Replacing the default ingress certificate

    The internal infrastructure CA certificates are self-signed. While this process might be perceived as bad practice by some security or PKI teams, any risk here is minimal. The only clients that implicitly trust these certificates are other components within the cluster. Replacing the default wildcard certificate with one that is issued by a public CA already included in the CA bundle as provided by the container userspace allows external clients to connect securely to applications running under the .apps sub-domain.

    Replacing the default ingress certificate

    You can replace the default ingress certificate for all applications under the .apps subdomain. After you replace the certificate, all applications, including the web console and CLI, will have encryption provided by the specified certificate.

    Prerequisites

    • The certificate must include the subjectAltName extension showing *.apps.<clustername>.<domain>.

    • The certificate file can contain one or more certificates in a chain. The wildcard certificate must be the first certificate in the file. It can then be followed by any intermediate certificates, and the file should end with the root CA certificate.

    Procedure

    1. Update the cluster-wide proxy configuration with the newly created config map:

    2. Update the Ingress Controller configuration with the newly created secret:

      Replace <secret> with the name used for the secret in the previous step.