Configure TLS certificates for management cluster applications


Caution

This feature is available starting from the Container Cloud release 2.9.0.

You can configure TLS certificates for the following applications on a Container Cloud management cluster:

  • Keycloak

  • Container Cloud web UI

Caution

  • A TLS certificate for Keycloak requires DISABLE_OIDC=true to be set in bootstrap.env during a management cluster deployment. With this parameter set, the cluster components that require OIDC authentication, such as the Container Cloud web UI, StackLight, and the OIDC login in MKE, are not operational until the Keycloak certificate is set.

  • The organization administrator must ensure that the application host name is resolvable within and outside the cluster.

  • Adding TLS certificates for Keycloak is not supported on existing clusters deployed using a Container Cloud release earlier than 2.9.0.

To configure TLS certificates for management cluster applications:

  1. For clusters deployed using a Container Cloud release earlier than 2.9.0, download the latest version of the bootstrap script:

    wget https://binary.mirantis.com/releases/get_container_cloud.sh
    chmod 0755 get_container_cloud.sh
    ./get_container_cloud.sh
    
  2. Change the directory to kaas-bootstrap.

    If you deleted this directory, restore it using step 1 of the Collect cluster logs procedure.

  3. Select from the following options:

    • Set a TLS certificate for Keycloak:

      ./kaas set certificate --cacert-file <pathToCACertForKeycloak> \
      --cert-file <pathToCertForKeycloak> --key-file <pathToPrivateKeyForKeycloak> \
      --for keycloak --hostname <applicationHostName> \
      --kubeconfig <mgmtClusterKubeconfig>
      
    • Set a TLS certificate for the Container Cloud web UI:

      ./kaas set certificate --cert-file <pathToCertForUI> \
      --key-file <pathToPrivateKeyForUI> --for ui --hostname <applicationHostName> \
      --kubeconfig <mgmtClusterKubeconfig>
      

    In the commands above, replace the parameters enclosed in angle brackets with the corresponding values of your cluster.
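
The files passed to the commands in step 3 can be checked locally before they are applied. The following is an added example, not part of the Container Cloud documentation or the kaas CLI: the function names check_tls_inputs and make_demo_cert are hypothetical, and it assumes the openssl command-line tool (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files passed to `./kaas set certificate`.
# check_tls_inputs and make_demo_cert are hypothetical helpers, not kaas commands.

# Usage: check_tls_inputs <certFile> <keyFile> <hostname> [caCertFile]
# Prints one line per failed check; returns 0 only if every check passes.
check_tls_inputs() {
    cert=$1; key=$2; host=$3; ca=${4:-}; rc=0

    # 1. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate"; rc=1
    fi

    # 2. The certificate must cover the value given to --hostname.
    #    -checkhost reports its result as text, so match on the output.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: certificate is not valid for host $host"; rc=1
    fi

    # 3. The certificate must not be expired or expiring within 24 hours.
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "FAIL: certificate is expired or expires within 24 hours"; rc=1
    fi

    # 4. Keycloak only: the certificate must chain to the --cacert-file CA.
    if [ -n "$ca" ] && ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: certificate does not chain to $ca"; rc=1
    fi
    return "$rc"
}

# Constructed sample input: writes a throwaway self-signed certificate and key
# to <dir>/<name>.crt and <dir>/<name>.key so the checks can be tried offline.
# Usage: make_demo_cert <dir> <name> <hostname>
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
```

For the web UI certificate, omit the fourth argument, because that command takes no --cacert-file.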