Configuring TLS certificates
Default self-signed certificate
A self-signed certificate is automatically generated each time REANA's Helm chart is deployed or upgraded. This certificate is valid for 90 days and is stored in a Kubernetes secret named <helm-release-prefix>-tls-secret. To generate a new TLS certificate, you can simply perform an upgrade of your REANA instance using helm upgrade.
You can disable the generation of the self-signed certificate by setting the ingress.tls.self_signed_cert Helm value to false whilst deploying your REANA instance. If you want to use longer lasting certificates, see the Using a custom certificate section.
The self-signed TLS certificate is used by the REANA web interface. Because the certificate is self-signed, browsers will flag the web site as insecure to users. This may be acceptable on development instances with limited user exposure; for production deployments, however, please use a real TLS certificate issued by a certificate authority such as Let's Encrypt.
Using a custom certificate
If you have a custom certificate issued by a trusted Certificate Authority (CA), you can configure REANA to use it as follows.
First, prepare the mycert.crt and mycert.key files, which contain respectively the public and private part of your certificate.
Note
You can use this same technique with a custom self-signed certificate. For example, to create a self-signed certificate lasting 365 days, you can generate mycert.crt and mycert.key as follows:
$ # source https://letsencrypt.org/docs/certificates-for-localhost/
$ openssl req -x509 -out mycert.crt -keyout mycert.key \
-newkey rsa:2048 -nodes -sha256 -days 365 \
-subj '/CN=localhost' -extensions EXT -config <( \
printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
Using mycert.crt and mycert.key, you should then create a Kubernetes TLS secret containing the certificate, which in this example will be called reana-mycert-secret:
$ kubectl create secret tls reana-mycert-secret --cert=./mycert.crt --key=./mycert.key
Finally, you must set the necessary Helm values whilst deploying REANA:
- ingress.tls.self_signed_cert should be set to false, so that the default self-signed certificate is not generated;
- ingress.tls.secret_name should be set to the name of the Kubernetes secret containing the certificate, in this case reana-mycert-secret.
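The custom-certificate procedure above as one POSIX shell script, added here as an example and not part of the REANA docs or Helm chart: it generalizes the localhost self-signed certificate to any REANA hostname (using openssl -addext, so it assumes OpenSSL 1.1.1 or later), checks the SAN, the expiry and the key/certificate match before the secret is created, and prints the two Helm flags. The hostname reana.example.org, the output directory and the secret name are constructed values; kubectl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not from the REANA docs. Assumes OpenSSL >= 1.1.1 (for
# -addext) and kubectl on PATH; hostname, paths and secret name are constructed.

# make_cert HOST DAYS OUTDIR: self-signed certificate and key carrying a
# subjectAltName for HOST (browsers validate the SAN, not the CN alone);
# generalizes the docs' localhost example to any REANA hostname
make_cert() {
    host="$1"; days="$2"; out="$3"
    mkdir -p "$out"
    openssl req -x509 -out "$out/mycert.crt" -keyout "$out/mycert.key" \
        -newkey rsa:2048 -nodes -sha256 -days "$days" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -addext "keyUsage=digitalSignature" \
        -addext "extendedKeyUsage=serverAuth" 2>/dev/null
}

# check_cert HOST CRT KEY: 0 only if the SAN lists HOST, the certificate is
# valid for at least another day, and KEY is the private key of the certificate
check_cert() {
    host="$1"; crt="$2"; key="$3"
    openssl x509 -in "$crt" -noout -text | grep -qF "DNS:$host" \
        || { echo "SAN does not cover $host" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null \
        || { echo "certificate expires within 24h" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate" >&2; return 1; }
}

# create_secret NAME HOST CRT KEY: verify the pair, then create the TLS
# secret exactly as the docs do with kubectl
create_secret() {
    check_cert "$2" "$3" "$4" || return 1
    kubectl create secret tls "$1" --cert="$3" --key="$4"
}

# helm_tls_flags NAME: the two Helm values required for a custom certificate
helm_tls_flags() {
    printf '%s %s\n' '--set ingress.tls.self_signed_cert=false' \
        "--set ingress.tls.secret_name=$1"
}

# usage: sh reana-tls.sh HOST SECRET_NAME OUTDIR (no-op without arguments)
if [ "$#" -eq 3 ]; then
    make_cert "$1" 365 "$3" && create_secret "$2" "$1" "$3/mycert.crt" "$3/mycert.key" \
        && echo "helm upgrade ... $(helm_tls_flags "$2")"
fi
```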
Automatic certificate issuance
You may also be able to let Kubernetes handle the issuance and configuration of TLS certificates so that the process is fully automatic. Different ingress controllers may require different configurations, but the setup usually involves annotating REANA's Ingress object.
For example, in order to use the Let's Encrypt certificate service with the Traefik ingress controller, it would be necessary to discover and edit the ingress ConfigMap:
$ # discover ingress config map
$ kubectl get configmaps --all-namespaces | grep ingress
$ # edit config map to input the acme section as listed below
$ kubectl edit configmaps -n kube-system ingress-traefik
$ # delete ingress pod to trigger certificate issuance
$ kubectl -n kube-system delete $(kubectl -n kube-system get pod -o name | grep traefik)
The newly added acme section should be similar to this:
[acme]
email = "john.doe@example.org"
storage = "acme.json"
entryPoint = "https"
ACMELogging = true
[acme.tlsChallenge]
[[acme.domains]]
main = "reana.example.org"