To enable SSL, deploy the OMEnvironment with a truststore and an ingress TLS secret configured.
Procedure
- Create the keystore from the certificate with the following command:
openssl pkcs12 -export -in <certificate file> \
-inkey <certificate key> \
-out tls.p12 \
-name <yourdomain> \
-CAfile <CA file>
- Create the ingress TLS secret with the SSL certificate. This TLS secret is used for the
ingress from client to the controller.
kubectl create secret tls ingress-secret \
--namespace <your namespace> \
--key tls.key \
--cert tls.crt
Note: If you do not want to use the default certificate, you can add your own certificate by creating the secret from it and referencing that secret in common.ingress.ssl.identitySecretName.
- Mount the tls.p12 file into the pods at the /shared store location in either of the following ways:
  - Pass tls.p12 inside the shared volume and specify it under the security section, as in the following example:
    security:
      ssl:
        trust:
          # This is the `tls.p12` file that you created in the earlier step.
          storeLocation: /shared/tls.p12
          storeType: PKCS12
  - Pass tls.p12 through a secret, storage, or a config map by using additionalMounts. For more information about mounting into pods, see the additionalMounts parameter. The following example uses a secret to mount into the pods:
    additionalMounts:
      secrets:
        - mountPath: /shared/tls.p12
          name: truststoreconfigmap
          subPath: tls.p12
- Deploy the OMEnvironment instance with the following configuration:
  # (truncated)
  # ...
  common:
    ingress:
      host: <your domain>
      ssl:
        # enable SSL
        enabled: true
        # this is the secret created in the earlier step
        identitySecretName: ingress-secret
  security:
    ssl:
      trust:
        # this is the `tls.p12` file you created in the earlier step
        storeLocation: /shared/tls.p12
        storeType: PKCS12
  # ...
  # (truncated)
What to do next
After the deployment is completed, access the application ingresses in the browser and check the
following points:
- The applications are accessible.
- Click the lock icon in the URL bar to check whether the correct certificate is shown.
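The following script is added here as an example and is not taken from the IBM documentation. It exercises the checks a practitioner wants around this procedure: that the private key belongs to the certificate before kubectl create secret tls is run, what the openssl pkcs12 -export step actually placed into tls.p12 (the leaf and any CA certificates), how long the certificate stays valid, and, after deployment, that the fingerprint the ingress presents matches tls.crt, which is the scripted equivalent of clicking the lock icon. It assumes the openssl CLI is installed. The CA file name ca.crt, the domain oms.example.test, the PKCS12 password, the WORK directory and the throwaway CA the script generates in place of your real certificate are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: checks on the TLS material
# before the secret and truststore are created, and on the certificate the
# ingress presents after deployment. Assumes the openssl CLI is installed.
# tls.crt, tls.key and tls.p12 follow the page; ca.crt, the domain, the
# password and the endpoint are constructed placeholders.
set -eu

# SHA-256 fingerprint of a PEM certificate file, e.g. "AB:12:...".
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds when private key $2 belongs to certificate $1. Comparing the derived
# public keys works for RSA and EC keys alike, unlike an RSA-only modulus check.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when certificate $1 expires within $2 days
# (openssl -checkend returns 0 only while the certificate stays valid that long).
cert_expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Fingerprint of the end-entity certificate stored in PKCS12 file $1 (password $2).
p12_leaf_fingerprint() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Number of CA certificates stored in PKCS12 file $1 (password $2): shows whether
# the truststore actually carries the issuing CA or only the leaf certificate.
p12_ca_cert_count() {
  openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$2" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE' || true
}

# Fingerprint of the leaf certificate the ingress at $1:$2 presents for SNI name $1.
# Compare it with cert_fingerprint tls.crt after deployment; needs network access.
served_cert_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed sample material in directory $1: a throwaway CA and a leaf it signs.
make_sample_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=oms.example.test" \
    -keyout "$1/tls.key" -out "$1/tls.csr" 2>/dev/null
  openssl x509 -req -in "$1/tls.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -out "$1/tls.crt" 2>/dev/null
}

# The page's pkcs12 export command with a non-interactive password ($2) so it can
# run in a script; $1 is the directory holding tls.crt, tls.key and ca.crt.
build_truststore() {
  openssl pkcs12 -export -in "$1/tls.crt" -inkey "$1/tls.key" -out "$1/tls.p12" \
    -name oms.example.test -CAfile "$1/ca.crt" -passout "pass:$2"
}

# Sample run on the constructed material.
WORK=$(mktemp -d)
P12_PASS=constructed-example-password
make_sample_material "$WORK"
build_truststore "$WORK" "$P12_PASS"
echo "leaf fingerprint:     $(cert_fingerprint "$WORK/tls.crt")"
echo "p12 leaf fingerprint: $(p12_leaf_fingerprint "$WORK/tls.p12" "$P12_PASS")"
echo "CA certs in p12:      $(p12_ca_cert_count "$WORK/tls.p12" "$P12_PASS")"
key_matches_cert "$WORK/tls.crt" "$WORK/tls.key" && echo "key matches certificate"
```

Read the p12_ca_cert_count result before mounting the file: the truststore decides what the controller trusts, so confirm it holds the CA you intended and nothing else. served_cert_fingerprint needs the deployed ingress and is therefore not part of the sample run; after deployment, compare its output for your host with cert_fingerprint on the tls.crt you placed in ingress-secret.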