Custom TLS certificate configuration in OMS Gateway

Configure your own TLS certificate in OMS Gateway for internal communications between the ingress layer and OMS Gateway.

Overview

When you use the Sterling Intelligent Promising Operator, it is recommended that a TLS certificate is used to secure communication between the ingress and the OMS Gateway. You can provide your own TLS certificate for the OMS Gateway for several reasons, such as complying with your organization's internal security policies, using a certificate signed by a trusted external certificate authority (CA), or managing the certificate lifecycle yourself.

If you provide your own TLS certificate, you must also configure the corresponding CA in the ingress to help ensure secure communication. If no certificate is provided, the Operator automatically generates a self-signed certificate for the OMS Gateway and configures the CA in the ingress. The root certificate for the self-signed TLS certificate is stored in a Kubernetes secret named sip-operator-ca, located in the same namespace as the Operator. You can extract this CA and use it in the ingress or in external systems if needed.

TLS certificate flow

With your own certificate
You provide a secret containing your TLS certificate for the OMS Gateway in the identitySecretName property. This certificate is used as the identity certificate for the OMS Gateway. You must also configure the corresponding CA in the ingress through annotations. For more information, see the example of TLS certificate configuration.
Without your own certificate
If identitySecretName is not provided but TLS is enabled (sslEnabled: true), the Operator generates a self-signed certificate and configures the corresponding CA in the ingress.
Non-TLS mode
If TLS is disabled (sslEnabled: false), HTTP communication is used and no certificate is required.

TLS certificate format

Use the following attributes to configure the TLS certificate data in a Kubernetes secret.
  • tls.crt: Specify the Base64-encoded TLS certificate file in PEM format.
  • tls.key: Specify the Base64-encoded private key file associated with the TLS certificate, in PEM format.
  • type: Set the type to kubernetes.io/tls to indicate that this secret contains a TLS certificate and key.
Configure the TLS certificate in a Kubernetes secret as shown in the following example.
kind: Secret
apiVersion: v1
metadata:
  name: <oms-gateway-identity-cert>
  namespace: <sip-operator-namespace>
data:
  tls.crt: >-
    <Base64-encoded TLS certificate file in PEM format>
  tls.key: >-
    <Base64-encoded private key file associated with the TLS certificate, in PEM format>
type: kubernetes.io/tls
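As an added example that is not part of the product documentation, the following Python script (standard library only) builds a secret of the shape shown above from PEM bytes and checks an existing secret object (for example, the JSON returned by kubectl get secret -o json) for the mistakes that most often break this configuration: wrong type, missing keys, values that were pasted unencoded or Base64-encoded twice, and a passphrase-protected private key. The function names and the sample PEM bodies are constructed for the example; the script does not verify that the key matches the certificate.

```python
import base64
import json

# PEM markers each data key must decode to (the key marker accepts RSA, EC and PKCS#8 forms)
PEM_MARKERS = {
    "tls.crt": ("-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"),
    "tls.key": ("-----BEGIN ", "PRIVATE KEY-----"),
}


def build_tls_secret(name, namespace, crt_pem, key_pem):
    """Build a kubernetes.io/tls Secret object; 'data' values must be Base64 of the PEM bytes."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",
        "data": {
            "tls.crt": base64.b64encode(crt_pem).decode("ascii"),
            "tls.key": base64.b64encode(key_pem).decode("ascii"),
        },
    }


def check_tls_secret(secret):
    """Return a list of problems found in a Secret object; an empty list means it looks sound."""
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append("type is %r, expected 'kubernetes.io/tls'" % secret.get("type"))
    data = secret.get("data") or {}
    for key, (start, end) in PEM_MARKERS.items():
        raw = data.get(key)
        if raw is None:
            problems.append("data.%s is missing" % key)
            continue
        try:  # strict decode: a raw PEM pasted into 'data' fails here because of '-' and newlines
            pem = base64.b64decode("".join(raw.split()), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            problems.append("data.%s is not valid Base64" % key)
            continue
        if not (pem.lstrip().startswith(start) and end in pem):
            # typically a double-encoded value: it decodes to Base64 text, not to PEM
            problems.append("data.%s does not decode to PEM" % key)
        elif key == "tls.key" and "ENCRYPTED" in pem:
            problems.append("data.tls.key is passphrase-protected; the gateway cannot load it")
    return problems


# Constructed placeholders with valid PEM markers; not real certificate or key material
SAMPLE_CRT = b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    secret = build_tls_secret("oms-gateway-identity-cert", "sip-operator", SAMPLE_CRT, SAMPLE_KEY)
    print(json.dumps(secret, indent=2))
    print("problems:", check_tls_secret(secret))
```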