Overview

This guide provides detailed instructions for configuring an SSL certificate for HTTPS connections in the Appcircle Helm chart.

By default, the Helm chart is configured for HTTP without an SSL certificate. If you use Appcircle with HTTP, you need to open port 6379 on the ingress controller for the Redis connection.

caution

Appcircle must be installed with HTTPS from the initial installation. If you initially installed Appcircle with HTTP, you will need to uninstall it and then reinstall it with HTTPS.

You have two options for configuring SSL certificates:

  1. Trial Purposes: Define the SSL certificate directly in the values.yaml by following this section.
  2. Production: Create a Kubernetes secret for better security and manageability by following this section.
info

When configuring Appcircle with HTTPS, you have the option to use self-signed or untrusted root certificates. However, if you choose to do so, it is essential to add the certificate or the root CA certificate to the trusted certificates. Failure to do this may result in connection errors. For detailed instructions about adding trusted CA certificates, refer to the Adding Trusted CA Certificates documentation.

Define the SSL Certificate in values.yaml

Initial SSL Configuration

Update the values.yaml

To configure the SSL certificate, update your values.yaml file with the following settings:

global:
  urls:
    scheme: https
  tlsWildcard:
    # Public certificate - Fullchain including leaf (app), intermediate and root SSL certificates
    cert: |
      -----BEGIN CERTIFICATE-----
      MIIFzTCCBLWgAwIBAgISBMLn5uQI6Wmzku14xXUbbIbmMA0GCSqGSIb3DQEBCwUA
      ...
      SA==
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIFBjCCAu6gAwIBAgIRAIp9PhPWLzDvI4a9KQdrNPgwDQYJKoZIhvcNAQELBQAw
      ...
      uYkQ4omYCTX5ohy+knMjdOmdH9c7SpqEWBDC86fiNex+O0XOMEZSa8DA
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
      ...
      emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
      -----END CERTIFICATE-----
    # Private key for the SSL certificate
    key: |
      -----BEGIN PRIVATE KEY-----
      MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC3wS87baGONXjr
      ...
      oUcjMAu/mGJjtn9AS0S7rRa58Q==
      -----END PRIVATE KEY-----
    # Certificate Authority public key - Typically the bottom certificate of the fullchain SSL certificate
    caCert: |
      -----BEGIN CERTIFICATE-----
      MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
      ...
      emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
      -----END CERTIFICATE-----

# Web event Redis configuration
webeventredis:
  # Enable TLS for Redis connections
  tls:
    enabled: true
  # Ingress configuration for Redis
  ingress:
    enabled: true
    tls: true

Updating the Certificate

To update the SSL certificate used on the Appcircle server, perform the following steps to update the Helm chart and restart the required services:

  1. Update the SSL certificate defined in the values.yaml.

  2. Run the Helm upgrade command to apply the changes:

helm upgrade appcircle-server appcircle/appcircle -n appcircle -f values.yaml

  3. To restart the Redis service after updating the SSL certificate, first find the names of the StatefulSets, as the names might change according to the release name. Use the following command to list them:

kubectl get statefulset -n appcircle | grep webeventredis

  4. Restart the Redis StatefulSets to apply the changes:

kubectl rollout restart statefulset/appcircle-server-webeventredis-master -n appcircle
kubectl rollout restart statefulset/appcircle-server-webeventredis-replicas -n appcircle

Define the SSL Certificate in Secrets

Initial SSL Configuration

Updating the values.yaml

To configure the SSL certificate, update your values.yaml file with the following settings:

global:
  urls:
    scheme: https

# Web event Redis configuration
webeventredis:
  # Enable TLS for Redis connections
  tls:
    enabled: true
  # Ingress configuration for Redis
  ingress:
    enabled: true
    tls: true

Create the Secret

Create a secret with the name appcircle-tls-wildcard containing the tls.crt, tls.key and ca.crt keys.

info

The certificate (cert) should be in PEM format and include the full-chain (leaf, intermediate, and root certificates).

The private key (key) should not be password-protected.

caution

The name appcircle-tls-wildcard is reserved and cannot be changed.

kubectl create secret generic appcircle-tls-wildcard \
  --from-file=tls.crt='fullchain.crt' \
  --from-file=tls.key='private.key' \
  --from-file=ca.crt='root-ca.crt' \
  --type=kubernetes.io/tls \
  -n appcircle
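
The requirements above (full-chain PEM, key without a password, CA certificate at the bottom of the chain) can be checked before the secret is created. The following script is an added example, not part of the Appcircle documentation; the function names are illustrative, and the key-to-certificate comparison assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for fullchain.crt, private.key and root-ca.crt.
# Function names are illustrative; key_matches_leaf needs the openssl CLI.

# Print the number of certificates in a PEM bundle.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Succeed if the key is password-protected (PKCS#8 or legacy PEM encryption).
key_is_encrypted() {
  grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Print the base64 body of the last certificate in a bundle.
last_cert_body() {
  awk '/-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
       /-----END CERTIFICATE-----/   { last = body; inside = 0; next }
       inside { gsub(/[ \t\r]/, ""); body = body $0 }
       END { print last }' "$1"
}

# Succeed if the CA file ($2) is the bottom certificate of the full chain ($1).
ca_is_chain_root() {
  ca_body=$(last_cert_body "$2")
  [ -n "$ca_body" ] && [ "$(last_cert_body "$1")" = "$ca_body" ]
}

# Succeed if the key's public half equals that of the leaf (first) certificate.
key_matches_leaf() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Usage: preflight fullchain.crt private.key root-ca.crt
preflight() {
  rc=0
  n=$(cert_count "$1") || n=0
  [ "$n" -ge 2 ] || echo "WARN: $1 holds $n certificate(s), not a full chain" >&2
  if key_is_encrypted "$2"; then
    echo "FAIL: $2 is password-protected" >&2; rc=1
  elif ! key_matches_leaf "$1" "$2"; then
    echo "FAIL: $2 does not match the first certificate in $1" >&2; rc=1
  fi
  ca_is_chain_root "$1" "$3" ||
    echo "WARN: $3 is not the bottom certificate of $1" >&2
  return "$rc"
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A non-zero exit status means the key is encrypted or does not belong to the leaf certificate; the warnings flag a short chain or a CA file that differs from the chain's last certificate.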

Updating the Certificate

To update an existing SSL certificate, use the following commands.

  1. Update the secret with the new certificate:

kubectl create secret generic appcircle-tls-wildcard \
  -n appcircle \
  --from-file=tls.crt='fullchain.crt' \
  --from-file=tls.key='private.key' \
  --from-file=ca.crt='root-ca.crt' \
  --type=kubernetes.io/tls \
  --save-config --dry-run=client -o yaml | kubectl apply -f -

  2. To restart the Redis service after updating the SSL certificate, first find the names of the StatefulSets, as the names might change according to the release name. Use the following command to list them:

kubectl get statefulset -n appcircle | grep webeventredis

  3. Restart the Redis StatefulSets to apply the changes:

kubectl rollout restart statefulset/appcircle-server-webeventredis-master -n appcircle
kubectl rollout restart statefulset/appcircle-server-webeventredis-replicas -n appcircle

Final Steps

Verify the SSL configuration by accessing the Appcircle server over HTTPS.
