Configuring trusted certificates in DevOps Velocity

The default configuration in Velocity accepts connections with self-signed CA certificates. You can configure Velocity to restrict self-signed CA certificates and allow only a predefined set of trusted CA certificates.

Before you begin

You must have completed the following tasks:
  • Obtained the self-signed CA certificate of the server that you want Velocity to connect to.
  • Ensured that you have access to the Kubernetes cluster where Velocity is installed.

About this task

The default configuration in Velocity accepts connections with self-signed CA certificates. To improve security and ensure that only trusted sources are used, you can configure Velocity to restrict self-signed CA certificates and accept only a specific set of approved CA certificates.

This process involves creating a Kubernetes secret that contains the approved CA certificate bundle, specifying the secret name with the global.privateCaBundleSecretName Helm parameter, and setting disableCertValidation=false during Helm installation or upgrade so that certificate validation is enforced.

Procedure

  1. Create a Kubernetes secret that contains your trusted CA certificate bundle.

    For example, you can download the self-signed CA certificate of an application such as HCL DevOps Deploy (Deploy) and then validate the configuration by creating the DevOps Deploy integration after you install or upgrade Velocity.

    Run the following command, replacing my-ca-cert.pem with the path to your certificate file, my-ca-secret with the desired secret name, and <namespace> with the namespace where Velocity is installed:
    kubectl create secret generic my-ca-secret --from-file=ca.crt=./my-ca-cert.pem -n <namespace>

  2. Install or upgrade Velocity by using Helm with the updated parameters.
    Example command:
    
         helm install velocity -n <custom_namespace_name> \
         ./accelerate-<version>-helm.tgz --set license=accept \
         --set url.domain=<domain_name or IP address> \
         --set access.key=<access_key> \
         --set mongo.url=<mongodb_url> \
         --set secret.tls=<tls_secret_name> \
         --set global.privateCaBundleSecretName=my-ca-secret \
         --set disableCertValidation=false \
         --loglevel=<log_level_value>
        
  3. Integrate the DevOps Deploy plugin to verify the connection, if the secret that you created in step 1 contains the self-signed CA certificate of Deploy.
    Note: You can also integrate any other plugin whose server CA certificate you included in the trusted bundle to verify the connection.

    The plugin establishes a secure connection by using the specified trusted CA certificates, and the integration status is displayed as Online.
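A pre-flight check for step 1, added here as an example that is not part of the product documentation: it inspects the PEM bundle before it is stored in the secret, confirming that every certificate in the file is a CA certificate (CA:TRUE) and is not expiring within 30 days, so that a leaf certificate or an expired CA is not silently trusted. It assumes openssl and POSIX sh/awk are available.

```shell
# Validate a PEM CA bundle before it becomes the secret referenced by
# global.privateCaBundleSecretName. Returns 0 when every certificate in
# the bundle is a CA certificate still valid for at least 30 days, 1 otherwise.
check_ca_bundle() {
  bundle="$1"
  [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
  count=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
  [ "$count" -gt 0 ] || { echo "no certificates found in $bundle" >&2; return 1; }
  rc=0
  tmp=$(mktemp -d)
  # Split the bundle into one certificate per file (cert1.pem, cert2.pem, ...).
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n>0{print > (d "/cert" n ".pem")}' "$bundle"
  for f in "$tmp"/cert*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null || echo "unparseable $f")
    # Basic Constraints must mark the certificate as a CA; a server (leaf)
    # certificate in the bundle would not anchor a chain.
    if ! openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
      echo "not a CA certificate: $subj" >&2; rc=1
    fi
    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$f" -noout -checkend 2592000 >/dev/null 2>&1; then
      echo "expires within 30 days or already expired: $subj" >&2; rc=1
    fi
  done
  rm -rf "$tmp"
  return $rc
}

# Usage with the command from step 1 (create the secret only if the check passes):
# check_ca_bundle ./my-ca-cert.pem && \
#   kubectl create secret generic my-ca-secret --from-file=ca.crt=./my-ca-cert.pem -n <namespace>
```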

Results

You have configured Velocity to reject self-signed CA certificates and trust only the specified CA certificates.