The default installation of Banzai Cloud Pipeline generates a self-signed server certificate to start serving HTTPS requests as soon as possible. This setup, however, causes a warning in web browsers, which can be accepted during evaluation, but it’s not production-ready.

To obtain a TLS certificate you should either let your local certificate authority issue it, or acquire it from a public CA.

You may want to set the final domain name of the deployment before configuring TLS.

Custom certificates

To set up a certificate, prepare the certificate and the private key in PEM format. Your certificate authority should explain all the steps needed for this.

You should check the common name (CN) field of the subject, and the subject alternative name (SAN) records with the openssl x509 -text -in cert.pem command. If you have a certificate chain, append that to the end of the certificate.

Encode the PEM-formatted certificate and key to single-line base64 strings with the base64 command (base64 -w0 with the GNU version), and use the following snippet in your values.yaml file:

traefik:
  ssl:
    defaultKey: aabbccdd
    defaultCert: AABBCCDD
    generateTLS: false

To update the deployment, run banzai pipeline up [--workspace=default].
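The steps above combined into one script, as an added example that is not part of the Banzai Cloud documentation. It assumes the files cert.pem, key.pem and an optional chain.pem, relies on the openssl and base64 CLIs, and avoids base64 -w0 so it also works with the BSD/macOS base64.

```shell
#!/bin/sh
# Added example: build the traefik.ssl snippet for values.yaml from PEM files.
# File names (cert.pem, key.pem, chain.pem) are assumptions, not from the docs.

# Single-line base64 that works with both GNU and BSD/macOS base64:
# GNU accepts -w0, BSD does not, so strip the line breaks instead.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Show the subject CN and the SAN records the docs ask you to check
# (-ext needs OpenSSL 1.1.1 or newer; older versions: use -text as in the docs).
show_names() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# Succeed only if the certificate's public key matches the private key.
# Compares the SHA-256 digest of the DER-encoded public key from each file.
check_key_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Print the values.yaml snippet. Arguments: cert key [chain]
# The chain (intermediates) is appended after the leaf certificate, as required.
make_values() {
  cert=$1; key=$2; chain=$3
  bundle=$(mktemp)
  cat "$cert" > "$bundle"
  if [ -n "$chain" ]; then
    cat "$chain" >> "$bundle"
  fi
  printf 'traefik:\n  ssl:\n    defaultKey: %s\n    defaultCert: %s\n    generateTLS: false\n' \
    "$(b64_oneline "$key")" "$(b64_oneline "$bundle")"
  rm -f "$bundle"
}

# Typical use (uncomment to run against real files):
# show_names cert.pem
# check_key_matches cert.pem key.pem || { echo "key does not match cert" >&2; exit 1; }
# make_values cert.pem key.pem chain.pem > tls-values.yaml
```

Merge the generated tls-values.yaml into your values.yaml (or pass it as an additional values file) before running banzai pipeline up.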

Terminating TLS on Amazon ELB

TLS is normally terminated by the Ingress controller, but in some cases external load balancers are also capable of that. (Currently this is only available on Amazon.)

The installer currently configures Ingress to terminate TLS, so you have to explicitly tell it to configure the load balancer:

traefik:
  ssl:
    enabled: false
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:xx-xxxx-x:xxxxxxxxx:xxxxxxx/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxx # replace this value
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443" # annotation values must be strings, so keep the quotes

Because Ingress is no longer responsible for terminating TLS, all internal traffic must also go through the load balancer, so host aliases must be disabled:

pipeline:
  hostAliases: []