Configure TLS certificates for management cluster applications¶
The Container Cloud web UI and StackLight endpoints are available through Transport Layer Security (TLS) with self-signed certificates generated by the Container Cloud provider.
The Container Cloud endpoints are available only through HTTPS.
You can configure TLS certificates for the following applications on a Container Cloud management cluster:
Container Cloud web UI
The organization administrator must ensure that the application host name is resolvable within and outside the cluster.
Custom TLS certificates for Keycloak are supported for new and existing clusters originally deployed using Container Cloud 2.9.0 or later.
Prepare TLS certificates¶
Obtain your DNS server name. For example,
Buy or generate a certificate from a certification authority (CA) that contains the following items:
A full CA bundle including the root and all intermediate CA certificates.
Your server certificate issued for the
Your secret key that was used to sign the certificate signing request. For example,
Select the root CA certificate from your CA bundle and add it to
Combine all certificates including the root CA, intermediate CA from the CA bundle, and your server certificate into one file. For example,
Configure TLS certificates¶
For clusters deployed using the Container Cloud release earlier than 2.9.0, download the latest version of the bootstrap script:
wget https://binary.mirantis.com/releases/get_container_cloud.sh chmod 0755 get_container_cloud.sh ./get_container_cloud.sh
Change the directory to
If you deleted this directory, restore it using the step 1 of the Collect cluster logs procedure.
Select from the following options:
Set a TLS certificate for Keycloak:
./container-cloud set certificate \ --cacert-file <fullRootpathToCACertForKeycloak> \ --cert-file <fullPathToCertForKeycloak> \ --key-file <pathToPrivateKeyForKeycloak> \ --for keycloak --hostname <applicationHostName> \ --kubeconfig <mgmtClusterKubeconfig>
Set a TLS certificate for the Container Cloud web UI:
./container-cloud set certificate \ --cert-file <fullPathToCertForUI> \ --key-file <pathToPrivateKeyForUI> \ --for ui \ --hostname <applicationHostName> \ --kubeconfig <mgmtClusterKubeconfig>
In the commands above, replace the parameters enclosed in angle brackets with the corresponding values of your cluster.
Applicable to Keycloak only. Must contain only one PEM-encoded root CA certificate in the certificate chain of trust.
Must contain all certificates in the server certificate chain of trust including the PEM-encoded server certificate.
Private key used to generate the provided certificate.
Configures a certificate for Keycloak or the Container Cloud web UI.
DNS server host name.
kubeconfigthat is by default located in the
./container-cloud set certificate \ --cacert-file root_ca.crt \ --cert-file full_chain_cert.crt \ --key-file cert.key \ --for keycloak \ --hostname container-cloud-auth.example.com \ --kubeconfig kubeconfig
Renew expired TLS certificates¶
Starting from 2.16.0, Container Cloud provides automatic renewal of
certificates for internal Container Cloud services. Custom certificates
require manual renewal. If you have permissions to view the
project, you may see the Certificate Is Expiring Soon warning for
custom certificates. The warning appears on top of the Container Cloud web UI.
It displays the certificate with the least number of days before expiration.
Click See Details and get more information about other expiring
certificates. You can also find the details about the expiring certificates in
the Status column’s Certificate Issues tooltip on the
The Certificate Issues status may include the following messages:
- Some certificates require manual renewal
A custom certificate is expiring in less than seven days. Renew the certificate manually using the same container-cloud binary as for the certificate configuration. For details, see Configure TLS certificates.
- Some certificates were not renewed automatically
An automatic certificate renewal issue. Unexpected error, contact Mirantis support.
The self-signed certificates generated and managed by the Container Cloud
provider are stored in
*-tls-certs secrets in the
The below procedures describe how to renew certificates for internal
Container Cloud services.
Internal non-custom certificates for clusters created prior to Container Cloud 2.16.0 require manual renewal until your cluster is updated to 2.16.0. Once updated, automatic certificate renewal applies.
To manually renew internal non-custom certificates for the Container Cloud services:
Delete the old secret:
kubectl -n kaas delete secret admission-tls-certs
kubectl -n kaas delete secret cache-tls-certs
kubectl -n kaas delete secret iam-tls-certs
kubectl -n kaas delete secret ui-tls-certs
kubectl -n kaas delete secret keycloak-tls-certs
Wait for a few minutes and verify the secret creation:
kubectl -n kaas get secret <secret_name>
Example of a positive system response:
NAME TYPE DATA AGE keycloak-tls-certs Opaque 2 21d
Restart the corresponding service
kubectl -n kaas rollout restart deployment admission-controller
kubectl -n kaas rollout restart statefulset mcc-cache
kubectl -n kaas rollout restart deployment iam-api
kubectl -n kaas rollout restart deployment kaas-kaas-ui
kubectl -n kaas rollout restart statefulset iam-keycloak