TLS Certificates¶
Overview¶
The Ingress-Nginx Controller will terminate TLS within the cluster. The Loadbalancer / VIP must be configured as a TLS passthrough.
Certificate Requirements¶
The TLS certificates in PEM format must be generated for the given DNS. The following must be available in the PEM format:
- Private key
- Server certificate (must include intermediate certs and root cert in the same file. The order of the certs in the file must be server cert should be first, followed by intermediate certs with the root cert at last)
- Root certificate
Default Behavior¶
The installer will autogenerate the self-signed TLS certs for the given DNS value by default.
Providing Custom TLS Certificates¶
If you wish to provide a TLS cert, the following options can be used:
--ti-set-file cluster.tfi.private_key="</path/to/tls_private_key.pem>" \
--ti-set-file cluster.tfi.tls_cert="</path/to/tls_cert.crt>" \
--ti-set-file cluster.tfi.root_ca_cert="</path/to/root_ca.crt>"
Important Notes¶
- The server certificate provided needs to have a Subject Alternative Name (SAN) with the DNS name
- CN (Common Name) is deprecated and UI would be inaccessible without a valid SAN in the certificate
- The passphrase must NOT be set on the TLS key files. i.e Make sure that the file does NOT contain the text "ENCRYPTED" as shown
-----BEGIN ENCRYPTED PRIVATE KEY-----