Certificate Management

The deployment templates support configuration for two types of certificates:

  • TLS offloading: these certificates are used in the proxy container and must be supplied as a fullchain. The certificate can be issued by any public certificate authority, including Let's Encrypt, or by a custom authority.
  • Custom Certificate Authority certificates: these certificates are added to the trust-store of every container, so certificates issued by those CAs will be trusted by the containers.

Certificates used for TLS offloading

These certificates are used in the proxy container, and the certificate file must be a fullchain.

Starting from 2025.0.0, the deployment requires a valid certificate for its FQDN, issued by a public certificate authority or a company-owned one (see Custom Certificate Authority certificates).

The configuration of these certificates can be set up using the following variables in the .env file for Docker:

HTTPS_CRT_PATH=/etc/nginx/ssl/certificate.crt
HTTPS_KEY_PATH=/etc/nginx/ssl/private.key

or the following properties in the helm chart (some properties are already set up for https):

common:
  domain: "<FQDN>"
  deploymentPort: "443"
  deploymentProtocol: "https"
  publicUrl: "https://<FQDN>"
  ssoDomain: "<FQDN>"
  ssoPublicUrl: "https://<FQDN>"
  publicCert:
    tlsSecretName: "ai-hub-proxy-certificate-secret-name"

For Kubernetes, as shown above, a secret must be created in the namespace where you will deploy Altair AI Hub, before actually deploying it.

Please note that within the secret the certificate appears as tls.crt and the private key as tls.key. We suggest keeping those names. In the command below, cert.cert and private.key are the names of the files storing your certificate and private key. The secret name must match the one set in the helm values.

This can be done using the following command:

kubectl create secret generic ai-hub-proxy-certificate-secret-name \
  --from-file=tls.crt=cert.cert \
  --from-file=tls.key=private.key

After creating the kubernetes secret, the cert.cert and private.key files can be removed from the filesystem.

Password protected certificates used for TLS offloading

The configuration of password-protected certificates can be set up using the following variable in the .env file for Docker:

HTTPS_KEY_PASSWORD_FILE_PATH=/etc/nginx/ssl/password.txt

or the following properties in the helm chart (some properties are already set up for https):

common:
  domain: "<FQDN>"
  deploymentPort: "443"
  deploymentProtocol: "https"
  publicUrl: "https://<FQDN>"
  ssoDomain: "<FQDN>"
  ssoPublicUrl: "https://<FQDN>"
  publicCert:
    tlsSecretName: "ai-hub-proxy-certificate-secret-name"
    passwordFile:
      enabled: True
      passwordSecretName: "ai-hub-proxy-certificate-password-secret-name"
proxy:
  https:
    keyPasswordPath: "certificate-password-file.txt"

For Kubernetes, as shown above, a secret must be created in the namespace where you will deploy Altair AI Hub, before actually deploying it.

Please note that within the secret the certificate appears as tls.crt and the private key as tls.key. We suggest keeping those names. In the command below, cert.cert and private.key are the names of the files storing your certificate and private key. The secret name must match the one set in the helm values.

This can be done using the following command:

kubectl create secret generic ai-hub-proxy-certificate-secret-name \
  --from-file=tls.crt=cert.cert \
  --from-file=tls.key=private.key

After creating the kubernetes secret, the cert.cert and private.key files can be removed from the filesystem.

In addition, a secret containing the password for the certificate must be created in the namespace where you will deploy Altair AI Hub, before actually deploying it.

Create a file, for example named ai-hub-proxy-certificate-password.txt, and save the password of the certificate into this file.

The following command reads the contents of ai-hub-proxy-certificate-password.txt and creates the Kubernetes secret:

kubectl create secret generic ai-hub-proxy-certificate-password-secret-name --from-file ai-hub-proxy-certificate-password.txt

After creating the kubernetes secret, the ai-hub-proxy-certificate-password.txt file can be removed from the filesystem.
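
A pre-flight check for the files that go into the proxy secret, covering both the plain and the password-protected setups above (an added example, not part of the AI Hub deployment templates). It assumes openssl is installed; the function name and return codes are this example's own, and it treats a file with fewer than two certificates as not being a fullchain.

```shell
#!/bin/sh
# Added example: validate cert.cert / private.key before `kubectl create secret`.
# Return codes (this example's own convention):
#   0 ok, 1 not a fullchain, 2 key unreadable or mismatched,
#   3 FQDN not covered, 4 expired
check_proxy_cert() {
    cert=$1; key=$2; fqdn=$3; pass_file=${4:-}

    # Fullchain: leaf first, followed by at least one issuing CA certificate.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || true)
    if [ "${n:-0}" -lt 2 ]; then
        echo "FAIL: $cert holds ${n:-0} certificate(s), expected a fullchain" >&2
        return 1
    fi

    # An explicit -passin keeps openssl from prompting on an encrypted key.
    passin="pass:"
    if [ -n "$pass_file" ]; then passin="file:$pass_file"; fi

    # openssl x509 reads only the first certificate in the file (the leaf).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin "$passin" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key cannot be read or does not match the leaf certificate" >&2
        return 2
    fi

    # -checkhost reports the result in its output, so match on the text.
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q 'does match'; then
        echo "FAIL: certificate is not valid for $fqdn" >&2
        return 3
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired" >&2
        return 4
    fi
    echo "OK: $cert and $key are consistent for $fqdn"
}

# Run directly: ./check.sh cert.cert private.key <FQDN> [password-file]
if [ "$#" -ge 3 ]; then check_proxy_cert "$@"; fi
```

Run it before creating the secrets, while the certificate, key and password files are still on the filesystem.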

Obtaining Let's Encrypt certificate for TLS offloading

The Let's Encrypt certificate is issued by Let's Encrypt on-demand after AI Hub is deployed.

Please note that the FQDN of the deployment must be resolvable on any public name server and must point to this deployment.

See Let's Encrypt

Custom Certificate Authority certificates

Those certificates are added to the trust-store of every container, so certificates issued by those CAs will be trusted by the containers.

To use a custom CA certificate, a TLS secret must be created in the same namespace where AI Hub will be deployed. Use the standard kubectl command to create the TLS secret:

kubectl create secret generic my-internal-cert --from-file=tls.crt=certificate.crt

Use the TLS secret name in custom-values.yaml:

common:
  .........
  customCA:
    enabled: True
    tlsSecretName: my-internal-cert