Before you can deploy your project to the runtime environment, you must import into the
runtime environment the certificate of the route to the Content Designer Repository API (CDRA) in
your authoring environment. To enable the deployment, you add the CDRA Transport Layer Security
(TLS) certificate to the operator trust list of the runtime environment.
About this task
During the deployment to runtime, the deployment scripts package your project artifacts and
push them from the authoring environment into the runtime environment. The authoring environment
acts as an external client of the runtime environment, so the runtime environment must trust the
authoring environment's certificate before a secure connection between the environments can be made.
Procedure
-
Provide the TLS certificate of the Zen front door route in the authoring environment to the
runtime environment's truststore.
Because the Zen route is not installed by the same custom resource, the certificate of the Zen
route is not signed by the runtime environment operator's root CA, so the runtime environment
does not trust it by default.
-
Get the root CA that signs the Zen route of your authoring environment and save it as a
certificate file, for example Zen-route.crt.
You can use the route to download the certificate:
- In the OpenShift® console of your authoring environment, select Routes,
and click the route for Zen front door (CPD route).
Tip: Record this route; you add it to the CR YAML for the runtime environment in a later step.
You can also get the route from the command line by running the following command.
oc get route cpd -n <namespace> -o jsonpath='{"https://"}{.spec.host}{"\n"}'
- In the browser address bar, click the lock icon.
- In the dialog, click View certificate.
- Choose the option to download the PEM (certificate) for the IBM Automation® Foundation CA certificate.
- Save the file.
Note: You can also find the root ca.crt for the Zen route in the OpenShift console by opening
the Zen (CPD) route and viewing its details, where the CA certificate is shown.
-
To create the secret, run the following command in the OpenShift project of the runtime
environment, where the custom resource references it:
kubectl create secret generic cdra-tls-secret --from-file=tls.crt=your_cert_path/Zen-route.crt
Substitute your values for
cdra-tls-secret and
your_cert_path/Zen-route.crt. The certificate file must be in
Privacy Enhanced Mail (PEM) format. Only the CA certificate is needed; do not put a private key in
this secret.
-
Add the secret to the component's truststore.
Add the secret to the runtime environment custom resource in the
shared_configuration.trusted_certificate_list parameter if you want this service to
be trusted by all components installed by the operator.
For example:
shared_configuration:
…
trusted_certificate_list: [adw-tls-secret, baw-tls-secret, cdra-tls-secret]
Where cdra-tls-secret is the secret that you created for the route. The
trusted_certificate_list variable is an array, so multiple values can be provided by
separating them with commas as shown in the example.
- Add the following setting to the runtime environment custom resource YAML:
cpds:
production_setting:
repo_service_url: "<Zen-route>/adp/cdra/cdapi"
Use the previously recorded value of the Zen route in your authoring environment as the
repo_service_url value, with /adp/cdra/cdapi appended.
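The following script is an added example and is not part of the IBM documentation or the product's deployment scripts. It assembles the pieces of the procedure above offline: it checks that the downloaded file is a single PEM certificate with no private key, warns if the certificate is not self-signed (and therefore not the root CA the step asks for), renders the same Secret that the kubectl command creates as a reviewable manifest, and builds the repo_service_url value from the recorded route. The route URL, project name and secret name are assumed inputs; the embedded PEM is a constructed placeholder, not a real certificate, and the CR fragment assumes the shared_configuration and cpds keys sit under spec: in the runtime custom resource.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM documentation). Assumed inputs: a PEM file holding
# the root CA of the authoring Zen (cpd) route, the runtime project name, and the
# route URL recorded from:
#   oc get route cpd -n <namespace> -o jsonpath='{"https://"}{.spec.host}{"\n"}'
set -euo pipefail

# Build the repo_service_url value: the recorded Zen route with /adp/cdra/cdapi
# appended. Rejects non-https values and tolerates a trailing slash on the route.
repo_service_url() {
  local route="${1%/}"
  case "$route" in
    https://*) ;;
    *) echo "route must start with https://: $1" >&2; return 1 ;;
  esac
  printf '%s/adp/cdra/cdapi\n' "$route"
}

# PEM sanity check: exactly one certificate block and no private key, because only
# the CA certificate belongs in the trust secret.
check_pem() {
  local cert="$1" n
  grep -q 'PRIVATE KEY' "$cert" && { echo "$cert contains a private key; supply only the CA certificate" >&2; return 1; }
  n=$(grep -c 'BEGIN CERTIFICATE' "$cert" || true)
  [ "$n" -eq 1 ] || { echo "expected one certificate in $cert, found $n" >&2; return 1; }
}

# Root-CA check: a root CA is self-signed, so subject and issuer must match.
# Returns 0 if self-signed, 1 if not (or unparsable), 2 if openssl is unavailable.
check_is_root_ca() {
  command -v openssl >/dev/null 2>&1 || return 2
  local subj iss
  subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
  iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Render the Secret that `kubectl create secret generic <name> --from-file=tls.crt=<cert>`
# creates, as a manifest you can review and `oc apply` in the runtime project.
secret_manifest() {
  local name="$1" ns="$2" cert="$3"
  check_pem "$cert" || return 1
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n  tls.crt: %s\n' \
    "$name" "$ns" "$(base64 < "$cert" | tr -d '\n')"
}

# Render the runtime CR fragment (placement under spec: is assumed).
cr_fragment() {
  local secret="$1" url="$2"
  printf 'spec:\n  shared_configuration:\n    trusted_certificate_list: [%s]\n  cpds:\n    production_setting:\n      repo_service_url: "%s"\n' \
    "$secret" "$url"
}

# Constructed placeholder so the script runs stand-alone; it is not a real
# certificate. Replace it with the Zen-route.crt downloaded from the route.
SAMPLE_CERT=$(mktemp)
printf -- '-----BEGIN CERTIFICATE-----\nMIIBsampleNotARealCertificate\n-----END CERTIFICATE-----\n' > "$SAMPLE_CERT"

ZEN_ROUTE="https://cpd-authoring.apps.example.com"   # assumed recorded route
RUNTIME_NS="runtime-project"                          # assumed runtime project

if check_is_root_ca "$SAMPLE_CERT"; then
  echo "ok: certificate is self-signed (root CA)"
elif [ $? -eq 2 ]; then
  echo "openssl not found; skipping root-CA check"
else
  echo "warning: certificate is not self-signed or could not be parsed; make sure it is the root CA of the Zen route"
fi

secret_manifest cdra-tls-secret "$RUNTIME_NS" "$SAMPLE_CERT"
cr_fragment cdra-tls-secret "$(repo_service_url "$ZEN_ROUTE")"
```

The placeholder PEM deliberately trips the root-CA warning, which is the behaviour you want to see if a leaf or intermediate certificate was downloaded by mistake: the runtime operator only adds what is in the secret, so a non-root certificate leaves the chain incomplete.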