Deploying API Connect subsystems with custom certificates

Steps to configure API Connect subsystem CR YAML files to deploy them with custom certificates.

Before you begin

Create the custom certificates that you want to use, either creating the certificates manually or using cert-manager.

For a two data center disaster recovery deployment, follow the steps in Generating custom certificates using cert-manager in a two data center deployment.

About this task

This task covers the steps to configure your API Connect CR YAML files to use the custom certificates that you created.

Procedure

  1. Edit the helper_files/ingress-issuer-v1.yaml file and delete the default definitions for the certificates that you are customizing.

    The ingress-issuer-v1.yaml file is provided as part of the installation helper_files archive. See Obtaining product files.

    This file is used for generating the default certificates. To use a custom certificate, you must delete the default definition so that API Connect uses your certificate instead of the default certificate. If you customize all the default certificates and delete those definitions from the file, then you don't need to use the file during installation.

  2. Update the user-facing endpoint definitions in the subsystem CRs, for all the endpoints where you created a custom certificate.
    Note: If you want to customize only your user-facing endpoint certificates, then you do not need to customize them at installation. You can install API Connect normally and then update the certificates following the steps in Customizing user-facing certificates.

    For each custom endpoint certificate, delete the annotation that specifies the default issuer, and replace the secret name with your own custom secret name.

    1. Open the subsystem CR for editing and locate the endpoint definition.

      For example, the following snippet shows the definition for the cloudManagerEndpoint in the management CR:

        cloudManagerEndpoint:
          annotations:
            cert-manager.io/issuer: ingress-issuer
          hosts: 
          - name: admin.example.com
            secretName: cm-endpoint
      
    2. Delete the annotation for the cert-manager.io/issuer.

      Delete the field name and the value; you can leave the annotations: label in place.

    3. Replace the default secret name with the name of the Kubernetes secret that you created for that endpoint’s custom certificate.

      In the following example, cm-endpoint is the default secret name, which must be replaced. Make sure to reference the correct secret for the custom certificate.

        cloudManagerEndpoint:
          annotations:
          hosts: 
          - name: admin.example.com
            secretName: my_cm-endpoint
      
  3. Customize internal (CA, inter, and intra-subsystem) certificates.
    1. Open the subsystem CR for editing.
    2. Set the spec.microServiceSecurity property to custom.

      By default, the setting is configured for certManager as shown in the following example:

      microServiceSecurity: certManager
      certManagerIssuer:
          name: selfsigning-issuer
          kind: Issuer
    3. Delete the spec.certManagerIssuer block.

      In the following example, microServiceSecurity is set to custom and the certManagerIssuer block is commented out:

      microServiceSecurity: custom
      #certManagerIssuer:
      #    name: selfsigning-issuer
      #    kind: Issuer
  4. Add the spec.customCertificates block and list the secret name for each internal custom certificate that you created for the subsystem.

    See Table 5 for the certificate names.

    You do not have to provide a custom certificate for every certificate supported by the subsystem. List only the custom certificates that you created; any certificates that you omit from the list are generated automatically during installation.

    For example, your customCertificates list for the management subsystem might look like the following:

    customCertificates:
       - name: caCertificate
         secretName: ingress-ca
       - name: clientCertificate
         secretName: management-client
       - name: serverCertificate
         secretName: management-server
       - name: dbServerCertificate
         secretName: db-server-certificate
       - name: NATSTLSCertificate
         secretName: management-natscluster-mgmt
       - name: dbClientPostgres
         secretName: db-client-postgres
       - name: dbClientReplicator
         secretName: db-client-replication
       - name: dbClientApicuser
         secretName: db-client-apicuser
       - name: S3ProxyTLSCertificate
         secretName: management-s3proxy-all
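    As an added example, not code from this page or from the API Connect product, the following Python applies the edits from steps 2 to 4 to a management CR held as the dict that yaml.safe_load() returns, and runs a pre-flight check for the leftovers the procedure tells you to remove (the default issuer annotation, the certManagerIssuer block) and for referenced secrets that do not exist in the namespace. The trimmed CR, the secret names, and the existing_secrets set are constructed for the example; the endpoint and field names are the ones shown above.

```python
import copy

ISSUER_ANNOTATION = "cert-manager.io/issuer"  # default issuer annotation removed in step 2

def customize_cr(cr, endpoint_secrets, internal_secrets):
    """Return a copy of the CR dict with steps 2 to 4 applied.
    endpoint_secrets: {endpoint key: custom secret name}; internal_secrets:
    {certificate name: secret name} for spec.customCertificates."""
    cr = copy.deepcopy(cr)
    spec = cr["spec"]
    for endpoint, secret in endpoint_secrets.items():       # step 2
        ep = spec[endpoint]
        (ep.get("annotations") or {}).pop(ISSUER_ANNOTATION, None)
        for host in ep["hosts"]:
            host["secretName"] = secret
    spec["microServiceSecurity"] = "custom"                 # step 3, substep 2
    spec.pop("certManagerIssuer", None)                     # step 3, substep 3
    spec["customCertificates"] = [                          # step 4
        {"name": n, "secretName": s} for n, s in internal_secrets.items()]
    return cr

def check_cr(cr, existing_secrets):
    """Pre-flight check before kubectl apply. Returns a list of problems (empty is OK):
    an endpoint still carrying the default issuer annotation, a leftover
    certManagerIssuer block, or a referenced secret missing from the namespace
    (existing_secrets = secret names in the target namespace, e.g. from kubectl get secrets)."""
    problems, spec = [], cr["spec"]
    for key, val in spec.items():
        if not (isinstance(val, dict) and "hosts" in val):
            continue
        if ISSUER_ANNOTATION in (val.get("annotations") or {}):
            problems.append(f"{key}: default issuer annotation still present")
        problems += [f"{key}: secret {h['secretName']} not found"
                     for h in val["hosts"] if h["secretName"] not in existing_secrets]
    if spec.get("microServiceSecurity") == "custom":
        if "certManagerIssuer" in spec:
            problems.append("certManagerIssuer block is still present")
        problems += [f"customCertificates/{c['name']}: secret {c['secretName']} not found"
                     for c in spec.get("customCertificates", []) if c["secretName"] not in existing_secrets]
    return problems

# Constructed sample: trimmed management CR spec as shipped (default issuer, default secret).
SAMPLE_CR = {"spec": {
    "cloudManagerEndpoint": {
        "annotations": {ISSUER_ANNOTATION: "ingress-issuer"},
        "hosts": [{"name": "admin.example.com", "secretName": "cm-endpoint"}]},
    "microServiceSecurity": "certManager",
    "certManagerIssuer": {"name": "selfsigning-issuer", "kind": "Issuer"}}}
```

Certificates you leave out of internal_secrets are simply absent from customCertificates, so they are generated automatically as described above; the check only validates the secrets the CR actually references.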

What to do next

Complete the installation of API Connect: