TLS Certificate (Optional)
This documentation describes new, pre-release CDK features. If you want to work with a stable feature set, use the CDK as described in this section of the documentation.
This page covers several options you can use to encrypt HTTP communications over TLS in CDK deployments.
By default, Minikube’s ingress controller plugin is configured with a self-signed certificate. This is the simplest encryption option—you don’t have to make any changes to the CDK to get encryption.
However, when you access one of the ForgeRock web applications from your browser, you’ll get a "Not Secure" message from your browser. You’ll need to bypass the message.
If you have a certificate from a CA, you can use the certificate for TLS encryption. Install the certificate and your private key in a Kubernetes secret in your namespace. Minikube’s ingress controller plugin gets the certificate from the secret, and then uses it to encrypt communications.
To use a certificate from a CA in a CDK deployment on Minikube:
1. Obtain the certificate:
   - Make sure that the certificate is PEM-encoded.
   - A best practice is to include the entire trust chain in your
   - Make sure that the deployment FQDN that you specified in your /etc/hosts file works with your certificate.
2. Create a secret named sslcert in your namespace that contains the certificate. For example:
   $ kubectl create secret tls sslcert --cert=/path/to/my-cert.crt --key=/path/to/my-key.key
If you don’t have a certificate from a CA, you can use the mkcert utility to generate a locally trusted certificate. In many cases, it’s acceptable to use such certificates for development purposes.
To use a certificate generated by the mkcert utility in a CDK deployment on Minikube that uses dev.example.com as the deployment FQDN:
If you don’t have mkcert software installed locally, install it. Firefox users also need to install certutil software. See the mkcert installation instructions for more information.
If you haven’t ever done so, run the mkcert -install command to create a local certificate authority (CA) and install it in your system root store. Restart your browser after creating the local CA.
3. Create a wildcard certificate for the
   $ cd
   $ mkcert "*.example.com"
4. Create a secret named sslcert in your namespace that contains the wildcard certificate. For example:
   $ kubectl create secret tls sslcert --cert=./_wildcard.example.com.pem --key=./_wildcard.example.com-key.pem
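Both procedures above end by loading a certificate and key into the sslcert secret, and both depend on the certificate being PEM-encoded, carrying its trust chain, and covering the deployment FQDN. The following pre-flight script is an added example, not ForgeRock's code: it checks those three points before running kubectl. The function names, the constructed sample bundle and the use of openssl for the SAN check are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight checks before creating the sslcert secret (added example, not CDK code).
# Usage: sh preflight.sh CERT.pem KEY.pem dev.example.com

# Count PEM certificate blocks in a file; 0 means the file is not PEM-encoded,
# 1 means the trust chain is missing.
pem_cert_count() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Single-label wildcard match as browsers apply it: "*.example.com" covers
# dev.example.com but not example.com, a.dev.example.com or .example.com.
hostname_matches() {
  pattern=$1; host=$2
  case "$pattern" in
    \*.*) first=${host%%.*}
          [ -n "$first" ] && [ "$first" != "$host" ] && [ "${host#*.}" = "${pattern#\*.}" ] ;;
    *)    [ "$pattern" = "$host" ] ;;
  esac
}

# Apply the checks from the procedure; returns non-zero if the secret should not be created.
preflight() {
  cert=$1; key=$2; fqdn=$3
  n=$(pem_cert_count "$cert")
  [ "${n:-0}" -ge 1 ] || { echo "ERROR: $cert is not PEM-encoded" >&2; return 1; }
  [ "$n" -ge 2 ] || echo "WARN: $cert holds one certificate; include the trust chain" >&2
  grep -q '^-----BEGIN .*PRIVATE KEY-----' "$key" || { echo "ERROR: $key is not a PEM key" >&2; return 1; }
  if command -v openssl >/dev/null 2>&1; then
    # The leaf certificate comes first in the bundle; test the FQDN against its SAN entries.
    names=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p')
    ok=0
    for san in $names; do hostname_matches "$san" "$fqdn" && ok=1; done
    [ "$ok" = 1 ] || { echo "ERROR: $fqdn is not covered by the certificate SAN list" >&2; return 1; }
  fi
  echo "OK: $cert/$key are ready for: kubectl create secret tls sslcert --cert=$cert --key=$key"
}

# Constructed two-block PEM bundle, used only to exercise pem_cert_count (not a real chain).
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgTEVBRg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgSU5URVJNRURJQVRF
-----END CERTIFICATE-----'

# When invoked with three arguments, run the checks and then create the secret.
if [ "$#" -eq 3 ]; then preflight "$@" && kubectl create secret tls sslcert --cert="$1" --key="$2"; fi
```

If a `kubectl get ingress` later shows the self-signed Minikube certificate instead of yours, the usual cause is that the secret was created in a different namespace from the deployment.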