Configuring private certificate authority

Complete the following steps if your organization uses its own certificate authority (CA) and this authority interacts with other systems that use assigned certificates.

To configure private certificate authority:

  1. Add the following extraConfigmapMounts configuration to the Databand block in user-values.yaml:
      extraConfigmapMounts:
        - name: ca-certs
          configMap: ca-certs
          mountPath: /usr/local/lib/python3.10/dist-packages/certifi/cacert.pem
          readOnly: true
          subPath: cacert.pem
  2. Copy the following code sample to create a configmap and enter your root CA and any necessary intermediate CAs, one PEM block after another. Because this file is mounted over the certifi bundle that ships with the container, it replaces the certificates that are supplied for public internet usage: the CAs you list here become the only ones that are trusted, so include every CA that is needed to validate the certificates of the HTTPS services that you want to connect to.
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: "ca-certs"
      labels:
        app.kubernetes.io/name: "ca-certs"
    data:
      cacert.pem: |-
        -----BEGIN CERTIFICATE-----
        ..
        -----END CERTIFICATE-----
  3. Save the configmap from step 2 as cacert-cm.yaml and apply it to your cluster:
    oc apply -f cacert-cm.yaml

Next, update your CA and any private trust chains that you use.

Updating CA and private trust chains

If you use Keycloak with private SSL certificates, you must update your CA and private trust chains by adding your root CA and any intermediate CAs that you use to the databand-web container.

  1. Combine your root CA and any intermediate CAs that you use into one file:
    cat cert1.pem cert2.pem > cas.pem
  2. Create a secret for this newly created file:
    oc create secret generic ca-certs --from-file=certs=cas.pem
  3. Verify that the secret was created successfully:
    oc get secret ca-certs -o yaml
  4. Add the volumes block to the pod spec of your databand-web pod and the volumeMounts block to its existing container entry:
    spec:
      template:
        spec:
          volumes:
            - name: ca-cert-volume
              secret:
                secretName: ca-certs
                items:
                  - key: certs
                    path: cacert.pem
                defaultMode: 420
          containers:
            - name: databand-web   # existing container entry; add volumeMounts to it
              volumeMounts:
                - name: ca-cert-volume
                  mountPath: /usr/local/lib/python3.10/dist-packages/certifi/cacert.pem
                  subPath: cacert.pem
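
As an added check that is not part of the original procedure: the following script (example code, not Databand's own) builds a throwaway root CA, intermediate CA and server certificate with openssl, combines the CAs as in step 1, and shows that the combined bundle verifies the server certificate while the root alone does not, which is why intermediates must be part of the file you mount. The CA names and the hostname keycloak.example.internal are constructed; openssl 1.1.1 or later is assumed.

```sh
#!/bin/sh
# Added example: build root CA -> intermediate CA -> server chain with openssl,
# combine the CAs exactly as in step 1, and verify the server certificate
# against the bundle. Everything is generated in a temporary directory;
# nothing here touches a cluster.
set -eu
WORK=$(mktemp -d)

build_chain() (
  cd "$WORK"
  # Extensions: both CA certificates must carry CA:TRUE, the leaf must not.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:keycloak.example.internal\n' > leaf.ext
  # Root CA (constructed name): key + CSR, then self-signed with the CA extensions.
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 -extfile ca.ext -out inter.pem 2>/dev/null
  # Server (e.g. Keycloak) certificate, signed by the intermediate.
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=keycloak.example.internal" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null
  # Step 1 of the procedure: root plus intermediates in one bundle.
  cat root.pem inter.pem > cas.pem
)

# Returns 0 when the bundle in $1 is enough to verify the server certificate,
# i.e. what the mounted certifi/cacert.pem in the databand-web container must satisfy.
verify_with() {
  openssl verify -CAfile "$WORK/$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

build_chain
verify_with cas.pem && echo "root + intermediate bundle: verification OK"
verify_with root.pem || echo "root only, intermediate missing: verification fails (as expected)"
```

Point verify_with at your real cas.pem and a certificate exported from the service you connect to before creating the Secret, so that a missing intermediate shows up here rather than as a TLS error in the container.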

Now, you are ready to begin authenticating with your chosen third-party authenticator.