ForgeOps

Secure HTTP

ForgeOps deployments use a TLS-enabled ingress controller to secure communication into the cluster[1]. Incoming requests and outgoing responses are encrypted between the client and the ingress. TLS is terminated at the ingress controller, so the hop from the ingress controller to the platform pods inside the cluster is not covered by that TLS session.

ForgeOps deployments install the NGINX ingress controller[2]. The /path/to/forgeops/kustomize/base/ingress/ingress.yaml file contains an annotation—cert-manager.io/cluster-issuer—that configures the NGINX ingress controller to use cert-manager software for certificate management[3].

The forgeops apply command installs the cert-manager utility in the cert-manager namespace and configures cert-manager to generate self-signed certificates for securing communication into the ingress.

When self-signed certificates are used, communication is encrypted, but the certificate does not chain to a root that browsers trust, so users receive a security warning and must click through it. A user who is used to clicking through cannot tell the deployment's certificate from one presented by an attacker in the network path, which removes the server authentication TLS is meant to provide. Because of this, self-signed certificates are suitable for test environments only.

For all other environments, reconfigure certificate management. Two common configurations are:

  • Using a certificate with a trust chain that starts at a trusted root certificate—Communication is encrypted, and users do not receive warnings from their browsers.

    The TLS certificate section below contains a simple example of how to deploy a certificate from a trusted authority in a ForgeOps deployment. The steps in the example:

    • Remove the cert-manager annotation from the ingress.

    • Create a secret named sslcert that contains the certificate you want to use in your deployment.

  • Using a dynamically obtained certificate from Let’s Encrypt—Communication is encrypted and users do not receive warnings from their browsers.

    You reconfigure cert-manager to use a ClusterIssuer that calls Let’s Encrypt to obtain a certificate and installs the certificate as a Kubernetes secret.

There are many options for certificate management in a Ping Identity Platform deployment. For more information about configuring certificate manager, refer to the cert-manager documentation.
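As an added example of the second configuration (example code, not ForgeOps project code): a shell script that renders and applies a Let's Encrypt ClusterIssuer, re-points the ingress annotation at it, and waits for cert-manager to replace the certificate behind the sslcert secret. The issuer and account-key secret names, the e-mail address and the staging default are assumptions; kubectl must be pointed at the ForgeOps cluster, and the ingress must be reachable on port 80 from the internet for the ACME HTTP-01 challenge.

```shell
#!/bin/sh
# Added example, not ForgeOps project code. Reconfigures cert-manager to
# obtain the ingress certificate from Let's Encrypt instead of the default
# self-signed issuer. Assumptions: the ClusterIssuer names
# (letsencrypt-staging / letsencrypt-prod), the account-key secret names
# and the e-mail address are illustrative; kubectl is pointed at the
# ForgeOps cluster and the ingress answers on port 80 from the internet.
set -eu

ACME_ENV=${ACME_ENV:-staging}                  # staging until HTTP-01 works
ACME_EMAIL=${ACME_EMAIL:-security@example.com} # assumed; receives expiry mail

# ACME directory URL for an environment. Staging certificates chain to an
# untrusted root (browsers still warn) but are exempt from the production
# rate limits, so debug the solver there first.
acme_server() {
    case $1 in
        prod)    echo https://acme-v02.api.letsencrypt.org/directory ;;
        staging) echo https://acme-staging-v02.api.letsencrypt.org/directory ;;
        *)       echo "unknown ACME environment: $1" >&2; return 1 ;;
    esac
}

# Render a cert-manager ClusterIssuer that solves ACME HTTP-01 challenges
# through the NGINX ingress. ingressClassName needs cert-manager 1.12+;
# older releases use "class: nginx" in the same position.
render_cluster_issuer() {   # env email
    server=$(acme_server "$1") || return 1
    cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-$1
spec:
  acme:
    server: $server
    email: $2
    privateKeySecretRef:
      name: letsencrypt-$1-account-key
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx
EOF
}

# Install the issuer and point the existing ForgeOps ingress at it. The
# cert-manager.io/cluster-issuer annotation makes cert-manager's ingress-shim
# reconcile the Certificate behind the ingress TLS secret (sslcert) against
# the new issuer. A Certificate that never becomes Ready almost always means
# the HTTP-01 challenge URL is not reachable on port 80 from outside.
switch_ingress_to_letsencrypt() {   # env email
    render_cluster_issuer "$1" "$2" | kubectl apply -f -
    kubectl annotate ingress forgerock \
        "cert-manager.io/cluster-issuer=letsencrypt-$1" --overwrite
    kubectl wait certificate/sslcert --for=condition=Ready --timeout=5m
}

if [ "${APPLY:-no}" = yes ]; then
    switch_ingress_to_letsencrypt "$ACME_ENV" "$ACME_EMAIL"
else
    render_cluster_issuer "$ACME_ENV" "$ACME_EMAIL"   # dry run: print the manifest
fi
```

Run it once with ACME_ENV=staging APPLY=yes to confirm the solver works, then again with ACME_ENV=prod APPLY=yes; the production endpoint limits how many certificates it issues per domain per week, so a misconfigured solver against production can lock you out for days. Without APPLY=yes the script only prints the manifest for review.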

TLS certificate

The forgeops apply command installs cert-manager software. Likewise, the default Helm deployment enables cert-manager (cert_manager.enabled is true in the chart values) and adds the cert-manager annotation to the ingress.

By default, cert-manager configures the ingress controller in ForgeOps deployments with a self-signed certificate[4]. This is the simplest encryption option—you don’t have to make any changes to your deployment to get encryption.

However, when you access one of the Ping Identity web applications from your browser, you’ll get a "Not Secure" message from your browser. Users will need to bypass the message.

If you have a certificate from a CA, or a certificate generated by the mkcert utility, you can use your certificate for TLS encryption instead of the default self-signed certificate:

  1. Obtain the certificate:

    • Make sure that the certificate is PEM-encoded (a text file whose blocks start with -----BEGIN CERTIFICATE-----). A DER-encoded certificate must be converted first.

    • Include the chain of trust with your certificate: the server certificate first, followed by the intermediate CA certificates that lead to the trusted root, so that browsers that do not already hold the intermediate can build the chain.

  2. Make sure that the deployment FQDN (that you specified in your /etc/hosts file) matches your certificate: the FQDN must appear in the certificate's Subject Alternative Name, either exactly or covered by a single-label wildcard such as *.example.com. Refer to the hostname resolution page for your cluster provider: Google Cloud | AWS | Azure | Minikube.

  3. Remove cert-manager’s annotation from the ingress definition:

    1. If you are using Kustomize, run the kubectl annotate command (the trailing hyphen removes the annotation):

      $ kubectl annotate ingress forgerock cert-manager.io/cluster-issuer-

    2. If you are using Helm, edit the charts/identity-platform/values.yaml file and set cert_manager.enabled to false:

      ...
      cert_manager:
        enabled: false
  4. Delete the certificate resource originally created by cert-manager, so that cert-manager does not re-issue the self-signed certificate and overwrite the secret you install in the next step:

    $ kubectl delete certificate sslcert
  5. Update the secret named sslcert with your certificate. For example:

    $ kubectl create secret tls sslcert --cert=/path/to/my-cert.crt --key=/path/to/my-key.key \
      --dry-run=client -o yaml | kubectl replace -f -

Certificate generated by the mkcert utility

If you don’t have a certificate from a CA, you can use the mkcert utility to generate a locally trusted certificate. In many cases, it’s acceptable to use mkcert certificates for development purposes.

To use a certificate generated by the mkcert utility in a ForgeOps deployment whose FQDN is a host in the example.com domain:

  1. If you don’t have mkcert software installed locally, install it. Firefox users must also install certutil (from NSS), because Firefox keeps its own trust store and mkcert uses certutil to add the local CA to it. Refer to the mkcert installation instructions for more information.

  2. If you haven’t ever done so, run the mkcert -install command to create a local certificate authority (CA) and install it in your system root store. Restart your browser after creating the local CA. The CA's private key (rootCA-key.pem in the directory reported by mkcert -CAROOT) lets anyone who holds it issue certificates that your browser trusts, so never copy it off your development machine.

  3. Create a wildcard certificate for the example.com domain:

    $ cd
    $ mkcert "*.example.com"

    The mkcert utility generates the certificate file as _wildcard.example.com.pem and the private key file as _wildcard.example.com-key.pem. Use these two file names when you create the Kubernetes sslcert secret. The wildcard covers exactly one label: a deployment FQDN such as host.example.com is covered, but example.com itself and deeper names such as a.b.example.com are not.
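The checks behind steps 1, 2 and 5 of the TLS certificate procedure, and the final step that the mkcert procedure refers to, as one added shell script (example code, not part of ForgeOps): it verifies that the certificate file is PEM, that the private key belongs to the first (leaf) certificate, that a DNS Subject Alternative Name covers the deployment FQDN under the single-label wildcard rule, and that the bundle is ordered leaf first with each certificate signed by the next, and only then replaces the sslcert secret. It assumes openssl (1.1.1 or later) and kubectl on PATH; the file names and the FQDN are illustrative, and mkcert's _wildcard.example.com.pem and _wildcard.example.com-key.pem are valid inputs (a bundle with no intermediates only produces a warning).

```shell
#!/bin/sh
# Added example, not ForgeOps project code: validate a PEM certificate and
# key for the deployment FQDN, then replace the sslcert secret with them.
# Assumes openssl (1.1.1+) and kubectl on PATH. File names and the FQDN
# are illustrative, e.g.:
#   sh install-sslcert.sh _wildcard.example.com.pem _wildcard.example.com-key.pem am.example.com
set -u

# Number of PEM certificate blocks in a file; 0 for DER, a key, or no file.
count_pem_certs() {   # file
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the n-th PEM certificate block of a bundle (1-based).
nth_cert() {   # file n
    awk -v n="$2" '/^-----BEGIN CERTIFICATE-----/ { c++ } c == n' "$1"
}

# Does one DNS SAN cover the FQDN? A wildcard matches exactly one label, so
# "*.example.com" covers "am.example.com" but neither "example.com" nor
# "a.b.example.com". Names are compared case-insensitively.
san_matches() {   # san fqdn
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    fqdn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $name in
        \*.*)
            suffix=${name#\*.}
            case $fqdn in
                *.*) [ "${fqdn#*.}" = "$suffix" ] ;;
                *)   return 1 ;;
            esac ;;
        *) [ "$name" = "$fqdn" ] ;;
    esac
}

# DNS names in the leaf certificate's Subject Alternative Name extension
# (openssl x509 reads only the first certificate of a bundle).
cert_dns_sans() {   # cert
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

cert_covers_fqdn() {   # cert fqdn
    for san in $(cert_dns_sans "$1"); do
        san_matches "$san" "$2" && return 0
    done
    return 1
}

# The key file must yield the same SubjectPublicKeyInfo as the leaf cert.
key_matches_cert() {   # cert key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# A bundle must start with the server certificate; every following
# certificate must be the one that signed its predecessor.
chain_is_ordered() {   # bundle
    n=$(count_pem_certs "$1"); i=1
    [ "$n" -ge 1 ] || return 1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer 2>/dev/null)
        subject=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject 2>/dev/null)
        [ -n "$issuer" ] || return 1
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# Run every check, reporting the first failure on stderr.
validate_tls_pair() {   # cert key fqdn
    [ "$(count_pem_certs "$1")" -ge 1 ] || { echo "$1: not a PEM certificate" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "$2: key does not match the leaf certificate" >&2; return 1; }
    cert_covers_fqdn "$1" "$3" || { echo "$1: no DNS SAN covers $3" >&2; return 1; }
    chain_is_ordered "$1"      || { echo "$1: chain is not leaf-first or is broken" >&2; return 1; }
    [ "$(count_pem_certs "$1")" -ge 2 ] \
        || echo "warning: $1 carries no intermediates (fine for mkcert, not for a public CA)" >&2
    return 0
}

# Replace the secret the ForgeOps ingress serves. The cert-manager annotation
# must already be gone from the ingress, or cert-manager overwrites it again.
install_sslcert() {   # cert key fqdn
    validate_tls_pair "$1" "$2" "$3" || return 1
    kubectl delete certificate sslcert --ignore-not-found
    kubectl create secret tls sslcert --cert="$1" --key="$2" \
        --dry-run=client -o yaml | kubectl apply -f -
}

if [ "$#" -eq 3 ]; then
    install_sslcert "$1" "$2" "$3"
fi
```

The script uses kubectl apply rather than the replace shown in step 5 so that it also works when the sslcert secret does not exist yet; the result is the same when it does. The key comparison is done on the public key rather than on file names or subjects, which is what catches the common mistake of pairing a renewed certificate with the previous key.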


1. To access DS, refer to DS command-line access.
2. If you prefer to use a different ingress controller, deploy infrastructure in Kubernetes to support it.
3. The NGINX ingress and cert-manager are evolving technologies. Descriptions of these technologies were accurate at the time of this writing, but might differ when you deploy them.
4. For more information on how to change the default behavior, refer to the steps for creating sslcert.