ContextQMD
Back to Yugabyte Db

Add cert-manager certificates to YugabyteDB Anywhere

docs/content/v2.25/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md

2026.1.0.0-b253.1 KB
Original Source

{{<tabs>}} {{<tabitem href="../add-certificate-self/" text="Self-Signed" >}} {{<tabitem href="../add-certificate-ca/" text="CA-Signed" >}} {{<tabitem href="../add-certificate-hashicorp/" text="Hashicorp Vault" >}} {{<tabitem href="../add-certificate-kubernetes/" text="Kubernetes cert-manager" active="true" >}} {{</tabs>}}

For a universe created on Kubernetes, YugabyteDB Anywhere allows you to configure an existing running instance of the cert-manager as a TLS certificate provider for a cluster.

Prerequisites

The following criteria must be met:

  • The cert-manager is running in the Kubernetes cluster.
  • A root or intermediate CA (either self-signed or external) is already configured on the cert-manager. The same CA certificate file, including any intermediate CAs, must be prepared for upload to YugabyteDB Anywhere. For intermediate certificates, the chained CA certificate can be constructed using a command similar to cat intermediate-ca.crt root-ca.crt > bundle.crt.
  • An Issuer or ClusterIssuer Kind is configured on the cert-manager and is ready to issue certificates using the previously-mentioned root or intermediate certificate.
  • Prepare the root certificate in a file (for example, root.crt).

Add certificates using cert-manager

Add TLS certificates issued by the cert-manager as follows:

  1. Navigate to Integrations > Security > Encryption in Transit.

  2. Click Add Certificate to open the Add Certificate dialog.

  3. Select K8S cert-manager.

  4. In the Certificate Name field, enter a meaningful name for your certificate.

  5. Click Upload Root Certificate and select the CA certificate file that you prepared.

  6. Click Add to make the certificate available.

Configure the provider

After the certificate is added to YugabyteDB Anywhere, set up the Kubernetes provider configuration by following the instructions in Configure region and zones.

When adding a region, you can specify the Issuer kind, Issuer name, and optionally the Issuer group for each zone.

Including the common name

If your certificate issuer (for example, for aws-privateca-issuer) requires the certificate to include the common name, set the following override for the provider region:

yml
tls:
  certManager:
    certificates:
      commonNameRequired: true

When configured, YugabyteDB Anywhere sets the common name to the name of the service created for the pod, and adds common name to the certificate request sent to cert-manager.

Troubleshoot

If you encounter problems, you should verify the name of Issuer or ClusterIssuer in the Kubernetes cluster, as well as ensure that the Kubernetes cluster is in Ready state. You can use the following commands:

sh
kubectl get ClusterIssuer
sh
kubectl -n <namespace> Issuer