FAQ

  1. How to configure HA?

    • HA is configured by increasing the number of cert-orchestrator pods (replicas). By default this is set to one.

    • The "certOrchestrator.replicaCount" field needs to be overridden in the deployment.

    • The value can be overridden with the helm --set flag, for example:
      • --set certOrchestrator.replicaCount=2 (increases the number of pods to two)

    • At any time exactly one pod is the leader and the others are non-leaders. When the leader goes down, an election is held among the remaining non-leader pods and the new pod created to replace the killed leader, and the winner of that election becomes the leader.

  2. How to check if your pod is up and running? How to configure monitoring for your pod running in a cluster?

    The cert-orchestrator pod exposes a liveness endpoint, used by its livenessProbe and usable by external monitoring, at the path and port below:

    path: /healthz

    port: 8081

  3. How to add tolerations to the deployment pod?

    Tolerations can be overridden using helm; refer to the tolerations parameter in the helm chart configuration tables below.

  4. What permissions must be granted in the cluster for running your pod?

    Permissions are listed per service account as apiGroup:resource followed by the allowed verbs; resources without a group prefix belong to the core API group.

    • cert-orchestrator
      • configmaps
        • create, get

      • namespaces
        • get, list

      • nodes
        • get, list, watch

      • pods
        • get, list

      • secrets
        • create, delete, get, list, patch, update, watch

      • cert-orchestrator.certplus.appviewx:casettingclusters
        • create, delete, get, list, patch, update, watch

      • cert-orchestrator.certplus.appviewx:casettingclusters/status
        • get, patch, update

      • cert-orchestrator.certplus.appviewx:casettings
        • create, delete, get, list, patch, update, watch

      • cert-orchestrator.certplus.appviewx:casettings/status
        • get, patch, update

      • cert-orchestrator.certplus.appviewx:certreqs
        • create, delete, get, list, patch, update, watch

      • cert-orchestrator.certplus.appviewx:certreqs/status
        • get, patch, update

      • cert-orchestrator.certplus.appviewx:certs
        • create, delete, get, list, patch, update, watch

      • cert-orchestrator.certplus.appviewx:certs/finalizers
        • update

      • cert-orchestrator.certplus.appviewx:certs/status
        • get, patch, update

      • cert-orchestrator.certplus.appviewx:discoveryrequests
        • create, delete, get, list, patch, update, watch

      • cert-orchestrator.certplus.appviewx:discoveryrequests/finalizers
        • update

      • cert-orchestrator.certplus.appviewx:discoveryrequests/status
        • get, patch, update

      • cert-orchestrator.certplus.appviewx:renewaljobs
        • create, delete, get, list, patch, update, watch

      • cert-orchestrator.certplus.appviewx:renewaljobs/status
        • get, patch, update

      • cert-orchestrator.certplus.appviewx:signers
        • create, delete, get, list, patch, update, watch

      • cert-orchestrator.certplus.appviewx:signers/finalizers
        • update

      • cert-orchestrator.certplus.appviewx:signers/status
        • get, patch, update

      • certificates.k8s.io:certificatesigningrequests
        • get, list, patch, update, watch

      • certificates.k8s.io:certificatesigningrequests/status
        • get, patch, update

      • certificates.k8s.io:[SIGNER_NAME]/istio:signers
        • sign

      • coordination.k8s.io:leases
        • create, delete, get, list, update, watch

      • events
        • create, patch

      • networking.k8s.io:ingresses
        • get, list, watch

      • secrets-store.csi.x-k8s.io:secretproviderclasses
        • create, delete, get, list, patch, update, watch

      • secrets-store.csi.x-k8s.io:secretproviderclasses/finalizers
        • update

      • secrets-store.csi.x-k8s.io:secretproviderclasses/status
        • get, patch, update

    • appviewx-infra-orchestrator
      • cert-orchestrator.certplus.appviewx:discoveryrequests
        • create, get

    • appviewx-csi-provider
      • serviceaccounts/token
        • create

      • secrets
        • create, get

      • cert-orchestrator.certplus.appviewx:certs
        • create, get

  5. What permissions are granted to the service account (ClusterRole and ClusterRoleBinding)?

    Refer to the answer to the previous question.
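    For questions 4 and 5, an added example of how the cert-orchestrator permission list maps onto a ClusterRole and ClusterRoleBinding (the appviewx-infra-orchestrator and appviewx-csi-provider lists would be bound the same way). This is example RBAC written for this FAQ, not the manifest shipped in the chart: the role, binding and service account names and the appviewx namespace are assumptions, and the signer resourceName keeps the FAQ's [SIGNER_NAME]/istio placeholder. Entries without a group prefix go in the core API group (apiGroups: [""]), the .../status and .../finalizers entries are subresources, and the sign verb on signers is scoped to a particular signer with resourceNames.

```yaml
# Example RBAC written for this FAQ; not the chart's own manifest.
# Names, namespace and the signer resourceName are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-orchestrator                  # assumed role name
rules:
  # Core API group: the entries in the FAQ list with no group prefix.
  - apiGroups: [""]
    resources: [configmaps]
    verbs: [create, get]
  - apiGroups: [""]
    resources: [namespaces, pods]
    verbs: [get, list]
  - apiGroups: [""]
    resources: [nodes]
    verbs: [get, list, watch]
  - apiGroups: [""]
    resources: [secrets]
    verbs: [create, delete, get, list, patch, update, watch]
  - apiGroups: [""]
    resources: [events]
    verbs: [create, patch]
  # cert-orchestrator CRDs: full control of the objects, get/patch/update on
  # the status subresource, update on finalizers where the list has one.
  - apiGroups: [cert-orchestrator.certplus.appviewx]
    resources: [casettingclusters, casettings, certreqs, certs, discoveryrequests, renewaljobs, signers]
    verbs: [create, delete, get, list, patch, update, watch]
  - apiGroups: [cert-orchestrator.certplus.appviewx]
    resources: [casettingclusters/status, casettings/status, certreqs/status, certs/status, discoveryrequests/status, renewaljobs/status, signers/status]
    verbs: [get, patch, update]
  - apiGroups: [cert-orchestrator.certplus.appviewx]
    resources: [certs/finalizers, discoveryrequests/finalizers, signers/finalizers]
    verbs: [update]
  # CSR handling plus the single signer this controller may sign for.
  - apiGroups: [certificates.k8s.io]
    resources: [certificatesigningrequests]
    verbs: [get, list, patch, update, watch]
  - apiGroups: [certificates.k8s.io]
    resources: [certificatesigningrequests/status]
    verbs: [get, patch, update]
  - apiGroups: [certificates.k8s.io]
    resources: [signers]
    resourceNames: ["[SIGNER_NAME]/istio"]  # FAQ placeholder; use the configured signer name
    verbs: [sign]
  # Leader election lease used for HA (question 1).
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [create, delete, get, list, update, watch]
  - apiGroups: [networking.k8s.io]
    resources: [ingresses]
    verbs: [get, list, watch]
  - apiGroups: [secrets-store.csi.x-k8s.io]
    resources: [secretproviderclasses]
    verbs: [create, delete, get, list, patch, update, watch]
  - apiGroups: [secrets-store.csi.x-k8s.io]
    resources: [secretproviderclasses/finalizers]
    verbs: [update]
  - apiGroups: [secrets-store.csi.x-k8s.io]
    resources: [secretproviderclasses/status]
    verbs: [get, patch, update]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-orchestrator                  # assumed binding name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-orchestrator
subjects:
  - kind: ServiceAccount
    name: cert-orchestrator                # assumed service account name
    namespace: appviewx                    # assumed install namespace
```

    Before trusting the installed role, compare what the service account can actually do against the list above, for example with kubectl auth can-i --list --as=system:serviceaccount:appviewx:cert-orchestrator (substitute the real namespace and account); wildcard verbs or resources, delete on nodes, or update on certificatesigningrequests/approval would all be privilege beyond what the FAQ requires. Note the blast radius of the binding as listed: it is cluster-scoped, gives the cert-orchestrator pod create/delete/patch on every Secret in the cluster, and gives the CSI provider the right to mint service account tokens, so anyone who can exec into these pods or read their tokens inherits those rights, and the namespace hosting them should be restricted accordingly.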

  6. How to configure resource requirements?

    Resource requests and limits are set under certOrchestrator.resources in the helm chart configuration; the defaults are given in Table 1 below.

    Table 1. cert-orchestrator : Helm chart configuration parameters

    • certOrchestrator
      • enabled: Enable certOrchestrator. Allowed values: true / false
      • renewalEnabled: Enable renewal. Allowed values: true / false
      • namespace: Namespace for the cert-orchestrator installation. Allowed values: valid namespace name
      • tolerations: Tolerations allowed for the pods to schedule.

    • certOrchestrator.discovery
      • enabled: Enable Discovery. Allowed values: true / false
      • isGroupAutoGenerate: Allow auto group creation at AppViewX. Allowed values: true / false
      • credentialSecretName: Secret with the credentials to be used for Discovery with AppViewX. Allowed values: valid Secret name
      • credentialSecretNamespace: Namespace of the above Secret. Allowed values: valid namespace name

    • certOrchestrator.global
      • logLevel: Log level for the cert-orchestrator terminal log. Allowed values: 0 to 7
      • clusterName: Name of the cluster for the current installation. Allowed values: valid cluster name
      • k8sVendor: Type of vendor where the cert-orchestrator runs. Allowed values: valid vendor name

    • certOrchestrator.image
      • repository: Repository name for the image. Allowed values: valid image name with repo
      • tag: Tag for the image. Allowed values: valid image tag
      • pullPolicy: Image pull policy. Allowed values: Always, Never or IfNotPresent; defaults to IfNotPresent

    • certOrchestrator.resources
      • limits.cpu: Maximum amount of CPU allowed. Default is 1000m; see Kubernetes - meaning of CPU
      • limits.memory: Maximum amount of memory allowed. Default is 1Gi; see Kubernetes - meaning of Memory
      • requests.cpu: Minimum amount of CPU required. Default is 500m; see Kubernetes - meaning of CPU
      • requests.memory: Minimum amount of memory required. Default is 500Mi; see Kubernetes - meaning of Memory

    Table 2. appviewx-csi-provider : Helm chart configuration parameters

    • appviewxCSIProvider
      • enabled: Enable appviewxCSIProvider. Allowed values: true / false

    • appviewxCSIProvider.image
      • repository: Repository name for the image. Allowed values: valid image name with repo
      • tag: Tag for the image. Allowed values: valid image tag
      • pullPolicy: Image pull policy. Allowed values: Always, Never or IfNotPresent; defaults to IfNotPresent

    • certOrchestrator
      • tolerations: Tolerations allowed for the pods to schedule.

    Table 3. appviewx-signer : Helm chart configuration parameters

    • appviewxSigner
      • enabled: Enable appviewxSigner. Allowed values: true / false

    Table 4. appviewx-infra-orchestrator : Helm chart configuration parameters

    • appviewxInfraOrchestrator
      • enabled: Enable appviewxInfraOrchestrator. Allowed values: true / false
      • tick: Sync frequency for the certificate scan. Allowed values: valid time period string, for example "60m"
      • tolerations: Tolerations allowed for the pods to schedule.

    • appviewxInfraOrchestrator.image
      • repository: Repository name for the image. Allowed values: valid image name with repo
      • tag: Tag for the image. Allowed values: valid image tag
      • pullPolicy: Image pull policy. Allowed values: Always, Never or IfNotPresent; defaults to IfNotPresent
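    An added example of a values override file that pulls together the replicaCount setting from question 1, the tolerations from question 3 and the resource requests and limits from question 6, using the parameters in Tables 1 to 4. This is example configuration written for this FAQ, not the chart's own values.yaml: the key nesting is inferred from the Qualifier and Parameter columns, and the namespace, image repositories and tags, cluster name, credential Secret name and the toleration key/value are placeholders that must be replaced for a real installation.

```yaml
# Example values override written for this FAQ (not the chart's own values.yaml).
# Nesting follows the Qualifier/Parameter columns of Tables 1-4; replicaCount is
# the HA setting from question 1. Namespace, image coordinates, cluster name,
# Secret name and the toleration are placeholders (assumptions).
certOrchestrator:
  enabled: true
  renewalEnabled: true
  namespace: appviewx                      # placeholder install namespace
  # HA (question 1): only one replica is leader at a time, so extra replicas
  # buy failover, not throughput. Same effect as --set certOrchestrator.replicaCount=2
  replicaCount: 2
  global:
    logLevel: 4                            # allowed range 0 to 7
    clusterName: prod-cluster-01           # placeholder
  image:
    repository: registry.example.com/appviewx/cert-orchestrator   # placeholder
    tag: "1.2.3"                           # placeholder; pin an exact release tag
    pullPolicy: IfNotPresent
  # Question 6: requests and limits. The values shown are the Table 1 defaults.
  resources:
    limits:
      cpu: 1000m
      memory: 1Gi
    requests:
      cpu: 500m
      memory: 500Mi
  # Question 3: standard Kubernetes toleration entries; the taint is a placeholder.
  tolerations:
    - key: dedicated
      operator: Equal
      value: pki
      effect: NoSchedule
  discovery:
    enabled: true
    isGroupAutoGenerate: false
    credentialSecretName: appviewx-discovery-credentials   # placeholder name of an existing Secret
    credentialSecretNamespace: appviewx                    # placeholder

appviewxCSIProvider:
  enabled: true
  image:
    repository: registry.example.com/appviewx/appviewx-csi-provider   # placeholder
    tag: "1.2.3"                           # placeholder
    pullPolicy: IfNotPresent

appviewxSigner:
  enabled: true

appviewxInfraOrchestrator:
  enabled: true
  tick: "60m"                              # certificate scan frequency
  image:
    repository: registry.example.com/appviewx/appviewx-infra-orchestrator   # placeholder
    tag: "1.2.3"                           # placeholder
    pullPolicy: IfNotPresent
  tolerations:
    - key: dedicated
      operator: Equal
      value: pki
      effect: NoSchedule
```

    Apply it with helm upgrade --install <release> <chart> -f values-override.yaml; for replicaCount alone this is the same as the --set form given in question 1. Pin tag to an exact released version rather than a floating tag: with pullPolicy IfNotPresent, a moving tag lets different nodes keep running different images, which defeats both reproducibility and any image-provenance checks you run before rollout.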