This document is for an unreleased version of Crossplane.

This document applies to the Crossplane master branch and not to the latest release v1.20.


title: Self-signed CA certs weight: 270

Using self-signed certificates isn’t advised in production, it’s recommended to only use self-signed certificates for testing.

When Crossplane loads Configuration and Provider Packages from private registries, you must configure it to trust the CA and Intermediate certs.

You need to install Crossplane via the Helm chart with the registryCaBundleConfig.name and registryCaBundleConfig.key parameters defined. See Install Crossplane.

Configure

  1. Create a CA Bundle (A file containing your Root and Intermediate certificates in a specific order). You can do this with any text editor or from the command line, so long as the resulting file contains all required crt files in the proper order. Often, this is either a single self-signed Root CA crt file, or an Intermediate crt and Root crt file. The order of the crt files should be from lowest to highest in signing order. For example, if you have a chain of two certificates below your Root certificate, you place the bottom level Intermediate cert at the beginning of the file, then the Intermediate cert that singed that cert, then the Root cert that signed that cert.

  2. Save the files as [yourdomain].ca-bundle.

  3. Create a Kubernetes ConfigMap in your Crossplane system namespace:

kubectl -n [Crossplane system namespace] create cm ca-bundle-config \
--from-file=ca-bundle=./[yourdomain].ca-bundle
  1. Set the registryCaBundleConfig.name Helm chart parameter to ca-bundle-config and the registryCaBundleConfig.key parameter to ca-bundle.

The Helm docs cover providing Helm with parameter values, Helm install. An example block
in an override.yaml file would look like this:

  registryCaBundleConfig:
    name: ca-bundle-config
    key: ca-bundle