Extracting Operator root certificate and adding it to ingress

When you use the IBM® Sterling Intelligent Promising Operator, it is recommended to use a TLS certificate to secure communication between ingress and the OMS Gateway. Extract the Sterling Intelligent Promising Operator root certificate from a Kubernetes secret and use it to configure the ingress resource to help ensure a secure connection. The root certificate is stored in a secret that is named sip-operator-ca in the same namespace as the Operator. If you provide your own TLS certificate for the OMS Gateway service, you do not need to extract the certificate from the secret. Extraction of the root certificate is necessary only if you do not provide your own TLS certificate.

Procedure

  • Extracting root certificate
    The root certificate is available in the secret named sip-operator-ca in the namespace where the Sterling Intelligent Promising Operator is installed. The secret has the following structure:
    kind: Secret
    apiVersion: v1
    metadata:
      name: sip-operator-ca
      namespace: <sip_operator_namespace>
    data:
      tls.crt: >-
        <Base64-encoded TLS certificate file in PEM format>
      tls.key: >-
        <Base64-encoded private key file associated with the TLS certificate, also in PEM format>
      tls.p12: >-
        <Base64-encoded PKCS#12 file that contains a certificate and private key>
      tls.p12.password: <Base64-encoded password that is used to decrypt the .p12 file>
    type: kubernetes.io/tls
    1. Extract and decode the tls.crt field that contains the Base64-encoded root certificate, by using the following command.
      kubectl get secret sip-operator-ca -n <sip_operator_namespace> -o jsonpath='{.data.tls\.crt}' | base64 --decode > sip-operator-root-cert.crt

      This command creates a file that is named sip-operator-root-cert.crt that contains the root certificate in PEM format.

    2. Optional: Extract the private key.
      The secret also contains the private key in the tls.key field. If required, extract and decode it by using the following command:
      echo "<Base64-encoded private key>" | base64 --decode > tls.key
    3. Optional: Extract the PKCS#12 certificate.
      1. If you require the .p12 format that contains the certificate and private key, decode it as shown in the following command:
        echo "<Base64-encoded PKCS#12>" | base64 --decode > tls.p12
      2. Decode the password associated with the .p12 file as shown in the following example:
        echo "<Base64-encoded password>" | base64 --decode > p12-password.txt
  • Update cloud provider-specific configurations
    Each cloud provider may have different procedures to set up TLS certificates and ingress controllers. For instructions on adding the TLS certificate to ingress in your cloud environment, see your cloud provider's official documentation.
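
The extraction steps above decode both public and private material from the same secret. The following added example (not part of the IBM procedure) wraps the decode step so that key files are written owner-only and a file is kept only if its PEM header matches what was asked for, which prevents tls.key from being handed to ingress in place of the root certificate. The helper names fetch_field, write_field and sample_b64 are hypothetical, and the sample values are constructed. It covers tls.crt and tls.key only.

```bash
# Added example (not IBM's code); all function names are hypothetical helpers.

# Fetch one Base64-encoded field of sip-operator-ca (needs cluster access).
# $1 = namespace, $2 = field name with dots escaped, for example 'tls\.crt'
fetch_field() {
  kubectl get secret sip-operator-ca -n "$1" -o "jsonpath={.data.$2}"
}

# Decode a Base64 value into a file and confirm it is the expected PEM type.
# $1 = Base64 value, $2 = output path, $3 = "cert" or "key"
write_field() {
  local value out kind mode first
  value=$1; out=$2; kind=$3
  case $kind in
    cert) mode=644 ;;   # public: safe to hand to the ingress configuration
    key)  mode=600 ;;   # private: owner-only
    *) echo "unknown kind: $kind" >&2; return 2 ;;
  esac
  # umask 077 makes a newly created file owner-only while it is being written.
  ( umask 077; printf '%s' "$value" | base64 --decode > "$out" ) \
    || { rm -f "$out"; return 1; }
  first=$(head -n 1 "$out")
  case "$kind:$first" in
    cert:"-----BEGIN CERTIFICATE-----") ;;
    key:"-----BEGIN "*"PRIVATE KEY-----") ;;
    *) echo "refusing $out: expected $kind, found '$first'" >&2
       rm -f "$out"; return 1 ;;
  esac
  chmod "$mode" "$out"
}

# Constructed sample values (placeholder PEM bodies, not real key material).
sample_b64() {   # $1 = PEM label, for example CERTIFICATE
  printf '%s\n' "-----BEGIN $1-----" 'Q09OU1RSVUNURUQ=' "-----END $1-----" \
    | base64 | tr -d '\n'
}

# With cluster access:
#   write_field "$(fetch_field <sip_operator_namespace> 'tls\.crt')" sip-operator-root-cert.crt cert
```

Only the file written with kind cert belongs in the ingress configuration; the private key stays out of it.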