Configuring trusted certificates in DevOps Loop

You can configure DevOps Loop to use private CA and self-signed certificates by creating or updating a Kubernetes secret with a PEM certificate bundle.

Before you begin

You must have completed the following tasks:

  • Ensured that you have the administrator privileges to the Kubernetes namespace where DevOps Loop will be installed.
  • Ensured that the private CA is available in a PEM format (.pem).
Note: In the scenarios below, mycacrt.pem is used as a sample PEM file name for a private CA or combined certificate bundle. You must replace mycacrt.pem with the actual name and path of your PEM file.

Procedure

Perform any of the following actions based on the scenario:
Scenario: No certificate provided (auto-generate self-signed)

Action: Perform the following steps:
  1. Set SELF_SIGNED=true in the DevOps Loop installation script.

     The script generates key.pem and cert.pem valid for 365 days with SAN for $DOMAIN.

     The script creates a Kubernetes secret named devops-loop-tls-secret containing ca.crt=cert.pem, tls.crt=cert.pem, and tls.key=key.pem.

     The script also sets global.ibmCertSecretName=devops-loop-tls-secret, so that it is used to terminate TLS for the DevOps Loop instance.

Notes: No manual secret creation is required. The certificate is generated automatically.

Scenario: Using a private CA certificate bundle

Action: Perform the following steps:
  1. Combine multiple CA/intermediate certificates if needed:
     cat rootCA1.pem rootCA2.pem > mycacrt.pem
  2. Create the secret:
     kubectl create secret generic privateca-secret --from-file=ca.crt=/path/to/mycacrt.pem -n devops-loop
  3. Edit the ADDITIONAL_HELM_OPTIONS variable in the DevOps Loop installation script to add:
     --set global.privateCaBundleSecretName=privateca-secret --set ibm-devops-prod.ingress.cert.selfSigned=true
     The helm value ibm-devops-prod.ingress.cert.selfSigned=true is needed to work around an issue with the latest shipping version of DevOps Test when using TLS certificates signed by a private CA.

Notes: Used when internal services are signed by a private CA. The ca.crt key is mandatory.

Scenario: Updating an existing CA or self-signed certificate

Action: Perform the following steps:
  1. To avoid having to restart pods manually, create a new secret that contains the updated certificate:
     kubectl create secret generic privateca2-secret \
       --from-file=ca.crt=/path/to/mycacrt.pem -n devops-loop
  2. Edit the ADDITIONAL_HELM_OPTIONS variable in the DevOps Loop installation script to add:
     --set global.privateCaBundleSecretName=privateca2-secret --set ibm-devops-prod.ingress.cert.selfSigned=true
     The helm value ibm-devops-prod.ingress.cert.selfSigned=true is needed to work around an issue with the latest shipping version of DevOps Test when using TLS certificates signed by a private CA.
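As an added example (not part of the DevOps Loop documentation or installation script), the following Python script checks a combined bundle such as mycacrt.pem before it is stored under the mandatory ca.crt key: it repairs the glued END/BEGIN line that cat produces when a source file lacks a trailing newline, rejects non-certificate blocks (for example a private key pasted in by mistake) and malformed DER, and then builds the same Secret manifest that the kubectl create secret command above would apply. The sample bundle is constructed for the demonstration and is not a real CA.

```python
import base64
import json
import re

# Constructed sample (not a real CA): two PEM blocks whose DER body is the minimal
# SEQUENCE { INTEGER 1 }, glued together the way cat(1) does when the first file
# has no trailing newline ("-----END CERTIFICATE----------BEGIN CERTIFICATE-----").
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----"
    "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

def normalize_bundle(text):
    """Normalize line endings and split END/BEGIN lines that were run together."""
    text = text.replace("\r\n", "\n")
    return text.replace("----------BEGIN", "-----\n-----BEGIN")

def der_sequence_length(der):
    """Total encoded length of the outer DER SEQUENCE, or None if it is not one."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_bundle(text):
    """Return (list of DER certificates, list of problems) for a PEM bundle."""
    certs, problems = [], []
    for label, body in PEM_BLOCK.findall(normalize_bundle(text)):
        if label != "CERTIFICATE":         # keys or CSRs must never land in ca.crt
            problems.append(f"non-certificate block '{label}' found")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("block is not valid base64")
            continue
        if der_sequence_length(der) != len(der):
            problems.append("block does not decode to one DER SEQUENCE")
            continue
        certs.append(der)
    if not certs:
        problems.append("bundle contains no certificates")
    return certs, problems

def secret_manifest(name, namespace, bundle_text):
    """Secret equivalent to: kubectl create secret generic NAME --from-file=ca.crt=..."""
    _, problems = check_bundle(bundle_text)
    if problems:
        raise ValueError("; ".join(problems))
    ca_crt = base64.b64encode(normalize_bundle(bundle_text).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace}, "data": {"ca.crt": ca_crt}}

if __name__ == "__main__":
    print(json.dumps(secret_manifest("privateca-secret", "devops-loop", SAMPLE_BUNDLE), indent=2))
```

Pipe the printed manifest into `kubectl apply -f -` to create or update the secret; the data the script writes under ca.crt is the repaired bundle, so the second certificate is no longer hidden on the glued line.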

Results

You have configured DevOps Loop to use the specified trusted certificates.

What to do next

You must run the DevOps Loop installation script. See Installation of DevOps Loop.