Certificate Management
How do I change OpenUnison's certificates?
OpenUnison's certificate when deployed in Kubernetes is hosted by the Ingress controller, not by the OpenUnison container its self. When used for the login portal, we want to supply the CA certificate for two reasons:
- So it can be embedded in the
kubectl
command correctly - So that the dashboard SSO works properly when validating the login process
Before moving forward you'll need:
- A certificate with subject alternative names for your portal (
network.openunison_host
) and your dashboard (network.dashboard_host
). If using impersonation, the impersonation host is needed too (network.api_server_host
) - The certificate authority (CA) certificate that signed your certificate from #1
- Any intermediate certs needed to complete the chain
Once you have your certificates and keys:
- Delete the
ou-tls-certificate
secret in theopenunison
namespace -kubectl delete secret ou-tls-certificate -n openunison
- Recreate the
ou-tls-certificate
secret -kubectl create secret tls ou-tls-certificate --cert=/path/to/chain.pem --key=/path/to/key.pem -n openunison
- NOTEchain.pem
should be your entire certificate chain, including the CA and all intermediate certs. You may also allow a tool like cert-manager to generate your certificate either directly or by specifying the correct annotations on your Ingress controller. - Update your
values.yaml
file to specifynetwork.createIngressCertificate=false
. - If your certificate isn't signed by a well known CA, such as Let's Encrypt, base64 encode the PEM certificate and add it to
the
trusted_certs
section of your values.yaml with the nameunison-ca
:
Finally, update both your orchestra
and orchestra-login-portal
helm deployments: