Configuring TLS certificates¶
Default self-signed certificate¶
A self-signed certificate is automatically generated each time REANA's Helm
chart is deployed or upgraded. This certificate is valid for 90 days and is
stored in a Kubernetes secret named
generate a new TLS certificate, you can simply perform an upgrade of your REANA
You can disable the generation of the self-signed certificate by setting the
ingress.tls.self_signed_cert Helm value to
false whilst deploying your REANA
instance. If you want to use longer lasting certificates, see the
Using a custom certificate section.
The self-signed TLS certificate is used in the REANA web interface. The web site will appear as insecure to the users due to the certificate being self-signed. This may be acceptable on development instances with limited user exposure. However, for production deployments, please use a real TLS certificate using certificate authorities such as Let's Encrypt.
Using a custom certificate¶
If you have a custom certificate issued by a trusted Certificate Authority (CA), you can configure REANA to use it as follows.
First, prepare the
mycert.key files which contain
respectively the public and private part of your certificate.
You can use this same technique with a custom self-signed certificate.
For example, to create a self-signed certificate lasting 365 days, you can
mycern.key as follows:
$ # source https://letsencrypt.org/docs/certificates-for-localhost/ $ openssl req -x509 -out mycert.crt -keyout mycert.key \ -newkey rsa:2048 -nodes -sha256 -days 365 \ -subj '/CN=localhost' -extensions EXT -config <( \ printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
mycert.key, you should then create a
Kubernetes TLS secret
containing the certificate, which in this example will be called
$ kubectl create secret tls reana-mycert-secret --cert=./mycert.crt --key=./mycert.key
Finally, you must set the necessary Helm values whilst deploying REANA:
ingress.tls.self_signed_certshould be set to
false, so that the default self-signed certificate is not generated;
ingress.tls.secret_nameshould be set to the name of the Kubernetes secret containing the certificate, in this case
Automatic certificate issuance¶
You may also be able to let Kubernetes handle the issuance and configuration of
TLS certificates so that the process would be fully automatic. Different ingress
controllers may require different configurations, but the setup usually requires
to annotate REANA's
For example, in order to use the Let's Encrypt certificate service with the
Traefik ingress controller, it would be necessary to discover and edit the
$ # discover ingress config map $ kubectl get configmaps --all-namespaces | grep ingress $ # edit config map to input the acme section as listed below $ kubectl edit configmaps -n kube-system ingress-traefik $ # delete ingress pod to trigger certificate issuance $ kubectl -n kube-system delete $(kubectl -n kube-system get pod -o name | grep traefik)
The newly added
acme section should be similar to this:
[acme] email = "email@example.com" storage = "acme.json" entryPoint = "https" ACMELogging = true [acme.tlsChallenge] [[acme.domains]] main = "reana.example.org"