Using private CAs in Astronomer

The next release of Astronomer, due in fall 2020, will support trusting private Certificate Authorities through values in the Astronomer Helm chart.

Overview

Certificate Authorities (CAs) issue the certificates used to serve HTTPS and other TLS-protected services. A client only accepts such a certificate if it chains to a CA the client trusts. Modern operating systems ship with a bundle of trusted public CAs, but what happens when you run your own CA that is not in that bundle?

The next version of Astronomer adds a feature that makes it easy to configure Astronomer to trust a private CA, so that your Astronomer installation can reach your company's internal HTTPS APIs and services over trusted connections.

Prerequisites

  1. You must be using Astronomer version v0.18 or higher.
  2. You must be installing Astronomer using Helm.
  3. You must have your private CA's public certificate (not its private key) in a PEM-format file.

Usage

  1. If it does not already exist, create the kubernetes namespace you intend to use.

    NAMESPACE=astronomer
    kubectl create namespace "$NAMESPACE"
    
  2. Create a Secret in this namespace from your private CA's certificate, in PEM format.

    kubectl --namespace "$NAMESPACE" \
        create secret generic "my-private-ca" \
        --from-file="cert.pem=private-CA.pem"
    

    The --from-file argument matters: it creates a Secret with a single data entry whose key is cert.pem and whose value is the contents of the file you referenced. The Astronomer Helm chart looks for exactly that key. If the key inside the Secret's data has any other name, the chart will not pick it up and your private CA will not be trusted. The Secret must also live in the namespace you install Astronomer into.

  3. In your helm values.yaml file, include the following data:

    global:
      privateCaCerts:
      - my-private-ca
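The three steps above as one preflight script. This is an added example and is not part of the original post or of the Astronomer chart: it validates the PEM file (at least one CERTIFICATE block, no private key material), builds the same Secret that the kubectl create secret command would, with the data key cert.pem the chart expects, checks an existing Secret manifest for that key, and emits the values.yaml snippet. The secret name my-private-ca, the namespace astronomer and the placeholder PEM bytes are constructed for the example; only the Python standard library is used.

```python
"""Preflight helper for the private-CA steps (added example, not Astronomer code)."""
import base64
import json
import re
import sys

# The data key the Astronomer Helm chart looks for in the Secret (from the post).
SECRET_DATA_KEY = "cert.pem"

# One PEM block: label, body. Bodies are normally wrapped at 64 columns.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed sample input: PEM framing around placeholder bytes, NOT a real certificate.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"placeholder DER bytes for the example").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def pem_blocks(pem_text):
    """Return [(label, der_bytes)] for every PEM block; ValueError on bad base64."""
    blocks = []
    for label, body in _PEM_BLOCK.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{label} block is not valid base64") from exc
        blocks.append((label, der))
    return blocks


def validate_ca_pem(pem_text):
    """Checks worth running before step 2. Returns the number of CERTIFICATE blocks.

    The Secret must hold the CA's *public* certificate, so a file that carries
    private key material is rejected outright.
    """
    labels = [label for label, _ in pem_blocks(pem_text)]
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("file contains a private key; only the CA certificate belongs in the secret")
    count = labels.count("CERTIFICATE")
    if count == 0:
        raise ValueError("no CERTIFICATE block found")
    return count


def secret_manifest(name, namespace, pem_text):
    """Same Secret as `kubectl create secret generic NAME --from-file=cert.pem=FILE`,
    as a manifest you can inspect or feed to `kubectl apply -f -`."""
    validate_ca_pem(pem_text)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {SECRET_DATA_KEY: base64.b64encode(pem_text.encode()).decode()},
    }


def secret_is_usable(manifest):
    """The failure mode from step 2: a data key other than cert.pem is ignored by the chart."""
    return SECRET_DATA_KEY in (manifest.get("data") or {})


def decode_secret_pem(manifest):
    """Recover the PEM text from a Secret manifest (e.g. `kubectl get secret ... -o json`)."""
    return base64.b64decode(manifest["data"][SECRET_DATA_KEY]).decode()


def values_snippet(secret_names):
    """The global.privateCaCerts entry for values.yaml from step 3."""
    lines = ["global:", "  privateCaCerts:"] + [f"  - {n}" for n in secret_names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python preflight.py [private-CA.pem]; falls back to the constructed sample.
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CA_PEM
    manifest = secret_manifest("my-private-ca", "astronomer", pem)
    if not secret_is_usable(manifest):
        sys.exit("secret would be ignored by the chart: data key is not cert.pem")
    print(json.dumps(manifest, indent=2))
    print(values_snippet(["my-private-ca"]))
```

Pipe the printed manifest into kubectl apply -f - instead of running the kubectl create secret command, or run decode_secret_pem plus validate_ca_pem against the JSON of a Secret that already exists to confirm it carries a certificate under the right key.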
    