v2.23 Preview Preview release - not for production v2024.1 STS Stable release with standard-term support v2.20 LTS Stable release with long-term support v2.18 STS Stable release with standard-term support v2.14 LTS Stable release with long-term support Unsupported versions

Add certificates

Use your own certificates for encryption in transit

For a universe created on Kubernetes, YugabyteDB Anywhere allows you to configure an existing running instance of the cert-manager as a TLS certificate provider for a cluster.

Prerequisites

The following criteria must be met:

  • The cert-manager is running in the Kubernetes cluster.
  • A root or intermediate CA (either self-signed or external) is already configured on the cert-manager. The same CA certificate file, including any intermediate CAs, must be prepared for upload to YugabyteDB Anywhere. For intermediate certificates, the chained CA certificate can be constructed using a command similar to cat intermediate-ca.crt root-ca.crt > bundle.crt.
  • An Issuer or ClusterIssuer Kind is configured on the cert-manager and is ready to issue certificates using the previously-mentioned root or intermediate certificate.
  • Prepare the root certificate in a file (for example, root.crt).

Add certificates using cert-manager

Add TLS certificates issued by the cert-manager as follows:

  1. Navigate to Integrations > Security > Encryption in Transit.

  2. Click Add Certificate to open the Add Certificate dialog.

  3. Select K8S cert-manager.

    Add Kubernetes Certificate

  4. In the Certificate Name field, enter a meaningful name for your certificate.

  5. Click Upload Root Certificate and select the CA certificate file that you prepared.

  6. Click Add to make the certificate available.

Configure the provider

After the certificate is added to YugabyteDB Anywhere, configure the Kubernetes provider configuration by following instructions provided in Configure region and zones.

In the Add new region dialog shown in the following illustration, you would be able to specify the Issuer name or the ClusterIssuer name for each zone. Because an Issuer Kind is a Kubernetes namespace-scoped resource, the zone definition should also set the Namespace field value if an Issuer Kind is selected.

Add new region

Troubleshoot

If you encounter problems, you should verify the name of Issuer or ClusterIssuer in the Kubernetes cluster, as well as ensure that the Kubernetes cluster is in Ready state. You can use the following commands:

kubectl get ClusterIssuer

kubectl -n <namespace> Issuer