In the next release of Astronomer, released in fall of 2020, trust of private Certificate Authorities will be supported through helm values in the Astronomer helm chart.
Certificate Authorities (CAs) are used to generate certificates that can be used to host secure HTTP services and more. In order for these certificates to be truly secure, they must come from a trusted CA. Modern operating systems trust many public CAs, but what happens when you run your own CA that is not trusted by default?
In the next version of Astronomer, there is a new feature that makes it very easy to to configure Astronomer to trust a private CA, giving your Astronomer installation trusted access to your company’s private HTTPS APIs and services.
- You must be using Astronomer version v0.18 or higher.
- You must be installing Astronomer using helm.
- You must have your private CA’s public certificate in a file as pem format.
If it does not already exist, create the kubernetes namespace you intend to use.
NAMESPACE=astronomer kubectl create namespace "$NAMESPACE"
Create a secret within this new kubernetes namespace using your private CAs certificate, in pem format.
kubectl --namespace "$NAMESPACE" \ create secret generic "my-private-ca" \ --from-file="cert.pem=private-CA.pem"
The format of the
--from-fileportion of this command is particularly important. It creates a secret with one data entry inside with the key
cert.pemand the value set to the contents of the file you referenced. If the
data.keyinside of the secret has a name other than
cert.pemit will not be recognized by the Astronomer helm chart and thus your private CA will not be trusted.
In your helm
values.yamlfile, include the following data:
global: privateCaCerts: - my-private-ca