In certain scenarios we may want to use self-signed certificate HTTPS. For example, in private network or corporation network.
This document explains how to setup self-signed certificate for PrimeHub.
To enable this feature, you need to make sure:
- Keycloak version ≥ 8.0
- PrimeHub version ≥ 3.1
- Your Keycloak is installed in the same Kubernetes cluster with PrimeHub so they can talk with each other using in-cluster connections.
Create a config file for openssl named
selfsigned.cnf. Please make sure to replace the
YOUR_DOMAIN_NAME field with the domain name you want to use.
prompt = no distinguished_name = req_dn x509_extensions = x509_ext [ req_dn ] commonName = YOUR_DOMAIN_NAME [ x509_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = YOUR_DOMAIN_NAME
Generate a self-signed certificate using the following command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout selfsigned.key -out selfsigned.crt -config selfsigned.cnf
Modify the file permission for latter use.
sudo chmod 644 selfsigned.*
Create A Secret For Nginx-Ingress-Controller
Create a TLS from our certificate and key files.
You may need to manually create the
hub namespace before PrimeHub installation.
kubectl -n hub create secret tls selfsigned-tls --key selfsigned.key --cert selfsigned.crt
Trust Self-Signed Certificate on Node
Execute following steps to trust your self-signed certificate on your node for latter use.
sudo mkdir -p /usr/local/share/ca-certificates/primehub sudo cp selfsigned.crt /usr/local/share/ca-certificates/primehub/ sudo update-ca-certificates
Nginx-Ingress TLS Setting
Add the following ingress setting to your helm overrides. Including these components.
You can also refer to the nginx-ingress documentation.
Including these ingresses:
- keycloak (installed via PrimeHub chart)
# helm_override/primehub.yaml ingress: annotations: kubernetes.io/tls-acme: "false" tls: - hosts: - YOUR_DOMAIN_NAME secretName: selfsigned-tls
Keycloak Service URL Setting (Optional)
Please notice that if you install a standalone Keycloak by using Keycloak chart instead of the one installed during PrimeHub installation, then you need to have a proper TLS.
KC_SVC_URL in your
.env file to activate internal connection.
Please note which namespace your Keycloak locates. e.g.
# .env namespace: default KC_SVC_URL=http://keycloak-http.default/auth #Use the following if your Keycloak installed in the `hub` namespace #KC_SVC_URL=http://keycloak-http.hub/auth
If you installed Keycloak by using Keycloak chart, then you need to configure Keycloak ingress to use self-signed certificate. If you install Keycloak via PrimeHub chart then there's no extra configuration needed.
# helm_override/keycloak.yaml keycloak: ingress: annotations: kubernetes.io/tls-acme: "false" tls: - hosts: - YOUR_DOMAIN_NAME secretName: selfsigned-tls # Note if your Keycloak using other domain & tls
# helm_override/prometheus.yaml grafana: enabled: true ingress: annotations: kubernetes.io/tls-acme: "false" tls: - hosts: - YOUR_DOMAIN_NAME secretName: selfsigned-tls
With these settings, you can proceed PrimeHub installation and it should be working. Don't forget to trust your self-signed certificate in your browser.