| 1 | +--- |
| 2 | +title: Using loft with a self signed certificate |
| 3 | +sidebar_label: Using loft with a self signed certificate |
| 4 | +--- |
| 5 | + |
| 6 | +By default loft will start up without tls and expects tls to be handled by an ingress controller in front of loft. However, if you want to expose loft via a NodePort or LoadBalancer service and without an ingress controller, loft is able to serve any tls certificate. |
| 7 | + |
| 8 | +## Create the tls certificate |
| 9 | + |
| 10 | +The server tls certificate needs to have certain DNS names included because it will be used for Readiness/Liveness Probes, Webhook, APIService and UI and hence called by different parties. |
| 11 | + |
| 12 | +You can start by creating a new private key: |
| 13 | +``` |
| 14 | +openssl genrsa -out tls.key 4096 |
| 15 | +``` |
| 16 | + |
| 17 | +Then create a new `ssl.conf` with the following format (include any other domains loft should be reachable under): |
| 18 | +``` |
| 19 | +[ req ] |
| 20 | +default_bits = 4096 |
| 21 | +distinguished_name = req_distinguished_name |
| 22 | +x509_extensions = v3_ca |
| 23 | +req_extensions = v3_req |
| 24 | +x509_extensions = usr_cert |
| 25 | +
|
| 26 | +[ req_distinguished_name ] |
| 27 | +organizationName = Organization Name (eg, company) |
| 28 | +organizationName_default = loft |
| 29 | +commonName = Common Name (e.g. server FQDN or YOUR name) |
| 30 | +commonName_default = loft |
| 31 | +
|
| 32 | +[ usr_cert ] |
| 33 | +basicConstraints = CA:FALSE |
| 34 | +nsCertType = client, server |
| 35 | +keyUsage = digitalSignature |
| 36 | +extendedKeyUsage = serverAuth, clientAuth |
| 37 | +
|
| 38 | +[ v3_req ] |
| 39 | +subjectAltName = @alt_names |
| 40 | +extendedKeyUsage = serverAuth, clientAuth |
| 41 | +basicConstraints = CA:FALSE |
| 42 | +keyUsage = digitalSignature |
| 43 | +
|
| 44 | +[ alt_names ] |
| 45 | +DNS.1 = localhost |
| 46 | +DNS.2 = loft-apiservice.loft.svc |
| 47 | +DNS.3 = loft-apiservice.loft.svc.local |
| 48 | +DNS.4 = loft.loft.svc |
| 49 | +DNS.5 = loft.loft.svc.local |
| 50 | +``` |
| 51 | + |
| 52 | +Then create the certificate signing request: |
| 53 | +``` |
| 54 | +openssl req -new -sha256 \ |
| 55 | + -out tls.csr \ |
| 56 | + -key tls.key \ |
| 57 | + -config ssl.conf |
| 58 | +``` |
| 59 | + |
| 60 | +You will be asked some basic questions which you can skip via enter and use the default value 'loft'. |
| 61 | +Then create the certificate via: |
| 62 | + |
| 63 | +``` |
| 64 | +openssl x509 -req \ |
| 65 | + -sha256 \ |
| 66 | + -days 3650 \ |
| 67 | + -in tls.csr \ |
| 68 | + -signkey tls.key \ |
| 69 | + -out tls.crt \ |
| 70 | + -extensions v3_req \ |
| 71 | + -extfile ssl.conf |
| 72 | +``` |
| 73 | + |
| 74 | +## Create the kubernetes secret & upgrade loft |
| 75 | + |
| 76 | +In order for loft to find and automatically use the self signed certificate, you need to create a kubernetes secret called 'loft-cert' in the loft namespace. You can do this via kubectl: |
| 77 | +``` |
| 78 | +kubectl create secret generic loft-cert -n loft --type=kubernetes.io/tls --from-file=tls.crt=tls.crt --from-file=tls.key=tls.key --from-file=ca.crt=tls.crt |
| 79 | +``` |
| 80 | + |
| 81 | +If the secret already exists, delete it via: |
| 82 | +``` |
| 83 | +kubectl delete secret loft-cert -n loft |
| 84 | +``` |
| 85 | + |
| 86 | +Now the only thing left to do is to tell loft to use tls instead of expecting the ingress controller to handle this. This can be done via helm: |
| 87 | +``` |
| 88 | +helm upgrade loft loft --repo https://charts.devspace.sh/ \ |
| 89 | + --namespace loft \ |
| 90 | + --reuse-values \ |
| 91 | + --set useSelfSignedCertificate=true |
| 92 | +``` |
| 93 | + |
| 94 | +If loft was already running, make sure the loft pod restarted or otherwise it will not serve the new certificate. If it has not restarted you can force a restart by running: |
| 95 | +``` |
| 96 | +kubectl delete po --selector=app=loft -n loft |
| 97 | +``` |
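Review bot: the `[ req ]` section sets `x509_extensions` twice (file lines 22 and 24: `x509_extensions = v3_ca`, then `x509_extensions = usr_cert`), and there is no `[ v3_ca ]` section anywhere in the file; drop the `v3_ca` line so the config carries one value and no dangling section reference. The remaining `usr_cert` value is also never applied, because the `openssl x509 -req` step (file lines 64-71) explicitly passes `-extensions v3_req`; either remove the `[ usr_cert ]` section or say in the text that `v3_req` is the section that ends up in the certificate. In `[ alt_names ]` (file lines 47 and 49), `loft-apiservice.loft.svc.local` and `loft.loft.svc.local` are not the in-cluster FQDNs: with the default Kubernetes cluster domain those are `loft-apiservice.loft.svc.cluster.local` and `loft.loft.svc.cluster.local`, so any caller that resolves the full service name (webhook, APIService) would hit a hostname mismatch against this certificate; suggest adding the `.svc.cluster.local` entries alongside the short `.svc` forms. Finally, the "If the secret already exists, delete it via" step (file lines 81-84) is placed after the `kubectl create secret generic loft-cert ...` command (file line 78), which fails when the secret is already present; move the delete step before the create, or replace the pair with an idempotent form such as `kubectl create secret generic loft-cert ... --dry-run=client -o yaml | kubectl apply -f -`.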