ContextQMD
Back to Yugabyte Db

Add cert-manager certificates to YugabyteDB Anywhere

docs/content/v2024.1/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-kubernetes.md

2026.1.0.0-b293.7 KB
Original Source

{{<tabs>}} {{<tabitem href="../add-certificate-self/" text="Self-Signed" >}} {{<tabitem href="../add-certificate-ca/" text="CA-Signed" >}} {{<tabitem href="../add-certificate-hashicorp/" text="Hashicorp Vault" >}} {{<tabitem href="../add-certificate-kubernetes/" text="Kubernetes cert-manager" active="true" >}} {{</tabs>}}

For a universe created on Kubernetes, YugabyteDB Anywhere allows you to configure an existing running instance of the cert-manager as a TLS certificate provider for a cluster.

Prerequisites

The following criteria must be met:

  • The cert-manager is running in the Kubernetes cluster.
  • A root or intermediate CA (either self-signed or external) is already configured on the cert-manager. The same CA certificate file, including any intermediate CAs, must be prepared for upload to YugabyteDB Anywhere. For intermediate certificates, the chained CA certificate can be constructed using a command similar to cat intermediate-ca.crt root-ca.crt > bundle.crt.
  • An Issuer or ClusterIssuer Kind is configured on the cert-manager and is ready to issue certificates using the previously-mentioned root or intermediate certificate.
  • Prepare the root certificate in a file (for example, root.crt).

Add certificates using cert-manager

Add TLS certificates issued by the cert-manager as follows:

  1. Navigate to Integrations > Security > Encryption in Transit.

  2. Click Add Certificate to open the Add Certificate dialog.

  3. Select K8S cert-manager.

  4. In the Certificate Name field, enter a meaningful name for your certificate.

  5. Click Upload Root Certificate and select the CA certificate file that you prepared.

  6. Click Add to make the certificate available.

To view the certificate details, navigate to Integrations > Security > Encryption in Transit, find the certificate in the list, and click Show details.

Configure the provider

After the certificate is added to YugabyteDB Anywhere, configure the Kubernetes provider configuration by following instructions provided in Configure region and zones.

In the Add new region dialog shown in the following illustration, you would be able to specify the Issuer name or the ClusterIssuer name for each zone. Because an Issuer Kind is a Kubernetes namespace-scoped resource, the zone definition should also set the Namespace field value if an Issuer Kind is selected.

Rotate certificates in cert-manager

cert-manager monitors certificates and automatically renews them before expiration, based on the renewBefore setting in the Certificate resource. Ensure that your certificate resources are properly configured with appropriate renewBefore values (for example, 15-30 days before expiry) to prevent certificate expiration.

To rotate certificates for a universe, after certificates are renewed in cert-manager, perform a rolling restart of your universe (Actions > Initiate Rolling Restart).

Note that, if you are using cert-manager for a universe, rotating node-to-node root certificates is not currently supported. To rotate these certificates, contact {{% support-platform %}}.

Troubleshoot

If you encounter problems, you should verify the name of Issuer or ClusterIssuer in the Kubernetes cluster, as well as ensure that the Kubernetes cluster is in Ready state. You can use the following commands:

sh
kubectl get ClusterIssuer
sh
kubectl -n <namespace> Issuer