This document explains the process of deploying the Tectonic Identity and Console services protected by TLS. After completing the steps below, you will be able to continue with the secure deployment of the Tectonic services.
A PostgreSQL database must be available for metadata storage. We currently recommend running this database server outside of the cluster, so that its data persists independently of the lifecycle of the cluster and its pods.
You will need TLS certificate/key pairs for Console, Identity, and possibly for your Certificate Authority (CA). These files will be converted to the Kubernetes secret format in this guide. If you need to create these files, see this quick guide to cluster TLS from the CA up.
Kubernetes Secret objects are used to configure Tectonic services with the necessary TLS components.
The next steps convert the PEM-formatted TLS certificate/key pairs to be used by the Identity and Console services into the format expected by the Kubernetes API.
The generate-secrets-from-file.sh script implements the secrets specification by base64-encoding the data in each given source file and wrapping the result in the necessary YAML boilerplate to feed to
The generate-secrets script takes the following arguments:
generate-secrets-from-file.sh secret out key,in [ key,in [...] ]
secret is the secret's name,
out is the output file to be written, and
key,in is a pair of a key and the input file containing the source data for that key; the pair may be repeated to store several keys in one secret.
Given the TLS certificate/key pair for the Identity service in the files identity.pem and identity-key.pem, we can produce a secret-format YAML file and load it into the cluster by invoking:
$ ./generate-secrets-from-file.sh tectonic-identity-cert tectonic-identity-cert.yml cert,identity.pem key,identity-key.pem
$ kubectl create -f tectonic-identity-cert.yml
secrets/tectonic-identity-cert
The same steps, with the Console certificate/key pair in console.pem and console-key.pem, produce and load the Console secret:
$ ./generate-secrets-from-file.sh tectonic-console-cert tectonic-console-cert.yml cert,console.pem key,console-key.pem
$ kubectl create -f tectonic-console-cert.yml
secrets/tectonic-console-cert
If deploying with a private CA, you'll also need to create and load a secret for your CA certificate (and any intermediate certificates) so that your cluster can trust the certificate chain to the Identity and Console services. Only the certificate is needed to verify the chain; the CA private key is not loaded into the cluster and should stay offline.
$ ./generate-secrets-from-file.sh tectonic-ca-cert tectonic-ca-cert.yml cert,ca.pem
$ kubectl create -f tectonic-ca-cert.yml
secrets/tectonic-ca-cert
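The following is an added example of what a script with the interface described above does, written here for illustration; it is not the Tectonic project's generate-secrets-from-file.sh. The function name generate_secret_yaml, the temporary file suffix .tmp and the choice of the Opaque secret type are assumptions; it requires only a POSIX shell and a base64(1) utility.

```shell
#!/bin/sh
# Added example: a minimal implementation of the interface the page gives for
# generate-secrets-from-file.sh (secret out key,in [ key,in [...] ]). Not the
# Tectonic project's own script; assumes a POSIX shell and base64(1).
generate_secret_yaml() {
  secret=$1
  out=$2
  shift 2
  if [ -z "$secret" ] || [ -z "$out" ] || [ $# -lt 1 ]; then
    echo "usage: generate_secret_yaml secret out key,in [ key,in [...] ]" >&2
    return 2
  fi

  # Validate every key,in pair before writing anything, so a bad argument does
  # not leave a half-written secret file behind.
  for pair in "$@"; do
    key=${pair%%,*}
    in=${pair#*,}
    if [ "$key" = "$pair" ] || [ -z "$key" ] || [ -z "$in" ]; then
      echo "malformed argument '$pair': expected key,in" >&2
      return 2
    fi
    if [ ! -r "$in" ]; then
      echo "cannot read input file '$in' for key '$key'" >&2
      return 1
    fi
  done

  # The output holds private keys in base64, which is an encoding rather than
  # encryption, so create the file readable by its owner only.
  tmp="$out.tmp"   # assumed temporary-file suffix
  (umask 077 && : > "$tmp") || return 1
  {
    echo "apiVersion: v1"
    echo "kind: Secret"
    echo "metadata:"
    echo "  name: $secret"
    echo "type: Opaque"
    echo "data:"
    for pair in "$@"; do
      key=${pair%%,*}
      in=${pair#*,}
      # Strip newlines: the API expects one unwrapped base64 string per value,
      # and some base64 implementations wrap output at 76 columns by default.
      echo "  $key: $(base64 < "$in" | tr -d '\n')"
    done
  } > "$tmp" || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$out"
}

# Stand-alone use mirrors the page's invocation, e.g.:
#   sh generate-secret.sh tectonic-identity-cert tectonic-identity-cert.yml cert,identity.pem key,identity-key.pem
[ $# -eq 0 ] || generate_secret_yaml "$@"
```

Because base64 only encodes, each generated .yml file contains the private key in recoverable form: keep its permissions restrictive and remove it once kubectl create has loaded it. To confirm that a loaded secret matches its source file, decode the stored value and compare it, for example with kubectl get secret tectonic-identity-cert -o jsonpath='{.data.key}' | base64 --decode | diff - identity-key.pem, which prints nothing when the two are identical.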