Configure TLS certificates for management cluster applications¶
The Container Cloud web UI and StackLight endpoints are available through Transport Layer Security (TLS) with self-signed certificates generated by the Container Cloud provider.
Caution
The Container Cloud endpoints are available only through HTTPS.
You can configure TLS certificates for the following applications on a Container Cloud management cluster:
Keycloak
Container Cloud web UI
Caution
The organization administrator must ensure that the application host name is resolvable within and outside the cluster.
Custom TLS certificates for Keycloak are supported for new and existing clusters originally deployed using Container Cloud 2.9.0 or later.
Prepare TLS certificates¶
Obtain your DNS server name. For example,
container-cloud-auth.example.com
.Buy or generate a certificate from a certification authority (CA) that contains the following items:
A full CA bundle including the root and all intermediate CA certificates.
Your server certificate issued for the
container-cloud-auth.example.com
DNS name.Your secret key that was used to sign the certificate signing request. For example,
cert.key
.
Select the root CA certificate from your CA bundle and add it to
root_ca.crt
.Combine all certificates including the root CA, intermediate CA from the CA bundle, and your server certificate into one file. For example,
full_chain_cert.crt
.
Configure TLS certificates¶
For clusters deployed using the Container Cloud release earlier than 2.9.0, download the latest version of the bootstrap script:
wget https://binary.mirantis.com/releases/get_container_cloud.sh chmod 0755 get_container_cloud.sh ./get_container_cloud.sh
Change the directory to
kaas-boostrap
.If you deleted this directory, restore it using the step 1 of the Collect cluster logs procedure.
Select from the following options:
Set a TLS certificate for Keycloak:
./container-cloud set certificate \ --cacert-file <fullRootpathToCACertForKeycloak> \ --cert-file <fullPathToCertForKeycloak> \ --key-file <pathToPrivateKeyForKeycloak> \ --for keycloak --hostname <applicationHostName> \ --kubeconfig <mgmtClusterKubeconfig>
Set a TLS certificate for the Container Cloud web UI:
./container-cloud set certificate \ --cert-file <fullPathToCertForUI> \ --key-file <pathToPrivateKeyForUI> \ --for ui \ --hostname <applicationHostName> \ --kubeconfig <mgmtClusterKubeconfig>
In the commands above, replace the parameters enclosed in angle brackets with the corresponding values of your cluster.
Flag
Description
--cacert-file
Applicable to Keycloak only. Must contain only one PEM-encoded root CA certificate in the certificate chain of trust.
--cert-file
Must contain all certificates in the server certificate chain of trust including the PEM-encoded server certificate.
--key-file
Private key used to generate the provided certificate.
--for keycloak/ui
Configures a certificate for Keycloak or the Container Cloud web UI.
--hostname
DNS server host name.
--kubeconfig
Management cluster
kubeconfig
that is by default located in thekaas-bootstrap
directory.Example command:
./container-cloud set certificate \ --cacert-file root_ca.crt \ --cert-file full_chain_cert.crt \ --key-file cert.key \ --for keycloak \ --hostname container-cloud-auth.example.com \ --kubeconfig kubeconfig
Renew expired TLS certificates¶
Starting from 2.16.0, Container Cloud provides automatic renewal of
certificates for internal Container Cloud services. Custom certificates
require manual renewal. If you have permissions to view the default
project, you may see the Certificate Is Expiring Soon warning for
custom certificates. The warning appears on top of the Container Cloud web UI.
It displays the certificate with the least number of days before expiration.
Click See Details and get more information about other expiring
certificates. You can also find the details about the expiring certificates in
the Status column’s Certificate Issues tooltip on the
Clusters page.
The Certificate Issues status may include the following messages:
- Some certificates require manual renewal
A custom certificate is expiring in less than seven days. Renew the certificate manually using the same container-cloud binary as for the certificate configuration. For details, see Configure TLS certificates.
- Some certificates were not renewed automatically
An automatic certificate renewal issue. Unexpected error, contact Mirantis support.
The self-signed certificates generated and managed by the Container Cloud
provider are stored in *-tls-certs
secrets in the kaas
namespace.
The below procedures describe how to renew certificates for internal
Container Cloud services.
Note
Internal non-custom certificates for clusters created prior to Container Cloud 2.16.0 require manual renewal until your cluster is updated to 2.16.0. Once updated, automatic certificate renewal applies.
To manually renew internal non-custom certificates for the Container Cloud services:
Delete the old secret:
For
admission-controller
:kubectl -n kaas delete secret admission-tls-certs
For
mcc-cache
:kubectl -n kaas delete secret cache-tls-certs
For
iam-api
:kubectl -n kaas delete secret iam-tls-certs
For
kaas-ui
:kubectl -n kaas delete secret ui-tls-certs
For
keycloak
:kubectl -n kaas delete secret keycloak-tls-certs
Wait for a few minutes and verify the secret creation:
kubectl -n kaas get secret <secret_name>
Example of a positive system response:
NAME TYPE DATA AGE keycloak-tls-certs Opaque 2 21d
Restart the corresponding service
Deployment
orstatefulSet
:For
admission-controller
:kubectl -n kaas rollout restart deployment admission-controller
For
mcc-cache
:kubectl -n kaas rollout restart statefulset mcc-cache
For
iam-api
:kubectl -n kaas rollout restart deployment iam-api
For
kaas-ui
:kubectl -n kaas rollout restart deployment kaas-kaas-ui
For
keycloak
:kubectl -n kaas rollout restart statefulset iam-keycloak