- Convert Cert to PEM
    $ openssl x509 -inform der -in ~/Downloads/ca.cer > vc-ca.crt
- Create cert as ConfigMap
    $ kubectl create cm vc-cert --from-file vc-ca.crt
- Configure Event Router Config with Cert Information
  Snippet:
    metricsProvider:
      type: default
      name: veba-demo-metrics
      default:
        bindAddress: "0.0.0.0:8082"
    certificates:
      rootCAs:
      - /etc/ssl/certs/ca-certificates.crt
      - /etc/vmware-event-router/ssl/vc-ca.crt
  Make sure that insecureSSL is deactivated too, and that you use an FQDN for the VC host to avoid SNI/SAN errors, e.g.
    vcenter:
      address: https://sc2-10-184-165-188.eng.vmware.com
      insecureSSL: false
  Otherwise a warning will be logged:
    WARN [VCENTER] vcenter/vcenter.go:112 using potentially insecure connection to vCenter {"address": "https://sc2-10-184-165-188.eng.vmware.com", "insecure": true}
- Create Router Config as Secret
  See documentation
- Update Event Router K8s Manifest with Volume/CM
  Snippet:
    # in the container spec
    volumeMounts:
    - name: config
      mountPath: /etc/vmware-event-router/
      readOnly: true
    - name: vc-cert
      mountPath: /etc/vmware-event-router/ssl
      readOnly: true
    # in the pod spec
    volumes:
    - name: config
      secret:
        secretName: event-router-config
    - name: vc-cert
      configMap:
        name: vc-cert
If all goes well, you should see this DEBUG log line printed on startup:
    DEBUG [VCENTER] vcenter/vcenter.go:136 setting custom root CAs {"certificates": "/etc/ssl/certs/ca-certificates.crt:/etc/vmware-event-router/ssl/vc-ca.crt"}
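
The effect of the rootCAs entry and of the FQDN advice can be reproduced offline with Go's standard library, the language the router is written in. This is an added example, not the event router's own code; `VerifyHost`, `must`, the constructed CA and server certificate, and the host name `vcenter.example.test` are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup errors; only the final verification error is returned.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// VerifyHost (hypothetical helper) builds a constructed CA and server cert (SAN: FQDN only),
// converts the CA from DER to PEM, trusts only that CA, and verifies the server cert for host.
func VerifyHost(host string) error {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	from, to := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: from, NotAfter: to,
		Subject: pkix.Name{CommonName: "constructed-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: from, NotAfter: to,
		Subject:  pkix.Name{CommonName: "constructed-vc"},
		DNSNames: []string{"vcenter.example.test"}} // SAN carries the FQDN, no IP entry
	srvDER := must(x509.CreateCertificate(rand.Reader, srvTmpl, must(x509.ParseCertificate(caDER)), &srvKey.PublicKey, caKey))
	// Same conversion as `openssl x509 -inform der`: wrap the DER bytes in a PEM block.
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("rootCAs entry contains no PEM certificate")
	}
	_, err := must(x509.ParseCertificate(srvDER)).Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	fmt.Println("FQDN:", VerifyHost("vcenter.example.test"), "| IP:", VerifyHost("192.0.2.10"))
}
```

The FQDN call returns nil, while the IP call returns a hostname mismatch error because the certificate's SAN lists only the DNS name.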