
Configuring Additional CA Certificates

You can optionally mount additional CA certificates into all AtScale service containers, independent of your primary TLS certificate secret. This is useful when a client proxy routes cluster traffic using a certificate signed by a different Certificate Authority than the primary AtScale TLS certificate.

You define your additional certificates by including one of the following (optional) properties in your values override file:

  • global.atscale.extraCaCerts: An array of objects defining the name of each CA certificate file and its base64-encoded PEM certificate.
  • global.atscale.existingExtraCaCertsSecret: The name of an existing Kubernetes Secret whose keys are each mounted as a CA certificate, alongside the extraCaCerts entries.

Certificates are mounted at /etc/ssl/certs/<sanitized-name> in the api, sml, engine, entitlement, mcp, monitor, and proxy containers. For the Java-based engine service, certificates are also imported into the JVM truststore via keytool in the init container.

Checksum annotations ensure pods restart when extraCaCerts values change.

Add your certificates to your values override file

To configure your additional certificates, add either extraCaCerts or existingExtraCaCertsSecret to your values override file:

global:
  atscale:
    # Inline list of additional CA certificates
    extraCaCerts:
      - name: my-ca.crt
        value: "..." # base64-encoded PEM
      - name: another-ca.pem
        value: "..."

Or:

global:
  atscale:
    # OR reference an existing secret whose keys are each mounted as a CA
    existingExtraCaCertsSecret: "my-ca-secret"
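
Preparing the base64-encoded `value` for an inline extraCaCerts entry, as an added example that is not part of the AtScale documentation or chart. The function names are hypothetical, and it assumes `openssl` and `base64` are on the PATH.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, not part of the AtScale chart.
# Usage: extra_ca_entry my-ca.crt ./my-ca.pem

# encode_ca_cert FILE: print the PEM file as single-line base64.
encode_ca_cert() {
    local pem="$1"
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    # openssl x509 reads the first certificate block and ignores other PEM
    # blocks, so a key pasted into the same file would pass the parse below
    # and end up in the values file.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        echo "$pem contains a private key; refusing" >&2
        return 2
    fi
    # Reject anything that does not parse as a PEM X.509 certificate.
    if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
        echo "$pem is not a PEM X.509 certificate" >&2
        return 3
    fi
    # Strip line wraps so the value fits a single YAML scalar.
    base64 < "$pem" | tr -d '\n'
}

# extra_ca_entry NAME FILE: print one list item for extraCaCerts.
extra_ca_entry() {
    local value
    value="$(encode_ca_cert "$2")" || return $?
    printf -- '- name: %s\n  value: "%s"\n' "$1" "$value"
}

# decode_ca_value VALUE: show subject and expiry of an encoded entry, to
# review what a values file will add to the trust store before deploying.
decode_ca_value() {
    printf '%s' "$1" | base64 -d | openssl x509 -noout -subject -enddate
}
```

Running `decode_ca_value` on each `value` already in a values override file is a quick way to audit which authorities the containers will trust.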