Welcome to Tanzu Mission Control Self-Managed Part 4 of the series. In this post I’ll show you how to use cert-manager and a ClusterIssuer for automatic certificate issuance.
If you have landed on this post directly by mistake, I encourage you to read the previous blog posts of this series using the below links:
1: TMC Self-Managed – Introduction & Architecture
2: Configure DNS for TMC Self-Managed
3: Configure OIDC Compliant Identity Provider (Okta)
For its certificates, TMC Self-Managed uses cert-manager. You can use the cert-manager and cluster issuer to create a self-signed certificate for the installation in a lab or POC environment. On the workload cluster where TMC Self-Managed will be installed in my lab, I have installed cert-manager as a Tanzu package.
In an airgap environment, you can follow the instructions outlined in the Add a Package Repository and Install cert-manager in the TKG product documentation to install cert-manager.
Deploy Cluster Issuer
When you install Tanzu Mission Control Self-Managed, the cert-manager requests TLS certificates for the external endpoints that you created previously in your DNS zone. So you must set up a cluster issuer in your cluster.
Cert-Manager supports a wide variety of issuers to enable the creation of a ClusterIssuer, including the following:
This post uses the CA issuer type, which lets you bring your own (self-signed) CA certificate and key and have cert-manager sign the deployment's certificates with it. The steps for configuring a CA issuer for cert-manager are provided below:
Note: The commands provided below need to be executed on the bootstrap machine from where you are managing the TKG clusters.
Step 1: Generate a self-signed CA certificate for TMC Self-Managed
```shell
# export DOMAIN="*.tmc.vstellar.lab"
# export SUBJ="/C=IN/ST=Karnataka/L=Bengaluru/O=VMware, Inc./OU=Tanzu/CN=${DOMAIN}"

### Lab CA: 4096-bit RSA key and a self-signed CA certificate valid for 10 years ###
# openssl genrsa -out ca.key 4096
# openssl req -x509 -new -nodes -key ca.key -sha512 -days 3650 -out tmcsm-ca.crt -subj "$SUBJ"

### Server key and CSR (this reuses the CA subject; a distinct CN for the CA makes the two easier to tell apart) ###
# openssl genrsa -out server-app.key 4096
# openssl req -sha512 -new -subj "$SUBJ" -key server-app.key -out server-app.csr

### x509v3 extensions for the server certificate: not a CA, TLS server use, wildcard SAN ###
# cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=${DOMAIN}
EOF

### Sign the CSR with the lab CA (ca.key was created without a passphrase, so no -passin is needed) ###
# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA tmcsm-ca.crt -CAkey ca.key -CAcreateserial -in server-app.csr -out server-app.crt
```
Step 2: Copy the CA certificate to the /etc/ssl/certs directory
```shell
### Make the lab CA available to tools on the bootstrap machine ###
# cp tmcsm-ca.crt /etc/ssl/certs/
```
Step 3: Create a secret for the cert-manager
```shell
### The CA key and certificate go into a TLS secret in the cert-manager namespace ###
# kubectl create secret tls local-ca --key ca.key --cert tmcsm-ca.crt -n cert-manager

### List secrets in cert-manager namespace ###
# kubectl get secrets -n cert-manager
NAME       TYPE                DATA   AGE
local-ca   kubernetes.io/tls   2      4s
```
Step 4: Create the cluster issuer YAML
Note: The secretName key in the YAML must match the secret you created in the previous step.
```yaml
# vim local-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
# ClusterIssuer is cluster-scoped, so it carries no namespace; the CA secret it
# references must live in cert-manager's own namespace (cert-manager here).
metadata:
  name: local-issuer
spec:
  ca:
    secretName: local-ca
```
Step 5: Create the cluster issuer
```shell
# kubectl apply -f local-issuer.yaml
```
Step 6: Verify that the cluster issuer status is Ready
```shell
# kubectl get clusterissuer
NAME           READY   AGE
local-issuer   True    43s
```
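A Ready issuer only tells you that cert-manager could read the CA secret; it does not prove that certificates issued through it chain to your CA and carry the right SAN. The smoke test below is an added example, not part of the original post: it renders a throw-away cert-manager Certificate for the hypothetical host `tmc-smoke.tmc.vstellar.lab`, waits for `local-issuer` to issue it, and checks the issued certificate against `tmcsm-ca.crt` with openssl. The issuer, domain and CA file names come from the steps above; the names `tmc-smoke`, `tmc-smoke-tls` and the `NAMESPACE` default are assumptions.

```shell
#!/bin/sh
# Added smoke test for the ClusterIssuer created in the steps above (example code,
# not from the original post). Assumed names: issuer "local-issuer", CA file
# "tmcsm-ca.crt", domain "tmc.vstellar.lab", Certificate "tmc-smoke" in "default".
set -eu

ISSUER="${ISSUER:-local-issuer}"
DOMAIN="${DOMAIN:-tmc.vstellar.lab}"
CA_CRT="${CA_CRT:-tmcsm-ca.crt}"
NAMESPACE="${NAMESPACE:-default}"

# Print a Certificate manifest that asks ClusterIssuer $1 for a cert covering
# DNS name $2, stored in namespace $3. Pure text; needs no cluster.
render_certificate() {
    cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tmc-smoke
  namespace: $3
spec:
  secretName: tmc-smoke-tls
  duration: 2h
  dnsNames:
    - "$2"
  issuerRef:
    name: $1
    kind: ClusterIssuer
    group: cert-manager.io
EOF
}

# Return 0 only if the ClusterIssuer $1 reports the Ready condition as True.
issuer_is_ready() {
    ready=$(kubectl get clusterissuer "$1" -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')
    [ "$ready" = "True" ]
}

# Return 0 only if PEM certificate $1 chains to CA file $2 and carries DNS SAN $3.
verify_issued() {
    openssl verify -CAfile "$2" "$1" >/dev/null
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "DNS:$3"
}

# End-to-end: request a certificate through the issuer, pull the issued
# tls.crt out of the secret, verify it, then clean up the test object.
request_and_verify() {
    host="tmc-smoke.${DOMAIN}"
    issuer_is_ready "$ISSUER" || { echo "ClusterIssuer $ISSUER is not Ready" >&2; return 1; }
    render_certificate "$ISSUER" "$host" "$NAMESPACE" | kubectl apply -f -
    kubectl wait --for=condition=Ready certificate/tmc-smoke -n "$NAMESPACE" --timeout=120s
    kubectl get secret tmc-smoke-tls -n "$NAMESPACE" -o jsonpath='{.data.tls\.crt}' | base64 -d > tmc-smoke.crt
    verify_issued tmc-smoke.crt "$CA_CRT" "$host"
    echo "OK: $host issued by $ISSUER and verified against $CA_CRT"
    kubectl delete certificate tmc-smoke -n "$NAMESPACE"
}

# Only the "run" argument talks to the cluster; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then
    request_and_verify
fi
```

Run it on the bootstrap machine as `sh smoke-test.sh run`. If `openssl verify` fails or the SAN is missing, the certificates cert-manager will later hand to the TMC endpoints would be rejected by clients in the same way, so fix the secret or issuer before continuing with the installation.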
And that’s it for this post. In the next post of this series, I will demonstrate configuring the Harbor registry for hosting TMC Self-Managed artifacts.
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.