Enable Custom Certificate Authority for DMS
This document describes how to configure DPF to use a custom Certificate Authority (CA) for mutual TLS (mTLS) authentication between the provisioning controller and the DOCA Management Service (DMS) in a non-Kubernetes (Kubernetes control plane only) system. To enable mTLS, create a Kubernetes Secret containing the required certificates and keys, and configure the DPFOperatorConfig to reference this Secret.
Ensure you have the following files ready:
Server Certificate: A PEM-encoded certificate for the server (tls.crt).
Private Key: A PEM-encoded private key corresponding to the server certificate (tls.key).
CA Certificate: A PEM-encoded certificate for the custom Certificate Authority (ca.crt).
Create a Kubernetes Secret of type kubernetes.io/tls in the dpf-operator-system namespace that includes the tls.crt, tls.key, and ca.crt fields. Note that kubectl create secret tls stores only tls.crt and tls.key, and --certificate-authority is kubectl's global flag for the API server CA, not a Secret field; to include ca.crt, create the Secret from the three files with an explicit type:
kubectl create secret generic custom-ca-secret --type=kubernetes.io/tls --from-file=tls.crt=tls.crt --from-file=tls.key=tls.key --from-file=ca.crt=ca.crt -n dpf-operator-system
When creating or updating the DPFOperatorConfig, specify the name of the Secret created in the previous step.
Example DPFOperatorConfig Configuration
In the DPFOperatorConfig configuration, set the customCASecretName field to the name of the Secret (e.g., custom-ca-secret):
apiVersion: operator.dpu.nvidia.com/v1alpha1
kind: DPFOperatorConfig
metadata:
  name: dpfoperatorconfig
  namespace: dpf-operator-system
spec:
  provisioningController:
    bfbPVCName: "bfb-pvc"
    customCASecretName: "custom-ca-secret"
  kamajiClusterManager: {}
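As an added example that is not part of the DPF documentation, the script below checks that tls.crt, tls.key and ca.crt are consistent with each other before creating the Secret from the steps above, then confirms the stored Secret carries all three data keys. It assumes openssl and kubectl are on PATH, that ca.crt holds the CA (or chain) that issued tls.crt, and uses the secret name and namespace from this document.

```shell
#!/bin/sh
# Added example, not part of the DPF documentation. Assumes openssl and
# kubectl on PATH; secret name and namespace follow the document.
set -eu

SECRET_NAME="${SECRET_NAME:-custom-ca-secret}"
NAMESPACE="${NAMESPACE:-dpf-operator-system}"

# pem_has_block FILE LABEL: 0 if FILE holds a "-----BEGIN LABEL-----" block.
pem_has_block() {
  grep -q -- "^-----BEGIN $2-----" "$1" 2>/dev/null &&
    grep -q -- "^-----END $2-----" "$1"
}

# check_material CERT KEY CA: inputs must be PEM, CERT must chain to CA and
# KEY must be CERT's private key; otherwise the controller/DMS mTLS handshake
# fails later with little to go on, so catch it here.
check_material() {
  cert=$1; key=$2; ca=$3
  pem_has_block "$cert" CERTIFICATE || { echo "$cert: not a PEM certificate" >&2; return 1; }
  pem_has_block "$ca" CERTIFICATE || { echo "$ca: not a PEM certificate" >&2; return 1; }
  grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$key" ||
    { echo "$key: not a PEM private key" >&2; return 1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null ||
    { echo "$cert is not issued by $ca" >&2; return 1; }
  # Compare the SubjectPublicKeyInfo from the certificate and from the key.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
    { echo "$key does not match $cert" >&2; return 1; }
}

# create_secret CERT KEY CA: "kubectl create secret tls" stores only tls.crt
# and tls.key, so build the kubernetes.io/tls Secret from files to add ca.crt.
create_secret() {
  kubectl create secret generic "$SECRET_NAME" -n "$NAMESPACE" --type=kubernetes.io/tls \
    --from-file=tls.crt="$1" --from-file=tls.key="$2" --from-file=ca.crt="$3"
}

# verify_secret: confirm the stored Secret exposes all three data keys.
verify_secret() {
  keys=$(kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" \
    -o go-template='{{range $k, $v := .data}}{{$k}} {{end}}')
  for want in tls.crt tls.key ca.crt; do
    case " $keys " in *" $want "*) ;; *) echo "Secret lacks $want" >&2; return 1 ;; esac
  done
}

# Usage: sh enable-custom-ca.sh tls.crt tls.key ca.crt
if [ "$#" -eq 3 ]; then
  check_material "$1" "$2" "$3" && create_secret "$1" "$2" "$3" && verify_secret
fi
```

If ca.crt contains an intermediate rather than a self-signed root, include the full chain in the file so that openssl verify can build a path.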