Provision a TLS Certificate for the OpenTelemetry Operator
In order for the Kubernetes® API server to communicate with the webhook component of the OpenTelemetry™ Operator in the Cisco Cloud Observability Helm charts, the webhook requires a TLS certificate. The API server must then be configured to trust the generated TLS certificate.
This document contains references to the cert-manager documentation. Cisco AppDynamics does not own any rights and assumes no responsibility for the accuracy or completeness of such third-party documentation.
There are three ways to generate this required TLS certificate:
- Install Cert-Manager
- Manually Provision a TLS Certificate
- Use an Automatically Generated Self-Signed TLS Certificate
The easiest and default method is to install the cert-manager.
Install Cert-Manager
The cert-manager generates self-signed certificates automatically:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
See cert-manager installation.
Manually Provision a TLS Certificate
You can manually provision a TLS certificate.
You can use the following steps to generate a self-signed certificate and configure the operator to use it. If you already have the signed certificate, ensure that the certificate has correct subject alternative name (SAN) as described in step 2 and proceed with step 3.
1. If you do not already have a certificate authority (CA) for signing the certificate, generate a CA key and certificate with the following commands. Otherwise, continue with step 2.

   openssl genrsa -out ca.key 2048
   openssl req -new -x509 -days 365 -key ca.key -subj "/CN=example CA" -out ca.crt

2. Use the CA certificate and key to sign the certificate signing request (CSR). The subject alternative name (SAN) must cover the name at which the API server reaches the webhook service, <service>.<namespace>.svc, which the wildcard below does:

   openssl req -newkey rsa:2048 -nodes -keyout operator.key -subj "/CN=*.appdynamics.svc" -out operator.csr
   openssl x509 -req -extfile <(printf "subjectAltName=DNS:*.appdynamics.svc") -days 365 -in operator.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out operator.crt

   These commands generate the operator server key file, operator.key, and the signed operator server certificate, operator.crt. Here, appdynamics is the namespace where the operator is installed. If you have installed the operator in a different namespace, change appdynamics to that namespace name.

3. Configure the operator to use the generated certificate and key. In the operators-values.yaml file, add the file contents of ca.crt, operator.key and operator.crt. For example:

   opentelemetry-operator:
     admissionWebhooks:
       certManager:
         enabled: false
       autoGenerateCert:
         enabled: false
       cert_file: |
         -----BEGIN CERTIFICATE-----
         MIIDHzCCAgegAwIBAgIUd3A7FjyXjsbKiL1T+16ZP99bc8cwDQYJKoZIhvcNAQEL... operator.crt file content
         -----END CERTIFICATE-----
       ca_file: |
         -----BEGIN CERTIFICATE-----
         MIIDCzCCAfOgAwIBAgIUBWzuw/WmJmUVmPjW5Bi9VbAfy50wDQYJKoZIhvcNAQEL... ca.crt file content
         -----END CERTIFICATE-----
       key_file: |
         -----BEGIN PRIVATE KEY-----
         MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDsD+ApE/qMAsJU... operator.key file content
         -----END PRIVATE KEY-----
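As an added example that is not part of this documentation, the following shell functions check ca.crt, operator.crt and operator.key before they are pasted into operators-values.yaml: that the certificate chains to the CA, that its SAN covers *.<namespace>.svc, that the key belongs to the certificate, and that it is not about to expire. The function names, the 30-day expiry threshold and the helper that reproduces the guide's openssl steps for an offline run are assumptions; OpenSSL must be installed.

```shell
#!/usr/bin/env bash
# Added example, not part of the Cisco AppDynamics documentation.
# Assumes OpenSSL is on PATH; function names and the 30-day threshold are our choices.

# verify_operator_cert CA_CRT OPERATOR_CRT OPERATOR_KEY NAMESPACE
# Returns 0 only if every check passes; each failure prints its reason to stderr.
verify_operator_cert() {
  local ca="$1" crt="$2" key="$3" ns="$4" ok=0

  # 1. The API server trusts the webhook only if the leaf chains to the CA given as ca_file.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "operator.crt is not signed by $ca" >&2; ok=1; }

  # 2. The webhook is reached at <service>.<namespace>.svc, so the wildcard SAN from the
  #    guide's CSR (*.<namespace>.svc) must name the namespace the operator runs in.
  openssl x509 -in "$crt" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -Eq "DNS:\*\.$ns\.svc(,|\$)" \
    || { echo "subjectAltName does not cover *.$ns.svc" >&2; ok=1; }

  # 3. cert_file and key_file must belong together: compare the public keys they carry.
  [ "$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || { echo "operator.key does not match operator.crt" >&2; ok=1; }

  # 4. Fail early if the certificate expires within 30 days (-checkend takes seconds).
  openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1 \
    || { echo "operator.crt expires within 30 days" >&2; ok=1; }

  return "$ok"
}

# make_demo_certs DIR NAMESPACE: reproduces the guide's CA and signing steps into DIR so the
# checks can be exercised offline (a plain file replaces the guide's <(printf ...) extfile).
make_demo_certs() {
  local d="$1" ns="$2"
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$d/ca.key" -subj "/CN=example CA" \
    -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/operator.key" -subj "/CN=*.$ns.svc" \
    -out "$d/operator.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.%s.svc\n' "$ns" > "$d/san.cnf"
  openssl x509 -req -extfile "$d/san.cnf" -days 365 -in "$d/operator.csr" \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial -out "$d/operator.crt" 2>/dev/null
}
```

Run verify_operator_cert against the real files with the namespace the operator is installed in; a certificate issued for one namespace is rejected for any other.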
Use an Automatically Generated Self-Signed TLS Certificate
You can use an automatically generated self-signed TLS certificate by setting admissionWebhooks.certManager.enabled to false and admissionWebhooks.autoGenerateCert to true in the appdynamics-operator chart's operators-values.yaml file:

operators-values.yaml

admissionWebhooks:
  create: true
  certManager:
    enabled: false
  autoGenerateCert: true
After these configurations are set, Helm will create a self-signed TLS certificate and a secret for you.
OpenTelemetry™ and Kubernetes® (as applicable) are trademarks of The Linux Foundation®.