For the Kubernetes® API server to call the admission webhook of the OpenTelemetry™ Operator shipped in the Cisco Cloud Observability Helm charts, the webhook must serve TLS with a certificate whose subject alternative name (SAN) matches the webhook Service's DNS name. The API server must then be configured to trust the CA that issued that certificate; that is what the CA bundle in the webhook configuration is for.

This document contains references to the cert-manager documentation. Cisco AppDynamics does not own any rights and assumes no responsibility for the accuracy or completeness of such third-party documentation.

There are three ways to provide this TLS certificate: install cert-manager and let it issue the certificate, manually provision a certificate and key, or let the chart generate a self-signed certificate at install time.

The easiest and default method is to install cert-manager.

Install Cert-Manager

cert-manager issues and rotates the webhook certificate automatically from a self-signed issuer created by the chart. Install it with the release manifest (replace v1.8.0 with the cert-manager release you intend to run):

```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
```

See cert-manager installation.

Manually Provision a TLS Certificate

To provision the certificate manually, use the following steps to generate a self-signed CA, issue the webhook certificate from it, and configure the operator to use it. If you already have a signed certificate, ensure that it carries the subject alternative name (SAN) described in step 2 and proceed with step 3.

  1. If you do not already have a certificate authority (CA) to sign the certificate, generate a CA key and self-signed CA certificate with the following commands. If you already have a CA, continue with step 2.

    ```bash
    openssl genrsa -out ca.key 2048
    openssl req -new -x509 -days 365 -key ca.key -subj "/CN=example CA" -out ca.crt
    ```
  2. Generate the webhook key and certificate signing request (CSR), then sign the CSR with the CA certificate and key. The second command uses a bash process substitution (`<(...)`) for the extension file; in another shell, write the `subjectAltName` line to a file and pass that file to `-extfile` instead.

    ```bash
    openssl req -newkey rsa:2048 -nodes -keyout operator.key -subj "/CN=*.appdynamics.svc" -out operator.csr
    openssl x509 -req -extfile <(printf "subjectAltName=DNS:*.appdynamics.svc") -days 365 -in operator.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out operator.crt
    ```

    These commands generate the operator server key file, operator.key, and the signed operator server certificate, operator.crt.
    Here, appdynamics is the namespace where the operator is installed. If you installed the operator in a different namespace, change appdynamics to that namespace name. The API server reaches the webhook at `<service-name>.<namespace>.svc`, so the SAN must cover that name; a wildcard for the namespace, as above, does, but a certificate with only a CN and no SAN is rejected by the API server.

  3. Configure the operator to use the generated certificate and key.
    In the operators-values.yaml file, disable both cert-manager and chart-generated certificates and paste the PEM contents of operator.crt, ca.crt and operator.key into cert_file, ca_file and key_file. For example:

    ```yaml
    opentelemetry-operator:
      admissionWebhooks:
        certManager:
          enabled: false
        autoGenerateCert:
          enabled: false
        cert_file: |
          -----BEGIN CERTIFICATE-----
          MIIDHzCCAgegAwIBAgIUd3A7FjyXjsbKiL1T+16ZP99bc8cwDQYJKoZIhvcNAQEL...
          operator.crt file content
          -----END CERTIFICATE-----
        ca_file: |
          -----BEGIN CERTIFICATE-----
          MIIDCzCCAfOgAwIBAgIUBWzuw/WmJmUVmPjW5Bi9VbAfy50wDQYJKoZIhvcNAQEL...
          ca.crt file content
          -----END CERTIFICATE-----
        key_file: |
          -----BEGIN PRIVATE KEY-----
          MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDsD+ApE/qMAsJU...
          operator.key file content
          -----END PRIVATE KEY-----
    ```

    The PEM blocks must keep their indentation under the YAML block scalar (`|`). key_file is the webhook's private key: keep operators-values.yaml out of version control or protect it the way you protect any other secret.
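The following script carries steps 1 to 3 through end to end. It is an added example and not part of the Cisco AppDynamics documentation or the operator chart: it writes the CA with explicit CA constraints (instead of relying on the system openssl.cnf), issues the webhook certificate with the SAN the API server needs, verifies the chain, the hostname match and that the key belongs to the certificate before anything is pasted into a values file, and then renders the operators-values.yaml stanza from step 3. The webhook Service name used for the hostname check, `opentelemetry-operator-webhook`, is an assumption; substitute the name of the webhook Service in your cluster. It needs only `openssl` and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the Cisco AppDynamics docs): generate, verify and
# render a manually provisioned webhook certificate for the operator.
set -eu

# gen_webhook_cert NAMESPACE OUTDIR
# Writes ca.key, ca.crt, operator.key, operator.csr and operator.crt to OUTDIR.
gen_webhook_cert() {
  ns="$1"; out="$2"
  mkdir -p "$out"
  # A private openssl config so the CA gets CA:TRUE and keyCertSign regardless
  # of what the system openssl.cnf defaults to.
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
    'x509_extensions = ca_ext' '[dn]' 'CN = example CA' '[ca_ext]' \
    'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash' > "$out/ca.cnf"
  # Step 1: CA key and self-signed CA certificate.
  openssl genrsa -out "$out/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$out/ca.key" \
    -config "$out/ca.cnf" -out "$out/ca.crt"
  # Step 2: webhook key + CSR, then sign it. The SAN must cover the name the
  # API server dials, <service>.<namespace>.svc; the wildcard does that.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$out/operator.key" \
    -subj "/CN=*.${ns}.svc" -config "$out/ca.cnf" \
    -out "$out/operator.csr" 2>/dev/null
  printf '%s\n' "subjectAltName = DNS:*.${ns}.svc" 'basicConstraints = CA:FALSE' \
    'keyUsage = critical, digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' > "$out/leaf.ext"
  openssl x509 -req -days 365 -in "$out/operator.csr" -CA "$out/ca.crt" \
    -CAkey "$out/ca.key" -CAcreateserial -extfile "$out/leaf.ext" \
    -out "$out/operator.crt" 2>/dev/null
}

# verify_webhook_cert OUTDIR HOSTNAME
# Succeeds only if operator.crt chains to ca.crt AND its SAN matches HOSTNAME,
# the same two checks the API server performs when it calls the webhook.
verify_webhook_cert() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
    "$1/operator.crt" >/dev/null 2>&1
}

# key_matches_cert OUTDIR
# Succeeds if operator.key is the private half of the key in operator.crt.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1/operator.crt")" = \
    "$(openssl pkey -pubout -in "$1/operator.key")" ]
}

# render_values OUTDIR
# Writes OUTDIR/operators-values.yaml in the layout used in step 3, with each
# PEM file indented under its YAML block scalar.
render_values() {
  out="$1"
  {
    echo "opentelemetry-operator:"
    echo "  admissionWebhooks:"
    echo "    certManager:"
    echo "      enabled: false"
    echo "    autoGenerateCert:"
    echo "      enabled: false"
    echo "    cert_file: |"
    sed 's/^/      /' "$out/operator.crt"
    echo "    ca_file: |"
    sed 's/^/      /' "$out/ca.crt"
    echo "    key_file: |"
    sed 's/^/      /' "$out/operator.key"
  } > "$out/operators-values.yaml"
}

# Usage: sh gen-webhook-cert.sh <namespace> <outdir>
if [ $# -eq 2 ]; then
  gen_webhook_cert "$1" "$2"
  verify_webhook_cert "$2" "opentelemetry-operator-webhook.$1.svc"
  key_matches_cert "$2"
  render_values "$2"
  echo "wrote $2/operators-values.yaml"
fi
```

Run the verification against the exact Service name of your webhook: a mismatch there, not a bad chain, is the usual cause of the API server reporting `x509: certificate is valid for ..., not ...` when the webhook is called.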

Use an Automatically Generated Self-Signed TLS Certificate

You can use an automatically generated self-signed TLS certificate by setting admissionWebhooks.certManager.enabled to false and admissionWebhooks.autoGenerateCert to true in the appdynamics-operator chart's operators-values.yaml file. As in step 3 of the manual procedure, these keys belong under the opentelemetry-operator subchart key:

operators-values.yaml

```yaml
opentelemetry-operator:
  admissionWebhooks:
    create: true
    certManager:
      enabled: false
    autoGenerateCert: true
```

After these values are set, Helm generates a self-signed TLS certificate at install time and stores it in a Secret for the webhook. The shape of the autoGenerateCert key differs between opentelemetry-operator chart versions (a plain boolean, as here, or a map with an enabled field, as in step 3 above); use the form that matches the values.yaml of the chart version you install.

OpenTelemetry™ and Kubernetes® (as applicable) are trademarks of The Linux Foundation®.