Caution
This feature is available starting from the Container Cloud release 2.9.0.
You can configure TLS certificates for the following applications on a Container Cloud management cluster:
Keycloak
Container Cloud web UI
Caution
A TLS certificate for Keycloak requires DISABLE_OIDC=true
to be set in bootstrap.env during a management
cluster deployment. With this parameter set, the cluster
components that require OIDC authentication, such as the
Container Cloud web UI, StackLight, the OIDC login in MKE,
are not operational until the Keycloak certificate is set.
The organization administrator must ensure that the application host name is resolvable within and outside the cluster.
Adding of TLS certificates for Keycloak is not supported on existing clusters deployed using the Container Cloud release earlier than 2.9.0.
To configure TLS certificates for management cluster applications:
For clusters deployed using the Container Cloud release earlier than 2.9.0, download the latest version of the bootstrap script:
wget https://binary.mirantis.com/releases/get_container_cloud.sh
chmod 0755 get_container_cloud.sh
./get_container_cloud.sh
Change the directory to kaas-boostrap.
If you deleted this directory, restore it using the step 1 of the Collect cluster logs procedure.
Select from the following options:
Set a TLS certificate for Keycloak:
./kaas set certificate --cacert-file <pathToCACertForKeycloak> \
--cert-file <pathToCertForKeycloak> --key-file <pathToPrivateKeyForKeycloak> \
--for keycloak --hostname <applicationHostName> \
--kubeconfig <mgmtClusterKubeconfig>
Set a TLS certificate for the Container Cloud web UI:
./kaas set certificate --cert-file <pathToCertForUI> \
--key-file <pathToPrivateKeyForUI> --for ui --hostname <applicationHostName> \
--kubeconfig <mgmtClusterKubeconfig>
In the commands above, replace the parameters enclosed in angle brackets with the corresponding values of your cluster.