Onboarding a Cluster - Advanced

Deploy and manage cert-orchestrator on Kubernetes clusters by customizing installation commands and choosing specific services.

Advanced onboarding lets the DevOps team or cluster administrators generate a cluster-specific install command to run on the cluster. Before generating it, they can change the namespace, the connectivity URL and the KUBE+ services to be deployed in the cluster.

To obtain cert-orchestrator deployment configuration for the respective Kubernetes cluster:

  1. Go to menu > KUBE+ > Inventory > Cluster Inventory.
  2. Click Connect Cluster on the menu bar.
  3. Select Get Started under Advanced Onboarding.
  4. On the Cluster Easy Onboard page, enter values in the form fields to generate the deployment/installation command. Each field is described in the table below:
    Table 1. Generating Helm Command - Fields and Description

    Cluster and Connectivity Details

    Enter Cluster Name*
      Enter a unique cluster name in FQDN format. Example: my-cluster.net.

    Vendor*
      Select the Kubernetes vendor of the cluster where the cert-orchestrator is deployed from the dropdown list. The options are:
      • EKS
      • AKS
      • GKE
      • OpenShift
      • Self-Managed

    Connect To*
      Select one of the following options to establish the connection between the cert-orchestrator and AppViewX, depending on the AppViewX deployment scenario:
      • AppViewX URL - Select this option for an on-prem deployment.
      • Cloud Connector URL - Select this option for a cloud SaaS deployment.

    URL*
      Enter the URL that matches the Connect To type (AppViewX URL or Cloud Connector URL).

    Credential Type*
      Select one of the following credential types for integrating the cert-orchestrator with AppViewX:
      • Basic Authentication
      • OAuth2.0

    Username*
      This field applies when Credential Type is Basic Authentication. It is auto-populated with the users from the user inventory; select the user to be used for authentication.
      Note: In this mode, only users created in the AppViewX database or onboarded via AAA (LDAP, RADIUS, TACACS) are supported. SSO credentials cannot be used for API authentication. OAuth 2.0 is the recommended authentication method.

    Crypto Mesh Details

    Namespace*
      Enter the namespace where the cert-orchestrator is to be deployed. Installing in the crypto-mesh namespace is recommended.

    Features*
      Select the feature gates to be enabled or disabled in the cert-orchestrator deployment configuration for the cluster.

    Certification Group*
      Select the certificate group for onboarding certificates:
      • Auto Create Group - Certificate groups are created automatically in AppViewX, with the namespace name as the group name.
      • Use Existing - Choose an existing certificate group. If you select this option, pick a group from the Select Group dropdown menu.

    Enable Private Key Discovery*
      Set the value to "True" if you want private keys to be discovered from Kubernetes Secrets.
  5. Click Generate Installation Command to get the Helm command in the Commands field.
    Note:
    • To see the commands in the full screen view, click the (Expand) icon.
    • To copy the command, click the (Copy) icon.
  6. Click Finish.
    Execute the copied installation commands sequentially on the Kubernetes cluster where the cert-orchestrator is to be deployed.
    Note:
    • After you click Finish, the cluster does not appear in the Cluster Inventory until the cert-orchestrator is successfully deployed in the cluster.
    • If the connection from the cluster to AppViewX must go through a proxy, set the proxy environment variables in a ConfigMap or a Secret:
      • Using a ConfigMap: To specify the proxy settings in a ConfigMap, pass the --set certOrchestrator.envConfigMapName=myconfig flag in the Helm command.
        Sample ConfigMap:
        apiVersion: v1
        kind: ConfigMap
        metadata:
          name: myconfig
          namespace: crypto-mesh   # must be the namespace the cert-orchestrator is deployed in
        data:
          http_proxy: "http://MY_PROXY:MY_PROXY_IP"    # placeholder; use your proxy URL
          https_proxy: "http://MY_PROXY:MY_PROXY_IP"   # placeholder; use your proxy URL
          #  no_proxy: "svc,local"
      • Using a Secret: To use a Secret instead (especially if the proxy credentials need to be stored securely), pass the --set certOrchestrator.envSecretName=mysecret flag in the Helm command.
        Sample Secret:
        apiVersion: v1
        kind: Secret
        metadata:
          name: mysecret          # must match the envSecretName value passed to Helm
          namespace: crypto-mesh  # must be the namespace the cert-orchestrator is deployed in
        type: Opaque
        data:  # values are base64-encoded, not encrypted
          http_proxy: aHR0cDovLzEyNy4wLjAuMTo4MDgw  # base64 of "http://127.0.0.1:8080"
          https_proxy: aHR0cHM6Ly8xMjcuMC4wLjE6ODA4MA==  # base64 of "https://127.0.0.1:8080"
          no_proxy: MTI3LjAuMC4xLGxvY2FsaG9zdA==  # base64 of "127.0.0.1,localhost"

To verify that the cert-orchestrator is deployed and functioning as expected, run the following command:

kubectl get pods -n crypto-mesh
Note: The cert-orchestrator pod initially shows 1/2 containers ready in the Running state; it changes to 2/2 once the cluster is approved/moved to the managed state in the Cluster Inventory.
  • Expected status: the pods are in the Running state with 1/2 ready.

  • To collect or inspect logs when troubleshooting, run kubectl logs -f <cert-orchestrator-podname> -n crypto-mesh.

  • If the Ephemeral Volume use case is selected, be sure to review the deployment prerequisites for ephemeral volumes.
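The proxy Secret in the Note above is easy to get wrong when its base64 values are typed by hand, and the 1/2 versus 2/2 readiness check after deployment is worth scripting. The POSIX shell helpers below are an added example, not part of the AppViewX documentation or the cert-orchestrator project; they assume the mysecret and crypto-mesh names used above, and the kubectl output they parse is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the AppViewX docs): build the proxy Secret that the
# cert-orchestrator reads via --set certOrchestrator.envSecretName=mysecret,
# encoding values with base64 instead of by hand, and check pod readiness.

# b64: base64-encode one value with no trailing newline or line wrapping.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# proxy_secret_yaml NAME NAMESPACE HTTP_PROXY HTTPS_PROXY NO_PROXY
# Prints a Secret manifest. The namespace must be the one the cert-orchestrator
# runs in, because a Pod can only reference Secrets in its own namespace.
# Secret data is base64-encoded, not encrypted; restrict who can read it.
proxy_secret_yaml() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  http_proxy: $(b64 "$3")
  https_proxy: $(b64 "$4")
  no_proxy: $(b64 "$5")
EOF
}

# ready_state "<kubectl get pods output>" POD_PREFIX
# Prints the READY column (e.g. 1/2 or 2/2) of the first pod whose name starts
# with POD_PREFIX. 1/2 is expected until the cluster is moved to the managed
# state in the Cluster Inventory; 2/2 afterwards.
ready_state() {
  printf '%s\n' "$1" | awk -v p="$2" 'index($1, p) == 1 { print $2; exit }'
}

# Constructed sample of `kubectl get pods -n crypto-mesh` output (not real).
SAMPLE_PODS='NAME                                 READY   STATUS    RESTARTS   AGE
cert-orchestrator-7d9f8c6b5-abcde    1/2     Running   0          2m'

# Usage against a real cluster (hypothetical proxy host):
#   proxy_secret_yaml mysecret crypto-mesh http://proxy.example:3128 \
#     http://proxy.example:3128 127.0.0.1,localhost | kubectl apply -f -
#   ready_state "$(kubectl get pods -n crypto-mesh)" cert-orchestrator
```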