Configure TLS certificates for management cluster applications

Starting from Container Cloud 2.12.0, the Container Cloud web UI and StackLight endpoints are available through Transport Layer Security (TLS) with self-signed certificates generated by the Container Cloud provider.

Caution

Starting from Container Cloud 2.12.0, the Container Cloud endpoints are available only through HTTPS.

You can configure TLS certificates for the following applications on a Container Cloud management cluster:

  • Keycloak

  • Container Cloud web UI

Caution

  • A TLS certificate for Keycloak requires DISABLE_OIDC=true to be set in bootstrap.env during a management cluster deployment. With this parameter set, the cluster components that require OIDC authentication, such as the Container Cloud web UI, StackLight, the OIDC login in MKE, are not operational until the Keycloak certificate is set.

  • The organization administrator must ensure that the application host name is resolvable within and outside the cluster.

  • Adding of TLS certificates for Keycloak is not supported on existing clusters deployed using the Container Cloud release earlier than 2.9.0.

To prepare TLS certificates:

  1. Obtain your DNS server name. For example, container-cloud-auth.example.com.

  2. Buy or generate a certificate from a certification authority (CA) that contains the following items:

    • A full CA bundle including the root and all intermediate CA certificates.

    • Your server certificate issued for the container-cloud-auth.example.com DNS name.

    • Your secret key that was used to sign the certificate signing request. For example, cert.key.

  3. Select the root CA certificate from your CA bundle and add it to root_ca.crt.

  4. Combine all certificates including the root CA, intermediate CA from the CA bundle, and your server certificate into one file. For example, full_chain_cert.crt.

To configure TLS certificates for management cluster applications:

  1. For clusters deployed using the Container Cloud release earlier than 2.9.0, download the latest version of the bootstrap script:

    wget https://binary.mirantis.com/releases/get_container_cloud.sh
    chmod 0755 get_container_cloud.sh
    ./get_container_cloud.sh
    
  2. Change the directory to kaas-boostrap.

    If you deleted this directory, restore it using the step 1 of the Collect cluster logs procedure.

  3. Select from the following options:

    • Set a TLS certificate for Keycloak:

      ./container-cloud set certificate \
        --cacert-file <fullRootpathToCACertForKeycloak> \
        --cert-file <fullPathToCertForKeycloak> \
        --key-file <pathToPrivateKeyForKeycloak> \
        --for keycloak  --hostname  <applicationHostName> \
        --kubeconfig <mgmtClusterKubeconfig>
      
    • Set a TLS certificate for the Container Cloud web UI:

      ./container-cloud set certificate \
        --cert-file <fullPathToCertForUI> \
        --key-file <pathToPrivateKeyForUI> \
        --for ui \
        --hostname  <applicationHostName> \
        --kubeconfig <mgmtClusterKubeconfig>
      

    In the commands above, replace the parameters enclosed in angle brackets with the corresponding values of your cluster.

    Flag

    Description

    --cacert-file

    Applicable to Keycloak only. Must contain only one PEM-encoded root CA certificate in the certificate chain of trust.

    --cert-file

    Must contain all certificates in the server certificate chain of trust including the PEM-encoded server certificate.

    --key-file

    Private key used to generate the provided certificate.

    --for keycloak/ui

    Configures a certificate for Keycloak or the Container Cloud web UI.

    --hostname

    DNS server host name.

    --kubeconfig

    Management cluster kubeconfig that is by default located in the kaas-bootstrap directory.

    Example command:

    ./container-cloud set certificate \
      --cacert-file root_ca.crt \
      --cert-file full_chain_cert.crt \
      --key-file cert.key \
      --for keycloak \
      --hostname container-cloud-auth.example.com \
      --kubeconfig kubeconfig