Configure TLS certificates for management cluster applications¶
Starting from Container Cloud 2.12.0, the Container Cloud web UI and StackLight endpoints are available through Transport Layer Security (TLS) with self-signed certificates generated by the Container Cloud provider.
Caution
Starting from Container Cloud 2.12.0, the Container Cloud endpoints are available only through HTTPS.
You can configure TLS certificates for the following applications on a Container Cloud management cluster:
Keycloak
Container Cloud web UI
Caution
A TLS certificate for Keycloak requires
DISABLE_OIDC=trueto be set inbootstrap.envduring a management cluster deployment. With this parameter set, the cluster components that require OIDC authentication, such as the Container Cloud web UI, StackLight, the OIDC login in MKE, are not operational until the Keycloak certificate is set.The organization administrator must ensure that the application host name is resolvable within and outside the cluster.
Adding of TLS certificates for Keycloak is not supported on existing clusters deployed using the Container Cloud release earlier than 2.9.0.
To prepare TLS certificates:
Obtain your DNS server name. For example,
container-cloud-auth.example.com.Buy or generate a certificate from a certification authority (CA) that contains the following items:
A full CA bundle including the root and all intermediate CA certificates.
Your server certificate issued for the
container-cloud-auth.example.comDNS name.Your secret key that was used to sign the certificate signing request. For example,
cert.key.
Select the root CA certificate from your CA bundle and add it to
root_ca.crt.Combine all certificates including the root CA, intermediate CA from the CA bundle, and your server certificate into one file. For example,
full_chain_cert.crt.
To configure TLS certificates for management cluster applications:
For clusters deployed using the Container Cloud release earlier than 2.9.0, download the latest version of the bootstrap script:
wget https://binary.mirantis.com/releases/get_container_cloud.sh chmod 0755 get_container_cloud.sh ./get_container_cloud.shChange the directory to
kaas-boostrap.If you deleted this directory, restore it using the step 1 of the Collect cluster logs procedure.
Select from the following options:
Set a TLS certificate for Keycloak:
./container-cloud set certificate \ --cacert-file <fullRootpathToCACertForKeycloak> \ --cert-file <fullPathToCertForKeycloak> \ --key-file <pathToPrivateKeyForKeycloak> \ --for keycloak --hostname <applicationHostName> \ --kubeconfig <mgmtClusterKubeconfig>
Set a TLS certificate for the Container Cloud web UI:
./container-cloud set certificate \ --cert-file <fullPathToCertForUI> \ --key-file <pathToPrivateKeyForUI> \ --for ui \ --hostname <applicationHostName> \ --kubeconfig <mgmtClusterKubeconfig>
In the commands above, replace the parameters enclosed in angle brackets with the corresponding values of your cluster.
Flag
Description
--cacert-fileApplicable to Keycloak only. Must contain only one PEM-encoded root CA certificate in the certificate chain of trust.
--cert-fileMust contain all certificates in the server certificate chain of trust including the PEM-encoded server certificate.
--key-filePrivate key used to generate the provided certificate.
--for keycloak/uiConfigures a certificate for Keycloak or the Container Cloud web UI.
--hostnameDNS server host name.
--kubeconfigManagement cluster
kubeconfigthat is by default located in thekaas-bootstrapdirectory.Example command:
./container-cloud set certificate \ --cacert-file root_ca.crt \ --cert-file full_chain_cert.crt \ --key-file cert.key \ --for keycloak \ --hostname container-cloud-auth.example.com \ --kubeconfig kubeconfig