Configuring SSL/TLS—Digital.ai Deploy

This topic illustrates how to configure SSL/TLS with Digital.ai Deploy. A self-signed certificate is used for illustrative purposes in this procedure. However, you may want to replace it with your own trusted certificate for production environments, which you can do by creating a new Secret object in Kubernetes that contains your certificate and then configuring the ingress controller to use it.

Step 1—Create a Domain Name

Skip this step if you have a registered domain name already.

For example, you can create your own domain using the Route53 service on AWS. For more information, see AWS Route53 Documentation

For illustrative purposes let us use the following domain name: digitalai-testing.com.

Step 2—Create a Self-signed Certificate

Skip this step if you have a valid certificate already.

Suppose you create a self-signed certificate named app.digitalai-testing.com using OpenSSL for the subdomain as shown in the following example:

openssl req -x509 \
  -newkey rsa:2048 \
  -keyout tls.key \
  -out tls.crt \
  -days 365 \
  -nodes \
  -subj "/C=IN/ST=MH/L=PUN/O=MyCompany/CN=app.digitalai-testing.com"

Step 3—Create Secret

Use the kubectl create secret command to save your TLS certificate and key as a Secret in the cluster. The key and cert fields refer to the local files where you’ve saved your certificate and private key.

kubectl create secret tls ssl-secret \
  --key=" tls.key " \
  --cert=" tls.crt "

Step 4—Configure the Ingress Controller

  1. In the Deploy CR YAML file:

    • Update the ingress configuration section by adding the tls-acme annotation and set the ssl-redirect key to true.
    • Add the tls key and type the secret name which was created in Step 3.

    There is a difference between NGINX and HAPROXY setups.

    Here’s an example that uses NGINX ingress controller.

     ingress:
       Enabled: true
       annotations:
         kubernetes.io/ingress.class: nginx
         nginx.ingress.kubernetes.io/affinity: cookie
         nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
         nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
         nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
         nginx.ingress.kubernetes.io/rewrite-target: /
         nginx.ingress.kubernetes.io/session-cookie-name: SESSION_XLD
         nginx.ingress.kubernetes.io/ssl-redirect: "true"
         nginx.ingress.kubernetes.io/tls-acme: "true"
       hosts:
         - app.digitalai-testing.com
       path: /
       # If you want to use TLS configuration uncomment the following lines and provide correct values.
       # You need to create secret, and provide the name under 'secretName'
       tls:
         - secretName: ssl-secret
           hosts:
             - app.digitalai-testing.com

    Here’s an example that uses HAPROXY ingress controller.

     ingress:
       Enabled: true
       annotations:
         kubernetes.io/ingress.class: haproxy
         ingress.kubernetes.io/ssl-redirect: true
         ingress.kubernetes.io/tls-acme: true
         ingress.kubernetes.io/rewrite-target: /
         ingress.kubernetes.io/affinity: cookie
         ingress.kubernetes.io/session-cookie-name: SESSION_XLD
         ingress.kubernetes.io/session-cookie-strategy: prefix
         ingress.kubernetes.io/config-backend: |
           option httpchk GET /ha/health HTTP/1.0
       hosts:
         - app.digitalai-testing.com
       path: /
       # If you want to use TLS configuration uncomment the following lines and provide correct values.
       # You need to create secret, and provide the name under 'secretName'
       tls:
         - secretName: ssl-secret
           hosts:
             - app.digitalai-testing.com
  2. Edit the CR file, in case you have already running application:

    ❯ kubectl get crd
    NAME                                             CREATED AT
    digitalaideploys.xld.digital.ai                 2022-06-27T08:19:54Z
    ...
    ❯ kubectl get digitalaideploys.xld.digital.ai
    NAME      AGE
    dai-xld   3d5h
    ❯ kubectl edit digitalaideploys.xld.digital.ai dai-xld
  3. Save the changes after editing; the changes are applied to the cluster automatically.

Step 5—Verify the Ingress Service

Run the kubectl get services command to see the ingress load balancer configured by the provider.

Example for AWS

AWS maps the ingress load balancer entry in the Route53 service by creating an A record.

See Creating records by using the Amazon Route 53 console for information on creating an ‘A’ record set on Route53.

Suppose you have created the following A record in route53: app.digitalai-testing.com.

Step 6—Verify the Ingress Configuration

Run the kubectl get ingress command to see the ingress controller configuration in your cluster.

❯ kubectl get ingress
NAME                       CLASS    HOSTS                       ADDRESS      PORTS   AGE
dai-xld-digitalai-deploy  <none>   app.digitalai-testing.com   10.224.0.6   80,443  3d5h

Step 7

  1. Access the application using the browser and verify the configured certificate from the browser.

    The following warning message shows up as we used a self-signed certificate.

  2. Click Advanced to go to the Digital.ai Deploy web UI.
<img src="/images/releasecertwarning.png" alt="Certificate Warning">
<img src="/images/certwarning.png" alt="Certificate Information">
<img src="/images/deployUIscreenshot.png" alt="Deploy UI">