Link Search Menu Expand Document

SSL

deployment kubernetes ssl

On this page

  1. SSL configuration
    1. Server SSL configuration
      1. Root CA

SSL configuration

The website communication would usually terminate the SSL at the ingress level. As such you have the option to either provide a certificate in a secret, or use CertManager.

To create create a secret with your own certificate, you can run the following command:

kubectl create secret tls <secret-name> \
--key <private-key-path> \
--cert <public-certificate-path>

then you have to assign the certificate name in the values yaml file

tls:
    ingressCertSecret: <secret-name>

Alternatively, if you use CertManager you will need to have either an Issuer or a ClusterIssuer. Also, since you are using a wildcard route in the ingress (to cater for the multi-tenancy), the certificates will require the DNS protocol, i.e. CertManager requires access to your DNS to be able to set the TXT entries for the certificate challenges (to prove you control that DNS and be granted a certificate). CertManager supports various DNS (Azure DNS amongst them). You will need to set the following properties

tls:
    issuer: <name of your issuer or cluster issuer>
    dns01_provider: # default `azure-dns`

This means you will require a secret to be able to access the DNS and create the entries. Further documentation can be found in CertManager.

Server SSL configuration

As explained above (see Hostnames and addresses) the api, auth, public-api and webhooks components are accessible from the outside of the cluster through SSL only. They are all running in a Windows application which needs to receive the certificate for the SSL connection in PFX format. You should therefore create certificates for all those hostnames (or the same certificate with wildcard entries or multiple SANs). Those certificates need to be added to a secret.

Assuming you have the public certificate and private key files you need to:

  • transform them to pfx format, for example using openssl. If you have a terminal open in the location of your cert files:

      docker run --rm -ti -v ${PWD}:/certs --workdir /certs alpine sh
      apk add openssl
      # you will get asked to create a secret 
      openssl pkcs12 -export -out cert.pfx -in cert.pem -inkey key.pem
    
  • base64 encode the pfx file

      $cert=[Convert]::ToBase64String([System.IO.File]::ReadAllBytes('<path-to-pfx>'))
    
  • create the secret. It expects the following keys: CERT_PASSWORD,CERTVALUE_API,CERTVALUE_AUTH,CERTVALUE_PUBLIC,CERTVALUE_WEBHOOK

      kubectl create secret generic <secret-name> `
      --from-literal=CERT_PASSWORD=<password-for-pfx> ` 
      --from-literal=CERTVALUE_API=$cert `
      --from-literal=CERTVALUE_AUTH=$cert  `
      --from-literal=CERTVALUE_PUBLIC=$cert ` 
      --from-literal=CERTVALUE_WEBHOOK=$cert `
    
  • Once of you have created the secret, its name needs to be assigned to the following parameter

      tls:
          serverCertSecret:  # name of the k8s secret with the TLS certs for the backend server. If Undefined it will use self-signed certificate
    
Root CA

If you are using a private Certification Authority to create your certificates, you will need to provide the public key of your CA to the Website component so it can talk through SSL to the CluedIn server.

  1. Put the certificate chain for your CA in a file named ca.crt
  2. Create a secret with the contents of the ca.crt file:
     kubectl create secret generic <secret-name> --from-file=ca.crt
    
  3. Add the name of the secret overriding the parameter:
     tls:
         rootCASecret: <secret-name>