Configuring trusted certificates in DevOps Loop

You can configure DevOps Loop to use private CA and self-signed certificates by creating or updating a Kubernetes secret with a PEM certificate bundle.

You must have completed the following tasks:

  • Ensured that you have administrator privileges for the Kubernetes namespace where DevOps Loop will be installed.
  • Ensured that the private CA is available in a PEM format (.pem).
Note: In the scenarios below, mycacrt.pem is used as a sample PEM file name for a private CA or combined certificate bundle. You must replace mycacrt.pem with the actual name and path of your PEM file.
Perform any of the following actions based on the scenario:
Scenario 1: No certificate provided (auto-generate self-signed)

Action: Perform the following steps:
  1. Set SELF_SIGNED=true in the DevOps Loop installation script.

    The script generates key.pem and cert.pem valid for 365 days with a SAN for $DOMAIN.

    The script creates a Kubernetes secret named devops-loop-tls-secret containing ca.crt=cert.pem, tls.crt=cert.pem, and tls.key=key.pem.

    The script also sets global.ibmCertSecretName=devops-loop-tls-secret, so that this secret is used to terminate TLS for the DevOps Loop instance.

Notes: No manual secret creation is required. The certificate is generated automatically.

Scenario 2: Using a private CA certificate bundle

Action: Perform the following steps:
  1. Combine multiple CA/intermediate certificates if needed:
    cat rootCA1.pem rootCA2.pem > mycacrt.pem
  2. Create the secret:
    kubectl create secret generic privateca-secret --from-file=ca.crt=/path/to/mycacrt.pem -n devops-loop
  3. Edit the ADDITIONAL_HELM_OPTIONS variable in the DevOps Loop installation script to add:
    --set global.privateCaBundleSecretName=privateca-secret --set ibm-devops-prod.ingress.cert.selfSigned=true

    The Helm value ibm-devops-prod.ingress.cert.selfSigned=true is needed to work around an issue with the latest shipping version of DevOps Test when using TLS certificates signed by a private CA.

Notes: Used when internal services are signed by a private CA. The ca.crt key is mandatory.

Scenario 3: Updating an existing CA or self-signed certificate

Action: Perform the following steps:
  1. To avoid having to restart pods manually, create a new secret that contains the updated certificate:
    kubectl create secret generic privateca2-secret \
    --from-file=ca.crt=/path/to/mycacrt.pem -n devops-loop
  2. Edit the ADDITIONAL_HELM_OPTIONS variable in the DevOps Loop installation script to add:
    --set global.privateCaBundleSecretName=privateca2-secret --set ibm-devops-prod.ingress.cert.selfSigned=true

    The Helm value ibm-devops-prod.ingress.cert.selfSigned=true is needed to work around an issue with the latest shipping version of DevOps Test when using TLS certificates signed by a private CA.
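The bundle-and-secret steps of scenarios 2 and 3, as an added example that is not part of the DevOps Loop installation script: it concatenates the PEM files only after checking that each one holds certificate blocks and no private key, then renders the Secret manifest that kubectl builds from --from-file=ca.crt=, which can be applied to create or update the secret in place. The function names are assumptions; the namespace devops-loop and the secret name privateca-secret come from the page, and the PEM inputs in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not part of DevOps Loop). Function names are assumptions.
# Usage:
#   build_ca_bundle mycacrt.pem rootCA1.pem rootCA2.pem
#   ca_secret_manifest privateca-secret devops-loop mycacrt.pem | kubectl apply -f -

# build_ca_bundle OUT IN...: concatenate PEM files into OUT after checking that
# every input contains at least one CERTIFICATE block, that BEGIN/END markers
# balance, and that no private key slipped in (a CA bundle secret must only
# carry public certificates). Prints the number of certificates bundled.
build_ca_bundle() {
    out=$1; shift
    : > "$out"
    total=0
    for f in "$@"; do
        if grep -q 'PRIVATE KEY' "$f"; then
            echo "refusing $f: private key material does not belong in a CA bundle" >&2
            return 1
        fi
        n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
        e=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
        if [ "$n" -eq 0 ] || [ "$n" -ne "$e" ]; then
            echo "refusing $f: not a well-formed PEM certificate file" >&2
            return 1
        fi
        cat "$f" >> "$out"
        total=$((total + n))
    done
    echo "$total"
}

# ca_secret_manifest NAME NAMESPACE BUNDLE: print an Opaque Secret whose
# mandatory ca.crt key holds the base64-encoded bundle, the same shape that
# `kubectl create secret generic NAME --from-file=ca.crt=BUNDLE` produces.
ca_secret_manifest() {
    b64=$(base64 < "$3" | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n  ca.crt: %s\n' \
        "$1" "$2" "$b64"
}
```

Applying the rendered manifest with `kubectl apply -f -` updates an existing secret of the same name, so it also fits the scenario 3 refresh flow when a new secret name is not wanted.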
You have configured DevOps Loop to use the specified trusted certificates.

You must run the DevOps Loop installation script. See Installation of DevOps Loop.