โ๏ธConfigure HTTPS
External traffic
Overview
You have two ingresses to secure:
The main entrypoint
nginx(for the example, we assume the addressapp.example.com)The authentication service entrypoint
curity(we assume the addressauth.example.com)
This guide assumes you have a DNS entry pointing to the IP address of the Load Balancer where you're running Toucan.
This guide also assume full understanding of TLS and how to configure it.
Parameters
Here's the location of the parameters you need to configure:
Using cert-manager
Configuring the Issuer
Check the official documentation: cert-manager - Issuer Configuration.
Each time you deploy a new Certificate, the solver will try to create a DNS record with the name _acme-challenge.<host>.
Each time you deploy a new Certificate, the solver will try to create an ingress using the ingressClassName you set in the http01 solver.
Be sure to open port 80 on the Load Balancer and firewall so that the ACME server can reach your ingress to fetch the challenge.
If you don't have a CA ready, you can generate one:
If you are using an existing CA, deploy your CA certificate as a Secret:
Note: If your issuer represents an intermediate, ensure that tls.crt contains the issuer's full chain in the correct order: issuer -> intermediate(s) -> root. The root (self-signed) CA certificate is optional, but adding it will ensure that the correct CA certificate is stored in the secrets for issued Certificates under the ca.crt key. If you fail to provide a complete chain, it might not be possible for consumers of issued Certificates to verify whether they're trusted.
Now, deploy the issuer:
Using the Issuer
You can set the parameters as follows:
This will automatically generate a certificate and secret named app.example.com-tls, and configure the ingress to use the certificate issued by the Issuer named test-issuer.
Manually
If you have a certificate and private key ready, you can deploy it as a Secret:
And set the values:
We do not recommend setting the certificate and private key in the values.override.yaml file if you plan to do GitOps in the future.
Prefer using a secret manager like external-secrets or sealed-secrets.
Lastly, if you are using a private CA, you need to inject the CA's certificate to the internal services that uses auth.example.com:
Internal traffic
Overview
Parameters
By default, TLS or mTLS is enabled for all services using self-signed certificates.
This configuration is already highly secure, as the self-signed Certificate Authority (CA) remains entirely within the Kubernetes environment and is never exposed externally.
That said, you may choose to use your own Public Key Infrastructure (PKI) to facilitate more flexible and centralized trust management.
Note: At the moment of writing, we are unable to offer you a proper way to configure TLS or mTLS on the client. This feature is planned for a future release. Thank you for your patience.
Last updated
Was this helpful?