Certificates
To enable HTTPS on the Renku website you need valid certificates for the ingress.
Certificates can be obtained in different ways:
Use a certificate issuer like LetsEncrypt
Use a certificate bought from a certificate authority like SwissSign
Use self-signed certificates
Options one and three can be automated through the use of cert-manager
This document assumes that the default renku-tls secret name is used to configure the ingress.
cert-manager
If using Helm, you can deploy cert-manager using the following:
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.12.0 \
--set installCRDs=true
More details on the deployment can be found in the dedicated section of the project installation documentation.
Generate manually
For development purposes, self-signed certificates can be used to properly test that all components are communicating securely together.
Follow the cert-manager guide to create a self-signed certificate issuer.
You can then use it for your deployment by setting annotations such as the following in your configuration values:
global:
certificates:
customCAs:
- secret: renku-tls # must match the secretName field of the CA Certificate object.
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: null
cert-manager.io/issuer: my-ca-issuer
cert-manager.io/common-name: my-selfsigned-ca
For more details about the annotations, please check the values.yaml files.
LetsEncrypt
You can find the configuration to use Let’s Encrypt with the NGINX ingress in the dedicated chapter of the cert-manager documentation.
If you create a cluster issuer named letsencrypt-production, you can then use the default
values and just enable the ingress.