Before you begin
Review the pre-installation planning sections in Installing the Event Gateway.
Creating TLS certificates for the Event Gateway
Your operator-managed Event Gateway requires a CA certificate and key to generate the TLS certificate that secures your gateway endpoint.
The best way to create and manage TLS certificates is to use cert-manager. Cert-manager creates TLS certificates based on a YAML definition, stores them in Kubernetes secrets, and automatically renews them before they expire. Cert-manager supports integration with external public signers, and can also create self-signed certificates.
On Kubernetes, install the cert-manager community operator. Cert-manager is included on Red Hat OpenShift.
Creating a self-signed CA certificate with cert-manager
The following steps show how to create a self-signed CA certificate and key that you can use to secure your gateway endpoint.
If you want to create externally-signed certificates with cert-manager, see the cert-manager documentation.
- If you do not already have a cert-manager Issuer or ClusterIssuer in your environment, then create one by following these steps:

  a. Create a file called issuer.yaml and paste in the following contents:

     apiVersion: cert-manager.io/v1
     kind: <issuer type>
     metadata:
       name: gateway-selfsigned-issuer
       namespace: <namespace>
     spec:
       selfSigned: {}

     If you want the issuer to be available in all namespaces, then replace <issuer type> with ClusterIssuer, and <namespace> with cert-manager. A ClusterIssuer is cluster-scoped, so you can also omit the namespace field for it. If you want the issuer to be available only in your gateway namespace, then replace <issuer type> with Issuer, and <namespace> with your gateway namespace. A namespaced Issuer can only sign Certificate resources that are in its own namespace.

  b. Apply the file to create the issuer:

     kubectl apply -f issuer.yaml
- Create a file called CACertificate.yaml and paste in the following contents:

     apiVersion: cert-manager.io/v1
     kind: Certificate
     metadata:
       name: gateway-eem-selfsigned-ca
     spec:
       isCA: true
       commonName: <common name>
       secretName: <gateway group id>-<gateway name>-certs
       privateKey:
         algorithm: RSA
       issuerRef:
         name: <issuer name>
         kind: <issuer type>
         group: cert-manager.io

  Replace the placeholder values as follows:

  <common name>: Set to a unique common name for your CA certificate.
  <gateway group id>: Set to the name of your gateway group. The name must match the group name that you specify when you generate your gateway CR YAML.
  <gateway name>: Set to the name of your gateway. The name must match the name that you specify for your gateway when you generate your gateway CR YAML.
  <issuer name>: Set to the name of your cert-manager issuer. If you created an issuer in step 1, then set to gateway-selfsigned-issuer.
  <issuer type>: Set to your issuer type, either Issuer or ClusterIssuer.

  The isCA: true setting makes cert-manager issue a certificate with the CA basic constraint, which the gateway needs to sign its own endpoint certificate. With a self-signed issuer, cert-manager writes the same certificate to both tls.crt and ca.crt in the secret.
- Create your CA certificate and secret by applying the file in your gateway namespace:

     kubectl -n <namespace> apply -f CACertificate.yaml
- Verify that the secret is created and contains the tls.key and ca.crt properties:

     kubectl -n <namespace> get -o yaml secret <gateway group id>-<gateway name>-certs

  The values are base64-encoded, not encrypted, and the output includes the CA private key. Treat the output as sensitive and do not paste it into tickets or chat.
Generating a TLS certificate with OpenSSL
For test and demonstration purposes, you can create a CA certificate and key with the following OpenSSL commands:

    openssl genrsa -out tls.key 2048
    openssl req -new -x509 -key tls.key -days 730 -out tls.crt

The second command prompts for the certificate subject and writes a self-signed certificate that is valid for two years. The file names match the tls.crt and tls.key keys that the gateway secret expects. The private key in tls.key is unencrypted, so restrict access to the file and delete it after you have created the Kubernetes secret.
Important: It is recommended to use cert-manager to create and manage your certificates. Do not use this example certificate in production environments.
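The following script is an added example; it is not part of the Event Gateway documentation or product code. It backs the secret verification step above and the OpenSSL test certificate with the checks a practitioner would actually run: it builds a CA pair with an explicit basicConstraints CA:TRUE extension instead of relying on interactive prompts and openssl.cnf defaults, wraps an existing tls.crt and tls.key pair in a Secret manifest for the spec.tls.caSecretName path of the installation steps, and validates a saved kubectl get -o yaml dump of the secret: that tls.crt carries the CA flag, that tls.key belongs to tls.crt, and that the certificate is not within a configurable number of days of expiry. The function names, the secret name demo-gw-certs and the 30-day default horizon are assumptions of this example. It needs POSIX sh, coreutils base64 and openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the Event Gateway documentation or product code.
# Helpers for the CA material an operator-managed gateway consumes:
#   make_test_ca            - self-signed CA pair with explicit X.509v3 extensions,
#                             so the CA flag does not depend on openssl.cnf defaults
#   ca_secret_manifest      - wrap an existing tls.crt/tls.key pair in a Secret
#                             manifest for the spec.tls.caSecretName path
#   check_gateway_ca_secret - read the YAML dump of a Secret (kubectl get -o yaml)
#                             and verify CA flag, key match and remaining lifetime
# Assumes POSIX sh, coreutils base64, and openssl 1.1.1 or newer.

make_test_ca() {            # make_test_ca <dir> <common name> [days]
  dir="$1"; cn="$2"; days="${3:-730}"
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $cn
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # -nodes leaves the key unencrypted, which is what the Secret needs;
  # keep <dir> private and delete it once the Secret has been applied.
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" -days "$days" 2>/dev/null
}

ca_secret_manifest() {      # ca_secret_manifest <secret name> <dir> > secret.yaml
  crt=$(base64 "$2/tls.crt" | tr -d '\n')
  key=$(base64 "$2/tls.key" | tr -d '\n')
  # ca.crt duplicates tls.crt, the layout cert-manager writes for a self-signed
  # CA, so the same checks apply to both kinds of Secret.
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/tls\ndata:\n  ca.crt: %s\n  tls.crt: %s\n  tls.key: %s\n' \
    "$1" "$crt" "$crt" "$key"
}

secret_field() {            # secret_field <secret.yaml> <key>  (decoded to stdout)
  # kubectl prints data entries as "  <key>: <base64>", one per line.
  enc=$(awk -v k="$2:" '$1 == k { print $2; exit }' "$1")
  [ -n "$enc" ] || { echo "check: $2 is missing from $1" >&2; return 1; }
  printf '%s' "$enc" | base64 -d
}

check_gateway_ca_secret() { # check_gateway_ca_secret <secret.yaml> [min days]
  yaml="$1"; min_days="${2:-30}"
  work=$(mktemp -d) || return 1
  status=1
  # ca.crt only has to be present; the gateway signs with tls.crt/tls.key.
  # openssl x509 reads the first certificate if tls.crt carries a chain.
  if secret_field "$yaml" ca.crt  > "$work/ca.crt" &&
     secret_field "$yaml" tls.crt > "$work/tls.crt" &&
     secret_field "$yaml" tls.key > "$work/tls.key"; then
    if ! openssl x509 -in "$work/tls.crt" -noout -text | grep -q 'CA:TRUE'; then
      echo "check: tls.crt is not a CA certificate (basicConstraints CA:TRUE missing)" >&2
    elif [ "$(openssl x509 -in "$work/tls.crt" -noout -pubkey)" != \
           "$(openssl pkey -in "$work/tls.key" -pubout 2>/dev/null)" ]; then
      echo "check: tls.key does not belong to tls.crt" >&2
    elif ! openssl x509 -in "$work/tls.crt" -noout -checkend $((min_days * 86400)) >/dev/null; then
      echo "check: tls.crt expires within $min_days days" >&2
    else
      status=0
    fi
  fi
  rm -rf "$work"
  return $status
}

# Usage: sh check_ca_secret.sh <secret.yaml> [min days]
#   kubectl -n <namespace> get -o yaml secret <group>-<gateway>-certs > s.yaml
#   sh check_ca_secret.sh s.yaml 90
if [ $# -gt 0 ]; then
  check_gateway_ca_secret "$@" && echo "ok: $1"
fi
```

A non-zero exit with a "check:" line on stderr names the failing condition. The expiry horizon is the check that matters most for a hand-made certificate: cert-manager renews the certificates it issues, whereas a 730-day OpenSSL certificate has to be rotated by you before the gateway endpoint stops being trusted.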
Operator-managed Event Gateway installation steps
- In the navigation pane, click Administration > Event Gateways.
- Click Add gateway.
- Select the Operator-managed deployment tile, then click Next.
- Provide the configuration details for your gateway, then click Next.
- Gateway group: Create or specify an existing gateway group for your new gateway.
- Gateway ID: Provide an ID for your new gateway that is unique within the gateway group.
- Replicas: The number of Kubernetes replicas of the gateway pod to create.
- Copy the generated custom resource YAML to two separate files:

     gateway_cr_original.yaml
     gateway_cr.yaml

  Important: Keep gateway_cr_original.yaml in a safe location and do not edit it. To remove write permissions to avoid accidental updates to this file, you can run chmod a-w gateway_cr_original.yaml.
- Update the gateway_cr.yaml file as follows:

  a. Set spec.license.accept to true.

  b. If you already have a Kubernetes secret that contains the CA certificate and key for your gateway endpoint, then delete the <gateway group>-<gateway ID>-certs secret definition from gateway_cr.yaml, and set spec.tls.caSecretName to the name of your Kubernetes secret.

  c. If you do not have a Kubernetes secret that contains the CA certificate and key for your gateway endpoint, then you can set <tls-certificate> and <tls-key> directly in gateway_cr.yaml. Paste the certificate and key into your gateway_cr.yaml file as follows:

     ...
     stringData:
       # Provide CA certificate and key in PEM format
       tls.crt: |
         -----BEGIN CERTIFICATE-----
         MIIDizCCAnOgAwIBAgIUQFS1LnATi4S/Cp7v/qpC8RWHtJYwDQYJKoZIhvcNAQEL
         ...
         ...
         FbI5AUFaY4/6B9C8L5x7EDQCIGYJ3SJMdvBXkFFAA+/bdMVJG7AgkH6ReHH5NDk=
         -----END CERTIFICATE-----
       tls.key: |
         -----BEGIN PRIVATE KEY-----
         MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQD1URQNSfFOgx2P
         ...
         P3/fdFOUp0I54BfD1D/03NT4zw==
         -----END PRIVATE KEY-----
     ---

     The file now contains the CA private key in clear text. Restrict access to gateway_cr.yaml and to every copy of it in the same way as you protect the Kubernetes secret.

  d. Replace any other placeholder variables in the YAML, and set other properties as required.

  e. Create a backup of the updated gateway_cr.yaml file, in addition to the gateway_cr_original.yaml file.
- To install the Event Gateway through the OpenShift Container Platform web console, complete the following steps:

  a. Log in to the OpenShift Container Platform web console using your login credentials.
  b. Click the + (Quick create) icon in the upper-right.
  c. Select Import YAML.
  d. Set Project to the namespace where you want to install the Event Gateway.
  e. Paste in the contents of your updated gateway_cr.yaml file.
  f. Click Create to start the Event Gateway installation process.
- To install the Event Gateway by using the CLI, run the following commands:

  a. If you are deploying an operator-managed gateway on other Kubernetes platforms, then add the spec.endpoints[] section to your gateway_cr.yaml file:

     spec:
       endpoints:
         - name: gateway
           host: <gateway endpoint>

     For more information about the endpoints property, see Configuring ingresses.

  b. Apply the gateway_cr.yaml file in your Kubernetes environment by using the kubectl command. For example:

     kubectl -n <gateway namespace> apply -f gateway_cr.yaml
-
Return to the Event Gateways page to monitor the status of the new Event Gateway. When the gateway is registered, the status reports Running.
- Complete the gateway verification checks.