Hi again @shivraj,
I’ve discussed this with CockroachDB devs, and unfortunately, it doesn’t seem easy or even possible to use a custom CA for the admin UI but the Kubernetes built-in CA for everything else. The problem is CockroachDB requires the UI certs and the node certs to be in the same directory. But based on our testing, when you attempt to load the UI certs from a K8s secret into a directory, it prevents the Kubernetes CSR container from writing to that directory. We’ve opened a GitHub issue to find a solution to this.
In the meantime, if you require the admin UI to use a public CA, our recommendation is to change your cluster to use CockroachDB-generated node certificates and public UI certificates. If you can go that route, you’d use the “non-Kubernetes CA” files and instructions here: https://www.cockroachlabs.com/docs/v19.2/orchestrate-cockroachdb-with-kubernetes.html#step-2-start-cockroachdb. And you’d supplement that with certs and secrets for the Admin UI:
Use https://letsencrypt.org/ or another public CA to generate the Admin UI ui.key, as suggested here: https://www.cockroachlabs.com/docs/stable/create-security-certificates-custom-ca.html#accessing-the-admin-ui-for-a-secure-cluster.
Put those files in the local directory containing the other cert files for the cluster, e.g.,
Then proceed to initialize the cluster.
I hope this helps. Let us know.
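The layout described in the reply above, written out as an added shell example (this is not code from the forum post or from Cockroach Labs): CockroachDB-generated CA, node and root client certs go in one directory, the public-CA ui.crt / ui.key pair is copied into that same directory, the directory is sanity-checked, and the result is loaded into the two Kubernetes secrets the bring-your-own-certs StatefulSet mounts. Assumptions: cockroach and kubectl are on PATH, the cluster lives in the default namespace (the node-cert SANs below are the ones the linked docs use for that namespace), and ui.crt and ui.key have already been obtained from Let's Encrypt or another public CA and placed in the hypothetical directory $UI_SRC. The function and variable names are this example's own.

```shell
#!/usr/bin/env sh
# Added example: one certs directory holding CockroachDB-generated node and
# client certs plus a public-CA Admin UI pair, checked and loaded into k8s.
# Assumes: cockroach + kubectl on PATH, namespace "default", and a public-CA
# ui.crt/ui.key already present in $UI_SRC (hypothetical path).

CERTS_DIR="${CERTS_DIR:-certs}"                 # what cockroach and kubectl read
CA_KEY_DIR="${CA_KEY_DIR:-my-safe-directory}"   # CA private key stays out of the secret
UI_SRC="${UI_SRC:-./letsencrypt}"               # where the public-CA UI pair was saved

# Everything CockroachDB must find in a single directory: its own CA/node/
# client material and the Admin UI pair it picks up automatically if present.
REQUIRED_FILES="ca.crt node.crt node.key client.root.crt client.root.key ui.crt ui.key"

# check_certs_dir DIR: succeed only if every required file is readable and
# every private key is owner-only (cockroach refuses keys whose mode has any
# group/other bits set). Prints each problem found.
check_certs_dir() {
  dir="$1"; ok=0
  for f in $REQUIRED_FILES; do
    if [ ! -r "$dir/$f" ]; then
      echo "missing: $dir/$f"; ok=1
    fi
  done
  for k in node.key client.root.key ui.key; do
    [ -e "$dir/$k" ] || continue
    mode="$(stat -c %a "$dir/$k" 2>/dev/null || stat -f %Lp "$dir/$k")"
    case "$mode" in
      *00) ;;   # 600 / 400 / 700: owner-only, accepted
      *) echo "key too permissive ($mode): $dir/$k"; ok=1 ;;
    esac
  done
  return $ok
}

# build_certs_dir: the "non-Kubernetes CA" steps from the linked docs, then
# the public UI pair copied into the SAME directory as the node certs.
build_certs_dir() {
  mkdir -p "$CERTS_DIR" "$CA_KEY_DIR"
  cockroach cert create-ca --certs-dir="$CERTS_DIR" --ca-key="$CA_KEY_DIR/ca.key"
  cockroach cert create-client root --certs-dir="$CERTS_DIR" --ca-key="$CA_KEY_DIR/ca.key"
  cockroach cert create-node localhost 127.0.0.1 \
    cockroachdb-public cockroachdb-public.default \
    cockroachdb-public.default.svc.cluster.local \
    "*.cockroachdb" "*.cockroachdb.default" "*.cockroachdb.default.svc.cluster.local" \
    --certs-dir="$CERTS_DIR" --ca-key="$CA_KEY_DIR/ca.key"
  cp "$UI_SRC/ui.crt" "$UI_SRC/ui.key" "$CERTS_DIR/"
  chmod 600 "$CERTS_DIR/ui.key"
}

# load_secrets: the client secret carries only the CA cert and root client
# pair; the node secret carries the whole directory, UI pair included, so
# the pods see node and UI certs side by side as CockroachDB requires.
load_secrets() {
  kubectl create secret generic cockroachdb.client.root \
    --from-file="$CERTS_DIR/ca.crt" \
    --from-file="$CERTS_DIR/client.root.crt" \
    --from-file="$CERTS_DIR/client.root.key"
  kubectl create secret generic cockroachdb.node --from-file="$CERTS_DIR"
}

# Only act when explicitly asked, so sourcing the file stays side-effect free.
if [ "${1:-}" = "run" ]; then
  build_certs_dir
  check_certs_dir "$CERTS_DIR"
  load_secrets
fi
```

Run it as `sh lay-out-certs.sh run`, then apply the bring-your-own-certs StatefulSet and the cluster-init job from the linked v19.2 docs; check_certs_dir is worth running again on a pod's mounted certs directory if the Admin UI still serves the CockroachDB-generated cert, since a missing or group-readable ui.key is the usual reason the UI pair is ignored.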