TLS certificates
To ensure that all communications between clients and MKE 4k are encrypted, MKE 4k services are exposed using HTTPS. By default, this is done using self-signed TLS certificates that are not trusted by client tools such as web browsers. Thus, when you try to access MKE 4k, your browser warns that it does not trust MKE 4k or that MKE 4k has an invalid certificate.
You can configure MKE 4k to use your own TLS certificates so that your browser
and other client tools will trust your MKE 4k installation. The address you
configure for these custom TLS certificates must differ from the address that is
specified in .spec.apiServer.externalAddress, and you must use a separate DNS name
for the endpoint where the custom TLS certificates are applied.
Info
Mirantis recommends that you make TLS certificate changes outside of peak business hours. Your applications will continue to run normally. The Kube API Server and Ingress Controller will both restart, though, and as such your workloads may experience a short period of unavailability.
Use the MKE 4k CLI (mkectl) to configure MKE 4k to use your own TLS certificates and keys:
- All keys and certificates must be uploaded in PEM format.

- Enable your custom TLS certificates. In the spec.certificates section of the mke4.yaml configuration file:

  - Set enabled to true.
  - Add your TLS certificates in PEM format under ca, cert and key.

- Set a fully qualified domain name in the .spec.certificates.domainName section of the mke4.yaml configuration file.

  Important

  - The domain name can be an IP address, but only if that IP is visible to the Kube API server.
  - Make sure the domain name is not the same as the address specified in .spec.apiServer.externalAddress.

  A fully configured spec.certificates section is illustrated below:

    spec:
      certificates:
        enabled: true
        domainName: "not.external-address.com"
        ca: |
          -----BEGIN CERTIFICATE-----
          <pem-data>
          -----END CERTIFICATE-----
        cert: |
          -----BEGIN CERTIFICATE-----
          <pem-data>
          -----END CERTIFICATE-----
        key: |
          -----BEGIN PRIVATE KEY-----
          <pem-data>
          -----END PRIVATE KEY-----

- Apply the configuration:

    mkectl apply

- Once the mkectl apply command completes, to avoid storing sensitive data in the local file you can remove the cert and key fields from .spec.certificates, as at this point the certificates have been stored securely in the cluster.

  Warning

  Do not remove the ca key and its value from .spec.certificates.
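The following pre-flight checker is an added example and is not part of the Mirantis documentation, MKE 4k or mkectl. It takes the .spec mapping of mke4.yaml as a Python dict (however you load it) and checks the constraints stated above before you run mkectl apply: enabled is true, domainName is set and differs from .spec.apiServer.externalAddress, an IP address as domainName is flagged for the Kube API server visibility requirement, and ca, cert and key each hold well-formed PEM blocks of the right type. It also shows the post-apply cleanup that drops cert and key while refusing to drop ca. The case-insensitive address comparison, the accepted private-key block types and the sample PEM payloads are assumptions; the sample blocks are constructed placeholders, not real credentials, and the checker does not verify that the key matches the certificate or that the certificate chains to ca.

```python
# Added pre-flight checker for the spec.certificates section of mke4.yaml.
# Not part of MKE 4k or mkectl: field names follow the documented layout;
# the check logic, accepted key types and sample data are assumptions.
import base64
import binascii
import ipaddress
import re

# One PEM block: header type, base64 body, footer with the same type.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Block types accepted for each field (assumed; PKCS#8 and legacy key headers).
ALLOWED_TYPES = {
    "ca": {"CERTIFICATE"},
    "cert": {"CERTIFICATE"},
    "key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}


def pem_blocks(text):
    """Return [(block_type, der_bytes)] for every PEM block in text.

    Raises ValueError when a block body is not valid base64.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text or ""):
        block_type, body = match.group(1), "".join(match.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{block_type} block is not valid base64: {exc}")
        blocks.append((block_type, der))
    return blocks


def check_certificates(spec):
    """Check the .spec mapping of mke4.yaml before running mkectl apply.

    Returns {"errors": [...], "warnings": [...]}; an empty errors list means
    the section satisfies the documented constraints.
    """
    errors, warnings = [], []
    certs = spec.get("certificates") or {}
    external = (spec.get("apiServer") or {}).get("externalAddress", "")

    if certs.get("enabled") is not True:
        errors.append("certificates.enabled must be true")

    domain = (certs.get("domainName") or "").strip()
    if not domain:
        errors.append("certificates.domainName must be set")
    elif domain.lower() == external.strip().lower():
        errors.append("certificates.domainName must differ from apiServer.externalAddress")
    else:
        try:
            ipaddress.ip_address(domain)
            warnings.append(f"domainName {domain} is an IP address; it must be visible to the Kube API server")
        except ValueError:
            pass  # a DNS name, which is the normal case

    for field in ("ca", "cert", "key"):
        value = certs.get(field)
        if not value:
            errors.append(f"certificates.{field} is missing")
            continue
        try:
            blocks = pem_blocks(value)
        except ValueError as exc:
            errors.append(f"certificates.{field}: {exc}")
            continue
        if not blocks:
            errors.append(f"certificates.{field} is not PEM encoded")
            continue
        unexpected = {block_type for block_type, _ in blocks} - ALLOWED_TYPES[field]
        if unexpected:
            errors.append(f"certificates.{field} contains unexpected block(s): {sorted(unexpected)}")
        if field == "key" and len(blocks) != 1:
            errors.append("certificates.key must contain exactly one private key")
    return {"errors": errors, "warnings": warnings}


def scrub_after_apply(spec):
    """Return a copy of spec with cert and key removed but ca retained.

    Mirrors the documented post-apply cleanup: cert and key are already
    stored in the cluster, while ca must stay in the local file.
    """
    certs = dict(spec.get("certificates") or {})
    for field in ("cert", "key"):
        certs.pop(field, None)
    if "ca" not in certs:
        raise ValueError("refusing to produce a certificates section without ca")
    return {**spec, "certificates": certs}


def fake_pem(block_type, payload):
    """Wrap constructed bytes as a PEM block (placeholder, not a real credential)."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([f"-----BEGIN {block_type}-----", *lines, f"-----END {block_type}-----"]) + "\n"


# Constructed sample mirroring the documented mke4.yaml layout.
SAMPLE_SPEC = {
    "apiServer": {"externalAddress": "mke.example.com"},
    "certificates": {
        "enabled": True,
        "domainName": "not.external-address.com",
        "ca": fake_pem("CERTIFICATE", b"constructed CA placeholder"),
        "cert": fake_pem("CERTIFICATE", b"constructed leaf placeholder"),
        "key": fake_pem("PRIVATE KEY", b"constructed key placeholder"),
    },
}

if __name__ == "__main__":
    print(check_certificates(SAMPLE_SPEC))
    print(sorted(scrub_after_apply(SAMPLE_SPEC)["certificates"]))
```

This only catches layout mistakes in the file; before applying, still confirm with a tool such as openssl that the certificate's subject alternative names cover the chosen domainName, that the private key belongs to that certificate, and that the certificate chains to the ca you keep in the file.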