Configure TLS certificates for management cluster applications

The Container Cloud web UI and StackLight endpoints are available through Transport Layer Security (TLS) with self-signed certificates generated by the Container Cloud provider.


The Container Cloud endpoints are available only through HTTPS.

You can configure TLS certificates for the following applications on a Container Cloud management cluster:

  • Keycloak

  • Container Cloud web UI


  • The organization administrator must ensure that the application host name is resolvable within and outside the cluster.

  • Custom TLS certificates for Keycloak are supported for new and existing clusters originally deployed using Container Cloud 2.9.0 or later.

Prepare TLS certificates

  1. Obtain your DNS server name. For example,

  2. Buy or generate a certificate from a certification authority (CA) that contains the following items:

    • A full CA bundle including the root and all intermediate CA certificates.

    • Your server certificate issued for the DNS name.

    • Your secret key that was used to sign the certificate signing request. For example, cert.key.

  3. Select the root CA certificate from your CA bundle and add it to root_ca.crt.

  4. Combine all certificates including the root CA, intermediate CA from the CA bundle, and your server certificate into one file. For example, full_chain_cert.crt.

Configure TLS certificates

  1. For clusters deployed using the Container Cloud release earlier than 2.9.0, download the latest version of the bootstrap script:

    chmod 0755
  2. Change the directory to kaas-boostrap.

    If you deleted this directory, restore it using the step 1 of the Collect cluster logs procedure.

  3. Select from the following options:

    • Set a TLS certificate for Keycloak:

      ./container-cloud set certificate \
        --cacert-file <fullRootpathToCACertForKeycloak> \
        --cert-file <fullPathToCertForKeycloak> \
        --key-file <pathToPrivateKeyForKeycloak> \
        --for keycloak  --hostname  <applicationHostName> \
        --kubeconfig <mgmtClusterKubeconfig>
    • Set a TLS certificate for the Container Cloud web UI:

      ./container-cloud set certificate \
        --cert-file <fullPathToCertForUI> \
        --key-file <pathToPrivateKeyForUI> \
        --for ui \
        --hostname  <applicationHostName> \
        --kubeconfig <mgmtClusterKubeconfig>

    In the commands above, replace the parameters enclosed in angle brackets with the corresponding values of your cluster.




    Applicable to Keycloak only. Must contain only one PEM-encoded root CA certificate in the certificate chain of trust.


    Must contain all certificates in the server certificate chain of trust including the PEM-encoded server certificate.


    Private key used to generate the provided certificate.

    --for keycloak/ui

    Configures a certificate for Keycloak or the Container Cloud web UI.


    DNS server host name.


    Management cluster kubeconfig that is by default located in the kaas-bootstrap directory.

    Example command:

    ./container-cloud set certificate \
      --cacert-file root_ca.crt \
      --cert-file full_chain_cert.crt \
      --key-file cert.key \
      --for keycloak \
      --hostname \
      --kubeconfig kubeconfig

Renew expired TLS certificates

Starting from 2.16.0, Container Cloud provides automatic renewal of certificates for internal Container Cloud services. Custom certificates require manual renewal. If you have permissions to view the default project, you may see the Certificate Is Expiring Soon warning for custom certificates. The warning appears on top of the Container Cloud web UI. It displays the certificate with the least number of days before expiration. Click See Details and get more information about other expiring certificates. You can also find the details about the expiring certificates in the Status column’s Certificate Issues tooltip on the Clusters page.

The Certificate Issues status may include the following messages:

  • Some certificates require manual renewal

    A custom certificate is expiring in less than seven days. Renew the certificate manually using the same container-cloud binary as for the certificate configuration. For details, see Configure TLS certificates.

  • Some certificates were not renewed automatically

    An automatic certificate renewal issue. Unexpected error, contact Mirantis support.

The self-signed certificates generated and managed by the Container Cloud provider are stored in *-tls-certs secrets in the kaas namespace. The below procedures describe how to renew certificates for internal Container Cloud services.


Internal non-custom certificates for clusters created prior to Container Cloud 2.16.0 require manual renewal until your cluster is updated to 2.16.0. Once updated, automatic certificate renewal applies.

To manually renew internal non-custom certificates for the Container Cloud services:

  1. Delete the old secret:

    • For admission-controller:

      kubectl -n kaas delete secret admission-tls-certs
    • For mcc-cache:

      kubectl -n kaas delete secret cache-tls-certs
    • For iam-api:

      kubectl -n kaas delete secret iam-tls-certs
    • For kaas-ui:

      kubectl -n kaas delete secret ui-tls-certs
    • For keycloak:

      kubectl -n kaas delete secret keycloak-tls-certs
  2. Wait for a few minutes and verify the secret creation:

    kubectl -n kaas get secret <secret_name>

    Example of a positive system response:

    NAME                 TYPE     DATA   AGE
    keycloak-tls-certs   Opaque   2      21d
  3. Restart the corresponding service Deployment or statefulSet:

    • For admission-controller:

      kubectl -n kaas rollout restart deployment admission-controller
    • For mcc-cache:

      kubectl -n kaas rollout restart statefulset mcc-cache
    • For iam-api:

      kubectl -n kaas rollout restart deployment iam-api
    • For kaas-ui:

      kubectl -n kaas rollout restart deployment kaas-kaas-ui
    • For keycloak:

      kubectl -n kaas rollout restart statefulset iam-keycloak