Onboarding a Mesh
To enable external CA signing for the service mesh deployed in your cluster, the Cert-orchestrator (running with the Signer component) must be configured with a Certificate Authority Setting (CA Setting). A CA Setting is a Kubernetes resource that represents the configuration of the certificate authorities (CAs) responsible for issuing signed certificates in response to certificate signing requests (CSRs).
Prerequisites:
- CA Integration done.
- CA Policy created.
- Certificate Groups created.
- Cluster Policy created.
To onboard a mesh:
- Go to > > > .
- Click Onboard Mesh on the menu bar.
- On the Onboard Mesh page, enter or select the field information for the General Information and Mesh Certificate Authority sections.
Table 1. General Information - Field and Description

General Information
- Name: Enter a unique name that identifies the mesh configuration associated with the specified cluster.
- Cluster: Select, from the dropdown list, the cluster in which the service mesh is to be configured with an external CA for signing.
- Vendor: Select a service mesh vendor from the dropdown list.

Mesh Certificate Authority
- Issuer CA mode: Select one of the radio buttons:
  - via AppViewX: Workload certificate signing requests are sent directly to AppViewX and signed by the configured CA Setting (Certificate Authority). The supported CA is EJBCA.
  - Air-Gapped: Workload certificate signing requests are signed by an Intermediate/Sub CA, and the signing happens inside the Kubernetes cluster. The supported CAs are EJBCA and Microsoft CA. Because signing happens in the cluster, the Sub CA private key is held there as well; restrict access to it as you would to any CA key.
- Select Policy: Select the Cluster Policy from the dropdown list. The associated CA for external CA signing is derived from this policy.

Certification Authority (Air-Gapped mode only; not applicable when Issuer CA mode is via AppViewX)
- CA Account: The account of the CA.
- Common Name: Enter the common name of the certificate.
- Organization: Enter the name of the organization.
- Organization unit: Enter the name of the organization unit.
- Locality: Enter the locality of the certificate.
- State: Enter the state of the certificate.
- Country: Enter the country of the certificate.
- Email Address: Enter the email address of the certificate.

Private Key Parameters
- Key Type: Select the key type of the certificate from the dropdown list. The values are RSA and ECDSA.
- Bit Length: Select a bit length for the chosen key type. The values for RSA are 2048, 3072 and 4096. The values for ECDSA are 256, 384 and 521, which correspond to the NIST curves P-256, P-384 and P-521.
- Click Generate YAML to get the commands in the Issuer CA YAML field.
Note:
- To see the commands in the full screen view, click the .
- To copy the command, click .
- Click Add to add the mesh to the Mesh Inventory list.
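The shell script below is an added example and is not AppViewX product code. It models, with openssl, what the Air-Gapped Certification Authority and Private Key Parameters fields describe: a Sub CA key of the selected Key Type and Bit Length (the ECDSA sizes map to the NIST curves P-256, P-384 and P-521), a CSR carrying the subject fields, issuance of that CSR by a root CA, and a check that the result chains correctly and is actually marked as a CA. The root CA here is constructed and only stands in for the EJBCA or Microsoft CA that would sign the Sub CA in a real deployment; the mesh name, subject values, working directory and the `SUBCA_NO_DEMO` switch are assumptions, and how AppViewX itself generates and stores the key inside the cluster is not shown on this page.

```shell
#!/bin/sh
# Added example, not AppViewX code: models the Air-Gapped "Certification Authority"
# and "Private Key Parameters" fields with openssl, then has a constructed root CA
# (standing in for EJBCA / Microsoft CA) sign the Sub CA and verifies the chain.
# Assumes openssl 1.1.1+ on PATH. All names and values below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Map the form's Key Type / Bit Length to openssl genpkey arguments.
# The ECDSA sizes 256, 384 and 521 are the NIST curves P-256, P-384 and P-521.
key_args() {
  case "$1/$2" in
    RSA/2048|RSA/3072|RSA/4096) echo "-algorithm RSA -pkeyopt rsa_keygen_bits:$2" ;;
    ECDSA/256) echo "-algorithm EC -pkeyopt ec_paramgen_curve:prime256v1" ;;
    ECDSA/384) echo "-algorithm EC -pkeyopt ec_paramgen_curve:secp384r1" ;;
    ECDSA/521) echo "-algorithm EC -pkeyopt ec_paramgen_curve:secp521r1" ;;
    *) echo "unsupported Key Type/Bit Length: $1/$2" >&2; return 1 ;;
  esac
}

# Generate the Sub CA key and a CSR carrying the form's subject fields.
# Usage: make_subca_csr NAME KEYTYPE BITS CN O OU L ST C EMAIL  -> prints the CSR path
make_subca_csr() {
  name=$1 ktype=$2 bits=$3 cn=$4 o=$5 ou=$6 l=$7 st=$8 c=$9 email=${10}
  args=$(key_args "$ktype" "$bits")
  # $args is intentionally unquoted so it splits into separate options.
  openssl genpkey $args -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -out "$WORK/$name.csr" \
    -subj "/C=$c/ST=$st/L=$l/O=$o/OU=$ou/CN=$cn/emailAddress=$email" \
    -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
    -addext "keyUsage=critical,keyCertSign,cRLSign"
  echo "$WORK/$name.csr"
}

# Report "<algorithm> <bits>" for the public key in a CSR,
# e.g. "rsaEncryption 2048" or "id-ecPublicKey 384".
csr_key_summary() {
  openssl req -in "$1" -noout -text |
    awk '/Public Key Algorithm:/ { alg = $NF }
         /Public-Key: \(/       { sub(/.*\(/, ""); bits = $1 }
         END { print alg, bits }'
}

# Subject of a CSR in one line, e.g. "subject=C = US, ST = Texas, ..., CN = istio-subca, ...".
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt oneline
}

# Issue the Sub CA certificate from a constructed root CA and verify the chain.
# The issuer must confer CA:TRUE explicitly: "openssl x509 -req" drops the
# CSR's requested extensions unless an -extfile (or -copy_extensions) is given.
issue_and_verify() {
  name=$1
  [ -f "$WORK/root.crt" ] || openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" -subj "/CN=Constructed Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/subca.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/subca.ext" -out "$WORK/$name.crt" 2>/dev/null
  openssl verify -CAfile "$WORK/root.crt" "$WORK/$name.crt"
}

# True when a certificate is marked as a CA (required for a Sub CA that signs workload certs).
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Stand-alone run with constructed values (set SUBCA_NO_DEMO=1 to skip).
demo() {
  csr=$(make_subca_csr istio-subca ECDSA 384 istio-subca "Example Corp" Platform \
        Austin Texas US pki@example.com)
  echo "CSR key: $(csr_key_summary "$csr")"
  echo "CSR $(csr_subject "$csr")"
  issue_and_verify istio-subca
  cert_is_ca "$WORK/istio-subca.crt" && echo "Sub CA certificate carries CA:TRUE"
}
[ "${SUBCA_NO_DEMO:-0}" = 1 ] || demo
```

Two points in the script are the ones worth carrying over to a real onboarding: the Bit Length value for ECDSA is a curve, not a modulus size, so 521 means P-521 and not a 521-bit RSA key; and a Sub CA certificate is only usable for workload signing if the issuing CA (EJBCA or Microsoft CA in the supported configurations) actually sets `basicConstraints` CA:TRUE and `keyCertSign` on it, which is what `cert_is_ca` checks after issuance.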