Secure HTTP
The CDK and CDM enable secure communication with AM and IDM services using a TLS-enabled ingress controller. Incoming requests and outgoing responses are encrypted, and TLS is terminated at the ingress controller.
The CDK and the CDM both deploy the NGINX ingress controller. The /path/to/forgeops/kustomize/base/ingress/ingress.yaml file contains an annotation, cert-manager.io/cluster-issuer, that configures the NGINX ingress controller to use cert-manager software for certificate management.
The forgeops install command creates the cert-manager namespace, and then deploys the certificate manager pods in that namespace. The forgeops install command configures cert-manager to generate self-signed certificates for securing communication into the ingress.
When self-signed certificates are used, communication is encrypted, but some browsers warn users about insecure communication. Because of this, self-signed certificates are unsuitable for deployments other than test environments.
For all other environments, you’ll want to reconfigure certificate management. Two common configurations are:
- Using a certificate with a trust chain that starts at a trusted root certificate. Communication is encrypted, and users will not receive warnings from their browsers.
  TLS certificate contains a simple example of how to deploy a certificate from a trusted authority in the CDK or the CDM. The steps in the example:
  - Remove the cert-manager annotation from the ingress.
  - Create a secret named sslcert that contains the certificate you want to use in your deployment.
- Using a dynamically obtained certificate from Let’s Encrypt. Communication is encrypted, and users will not receive warnings from their browsers.
  You reconfigure cert-manager to use a cluster issuer that calls Let’s Encrypt to obtain a certificate and installs the certificate as a Kubernetes secret.
There are many options for certificate management in a ForgeRock Identity Platform deployment. For more information about configuring certificate manager, refer to the cert-manager documentation.
TLS certificate
The forgeops install command installs cert-manager software.
By default, cert-manager configures the ingress controller in your CDK deployment with a self-signed certificate. This is the simplest encryption option: you don’t have to make any changes to the CDK to get encryption.
However, when you access one of the ForgeRock web applications from your browser, you’ll get a "Not Secure" message from your browser. You’ll need to bypass the message.
If you have a certificate from a CA, or a certificate generated by the mkcert utility, you can use your certificate for TLS encryption instead of the default self-signed certificate:
- Obtain the certificate:
  - Make sure that the certificate is PEM-encoded.
  - A best practice is to include the entire chain of trust with your certificate.
- Make sure that the deployment FQDN that you specified in your /etc/hosts file works with your certificate.
- Remove cert-manager’s annotation from the ingress definition:
  $ kubectl annotate ingress forgerock cert-manager.io/cluster-issuer-
- Delete the certificate resource originally created by cert-manager:
  $ kubectl delete certificate sslcert
- Update the secret named sslcert with your certificate. For example:
  $ kubectl create secret tls sslcert --cert=/path/to/my-cert.crt --key=/path/to/my-key.key \
      --dry-run=client -o yaml | kubectl replace -f -
Certificate generated by the mkcert utility
If you don’t have a certificate from a CA, you can use the mkcert utility to generate a locally trusted certificate. In many cases, it’s acceptable to use such certificates for development purposes.
To use a certificate generated by the mkcert utility in a CDK deployment on Minikube that uses cdk.example.com as the deployment FQDN:
- If you don’t have mkcert software installed locally, install it. Firefox users also need to install certutil software. Refer to the mkcert installation instructions for more information.
- If you haven’t ever done so, run the mkcert -install command to create a local certificate authority (CA) and install it in your system root store. Restart your browser after creating the local CA.
- Create a wildcard certificate for the example.com domain:
  $ cd
  $ mkcert "*.example.com"
  The mkcert utility generates the certificate file as _wildcard.example.com.pem and the private key file as _wildcard.example.com-key.pem. Use these two file names when you create the Kubernetes sslcert secret.
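The "Obtain the certificate" and FQDN steps of the CA-certificate procedure, and the wildcard certificate produced by mkcert, are easy to get subtly wrong before the kubectl commands run: a DER file instead of PEM, a leaf certificate shipped without its intermediates, or a name that does not cover the deployment FQDN. The following pre-flight script is an added example and is not part of the ForgeOps documentation or the forgeops tooling. The function names, the file paths and the constructed test inputs are this example's own assumptions; the subjectAltName extraction assumes OpenSSL 1.1.1 or later for the -ext option and is skipped if openssl is not installed or the file cannot be parsed.

```shell
#!/bin/sh
# Added example, not part of the ForgeOps docs: pre-flight checks to run
# before replacing the sslcert secret. Function names are assumptions.

# Number of PEM certificate blocks in a file (leaf plus chain). Prints 0 for
# a DER file, a missing file, or any file without PEM certificate headers.
pem_cert_count() {
  n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
  echo "${n:-0}"
}

# Succeeds when the file holds at least one PEM-encoded certificate.
is_pem_cert() {
  [ "$(pem_cert_count "$1")" -gt 0 ]
}

# Succeeds when host $2 is covered by certificate name $1, using the usual
# wildcard rule: "*.example.com" covers exactly one label, so cdk.example.com
# matches, while example.com and a.b.example.com do not. Case-insensitive.
name_matches_host() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pattern" in
    '*.'*)
      suffix=${pattern#\*.}
      case "$host" in
        *".$suffix")
          prefix=${host%".$suffix"}
          # the label replacing "*" must be non-empty and contain no dot
          if [ -n "$prefix" ] && [ "${prefix#*.}" = "$prefix" ]; then return 0; fi
          return 1 ;;
        *) return 1 ;;
      esac ;;
    *) [ "$pattern" = "$host" ] ;;
  esac
}

# DNS names from the certificate's subjectAltName, one per line. Assumes
# OpenSSL 1.1.1+ for -ext; prints nothing if openssl is absent or the file
# cannot be parsed, so the caller can fall back to a manual check.
san_names() {
  command -v openssl >/dev/null 2>&1 || return 0
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' || true
}

# preflight CERT KEY FQDN: returns 1 when the inputs are not usable for
# "kubectl create secret tls"; warns (but passes) when the chain is missing.
preflight() {
  cert=$1; key=$2; fqdn=$3
  is_pem_cert "$cert" \
    || { echo "$cert: no PEM certificate found (DER or wrong file?)" >&2; return 1; }
  grep -q '^-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null \
    || { echo "$key: no PEM private key found" >&2; return 1; }
  count=$(pem_cert_count "$cert")
  [ "$count" -ge 2 ] \
    || echo "warning: $cert holds $count certificate; include the intermediate chain" >&2
  names=$(san_names "$cert")
  if [ -z "$names" ]; then
    echo "note: could not read subjectAltName from $cert; confirm it covers $fqdn" >&2
    return 0
  fi
  for name in $names; do
    if name_matches_host "$name" "$fqdn"; then return 0; fi
  done
  echo "$cert does not cover $fqdn (names: $(echo "$names" | tr '\n' ' '))" >&2
  return 1
}
```

A typical call is `preflight _wildcard.example.com.pem _wildcard.example.com-key.pem cdk.example.com` from the directory where mkcert wrote its files (or with the /path/to/my-cert.crt and /path/to/my-key.key paths from the CA procedure); only when it exits 0 does it make sense to run the kubectl create secret tls ... | kubectl replace -f - pipeline shown above. The wildcard rule is deliberately strict: a mkcert "*.example.com" certificate covers cdk.example.com but not example.com itself, which is why the FQDN check matters before the secret is replaced.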