KOTS: Is it possible to configure TLS certs for contour in the embedded installation?


#1

Is it possible to configure TLS certs for contour in the embedded installation? I can see how to set them up for the kots admin itself, but not for contour.


#2

There is a secret deployed alongside your application named kotsadm-tls. This certificate comes from a file uploaded on the customer’s config screen. The secret can be used to configure contour TLS.

This secret is only available for embedded installations and is deployed in the same namespace as your application and kotsadm and therefore cannot be used in custom namespaces.

Contour uses Envoy’s SNI feature to provide TLS support. This requires that your certificate be associated with a valid host domain name (not an IP address) and that the hostname appears in the ingress’s spec.tls.hosts and spec.rules.host fields, as shown below. In the following example we collect the hostname from the application config.

See below for an example:

ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: backend
spec:
  tls:
  - secretName: kotsadm-tls
    hosts:
    - repl{{ ConfigOption "hostname"}}
  backend:
    serviceName: frontend
    servicePort: 80
  rules:
  - host: repl{{ ConfigOption "hostname"}}
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx
          servicePort: 80

config.yaml

apiVersion: kots.io/v1beta1
kind: Config
metadata:
  name: contour-example
spec:
  groups:
    - name: general
      title: General
      items:
      - name: hostname
        title: Hostname
        type: text
        required: true
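The constraints in that answer (DNS hostname rather than IP, the same host in spec.tls.hosts and spec.rules.host, kotsadm-tls as the secret, and a certificate that actually covers the host) can be checked before the release ships. The script below is an added example, not code from the original post or from KOTS; the rendered Ingress and the SAN list are constructed placeholders standing in for the real manifest and the DNS names read out of the uploaded certificate.

```python
import ipaddress

# Constructed sample: an Ingress as it would look after kots renders
# repl{{ ConfigOption "hostname"}} (placeholder hostname, not from the page).
RENDERED_INGRESS = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {"name": "backend"},
    "spec": {
        "tls": [{"secretName": "kotsadm-tls", "hosts": ["app.example.com"]}],
        "rules": [{"host": "app.example.com", "http": {"paths": [{"path": "/"}]}}],
    },
}
# Constructed: DNS names from the certificate's subjectAltName (placeholder, not from the page).
CERT_SANS = ["*.example.com"]


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: a leading wildcard covers exactly one DNS label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_ingress_tls(ingress: dict, cert_sans: list) -> list:
    """Return the problems found; an empty list means the Ingress is consistent."""
    problems = []
    spec = ingress.get("spec", {})
    tls_hosts, rule_hosts = set(), set()
    for entry in spec.get("tls", []):
        if entry.get("secretName") != "kotsadm-tls":
            problems.append(f"tls secretName {entry.get('secretName')!r} is not 'kotsadm-tls'")
        tls_hosts.update(entry.get("hosts", []))
    rule_hosts.update(r["host"] for r in spec.get("rules", []) if "host" in r)
    # Envoy SNI only works when the same hostname appears in both places.
    for host in tls_hosts ^ rule_hosts:
        problems.append(f"{host!r} is not in both spec.tls.hosts and spec.rules.host")
    for host in tls_hosts | rule_hosts:
        if is_ip(host):
            problems.append(f"{host!r} is an IP address; Envoy SNI needs a DNS name")
        elif not any(san_matches(s, host) for s in cert_sans):
            problems.append(f"certificate SANs {cert_sans} do not cover {host!r}")
    return problems
```

Run it against the rendered manifest (for example, the output of `kubectl get ingress -o json` in the installed namespace) together with the SAN names printed by `openssl x509 -noout -ext subjectAltName` on the certificate stored in the kotsadm-tls secret.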