Certificate Management
The deployment templates support configuration for two types of certificates:
- TLS offloading certificates: used by the proxy container to terminate HTTPS. The certificate file must be the full chain (leaf certificate followed by its intermediates). It can be issued by any public certificate authority, including Let's Encrypt, or by a company-owned (custom) CA.
- Custom Certificate Authority certificates: added to the trust store of every container, so that certificates issued by those CAs are trusted by the containers.
Certificates used for TLS offloading
These certificates are used by the proxy container and must be supplied as a full chain (leaf certificate followed by its intermediate certificates).
Starting from 2025.0.0 the deployment requires a valid certificate for its FQDN, issued either by a public certificate authority or by a company-owned one (see Custom Certificate Authority certificates below).
For docker, the certificate and its private key are configured with the following variables in the .env file:
HTTPS_CRT_PATH=/etc/nginx/ssl/certificate.crt
HTTPS_KEY_PATH=/etc/nginx/ssl/private.key
or with the following properties in the helm chart (some of these are already set up for https in the default values):
common:
  domain: "<FQDN>"
  deploymentPort: "443"
  deploymentProtocol: "https"
  publicUrl: "https://<FQDN>"
  ssoDomain: "<FQDN>"
  ssoPublicUrl: "https://<FQDN>"
  publicCert:
    tlsSecretName: "ai-hub-proxy-certificate-secret-name"
For kubernetes, as the values above show, a secret must be created in the namespace where you will deploy Altair AI Hub, before actually deploying it.
Within the secret the certificate must appear under the key tls.crt and the private key under the key tls.key; we suggest keeping these key names. In the command below, cert.cert and private.key are the local files holding your full-chain certificate and private key. The secret name must match tlsSecretName in the helm values.
This can be done using the following command:
kubectl create secret generic ai-hub-proxy-certificate-secret-name \
--from-file=tls.crt=cert.cert \
--from-file=tls.key=private.key
After creating the kubernetes secret, the cert.cert and private.key files can be removed from the filesystem.
Password protected certificates used for TLS offloading
The password-protected variant adds one variable to the .env file for docker, pointing at a file that contains the private key's password:
HTTPS_KEY_PASSWORD_FILE_PATH=/etc/nginx/ssl/password.txt
or the following properties in the helm chart (some of these are already set up for https in the default values):
common:
  domain: "<FQDN>"
  deploymentPort: "443"
  deploymentProtocol: "https"
  publicUrl: "https://<FQDN>"
  ssoDomain: "<FQDN>"
  ssoPublicUrl: "https://<FQDN>"
  publicCert:
    tlsSecretName: "ai-hub-proxy-certificate-secret-name"
    passwordFile:
      enabled: True
      passwordSecretName: "ai-hub-proxy-certificate-password-secret-name"
proxy:
  https:
    keyPasswordPath: "certificate-password-file.txt"
For kubernetes the certificate secret is created exactly as in the previous section: a secret in the namespace where Altair AI Hub will be deployed, created before deployment, with the certificate under the key tls.crt and the encrypted private key, stored as-is, under the key tls.key, and with a name matching tlsSecretName in the helm values. The password itself goes into a separate secret, described below.
kubectl create secret generic ai-hub-proxy-certificate-secret-name \
--from-file=tls.crt=cert.cert \
--from-file=tls.key=private.key
After creating the kubernetes secret, the cert.cert and private.key files can be removed from the filesystem.
Besides that, a secret containing the password of the private key must be created in the namespace where you will deploy Altair AI Hub, before actually deploying it; its name must match passwordSecretName in the helm values.
Create a file, for example ai-hub-proxy-certificate-password.txt, containing only the password of the private key.
The following command reads the contents of ai-hub-proxy-certificate-password.txt and creates the kubernetes secret (with --from-file and no explicit key name, the file name becomes the key inside the secret):
kubectl create secret generic ai-hub-proxy-certificate-password-secret-name --from-file ai-hub-proxy-certificate-password.txt
After creating the kubernetes secret, the ai-hub-proxy-certificate-password.txt file can be removed from the filesystem.
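Before the certificate and key become a kubernetes secret (or are copied to HTTPS_CRT_PATH / HTTPS_KEY_PATH for docker), it is worth checking that the material is what the proxy container expects. The following script is an added example and not part of the AI Hub deployment templates. It checks the points this section and the previous one rely on: the file is a full chain with the leaf first, the private key (plain or password protected, with the password read from a file the same way the proxy does) belongs to the leaf, the subjectAltName covers the FQDN, and the certificate is not about to expire. The throwaway CA, leaf and password it generates are constructed test data; the FQDN aihub.example.internal, the file names and the temp directory are assumptions, and the secret name is the one from the helm values above.

```shell
#!/bin/sh
# Pre-flight checks for proxy TLS material (added example, not part of the
# AI Hub deployment templates). Requires the openssl CLI.

# make_test_pki DIR FQDN
# Constructed test data only: a throwaway private CA, a leaf issued by it for
# FQDN, the fullchain file, and a password-protected copy of the leaf key.
make_test_pki() {
    dir=$1; fqdn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Internal CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.cnf"
    openssl x509 -req -sha256 -days 2 -in "$dir/leaf.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/san.cnf" \
        -out "$dir/leaf.crt" 2>/dev/null
    cat "$dir/leaf.crt" "$dir/ca.crt" > "$dir/fullchain.pem"   # leaf first, then its issuer
    printf 'correct horse battery staple\n' > "$dir/password.txt"   # constructed password
    openssl pkey -in "$dir/leaf.key" -aes256 -passout "file:$dir/password.txt" \
        -out "$dir/leaf.enc.key" 2>/dev/null
}

# check_fullchain FULLCHAIN KEY FQDN [PASSWORD_FILE]
# Returns 0 only when the material is acceptable for the proxy container.
check_fullchain() {
    cert=$1; key=$2; fqdn=$3; pwfile=${4:-}

    # 1. A full chain carries the leaf plus at least one intermediate/root.
    n=$(grep -c 'BEGIN CERTIFICATE' "$cert") || true
    if [ "${n:-0}" -lt 2 ]; then
        echo "FAIL: $cert contains ${n:-0} certificate(s); the proxy needs the full chain" >&2; return 1
    fi

    # 2. Leaf first: the first certificate's issuer must be the second one's subject.
    pairs=$(openssl crl2pkcs7 -nocrl -certfile "$cert" | openssl pkcs7 -print_certs -noout)
    leaf_issuer=$(printf '%s\n' "$pairs" | grep '^issuer=' | sed -n '1s/^issuer=//p')
    next_subject=$(printf '%s\n' "$pairs" | grep '^subject=' | sed -n '2s/^subject=//p')
    if [ -z "$leaf_issuer" ] || [ "$leaf_issuer" != "$next_subject" ]; then
        echo "FAIL: chain is out of order (leaf must come first, followed by its issuer)" >&2; return 1
    fi

    # 3. The private key belongs to the leaf: compare SubjectPublicKeyInfo digests.
    #    With a password file the key is decrypted the same way the proxy does it.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" | openssl sha256)
    if [ -n "$pwfile" ]; then
        key_pub=$(openssl pkey -pubout -in "$key" -passin "file:$pwfile" 2>/dev/null | openssl sha256)
    else
        key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null | openssl sha256)
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the leaf certificate (wrong key or wrong password)" >&2; return 1
    fi

    # 4. The SAN must list the deployment FQDN (exact match; wildcards are not expanded).
    if ! openssl x509 -noout -text -in "$cert" | grep -A1 'Subject Alternative Name' \
            | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$fqdn"; then
        echo "FAIL: subjectAltName does not cover $fqdn" >&2; return 1
    fi

    # 5. Not expired and not expiring within the next 24 hours.
    if ! openssl x509 -noout -checkend 86400 -in "$cert" >/dev/null; then
        echo "FAIL: leaf certificate is expired or expires within 24h" >&2; return 1
    fi
    return 0
}

# Demo on constructed data. With real material, pass your fullchain, key, FQDN
# and (if used) password file, and create the secret only when the check passes.
tmp=$(mktemp -d)
make_test_pki "$tmp" aihub.example.internal
if check_fullchain "$tmp/fullchain.pem" "$tmp/leaf.enc.key" aihub.example.internal "$tmp/password.txt"; then
    echo "OK: $tmp/fullchain.pem and its key are acceptable for the proxy"
    # --dry-run=client prints the Secret manifest instead of creating it; drop it for real use.
    if command -v kubectl >/dev/null 2>&1; then
        kubectl create secret generic ai-hub-proxy-certificate-secret-name \
            --from-file=tls.crt="$tmp/fullchain.pem" --from-file=tls.key="$tmp/leaf.enc.key" \
            --dry-run=client -o yaml
    fi
fi
rm -rf "$tmp"
```

The script deliberately stops at structural checks. It does not verify the signature chain up to a trusted root; where the issuing CA bundle is available, `openssl verify -CAfile <bundle> fullchain.pem` adds that step before the secret is created.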
Obtaining Let's Encrypt certificate for TLS offloading
The Let's Encrypt certificate is requested from Let's Encrypt on demand after AI Hub is deployed.
Note that the FQDN of the deployment must be resolvable by public name servers and must point to this deployment, because Let's Encrypt validates the domain from the public internet.
See Let's Encrypt
Custom Certificate Authority certificates
These certificates are added to the trust store of every container, so certificates issued by those CAs are trusted by the containers.
To use a custom CA, a secret holding the CA certificate must be created in the same namespace where AI Hub will be deployed. Use the standard kubernetes command; the secret is a generic secret with the CA certificate under the key tls.crt, and it must not contain the CA's private key:
kubectl create secret generic my-internal-cert --from-file=tls.crt=certificate.crt
Reference the secret name in custom-values.yaml:
common:
  .........
  customCA:
    enabled: True
    tlsSecretName: my-internal-cert
Read more: Customer Internal CA
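Two mistakes are easy to make with this secret: supplying a file that is not actually a CA certificate (a server certificate, for example), or pasting the CA's private key into the same PEM file, which would copy the key into every container's trust store. The following script is an added example, not part of the AI Hub deployment templates or the Customer Internal CA documentation: it inspects the file before it goes into the secret, splits a PEM bundle into its certificates, requires each to carry basicConstraints CA:TRUE and to be unexpired, and rejects any file containing a PRIVATE KEY block. The certificates it generates are constructed test data; the subject names and file names are assumptions.

```shell
#!/bin/sh
# Sanity checks for a custom CA file before it becomes the customCA secret
# (added example, not part of the AI Hub deployment templates). Needs openssl.

# check_custom_ca FILE
# Returns 0 when FILE holds only CA certificates that belong in a trust store.
check_custom_ca() {
    file=$1
    # Anything in this secret lands in every container's trust store, so a
    # private key here would be copied everywhere.
    if grep -q 'PRIVATE KEY' "$file"; then
        echo "FAIL: $file contains a private key; supply only the CA certificate" >&2; return 1
    fi
    n=$(grep -c 'BEGIN CERTIFICATE' "$file") || true
    if [ "${n:-0}" -lt 1 ]; then
        echo "FAIL: $file contains no PEM certificate" >&2; return 1
    fi
    # Split a bundle so every certificate is inspected, not only the first.
    work=$(mktemp -d)
    awk -v d="$work" '/BEGIN CERTIFICATE/{i++} i{print > (d "/" i ".pem")}' "$file"
    rc=0
    for c in "$work"/*.pem; do
        subj=$(openssl x509 -noout -subject -in "$c" 2>/dev/null) \
            || { echo "FAIL: unparsable certificate in $file" >&2; rc=1; continue; }
        if ! openssl x509 -noout -text -in "$c" | grep -q 'CA:TRUE'; then
            echo "FAIL: not a CA certificate (basicConstraints CA:TRUE missing): $subj" >&2; rc=1
        elif ! openssl x509 -noout -checkend 0 -in "$c" >/dev/null; then
            echo "FAIL: expired: $subj" >&2; rc=1
        fi
    done
    rm -rf "$work"
    return $rc
}

# make_test_inputs DIR: constructed test data, a self-signed CA with an explicit
# CA:TRUE constraint, a self-signed non-CA certificate, and two wrong bundles.
make_test_inputs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Internal Root CA" -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=not-a-ca.example.internal" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:FALSE\n' > "$dir/leaf.ext"
    openssl x509 -req -sha256 -days 2 -in "$dir/leaf.csr" -signkey "$dir/leaf.key" \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
    cat "$dir/ca.crt" "$dir/ca.key" > "$dir/ca-with-key.pem"     # key leaked into the bundle
    cat "$dir/ca.crt" "$dir/leaf.crt" > "$dir/mixed-bundle.pem"  # non-CA certificate mixed in
}

# Demo on constructed data. With real material, run check_custom_ca on the file
# you are about to pass as --from-file=tls.crt=... and only then create the secret.
tmp=$(mktemp -d)
make_test_inputs "$tmp"
for f in ca.crt ca-with-key.pem mixed-bundle.pem leaf.crt; do
    if check_custom_ca "$tmp/$f"; then echo "OK:       $f"; else echo "REJECTED: $f"; fi
done
rm -rf "$tmp"
```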