(Optional) Adding a Certificate for Securing the Turbonomic UI
If your company policy requires SSL connections that use a trusted certificate, Turbonomic installs a trusted certificate from a known certificate authority.
Requesting a Certificate
The first step is to acquire a certificate. The following steps describe how to generate a certificate request.
Open a Secure Shell terminal session.
Open an SSH terminal session on your Turbonomic instance. Log in as turbo, and use the password that you created for the administration account during installation. For more information, see Set up the Turbonomic System Administrator account.
Change to the directory where you want to store the private key file.
If your shell session is on your Turbonomic instance, use the /opt/turbonomic directory.
cd /opt/turbonomic
Create and save the private key file.
For this example, the private key file is named myPrivate.key.
openssl genrsa -out myPrivate.key 2048
You need this file later. If you are in a session on your Turbonomic instance, copy the file to your local machine.
Create a file to contain the information that generates the signed certificate request (CSR).
vi certsignreq.cfg
Add the request data to the certsignreq.cfg file.
In the file, insert the following code. For any fields marked by angle brackets (for example <city>), provide the indicated value. For example, your country, city, company, and so on.
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C=<country, 2 letter code>
L=<city>
O=<company>
OU=<organizational unit name>
CN=<FQDN>
emailAddress=<email address>
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = <FQDN>
DNS.2 = <server's short name>
DNS.3 = <server's IP address>
Note: For the CN field, specify the fully qualified domain name of the Turbonomic instance.
Alternative names are other ways to access the Turbonomic instance. In the [alt_names] section, the value for the DNS.1 field is required. For DNS.1, specify the fully qualified domain name of the Turbonomic instance. Values for the DNS.2 and DNS.3 are optional. You can add more DNS.x fields if needed.
For example:
Write and quit the file.
Press Esc, type :wq!, and press Enter.
Generate the certificate request file.
In this example, the file is named myRequest.csr.
openssl req -new -sha256 -nodes -out myRequest.csr -key myPrivate.key -config certsignreq.cfg
Send the generated request file to your certificate authority.
If you generated the file on your Turbonomic instance, transfer the file to your local machine. The path to the certificate request file on your remote machine is /opt/turbonomic/myRequest.csr.
Your certificate authority uses this file to create the certificate for you. If your certificate authority gives you an encoding choice between DER and Base 64, choose Base 64.
When you receive the certificate, save it to disk.
If you did not receive the certificate encoded in Base 64, you must convert it from DER to Base 64.
In this example, the certificate is named MyCertificate.crt.
openssl x509 -inform der -in MyCertificate.der -out MyCertificate.crt
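Before installing, it is worth confirming that the certificate returned by the certificate authority was issued for the key and request generated above, and that it lists the FQDN as a DNS subject alternative name. The following script is an added example, not part of the original Turbonomic procedure; the function names and the script name check.sh are assumptions.

```sh
#!/bin/sh
# Added example, not Turbonomic code. File names follow the page.

# Print the SHA-256 digest of the public key inside a key, CSR or certificate.
pubkey_digest() {  # usage: pubkey_digest key|csr|cert FILE
  case "$1" in
    key)  _pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  _pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) _pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  # An unreadable or non-PEM (for example DER) file yields no public key:
  # fail here instead of hashing an empty string.
  [ -n "$_pem" ] || return 1
  printf '%s\n' "$_pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed if the certificate lists NAME as a DNS subjectAltName.
cert_has_san() {  # usage: cert_has_san CERT NAME
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fqx "DNS:$2"
}

# Check key/CSR/certificate agreement, SAN coverage and expiry before install.
preinstall_check() {  # usage: preinstall_check KEY CSR CERT FQDN
  k=$(pubkey_digest key "$1")  || { echo "cannot read private key $1"; return 1; }
  r=$(pubkey_digest csr "$2")  || { echo "cannot read CSR $2"; return 1; }
  c=$(pubkey_digest cert "$3") || { echo "cannot read certificate $3"; return 1; }
  [ "$k" = "$r" ] || { echo "CSR was not generated from $1"; return 1; }
  [ "$k" = "$c" ] || { echo "certificate does not match $1"; return 1; }
  cert_has_san "$3" "$4" || { echo "no DNS SAN for $4 in $3"; return 1; }
  openssl x509 -in "$3" -noout -checkend 0 >/dev/null ||
    { echo "certificate $3 has expired"; return 1; }
  echo "OK: $3 matches $1 and covers $4"
}

# Example: ./check.sh myPrivate.key myRequest.csr MyCertificate.crt <FQDN>
if [ "$#" -eq 4 ]; then preinstall_check "$@"; fi
```

A certificate that is still DER encoded is reported as unreadable, which is the cue to run the conversion step above.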
Installing the Signed Certificate in Turbonomic
After you obtain the signed certificate, you can install it on your Turbonomic instance. You use the private key and certificate files that you obtained when requesting the signed certificate:
myPrivate.key
MyCertificate.crt
To install the signed certificate:
Open an SSH terminal session on your Turbonomic instance.
Add the key and certificate data to your Turbonomic charts.yaml file.
/opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml
Find the section for global parameters. Under the global parameters, create the ingress:secrets section, and then create entries for certificate, key, and name.
Your global parameters should be similar to the following example:
global:
  ingress:
    secrets:
      - certificate: |
          -----BEGIN CERTIFICATE-----
          SAMPLE PUBLIC KEY
          -----END CERTIFICATE-----
        key: |
          -----BEGIN RSA PRIVATE KEY-----
          SAMPLE PRIVATE KEY
          -----END RSA PRIVATE KEY-----
        name: nginx-ingressgateway-certs
For the fields you added:
certificate: holds the content of your MyCertificate.crt file. Open that file to copy its contents and paste them here.
key: holds the content of your myPrivate.key file. Open that file to copy its contents and paste them here.
name: is required and the name must be nginx-ingressgateway-certs.
Apply the changes that you made to the CR file.
kubectl apply -f kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml
Restart the nginx pod.
To require a certificate for HTTPS access, you must restart the nginx pod.
Get the full name of the pod.
kubectl get pods -n turbonomic
In the output, look for the entry for nginx. You should find an entry similar to:
nginx-5b775f498-sm2mm 1/1 Running 0
Restart the pod.
kubectl delete pod nginx-<UID>
Where <UID> is the generated ID for the pod instance.
After the nginx pod restarts, Turbonomic requires a certificate for HTTPS access.
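Pasting PEM data by hand into the CR file is easy to mis-indent. The following added example (not part of the original procedure; the function name render_ingress_secret is an assumption) renders the global ingress:secrets fragment shown in the installation steps from the two files, and rejects input that is not Base 64 (PEM) encoded.

```sh
#!/bin/sh
# Added example, not Turbonomic code.

# Emit the global > ingress > secrets fragment with both PEM files indented
# as YAML block scalars. Refuses files that do not start with a PEM header,
# such as a certificate that is still DER encoded.
render_ingress_secret() {  # usage: render_ingress_secret CERT KEY
  for f in "$1" "$2"; do
    head -n 1 "$f" 2>/dev/null | grep -q '^-----BEGIN ' ||
      { echo "$f is not a PEM file" >&2; return 1; }
  done
  echo 'global:'
  echo '  ingress:'
  echo '    secrets:'
  echo '      - certificate: |'
  # awk always ends each line with a newline, even if the file lacks one.
  awk '{ print "          " $0 }' "$1"
  echo '        key: |'
  awk '{ print "          " $0 }' "$2"
  echo '        name: nginx-ingressgateway-certs'
}

# Example: ./render.sh MyCertificate.crt myPrivate.key
if [ "$#" -eq 2 ]; then render_ingress_secret "$@"; fi
```

The output contains the private key, so write it to a file that only your account can read (for example, under umask 077), and indent the fragment to match where global sits in your CR file.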