Kubernetes TLS certificates

A how-to guide on renewing and adding TLS certificates in a Kubernetes deployment

Adding and renewing TLS certificates in Kubernetes

These instructions describe how to add, or replace on renewal, the TLS certificate that haproxy-ingress serves for SentiOne Automate. More information about TLS-type secrets is available in the Kubernetes documentation - TLS secrets.

Prerequisites

  • A valid wildcard certificate signed by a trusted CA, together with its private key and the intermediate CA certificate(s). A wildcard covers exactly one DNS label: *.example.com matches gateway-envname.example.com but not admin.automate.example.com, so the certificate must carry a Subject Alternative Name for every level at which the Ingress hosts sit (for example both *.example.com and *.automate.example.com).

If the certificate is delivered as a .pfx (PKCS#12) bundle, you must first split it into a .crt file (the server certificate followed by the CA certificates bundled with it; make sure the server certificate comes first) and a .key file (the private key). Example of conversion:

openssl pkcs12 -in wildcard.pfx -out wildcard_example-com.crt -nodes -nokeys
openssl pkcs12 -in wildcard.pfx -out wildcard_example-com.key -nodes -nocerts

The -nodes option writes the private key unencrypted, so restrict the .key file to the account that creates the secret and delete it once the secret exists. With OpenSSL 3, bundles produced by older tools may be rejected with an "unsupported algorithm" error; add the -legacy option to both commands in that case.

Preparing the Ingress object

The following sample Ingress manifests cover the Automate web endpoints and the gateway; the gateway Ingress is additionally protected by HTTP Basic authentication through the haproxy-ingress auth-* annotations. In each manifest, add a spec.tls entry that lists the host names to be served with the certificate and names the secret created in the next step. If haproxy-ingress is not the cluster's default ingress class, add the kubernetes.io/ingress.class: haproxy annotation to the first manifest as well, as the second one does.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: envname-automate-ingress
spec:
  tls: # add the spec.tls section
  - hosts: # host names to be served with the certificate; each must be covered by one of its SANs
    - admin.automate.example.com
    - new-web.automate.example.com
    - web-chat.automate.example.com
    secretName: tls-wildcard-example-com-secret # name of the TLS secret created in the next step
  rules:
  - host: admin.automate.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: admin
            port:
              number: 5750
  - host: new-web.automate.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: new-web
            port:
              number: 9000
  - host: web-chat.automate.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-chat
            port:
              number: 5760

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: haproxy
    ingress.kubernetes.io/auth-type: basic
    ingress.kubernetes.io/auth-realm: "Gateway Basic Auth"
    ingress.kubernetes.io/auth-secret: basic-auth-gateway
  name: envname-gateway-ingress
spec:
  tls:
  - hosts:
    - gateway-envname.example.com
    secretName: tls-wildcard-example-com-secret
  rules:
  - host: gateway-envname.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: gateway
            port:
              number: 5000

Adding a certificate to Kubernetes

To add the certificate, or to replace the current one on renewal, run the following command in each cluster. A plain kubectl create fails when the secret already exists, so the secret manifest is generated with --dry-run=client and then applied, which creates the secret or updates it in place:

kubectl create secret tls tls-wildcard-example-com-secret --key wildcard_example-com.key --cert wildcard_example-com.crt -n sentione --dry-run=client -o yaml | kubectl apply -f -

Then apply the updated Ingress objects. haproxy-ingress tracks the secrets referenced by its Ingress objects and reloads when their contents change, so on a plain renewal (same secret name, same hosts) replacing the secret is sufficient; re-apply the manifests when the spec.tls section is new or its hosts have changed:

kubectl apply -f envname-automate-ingress -n sentione

kubectl apply -f envname-gateway-ingress -n sentione
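The checks a practitioner runs around this procedure, as an added shell example that is not part of the SentiOne documentation or of haproxy-ingress: it verifies that the private key belongs to the certificate, that every Ingress host is covered by a Subject Alternative Name (applying the one-label wildcard rule, so *.example.com does not cover admin.automate.example.com), creates or updates the secret idempotently, and reads back the expiry date of the certificate the ingress actually serves. It assumes openssl is installed and kubectl is configured for the target cluster; the self-signed *.example.com certificate it can generate is constructed test input, and the file names, namespace and host names follow the page.

```shell
#!/bin/sh
# Added example, not part of the SentiOne page or of haproxy-ingress.
# Assumes openssl; kubectl is needed only by apply_tls_secret.
set -eu

# 0 if the private key belongs to the certificate (identical public keys), else 1.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# Prints the DNS names from the certificate's Subject Alternative Name, one per line.
cert_san_list() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# 0 if HOST is covered by the SAN entry PATTERN. A wildcard matches exactly one
# label (RFC 6125): *.example.com covers gateway-envname.example.com, but neither
# admin.automate.example.com nor the bare example.com.
name_matches() {
  pat=$1 host=$2
  [ "$pat" = "$host" ] && return 0
  case $pat in
    \*.*)
      rest=${host#*.}
      [ "$rest" != "$host" ] && [ "$rest" = "${pat#\*.}" ]
      ;;
    *) return 1 ;;
  esac
}

# 0 if at least one SAN of the certificate covers HOST. The loop runs in an
# explicit subshell so that names such as *.example.com are never glob-expanded.
cert_covers_host() {
  crt=$1 host=$2
  cert_san_list "$crt" | (
    while IFS= read -r san; do
      name_matches "$san" "$host" && exit 0
    done
    exit 1
  )
}

# Creates the TLS secret, or updates it in place on renewal; a plain
# "kubectl create secret" would fail once the secret exists.
apply_tls_secret() {
  kubectl create secret tls "$1" --key "$2" --cert "$3" -n "$4" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Prints the notAfter date of the certificate served for HOST (port defaults to
# 443). SNI is sent, so this exercises the host-to-secret mapping of the Ingress.
served_cert_enddate() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate
}

# Constructed test input: a self-signed *.example.com certificate standing in for
# the CA-issued one. Writes DIR/tls.key and DIR/tls.crt.
make_test_wildcard() {
  cat > "$1/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = *.example.com
[v3]
subjectAltName = DNS:*.example.com, DNS:example.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/san.cnf" \
    -keyout "$1/tls.key" -out "$1/tls.crt" 2>/dev/null
}

# Usage: sh tls-check.sh wildcard_example-com.key wildcard_example-com.crt
# Refuses to touch the cluster unless the key matches and every host is covered.
if [ "$#" -eq 2 ]; then
  key_matches_cert "$1" "$2" || { echo "private key does not match certificate" >&2; exit 1; }
  for h in admin.automate.example.com new-web.automate.example.com \
           web-chat.automate.example.com gateway-envname.example.com; do
    cert_covers_host "$2" "$h" || { echo "no SAN covers $h" >&2; exit 1; }
  done
  apply_tls_secret tls-wildcard-example-com-secret "$1" "$2" sentione
  for h in admin.automate.example.com gateway-envname.example.com; do
    printf '%s: ' "$h"; served_cert_enddate "$h"
  done
fi
```

Run the script with the split .key and .crt files before and after a renewal: the SAN check catches the common case where a single-level wildcard was bought for hosts that sit two levels below the apex, and the served-certificate check confirms that haproxy-ingress has reloaded the new secret rather than still serving the old one.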