The default installation of Banzai Cloud Pipeline generates a self-signed server certificate to start serving HTTPS requests as soon as possible. This setup, however, causes a warning in web browsers, which can be accepted during evaluation, but it’s not production-ready.

To obtain a TLS certificate you should either let your local certificate authority issue it, or acquire it from a public CA.

You may want to set the final domain name of the deployment before configuring TLS.

Custom certificates

To set up a certificate, prepare the certificate and the private key in PEM format. Your certificate authority should explain all the steps needed to obtain them.

You should check the common name (CN) field of the subject, and the subject alternative name (SAN) records with the openssl x509 -text -in cert.pem command. If you have a certificate chain, append that to the end of the certificate.

Encode the PEM-formatted certificate and the key each to a single-line base64 string with the base64 command (base64 -w0 with the GNU version), and use the following snippet in your values.yaml file:

traefik:
  ssl:
    defaultKey: aabbccdd
    defaultCert: AABBCCDD
    generateTLS: false

To update the deployment, run banzai pipeline up [--workspace=default].
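The checks and the encoding step described above, as an added shell example (not part of the Banzai Cloud docs or the Pipeline installer): check_tls_pair verifies that the key matches the certificate, that the certificate has not expired, and that the deployment's domain is present as a SAN entry; render_traefik_ssl then prints the traefik.ssl block with the single-line base64 strings. The file names cert.pem, key.pem and chain.pem are assumed placeholders for whatever your CA issued.

```shell
#!/bin/sh
# Added example, not part of the Banzai Cloud docs or the Pipeline installer.

# check_tls_pair CERT KEY DOMAIN -> exit 0 if the pair is usable for DOMAIN, 1 otherwise
check_tls_pair() {
    cert="$1"; key="$2"; domain="$3"
    # the certificate must parse as X.509 PEM at all
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 \
        || { echo "unreadable certificate: $cert" >&2; return 1; }
    # the private key must belong to this certificate: derive the public key from each side
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate" >&2; return 1; }
    # -checkend 0 fails once notAfter is in the past
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null \
        || { echo "certificate has expired" >&2; return 1; }
    # browsers match the host name against SAN entries, not the CN, so require an exact SAN
    openssl x509 -noout -text -in "$cert" | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$domain" \
        || { echo "no SAN entry for $domain" >&2; return 1; }
}

# render_traefik_ssl CERT KEY [CHAIN] -> prints the values.yaml fragment shown above
render_traefik_ssl() {
    cert="$1"; key="$2"; chain="${3:-}"
    # the chain, if any, is appended after the leaf certificate, as the docs instruct;
    # "base64 | tr -d '\n'" yields the same single line as GNU "base64 -w0" and also works on BSD
    cert_b64=$(cat "$cert" ${chain:+"$chain"} | base64 | tr -d '\n')
    key_b64=$(base64 < "$key" | tr -d '\n')
    printf 'traefik:\n  ssl:\n    defaultKey: %s\n    defaultCert: %s\n    generateTLS: false\n' \
        "$key_b64" "$cert_b64"
}

# usage (assumed file names):
#   check_tls_pair cert.pem key.pem pipeline.example.com \
#     && render_traefik_ssl cert.pem key.pem chain.pem > tls-values.yaml
```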

Terminating TLS on Amazon ELB

TLS is normally terminated by the Ingress controller, but in some cases external load balancers are also capable of that.

Note: This feature is available only on Amazon.

Prerequisites: This procedure assumes that AWS external load balancer integration is enabled on your cluster.

  1. Find the Amazon Resource Name (ARN) of the certificate that the load balancer uses. It should be in the following format: arn:aws:acm:{region}:{user id}:certificate/{id}

  2. Verify that the region in the {region} section of the certificate ARN matches the region of your Banzai Cloud Pipeline installation.

  3. Retrieve the ACM Certificate that your load balancer uses by issuing the following command:

    aws acm describe-certificate --certificate-arn <arn-of-the-certificate>
    
  4. Check the output of the command to verify that the certificate exists and points to the certificate you want to use.

  5. Check the Status field in the output and verify that the certificate is still valid. If the status of the certificate is EXPIRED, renew the certificate and get the updated ARN.

  6. Configure the Pipeline installer to use the external load balancer. Use the ARN that you have retrieved and verified in the previous steps as the value of the service.beta.kubernetes.io/aws-load-balancer-ssl-cert key.

    CAUTION:

    If you use an invalid or expired ARN, you won’t be able to access your Banzai Cloud Pipeline installation.

    traefik:
      ssl:
        enabled: false
      service:
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:xx-xxxx-x:xxxxxxxxx:xxxxxxx/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxx # replace this value
          service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
          service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 443
    
  7. Since the Ingress controller is no longer responsible for terminating TLS, configure all internal traffic to go through the load balancer. Disable host aliases:

    pipeline:
      hostAliases: []