagerEndpoint in the management CR:
cloudManagerEndpoint:
  annotations:
    cert-manager.io/issuer: ingress-issuer
  hosts:
  - name: admin.example.com
    secretName: cm-endpoint
- Delete the cert-manager.io/issuer annotation.
Delete both the field name and its value; you can leave the annotations: key in place.
- Replace the default secret name with the name of the Kubernetes secret that you created for that endpoint's custom certificate.
In the following example, cm-endpoint is the default secret name and is replaced with my-cm-endpoint. Make sure to reference the correct secret for the custom certificate. The secret name must be a valid Kubernetes object name (lowercase letters, digits, '-' and '.'); underscores are not allowed and would make the CR fail validation.
cloudManagerEndpoint:
  annotations:
  hosts:
  - name: admin.example.com
    secretName: my-cm-endpoint
- Customize the internal (CA, inter-subsystem, and intra-subsystem) certificates.
- Open the subsystem CR for editing.
- Set the spec.microServiceSecurity property to custom.
By default, the setting is certManager, as shown in the following example:
microServiceSecurity: certManager
certManagerIssuer:
  name: selfsigning-issuer
  kind: Issuer
- Delete the spec.certManagerIssuer block.
In the following example, microServiceSecurity is set to custom and the certManagerIssuer block is commented out:
microServiceSecurity: custom
#certManagerIssuer:
#  name: selfsigning-issuer
#  kind: Issuer
- Add the spec.customCertificates block and list the secret name for each internal custom certificate that you created for the subsystem.
See Table 5 for the certificate names.
You do not have to provide a custom certificate for every certificate that the subsystem supports. List only the custom certificates that you created; any certificate that you omit from the list is generated automatically during installation.
For example, your customCertificates list for the management subsystem might look like the following:
customCertificates:
- name: caCertificate
  secretName: ingress-ca
- name: clientCertificate
  secretName: management-client
- name: serverCertificate
  secretName: management-server
- name: dbServerCertificate
  secretName: db-server-certificate
- name: NATSTLSCertificate
  secretName: management-natscluster-mgmt
- name: dbClientPostgres
  secretName: db-client-postgres
- name: dbClientReplicator
  secretName: db-client-replication
- name: dbClientApicuser
  secretName: db-client-apicuser
- name: S3ProxyTLSCertificate
  secretName: management-s3proxy-all
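The following Python script is an added example, not code from this page or from the API Connect installer. It lints a management CR after the edits above have been made: for each user-facing endpoint that you customized it checks that the cert-manager.io/issuer annotation is gone and that the host references your custom secret; for the internal certificates it checks that microServiceSecurity is custom, that no certManagerIssuer block remains, and that each customCertificates entry names a certificate this page lists for the management subsystem and a valid Kubernetes Secret name. It also reports which internal certificates the installer will still generate and which secrets must already exist in the namespace. The CR is built as a Python dictionary mirroring the YAML above so the script runs without PyYAML; the apiVersion and kind values, the namespace, and the apiManagerEndpoint field are assumptions.

```python
import re
from typing import Dict, List, Set

# Internal certificate names this page lists for the management subsystem
# (the full per-subsystem set is in the documentation's Table 5).
MANAGEMENT_INTERNAL_CERTS = {
    "caCertificate", "clientCertificate", "serverCertificate",
    "dbServerCertificate", "NATSTLSCertificate", "dbClientPostgres",
    "dbClientReplicator", "dbClientApicuser", "S3ProxyTLSCertificate",
}
ISSUER_ANNOTATION = "cert-manager.io/issuer"

# Kubernetes object names, Secrets included, must be DNS-1123 subdomains:
# lowercase alphanumerics, '-' and '.', at most 253 characters.
DNS1123_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")


def valid_secret_name(name: str) -> bool:
    return 0 < len(name) <= 253 and DNS1123_SUBDOMAIN.match(name) is not None


def lint_user_facing(spec: Dict, custom_endpoints: Dict[str, str]) -> List[str]:
    """custom_endpoints maps endpoint field -> the custom secret it should use."""
    findings = []
    for field, expected in custom_endpoints.items():
        endpoint = spec.get(field)
        if endpoint is None:
            findings.append(f"{field}: not present in spec")
            continue
        # 'annotations:' left empty is fine; the issuer annotation must be gone.
        if ISSUER_ANNOTATION in (endpoint.get("annotations") or {}):
            findings.append(f"{field}: {ISSUER_ANNOTATION} annotation still present; "
                            "the default issuer would keep managing the endpoint secret")
        for host in endpoint.get("hosts") or []:
            secret = host.get("secretName", "")
            if secret != expected:
                findings.append(f"{field}: host {host.get('name')} references "
                                f"{secret!r}, expected custom secret {expected!r}")
            if not valid_secret_name(secret):
                findings.append(f"{field}: {secret!r} is not a valid Secret name")
    return findings


def lint_internal(spec: Dict, supported: Set[str]) -> List[str]:
    findings = []
    if spec.get("microServiceSecurity") != "custom":
        findings.append(f"microServiceSecurity is {spec.get('microServiceSecurity')!r}; "
                        "set it to 'custom'")
    if "certManagerIssuer" in spec:
        findings.append("certManagerIssuer block is still present; delete it")
    seen = set()
    for entry in spec.get("customCertificates") or []:
        name, secret = entry.get("name"), entry.get("secretName", "")
        if name not in supported:
            findings.append(f"customCertificates: {name!r} is not supported by this subsystem")
        elif name in seen:
            findings.append(f"customCertificates: {name!r} is listed twice")
        seen.add(name)
        if not valid_secret_name(secret):
            findings.append(f"customCertificates: {name}: {secret!r} is not a valid Secret name")
    return findings


def auto_generated(spec: Dict, supported: Set[str]) -> List[str]:
    """Internal certificates not listed, which the installer generates itself."""
    listed = {e.get("name") for e in spec.get("customCertificates") or []}
    return sorted(supported - listed)


def referenced_secrets(spec: Dict, custom_endpoints: Dict[str, str]) -> List[str]:
    """Every Secret the CR expects to exist in its namespace before it is applied."""
    names = {e.get("secretName", "") for e in spec.get("customCertificates") or []}
    for field in custom_endpoints:
        for host in (spec.get(field) or {}).get("hosts") or []:
            names.add(host.get("secretName", ""))
    return sorted(names)


# Constructed example CR, reduced to the fields this procedure touches. The
# cloudManagerEndpoint has been edited as described; apiManagerEndpoint (an
# assumed field) has not, and two customCertificates entries are deliberately wrong.
MGMT_CR = {
    "apiVersion": "management.apiconnect.ibm.com/v1beta1",  # assumed
    "kind": "ManagementCluster",                             # assumed
    "metadata": {"name": "management", "namespace": "apic"},
    "spec": {
        "microServiceSecurity": "custom",
        "cloudManagerEndpoint": {
            "annotations": None,  # 'annotations:' kept with nothing under it
            "hosts": [{"name": "admin.example.com", "secretName": "my-cm-endpoint"}],
        },
        "apiManagerEndpoint": {
            "annotations": {ISSUER_ANNOTATION: "ingress-issuer"},
            "hosts": [{"name": "manager.example.com", "secretName": "apim-endpoint"}],
        },
        "customCertificates": [
            {"name": "caCertificate", "secretName": "ingress-ca"},
            {"name": "serverCertificate", "secretName": "management-server"},
            {"name": "dbServerCertificate", "secretName": "db_server_certificate"},
            {"name": "bogusCertificate", "secretName": "bogus-secret"},
        ],
    },
}
CUSTOM_ENDPOINTS = {"cloudManagerEndpoint": "my-cm-endpoint",
                    "apiManagerEndpoint": "my-apim-endpoint"}

if __name__ == "__main__":
    spec = MGMT_CR["spec"]
    for f in lint_user_facing(spec, CUSTOM_ENDPOINTS) + lint_internal(spec, MANAGEMENT_INTERNAL_CERTS):
        print("FINDING:", f)
    print("installer will generate:", auto_generated(spec, MANAGEMENT_INTERNAL_CERTS))
    print("secrets that must exist:", referenced_secrets(spec, CUSTOM_ENDPOINTS))
```

For a real CR, load it with yaml.safe_load() and pass cr["spec"]; then confirm that each name returned by referenced_secrets() exists in the target namespace (kubectl get secret -n NAMESPACE NAME) and is of type kubernetes.io/tls before you apply the CR.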
What to do next
Complete the installation of API Connect: