Preparing secrets for TLS encryption
Operations Management can automatically generate TLS certificates for customers who do not have their own certificate authority (CA). However, if you have your own CA and you want to deploy on your own site, then you can manually create a certificate and use your own CA to sign the certificate.
A Kubernetes ingress is a collection of rules that can be configured to give services externally reachable URLs. Each Operations Management component requires its own ingress. Each ingress must have an associated secret that holds its TLS certificate. If you are using your own CA, then prepare these secrets with the procedure below.
Note: If you are deploying on IBM Cloud® Private with OpenShift, skip this topic. OpenShift creates its own TLS certificates, and these can be edited post-install. For more information, see Updating certificate for a route.
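#!/bin/bash
# Release name: first argument, or "noi" when no argument is given.
RELNAME="${1:-noi}"
for INGRESS in impact nci-0 nci-1 netcool proxy scala was ibm-hdm-common-ui
do
  # Delete any existing secret so that it can be re-created.
  kubectl delete secret "$RELNAME-$INGRESS-tls-secret" --ignore-not-found
  # Generate a 2048-bit RSA key and a certificate valid for 365 days (-x509 makes it self-signed).
  # {{global.cluster.fqdn}} is a placeholder for the global.cluster.fqdn value of your deployment.
  openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem -subj "/CN=$INGRESS.$RELNAME.{{global.cluster.fqdn}}/"
  # Store the certificate and key as the TLS secret for this ingress.
  kubectl create secret tls "$RELNAME-$INGRESS-tls-secret" --cert=./certificate.pem --key=./key.pem
  # Remove the local copies of the key and certificate.
  rm ./key.pem ./certificate.pem
done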
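
The script above self-signs each certificate. The following is an added example, not part of the original page or the product's own tooling, that signs each ingress certificate with your own CA and checks the chain before creating the secret. The function name sign_ingress_cert and the environment variables CA_CERT, CA_KEY and CLUSTER_FQDN (standing in for the {{global.cluster.fqdn}} placeholder) are assumptions.

```shell
#!/bin/bash
# Added example (not from the original page): CA-signed variant of the secret script.
# Assumed names: sign_ingress_cert, CA_CERT, CA_KEY, CLUSTER_FQDN.

# sign_ingress_cert <ca-cert> <ca-key> <hostname> <out-dir>
# Writes key.pem and certificate.pem to <out-dir>; returns non-zero on any failure.
sign_ingress_cert() {
  ca_cert="$1"; ca_key="$2"; host="$3"; out="$4"
  # New private key plus a signing request for the ingress hostname.
  openssl req -newkey rsa:2048 -nodes -keyout "$out/key.pem" \
    -out "$out/request.csr" -subj "/CN=$host/" || return 1
  # Current TLS clients match the hostname against subjectAltName, so set it.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$out/san.ext"
  # Sign with the CA instead of self-signing (-x509 in the original script).
  openssl x509 -req -in "$out/request.csr" -CA "$ca_cert" -CAkey "$ca_key" \
    -CAserial "$out/ca.srl" -CAcreateserial -days 365 -sha256 \
    -extfile "$out/san.ext" -out "$out/certificate.pem" || return 1
  # Refuse to continue unless the new certificate chains to the CA.
  openssl verify -CAfile "$ca_cert" "$out/certificate.pem" >/dev/null || return 1
  rm -f "$out/request.csr" "$out/san.ext"
}

# Driver: runs only when the CA locations and cluster FQDN are supplied.
if [ -n "$CA_CERT" ] && [ -n "$CA_KEY" ] && [ -n "$CLUSTER_FQDN" ]; then
  RELNAME="${1:-noi}"
  umask 077                      # key material readable by the current user only
  WORK=$(mktemp -d) || exit 1
  trap 'rm -rf "$WORK"' EXIT     # remove keys even if a step fails
  for INGRESS in impact nci-0 nci-1 netcool proxy scala was ibm-hdm-common-ui
  do
    sign_ingress_cert "$CA_CERT" "$CA_KEY" "$INGRESS.$RELNAME.$CLUSTER_FQDN" "$WORK" || exit 1
    kubectl delete secret "$RELNAME-$INGRESS-tls-secret" --ignore-not-found
    kubectl create secret tls "$RELNAME-$INGRESS-tls-secret" \
      --cert="$WORK/certificate.pem" --key="$WORK/key.pem" || exit 1
  done
fi
```

Clients that connect to the ingress URLs must trust the CA certificate for these certificates to validate.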