Deepfactor portal requires a TLS certificate to encrypt traffic between the portal and your applications running with Deepfactor enabled. You can choose to use either a self-signed certificate or provide your own. The following articles outline how you can specify a certificate.
- Install Deepfactor portal using Helm
- Deploy Deepfactor Portal in your Kubernetes Cluster using Let’s Encrypt Certificate
- Deploying Deepfactor Portal in your Kubernetes Cluster With AWS Private CA Cert
You should update the Deepfactor portal certificate before it expires. The following document outlines the steps needed to update the portal certificate based on the kind of certificate installed on the portal.
Self Signed Certificate
- Delete the old secrets named deepfactor-certs and df-certs-ingress.

    # delete old certificates secret
    kubectl delete secret deepfactor-certs df-certs-ingress -n deepfactor

- Generate new self-signed certificates:
  - Download the required files using the commands below.

      # create a directory for the files
      mkdir deepfactor-certs
      # change directory
      cd deepfactor-certs/
      wget https://static.deepfactor.io/scripts/public/df-portal/cert-gen/generate-cert.sh
      wget https://static.deepfactor.io/scripts/public/df-portal/cert-gen/openssl-portal.cnf
      wget https://static.deepfactor.io/scripts/public/df-portal/cert-gen/openssl-portalca.cnf

  - Navigate to the download directory and run the script generate-cert.sh, providing the DNS for your portal.

      chmod +x generate-cert.sh
      sudo ./generate-cert.sh <DNS-of-your-portal>

- Create a Kubernetes secret for the certificates.

    # create new certificates secret
    kubectl create secret generic df-certs-ingress \
      --from-file=tls.crt=./portal.crt \
      --from-file=tls.key=./portal.key \
      --from-file=ca.crt=./portalca.crt \
      --namespace=deepfactor

- Upgrade the portal and restart the pods. The example below assumes the release name is df-stable and that the chart repo name and the namespace are both deepfactor.

    # the portal reloads the new secrets after an upgrade and a restart of the Nginx and Apiservice pods
    # upgrade the portal first
    helm upgrade df-stable deepfactor/deepfactor -n deepfactor -f override.yaml --set dfstartup.enabled=false
    # restart the pods
    kubectl rollout restart deploy df-stable-deepfactor-nginx df-stable-deepfactor-apisvc -n deepfactor
    # wait for the pods to be in running state
    kubectl get pods -n deepfactor

Public CAs
- If the certificate is managed by a third-party tool like cert-manager, the tool should take care of renewing the certificates, and you only need to restart a few of the Deepfactor pods so that they use the updated certificates.
  The example below assumes the release name is df-stable and that the chart repo name and the namespace are both deepfactor.

    # restart the pods
    kubectl rollout restart deploy df-stable-deepfactor-nginx df-stable-deepfactor-apisvc -n deepfactor
    # wait for the pods to be in running state
    kubectl get pods -n deepfactor

- If the certificate is self-managed, delete the old secret and create a new one with the same name.

    # create new certificates secret
    kubectl create secret generic df-certs-ingress \
      --from-file=tls.crt="/path/to/tlscrt.pem" \
      --from-file=tls.key="/path/to/tlskey.pem" \
      --from-file=ca.crt="/path/to/ca.pem" \
      --namespace=deepfactor
    # restart the pods
    kubectl rollout restart deploy df-stable-deepfactor-nginx df-stable-deepfactor-apisvc -n deepfactor
    # wait for the pods to be in running state
    kubectl get pods -n deepfactor
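
A pre-flight check that can be run on the certificate files before the `kubectl create secret` step, in both the self-signed and the self-managed procedures. This is an added example, not part of Deepfactor's documentation or scripts; the function name `check_portal_certs`, the script name in the usage comment and the 30-day default are assumptions, and it requires the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: validate certificate files before loading them into the
# df-certs-ingress secret. Function name and default threshold are assumptions.
# Usage: check_portal_certs CERT KEY CA PORTAL_DNS [MIN_DAYS]
check_portal_certs() {
    cert=$1; key=$2; ca=$3; host=$4; min_days=${5:-30}

    # 1. The private key must belong to the certificate (compare public keys).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot read certificate $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read private key $key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert" >&2; return 1; }

    # 2. The certificate must chain to the CA file stored as ca.crt.
    #    -no-CApath keeps the system trust store out of the decision;
    #    -untrusted lets intermediates bundled in the cert file be used.
    openssl verify -no-CApath -CAfile "$ca" -untrusted "$cert" "$cert" \
        >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not chain to $ca" >&2; return 1; }

    # 3. The certificate must cover the portal DNS name.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match' ||
        { echo "FAIL: $cert is not valid for $host" >&2; return 1; }

    # 4. The certificate must stay valid for at least MIN_DAYS more days.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 ||
        { echo "FAIL: $cert expires within $min_days days" >&2; return 1; }

    echo "OK: $cert is usable for $host for at least $min_days more days"
}

# Run the check when called with arguments, for example:
#   ./check-certs.sh portal.crt portal.key portalca.crt <DNS-of-your-portal>
if [ "$#" -ge 4 ]; then
    check_portal_certs "$@"
fi
```

A non-zero exit status means the files should not be loaded into the secret; the message on stderr names the check that failed.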