Configuring SSL/TLS

This topic describes how to configure SSL/TLS with Digital.ai Deploy. The example below configures TLS with Digital.ai Deploy using a self-signed certificate. For production environments, replace it with your own trusted certificate. You can do that by creating a new Secret object in Kubernetes that contains your certificate and then updating the ingress controller to use it.

Note: If you have already registered a domain name and have a valid trusted certificate, skip Step 1 and Step 2 and proceed from Step 3.

Step 1

To begin with, we need a registered domain name. You can register your own domain using the Route 53 service on AWS. Refer to the official AWS documentation:

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.html

We have already created a domain named digitalai-testing.com.

Step 2

We will use OpenSSL to create a self-signed certificate for the subdomain app.digitalai-testing.com:

openssl req -x509 \
-newkey rsa:2048 \
-keyout tls.key \
-out tls.crt \
-days 365 \
-nodes \
-subj "/C=IN/ST=MH/L=PUN/O=MyCompany/CN=app.digitalai-testing.com"

Step 3

Use the kubectl create secret tls command to save your TLS certificate and key as a Secret in the cluster. The --key and --cert options refer to the local files where you’ve saved your private key and certificate.

kubectl create secret tls ssl-secret \
  --key="tls.key" \
  --cert="tls.crt"
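
Before loading the files into the cluster, it is worth confirming that the key and certificate belong together, that the certificate is not about to expire, and that it covers the hostname you will serve. The following is an added example, not part of the Digital.ai documentation; check_tls_pair is a hypothetical helper name and the 30-day default threshold is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight check for the files given to
# `kubectl create secret tls`. check_tls_pair is a hypothetical helper.
# Usage: check_tls_pair CERT KEY HOSTNAME [MIN_DAYS_LEFT]
# Returns 0 if all checks pass, 1 on a failed check, 2 on unreadable input.
check_tls_pair() {
  crt=$1; key=$2; host=$3; min_days=${4:-30}

  # Both files must parse. The Secret needs an unencrypted key, so an empty
  # passphrase is supplied instead of prompting.
  openssl x509 -in "$crt" -noout >/dev/null 2>&1 ||
    { echo "cannot read certificate: $crt" >&2; return 2; }
  openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1 ||
    { echo "cannot read key (missing or passphrase-protected): $key" >&2; return 2; }

  # 1. The public key in the certificate must be the one derived from the key.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey |
            openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout -outform DER |
            openssl dgst -sha256)
  [ "$crt_pub" = "$key_pub" ] ||
    { echo "certificate and private key do not match" >&2; return 1; }

  # 2. The certificate must stay valid for at least min_days more days.
  openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null ||
    { echo "certificate expires within $min_days days" >&2; return 1; }

  # 3. The certificate must be issued for the hostname used in the ingress.
  #    openssl falls back to the CN when the certificate has no SAN entries.
  openssl x509 -in "$crt" -noout -checkhost "$host" |
    grep -q "does match certificate" ||
    { echo "certificate is not valid for $host" >&2; return 1; }

  echo "OK: $crt and $key match and cover $host"
}
```

For the files from Step 2, run check_tls_pair tls.crt tls.key app.digitalai-testing.com in the directory that holds them.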

Step 4

In the values.yaml file of the Helm chart, update the ingress configuration section by uncommenting the tls-acme annotation and changing ssl-redirect from false to true.

Also uncomment the tls section and provide the name of the secret that was created in Step 3.

Step 5

Install the chart using the following command:

helm install [NAME] [CHART]

Step 6

Run the kubectl get services command to see the ingress load balancer configured by AWS, and map the ingress load balancer entry in the Route 53 service by creating an ‘A’ record.

See the AWS documentation for information on creating an ‘A’ record set in Route 53:

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html

We have already created the following ‘A’ record in Route 53:

app.digitalai-testing.com

Step 7

Run the kubectl get ingress command to see the ingress configured in your cluster.

Step 8

Access the application from the browser and check the configured certificate. You’ll get a warning message, as the certificate is self-signed. Click the Advanced button to proceed to the Digital.ai Deploy web UI.
