Creating a secret to store shared custom certificates

You can create a secret called cpd-custom-ca-certs that contains a set of custom certificates. After you create the secret, run the cpd-cli manage gen-platform-ca-certs command to inject the secret, the secret mount, and the associated environment variables into IBM Software Hub pods so that the pods have access to the custom certificates.

Who needs to complete this task?

To complete this task, you must have one of the following roles:

  • Cluster administrator
  • Instance administrator

When do you need to complete this task?

Complete this task if you want to use a set of shared custom certificates across multiple services.

The following services support shared custom certificates:

  • AI Factsheets
  • Analytics Engine powered by Apache Spark
  • Cognos Analytics
  • Data Privacy
  • DataStage
  • Data Virtualization
  • Db2 Big SQL
  • IBM Match 360
  • OpenPages
  • RStudio®
  • Watson Studio
  • Watson Studio Runtimes
  • watsonx Assistant
  • watsonx.data™
  • watsonx™ Orchestrate

If you have multiple instances of IBM Software Hub on the cluster, you must complete this task for each instance where you want to use shared custom certificates.

Before you begin

A cluster administrator must install and enable the IBM Software Hub configuration admission controller webhook.

  1. Check whether the configuration admission controller webhook is installed:
    oc get mutatingwebhookconfiguration -n ${PROJECT_CPD_INST_OPERANDS} | grep cpd-config-ac-webhook-cfg
    The command must return a matching line. If it returns nothing, the webhook is not installed. (A MutatingWebhookConfiguration is a cluster-scoped resource, so the -n flag is accepted but does not affect the result.)
  2. Check whether the configuration admission controller webhook is enabled:
    oc get namespace ${PROJECT_CPD_INST_OPERANDS} --show-labels | grep cpd-config-ac-${PROJECT_CPD_INST_OPERANDS}=enabled --col
    The command must return the namespace with the cpd-config-ac-${PROJECT_CPD_INST_OPERANDS}=enabled label. If it returns nothing, the webhook is installed but is not enabled for this project. In either case, a cluster administrator must install and enable the webhook before you continue.

About this task

The IBM Software Hub configuration admission controller is a mutating webhook that injects the cpd-custom-ca-certs secret, the secret mount, and the associated environment variables into IBM Software Hub pods so that they have access to a shared set of custom certificates.

You must create a secret called cpd-custom-ca-certs that contains your custom certificates. After you create the cpd-custom-ca-certs secret, run the cpd-cli manage gen-platform-ca-certs command to:

  • Update the cpd-custom-ca-certs secret with the contents of the custom certificates.
  • Inject the contents of the cpd-custom-ca-certs secret into IBM Software Hub pods.

Procedure

  1. Identify the certificates that you want to include in the shared secret.
    Important: The certificate files must be on the client workstation. Include only public CA certificate files. Do not add private keys to this secret, because the secret is mounted into every IBM Software Hub pod that the webhook injects it into.
  2. Log the cpd-cli in to the Red Hat® OpenShift® Container Platform cluster:
    ${CPDM_OC_LOGIN}
    Remember: CPDM_OC_LOGIN is an alias for the cpd-cli manage login-to-ocp command.
  3. Use the oc CLI to create the cpd-custom-ca-certs secret.

    Include a --from-file entry for each certificate that you want to include in the secret. For example:

    oc create secret generic cpd-custom-ca-certs \
    --namespace=${PROJECT_CPD_INST_OPERANDS} \
    --from-file=<file-name-1>.crt=<fully-qualified-cert-file-name-1> \
    --from-file=<file-name-2>.crt=<fully-qualified-cert-file-name-2>
  4. Update the cpd-custom-ca-certs secret with the contents of the custom certificates.

    The command that you run depends on whether you want to inject the secret into IBM Software Hub pods now.

    Important: Injecting the secret into the pods can take some time. Complete this action during a maintenance window or before you give users access to this instance of IBM Software Hub. Services cannot use the certificates in the secret until you inject the secret into the IBM Software Hub pods, so if you run the command with --apply=false, you must run it again with --apply=true before the certificates take effect.

    Inject the secret into IBM Software Hub pods
    cpd-cli manage gen-platform-ca-certs \
    --cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
    --apply=true

    Update the secret but don't inject the secret into IBM Software Hub pods
    cpd-cli manage gen-platform-ca-certs \
    --cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
    --apply=false

    When you are ready to inject the secret into pods, run:

    cpd-cli manage gen-platform-ca-certs \
    --cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
    --apply=true

  5. watsonx.data users only. Update the wxd lakehouse custom resource to start an operator reconcile loop:
    oc patch wxd lakehouse \
    --namespace=${PROJECT_CPD_INST_OPERANDS} \
    --type=merge \
    --patch='{"spec": {"update_ca_certs": true}}'
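The following script is an added example. It is not code from the IBM Software Hub documentation or from cpd-cli. It performs the checks a practitioner would want before step 3: each file is a PEM certificate bundle (no private keys, which the mounted secret would otherwise expose to every injected pod), each data key is a valid Kubernetes Secret key, and the rendered manifest is the same Secret that oc create secret generic cpd-custom-ca-certs --from-file=... would create, so it can be reviewed and then piped to oc apply -f -. The namespace cpd-instance, the key corp-root.crt and the sample PEM blocks are constructed placeholders; the sample body is a minimal DER SEQUENCE, not a real certificate.

```python
"""Pre-flight checks and manifest generation for the cpd-custom-ca-certs secret.

Added example, not IBM's code. Validates each certificate file on the client
workstation and renders the Secret that
`oc create secret generic cpd-custom-ca-certs --from-file=...` would create.
"""
import base64
import json
import re
from pathlib import Path
from typing import Dict

SECRET_NAME = "cpd-custom-ca-certs"

# One PEM CERTIFICATE block; the body is base64 with optional line breaks.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)
# Kubernetes Secret data keys must match this character set.
SECRET_KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")


def count_certificates(pem_text: str) -> int:
    """Return the number of certificates in a PEM bundle.

    Raises ValueError if the text contains a private key, has no
    CERTIFICATE block, or a block does not decode to DER (tag 0x30).
    """
    if "PRIVATE KEY" in pem_text:
        raise ValueError("bundle contains a private key; include CA certificates only")
    bodies = PEM_CERT_RE.findall(pem_text)
    if not bodies:
        raise ValueError("no PEM CERTIFICATE block found")
    for body in bodies:
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("certificate body is not a DER SEQUENCE")
    return len(bodies)


def is_clean_bundle(pem_text: str) -> bool:
    """True if count_certificates accepts the text, False otherwise."""
    try:
        count_certificates(pem_text)
        return True
    except ValueError:
        return False


def build_secret_manifest(namespace: str, certs: Dict[str, str]) -> dict:
    """Render the Secret; `certs` maps a data key (e.g. file-name-1.crt) to PEM text."""
    data = {}
    for key, pem_text in certs.items():
        if not SECRET_KEY_RE.match(key):
            raise ValueError(f"{key!r} is not a valid Secret data key")
        count_certificates(pem_text)  # reject keys, junk and non-DER bodies
        data[key] = base64.b64encode(pem_text.encode("ascii")).decode("ascii")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": SECRET_NAME, "namespace": namespace},
        "type": "Opaque",
        "data": data,
    }


def decode_secret_data(manifest: dict) -> Dict[str, str]:
    """Reverse of build_secret_manifest; also works on `oc get secret ... -o json` output."""
    return {k: base64.b64decode(v).decode("ascii") for k, v in manifest["data"].items()}


def load_cert_files(paths: Dict[str, str]) -> Dict[str, str]:
    """Read PEM files from the workstation; the dict keys become the Secret data keys."""
    return {key: Path(path).read_text(encoding="ascii") for key, path in paths.items()}


# Constructed placeholder: a syntactically valid PEM block whose body is the
# DER SEQUENCE {INTEGER 1}. It is not a real certificate.
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
# Constructed placeholder for a file that must be rejected.
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    # For real files: load_cert_files({"corp-root.crt": "/path/to/root.pem"})
    manifest = build_secret_manifest("cpd-instance", {"corp-root.crt": SAMPLE_CA_PEM})
    # JSON is valid YAML, so the output can be piped to: oc apply -f -
    print(json.dumps(manifest, indent=2))
```

To check a secret that already exists on the cluster, pass the output of oc get secret cpd-custom-ca-certs -n ${PROJECT_CPD_INST_OPERANDS} -o json to decode_secret_data and run count_certificates on each entry; an entry that fails is one that gen-platform-ca-certs will copy into every pod as-is.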