Secure HTTP
ForgeOps deployments use a TLS-enabled ingress controller to enable secure communication to the cluster. Incoming requests and outgoing responses are encrypted. TLS is terminated at the ingress controller.

ForgeOps deployments install the NGINX ingress controller. The /path/to/forgeops/kustomize/base/ingress/ingress.yaml file contains an annotation, cert-manager.io/cluster-issuer, that configures the NGINX ingress controller to use cert-manager software for certificate management.
The forgeops apply command installs the cert-manager utility in the cert-manager namespace and configures cert-manager to generate self-signed certificates for securing communication into the ingress.
When self-signed certificates are used, communication is encrypted, but users receive warnings about insecure communication from some browsers. Because of this, self-signed certificates are suitable for test environments only.
For all other environments, reconfigure certificate management. Two common configurations are:

- Using a certificate with a trust chain that starts at a trusted root certificate. Communication is encrypted, and users do not receive warnings from their browsers. The TLS certificate section below contains a simple example of how to deploy a certificate from a trusted authority in a ForgeOps deployment. The steps in the example:
  - Remove the cert-manager annotation from the ingress.
  - Create a secret named sslcert that contains the certificate you want to use in your deployment.
- Using a dynamically obtained certificate from Let’s Encrypt. Communication is encrypted, and users do not receive warnings from their browsers. You reconfigure cert-manager to use a ClusterIssuer that calls Let’s Encrypt to obtain a certificate and installs the certificate as a Kubernetes secret.

There are many options for certificate management in a Ping Identity Platform deployment. For more information about configuring cert-manager, refer to the cert-manager documentation.
TLS certificate

The forgeops apply command installs cert-manager software. Similarly, when using Helm, the default ForgeOps deployment requires cert-manager annotations.

By default, cert-manager configures the ingress controller in ForgeOps deployments with a self-signed certificate. This is the simplest encryption option: you don’t have to make any changes to your deployment to get encryption. However, when you access one of the Ping Identity web applications from your browser, you’ll get a "Not Secure" message from your browser. Users will need to bypass the message.
If you have a certificate from a CA, or a certificate generated by the mkcert utility, you can use your certificate for TLS encryption instead of the default self-signed certificate:

- Obtain the certificate:
  - Make sure that the certificate is PEM-encoded.
  - A best practice is to include the entire chain of trust with your certificate.
- Make sure that the deployment FQDN (that you specified in your /etc/hosts file) works with your certificate. Refer to the hostname resolution page for your cluster provider: Google Cloud | AWS | Azure | Minikube.
- Remove cert-manager’s annotation from the ingress definition:
  - If you are using Kustomize, run the kubectl annotate command (the trailing hyphen on the annotation name removes it):
    $ kubectl annotate ingress forgerock cert-manager.io/cluster-issuer-
  - If you are using Helm, edit the charts/identity-platform/values.yaml file and set cert_manager.enabled to false:
    ...
    cert_manager:
      enabled: false
- Delete the certificate resource originally created by cert-manager:
  $ kubectl delete certificate sslcert
- Update the secret named sslcert with your certificate. For example:
  $ kubectl create secret tls sslcert --cert=/path/to/my-cert.crt --key=/path/to/my-key.key \
      --dry-run=client -o yaml | kubectl replace -f -
Certificate generated by the mkcert utility

If you don’t have a certificate from a CA, you can use the mkcert utility to generate a locally trusted certificate. In many cases, it’s acceptable to use mkcert certificates for development purposes.

To use a certificate generated by the mkcert utility in a ForgeOps deployment that uses my-fqdn as the deployment FQDN:

- If you don’t have mkcert software installed locally, install it. Firefox users must install certutil software. Refer to the mkcert installation instructions for more information.
- If you haven’t ever done so, run the mkcert -install command to create a local certificate authority (CA) and install it in your system root store. Restart your browser after creating the local CA.
- Create a wildcard certificate for the example.com domain:
  $ cd
  $ mkcert "*.example.com"
  The mkcert utility generates the certificate file as _wildcard.example.com.pem and the private key file as _wildcard.example.com-key.pem. Use these two file names when you create the Kubernetes sslcert secret.
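As an added example (not part of this page or of ForgeOps), the following stdlib-only Python script performs the pre-flight checks behind the two procedures above before the sslcert secret is replaced: the certificate file is PEM-encoded, it carries the chain of trust and not only the leaf, and the deployment FQDN is covered by one of the certificate's names, including an mkcert wildcard such as *.example.com. It then builds the kubernetes.io/tls Secret manifest that kubectl create secret tls --dry-run=client -o yaml prints. The function names, the san_names parameter (read the real values with openssl x509 -noout -ext subjectAltName) and the PEM stand-ins are assumptions made for the example.

```python
# Added example, not ForgeOps code. Pre-flight checks for the certificate and
# key that go into the sslcert secret, plus the kubernetes.io/tls Secret that
# `kubectl create secret tls sslcert --cert=... --key=... --dry-run=client
# -o yaml` would print. Stdlib only, so the SAN names are passed in.
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, block) for every PEM block in text, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def hostname_matches(pattern, fqdn):
    """RFC 6125 style: a leading '*' covers exactly one DNS label, so
    '*.example.com' matches 'my-fqdn.example.com' but not 'a.b.example.com'."""
    p, h = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, tail = h.partition(".")
    return bool(head) and tail == p[2:]

def check_cert_material(cert_pem, key_pem, fqdn, san_names):
    """Return the problems found; an empty list means the pair is usable."""
    problems = []
    certs = [b for b in pem_blocks(cert_pem) if b[0] == "CERTIFICATE"]
    if not certs:
        problems.append("certificate file is not PEM-encoded")
    elif len(certs) == 1:
        problems.append("only the leaf is present; include the chain of trust")
    keys = [b for b in pem_blocks(key_pem) if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append("key file must contain exactly one PEM private key")
    if not any(hostname_matches(n, fqdn) for n in san_names):
        problems.append(f"certificate names {san_names} do not cover {fqdn}")
    return problems

def tls_secret_manifest(name, cert_pem, key_pem, namespace="default"):
    """Build the kubernetes.io/tls Secret as a dict (data values base64)."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)}}

# Constructed stand-ins for a leaf, its issuer and a key (not real DER).
LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
ISSUER = "-----BEGIN CERTIFICATE-----\nQ0E=\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"
```

Feed the dict to a YAML or JSON serializer and pipe it to kubectl replace -f - to reproduce the manual step with the checks in front of it.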