
Replace Frontend Certificate

Introduction to how to use custom certificates to replace the system frontend's default certificate.

Tip:

This article only applies to environments deployed using ocboot.

If you are using a Helm-deployed environment, replace the certificate in your own Kubernetes cluster.

Docker Compose-deployed environments are generally only used for testing and do not support certificate replacement yet.

After default deployment is complete, when accessing the frontend interface, the browser will prompt an insecure SSL connection because the frontend uses a self-signed certificate by default. This article introduces how to use custom certificates to replace the frontend's default certificate.

Frontend Certificate Replacement Steps

Assume the prepared certificate files are cert.pem and cert.key, and the domain name is foo.bar.com.

1. Import Certificate into kubernetes Cluster

Kubernetes stores certificate content in a secret resource; the frontend service then references that secret from its ingress to serve HTTPS connections. To use a custom certificate, you first need to save it to the cluster:

# Create certificate
$ kubectl create secret tls yunion-io-web-secret --key cert.key --cert cert.pem -n onecloud

2. Edit ingress Rule

Edit the default-web ingress rule to reference the yunion-io-web-secret certificate created earlier.

$ kubectl edit ingress -n onecloud default-web
...
tls:
# Modify this secretName to yunion-io-web-secret
- secretName: yunion-io-web-secret
...

3. Restart ingress controller

After updating the default-web ingress rule, restart the ingress controller (traefik) so that the new certificate takes effect:

$ kubectl get pods -n kube-system | grep traefik | awk '{print $1}' | xargs kubectl delete pods -n kube-system

4. Modify Service api_server Entry Configuration

Because the platform is now accessed via the domain name foo.bar.com, the cloud platform's default api_server configuration must be modified as well. This setting determines the address the frontend uses for VNC connections. Change the old https://ip address to https://foo.bar.com, as follows:

$ climc service-config-edit common
default:
api_server: https://foo.bar.com
...

Then restart the webconsole and apigateway services, as follows:

$ kubectl delete pods -n onecloud $(kubectl get pods -n onecloud | egrep 'webconsole|apigateway' | awk '{print $1}')

After configuration is complete, wait for webconsole and apigateway pods to restart, then you can access the frontend via https://foo.bar.com.
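Before running the kubectl create secret tls command from step 1 it is worth checking that cert.key actually belongs to cert.pem, that the certificate covers foo.bar.com and that it is not about to expire, and after step 3 it is worth confirming that traefik really serves the new certificate. The POSIX shell helpers below are an added example, not code from the original article or from the cloudpods project; the function names are my own, and they assume openssl (and, for import_cert, kubectl) is available on the control node.

```shell
#!/bin/sh
# Added helper functions (not from the original article). Assumes openssl and
# kubectl are installed on the control node. Function names are my own.

# preflight_cert CERT KEY DOMAIN: succeed only if the pair is safe to import.
preflight_cert() {
  cert=$1; key=$2; domain=$3

  # 1. The private key must belong to the certificate: compare the public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "cannot parse certificate $cert" >&2; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "cannot parse private key $key" >&2; return 1; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate" >&2; return 1; }

  # 2. The certificate must cover the frontend domain (CN/SAN hostname check).
  openssl x509 -in "$cert" -noout -checkhost "$domain" | grep -q 'does match' \
    || { echo "$domain is not covered by the certificate" >&2; return 1; }

  # 3. The certificate must stay valid for at least another 30 days.
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || { echo "certificate is expired or expires within 30 days" >&2; return 1; }
}

# import_cert CERT KEY DOMAIN: step 1 of the article, guarded by the checks above.
import_cert() {
  preflight_cert "$1" "$2" "$3" || return 1
  kubectl create secret tls yunion-io-web-secret --key "$2" --cert "$1" -n onecloud
}

# verify_served_cert CERT DOMAIN HOST PORT: after step 3, confirm that traefik
# now serves CERT for DOMAIN by comparing SHA-256 fingerprints, e.g.
#   verify_served_cert cert.pem foo.bar.com 10.127.90.221 443
verify_served_cert() {
  want=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  got=$(openssl s_client -connect "$3:$4" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
  [ -n "$got" ] && [ "$want" = "$got" ]
}
```

If verify_served_cert fails right after step 3, the traefik pod is usually still being recreated or the ingress still references the old secret.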

Steps to Change Frontend HTTPS 443 Port to Another Port

Assume the platform login address is https://10.127.90.221 and port 443 is to be changed to 8443. The steps are as follows:

Execute the following commands on the first control node:

# Enter the corresponding manifests directory
$ cd /var/lib/rancher/k3s/server/manifests

# Edit traefik-ds.yaml
$ vim traefik-ds.yaml

Modify the entrypoints.websecure.address port inside.

...
containers:
- args:
- --entrypoints.web.address=:80/tcp
# Modify entrypoints.websecure.address here to port 8443
- --entrypoints.websecure.address=:8443/tcp
- --api.dashboard=false
- --ping=false
...

Wait for traefik pod to be recreated and become Running:

$ kubectl get pods -n kube-system | grep traefik
traefik-t5b6l 1/1 Running 0 21s

Enter https://10.127.90.221:8443 in the browser to access the console, where the IP is the original console address.