Trust private certificate authorities (CAs)

This guide explains how to install Astro Private Cloud in an environment that uses TLS certificates issued by a Private Certificate Authority (Private CA). In this setup, all platform components, including the Control Plane, Data Plane, and internal services, communicate over HTTPS connections that are validated against your organization's internal CA. The procedure covers configuring trusted roots, deploying certificates to the appropriate namespaces, and ensuring that the Astro installation trusts and uses the Private CA both during installation and at runtime.

  1. Store the CA's root public certificate in an Opaque Kubernetes secret in the Astro Private Cloud namespace, using a descriptive name such as private-root-ca.

Before you run the command, keep the following in mind:

  • The certificate you store must be that of the authority that signed the Astro Private Cloud certificate. It is not the certificate of Astro Private Cloud itself or of any other service.
  • The key inside the secret must be cert.pem. The cert.pem= part of --from-file sets that key, so the file on disk can have any name.
  • The file must contain exactly one certificate; a certificate bundle is not supported.

    kubectl -n astronomer create secret generic private-root-ca --from-file=cert.pem=./private-root-ca.pem

  2. Add the secret name (private-root-ca in this example) to the list of secret names in global.privateCaCerts in values.yaml:

    global:
      privateCaCerts:
        - private-root-ca

Steps 3 and 4 are additional steps that apply only to a Private CA on the Control Plane.

  3. Create a database CA secret from the same root certificate and add its name to the global.privateCaCerts list alongside the first secret:

    kubectl -n astronomer create secret generic db-private-ca --from-file=cert.pem=./private-root-ca.pem

    global:
      privateCaCerts:
        - private-root-ca
        - db-private-ca

  4. Configure the database connection in your Helm values.yaml to validate the database server certificate against the CA bundle. Keep rejectUnauthorized set to true: setting it to false makes the connection accept any server certificate, which defeats the purpose of trusting the Private CA.

    database:
      connection:
        ssl:
          ca: /etc/ssl/certs/ca-certificates.pem
          rejectUnauthorized: true
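The steps above as a runnable pre-flight and install script, added here as an example; it is not Astronomer's own tooling or documentation. Before creating the secret it checks the three conditions listed under step 1: the file holds exactly one certificate, that certificate is a self-signed CA, and (optionally) it is the CA that actually signed the platform certificate. It then runs the kubectl command from step 1 and reads the secret back to confirm the cert.pem key. The namespace and secret name come from the procedure; the file names ./private-root-ca.pem and ./astro-tls.crt, and the script name trust-private-ca.sh, are assumptions. The values.yaml entries from steps 2 to 4 are still applied separately through your Helm values.

```shell
#!/bin/sh
# Added example, not part of the Astronomer documentation or tooling.
# Pre-flight checks on a Private CA root, the kubectl step from the procedure,
# and a read-back check of the resulting secret.
# Assumptions (hypothetical): namespace "astronomer", secret "private-root-ca",
# root file ./private-root-ca.pem and, optionally, the platform's own TLS
# certificate ./astro-tls.crt used to confirm which CA actually signed it.

# Count PEM certificate blocks in a file; prints 0 when there are none.
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# The secret must hold exactly one certificate, never a bundle.
is_single_cert() {
  [ "$(count_pem_certs "$1")" -eq 1 ]
}

# A root CA is self-signed (subject equals issuer) and carries CA:TRUE.
# Returns 2 when openssl is not installed so the caller can decide what to do.
is_root_ca() {
  command -v openssl >/dev/null 2>&1 || return 2
  subj=$(openssl x509 -in "$1" -noout -subject) || return 1
  iss=$(openssl x509 -in "$1" -noout -issuer) || return 1
  [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Confirm that this CA, and not some other one, issued the platform certificate.
# If an intermediate sits between them, pass it to openssl verify with -untrusted.
signed_by() {  # $1 = CA pem, $2 = platform (leaf) pem
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Read the secret back: the key must be cert.pem (an empty result means the
# key is missing) and the stored value must still be a single certificate.
verify_secret() {  # $1 = namespace, $2 = secret name
  tmp=$(mktemp) || return 1
  kubectl -n "$1" get secret "$2" -o jsonpath='{.data.cert\.pem}' | base64 -d > "$tmp"
  is_single_cert "$tmp"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

main() {
  ns=astronomer
  name=private-root-ca
  root=${1:-./private-root-ca.pem}
  leaf=${2:-}

  is_single_cert "$root" || {
    echo "$root must contain exactly one certificate, not a bundle" >&2; exit 1; }

  is_root_ca "$root"
  case $? in
    0) ;;
    2) echo "openssl not found, skipping the root CA check" >&2 ;;
    *) echo "$root is not a self-signed CA certificate" >&2; exit 1 ;;
  esac

  if [ -n "$leaf" ] && ! signed_by "$root" "$leaf"; then
    echo "$root did not sign $leaf; store the certificate of the CA that did" >&2
    exit 1
  fi

  # The key name inside the secret (cert.pem) is fixed; the file name is not.
  kubectl -n "$ns" create secret generic "$name" --from-file=cert.pem="$root"
  verify_secret "$ns" "$name" &&
    echo "secret $ns/$name holds a single certificate under key cert.pem"
}

# Run only when given arguments, so the file can be sourced for its functions.
if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run it as `sh trust-private-ca.sh ./private-root-ca.pem ./astro-tls.crt` from a shell that already has kubectl access to the cluster. The signed_by check is the one that catches the most common mistake in step 1, storing the platform's own certificate or an unrelated CA instead of the issuer.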