Configure Event Router with custom certs

# Configure Event Router with Custom (self-signed) Certificates

1) Convert Cert to PEM

```console
$ openssl x509 -inform der -in ~/Downloads/ca.cer > vc-ca.crt
```

2) Create cert as `ConfigMap`

```console
$ kubectl create cm vc-cert --from-file vc-ca.crt
```

3) Configure Event Router Config with Cert Information

Snippet:

```yaml
metricsProvider:
  type: default
  name: veba-demo-metrics
  default:
    bindAddress: "0.0.0.0:8082"
certificates:
  rootCAs:
    - /etc/ssl/certs/ca-certificates.crt
    - /etc/vmware-event-router/ssl/vc-ca.crt
```

⚠️ Also make sure that `insecureSSL` is set to `false`, and that you use an FQDN for the vCenter (VC) host to avoid SNI/SAN errors, e.g.

```yaml
  vcenter:
    address: https://sc2-10-184-165-188.eng.vmware.com
    insecureSSL: false
```

If `insecureSSL` is left set to `true`, a warning is logged:

```console
WARN    [VCENTER]       vcenter/vcenter.go:112  using potentially insecure connection to vCenter  {"address": "https://sc2-10-184-165-188.eng.vmware.com", "insecure": true}
```

4) Create Router Config as Secret

See documentation

5) Update Event Router K8s Manifest with Volume/CM

Snippet:

```yaml
          volumeMounts:
            - name: config
              mountPath: /etc/vmware-event-router/
              readOnly: true
            - name: vc-cert
              mountPath: /etc/vmware-event-router/ssl
              readOnly: true
      volumes:
        - name: config
          secret:
            secretName: event-router-config
        - name: vc-cert
          configMap:
            name: vc-cert
```

If all goes well, you should see this `DEBUG` log line printed on startup:

```console
DEBUG   [VCENTER]       vcenter/vcenter.go:136  setting custom root CAs {"certificates": "/etc/ssl/certs/ca-certificates.crt:/etc/vmware-event-router/ssl/vc-ca.crt"}
```
