SSL/TLS is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral.
To enable SSL for the Workflow API and all managed apps, you can add an SSL certificate to the Deis Workflow router. You must provide either an SSL certificate that was registered with a CA or your own self-signed SSL certificate.
Note that the platform SSL certificate also functions as a default certificate for your apps that are deployed via Workflow. If you would like to attach a specific certificate to an application and domain see Application SSL Certificates.
To terminate SSL connections on the Deis Router use
kubectl to create a new Secret at a known name. The Deis Workflow
router will automatically detect this secret and reconfigure itself appropriately.
The following criteria must be met:
If your certificate has intermediate certs, append the intermediate signing certs to the bottom of the
before base64 encoding the combined certificates.
Prepare your certificate and key files by encoding them in base64:
$ cat certificate-file.crt -----BEGIN CERTIFICATE----- / * your SSL certificate here */ -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- /* any intermediate certificates */ -----END CERTIFICATE----- $ cat certificate-file.crt | base64 -e LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi8gKiB5b3VyIFNTTCBjZXJ0aWZpY2F0ZSBoZXJlICovCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi8qIGFueSBpbnRlcm1lZGlhdGUgY2VydGlmaWNhdGVzICovCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K $ cat certificate.key -----BEGIN RSA PRIVATE KEY----- /* your unencrypted private key here */ -----END RSA PRIVATE KEY----- $ cat certificate.key | base64 -e LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQovKiB5b3VyIHVuZW5jcnlwdGVkIHByaXZhdGUga2V5IGhlcmUgKi8KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
Open your favorite text editor and create the Kubernetes manifest:
$ $EDITOR deis-router-platform-cert.yaml
The format of the Secret manifest should match the below example. Make sure you paste the appropriate values for
key from the above examples:
$ cat deis-router-platform-cert.yaml apiVersion: v1 kind: Secret metadata: name: deis-router-platform-cert namespace: deis type: Opaque data: tls.crt: LS0...tCg== tls.key: LS0...LQo=
Once you've created the
deis-router-platform-cert.yaml file, you can install the manifest with
kubectl create -f
deis-router-platform-cert.yaml. The Deis Workflow router will automatically notice the new secret and update its
Most cloud-based load balancers also support SSL termination in addition to passing traffic through to Deis Router. Any communication inbound to the load balancer will be encrypted while the internal components of Deis Workflow will still communicate over HTTP. This offloads SSL processing to the cloud load balancer but also means that any application-specific SSL certificates must also be configured on the cloud load balancer.
To terminate SSL on the cloud load balancer you will need to modify the load balancer's listener settings:
See your vendor's specific instructions on installing SSL on your load balancer. For AWS, see their documentation on installing an SSL cert for load balancing.