Configuring HTTPS in Kubernetes
This document explains how to configure HTTPS in a Kubernetes environment.
SSL Certificate Directory
This directory should contain the required SSL-specific files for running the reverse proxy in HTTPS mode:
• openiam.crt is the SSL certificate file.
• openiam.key is the SSL certificate key. It is required.
• openiam.sslchain.crt file will be used in SSLCertificateChainFile in Apache configurations.
• openiam.ssl.ca.crt file will be used in SSLCACertificateFile in Apache configurations.
Additionally, either openiam.crt or openiam.sslchain.crt is required.
For the reverse proxy to read and use these files, place them in the following folders.
.ssl/
openiam-configmap/.ssl/
In Terraform
rproxy.https.disabled=0
In Helm
--set openiam.rproxy.http=0
Updating the OpenIAM certificate in AKS
Pre-requisites
• Ensure the new certificate file (e.g. _6eddfb0689462086.crt) is ready.
• This file should be used to replace the existing openiam.crt.
• No need to run any Terraform apply.
• AKS cluster access is configured (kubectl is working).
• You have the necessary permissions to edit ConfigMaps and delete pods.
To update the certificate, follow the steps below.
- Back up the existing files and ConfigMap as follows.
cp /usr/local/openiam/kubernetes-docker-configuration/.ssl/openiam.crt /usr/local/openiam/kubernetes-docker-configuration/.ssl/openiam.crt.bak
cp /usr/local/openiam/kubernetes-docker-configuration/openiam-configmap/.ssl/openiam.crt /usr/local/openiam/kubernetes-docker-configuration/openiam-configmap/.ssl/openiam.crt.bak
kubectl get cm rproxy-ssl-certs -o yaml > rproxy-ssl-certs-backup.yaml
- Replace the local certificate files by copying the new certificate over the existing one in both locations.
cp _6eddfb0689462086.crt /usr/local/openiam/kubernetes-docker-configuration/.ssl/openiam.crt
cp _6eddfb0689462086.crt /usr/local/openiam/kubernetes-docker-configuration/openiam-configmap/.ssl/openiam.crt
- Edit the Kubernetes ConfigMap and update it with the new certificate as shown below.
kubectl get cm | grep prox
kubectl edit cm rproxy-ssl-certs
- Restart the rProxy pod to apply the changes.
kubectl get pods | grep rproxy # Find the rproxy pod name
kubectl delete pod <rproxy-podname>
- Verify the update with the following command.
kubectl get pods | grep rproxy
Log in to the web console and verify that the new certificate has been updated.
openssl x509 -in _6eddfb0689462086.crt -text -noout
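
A pre-flight check for the update procedure above, added here as an example and not part of the OpenIAM documentation or tooling: before anything is overwritten, it confirms that the new certificate matches the existing openiam.key in both directories and is not about to expire. The function names, return codes and the 30-day threshold are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks to run before overwriting openiam.crt.
# Function names, return codes and the 30-day threshold are assumptions.

# Print the PEM public key embedded in a certificate or a private key.
pubkey_of() {  # $1 = cert|key, $2 = PEM file
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
  esac 2>/dev/null
}

# Succeed only if the certificate was issued for this private key.
cert_matches_key() {  # $1 = certificate, $2 = private key
  local c k
  c=$(pubkey_of cert "$1") || return 1
  k=$(pubkey_of key "$2") || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# The page's rule: openiam.key is required, plus openiam.crt or openiam.sslchain.crt.
ssl_dir_ok() {  # $1 = .ssl directory
  [ -s "$1/openiam.key" ] || return 1
  [ -s "$1/openiam.crt" ] || [ -s "$1/openiam.sslchain.crt" ]
}

# Check the new certificate against both directories the reverse proxy reads.
# Returns 0 if safe to proceed, 10 = files missing, 11 = key mismatch, 12 = expiring.
preflight() {  # $1 = new certificate, $2 = kubernetes-docker-configuration directory
  local new=$1 root=$2 d
  for d in "$root/.ssl" "$root/openiam-configmap/.ssl"; do
    ssl_dir_ok "$d" || { echo "required files missing in $d" >&2; return 10; }
    cert_matches_key "$new" "$d/openiam.key" ||
      { echo "$new does not match $d/openiam.key" >&2; return 11; }
  done
  openssl x509 -in "$new" -noout -checkend $((30 * 86400)) >/dev/null ||
    { echo "$new expires within 30 days" >&2; return 12; }
}

# Usage with the paths from this page:
#   preflight _6eddfb0689462086.crt /usr/local/openiam/kubernetes-docker-configuration
```

A mismatch (return code 11) means the rProxy pod would restart with a certificate it cannot use with its key, so stop before the copy step and check which key the certificate was issued for.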