Backend over https
This configuration allows the upstream connection between the Digital Enterprise Server and the reverse proxy (normally Nginx) to be encrypted for security purposes. It does not affect the encryption between the client and the reverse proxy, which is controlled by another option, ingress.tls. A self-signed certificate is generated for this configuration because no certificate validation is required.
Self-signed certificate generation
The certificate can be generated with openssl using the following command:

```shell
openssl req -newkey rsa:4096 \
    -x509 \
    -sha256 \
    -days 3650 \
    -nodes \
    -subj "/CN=trisotech.com" \
    -out cert.crt \
    -keyout cert.key
```

The generated PEM files (cert.crt and cert.key) will be required for the next step.
Kubernetes secret configuration
The Digital Enterprise Suite supports the ‘kubernetes.io/tls’ secret type to configure https. The command to create the secret takes the following inputs (kubectl can be replaced by oc for OpenShift):

| File | Description |
|---|---|
| cert.crt | DES certificate (see previous step) |
| cert.key | key associated with the certificate |
| `<NAME>` | The helm instance name (can be obtained using helm ls) |

```shell
kubectl create secret tls <NAME>-des-https --cert=cert.crt --key=cert.key
```
DES configuration
The DES offers the possibility to set annotations on the ingress to configure the reverse proxy. Here is a configuration example for Nginx, where <HOSTNAME> is the value set in ingress.hosts[0]:

```shell
--set ingress.annotations."nginx\.ingress\.kubernetes\.io/backend-protocol"="HTTPS" \
--set ingress.annotations."nginx\.ingress\.kubernetes\.io/proxy-ssl-name"=<HOSTNAME> \
--set ingress.annotations."nginx\.ingress\.kubernetes\.io/proxy-ssl-server-name"=true
```
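The three steps above (certificate, secret, ingress annotations) combined into one script, as an added example that is not part of the DES documentation or the chart. It sets the certificate CN to the ingress host so that it agrees with the proxy-ssl-name annotation, and refuses to create the secret if the certificate and key do not belong together; the function names and the `des_https_setup` entry point are this example's own.

```shell
#!/bin/sh
# Added example: helper for the backend-over-https procedure on this page.
# Function names are this example's own; kubectl/helm flags are the page's.
set -eu

# Name of the tls secret expected by the chart: <helm release name>-des-https.
des_https_secret_name() {
    printf '%s-des-https\n' "$1"
}

# Self-signed backend certificate, as on the page, but with the CN set to the
# ingress host so it matches what proxy-ssl-name tells Nginx to expect.
# (The Nginx ingress does not verify the backend certificate unless
# proxy-ssl-verify is enabled, which is why a self-signed one is sufficient.)
gen_backend_cert() {
    hostname="$1"; dir="$2"
    openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
        -subj "/CN=$hostname" -out "$dir/cert.crt" -keyout "$dir/cert.key"
}

# Reject a mismatched pair before it becomes a broken secret: the public key
# inside the certificate must equal the one derived from the private key.
check_cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# The helm --set arguments for the Nginx annotations shown on the page.
des_https_helm_args() {
    hostname="$1"
    printf '%s\n' \
        '--set ingress.annotations."nginx\.ingress\.kubernetes\.io/backend-protocol"=HTTPS' \
        "--set ingress.annotations.\"nginx\\.ingress\\.kubernetes\\.io/proxy-ssl-name\"=$hostname" \
        '--set ingress.annotations."nginx\.ingress\.kubernetes\.io/proxy-ssl-server-name"=true'
}

# Whole procedure: generate, verify, create the secret, print the helm flags
# to append to the helm install/upgrade command for release <release>.
des_https_setup() {
    release="$1"; hostname="$2"; dir="${3:-.}"
    gen_backend_cert "$hostname" "$dir"
    check_cert_key_match "$dir/cert.crt" "$dir/cert.key"
    kubectl create secret tls "$(des_https_secret_name "$release")" \
        --cert="$dir/cert.crt" --key="$dir/cert.key"
    des_https_helm_args "$hostname"
}

# Usage: sh des-https.sh <release> <hostname> [dir]; with no arguments the
# file only defines the functions (so it can be sourced).
[ $# -lt 2 ] || des_https_setup "$@"
```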