By default, VMware Data Services Manager manages the certificates for the database cluster. These certificates are not signed by any public certificate authority. If your organization employs more restrictive certificate policies, you can replace the default VMware Data Services Manager certificate with your own custom certificate.

As a DSM administrator, you can configure custom certificates: a certificate chain along with its associated private key and the certificate authority (CA) certificate.

When you update the database cluster certificates, the following considerations apply:
Important:
  • You cannot configure custom certificates for multi-node PostgreSQL clusters with activated High Availability.
  • If you choose to configure a custom certificate, you are responsible for renewing it when it approaches its expiration date.

    If the certificate expires, your environment might experience problems, such as losing monitoring of the database cluster, losing client connectivity, being considered unhealthy, or being shut down. You must also update the Kubernetes TLS Secret with the renewed certificate. For more information, see TLS Secrets in the Kubernetes Documentation.

  • Updating database cluster certificates can cause a restart of the database cluster.

Prerequisites

  • Use the VMware Data Services Manager API to perform this task. For more information, see Access the VMware Data Services Manager API.
  • To manage the certificates, you can use Kubernetes cert-manager. It manages various certificate and issuer types and outputs a Kubernetes TLS Secret in the required format. For information, see the cert-manager website at https://cert-manager.io/. Other certificate management tools are also supported.

Procedure

  1. Create a Kubernetes TLS Secret containing the certificate data in the same namespace where the database cluster is located.
    Make sure to include the following properties:
    • tls.crt: Base64-encoded PEM signed certificate chain
    • tls.key: Base64-encoded PEM private key
    • ca.crt: Base64-encoded PEM CA certificate
  2. Update the database cluster certificate using the VMware Data Services Manager API.
    Update the DSM Kubernetes Custom Resource of type PostgresCluster or MysqlCluster, representing the database cluster, to set its spec.tls.secretName property to the name of the Kubernetes TLS Secret.
    You can also use the Consumption Operator in addition to the DSM Kubernetes API. The database cluster and its associated Secret are copied to DSM automatically. For more information, see Enabling Self-Service Consumption of VMware Data Services Manager.
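The two steps above, assembled as an added example that is not part of the VMware documentation: it validates that the three files are what DSM expects (a PEM certificate chain in tls.crt, a single PEM private key in tls.key, a single PEM CA certificate in ca.crt), base64-encodes them into a kubernetes.io/tls Secret manifest, and produces the merge patch that sets spec.tls.secretName. The PEM blobs are constructed placeholders, and the Secret name and namespace are assumptions.

```python
import base64
import json
import re

# Constructed placeholder PEM blobs (not real key material) standing in for
# the files an issuer such as cert-manager would produce.
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nTEVBRi1QTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n"
INTERMEDIATE_PEM = "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n"
CHAIN_PEM = LEAF_PEM + INTERMEDIATE_PEM  # leaf first, then its issuers
KEY_PEM = "-----BEGIN EC PRIVATE KEY-----\nS0VZLVBMQUNFSE9MREVS\n-----END EC PRIVATE KEY-----\n"
CA_PEM = "-----BEGIN CERTIFICATE-----\nUk9PVC1DQS1QTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n"

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def pem_labels(pem):
    """Return the label of every PEM block in a bundle, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem)]

def validate_material(chain_pem, key_pem, ca_pem):
    """Catch swapped or mislabelled files before they reach the Secret."""
    chain = pem_labels(chain_pem)
    if not chain or any(label != "CERTIFICATE" for label in chain):
        raise ValueError("tls.crt must hold one or more PEM CERTIFICATE blocks")
    keys = pem_labels(key_pem)
    if len(keys) != 1 or not keys[0].endswith("PRIVATE KEY"):
        raise ValueError("tls.key must hold exactly one PEM private key")
    if pem_labels(ca_pem) != ["CERTIFICATE"]:
        raise ValueError("ca.crt must hold a single PEM CA certificate")

def b64(pem):
    """Secret 'data' values are the base64 encoding of the PEM text."""
    return base64.b64encode(pem.encode()).decode()

def build_tls_secret(name, namespace, chain_pem, key_pem, ca_pem):
    """Step 1: a kubernetes.io/tls Secret with the three required keys."""
    validate_material(chain_pem, key_pem, ca_pem)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",
        "data": {"tls.crt": b64(chain_pem), "tls.key": b64(key_pem), "ca.crt": b64(ca_pem)},
    }

def build_cluster_patch(secret_name):
    """Step 2: JSON merge patch setting spec.tls.secretName on the cluster CR."""
    return json.dumps({"spec": {"tls": {"secretName": secret_name}}})
```

The Secret manifest goes into the namespace of the database cluster; the patch body is applied to the PostgresCluster or MysqlCluster resource.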